If you get the joke behind the title, you’re either as old as I am or spend hours on the Internet searching for ’80s commercials. Either way, good on ya!
In 2006, Clive Humby, a British mathematician and data science entrepreneur, coined the phrase “Data is the new oil.” Humby meant that data, like oil, isn't useful in its raw state. It needs to be refined, processed, and turned into something useful; its value lies in its potential. Many others have come up with different interpretations, and you’re about to get mine now.
I believe the phrase “Data is the new oil” carries a social weight: it communicates how powerful and lucrative data has become in the digital age. The continual increase in ransomware breaches carried out solely to gain access to data bears this out.
During a ransomware event, data is either exfiltrated, encrypted, or in most cases, both. The systems that store/access the data are also typically disabled. Paying the ransom “should”:
- Enable all the systems and decrypt the data
- Prevent the exfiltrated data from hitting the dark web or being sold to other malicious groups
- Prevent you from being attacked again
However, as we know, “should” rarely happens.
This leads us back to the last two Controls. You can’t protect what you can’t see. If you don’t know what data you have, where your data lives, what’s in your data, and who’s accessing your data, you can’t protect it. This Control and these next few Safeguards are going to address how you can protect your data.
It is imperative for organizations to develop a data management process that includes a data management framework, data classification guidelines, and requirements for protection, handling, retention, and disposal of data. We’ll dive into the most important components over the next few posts.
Here’s the CIS definition of this Control/Safeguard. If you want more detail, DM me.
CIS Control 3 – Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Implementation Group 1
CIS Safeguard 3.1 – Establish and Maintain a Data Management Process
Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
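The Safeguard lists the attributes every data set in the inventory needs (sensitivity, owner, handling, retention limit, disposal requirement) and the annual review cadence. The following is an added example, not CIS material or code from this post, showing how those requirements can be operationalised as a simple inventory check: it flags records missing a required attribute, records whose retention limit has elapsed and are due for disposal, and records whose documentation has not been reviewed within the year. The asset names, owners, dates and field names are all constructed for illustration.

```python
from dataclasses import dataclass, fields
from datetime import date, timedelta
from enum import Enum


class Sensitivity(Enum):
    """Classification tiers; the tier names are this example's own assumption."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    RESTRICTED = 4


@dataclass(frozen=True)
class DataAsset:
    """One row of the data inventory, one field per Safeguard 3.1 attribute."""
    name: str
    owner: str                 # accountable data owner
    sensitivity: Sensitivity   # data sensitivity
    handling: str              # handling requirements for this tier
    retention_days: int        # retention limit from the enterprise standard
    disposal: str              # disposal requirement once retention ends
    created: date              # start of the retention clock
    last_reviewed: date        # when this entry's documentation was last reviewed


REVIEW_INTERVAL_DAYS = 365  # "review and update documentation annually"

# Constructed sample inventory; none of these are real systems.
INVENTORY = [
    DataAsset("customer-pii-db", "crm-team", Sensitivity.RESTRICTED,
              "encrypt at rest; MFA for access; access logged",
              retention_days=7 * 365, disposal="crypto-shred",
              created=date(2023, 1, 15), last_reviewed=date(2024, 1, 10)),
    DataAsset("marketing-web-logs", "web-ops", Sensitivity.INTERNAL,
              "internal network only", retention_days=90,
              disposal="secure delete", created=date(2024, 1, 1),
              last_reviewed=date(2023, 3, 1)),
    DataAsset("press-releases", "", Sensitivity.PUBLIC,
              "no restrictions", retention_days=10 * 365, disposal="delete",
              created=date(2020, 5, 1), last_reviewed=date(2024, 5, 1)),
]

TODAY = date(2024, 6, 1)  # fixed reference date so the checks are repeatable


def missing_fields(asset):
    """Names of required text attributes that were left blank."""
    return [f.name for f in fields(asset)
            if f.type is str and not getattr(asset, f.name).strip()]


def past_retention(inventory, today):
    """Assets whose retention limit has elapsed and are due for disposal."""
    return [a.name for a in inventory
            if today - a.created > timedelta(days=a.retention_days)]


def review_overdue(inventory, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Assets whose documentation has not been reviewed within the interval."""
    return [a.name for a in inventory
            if today - a.last_reviewed > timedelta(days=interval_days)]


def by_sensitivity(inventory):
    """Asset names ordered most sensitive first, for prioritising remediation."""
    return [a.name for a in sorted(inventory,
                                   key=lambda a: a.sensitivity.value,
                                   reverse=True)]


if __name__ == "__main__":
    for asset in INVENTORY:
        gaps = missing_fields(asset)
        if gaps:
            print(f"{asset.name}: missing {', '.join(gaps)}")
    print("due for disposal:", past_retention(INVENTORY, TODAY))
    print("review overdue:", review_overdue(INVENTORY, TODAY))
    print("priority order:", by_sensitivity(INVENTORY))
```

Run against the sample inventory, the checks report the web logs as both past their 90-day retention limit and overdue for review, and the press-release entry as lacking an owner; the real work in an enterprise is feeding this kind of check from an authoritative inventory rather than a hard-coded list.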