14.7: Enforce Access Control to Data Through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Asset Type |
Security Function |
Implementation Groups |
|---|---|---|
Data |
Protect |
3 |
Dependencies
Sub-control 1.4: Maintain Detailed Asset Inventory
Sub-control 1.5: Maintain Asset Inventory Information
Sub-control 2.1: Maintain Inventory of Authorized Software
Sub-control 2.5: Integrate Software and Hardware Asset Inventories
Inputs
The list of endpoints
The list of authorized software
Operations
Enumerate endpoints capable of storing data
Enumerate all DLP software
- For each instance of DLP software:
Enumerate the endpoints covered by the DLP software
Enumerate all endpoints covered by the set of DLP software
Complement the list of covered endpoints with the list of endpoints enumerated in the first operation to get the enumeration of endpoints not covered
Measures
M1 = List of endpoints capable of storing data
M2 = List of DLP software instances
M3 = List of all endpoints covered by the set of DLP software
M4 = List of all endpoints not covered by the set of DLP software
M5 = Count of endpoints capable of storing data (count of M1)
M6 = Count of DLP software instances (count of M2)
M7 = Count of endpoints covered by the set of DLP software (count of M3)
M8 = Count of endpoints not covered by the set of DLP software (count of M4)
Metrics
Coverage
Metric |
The ratio of endpoints covered by at least one DLP software instance to the total
number of endpoints capable of storing data
|
Calculation |
|