9 hours 24 minutes
Everyone, welcome back to the course. So in the last video, we took a look at how boundary defense mapped up to the NIST Cybersecurity Framework. So again, that was control number 12, and in this video, we're gonna talk through control number 13, which is data protection.
So when we talk about data protection, we need to focus on, as an organization, what is our sensitive data? And then what data, what type of data, is actually critical to us sustaining business operations?
So as an example, from, like, healthcare: sensitive data is, of course, patient records, right, financial data, as well as probably some intellectual property.
But what is our critical data? Well, I would argue, from being a practitioner in the past, the critical data, some of it at least, is going to be that patient's chart, because what happens if the patient's been on certain medication and the doctor needs to see their last vital signs, and then a ransomware attack occurs and you can't look that information up, right? Usually most organizations will have a backup plan. Let's say it doesn't, right? Let's say they don't have one.
You need to understand what is your critical data and how can you protect that better, because you don't want that situation to occur. And then also, when we talk about critical infrastructure, like SCADA, that's where we're also talking about that critical data that, if something happens, it could really affect lives and even cost people their lives in some instances.
So sub-control 13.1: we want to maintain an inventory of the sensitive information. So whatever information we deem to be sensitive, we need to make sure we inventory what's being stored, what's being processed, what sensitive data is being transmitted. So basically, we're gonna be looking at those on site as well as any off-site remote service providers, etcetera, etcetera, right? So, basically, where is that sensitive data at? Where's it going? How's it being sent? And we need to maintain an inventory of how that's moving around.
Sub-control 13.2: remove sensitive data or systems that aren't regularly accessed by the organization. So, as an example, I shouldn't have sensitive data on my local machine if I don't actually need it there, right? So there should be something in place to track that and remove it if I'm trying to store sensitive data on my local device.
Also, if we've got systems that no one normally accesses, we want to make sure we don't put sensitive data on those, right? Or we want to make sure that the systems with sensitive data are standalone systems, right? We want to take them off our traditional network and disconnect them, so to speak, and segment them out. So that way, nobody else could get into it and get access to that sensitive data and possibly manipulate it or steal it or something else.
Sub-control 13.3: monitor and block any type of unauthorized network traffic. You'll see this commonly throughout most of this course. We want to block anything that's unauthorized, so that way we can help protect our data better.
Sub-control 13.4: we want to only allow access to authorized cloud storage or email providers.
Sub-control 13.5: just monitor and detect any unauthorized use of encryption, so somebody's trying to encrypt something and send it outside of the network. So as part of that data loss prevention, we want to make sure we monitor that and say, wait a minute, why is this person trying to encrypt this, right?
Sub-control 13.6: encrypt the mobile device data. We want to use any type of approved cryptographic mechanism. So basically, the latest encryption, use that to protect any type of data that's being stored in our mobile devices. Specifically, one common way of doing this is enabling, like, full disk encryption on a company laptop, right? So that way, if it's stolen from a trunk of a car or something, it's very difficult for the attacker to get that data on the laptop.
Sub-control 13.7: that's where we talk about managing USB devices. So if for some reason your organization is using USB storage devices, just making sure that there's only specific devices that are allowed, so list, you know, issued by the company, and then also making sure that there's an inventory of those devices to make sure that people aren't just taking those home or something like that.
Sub-control 13.8: managing the system's external removable media. So basically the read/write configuration, right? So we don't want to have somebody plug something in and have it write onto our systems and corrupt our data. And also, if there's no legitimate business reason why someone's trying to plug in that removable media, we want to make sure we block that, right? We don't want them to be plugging it in just because.
And finally, sub-control 13.9. So we're talking about encrypting data on USB storage devices. So again, if you're actually using USB storage devices, you want to make sure that you're encrypting that data while it's at rest.
All right. So in this video we just took a look at CIS Control number 13, again around data protection, and in the next video, we're gonna see how that maps up to the NIST Cybersecurity Framework.
CIS Top 20 Critical Security Controls
This course will provide students with an overview of the CIS Top 20 Critical Security Controls v7.1. Students in this course will learn each CIS control and why it is important to an organization.