CIS Control 13: Data Protection

Home  »  Blog  »  Cyber Security  »  CIS Control...

By Bill Minahan   |   March 30, 2021   |   0 Comments

CIS Control 13

CIS Control 13: Data Protection

What is CIS Control 13?

The CIS controls are a set of actions that protect your organization from the most pervasive cyber attacks. There are 20 total critical controls that prioritize the most essential actions your organization can take in order to gain the highest pay-off results.

CIS Control 13 focuses on the processes and tools used to prevent data exfiltration in order to mitigate the effects of exfiltrated data and ensure the privacy and integrity of sensitive information.

Why is this CIS Control Critical?

The CIS Controls are based on actionable guidance from today’s biggest threats, formed by the consensus of the world’s leading experts across a variety of sectors.

CIS Control 13 is critical because data resides in many places and protection of it is best achieved through the application of a combination of encryption, integrity protection, and data loss prevention techniques.

As organizations continue their move towards cloud computing and mobile access, it is critical to ensure that proper care be taken to limit and report on data exfiltration while also mitigating the effects of data compromise.

For instance, some organizations do not carefully identify and separate their most sensitive and critical assets from less sensitive, publicly accessible information on their internal networks.

Furthermore, in many environments, internal users have access to all or most of the critical assets.

Sensitive assets may also include systems that provide management of control of physical systems, such as Supervisory Control and Data Acquisition (SCADA). Once attackers have penetrated such a network, they can easily find and exfiltrate important information, cause physical damage, or disrupt operations with little to no resistance.

For example, in several high-profile data breaches over the past few years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access to far less important data.

In other cases, attackers were able to use access to the corporate network to gain access to, then control over, physical assets in order to cause damage.

As a result, it is important to manage the process and tools used to protect your data.

CIS Control 13: Procedures and Tools

It is essential that an organization understand what its sensitive information is, where it resides, and what users need access to it.

In order to derive sensitivity levels, organizations need to put together a list of the key types of data and the overall importance of said data to the organization.

Then, this analysis can be used to create an overall data classification scheme for the organization.

For instance, organizations should define labels such as “Sensitive”, “Business Confidential”, and “Public.” Afterward, they can classify their data according to those labels.

Once the private information has been identified, it can then be further subdivided based on the impact it would have on the organization if it were compromised.

After the sensitivity of the data has been identified, create a data inventory or mapping that identifies business applications and the servers that house those applications. The network then needs to be segmented so that systems of the same sensitivity level are on the same network and segmented from systems with different trust levels.

If possible, then firewalls need to control access to each segment.

Furthermore, access to data should be based on job requirements and only handed out on a need-to-know basis. Job requirements should be created for each user group in order to determine what information the group needs access to. Based on the requirements, access should only be given to the data segments or servers that are needed for each job function.

Finally, detailed logging should be turned on for servers in order to track access and allow for security personnel to examine incidents in which data was improperly accessed.

How to Implement CIS Control 13


Asset Type

Security Function

Control Title

Control Descriptions


Data Identify Maintain an Inventory of Sensitive Information  

Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider.



Data Protect Remove Sensitive Data or Systems Not Regularly Accessed by Organization  

Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.



Data Detect Monitor and Block Unauthorized Network Traffic  

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.



Data Protect Only Allow Access to Authorized Cloud Storage or Email Providers  

Only allow access to authorized cloud storage or email providers.



Data Detect Monitor and Detect Any Unauthorized Use of Encryption  

Monitor all traffic leaving the organization and detect any unauthorized use of encryption.



Data Protect Encrypt Mobile Device Data  

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.



Data Protect Manage USB Devices  

If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.



Data Protect Manage System’s External Removable Media’s Read/Write Configurations  

Configure systems not to write data to external removable media if there is no business need for supporting such devices.



Data Protect Encrypt Data on USB Storage Devices  

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.



Implementing CIS Controls

If your team is struggling to implement CIS Control 13 and could use the assistance of a third-party security provider, aNetworks is here to help. Our team of experts can assist with whatever level of service you require from consulting to complete implementation.

If you are interested in learning more about CIS Controls, view our comprehensive list here.

If you are interested, then please contact us below.

Contact Us

Furthermore, if you are looking for more information, check out our resource center here.

Finally, you can always find us on TwitterLinkedIn, and Facebook.

Category: Cyber Security