Overview of Control 13

00:00

everyone Welcome back to the core. So in the last video, we took a look at

00:04

how Barbary defense mapped up to the next cybersecurity framework. So again, that was control number 12 and this video, we're gonna talk through control number 13 which is data protection.

00:16

So when we talk about data protection, we need to focus on as an organization. What is our sensitive data? And then what data? What type of data is actually critical to us sustaining business operations

00:27

so as an example from like, healthcare sensitive data is, of course, patient records, right financial data as well as probably some intellectual property.

00:35

But what is our critical data? Well, I would argue from being a practitioner in the past

00:42

is, ah the critical data. Some of it, at least, is going to be that patient's chart because what happens if the patient's been on certain medication and the doctor needs to see their last vital signs and then ransomware attack occurs and you can't look that information upright? Usually most

00:58

organizations will have a backup plan. Let's say it doesn't right. Let's say they don't have one.

01:03

You need to understand what is your critical data. And how can you protect that? Better because you don't want that situation to occur. And then also, when we talk about critical infrastructure, lace keita that's where we're also talking about that critical data that if something happens, it could really affect lives and even cost people their lives in some instances,

01:22

so some control 13 1 We want to maintain an inventory of the sensitive information. So whatever information we deem to be sensitive, we need to make sure we inventory

01:32

what's being stored, what's being processed,

01:34

what sense of day is being transmitted

01:38

and even Ah, so basically, we're gonna be looking at those on site as well as any off site remote service providers, etcetera, etcetera, right? So, basically, where is that sensitive data at? Where's it going? House being sent? And we need to maintain an inventory of how that's moving around

01:56

sub control 13 to remove sensitive data or systems that we don't regularly access by the organization. So, as an example, I shouldn't have sensitive data on my local machine if I don't actually need it there, right, so there should be something in place to track that and remove it if I'm trying to store sensitive data on my local device.

02:14

Also, if we got systems that no one normally access is we want to make sure we don't put sense of the data on those right, or we want to make sure that those systems are The systems with sensitive data are standard load systems, right? We want to take them off our traditional network

02:31

and disconnect them, so to speak and segment them out. So that way, nobody else could get into it and

02:38

get access and a sense of data and possibly manipulated or steal it or something else.

02:44

Some control. 13 3 Monitor and block any type of unauthorized network traffic. You'll see it is commonly throughout most of this course. We want to block anything this unauthorized, so that way we can help protect our data. Better

02:58

some control. 13 4

03:00

We want to only allow access to authorized cloud storage or email providers.

03:07

Some control. 13 5 Just monitor detect any unauthorized use of encryption so somebody's trying to encrypt something and send it outside of the network. So part of that data loss prevention we want to make sure we monitor that and say wait a minute. Why is this person trying to encrypt this right?

03:28

Some control 13 6 Encrypt the mobile device data.

03:32

So

03:34

we want to use any type of approve cryptographic mechanism. So basically, the latest encryption used that to protect any type of data that's being stored in our mobile devices. Specifically, one common way of doing this is enabling, like full disk encryption on a company laptop, Right? So that way, if it's stolen from a trunk of a car or something,

03:53

it's very difficult for the attacker to get that data on the laptop

04:00

Some control. 13 7 That's where we talk about managing USB devices.

04:04

So if for some reason your organization is using USB storage devices, just making sure that

04:13

there's only specific devices that are allowed so list, you know, issued by the company and then also making sure that there's an inventory of of those devices to make sure that

04:23

people aren't just taking those home or something like that.

04:27

Some control 13 8 Managing the systems external removable media. So basically the read write configuration, right, so we don't want toe, have somebody plug something in and have it right onto our systems and corrupt our data.

04:40

And also, if there's no legitimate business reason why someone's trying to plug in that removable media, we want to make sure we blocked that right. We don't want them to be plugging it in just because.

04:51

And finally, some control. 13 9 So we're talking about encrypting data on USB storage devices. So again, if you're actually using USB stores devices, you want to make sure that your encrypting that data while it's at rest.