NIST CSF Series #9: Protect – Data Security

Protect Function - Data Security

Function:   Protect  (PR)
Category:  Data Security  (DS)

“Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.”


PR.DS-1:  Data-at-rest is protected

This area addresses the confidentiality and integrity of information at rest and covers both user information and system information.  Information at rest is information residing on storage devices that are components of information systems.  PII is readily recognized as requiring protection, but system information often is not.  Examples include configurations or rule sets on firewalls, gateways, intrusion detection/prevention systems, and filtering routers.

Using approved hard drive encryption software on mobile devices and systems that may hold sensitive data is important.  Many state laws treat laptops as “removable media”, so encryption must be in place before such a system leaves the physical control of the organization if there is any chance that sensitive information may be stored on it.

Audit Considerations

Auditors may look to see whether confidential or sensitive information has been identified on the network and on mobile devices, and whether that confidential data is secured.

Applicable CIS Critical Controls:

CIS Control 13 –  Data Protection

Data resides in many places.  The adoption of data encryption, both in transit and at rest, provides mitigation against data compromise.  Care should be taken to ensure that products used within an enterprise implement well known and vetted cryptographic algorithms.  Re-evaluation of the algorithms and key sizes used should be performed on an annual basis to ensure that organizations are not falling behind in the strength of protection applied to their data.


PR.DS-2:  Data-in-transit is protected

This area addresses the confidentiality and integrity of information as it is transmitted within and between internal and external networks.  The use of unencrypted channels such as e-mail, FTP, and telnet is discouraged; while convenient for some, they often lead to the unauthorized disclosure of information.  Sensitive information should only be transmitted over secure communication channels using up-to-date cryptographic mechanisms.

Remember that the secure transmission of sensitive data does not protect the data at its final location.  It only secures it in transit.

Audit Considerations

Auditors may determine if sensitive information is secured when transmitted across publicly accessible networks and if adequate policies are in place regarding transmission of sensitive information.

Applicable CIS Critical Controls:

CIS Control 13 –  Data Protection

Data resides in many places.  The adoption of data encryption, both in transit and at rest, provides mitigation against data compromise.  Care should be taken to ensure that products used within an enterprise implement well known and vetted cryptographic algorithms.  Re-evaluation of the algorithms and key sizes used should be performed on an annual basis to ensure that organizations are not falling behind in the strength of protection applied to their data. 


PR.DS-3:  Assets are formally managed throughout removal, transfers, and dispositions

Organizations may choose to implement a centralized information system component inventory that includes components from all information systems.  Alternatively, a process in which the inventory is kept manually and verified as up to date may be used.  Information for effective accountability of information systems may include hardware inventory specifications, software licensing, software versions, component owners, machine names, and IP addresses.

Additionally, a process for the disposition of decommissioned assets should be in place.  The process may include wiping hard drives (not just deleting files or quick formatting, which leave the data on the media) and verifying the wipe before sending equipment to surplus.
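The wipe-and-verify step above, as an added example rather than tooling the article provides.  It overwrites a file standing in for a drive, then checks that a known secret is gone and that every byte reads back as zero; the temporary file, the sample secret and the filler bytes are all constructed for the demonstration.  On a real decommissioned system the same functions would be pointed at the device node from a boot environment, never at a mounted OS disk.

```python
"""Wipe-and-verify for a decommissioned drive, demonstrated on a regular file.

Added example for this article, not tooling the article itself provides.
A temporary file stands in for a block device so it runs offline.
"""
import os
import tempfile

CHUNK = 1 << 20  # overwrite and read in 1 MiB blocks


def wipe(path: str, passes: int = 2) -> int:
    """Overwrite every byte of `path` in place and return the size wiped.

    All passes but the last write random data; the final pass writes zeros
    so the result can be verified cheaply. The file is opened with "r+b"
    (no truncation) so the existing blocks are overwritten rather than
    freed and reallocated elsewhere.
    """
    size = os.path.getsize(path)
    for p in range(passes):
        final = p == passes - 1
        with open(path, "r+b") as f:
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n if final else os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make sure the writes reached the media
    return size


def contains(path: str, needle: bytes) -> bool:
    """Scan `path` for `needle`, the spot check an auditor would run on a
    'wiped' drive. Keeps an overlap so a match spanning two chunks is
    not missed."""
    overlap = len(needle) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if needle in tail + chunk:
                return True
            tail = chunk[-overlap:] if overlap else b""


def is_zeroed(path: str) -> bool:
    """True when every byte of `path` is 0x00 (what the final pass left)."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def demo() -> dict:
    """Create a 'disk' holding a known secret, wipe it, and verify."""
    secret = b"CONFIDENTIAL: customer list 2023"  # constructed sample data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(3 * CHUNK))  # filler, like a used disk
        tmp.write(secret)
        tmp.write(os.urandom(1000))
        path = tmp.name
    try:
        before = contains(path, secret)
        size = wipe(path)
        return {
            "secret_present_before": before,
            "secret_present_after": contains(path, secret),
            "zeroed": is_zeroed(path),
            "bytes_wiped": size,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner should carry into the real procedure: on SSDs, wear levelling and over-provisioned blocks mean an overwrite from the host does not necessarily reach every cell that once held data, so the drive's built-in sanitize or cryptographic erase command (as described in NIST SP 800-88) is the appropriate wipe there, with a read-back check like `is_zeroed` still worth running afterwards.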

Audit Considerations

This will tie into asset inventories previously covered in the Identify function.  Auditors may look for asset inventory policies and procedures and accuracy of asset tracking/tagging.   Secure removal and/or destruction of confidential information from decommissioned assets may also be reviewed.

Applicable CIS Critical Controls:

CIS Control 1 – Inventory of Authorized and Unauthorized Devices

Disposition of assets requires an accurate inventory.  This may be done through an automated asset inventory tool or a discovery tool that updates a file kept separately.

CIS Control 2 –  Inventory of Authorized and Unauthorized Software

An inventory of authorized software allows better control for software licensing in the process of removal, transfer, and decommissioning of assets.


PR.DS-4:  Adequate capacity to ensure availability is maintained

Organizations that perform a regular review of their storage, CPU, and network capacity reduce the likelihood of that capacity being exceeded and causing a loss of service or data.  This also feeds contingency planning: in the event of a disaster, the essential information system components have already been identified and planned for.

Audit Considerations

Auditors may ask to review samples of capacity management monitoring reports to see that critical resources such as network bandwidth, CPU, and disk utilization are appropriately monitored.  They may also see if the risk of distributed denial-of-service has been addressed.


PR.DS-5:  Protections against data leaks are implemented

This covers a wide range of information protection processes and technology.   Controlling the flow of information, access control, and segregation of duties may all play a role in preventing the leaking of sensitive information.    So does applying the principle of least privilege, where only the access required to perform a function or job is assigned and nothing more.

This also may apply to self-provisioned cloud services such as Dropbox, Google Drive, and others where users may move information outside of the control of the organization.

Audit Considerations

Auditors may look for risk assessments or other information security documentation to determine if data loss prevention or exfiltration of confidential data has been considered.   They may also review the controls and tools in place to detect or block potential unauthorized or unintentional transmission or removal of confidential data (e-mail, FTP, USB devices).

Applicable CIS Critical Controls:

CIS Control 13 –  Data Protection

Data resides in many places.  The adoption of data encryption, both in transit and at rest, provides mitigation against data compromise.  Care should be taken to ensure that products used within an enterprise implement well known and vetted cryptographic algorithms.   Data loss prevention falls into this area, and is a comprehensive approach that covers people, processes, and systems to identify, monitor, and protect data in use, data in motion, and data at rest.   DLP controls are often based on policy and data classification.
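The detection half of a DLP control, for both the audit question above (tools that detect or block unauthorized transmission of confidential data) and the policy-and-classification point in CIS Control 13, as an added example that is not a product or the article's own tooling.  It inspects outbound messages for card numbers (validated with the Luhn check so ticket numbers do not trigger it), US SSNs, and a classification label, then applies a policy table to decide whether to allow, alert, or block.  The policy table, the "Confidential" label convention, and the sample messages are assumptions constructed for the demonstration.

```python
"""Content inspection for outbound messages, the detection half of DLP.

Added example for this article, not a product or the article's own tool.
The policy table, the classification marker and the sample messages are
all assumptions constructed for the demonstration.
"""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common dashed form, excluding area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Classification label that (assumed) policy says must not leave the organization.
LABEL_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)

# Assumed policy: action per finding type, driven by data classification.
POLICY = {"PAN": "block", "SSN": "block", "CONFIDENTIAL": "alert"}
SEVERITY = {"allow": 0, "alert": 1, "block": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out ticket numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(digits: str) -> str:
    """Keep only the last four digits in any log or alert we emit."""
    return "*" * (len(digits) - 4) + digits[-4:]


def findings(message: str) -> list:
    """Return (type, redacted evidence) pairs for every policy-relevant match."""
    out = []
    for m in PAN_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            out.append(("PAN", redact(digits)))
    for m in SSN_RE.finditer(message):
        out.append(("SSN", "***-**-" + m.group()[-4:]))
    if LABEL_RE.search(message):
        out.append(("CONFIDENTIAL", "classification label present"))
    return out


def decide(message: str) -> dict:
    """Apply POLICY to the findings; the most severe action wins."""
    found = findings(message)
    action = "allow"
    for kind, _ in found:
        if SEVERITY[POLICY[kind]] > SEVERITY[action]:
            action = POLICY[kind]
    return {"action": action, "findings": found}


SAMPLE_OUTBOUND = [  # constructed sample messages, not real data
    "Invoice attached, card 4111 1111 1111 1111 exp 12/26",
    "Ticket 1234567890123456 escalated to tier 2",
    "Employee SSN 123-45-6789 needed for payroll",
    "Classification: Confidential. Q3 roadmap attached.",
    "Lunch at noon?",
]


def scan(messages=SAMPLE_OUTBOUND) -> list:
    """Run the policy decision over a batch of outbound messages."""
    return [decide(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_OUTBOUND, scan()):
        print(f"{result['action']:5}  {result['findings']}  <- {msg}")
```

The pattern-plus-validation step matters in practice: a bare 16-digit regex fires on ticket and order numbers and trains users to ignore alerts, while the Luhn test rejects those without adding a lookup.  Redacting at the point of detection also keeps the DLP tool's own alerts and logs from becoming a second copy of the confidential data.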


PR.DS-6:  Integrity checking mechanisms are used to verify software, firmware, and information integrity

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity.  Software includes, for example, operating systems, middleware, and applications.  Firmware includes, for example, the system BIOS.   Information may include metadata such as security attributes associated with information.

Integrity checking tools can automatically monitor the integrity of information systems and hosted applications to make sure data has not been inappropriately changed.

Audit Considerations

Auditors may look for integrity verification tools (e.g. parity checks, CRC, cryptographic hashes) to detect unauthorized changes to software.  Note that parity checks and CRCs only catch accidental corruption: an attacker who can modify a file can just as easily recompute its CRC, so detecting deliberate tampering calls for cryptographic hashes or digital signatures, with the reference values stored where a compromised host cannot rewrite them.
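The kind of integrity checking tool the paragraphs above describe, as an added example rather than the article's own tooling: it records a keyed HMAC-SHA-256 digest of every file under a directory as a baseline, then compares a later scan against it and reports what was added, removed, or modified.  The directory layout, file contents, and simulated tampering are constructed sample data; the key is generated in the demo and would in practice be kept off the monitored host.

```python
"""File-integrity baseline and comparison, in the style of a host FIM tool.

Added example for this article, not the article's own tooling. The
directory layout and file contents below are constructed sample data.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, key: bytes) -> str:
    """Keyed digest of a file's contents, streamed so large binaries fit in memory.

    A keyed digest (HMAC) rather than a bare hash means an attacker who
    alters a file cannot also produce a matching baseline entry without
    the key.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: Path, key: bytes) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p, key)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines into added, removed and modified file lists."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline.keys() & current.keys()
            if baseline[name] != current[name]
        ),
    }


def demo() -> dict:
    """Baseline a sample tree, tamper with it, and report the differences."""
    key = os.urandom(32)  # in practice: kept off-host, never beside the baseline
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "agent").write_bytes(b"\x7fELF" + b"\x00" * 64)
        baseline = build_baseline(root, key)

        # Simulated unauthorized changes: a config edit, a removed binary,
        # and a new file dropped into the tree.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "agent").unlink()
        (root / "bin" / "helper").write_bytes(b"\x7fELF" + b"\x01" * 64)

        return compare(baseline, build_baseline(root, key))


if __name__ == "__main__":
    print(demo())
```

A baseline is only as trustworthy as its storage: if the host that holds the monitored files can also rewrite the baseline, a successful intruder simply re-baselines after tampering.  Keeping the key and the baseline on a separate system (or signing the baseline) is what turns the comparison into evidence an auditor can rely on.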


PR.DS-7:  The development and testing environment(s) are separate from the production environment

Development and testing environments must be adequately separated from the production environment to prevent unauthorized access or data integrity issues.   Segregation of duties is a necessary component in the separation to prevent end-to-end promotion of changes into production without appropriate oversight, authorization, and control.

Audit Considerations

Auditors may check whether the organization maintains a separate development or testing environment, and review network diagrams, database connections, and applicable firewall configurations to determine whether there is sufficient separation between these environments and the production network.   Segregation of duties will come into play.