The CIS Controls are a set of best practices for securing systems and data against the most common attacks. Also known as the CIS Critical Security Controls or the Top 20, these controls can help organizations protect themselves from the most common and damaging cyber threats.
The CIS Controls contain three categories: Basic, Foundational, and Organizational. CIS recommends that all organizations implement the Basic controls first, then implement Foundational and Organizational controls based on their specific needs.
Basic Controls
The Basic Controls are a set of 20 security practices that every organization should implement. These controls address common attack vectors and contain five categories:
- Identity and Access Management: Controls that help ensure only authorized users have access to systems and data.
- Configuration and Vulnerability Management: Controls that help ensure organizations properly configure systems and patch vulnerabilities promptly.
- Malware Defenses: Controls that help protect against malware infections.
- Application and Information Protection: Controls that help protect applications and data from compromise.
- Incident Response: Controls that help organizations respond quickly and effectively to security incidents.
Foundational Controls
The Foundational Controls are a set of 23 security practices that organizations should implement based on their specific needs. These controls build on the Basic Controls and address more sophisticated attacks. The six categories are:
- Asset Management and Discovery: Controls that help organizations inventory and track their assets.
- Boundary Defense: Controls that help protect the network perimeter from attack.
- Data Protection: Controls that help protect data from compromise.
- Detection and Response Capabilities: Controls that help organizations detect and respond to security incidents.
- User Education and Awareness: Controls that help educate users on security best practices.
- Application and Information Protection: Controls that help protect applications and data from compromise.
Organizational Controls
Organizational Controls are a set of 8 security practices that organizations should implement based on the specific needs of the organization. These controls build on the Basic and Foundational Controls and address more sophisticated attacks. The four categories are:
- Risk Management: Controls that help organizations identify, assess, and mitigate risks.
- Security Governance: Controls that help organizations establish and maintain a security program.
- Supply Chain Security: Controls that help organizations secure their supply chain.
- Third-Party Security: Controls that help organizations secure their relationships with third-party service providers.
Why are CIS Controls Important?
The CIS Controls are important because they provide a comprehensive and practical approach to securing systems and data against the most common attacks. By implementing the controls, organizations can significantly reduce their exposure to cyber threats.
In addition, a wealth of experience and expertise supports CIS Controls. The Center for Internet Security, which developed the controls, is a nonprofit organization that brings together experts from government, academia, and the private sector to collaborate on cybersecurity solutions.
Leading security organizations endorse CIS Controls, including the National Institute of Standards and Technology (NIST), the United States Computer Emergency Readiness Team (US-CERT), and the Department of Homeland Security (DHS).
What are the 20 Critical Security Controls?
The 20 Critical Security Controls (CSCs) are a set of security best practices developed by the Center for Internet Security (CIS). CIS designed the CSCs to help organizations protect themselves against the most common attacks, and they are as follows:
1. Inventory and Control of Hardware Assets
Attackers are continuously scanning the Internet for vulnerable systems to exploit. To reduce the risk of compromise, organizations need to inventory and control their hardware assets. This includes keeping track of what systems are in the environment, the software installed on those systems, and who has access to those systems.
2. Inventory and Control of Software Assets
Organizations need to inventory and control their software assets to ensure that employees are only using authorized software on their systems and that all software is up to date with the latest security patches.
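One concrete form of this control is a periodic comparison of what is actually installed against an allowlist of approved software and minimum patched versions. The script below is an added example, not code from the page or from CIS; the inventory, the allowlist and the version numbers are constructed sample data, and the version-comparison rule (dotted numeric components) is an assumption that fits most package managers but not every vendor scheme.

```python
"""Software asset check (added example): report software that is not on the
allowlist or is below the minimum patched version. Sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    version: str
    reason: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.24.0' into (1, 24, 0) so that versions compare numerically.
    A plain string comparison would wrongly rank '1.9' above '1.10'."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Approved packages and the lowest version that carries current patches (assumed values).
ALLOWLIST: Dict[str, str] = {
    "openssh-server": "9.3",
    "nginx": "1.24.0",
    "python3": "3.11",
}

# Constructed inventory as a scanner or agent might report it: host -> {package: version}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web-01": {"openssh-server": "9.6", "nginx": "1.22.1", "python3": "3.11.4"},
    "web-02": {"openssh-server": "9.6", "nginx": "1.25.2", "netcat": "1.10"},
}


def audit(inventory: Dict[str, Dict[str, str]], allowlist: Dict[str, str]) -> List[Finding]:
    """Return one Finding per unauthorized or out-of-date package, ordered by host then package."""
    findings: List[Finding] = []
    for host, packages in sorted(inventory.items()):
        for pkg, ver in sorted(packages.items()):
            if pkg not in allowlist:
                findings.append(Finding(host, pkg, ver, "not on allowlist"))
            elif parse_version(ver) < parse_version(allowlist[pkg]):
                findings.append(Finding(host, pkg, ver, f"below minimum {allowlist[pkg]}"))
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, ALLOWLIST):
        print(f"{f.host}: {f.package} {f.version} ({f.reason})")
```

Run against a real inventory, the same two checks feed the two halves of the control: the "not on allowlist" findings are the unauthorized software to remove, and the "below minimum" findings are the patch backlog.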
3. Configuration Management
Your organization needs to configure systems properly to reduce the risk of compromise. This includes hardening systems according to industry best practices, disabling unnecessary services and accounts, and using strong passwords.
4. Control of External Connections
Your organization needs to secure external connections properly to prevent unauthorized access to systems. This includes configuring firewalls, routers, and other perimeter devices correctly and ensuring that they control remote access properly.
5. Data Protection
Organizations need to protect data properly to prevent unauthorized access and usage. This includes encrypting data at rest and in transit and implementing strict access controls.
6. Vulnerability Management
Attackers often exploit vulnerabilities to gain access to systems. To reduce the risk of compromise, organizations need to scan for vulnerabilities continuously and patch them promptly.
7. Secure Configuration for Network Devices such as Firewalls, Routers, and Switches
Organizations need to configure network devices properly to prevent unauthorized access and usage. This includes disabling unnecessary services and accounts, using strong passwords, and properly configuring firewalls.
8. Boundary Defense
Organizations need to configure perimeter defenses properly to prevent unauthorized access to systems. This includes configuring firewalls, routers, and other perimeter devices correctly and ensuring that they control remote access properly.
9. Data Recovery Capabilities
In the event of data loss or corruption, organizations need to have a plan in place to recover their data. This includes having backups of critical data and testing those backups regularly.
10. Security Skills Assessment and Appropriate Training to Fill Gaps
Organizations need to assess the skills of their employees and provide appropriate training to fill any gaps. This includes identifying which employees need training and providing them with resources such as online courses or in-person workshops.
11. Secure Configurations for Networked Devices
Organizations need to configure networked devices properly to prevent unauthorized access and usage. This includes disabling unnecessary services and accounts, using strong passwords, and properly configuring firewalls.
12. Continuous Vulnerability Assessment and Remediation
Attackers often exploit vulnerabilities to gain access to systems. To reduce the risk of compromise, organizations need to scan for vulnerabilities continuously and patch them promptly.
13. Controlled Use of Administrative Privileges
Organizations should enforce strict control of administrative privileges to prevent unauthorized access to systems. This includes using least privilege principles, creating separate accounts for administrators, and effectively managing access control lists.
14. Maintenance, Monitoring, and Analysis of Audit Logs
Audit logs can be a valuable source of information for detecting and investigating security incidents. To maximize their usefulness, organizations should ensure they maintain, monitor, and analyze audit logs properly.
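Analysis of audit logs only pays off when the logs are parsed and checked against a rule that encodes what an incident looks like. The script below is an added example, not code from the page or from CIS: it parses constructed sshd-style authentication lines and raises two kinds of alert, a burst of failed logins from one source and a successful login from a source that had just been failing. The log format, the threshold of three failures and the five-minute window are assumptions chosen for the example.

```python
"""Audit log analysis (added example): flag repeated failed logins per source
and a success that follows failures. The log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sshd-style lines; 203.0.113.5 and 198.51.100.7 are documentation addresses.
LOG_LINES = [
    "2024-03-01T10:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 5000 ssh2",
    "2024-03-01T10:00:05 host1 sshd[102]: Failed password for root from 203.0.113.5 port 5001 ssh2",
    "2024-03-01T10:00:09 host1 sshd[103]: Failed password for root from 203.0.113.5 port 5002 ssh2",
    "2024-03-01T10:00:12 host1 sshd[103]: Received disconnect from 203.0.113.5 port 5002:11: Bye Bye",
    "2024-03-01T10:00:20 host1 sshd[104]: Accepted password for deploy from 203.0.113.5 port 5003 ssh2",
    "2024-03-01T10:01:00 host1 sshd[105]: Accepted publickey for alice from 198.51.100.7 port 6000 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

Alert = Tuple[str, str, str, datetime]  # (kind, source, user, time)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Extract the fields of one authentication event; None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "event": m["event"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(lines: List[str], threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Return alerts in log order. 'bruteforce' fires once per source when at least
    `threshold` failures fall inside `window`; 'success_after_failures' fires when a
    source with recent failures then logs in successfully."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    already_flagged = set()
    alerts: List[Alert] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = str(ev["src"]), ev["ts"]
        # Keep only failures still inside the sliding window.
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if ev["event"] == "Failed password":
            failures[src].append(ts)
            if len(failures[src]) >= threshold and src not in already_flagged:
                alerts.append(("bruteforce", src, str(ev["user"]), ts))
                already_flagged.add(src)
        elif failures[src]:
            alerts.append(("success_after_failures", src, str(ev["user"]), ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(LOG_LINES):
        print(f"{ts.isoformat()} {kind}: source={src} user={user}")
```

The second alert type is the one worth routing to a responder: a burst of failures is noise on any Internet-facing host, but a success from the same source shortly afterwards is the pattern that indicates the guessing worked and deserves investigation of the `deploy` account.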
15. Restriction of Network Ports, Protocols, and Services
Organizations should restrict access to network ports, protocols, and services to only those that need them. This includes disabling unnecessary services and accounts, using strong passwords, and properly configuring firewalls.
16. Account Monitoring and Control
Organizations need to monitor and control user accounts to prevent unauthorized access to systems. This includes creating strong passwords, disabling unused accounts, and regularly monitoring account activity.
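"Disabling unused accounts" needs a definition of unused and a source of last-login data; the script below is an added example, not code from the page or from CIS, that applies such a definition to a constructed account list. The 90-day idle limit, the review date and the exemption of a named service account are assumptions, and the records would in practice come from a directory export or a last-login report.

```python
"""Dormant account review (added example): list enabled accounts that have never
logged in or have been idle longer than the limit. Account data is constructed."""
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed records as a directory export might provide them.
ACCOUNTS: List[Dict[str, object]] = [
    {"user": "alice", "enabled": True, "last_login": date(2024, 2, 20)},
    {"user": "bob", "enabled": True, "last_login": date(2023, 10, 1)},
    {"user": "contractor7", "enabled": True, "last_login": None},
    {"user": "old-admin", "enabled": False, "last_login": date(2022, 1, 1)},
    {"user": "svc-backup", "enabled": True, "last_login": None},
]

# Service accounts never log in interactively; they are reviewed by a separate process (assumption).
EXEMPT: Set[str] = {"svc-backup"}
AS_OF = date(2024, 3, 1)  # assumed review date so the example is reproducible


def review(
    accounts: List[Dict[str, object]],
    as_of: date = AS_OF,
    max_idle: timedelta = timedelta(days=90),
    exempt: Set[str] = EXEMPT,
) -> List[Tuple[str, str]]:
    """Return (user, reason) for each enabled, non-exempt account that should be
    disabled or re-justified. Already-disabled accounts are skipped."""
    flagged: List[Tuple[str, str]] = []
    for acct in accounts:
        user = str(acct["user"])
        if not acct["enabled"] or user in exempt:
            continue
        last: Optional[date] = acct["last_login"]  # type: ignore[assignment]
        if last is None:
            flagged.append((user, "never logged in"))
        elif as_of - last > max_idle:
            flagged.append((user, f"idle {(as_of - last).days} days"))
    return flagged


if __name__ == "__main__":
    for user, reason in review(ACCOUNTS):
        print(f"{user}: {reason}")
```

Skipping accounts that are already disabled keeps the report focused on what still needs action, and the explicit exemption set makes it visible which accounts escape the idle rule and why.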
17. Data Leakage Prevention
Organizations need to prevent sensitive data from leaking. This includes encrypting data at rest and in transit and implementing strict access controls.
18. Wireless Access Control
Organizations need to configure wireless networks properly to prevent unauthorized access and usage. This includes disabling unnecessary services and accounts, using strong passwords, and configuring firewalls properly.
19. Physical Security Controls
Organizations need to implement physical security controls to prevent unauthorized access to systems. This includes securing data center facilities, using strong passwords, and implementing strict access control measures.
20. Incident Response Plan
In the event of a security incident, organizations need to have a plan in place for responding. This includes identifying the responsible parties, establishing communication protocols, and documenting incident response procedures.
How Can Organizations Implement the CIS Controls
There are several resources available to help organizations implement the CIS Controls, including:
1. The CIS Controls Self-Assessment Guide
This guide helps organizations assess their current security posture and identify which controls they should implement.
2. The CIS Controls Implementation Groups
These groups are composed of security experts who share best practices for implementing the controls.
3. The CIS Controls Toolkits
These toolkits provide guidance and templates for implementing the controls.
4. The CIS Benchmarks
The CIS Benchmarks are Configuration Guidelines that help organizations secure their systems. Organizations can use them in conjunction with the CIS Controls to further harden systems against attack.
5. The CIS Critical Security Controls (CSCs)
The CSCs are a subset of the CIS Controls that focus on the most important security practices. They are available in both English and Spanish.
6. The CIS Secure Suite Membership
This membership provides access to all the CIS resources, including the CIS Controls. It also includes discounts on training and events, as well as priority support from the CIS team.
7. The CIS Certified Products program
This program tests and certifies products that meet certain security requirements. Certified products can help organizations implement the CIS Controls quickly and easily.
8. The CIS Training and Certification Program
This program offers training and certification exams for individuals who want to demonstrate their expertise in implementing CIS Controls.
The Bottom Line:
The CIS Controls are a valuable resource for organizations looking to improve their security posture. The controls can help guide security efforts and provide a framework for improving organizational security. CIS offers several resources to help organizations implement the controls, including self-assessment guides, toolkits, and training programs. If you are interested in improving your organization’s security, be sure to check out CIS Controls.