CIS Control 11: Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Why is this CIS Control Critical?
In the cybersecurity triad -- Confidentiality, Integrity, and Availability (CIA) -- the availability of data is, in some cases, more critical than its confidentiality. Enterprises need many types of data to make business decisions, and when that data is unavailable or untrusted, the enterprise can be impacted. An easy example is weather information for a transportation enterprise.
When attackers compromise assets, they make changes to configurations, add accounts, and often add software or scripts. These changes are not always easy to identify, as attackers might have corrupted or replaced trusted applications with malicious versions, or the changes might hide behind standard-looking account names. Configuration changes can include adding or changing registry entries, opening ports, turning off security services, deleting logs, or other malicious actions that make a system insecure. These actions do not have to be malicious; human error can cause each of these as well. Therefore, it is important to have recent backups or mirrors to recover enterprise assets and data to a known trusted state.
There has been an exponential rise in ransomware over the last few years. It is not a new threat, though it has become more commercialized and organized as a reliable method for attackers to make money. If an attacker encrypts an enterprise's data and demands ransom for its restoration, having a recent backup to recover to a known, trusted state can be helpful. However, as ransomware has evolved, it has also become an extortion technique, where data is exfiltrated before being encrypted, and the attacker asks for payment to restore the enterprise's data, as well as to keep it from being sold or publicized. In this case, restoration would only solve the issue of restoring systems to a trusted state and continuing operations. Leveraging the guidance within the CIS Controls will help reduce the risk of ransomware through improved cyber hygiene, as attackers usually use older or basic exploits on insecure systems.
11.1: Establish and Maintain a Data Recovery Process
Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Documentation | Govern | 1, 2, 3 |
Dependencies
- None
Inputs
- Data recovery process for the enterprise
- Date of last update to the data recovery process
Operations
1. Check if the enterprise has a data recovery process (Input 1)
   - If so, M1 = 1
   - If not, M1 = 0
2. Examine the enterprise's data recovery process and determine if it addresses, at a minimum, the scope of data recovery activities, recovery prioritization, and the security of backup data
   - For each element included within the process, assign the element a value of 1. M2 = sum of all the values.
3. Compare the date of the last update to the data recovery process to the current date and capture the timeframe in months (M3)
Measures
- M1 = Output of Operation 1
- M2 = Sum of elements included in the data recovery process
- M3 = Timeframe in months of the last update to the data recovery process
Metrics
- If M1 is 0, the Safeguard receives a failing score. The other metrics don't apply.
- If M3 is greater than twelve, this Safeguard is measured at a 0 and receives a failing score. The other metrics don't apply.
Completeness
Metric | The percentage of elements included in the data recovery process |
---|---|
Calculation | M2 / M3 |
11.2: Perform Automated Backups
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Data | Recover | 1, 2, 3 |
Dependencies
- Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
- Safeguard 2.1: Establish and Maintain a Software Inventory
- Safeguard 4.1: Establish and Maintain a Secure Configuration Process
Inputs
- GV1: Enterprise asset inventory
- GV5: Authorized software inventory
- GV3: Configuration standards
Operations
1. For each asset in GV1, identify and enumerate assets that are in-scope for automated backups: GV33 (M1)
2. Use GV5 to identify authorized backup software and, for each asset identified in Operation 1:
   2.1. Identify and enumerate assets covered by at least one authorized backup software: GV34 (M2)
   2.2. Identify and enumerate assets not covered by at least one authorized backup software (M3)
3. Use GV3 to check if the software on assets identified in Operation 2.1 is configured correctly
   - Identify and enumerate assets with properly configured backup software (M4)
   - Identify and enumerate assets with improperly configured backup software (M5)
4. For each asset with backup software identified in Operation 2.1, examine logs to determine the most recent successful backup date. Compare that date to the current date and capture the timeframe in days.
   - Identify and enumerate assets that have been backed up within seven days or less (M6)
   - Identify and enumerate assets that have been backed up outside of a seven-day window (M7)
Measures
- M1 = Count of assets within scope for automated backups
- M2 = Count of in-scope assets with authorized backup software installed
- M3 = Count of in-scope assets without authorized backup software installed
- M4 = Count of in-scope assets with properly configured backup software
- M5 = Count of in-scope assets with improperly configured backup software
- M6 = Count of in-scope assets backed up within a week
- M7 = Count of in-scope assets not backed up within a week
Metrics
Coverage
Metric | The percentage of in-scope assets with properly configured authorized backup software |
---|---|
Calculation | M4 / M1 |
Compliance
Metric | The percentage of in-scope assets backed up within a week timeframe |
---|---|
Calculation | M6 / M1 |
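A worked measurement of Operations 1 through 4 for this Safeguard, added here as an example and not part of the CIS document; the inventories, the field names (`in_scope`, `software`, `backup_config`, `last_ok`) and the GV3 backup standard are constructed assumptions, and the "current date" is fixed so the sample is reproducible:

```python
from datetime import date

# Constructed sample inventories (assumed field names, not a CIS-defined schema).
# GV1: enterprise assets; `last_ok` is the latest successful backup date taken
# from the backup software's logs (None = no successful backup on record).
GV1_ASSETS = [
    {"id": "fs-01", "in_scope": True, "software": ["AcmeBackup"],
     "backup_config": {"schedule": "daily", "retention_days": 30}, "last_ok": date(2024, 5, 6)},
    {"id": "db-01", "in_scope": True, "software": ["VaultAgent"],
     "backup_config": {"schedule": "daily", "retention_days": 7}, "last_ok": date(2024, 4, 29)},
    {"id": "web-01", "in_scope": True, "software": ["nginx"], "backup_config": None, "last_ok": None},
    {"id": "hr-01", "in_scope": True, "software": ["AcmeBackup"],
     "backup_config": {"schedule": "weekly", "retention_days": 14}, "last_ok": None},
    {"id": "kiosk-01", "in_scope": False, "software": [], "backup_config": None, "last_ok": None},
]
GV5_AUTHORIZED_BACKUP_SOFTWARE = {"AcmeBackup", "VaultAgent"}   # authorized backup software from GV5
GV3_BACKUP_STANDARD = {"schedules": {"daily", "weekly"}, "min_retention_days": 14}  # constructed GV3 standard
AS_OF = date(2024, 5, 9)  # fixed "current date" so the sample is reproducible

def properly_configured(cfg, standard):
    """Operation 3: does the asset's backup configuration meet the GV3 standard?"""
    return (cfg is not None and cfg.get("schedule") in standard["schedules"]
            and cfg.get("retention_days", 0) >= standard["min_retention_days"])

def measure_11_2(assets, authorized, standard, today, window_days=7):
    """Operations 1-4: return the measures M1..M7 as a dict."""
    m = dict.fromkeys(["M1", "M2", "M3", "M4", "M5", "M6", "M7"], 0)
    for a in assets:
        if not a["in_scope"]:                    # Operation 1: GV33 = in-scope assets
            continue
        m["M1"] += 1
        if not set(a["software"]) & authorized:  # Operation 2.2: no authorized backup software
            m["M3"] += 1
            continue
        m["M2"] += 1                             # Operation 2.1: GV34
        m["M4" if properly_configured(a["backup_config"], standard) else "M5"] += 1
        last = a["last_ok"]                      # Operation 4: "seven days or less" is inclusive
        recent = last is not None and (today - last).days <= window_days
        m["M6" if recent else "M7"] += 1
    return m

def metrics_11_2(m):
    """Coverage = M4 / M1 and Compliance = M6 / M1; both 0.0 if nothing is in scope."""
    if m["M1"] == 0:
        return {"coverage": 0.0, "compliance": 0.0}
    return {"coverage": m["M4"] / m["M1"], "compliance": m["M6"] / m["M1"]}

if __name__ == "__main__":
    ms = measure_11_2(GV1_ASSETS, GV5_AUTHORIZED_BACKUP_SOFTWARE, GV3_BACKUP_STANDARD, AS_OF)
    print(ms, metrics_11_2(ms))  # M1=4 M2=3 M3=1 M4=2 M5=1 M6=1 M7=2; coverage 0.5, compliance 0.25
```

Note that an asset with no successful backup on record (hr-01) counts toward M7 even though its software is properly configured, which is why Coverage and Compliance are reported separately.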
11.3: Protect Recovery Data
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Data | Protect | 1, 2, 3 |
Dependencies
- Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
- Safeguard 2.1: Establish and Maintain a Software Inventory
- Safeguard 4.1: Establish and Maintain a Secure Configuration Process
Inputs
- GV33: Assets that are in-scope for automated backups
- GV34: Assets with authorized backup software installed
- GV3: Configuration Standard
Operations
1. For each asset with backup software installed, use GV3 to check if encryption is configured for backups
   - Identify and enumerate assets with software configured to encrypt backups (M2)
   - Identify and enumerate assets with software not configured to encrypt backups (M3)
Measures
- M1 = Count of Input 1: GV33
- M2 = Count of software configured to encrypt backups
- M3 = Count of software not configured to encrypt backups
Metrics
Coverage
Metric | The percentage of in-scope assets with backup software properly configured to encrypt backups |
---|---|
Calculation | M2 / M1 |
11.4: Establish and Maintain an Isolated Instance of Recovery Data
Establish and maintain an isolated instance of recovery data. Example implementations include version-controlling backup destinations through offline, cloud, or off-site systems or services.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Data | Recover | 1, 2, 3 |
Dependencies
- Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
- Safeguard 4.1: Establish and Maintain a Secure Configuration Process
Inputs
- GV33: Assets that are in-scope for automated backups
- GV34: Assets with authorized backup software installed
- GV3: Configuration standards
Assumptions
- Configuration for backups will contain information about the destination of backups
Operations
1. For each asset in Input 2 (GV34), use the configuration standards in GV3 to check the destination of backups
   - Identify and enumerate assets properly configured to send backups to an isolated instance (M2)
   - Identify and enumerate assets not properly configured to send backups to an isolated instance (M3)
Measures
- M1 = Count of Input 1: GV33
- M2 = Count of assets with backups sent to an isolated instance
- M3 = Count of assets with backups not sent to an isolated instance
Metrics
Coverage
Metric | The percentage of assets configured to send backups to an isolated instance |
---|---|
Calculation | M2 / M1 |
11.5: Test Data Recovery
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Data | Recover | 2, 3 |
Dependencies
- Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Inputs
- Current set of backups for the enterprise
- Date of last backup recovery test
Assumption
- Enterprise will know what a properly working restored backup looks like.
Operations
1. Use Input 1 to restore a sampling of the backups to a temporary location
   - Enumerate the total number of backups restored (M1)
   - Identify and enumerate backups that are properly working after being restored (M2)
   - Identify and enumerate backups that did not properly work after being restored (M3)
2. Compare Input 2 to the current date and capture the time frame in months (M4)
Measures
- M1 = Count of backups being tested
- M2 = Count of properly working backups after restoration
- M3 = Count of backups not properly working after restoration
- M4 = Timeframe between tests of backup recovery
Metrics
- If M4 is greater than three months, then this Safeguard is measured at a 0 and receives a failing score. The other metrics don't apply.
Backup Integrity Quality
Metric | The percentage of restored backup sampling deemed to be properly working |
---|---|
Calculation | M2 / M1 |