CIS Controls (Center for Internet Security Controls)

CIS Controls (Center for Internet Security Controls)

  1. Overview

The Center for Internet Security (CIS) controls are a set of best practices and guidelines for securing information systems and networks. The CIS controls are divided into 20 critical security controls, which are organized into three categories: Basic, Foundational, and Organizational.

The Basic controls are considered as the first line of defense and include practices such as:

  1. Inventory of authorized and unauthorized devices
  2. Inventory of authorized and unauthorized software
  3. Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
  4. Continuous vulnerability management

The Foundational controls are considered as the next level of defense and include practices such as:

  1. Controlled use of administrative privileges
  2. Maintenance, monitoring, and analysis of audit logs
  3. Email and web browser protections
  4. Malware defenses

The Organizational controls are considered as the final level of defense and include practices such as:

  1. Incident response and management
  2. Secure network architecture
  3. Limitation and control of network ports, protocols, and services
  4. Data recovery capabilities

The CIS controls are designed to provide a comprehensive and flexible approach to securing information systems and networks. The controls are regularly updated to reflect the latest threats and best practices in cybersecurity. Organizations can use the CIS controls as a guide to help them identify and prioritize security measures, and to evaluate their overall cybersecurity posture.

  1. Approach

The approach to implementing the Center for Internet Security (CIS) controls involves a multi-step process that includes:

  • Assessment: Organizations begin by conducting a self-assessment of their current security posture and identifying areas where they align or deviate from the CIS controls.
  • Prioritization: After identifying areas of alignment and deviation, organizations prioritize which controls to implement based on their specific needs and risk profile.
  • Implementation: Organizations implement the selected CIS controls, which may include implementing new security measures, configuring existing systems, and updating policies and procedures.
  • Testing: Organizations test and validate the effectiveness of the implemented controls to ensure they are functioning as intended.
  • Monitoring: Organizations establish ongoing monitoring procedures to detect and respond to security incidents and to continuously assess the effectiveness of the implemented controls.
  • Continuous improvement: Organizations evaluate their security posture on a regular basis and make adjustments as necessary to adapt to changing threat landscape and new security best practices.

It is important to note that implementing the CIS controls is an ongoing process and it requires continuous monitoring, testing and improvement.

Organizations should also understand that the CIS controls are not a one-time effort and they will have to maintain them to ensure their continued effectiveness.

  1. Benefits

Implementing the Center for Internet Security (CIS) controls can provide several benefits for organizations, including:

  • Improved cybersecurity posture: The CIS controls are designed to provide a comprehensive and flexible approach to securing information systems and networks, which can help organizations better protect against cyber threats.
  • Compliance with industry standards: The CIS controls align with industry standards and regulations, making it easier for organizations to meet compliance requirements.
  • Risk reduction: By implementing the CIS controls, organizations can reduce the risk of a cybersecurity incident occurring, and minimize the impact if an incident does occur.
  • Improved incident response: The CIS controls include guidelines for incident response and recovery, helping organizations respond to cybersecurity incidents more effectively.
  • Better communication and collaboration: The CIS controls provide a common language and framework for organizations to communicate and collaborate with stakeholders on cybersecurity risks and responses.
  • Increased efficiency: Implementing the CIS controls can help organizations streamline their security processes and increase efficiency by eliminating redundant or unnecessary controls.
  • Continuous improvement: Implementing the CIS controls is an ongoing process, organizations can continuously monitor and evaluate their security posture and identify areas for improvement over time.

In summary, implementing the CIS controls can help organizations improve their cybersecurity posture, reduce risks, improve incident response capabilities, and better align with industry standards and regulations.

  1. Deliverables

Implementing the Center for Internet Security (CIS) controls can lead to several key deliverables for an organization, including:

  • Improved cybersecurity posture: By implementing the CIS controls, organizations can improve their overall cybersecurity posture and better protect against cyber threats.
  • Compliance documentation: Organizations can use the CIS controls to document their compliance with the framework, which can be used to demonstrate compliance to regulatory bodies, clients and other stakeholders.
  • Risk reduction: Implementing the CIS controls can help organizations reduce the risk of a cybersecurity incident occurring, and minimize the impact if an incident does occur.
  • Improved incident response: The CIS controls include guidelines for incident response and recovery, helping organizations respond to cybersecurity incidents more effectively.
  • Better communication and collaboration: The CIS controls provide a common language and framework for organizations to communicate and collaborate with stakeholders on cybersecurity risks and responses.
  • Increased efficiency: Implementing the CIS controls can help organizations streamline their security processes and increase efficiency by eliminating redundant or unnecessary controls.
  • Continuous improvement: Implementing the CIS controls is an ongoing process, organizations can continuously monitor and evaluate their security posture and identify areas for improvement over time.
  • Auditing, reporting, and compliance tracking capabilities: Organizations can use the information gathered through implementing the CIS controls to produce regular reports on their compliance, track the progress of their security efforts, and provide evidence of their compliance to regulatory bodies or clients.

Overall, implementing the CIS controls can lead to improved security, compliance, and more efficient use of resources, as well as better incident response and communication.

  1. Training

Training on the Center for Internet Security (CIS) controls can help organizations better understand and implement the controls to improve their cybersecurity posture. Training on CIS controls can include:

  • Overview of the CIS controls: This type of training provides an introduction to the CIS controls, including their purpose, components, and key concepts.
  • Implementation of the CIS controls: This type of training can help organizations understand how to implement the CIS controls in their own environment, including how to select and implement the controls that align with their specific needs and risk profile.
  • Self-assessment: Training on self-assessment can help organizations evaluate their current security posture and identify areas where they align or deviate from the CIS controls.
  • Compliance and regulatory requirements: Training on compliance and regulatory requirements can help organizations understand how the CIS controls align with various regulations and industry standards.
  • Incident response and recovery: Training on incident response and recovery can help organizations understand how to respond to and recover from cybersecurity incidents in accordance with the CIS controls.
  • Monitoring and continuous improvement: Training on monitoring and continuous improvement can help organizations understand how to establish ongoing monitoring procedures, detect and respond to security incidents and continuously assess the effectiveness of the implemented controls.
  • Auditing and reporting: Training on auditing and reporting can help organizations understand how to use the information gathered through implementing the CIS controls to produce regular reports on their compliance, track the progress of their security efforts, and provide evidence of their compliance to regulatory bodies or clients.

These trainings are often provided by security firms, consulting firms, and educational institutions authorized by the CIS, they can also be provided by internal IT/security departments or teams.

REACH US TO ENSURE THAT WHEN EVEN WHEN A CRISIS STRIKES, YOUR BUSINESS MUST GO ON AS USUAL.