Control Summary
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Why is it needed?
Data no longer resides exclusively within the confines of an enterprise’s boundaries; it now resides in the cloud, on portable end-user devices used in remote work settings, and is often shared with partners or online services situated across the globe. In addition to sensitive data encompassing financial records, intellectual property, and customer information, there are also numerous international regulations in place governing the protection of personal data.
The significance of data privacy has grown considerably, with enterprises recognising that privacy entails more than just encryption; it encompasses the judicious use and effective management of data throughout its entire lifecycle. Navigating these privacy regulations can be intricate for multinational enterprises of all sizes, but there are fundamental principles that can be applied universally. When attackers breach an enterprise’s infrastructure, one of their initial objectives is to locate and extract data. Enterprises may remain oblivious to the fact that sensitive data is leaving their environment due to a lack of monitoring of data egress.
Implementing Control
Implementing successful data management involves managerial, procedural, and technical actions.
Implementation Group 1 requires the following six safeguards:
3.1 Establish and Maintain a Data Management Process
Determining the types of data your business holds can enable effective management. Identifying the sensitivity levels and criticality levels of all data held and defining this using levels or labels such as “Sensitive”, “Confidential” or “Public” can be helpful. Firstly, define the sensitivity and criticality, then create a map of your data describing what applications access and store certain data. This will provide a comprehensive view of how data is used in your business and which critical systems and processes require securing and monitoring.
3.2 Establish and Maintain a Data Inventory
Managerial controls consist of policies outlining the type of data the business holds, how it can be used, how it is classified, organised, stored, and how long it is kept. These can be challenging to create as they require executive support and buy-in however they form the baseline understanding of data management in your business and drive all other actions for data lifecycle management.
3.3 Configure Data Access Control Lists
Create data access control lists that are tailored to the needs of a user. Implement data access control lists, which are also known as access permissions, on local and remote file systems, databases, and applications.
3.4 Enforce Data Retention
Ensure that data is stored in accordance with the business data management process. It is necessary to have both a minimum and maximum timeline for data retention.
3.5 Securely Dispose of Data
Dispose of data in a secure manner as per the business data management process. Ensure that the disposal process and method are appropriate for the data sensitivity.
3.6 Encrypt Data on End-User Devices
Encrypt data on end-user devices that contain sensitive data. Windows BitLocker®, Apple FileVault®, and Linux® dm-crypt are just a few examples of implementations that can be used.
Additional safeguards at level 2 or 3:
3.7 Establish and Maintain a Data Classification Scheme
3.8 Document Data Flows
3.9 Encrypt Data on Removable Media
3.10 Encrypt Sensitive Data in Transit
3.11 Encrypt Sensitive Data at Rest
3.12 Segment Data Processing and Storage Based on Sensitivity
3.13 Deploy a Data Loss Prevention Solution
3.14 Log Sensitive Data Access
Incident Response Solutions 