The Ultimate Guide to
CIS Critical Security Controls®
Mitigate the Most Common Forms of Cyber Attacks with CIS Critical Security Controls®
Cyber attack schemes can change quickly, but the most common and effective forms of cyber attacks against an enterprise’s systems and networks haven’t changed all that much in the last few years.
The CIS Critical Security Controls (CIS Controls) are a prescriptive, prioritized, and simplified set of critical security controls and cybersecurity best practices developed by a community of cybersecurity experts that can help support compliance in a multi-framework era. They are leveraged by enterprises around the world to provide specific guidance and a clear pathway to achieve the goals and objectives described by multiple legal, regulatory, and policy frameworks.
Implementing all 18 CIS Controls is the definition of an effective cybersecurity program and effectively implementing Implementation Group 1 of the CIS Controls represents essential cyber hygiene for any enterprise. The CIS Controls can serve as a solid security baseline to help you in your compliance journey.
Want to become an expert in CIS Critical Security Controls?
How are organizations implementing the CIS Controls?
1. Speed up Compliance to Other Frameworks Such as SOC 2
Security-conscious enterprises have used CIS Controls to more rapidly achieve SOC 2 compliance. To pass a SOC 2 audit, enterprises need to use a set of best-practice controls to keep up with the evolving threat landscape and provide evidence to the auditor showing that they’ve been maintaining an effective cybersecurity program over time.
CIS Controls is a great resource for identifying what security actions an enterprise should prioritize and implement. While other frameworks emphasize requirements on a very general level, CIS Controls go further, showing enterprises how they can immediately improve security posture.
Meanwhile, enterprises have developed a policy for system hardening and workstation security using the CIS BenchmarksTM – consensus developed secure configuration guidelines for hardening operating systems, servers, cloud environments, and more. The CIS Benchmarks include more than 100 configuration guidelines across 25+ vendor product families.
Based on case studies published by CIS, IT security auditors have chosen to use CIS Controls as their security audit criteria. Specifically, auditors want to understand the process auditee enterprises use to tailor the CIS best practices to their own environments and see evidence that their systems conform to the standards.
A compliance professional whose enterprise uses CIS Benchmarks and CIS Controls can show their auditor how they’ve aligned their security actions to CIS Controls and provide evidence that these controls were implemented, tested, and shown to be effective. These artifacts would satisfy the auditor.
From an audit report, an auditee enterprise can see how they align with leading practices and determine what else they can do to become more aligned with the CIS Controls. Using these evaluations, the auditee can do their own risk assessment and determine the level they’d like to achieve based on their enterprise’s size and resources.
2. Use CIS Controls to Measure Your Organization’s Security Posture and Identify Improvement Areas
Even if you’re not using CIS Controls to adhere to a regulatory or legal standard, you can use CIS Controls to see how your current security program maps to best practices and identify gaps and remediation areas to prioritize. What’s particularly nice about CIS Controls is that the controls are divided into three Implementation Groups (IGs): IG1, IG2, and IG3. These groups support a pragmatic approach based on an enterprise’s resource constraints and the sensitivity of the data they are responsible for protecting. The IGs build upon each other so enterprises can mature and improve their cyber hygiene with each.
For smaller enterprises with limited resources and cybersecurity expertise available to implement security controls, they can start improving their cyber hygiene by first focusing on controls within Implementation Group 1.
After implementing the essential controls in IG 1, you will have already made progress in improving your enterprise’s cyber hygiene. You can then tailor more advanced actions for your enterprise as needed by extending to IG2 and IG3.
What are the CIS Controls?
PCI Data Security Standards — High-Level Overview
source: PCI Security Standards Council
CIS Control 1 – Inventory and Control of Enterprise Assets
Catalog all “enterprise assets” attached to your enterprise (physically and virtually) in order to have a complete understanding of what needs monitoring and to identify potentially harmful unauthorized or unmanaged devices.
CIS Control 2 – Inventory and Control of Software Assets
Track all software on your network to prevent the installation of software that hasn’t been reviewed or authorized by your enterprise.
CIS Control 3 – Data Protection
Securely manage and monitor data by creating detailed data protection processes and controls.
CIS Control 4 – Secure Configuration of Enterprise Assets and Software
Develop comprehensive processes to ensure that your enterprise’s assets and software are configured securely.
