CIS Controls

What are the CIS Controls?

The CIS Critical Security Controls (CSC) are published by the Center for Internet Security (CIS) to help organizations defend against well-known threats by translating key security concepts into actionable controls, building toward a more comprehensive overall cybersecurity defensive strategy. The most recent version, 7.1, was released on April 4, 2019.

As security threats evolve, so do best practices for coping with them. Through their Critical Security Protocols for Effective Cyber Defense, also known as the SANS Top 20 Critical Security Controls, the CIS is well-known in the security industry for providing current and relevant advice to help businesses strengthen their security posture.

While many standards and compliance regulations intended to improve overall security are industry-specific, the CIS CSC was developed by professionals from various government agencies together with industry experts so that it would be universally applicable.

What are the requirements for CIS compliance?

The CIS Controls Implementation Groups establish a set of Sub-Controls and provide a simplified way to help organizations of various sizes and risk profiles focus their security resources.

The 20 Critical Security Controls for effective cyber defense are split into three groups:

  • Basic CIS Controls (1-6): the foundation of any organization’s cybersecurity
  • Foundational CIS Controls (7-16)
  • Organizational CIS Controls (17-20)

Basic CIS Controls

1. Hardware Asset Inventory and Control

2. Software Asset Inventory and Control

3. Vulnerability Management on an Ongoing Basis

4. Constraints on the Use of Administrative Privileges

5. Secure Hardware and Software Configuration on Mobile Devices, Laptops, Workstations, and Servers

6. Audit Log Maintenance, Monitoring, and Analysis

Foundational CIS Controls

7. Email and Web Browser Security

8. Malware Protection

9. Limitation and Control of Network Ports, Protocols and Services

10. Capabilities for Data Recovery

11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

12. Boundary Protection

13. Data Security

14. Controlled Access Based on the Need to Know

15. Wireless Access Control

16. Account Monitoring and Control

Organizational CIS Controls

17. Establish a Comprehensive Security Awareness and Training Program

18. Security for Application Software

19. Incident Response and Management

20. Red Team Exercises and Penetration Tests

Why should you comply with CIS?

The CIS Critical Security Controls are a great starting point for organizations seeking to strengthen their overall security and harden their defensive capabilities against the most widely known attacks. They reduce your exposure risk and mitigate the severity of the majority of attack types.

The CIS Critical Security Controls also map directly to, or align with, a variety of other security and compliance standards, many of which are industry-specific, including NIST 800-53, PCI DSS, FISMA, and HIPAA. This means that organizations that must abide by those rules can rely on the CIS Controls to help them do so. Furthermore, the NIST CSF (Cybersecurity Framework), another powerful tool for improving the efficiency and strength of an organization’s security posture, uses the CIS CSC as a starting point for several of its recommended guiding principles.

How to achieve compliance?

Downloading the benchmark documents and carrying out the recommendations manually is possible, and it is completely free to get started. However, it is frequently very labor-intensive, and ongoing compliance is difficult to ensure, especially as configurations are updated and new assets are added. An automated solution makes implementing and maintaining compliance with the CIS benchmarks easier and faster.

The Centraleyes platform includes an integrated CIS questionnaire and allows you to collect, analyze, and identify gaps automatically. Once the gaps have been identified, the platform will generate automated actionable remediation tasks using its AI risk engine, guiding the team on what they need to do.

The Centraleyes platform provides organizations with complete visibility into their cyber risk levels and CIS compliance, resulting in time and money savings as well as more accurate data.
