Security Control 15: Controlled Access Based on the Need to Know

Prevent attackers from gaining access to highly sensitive data: Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to nonpublic data and files.

Key: REQ = Required, REC = Recommended, OPT = Optional

ID    Details

15.1  Establish an ongoing process for data identification and classification.
      High: REQ   Med: REQ   Low: REQ

15.2  Ensure that file shares have defined controls (such as Windows share access control lists) that specify at least that only "authenticated users" can access the share.
      High: REQ   Med: REQ   Low: REQ

15.3  Networks should be segmented based on the risk of the information stored on the servers. Whenever information flows over a network of lower risk, the information should be encrypted.
      High: REQ   Med: REQ   Low: REQ

15.4  Enforce detailed audit logging for access to data.
      High: REQ   Med: REC   Low: OPT

15.5  The use of portable USB drives should either be limited, or data should automatically be encrypted before it is written to a portable drive.
      High: REQ   Med: REC   Low: OPT
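The classification registry, share ACL review and audit review that 15.1, 15.2 and 15.4 call for can be exercised together. The Python below is an added example, not part of this control text or of any product: the UNC paths, share ACL entries (in the shape Get-SmbShareAccess reports them, SID plus Allow/Deny), account-to-group map and audit lines (a simplified 'timestamp event account access path' form modelled on Windows event 4663) are all constructed, and the rule that HIGH data must not be readable by all Authenticated Users is an assumed local policy, stricter than the 15.2 minimum.

```python
"""Added example, not from the original control text: need-to-know checks over
constructed sample data, covering a classification registry (15.1), a review
of SMB share ACLs (15.2) and a review of file-access audit records (15.4)."""
from dataclasses import dataclass

# 15.1: registry keyed by UNC path prefix; the longest matching prefix wins,
# and a path with no entry is treated as HIGH so that gaps fail closed.
CLASSIFICATION = {
    r"\\fs01\payroll": "HIGH",
    r"\\fs01\finance": "MEDIUM",
    r"\\fs01\public": "LOW",
}

# Groups allowed to read each nonpublic level (assumed local policy).
NEED_TO_KNOW = {
    "HIGH": {"CORP\\Payroll-Admins"},
    "MEDIUM": {"CORP\\Finance", "CORP\\Payroll-Admins"},
}

# Well-known SIDs whose Allow entry makes a share reachable without proving an identity.
UNAUTHENTICATED_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-32-546": "Guests",
}
AUTHENTICATED_USERS_SID = "S-1-5-11"

# Constructed directory export: the groups each account holds.
GROUP_MEMBERSHIP = {
    "CORP\\jsmith": {"CORP\\Finance"},
    "CORP\\pwong": {"CORP\\Finance", "CORP\\Payroll-Admins"},
    "CORP\\tjones": {"CORP\\Helpdesk"},
}


def classify(path: str) -> str:
    """Return the classification level of a UNC path or share root."""
    p = path.lower()
    best_prefix, best_level = "", "HIGH"
    for prefix, level in CLASSIFICATION.items():
        pre = prefix.lower()
        if (p == pre or p.startswith(pre + "\\")) and len(pre) > len(best_prefix):
            best_prefix, best_level = pre, level
    return best_level


@dataclass(frozen=True)
class ShareAce:
    share: str   # UNC path of the share root
    sid: str     # principal the entry applies to
    access: str  # "Allow" or "Deny", as Get-SmbShareAccess reports it


def review_share_acls(aces: list[ShareAce]) -> dict[str, list[str]]:
    """15.2: findings per share. An Allow entry for an unauthenticated principal
    fails at every tier; an Allow entry for all Authenticated Users on HIGH data
    is reported as wider than need to know (assumed policy, stricter than 15.2)."""
    findings: dict[str, list[str]] = {}
    for ace in aces:
        if ace.access != "Allow":
            continue
        problems = findings.setdefault(ace.share, [])
        if ace.sid in UNAUTHENTICATED_SIDS:
            problems.append(f"Allow for {UNAUTHENTICATED_SIDS[ace.sid]} ({ace.sid})")
        elif ace.sid == AUTHENTICATED_USERS_SID and classify(ace.share) == "HIGH":
            problems.append("HIGH data readable by all Authenticated Users")
    return {share: p for share, p in findings.items() if p}


def find_need_to_know_violations(log: str) -> list[tuple[str, str, str, str]]:
    """15.4: audit records only help if someone reviews them. Each constructed line
    is 'timestamp event account access path' (4663 = Windows object access event);
    flag nonpublic accesses by accounts holding no authorised group for that level."""
    hits = []
    for line in log.strip().splitlines():
        ts, event, account, _access, path = line.split(maxsplit=4)
        level = classify(path)
        if event != "4663" or level == "LOW":
            continue
        if not (GROUP_MEMBERSHIP.get(account, set()) & NEED_TO_KNOW[level]):
            hits.append((ts, account, level, path))
    return hits


SAMPLE_ACES = [  # constructed
    ShareAce(r"\\fs01\public", "S-1-1-0", "Allow"),
    ShareAce(r"\\fs01\finance", "S-1-5-11", "Allow"),
    ShareAce(r"\\fs01\payroll", "S-1-5-11", "Allow"),
    ShareAce(r"\\fs01\payroll", "S-1-5-7", "Deny"),
]
SAMPLE_AUDIT_LOG = r"""
2024-05-02T09:14:03Z 4663 CORP\jsmith ReadData \\fs01\finance\q1-forecast.xlsx
2024-05-02T09:15:41Z 4663 CORP\tjones ReadData \\fs01\payroll\salaries.xlsx
2024-05-02T09:16:10Z 4663 CORP\pwong WriteData \\fs01\payroll\salaries.xlsx
2024-05-02T09:17:55Z 4656 CORP\tjones ReadData \\fs01\payroll\salaries.xlsx
2024-05-02T09:18:30Z 4663 CORP\tjones ReadData \\fs01\public\holidays.pdf
"""  # constructed

if __name__ == "__main__":
    for share, problems in review_share_acls(SAMPLE_ACES).items():
        print(share, "->", "; ".join(problems))
    for hit in find_need_to_know_violations(SAMPLE_AUDIT_LOG):
        print("need-to-know violation:", hit)
```

Run the file directly to print the findings. Against real systems the ACE list would come from Get-SmbShareAccess on each file server, the audit lines from the Security log of the server holding the data, and the classification and group maps from the data owners and the directory; the review step is what turns the 15.4 logging requirement into a control rather than a record.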

Additional Reading