Safeguard 3.12 (IG2, IG3)

Segment Data Processing and Storage Based on Sensitivity

Control Group: 3. Data Protection
Asset Type: Network
Security Function: Protect

Description

Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Draft policy/procedure document
7. Obtain stakeholder review and approval
8. Communicate to affected personnel
9. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Lateral Movement from Low-Value to High-Value Data

Confidentiality

Attackers compromise a low-security system on a flat network and pivot directly to servers processing sensitive financial, health, or classified data without any segmentation barriers.

Compliance Boundary Violation

Confidentiality

Regulated data (PCI cardholder data, HIPAA PHI) is processed on the same network segment as general-purpose systems, expanding the compliance scope and increasing audit exposure.

Vulnerabilities (When Safeguard Absent)

Flat Network Architecture for All Data Sensitivity Levels

Without segmentation based on data sensitivity, all systems share the same network trust zone, meaning a compromise anywhere provides access to the most sensitive data.

Sensitive Data Processing on Non-Hardened Assets

When sensitive data is processed on general-purpose systems not designated or hardened for that sensitivity level, it receives inadequate security controls.
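The two vulnerabilities above (a flat trust zone, and sensitive data landing on assets not designated for it) can be checked mechanically against an asset inventory. The following is an added example, not part of this safeguard page or any CIS tooling; the segments, data classes and sensitivity levels are constructed sample values.

```python
"""Audit an asset inventory against per-segment sensitivity limits.

Constructed example: each network segment is approved for data up to a
given sensitivity; each asset lists the data classes it processes. An
asset processing data above its segment's limit violates Safeguard 3.12.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels (constructed; adapt to the enterprise scheme).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
LEVEL_NAME = {v: k for k, v in LEVELS.items()}

# Data classes mapped to their sensitivity (constructed sample).
DATA_CLASS_LEVEL = {
    "marketing-web": "public",
    "hr-records": "confidential",
    "pci-cardholder": "regulated",
    "hipaa-phi": "regulated",
}

@dataclass
class Asset:
    name: str
    segment: str
    data_classes: list[str] = field(default_factory=list)

def asset_level(asset):
    """Highest sensitivity level (as a name) of the data an asset processes."""
    top = max((LEVELS[DATA_CLASS_LEVEL[d]] for d in asset.data_classes), default=0)
    return LEVEL_NAME[top]

def find_violations(assets, segment_limits):
    """Return (asset, needed_level, segment_limit) for every asset whose data
    is more sensitive than its segment is designated to hold."""
    out = []
    for a in assets:
        # A segment with no recorded limit is treated as the lowest trust zone.
        limit = segment_limits.get(a.segment, "public")
        need = asset_level(a)
        if LEVELS[need] > LEVELS[limit]:
            out.append((a.name, need, limit))
    return out

def is_flat(assets):
    """True when all assets share one segment, i.e. no sensitivity boundary exists."""
    return len({a.segment for a in assets}) <= 1

# Constructed inventory: pos-gw handles cardholder data on a general segment.
SEGMENT_LIMITS = {"dmz": "public", "corp": "confidential", "regulated-zone": "regulated"}
INVENTORY = [
    Asset("web01", "dmz", ["marketing-web"]),
    Asset("hr-app", "corp", ["hr-records"]),
    Asset("pos-gw", "corp", ["pci-cardholder"]),
    Asset("ehr-db", "regulated-zone", ["hipaa-phi"]),
]
```

Running `find_violations(INVENTORY, SEGMENT_LIMITS)` on this sample reports only `pos-gw`, which is the "Compliance Boundary Violation" scenario in inventory form.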

Evidence Requirements

Type      | Evidence Item                                                          | Collection Frequency
----------|------------------------------------------------------------------------|---------------------
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document  | Procedure documentation for protection measures                         | Reviewed annually
Document  | Governing policy document (current, approved, communicated)             | Reviewed annually