13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.

Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.