By the Center for Internet Security
Attacks like Spectre and Meltdown brought data privacy to the forefront of cybersecurity in 2018. The year also ushered in new regulations concerning data protection, including the EU General Data Protection Regulation (GDPR). These activities opened up fresh opportunities to review and advance our incident response planning and data management processes. Yet two years later, many organizations are still lagging behind when it comes to data privacy and protection. In 2020, it’s up to every organization to develop and implement a solid Data Protection Plan (DPP). Let’s look at some of the challenges and opportunities created by the need for a strong DPP.
Understanding data flow
In order to create an effective DPP, your organization first needs to develop a clear picture of its data flow. There are areas around information handling which every organization will need to review and fine-tune. Some questions to start your investigation:
- What data do we have?
- How do we use it?
- Where is it stored and processed?
The answers to these questions will form a reference point for your organization to gain a controlled foothold over its data and information management processes. Your specific industry dictates the type of data you have (payment information, customer data, health records, etc.), and the data type will shape the answers. Still, the questions need to be asked, understood, and documented in a DPP. If you don’t have a plan in place, now’s the time to start developing one.
What makes a solid DPP?
Elements of a DPP
- Objective: Specific to organizational security policies or regulatory controls such as GDPR/NIST.
- Roles and responsibilities: Addresses key roles in the organization and the data protection responsibilities of each.
- Data protection risks: Identifies potential security risks as related to sensitive data.
- Acceptable use policies: Applies to different classes of data within an organization.
- Data storage requirements: Must consider how to manage the storage size of data (including backups!).
- Data utilization: Addresses how data is used within the organization.
- Data integrity and assurance: Examines how to securely store and transfer data.
Bringing each of these elements together can seem overwhelming; however, there are cybersecurity best practices your organization can follow. The CIS Controls are prioritized defensive security actions that can provide a strong starting point for understanding how to build your organization’s DPP. In particular, CIS Control 13 focuses on data protection.
Learn more: CIS Controls
Applying CIS Control 13
The CIS Controls Implementation Groups (IGs) take a horizontal look at prioritizing cybersecurity best practices based on an organization’s available resources and maturity level. For CIS Control 13, the IGs identify elements comprising a solid DPP for any size organization.
Leveraging the CIS Controls IGs can help organizations with varying technical resources and capabilities build a DPP. Every organization, regardless of size or capability, should start with IG1. There are three CIS Sub-Controls from CIS Control 13 that support building a DPP. See the chart below for more details.
Specifically, organizations should focus on these steps when starting to develop a DPP:
- Inventorying sensitive information (13.1): You have to know what data is sensitive in your organization in order to determine which security controls need to be in place.
- Removing sensitive systems and data which aren’t regularly accessed (13.2): Make sure your assets are properly segmented and disconnected when not in use. This will limit the chance that sensitive data is compromised in case of an attack.
- Encrypting data for mobile devices (13.6): As part of your organization’s mobile device policy, use approved whole disk encryption software.
More mature organizations should strive to implement additional CIS Sub-Controls found in IG1 and IG2 as part of a growing DPP.
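The three IG1 steps above can be turned into a repeatable check. The script below is an added example, not CIS code and not part of the original post: it builds a small sensitive-data inventory (13.1) from constructed sample records, flags sensitive stores that have not been accessed within a configurable window as candidates for removal or disconnection (13.2), and flags sensitive data held on mobile devices without whole-disk encryption (13.6). The asset records, the 180-day staleness threshold, and the simplified detection patterns (e-mail, SSN-style numbers, Luhn-valid card numbers) are assumptions for illustration, not CIS guidance.

```python
"""Toy sensitive-data inventory check modelled on CIS Sub-Controls 13.1, 13.2 and 13.6.

Added example, not CIS code. The asset records are constructed and the
classification rules are simplified assumptions for illustration.
"""
import re
from datetime import date

# Constructed sample inventory: each record describes a data store and a
# small content sample (a real scan would read the store itself).
ASSETS = [
    {"name": "crm-db", "device": "server", "encrypted": True,
     "last_access": date(2020, 1, 10),
     "sample": "alice@example.com, 4111 1111 1111 1111"},
    {"name": "old-export.csv", "device": "laptop", "encrypted": False,
     "last_access": date(2019, 3, 2),
     "sample": "bob@example.com, 123-45-6789"},
    {"name": "marketing-copy", "device": "laptop", "encrypted": False,
     "last_access": date(2020, 1, 15),
     "sample": "Spring campaign launches next month."},
]

# Simplified detection patterns (assumption: enough for the demo, not exhaustive).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pan": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive data types found in a content sample (13.1)."""
    found = set()
    for kind, rx in PATTERNS.items():
        for match in rx.findall(text):
            if kind == "pan" and not luhn_ok(re.sub(r"\D", "", match)):
                continue
            found.add(kind)
    return found


def inventory(assets, today: date, stale_days: int = 180) -> list:
    """Build the inventory and attach 13.2 / 13.6 findings to each sensitive asset."""
    report = []
    for asset in assets:
        kinds = classify(asset["sample"])
        findings = []
        if kinds:
            if (today - asset["last_access"]).days > stale_days:
                findings.append("stale sensitive data: remove or disconnect (13.2)")
            if asset["device"] == "laptop" and not asset["encrypted"]:
                findings.append("sensitive data on unencrypted mobile device (13.6)")
        report.append({"name": asset["name"],
                       "sensitive": sorted(kinds),
                       "findings": findings})
    return report


def run_check(today: date = date(2020, 2, 1)) -> list:
    """Run the check against the constructed assets as of a fixed reference date."""
    return inventory(ASSETS, today)


if __name__ == "__main__":
    for entry in run_check():
        print(entry["name"], entry["sensitive"], entry["findings"])
```

The report is the artifact a DPP needs: which stores hold which classes of data, and which of them currently violate the plan's storage rules. Replacing the constructed `ASSETS` list with output from an actual discovery tool, and the sample patterns with your organization's own classification rules, is the obvious next step.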
Getting ready for the future
No matter what 2020 holds, developing a solid DPP will be key to protecting your organization’s data. Building a strong DPP can help with:
- Day-to-day management of information
- Preparing your organization for any future breach or incident which may occur
- Ensuring data within an organization is properly defined, labeled, and controlled
- Mitigating against ransomware attacks by limiting an attacker’s access to sensitive data
To get more information about leveraging your organization’s DPP for GDPR compliance and other cybersecurity best practices, download our free eBook: A CISO’s Guide to Bolstering Cyber Defenses.