Data Management Policy Template for CIS Control 3

An enterprise’s traditional boundaries no longer contain the entirety of an enterprise’s data. The enterprise holds data related to finances, intellectual property, customer, and personnel data. Data is stored in the cloud, on phones and tablets, and even sensitive data is often shared with service providers located all over the world. The enterprise’s loss of control over protected or otherwise sensitive data is a serious and often reportable business impact to include running afoul of local or national data regulations for protection of personal data. Data compromise may occur as a result of theft or espionage, or merely poorly understood data management rules and user error.

This policy template is meant to supplement the CIS Controls v8. The policy statements included within this document can be used by all CIS Implementation Groups (IGs), but are specifically geared towards Safeguards in Implementation Group 1 (IG1).