CIS Safeguard 3.12: Segment Data Processing and Storage Based on Sensitivity

By Steve Gold
Posted in Security
On June 17, 2025

Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation

CIS Safeguard 3.12 mandates the segmentation of sensitive data while it is stored. This strategy involves categorizing and handling data according to its sensitivity, thus ensuring that the most critical information receives the highest level of protection.

Data segmentation involves dividing data into distinct categories based on its sensitivity. Sensitive information, such as financial records, personal data, and intellectual property, requires stringent security measures. Less sensitive information may not need the same level of protection, allowing for more flexible handling. By segmenting data, organizations can prioritize their security efforts, allocate resources more effectively, and reduce the risk of data breaches.

Real World Examples
  1. Financial Sector: Banks and financial institutions routinely handle highly sensitive personal and financial data. These organizations implement segmentation by classifying data into categories such as transactional data, customer personal information, and internal communications. For example, banking information, including account numbers and transaction details, is stored in highly secure environments with strong encryption and access controls. Conversely, less sensitive information, such as marketing data, may reside in less restrictive environments.
  2. Healthcare Industry: Healthcare organizations manage vast amounts of sensitive patient information. Segmenting data in this context involves categorizing medical records, billing information, and administrative data. Medical records are stored in encrypted databases with strict access controls, ensuring that only authorized personnel can access them. In contrast, administrative data, which may include scheduling information or general communications, can be stored with less rigorous protections.
  3. Corporate Environment: Corporations often handle proprietary information, trade secrets, and employee data. They segment data by distinguishing between highly confidential information, such as strategic plans and intellectual property, and less sensitive data, such as routine HR communications. Confidential data is stored in secure, encrypted systems with limited access, whereas general communications may be stored in standard network environments.
Recommendations for Implementation
  1. Identify and Classify Data: The first step in implementing data segmentation is identifying and classifying data based on its sensitivity. Organizations should conduct comprehensive audits to determine what types of data they handle and classify them into categories, such as highly sensitive, moderately sensitive, and non-sensitive. This classification process should involve input from various departments to ensure a holistic understanding of the organization's data landscape.
  2. Implement Access Controls: Once data is classified, organizations should implement access controls tailored to the sensitivity of each category. Highly sensitive data should have stringent access restrictions, allowing only authorized individuals to view or modify it. These controls can include password protections, multi-factor authentication, and role-based access controls. Less sensitive data can have more flexible access measures.
  3. Use Encryption: Encryption is critical for protecting sensitive data both in transit and at rest. Organizations should employ strong encryption protocols to safeguard highly sensitive data. This ensures that even if the data is intercepted or accessed by unauthorized individuals, it remains unreadable and secure. Encryption tools should be regularly updated to address emerging threats and vulnerabilities.
  4. Regularly Audit and Monitor: Regular audits and monitoring are essential to maintaining effective data segmentation. Organizations should periodically review their data classification, access controls, and encryption protocols to ensure they remain appropriate and effective. Continuous monitoring can help identify potential security issues early, allowing for prompt remediation.
  5. Educate Employees: Employee awareness and training are crucial for successful data segmentation. Organizations should educate employees about the importance of data sensitivity, proper handling procedures, and security protocols. Regular training sessions can help reinforce these concepts and ensure that employees understand their role in protecting sensitive information.
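Steps 1 through 4 above (classify, route each tier to its own segment with tailored controls, and audit placement) can be expressed as a small policy module. This is an added example, not code from the post or from CIS; the tier names, storage zones, roles and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass

# Sensitivity tiers ordered low -> high; the names are assumptions.
TIERS = ("non_sensitive", "moderately_sensitive", "highly_sensitive")
RANK = {tier: i for i, tier in enumerate(TIERS)}

@dataclass(frozen=True)
class Zone:
    tier: str                 # the single sensitivity tier this segment holds
    encrypted_at_rest: bool   # controls tighten as the tier rises
    mfa_required: bool
    roles: frozenset          # roles allowed to read the segment

# Constructed storage segments, one per tier (names and controls are assumptions).
ZONES = {
    "general-share": Zone("non_sensitive", False, False, frozenset({"all-staff"})),
    "internal-db": Zone("moderately_sensitive", True, False, frozenset({"hr", "finance-ops"})),
    "restricted-vault": Zone("highly_sensitive", True, True, frozenset({"finance-ops"})),
}
ZONE_FOR_TIER = {zone.tier: name for name, zone in ZONES.items()}

def route(tier):
    """Return the segment a record of `tier` must be written to.
    Unclassified data is refused rather than defaulting to the weakest zone."""
    if tier not in ZONE_FOR_TIER:
        raise ValueError(f"refusing to store unclassified data (tier={tier!r})")
    return ZONE_FOR_TIER[tier]

def can_access(zone_name, role, mfa_done):
    """Role-based check plus the MFA step the segment's tier demands."""
    zone = ZONES[zone_name]
    return role in zone.roles and (mfa_done or not zone.mfa_required)

def audit(inventory):
    """inventory: (record_id, tier, zone_name) triples. Flags records held in a
    segment below their tier (EXPOSED) or above it (MIXED, weakens segmentation)."""
    findings = []
    for record_id, tier, zone_name in inventory:
        gap = RANK[tier] - RANK[ZONES[zone_name].tier]
        if gap:
            findings.append((record_id, "EXPOSED" if gap > 0 else "MIXED", zone_name))
    return findings

# Constructed inventory: one misplaced account record, one over-protected memo.
SAMPLE_INVENTORY = [
    ("acct-1001", "highly_sensitive", "restricted-vault"),
    ("acct-1002", "highly_sensitive", "general-share"),
    ("memo-77", "non_sensitive", "restricted-vault"),
]
```

Running `audit(SAMPLE_INVENTORY)` reports the account record sitting in the general share as exposed and the memo in the vault as mixed, which is the periodic review step 4 calls for.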
Conclusion

CIS Safeguard 3.12 provides a robust framework for enhancing data security through segmentation. By categorizing data based on sensitivity and implementing tailored protection measures, organizations can better safeguard their most critical information. Real-world examples from the financial, healthcare, and corporate sectors illustrate the effectiveness of this approach. With careful planning, implementation, and ongoing education, organizations can create a secure data environment that minimizes the risk of breaches and protects their valuable assets.

Resources

Here’s a link to the Data Management Policy Template for CIS Control 3 provided free of charge from the fine folks at the Center for Internet Security:

Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.

CIS Control 3 – Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell, and Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.