CIS Control 3: Data Protection

DEEP DIVE

Explores strategies for enterprise data protection. Updating to ensure clear linkages to the central CIS Critical Security Controls v8 wiki page.

Updated 4/12/2026

Tags: cis, controls, data-protection, encryption, v8

Data protection is a cornerstone of modern cybersecurity, shifting the defensive focus from the perimeter and hardware directly to the information itself. As a critical component of the overarching CIS Critical Security Controls Version 8, CIS Control 3 establishes the required processes and technical safeguards to identify, classify, securely handle, retain, and dispose of enterprise data.

Data Governance and Identification

Before technical controls can be effectively applied, an enterprise must understand what data it possesses, where it lives, and how critical it is to the business.

Data Management Process and Classification

Organizations must establish a robust Data Management Process (Safeguard 3.1) that clearly defines data ownership, handling procedures, and lifecycle requirements based on organizational standards.

Coupled with this process is the creation of a Data Classification Scheme (Safeguard 3.7). Enterprises should adopt standardized labels to categorize data based on risk. Common classification tiers include:

  • Public: Data approved for external release (e.g., marketing materials).
  • Confidential: Internal data that would cause moderate harm if exposed (e.g., employee memos).
  • Sensitive: Highly restricted data that would cause severe financial or reputational damage if compromised (e.g., intellectual property, PII, PHI).

Both the management process and the classification scheme must be reviewed and updated annually, or whenever significant enterprise changes occur.

Inventories and Data Flows

You cannot protect unknown data. Enterprises are required to maintain a Data Inventory (Safeguard 3.2), prioritizing sensitive information at a minimum. To accurately track this information, organizations must formally Document Data Flows (Safeguard 3.8). This documentation maps how data moves between systems, applications, and networks.

Edge Case: Third-party vendor integrations are a frequent blind spot. Data flow documentation must explicitly include service provider data flows to ensure data is not inadvertently exposed outside the enterprise perimeter.
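A consistency check over a data inventory and its documented flows, added here as an illustration (not CIS or vendor tooling): the record layout, the approved-provider list and the sample datasets and flows are constructed assumptions. It flags flows for data that was never inventoried, external flows that name no service provider, and non-public data sent to a provider outside the approved list, which is the third-party blind spot described above.

```python
# Inventory and data-flow consistency checks (Safeguards 3.2 and 3.8). Added illustration,
# not CIS or vendor tooling; record layout, provider list and sample data are constructed.
from dataclasses import dataclass

CLASSES = ("Public", "Confidential", "Sensitive")   # scheme from Safeguard 3.7
@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str
    owner: str          # accountable owner per the data management process (3.1)

@dataclass(frozen=True)
class Flow:
    dataset: str
    source: str
    destination: str
    external: bool = False   # crosses the enterprise perimeter
    provider: str = ""       # service provider name, required when external

def check_flows(inventory, flows, approved_providers):
    """Return findings as strings; an empty list means the documentation is consistent."""
    by_name = {d.name: d for d in inventory}
    findings = []
    for d in inventory:
        if d.classification not in CLASSES:
            findings.append(f"{d.name}: unknown classification '{d.classification}'")
    for f in flows:
        ds = by_name.get(f.dataset)
        if ds is None:   # a flow for data nobody inventoried is the classic blind spot
            findings.append(f"{f.source}->{f.destination}: dataset '{f.dataset}' not in inventory")
        elif f.external and not f.provider:
            findings.append(f"{f.dataset}: external flow to {f.destination} names no provider")
        elif f.external and ds.classification != "Public" and f.provider not in approved_providers:
            findings.append(f"{f.dataset}: {ds.classification} data sent to unapproved provider {f.provider}")
    return findings

INVENTORY = [   # constructed sample
    DataSet("hr-payroll", "Sensitive", "hr-director"),
    DataSet("press-kit", "Public", "marketing"),
    DataSet("intranet-memos", "Confidential", "comms"),
]
FLOWS = [       # constructed sample
    Flow("hr-payroll", "hr-db", "payroll-saas", external=True, provider="AcmePayroll"),
    Flow("intranet-memos", "intranet", "backup-saas", external=True, provider="UnvettedBackupCo"),
    Flow("press-kit", "web-cdn", "internet", external=True),   # no provider named
    Flow("customer-crm", "crm-db", "analytics"),               # never inventoried
]
def findings():
    return check_flows(INVENTORY, FLOWS, approved_providers={"AcmePayroll"})
```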

Access Control and Data Lifecycle

Protecting data requires strict limitations on who can interact with it and how long it remains within the enterprise environment.

Need-to-Know Access

Data should only be accessible to users and systems that require it for legitimate business functions. Enterprises must configure Data Access Control Lists (Safeguard 3.3), commonly known as access permissions, based on the principle of "need to know." These restrictions must be consistently applied across local file systems, remote file shares, databases, and individual applications. This practice aligns closely with the identity principles outlined in CIS Control 6: Access Control Management.

Retention and Secure Disposal

A major trap organizations fall into is indefinite data hoarding, which severely increases compliance risk and liability during a breach. To mitigate this, organizations must enforce strict Data Retention policies (Safeguard 3.4). Effective retention policies must define both minimum timelines (to satisfy legal and regulatory requirements) and maximum timelines (to reduce liability by purging stale data).

When data reaches the end of its lifecycle, organizations must securely Dispose of Data (Safeguard 3.5). The chosen disposal method—whether cryptographic erasure, physical destruction, or secure wiping—must be commensurate with the data's classification level. For practical implementation, refer to the NIST SP 800-88r1 Guidelines for Media Sanitization.
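The retention and disposal logic of Safeguards 3.4 and 3.5 worked through in code, added here as an example (not CIS tooling): the minimum/maximum timelines per classification, the mapping from classification to disposal method, and the sample records are constructed assumptions that an enterprise would replace with its own policy. A record below its minimum timeline is retained, one past its maximum is queued for disposal with a method matching its tier, and a legal hold overrides the maximum.

```python
# Retention and disposal evaluation (Safeguards 3.4 and 3.5). Added example, not CIS tooling;
# the policy table, method mapping and sample records are constructed assumptions.
from datetime import date

# Minimum keeps data long enough for legal/regulatory needs; maximum purges stale data.
RETENTION_DAYS = {              # classification: (minimum, maximum)
    "Public": (0, 365),
    "Confidential": (90, 3 * 365),
    "Sensitive": (7 * 365, 10 * 365),
}

# Disposal method commensurate with classification (NIST SP 800-88r1 clear/purge/destroy tiers).
DISPOSAL_METHOD = {
    "Public": "clear (ordinary deletion)",
    "Confidential": "purge (secure wipe)",
    "Sensitive": "cryptographic erase or physical destruction",
}

def evaluate(record, today):
    """Return (action, detail): 'retain', 'review' or 'dispose' for one record."""
    lo, hi = RETENTION_DAYS[record["classification"]]
    age = (today - record["created"]).days
    if record.get("legal_hold"):            # a hold always overrides the maximum timeline
        return "retain", "legal hold in effect"
    if age < lo:
        return "retain", f"{lo - age} days until minimum retention is met"
    if age > hi:
        return "dispose", DISPOSAL_METHOD[record["classification"]]
    return "review", "inside retention window; owner confirms continued business need"

RECORDS = [   # constructed sample
    {"id": "memo-2019", "classification": "Confidential", "created": date(2019, 3, 1)},
    {"id": "payroll-2015", "classification": "Sensitive", "created": date(2015, 1, 15)},
    {"id": "payroll-2014", "classification": "Sensitive", "created": date(2014, 1, 15), "legal_hold": True},
    {"id": "phi-2024", "classification": "Sensitive", "created": date(2024, 6, 1)},
    {"id": "brochure", "classification": "Public", "created": date(2026, 2, 1)},
]

def plan(today=date(2026, 4, 12)):
    """Map record id to its retention decision as of `today`."""
    return {r["id"]: evaluate(r, today) for r in RECORDS}
```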

Data Encryption Strategies

Cryptographic protections are mandatory to safeguard data against physical theft, interception, and unauthorized access. Organizations should look to standards like NIST FIPS 140-2 and FIPS 140-3 when validating cryptographic modules.

Protecting Data at Rest

Endpoints are highly susceptible to loss or theft. It is imperative to Encrypt Data on End-User Devices (Safeguard 3.6) that contain sensitive data. Standard implementations leverage native OS encryption tools:

  • Windows BitLocker®
  • Apple FileVault®
  • Linux® dm-crypt

Similarly, organizations must Encrypt Data on Removable Media (Safeguard 3.9). USB drives and external hard drives are easily lost; encrypting these devices prevents opportunistic data extraction.

Protecting Data in Transit

To prevent man-in-the-middle (MitM) attacks and packet sniffing, organizations must Encrypt Sensitive Data in Transit (Safeguard 3.10). All sensitive data moving across networks—including internal networks, the internet, and cloud environments—must be protected using strong, modern encryption protocols (e.g., TLS 1.2 or higher).

Architectural Considerations

Data classification should directly influence network design. Once data sensitivity is mapped to specific applications and enterprise assets (as outlined in CIS Control 1: Inventory and Control of Enterprise Assets), the network infrastructure should be segmented accordingly.

Assets handling the same sensitivity levels should be grouped on the same network segments and isolated from assets handling different classifications. As detailed in CIS Control 12: Network Infrastructure Management, firewalls and network access controls must be deployed to restrict traffic between these segments, ensuring that only authenticated users with a legitimate business need can cross security boundaries to access sensitive data stores.
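A check that the segmentation described above actually holds, added here as an example (not CIS tooling): the asset records, segment names and the firewall-rule shape are constructed assumptions. It reports any segment that hosts assets of more than one classification, and any rule that lets traffic from a lower-classification segment reach a higher one without authentication.

```python
# Classification-driven segmentation check (CIS Controls 1, 3 and 12). Added example, not CIS
# tooling; asset records, segment names and the firewall-rule layout are constructed assumptions.
RANK = {"Public": 0, "Confidential": 1, "Sensitive": 2}

ASSETS = [   # constructed: (asset, highest classification handled, network segment)
    ("web-cdn", "Public", "dmz"),
    ("intranet", "Confidential", "corp"),
    ("hr-db", "Sensitive", "restricted"),
    ("analytics", "Confidential", "restricted"),   # lower-tier asset on the Sensitive segment
]

RULES = [   # constructed: (source segment, destination segment, requires authentication)
    ("corp", "restricted", True),
    ("dmz", "restricted", False),                  # unauthenticated path toward Sensitive data
    ("corp", "dmz", False),
]

def segment_levels(assets):
    """Map each segment to the set of classifications it hosts."""
    levels = {}
    for _, cls, seg in assets:
        levels.setdefault(seg, set()).add(cls)
    return levels

def check(assets=ASSETS, rules=RULES):
    """Return findings; empty means segments are homogeneous and boundary crossings are gated."""
    findings = []
    levels = segment_levels(assets)
    for seg, classes in sorted(levels.items()):
        if len(classes) > 1:
            findings.append(f"segment {seg} mixes classifications {sorted(classes)}")
    # The segment's protection level is the highest classification present on it.
    top = {seg: max(classes, key=RANK.get) for seg, classes in levels.items()}
    for src, dst, authenticated in rules:
        if RANK[top[dst]] > RANK[top[src]] and not authenticated:
            findings.append(f"rule {src}->{dst} reaches {top[dst]} data without authentication")
    return findings
```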