What are the CIS Controls?
The CIS Critical Security Controls (CSC) are published by the Center for Internet Security (CIS) to assist organizations in better defending against well-known threats by converting critical security concepts into executable controls in order to reach a more comprehensive overall cybersecurity defensive strategy.
The most recent version, v8, was released in May 2021. In the enhanced version, the controls are now arranged into activities and attack styles. As a result, the controls have been reduced from 20 to 18 to better suit cloud, hybrid, and activity-based platforms.
The main purpose of the CIS controls is to keep risks to the absolute minimum. The CIS Controls are intended to safeguard your company’s data and systems against hacking, cyber-attacks, and other online risks.
While many standards and compliance regulations intended to improve overall security can be industry-specific, the CIS CSC was formed by professionals from various government agencies and industry experts to be universally applicable.
What are the requirements for CIS compliance?
The CIS Controls Implementation Groups (IGs) give new recommendations for prioritizing implementation and a streamlined method for assisting enterprises of all sizes in directing their security resources. The following is a list of the 18 CIS controls included in version 8.0:
1. Inventory and control of hardware
2. Inventory and control of Software
3. Data protection
4. Secure configuration for hardware and software
5. Account management
6. Controlled access of administrative privileges
7. Continuous vulnerability management
8. Maintenance, monitoring, and analysis of audit logs
9. Email and web browser protections
10. Malware defenses
11. Data recovery capability
12. Network infrastructure management
13. Network monitoring and defense
14. Security awareness and skill training
15. Service provider management
16. Application software security
17. Incident response management
18. Penetration testing
Why should you comply with CIS?
The CIS Critical Security Controls are a great starting point for organizations seeking to strengthen their overall security and harden their defensive capabilities against the most widely known attacks. They reduce your exposure risk and mitigate the severity of the majority of attack types.
The CIS Critical Security Controls are also cross-compatible with and/or directly map to a variety of other security and compliance standards, which are often specific to the industry—including NIST 800-53, PCI DSS, FISMA, and HIPAA. This means that organizations that must abide by these rules can rely on CIS controls to assist them in doing so. Furthermore, the NIST CSF (Cybersecurity Framework), another powerful tool for improving the efficiency and strength of an organization’s security posture, uses the CIS CSC as a starting point for several of their recommended guiding principles.
How to achieve compliance?
Downloading the benchmarking documents and manually carrying out the recommendations is possible and completely free to get started. However, it is frequently extremely labor-intensive, and it is difficult to ensure ongoing compliance — especially as configurations are updated and new assets are added. An automated solution makes implementing and maintaining compliance with the CIS benchmarks easier and faster.
The Centraleyes platform includes an integrated CIS questionnaire and allows you to collect, analyze, and identify gaps automatically. Once the gaps have been identified, the platform will generate automated actionable remediation tasks using its AI risk engine, guiding the team on what they need to do.
The Centraleyes platform provides organizations with complete visibility into their cyber risk levels and CIS compliance, resulting in time and money savings as well as more accurate data.