CIS Control 5 – Account Management
Track user credentials for all accounts. Whether an account is tied to confidential data or is purely administrative, no account should be discounted or overlooked as a potential security risk.
CIS Control 6 – Access Control Management
Create detailed processes to track and manage who has credentials or access to what assets and software — the process of revoking user access should be just as carefully monitored as assigning access.
CIS Control 7 – Continuous Vulnerability Management
Build processes that regularly track and monitor vulnerabilities in order to identify potential risks and better prevent security incidents.
CIS Control 8 – Audit Log Management
Create an audit log where your team can track and manage events tied to security incidents. This log can be used to understand why incidents occur and as a means to help prevent future attacks.
CIS Control 9 – Email and Web Browser Protections
Identify potential email and web browser threats, then develop new protections or improve existing protections against those threats.
CIS Control 10 – Malware Defenses
Build processes focused on defending against the installation or spread of malware on your enterprise’s physical and virtual assets.
CIS Control 11 – Data Recovery
Develop robust practices to ensure that your enterprise’s assets can recover from, and potentially be restored after, any security incidents.
CIS Control 12 – Network Infrastructure Management
Protect vulnerable network services and access points by carefully tracking and monitoring your enterprise’s devices (physical and virtual).
CIS Control 13 – Network Monitoring and Defense
Utilize tools and processes to monitor and defend against potential security threats to your network.
CIS Control 14 – Security Awareness and Skills Training
Increase employee knowledge and awareness of potential security issues via a security awareness program that includes regular cross-departmental training sessions.
CIS Control 15 – Service Provider Management
Thoroughly evaluate service providers who have access to your enterprise’s sensitive data to ensure that they are managing data securely and appropriately.
CIS Control 16 – Application Software Security
Assess software that is developed, housed, or acquired by your company for security weaknesses, then protect and monitor those weaknesses to prevent potential incidents.
CIS Control 17 – Incident Response Management
Create a detailed incident response plan that will detect and analyze security incidents when they occur and then trigger the appropriate actions needed to mitigate such incidents.
CIS Control 18 – Penetration Testing
Identify and test weaknesses of enterprise assets in order to better understand how effective your controls are.
“Enterprise assets” is defined by CIS as: “end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers.”
Mapping Between CIS Controls and Other Frameworks
On the CIS website you can see how the CIS Controls map to a variety of other legal, regulatory, and policy frameworks, including:
The CIS Critical Security Controls®: Frequently Asked Questions
Hyperproof for Critical Security Controls® Compliance
Hyperproof’s powerful compliance operations platform is designed to help you maintain security controls and continuous compliance in the most efficient way possible.
Enterprises large and small, from a variety of industries, have incorporated the CIS Controls into their environment to support a solid security posture, but many firms also need to implement controls recommended by other cybersecurity guidelines (e.g. NIST SP 800-53, NIST CSF, Cloud Security Alliance’s Cloud Controls Matrix) for a host of reasons.
In Hyperproof, it’s easy to reference the CIS Controls and a host of other data protection control frameworks and add them to your control environment. By creating a single source of controls – or a common controls framework – within your enterprise, you’ll gain better visibility into your compliance posture, catch issues sooner, and improve the operational efficiency of your compliance program.
Use Hyperproof to cut down on the time it takes to comply with new regulatory regimes and standards. Hyperproof comes with the CIS Controls (including IG1, IG2, and IG3) out-of-the box, making it easy to implement the CIS Controls in your environment.
Hyperproof speeds up the mapping of the CIS Controls to various frameworks, standards, and regulatory regimes (e.g., PCI, SOC 2, or HIPAA and more). Once a control is mapped to multiple compliance requirements, you’ll be able to collect evidence once and use that evidence to satisfy multiple auditors’ requests.
While CIS provides native tools to conduct point-in-time tests of their controls, Hyperproof comes with an automation engine that enables you to set up a continuous controls monitoring system.
You can configure Hyperproof to automatically extract evidence of specific control procedures from source systems, define automated tests highlighting success or failure of each assertion, conduct tests at any frequency you need, and automate a workflow for managing the generated alarms, including communicating and investigating any failed assertion and ultimately correcting the control weakness.
Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.