Notes from the Field: CIS Control 3 – Data Protection

by Greg Halpin / May 19th, 2023

Your data is one of your organization’s most valuable assets. Are you protecting it properly?

Continuing our series on the Center for Internet Security (CIS) Controls, auditor Greg Halpin will explore the third CIS Control about data protection and how he sees his clients implementing these requirements in the field.  As a reminder, the CIS controls are 18 information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks from attackers.

The CIS overview for Data Protection is: “Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.”

Why are data protection controls critical to your org’s success? 

A breach of company or customer data would cause reputational harm to the organization and potentially result in lost business and costly lawsuits. There are also governmental and industry requirements for protecting data. Failure to meet the requirements could result in fines from various governments or an industry group.

Protecting data is more challenging than ever as data is stored in many locations: on-premises and a seemingly endless number of cloud services. Data may be shared with various service providers in support of a company’s services. Fortunately, many tools in support of protecting data are now available, easier to implement, and less expensive than in previous years. 

The CIS Controls document states that attackers will find and exfiltrate data after they penetrate a company’s systems. Your goal is to prevent that from happening. The document lists the following 14 sub-controls or safeguards in support of data protection:

  • 3.1 Establish and Maintain a Data Management Process
  • 3.2 Establish and Maintain a Data Inventory
  • 3.3 Configure Data Access Control Lists
  • 3.4 Enforce Data Retention
  • 3.5 Securely Dispose of Data
  • 3.6 Encrypt Data on End-User Devices
  • 3.7 Establish and Maintain a Data Classification Scheme
  • 3.8 Document Data Flows
  • 3.9 Encrypt Data on Removable Media
  • 3.10 Encrypt Sensitive Data in Transit
  • 3.11 Encrypt Sensitive Data at Rest
  • 3.12 Segment Data Processing and Storage Based on Sensitivity
  • 3.13 Deploy a Data Loss Prevention Solution
  • 3.14 Log Sensitive Data Access  

How do data protection efforts affect clients?

When I work with clients, the senior executives, including the Information Technology Director or the Chief Information Security Officer (CISO), sometimes don’t have a full understanding of their own networks, systems, and data. They may be new in the position or dealing with high-level priorities, like long-term strategy and budgets. They are not always in the technical and security weeds with a true feel for what goes on in their environments. They trust that their subordinates are staying on top of things.

As the systems and cloud administrators discuss where data is stored and how it is protected, the IT Director or CISO might say they had no idea the company collected credit card numbers or Social Security numbers, let alone stored them unencrypted. They thought those data fields were deleted after processing or encrypted or tokenized in cases where that type of data was collected. They become concerned the company has poor controls and processes in place to protect the data. 

Data protection controls worth implementing

Data classification is listed as a control so that companies can determine the sensitivity of data and protect it accordingly. Larger companies generally do a better job of this, from what I’ve encountered. Smaller companies find it easier to protect all of their non-public data the same way as they don’t have the staffing resources or tools to do much else.   

One of the most basic things a company must do is properly restrict access to data via access controls and log access to that data. Companies usually implement this well, but occasionally I’ll find that customers have share drives that contain sensitive information and are open to all staff, or to more staff than have a need for access. In one case, a company’s Human Resources share drive was not restricted. All of the employees’ job offer letters with salary information were available. Onboarding documents, such as I-9 forms with Social Security numbers and copies of drivers’ licenses, were also accessible to anyone in the company who happened to know how to access the share.

In another case, a company’s code repositories were configured to allow any of the thousands of employees in the company to access, change, and delete the code. In cloud environments, I find that customers sometimes misconfigure their AWS buckets so they are available to the public or are not encrypted. Again, the IT Directors and CISOs are taken aback when they see that organization data is not properly protected. They don’t know about the data so they can’t protect it. 

In a recent gap analysis, a client I worked with provided services to hospitals and medical practices. They collected Social Security numbers via a web application. The SSNs were encrypted in the database, but the SSN field for each patient was displayed to all customer support staff every time they looked at a patient record. This is not the usual practice. Most companies mask the first five digits with only the last four digits viewable, or they may mask the entire SSN. They make the full SSN available only when the staff member clicks a button to reveal it, and only if that staff member has been granted the need to know it. Additionally, they may require the staff member to authenticate again before the full number is revealed. This data needs to be encrypted and restricted properly to ensure the utmost security.
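The display handling described above, as an added example that is not code from the original post or from the client discussed: masked by default, the full value only on an explicit reveal by a user holding the need-to-know role who has re-authenticated recently, and every attempt written to an audit log (which also serves Safeguard 3.14). The role name `ssn_reveal`, the 300-second step-up window, and the record layout are assumptions.

```python
from dataclasses import dataclass, field
import re
import time

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
STEP_UP_WINDOW_SECONDS = 300  # assumed: a re-authentication is honoured for 5 minutes


@dataclass
class User:
    name: str
    roles: set
    last_reauth: float = 0.0  # epoch seconds of the last re-authentication


@dataclass
class AuditLog:
    """Append-only record of reveal attempts (CIS Safeguard 3.14)."""
    entries: list = field(default_factory=list)

    def record(self, user, patient_id, outcome):
        self.entries.append({"ts": time.time(), "user": user.name,
                             "patient": patient_id, "outcome": outcome})


def mask_ssn(ssn):
    """Default view: first five digits masked, last four shown."""
    if not SSN_RE.match(ssn):
        raise ValueError("value is not SSN-shaped")
    return "***-**-" + ssn.replace("-", "")[-4:]


def reveal_ssn(user, patient_id, ssn, audit, now=None):
    """Return the full SSN only for a caller holding the need-to-know role who
    re-authenticated within the step-up window; otherwise the masked form.
    Every attempt, allowed or denied, is written to the audit log."""
    now = time.time() if now is None else now
    if "ssn_reveal" not in user.roles:
        audit.record(user, patient_id, "denied_no_role")
        return mask_ssn(ssn)
    if now - user.last_reauth > STEP_UP_WINDOW_SECONDS:
        audit.record(user, patient_id, "denied_reauth_required")
        return mask_ssn(ssn)
    audit.record(user, patient_id, "revealed")
    return ssn
```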

A tool that can help you understand your data environment and security needs better is a data flow diagram, as the CIS Controls document recommends. A data flow diagram is a visual representation of how data flows into and out of an organization’s infrastructure, where it’s stored on company systems, the role of cloud providers, and how data is shared with and received back from service providers.

It’s also very important to establish a data lifecycle. This lifecycle should have six stages:

  1. Create
  2. Store
  3. Use
  4. Share
  5. Archive
  6. Destroy

It costs money to store and protect data you don’t need. It also opens your company up to legal liability. In the event of a data breach and public release of sensitive information, you will have a difficult time explaining why you stored data of a customer who stopped using your service 10 years ago. The company may be in violation of regulations and be liable to fines or lawsuits. I see this a lot with customers. They save data forever as they did not plan for data deletion when they designed their applications and databases. They were focused on getting a functional web application to customers as quickly as possible. They don’t know how to redesign their collection and storage of the data. 

Fortunately, there are tools available when data management is planned from the onset. Administrators can run tasks on databases to archive or delete data once it ages past the retention policy. AWS bucket policies can be configured to send inactive and old data to Glacier. It can then be automatically deleted after a specified number of months or years. Microsoft Outlook 365 also has data retention policies that can be implemented.
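A scheduled retention job of the kind described above, written for this post as an added example (not the author’s or any client’s code) and run against an in-memory SQLite table with constructed customer rows. The policy values are assumptions: a customer inactive for two years is archived without the sensitive field, and one inactive for seven years is deleted; the same two-stage rule is what a cloud storage lifecycle rule (transition, then expiration) expresses declaratively.

```python
import sqlite3
from datetime import date, timedelta

ARCHIVE_AFTER_DAYS = 2 * 365   # assumed policy
DELETE_AFTER_DAYS = 7 * 365    # assumed policy
RUN_DATE = date(2023, 5, 19)   # fixed "today" so the sample run is reproducible

# Constructed sample rows (id, name, ssn, last_active); the SSNs are fake.
SAMPLE_CUSTOMERS = [
    (1, "active", "000-00-0001", "2023-04-19"),   # 30 days inactive
    (2, "dormant", "000-00-0002", "2020-05-19"),  # about 3 years inactive
    (3, "gone", "000-00-0003", "2013-05-19"),     # about 10 years inactive
]

def retention_action(last_active_iso, today=RUN_DATE):
    """What the policy requires for one record: keep, archive or delete."""
    age = (today - date.fromisoformat(last_active_iso)).days
    if age >= DELETE_AFTER_DAYS:
        return "delete"
    if age >= ARCHIVE_AFTER_DAYS:
        return "archive"
    return "keep"

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, last_active TEXT);
        CREATE TABLE customers_archive (id INTEGER PRIMARY KEY, name TEXT, last_active TEXT, archived_on TEXT);
    """)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?)", SAMPLE_CUSTOMERS)
    return conn

def enforce_retention(conn, today=RUN_DATE):
    """The scheduled job: archive drops the sensitive field, delete removes the row,
    and archived rows are purged once past the delete age. Returns action counts."""
    counts = {"keep": 0, "archive": 0, "delete": 0}
    rows = conn.execute("SELECT id, name, last_active FROM customers").fetchall()
    for cid, name, last_active in rows:
        action = retention_action(last_active, today)
        counts[action] += 1
        if action == "archive":  # minimal record only; the SSN is not carried over
            conn.execute("INSERT OR IGNORE INTO customers_archive VALUES (?,?,?,?)",
                         (cid, name, last_active, today.isoformat()))
        if action != "keep":
            conn.execute("DELETE FROM customers WHERE id = ?", (cid,))
    # ISO dates compare correctly as strings, so one cutoff string is enough.
    cutoff = (today - timedelta(days=DELETE_AFTER_DAYS)).isoformat()
    conn.execute("DELETE FROM customers_archive WHERE last_active <= ?", (cutoff,))
    conn.commit()
    return counts
```

Running the job twice shows it is idempotent: the second pass finds only the active customer left in the primary table.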

Generally, companies don’t take advantage of these tools because they are short-staffed. The employees have little if any time to implement such features as they struggle with their main priority to maintain their services for customers. Companies with dedicated IT security or compliance departments are generally more successful in this area. 

However, implementing these practices is still critical to a successful data security program. If your organization is deciding which controls to prioritize implementing, I suggest the following:

Encryption of data at rest – Be diligent about encrypting data or using tools and services that make encryption the default option.  Encrypt drive volumes and databases in AWS and Azure.  Encrypt Windows drives with BitLocker, macOS drives with FileVault, and Linux drives with LUKS.  

Encryption of data in transit – Most companies use the currently supported version of TLS to encrypt data in transit between web applications and end users. SFTP/SSH is used for file transfers. VPNs are established between on-premises locations and cloud services. Laptop users should be required to use a VPN client to protect their traffic from interception when using public Wi-Fi networks.

Data Loss Prevention – Many tools now exist to prevent data exfiltration that were expensive and difficult to implement in the past. Some companies I’ve worked with have policies and tools in place that monitor and limit the number of files a person may email outside the organization or upload to a cloud service. Some companies even prevent any copying and pasting of data from email or Office 365 products to products and systems not managed by the company. DLP tools can prevent copying of files to USB drives. Firewalls can report on the amount of data a particular user is uploading to online storage services.

Incident Response Plan – Most companies have an incident response plan and steps in place to respond to a data breach. IT security teams should conduct at least annual testing (if not quarterly!) of their response plan so they are prepared when a data breach occurs.   

Work with a KirkpatrickPrice Expert to Create the Data Protection Program Your Organization Deserves 

Implementing CIS Control 03 and its sub-controls will help protect your organization and its valuable data. However, we understand that implementing these controls properly takes a lot of hard work and resources. If you need a partner to help you create a data security program, connect with a KirkpatrickPrice expert today. We’d be more than happy to help you create a process that allows you to face today’s threats confidently.

About the Author 

Greg Halpin has 25 years of experience in information technology and security. He has a Master’s in Information Sciences – Cybersecurity and Information Assurance from Penn State University, and he has earned the CISSP, CISA, and CCSP certifications.  He enjoys working with people and organizations to help them secure their networks and systems. Greg lives in Happy Valley, PA.