Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
CIS Safeguard 3.12 mandates the segmentation of sensitive data while it is stored. This strategy involves categorizing and handling data according to its sensitivity, thus ensuring that the most critical information receives the highest level of protection.
Data segmentation involves dividing data into distinct categories based on its sensitivity. Sensitive information, such as financial records, personal data, and intellectual property, requires stringent security measures. Less sensitive information may not need the same level of protection, allowing for more flexible handling. By segmenting data, organizations can prioritize their security efforts, allocate resources more effectively, and reduce the risk of data breaches.
Real World Examples
- Financial Sector: Banks and financial institutions routinely handle highly sensitive personal and financial data. These organizations implement segmentation by classifying data into categories such as transactional data, customer personal information, and internal communications. For example, banking information, including account numbers and transaction details, is stored in highly secure environments with strong encryption and access controls. Conversely, less sensitive information, such as marketing data, may reside in less restrictive environments.
- Healthcare Industry: Healthcare organizations manage vast amounts of sensitive patient information. Segmenting data in this context involves categorizing medical records, billing information, and administrative data. Medical records are stored in encrypted databases with strict access controls, ensuring that only authorized personnel can access them. In contrast, administrative data, which may include scheduling information or general communications, can be stored with less rigorous protections.
- Corporate Environment: Corporations often handle proprietary information, trade secrets, and employee data. They segment data by distinguishing between highly confidential information, such as strategic plans and intellectual property, and less sensitive data, such as routine HR communications. Confidential data is stored in secure, encrypted systems with limited access, whereas general communications may be stored in standard network environments.
Recommendations for Implementation
- Identify and Classify Data: The first step in implementing data segmentation is identifying and classifying data based on its sensitivity. Organizations should conduct comprehensive audits to determine what types of data they handle and classify them into categories, such as highly sensitive, moderately sensitive, and non-sensitive. This classification process should involve input from various departments to ensure a holistic understanding of the organization's data landscape.
- Implement Access Controls: Once data is classified, organizations should implement access controls tailored to the sensitivity of each category. Highly sensitive data should have stringent access restrictions, allowing only authorized individuals to view or modify it. These controls can include password protections, multi-factor authentication, and role-based access controls. Less sensitive data can have more flexible access measures.
- Use Encryption: Encryption is critical for protecting sensitive data both in transit and at rest. Organizations should employ strong encryption protocols to safeguard highly sensitive data. This ensures that even if the data is intercepted or accessed by unauthorized individuals, it remains unreadable and secure. Encryption tools should be regularly updated to address emerging threats and vulnerabilities.
- Regularly Audit and Monitor: Regular audits and monitoring are essential to maintaining effective data segmentation. Organizations should periodically review their data classification, access controls, and encryption protocols to ensure they remain appropriate and effective. Continuous monitoring can help identify potential security issues early, allowing for prompt remediation.
- Educate Employees: Employee awareness and training are crucial for successful data segmentation. Organizations should educate employees about the importance of data sensitivity, proper handling procedures, and security protocols. Regular training sessions can help reinforce these concepts and ensure that employees understand their role in protecting sensitive information.
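The five recommendations above, modelled end to end as an added Python example (this is illustration code written for this page, not code from the article, from CIS, or from any of the organizations named): records are classified into sensitivity tiers by content rules (step 1), each tier carries its own role and MFA requirements and required storage zone (step 2), an access check enforces those requirements and writes an audit entry (step 4), and a separate audit pass flags records sitting in a zone weaker than their tier requires. The tier names, roles, zones, classification patterns and sample records are all constructed assumptions; encryption at rest is represented only as a per-tier flag because the choice of cipher and key management is outside this example.

```python
"""Added example: a minimal model of CIS Safeguard 3.12 data segmentation.
All tiers, roles, zones, patterns and sample records are constructed
assumptions for illustration, not a real organization's policy."""
from dataclasses import dataclass, field
from enum import Enum
import re


class Tier(Enum):
    HIGH = 3       # e.g. account numbers, medical records, trade secrets
    MODERATE = 2   # e.g. routine HR communications
    LOW = 1        # e.g. marketing data, scheduling


# Controls required per tier (assumed policy, constructed for the example).
TIER_POLICY = {
    Tier.HIGH: {"roles": {"finance", "clinician"}, "mfa": True,
                "encrypted_at_rest": True, "storage_zone": "restricted"},
    Tier.MODERATE: {"roles": {"finance", "clinician", "hr"}, "mfa": True,
                    "encrypted_at_rest": True, "storage_zone": "internal"},
    Tier.LOW: {"roles": {"finance", "clinician", "hr", "marketing"}, "mfa": False,
               "encrypted_at_rest": False, "storage_zone": "general"},
}

# Step 1: identify and classify. Content rules stand in for a real data
# inventory; the patterns are constructed, not production detectors.
CLASSIFIERS = [
    (Tier.HIGH, re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),            # SSN-shaped
    (Tier.HIGH, re.compile(r"\b(account|diagnosis|trade secret)\b", re.I)),
    (Tier.MODERATE, re.compile(r"\b(salary|performance review)\b", re.I)),
]


def classify(text: str) -> Tier:
    """Return the highest tier whose rule matches; unmatched content is LOW."""
    tier = Tier.LOW
    for candidate, pattern in CLASSIFIERS:
        if pattern.search(text) and candidate.value > tier.value:
            tier = candidate
    return tier


@dataclass
class Record:
    record_id: str
    content: str
    storage_zone: str                  # where the record actually lives today
    tier: Tier = field(init=False)     # derived from content at creation

    def __post_init__(self) -> None:
        self.tier = classify(self.content)


@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool


def check_access(record: Record, req: Request, audit_log: list) -> bool:
    """Step 2: enforce the tier's role and MFA controls; log the decision (step 4)."""
    policy = TIER_POLICY[record.tier]
    reasons = []
    if req.role not in policy["roles"]:
        reasons.append(f"role {req.role} not permitted for {record.tier.name}")
    if policy["mfa"] and not req.mfa_verified:
        reasons.append("MFA required")
    allowed = not reasons
    audit_log.append({"user": req.user, "role": req.role, "record": record.record_id,
                      "tier": record.tier.name, "decision": "ALLOW" if allowed else "DENY",
                      "reasons": reasons})
    return allowed


def storage_violations(records) -> list:
    """Step 4 audit: ids of records stored in a zone other than their tier requires."""
    return [r.record_id for r in records
            if r.storage_zone != TIER_POLICY[r.tier]["storage_zone"]]


# Constructed sample data: one record is deliberately misplaced (med-2).
SAMPLE_RECORDS = [
    Record("acct-1", "Account 4411 wire transfer 12,000 USD", "restricted"),
    Record("hr-7", "Salary adjustment for Q3", "internal"),
    Record("mkt-3", "Spring campaign click-through stats", "general"),
    Record("med-2", "Diagnosis: type 2 diabetes; SSN 123-45-6789", "general"),
]


def run_demo():
    """Exercise classification, access checks and the storage audit."""
    by_id = {r.record_id: r for r in SAMPLE_RECORDS}
    log = []
    check_access(by_id["acct-1"], Request("ann", "finance", True), log)     # ALLOW
    check_access(by_id["acct-1"], Request("bob", "marketing", True), log)   # DENY: role
    check_access(by_id["hr-7"], Request("ann", "finance", False), log)      # DENY: MFA
    check_access(by_id["mkt-3"], Request("bob", "marketing", False), log)   # ALLOW
    return log, storage_violations(SAMPLE_RECORDS)


if __name__ == "__main__":
    entries, misplaced = run_demo()
    for e in entries:
        print(e)
    print("misplaced records:", misplaced)
```

The classification step picks the strictest matching tier, so a record that mixes marketing text with one account number is treated as highly sensitive; this mirrors the article's point that the most critical information gets the highest level of protection. The storage audit is the piece most often missing in practice: it catches the record that was classified correctly but saved to the wrong environment.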
Conclusion
CIS Safeguard 3.12 provides a robust framework for enhancing data security through segmentation. By categorizing data based on sensitivity and implementing tailored protection measures, organizations can better safeguard their most critical information. Real-world examples from the financial, healthcare, and corporate sectors illustrate the effectiveness of this approach. With careful planning, implementation, and ongoing education, organizations can create a secure data environment that minimizes the risk of breaches and protects their valuable assets.
Resources
Here’s a link to the Data Management Policy Template for CIS Control 3, provided free of charge by the fine folks at the Center for Internet Security:
Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 3 – Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.