It’s time for a new guide for MSPs! The Safeguards within CIS Control 3 speak to the need for proper Data Protection. Implementation Group 1 (i.e.: the minimum we should do) covers some basic data management and protection practices such as:
- Establishing and documenting a process for data management
- Inventorying our data
- Configure Data Access Control Lists
- Enforce retention policies on our data (per our data management process)
- Securely dispose of our data (this is a big one)
- Encrypt our data on end-user devices (also a big one)
These Safeguards cover some of the most basic elements of protecting our data. We should all know by now that encrypting endpoint devices is both an inexpensive and significant win, for example. However, we can (and should) do more to protect our data.
As you dive into Control 3, IGs 2 and 3, things get more interesting. All the way up in Implementation Group 3, we have “Deploy a Data Loss Prevention Solution.” This sits all the way up in IG3 because 1) DLP solutions are historically expensive and hard to deploy, and 2) a full DLP project depends on some of the prior controls (like developing a data classification scheme).
However, I’m a huge fan of leveraging DLP, everywhere, and SMB solutions like Microsoft 365 Business Premium make it possible for SMBs to employ the technology. You see, every business manages some sort of sensitive data. How do you or your clients complete financial transactions? Ever caught an end user emailing credit card information? What about basic protection for patient data for smaller practices? The list goes on.
In this guide, we’ll focus on the basic data loss prevention measures that any business can deploy right now to reduce the likelihood of an accidental or malicious data leakage and reduce their overall liability when interacting with data.
