How to Create a Data Protection Plan
By Sean Atkinson, Chief Information Security Officer, CIS
With 2018 being the “Year of Data Privacy,” organizations in every sector should focus on creating and implementing a data protection plan (DPP). A strong DPP will help ensure data within an organization is properly defined, labeled, and controlled. It can also help mitigate against ransomware attacks by limiting an attacker’s access to sensitive data.
Using CIS Control #13 (v7.1) to create a Data Protection Plan
CIS Control 13 – Data Protection – helps identify elements that would comprise a solid DPP:
- Objective – specific to organizational security policies or regulatory controls such as GDPR/NIST
- Roles and responsibilities – addresses key roles in the organization and the data protection responsibilities of each
- Data protection risks – identifies potential security risks as related to sensitive data
- Acceptable use policies – apply to different classes of data within an organization
- Data storage requirements – must consider how to manage the storage size of data (including backups!)
- Data utilization – addresses how data is used within the organization
- Data integrity and assurance – examines how to securely store and transfer data
How CIS Control 13 can help:
As one of the 20 CIS Controls in v7.1, CIS Control 13 recommends the following steps to define and control data:
- Identification of sensitive data – You first have to know what data is sensitive in your organization, to know what requisite controls need to be in place.
- Apply controls to systems that house or transport the data identified above – Now that sensitive data has been identified, safeguards must be deployed to protect the data in transit and at rest.
- Data loss prevention (DLP) – Data is the lifeblood of any organization and it changes, constantly for internal processes, updates, new information, etc. The importance of DLP is to control the flow of data and make sure its utilization is approved, controlled and monitored.
- Threat detection – Once your organization has implemented the subcontrols defined above, a scenario-based risk assessment should be performed to manage data exfiltration and misuse. For example: Ask yourself, “Should deployed endpoints and servers have read/write capability to USB devices?” If for your organization the answer is ‘NO’, then disabling or providing detection software will reduce the risk of exfiltration through such a method.
These are high-level ideas that can help ensure that data privacy is defined and controlled within any organization. As multiple requirements for compliance are often in play and cybersecurity best practices are paramount, a strong DPP can help your organization identify risks and define a plan of action.