CIS Control 3.12: Segment Data Processing and Storage Based on Sensitivity
Data segmentation is a foundational control that prevents sensitive information from being processed on systems designed for less critical data. Organizations failing to segregate data by sensitivity risk exposing regulated data to unauthorized access and increasing breach impact. This control ensures your infrastructure matches your data classification strategy.
What this means
CIS Control 3.12 requires you to isolate data processing and storage based on sensitivity levels. Sensitive data—such as PII, financial records, or trade secrets—must never be processed on general-purpose enterprise assets. Instead, create segregated environments where sensitive data processing occurs on systems with elevated security controls, restricted access, and enhanced monitoring.
How to comply
- 1.Classify all organizational data by sensitivity level (public, internal, confidential, restricted)
- 2.Map data types to processing environments and document which systems handle each classification
- 3.Configure network segmentation to isolate sensitive data processing zones from general-use networks
- 4.Restrict access to sensitive data systems using role-based access controls matched to job functions
- 5.Implement enhanced monitoring and logging for sensitive data environments
- 6.Prohibit sensitive data from flowing through or being processed on non-sensitive systems
- 7.Document and enforce data handling procedures for each sensitivity tier
- 8.Conduct quarterly reviews to ensure systems remain compliant with segmentation policies
Evidence auditors look for
- Data classification matrix documenting sensitivity levels and associated systems
- Network topology diagrams showing segmented zones for sensitive vs. general data
- Access control lists restricting user permissions by data sensitivity
- System configuration hardening standards for sensitive data environments
- Audit logs demonstrating monitoring of sensitive data access and processing
- Data flow documentation showing prohibited and permitted pathways
- Policy documentation on handling procedures for each data classification
- Quarterly compliance assessment reports validating segmentation effectiveness
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
See how GRCWatch handles this control automatically.
See how GRCWatch handles this control automatically
Start free trial