It is of prime importance to any organization to identify sensitive information and control access to it. Data Protection is one of the important 20 CIS Controls defined by Council on Cyber Security. A data classification scheme should be in place to recognize the sensitivity of the data and classify it into various levels. Once the sensitive information is classified into various levels, action needs to be taken to maintain control over who accesses the data.
Following are top 4 action items required to maintain appropriate control for data protection:
Isolate the highly sensitive information which is rarely used
The sensitive information data servers or systems which are not required in daily use must be removed from the network in order to avoid any data breach on those systems. These systems may be used as stand-alone systems as and when needed and not connected to the network.
Automate network traffic Monitoring
All the incoming and outgoing network traffic should be monitored and tracked by an automated tool. The automated systems should be capable enough to block any unauthorised transfer of sensitive data and should be able to immediately alert the cyber security team of the organization. This will curb any unauthorized transfer of sensitive data.
All the hard drives and USBs should be encrypted
All the hard drive of systems as well as mobile devices should be encrypted with whole disk encryption softwares in order to add an extra layer of security. If USBs are required for the business, they should be managed via an inventory.
Manage Read and Write operations on external devices
Configure systems in such a way that writing to external devices is not permitted. This will protect the data from being stolen internally using external devices.
Maintaining appropriate controls will enhance security and reduce data breaches in your organization. It is the key to protecting your sensitive data and keep your network secure.