13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Sub-control 13.2 states that you must remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Data | Protect | 1, 2, 3 |
Dependencies
- Sub-control 1.4: Maintain Detailed Asset Inventory
- Sub-control 13.1: Maintain an Inventory of Sensitive Information
Inputs
- List of sensitive systems: A list of sensitive systems. Ideally, this uses the endpoint inventory (sub-control 1.4).
  - Scanning the list of systems from sub-control 13.1 with Content Audit files can identify the systems that hold sensitive data.
- Access frequency: The access frequency for each sensitive system.
- Access frequency threshold: An organizationally defined access frequency threshold below which a system counts as infrequently used.
Assumptions
- Access to sensitive data takes place through some system. Therefore a system that processes, stores, or transmits sensitive data is a sensitive system.
- An isolation/exposure score of zero (no network exposure) is assumed to be ideal.
Operations
- Determine the subset of sensitive systems that are infrequently used (using all Inputs).
- For each infrequently used sensitive system, calculate the system's isolation/exposure score.
Measures
| Measure | Definition |
|---|---|
| M1 = List of all systems used to process sensitive information | A list of all systems used to process sensitive information. |
| M2 = Count of items in M1 | A count of the total number of items in M1. |
| M3 = Set of infrequently used sensitive systems | A list of infrequently used sensitive systems. |
| M4 = Count of infrequently used sensitive systems | A count of infrequently used sensitive systems. |
| M5 = List of infrequently used sensitive systems with isolation/exposure scores greater than 0 | A list of infrequently used sensitive systems with isolation/exposure scores greater than 0. |
| M6 = Count of items in M5 | A count of the total number of items in M5. |
Metrics
Coverage
| Metric | Calculation |
|---|---|
| The percentage of infrequently used sensitive systems that are not properly isolated. | M6 / M4 |
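The operations, measures, and coverage metric above can be computed directly from the inventory inputs. The following is an added illustration, not part of the CIS document; the `SensitiveSystem` record, the 90-day access window, the sample inventory, and the threshold of 10 are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SensitiveSystem:
    # Hypothetical inventory record joining the sub-control 1.4 endpoint inventory
    # with the sub-control 13.1 sensitive-data findings (constructed for this example).
    name: str
    accesses_per_90_days: int  # the "access frequency" input
    isolation_exposure: int    # 0 = disconnected/powered-off (ideal); >0 = reachable on the network


def infrequently_used(systems: List[SensitiveSystem], threshold: int) -> List[SensitiveSystem]:
    """M3: sensitive systems accessed fewer times than the organizational threshold."""
    return [s for s in systems if s.accesses_per_90_days < threshold]


def not_isolated(systems: List[SensitiveSystem]) -> List[SensitiveSystem]:
    """M5: infrequently used sensitive systems with an isolation/exposure score greater than 0."""
    return [s for s in systems if s.isolation_exposure > 0]


def compute_measures(systems: List[SensitiveSystem], threshold: int) -> Dict[str, object]:
    """Derive M1..M6 from the list of sensitive systems and the access threshold."""
    m1 = list(systems)                      # M1: all systems processing sensitive information
    m3 = infrequently_used(m1, threshold)   # M3: the infrequently used subset
    m5 = not_isolated(m3)                   # M5: those of M3 still exposed to the network
    return {"M1": m1, "M2": len(m1), "M3": m3, "M4": len(m3), "M5": m5, "M6": len(m5)}


def coverage_metric(measures: Dict[str, object]) -> float:
    """Percentage of infrequently used sensitive systems not properly isolated (M6 / M4).
    Lower is better; 0 means every rarely used sensitive system is off the network."""
    if measures["M4"] == 0:
        return 0.0  # no infrequently used sensitive systems, so nothing is left exposed
    return 100.0 * measures["M6"] / measures["M4"]


# Constructed sample inventory; names and values are illustrative only.
SAMPLE = [
    SensitiveSystem("hr-payroll-db", accesses_per_90_days=240, isolation_exposure=3),
    SensitiveSystem("legacy-claims-archive", accesses_per_90_days=2, isolation_exposure=2),
    SensitiveSystem("audit-vault-vm", accesses_per_90_days=1, isolation_exposure=0),
    SensitiveSystem("m-and-a-fileshare", accesses_per_90_days=4, isolation_exposure=1),
]
ACCESS_THRESHOLD = 10  # assumed organizational threshold: under 10 accesses per quarter is "infrequent"

if __name__ == "__main__":
    m = compute_measures(SAMPLE, ACCESS_THRESHOLD)
    print(f"M2={m['M2']} M4={m['M4']} M6={m['M6']} coverage={coverage_metric(m):.1f}%")
```

With the sample data, two of the three infrequently used systems remain reachable, so the metric reports 66.7%, and the M5 list names exactly the systems that should be disconnected or virtualized and powered off.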