CIS Critical Security Controls: What Are They and How Can You Meet These Standards?
As cyber threats evolve and business models change, maintaining a mature cybersecurity program can be challenging. You need to be confident that your organization's current security tools and techniques are effective. A single unpatched flaw, or a delay in remediating one, can create a weakness in your IT infrastructure that increases the likelihood of a successful attack.
Fortunately, the Center for Internet Security (CIS) publishes a set of standards that your organization can use to gauge the effectiveness of its cybersecurity program. These 18 standards, known as the CIS Critical Security Controls, are revised periodically to keep pace with changing threat actors and techniques.
What are CIS Critical Security Controls?
The 18 controls prescribed by CIS are made up of safeguards (previously referred to as CIS sub-controls) that are prioritized into three implementation groups (IGs). Each IG identifies the set of safeguards your enterprise should implement based on its risk profile and available resources, and each successive group builds on the one before it.
For instance, IG1 defines essential cyber hygiene: the safeguards that guard against the most common attacks and that every organization should implement, regardless of size. These include maintaining an inventory of all enterprise assets so that security teams know the totality of what needs to be monitored and protected: end user devices, network devices, IoT devices, servers, cloud environments, and remote machines. IG1 also covers baseline practices for data protection, secure configuration, account management, access control management, continuous vulnerability management, and more.
IG2 layers in additional cyber defense safeguards, such as restricting the use of unauthorized software, enabling remote wipe for portable end user devices, documenting data flows, and enforcing secure network authentication. It applies to enterprises whose IT infrastructure spans multiple departments with differing risk profiles and security postures.
Finally, IG3 aims to prevent or lessen the impact of sophisticated attacks and to protect sensitive and confidential data. Its safeguards include deploying data loss prevention, defining and maintaining role-based access control, and separating enterprise workspaces on mobile end user devices.
How to meet CIS Critical Security Controls recommendations
As a security leader, you need a method to evaluate and track your organization's implementation progress for the CIS Controls. The controls themselves are easy to understand and are designed to protect against common threats, but implementing them incompletely or incorrectly leaves your business exposed.
Bitsight can help you manage your organization's security controls. Using Control Insights, now available as a feature of Bitsight for Security Performance Management (SPM), you can quickly evaluate the current state of your security controls and measure your team's progress over time as it implements the CIS Critical Security Controls. If improvement is needed, Bitsight provides specific recommendations for remediating any gaps and implementing the proper safeguards.
Control Insights is designed with ease-of-use in mind. A dashboard format provides at-a-glance views of the effectiveness of each security control – for example, “Needs Improvement” or “Acceptable.” You can also drill down into problem areas for further insight, such as the root causes of issues, specifics on “the why” of a control’s state, and a prescribed course of action.
For instance, identifying software misconfigurations isn't easy. Such weaknesses often go undiscovered until an incident surfaces them, such as a data breach or a performance issue. With Control Insights and SPM you can automatically and continuously monitor for insecure configurations and get guidance on bringing your security program back into alignment with the CIS Controls, in this case CIS Control 4 (Secure Configuration of Enterprise Assets and Software).
And you can do this without the manual effort normally associated with assessing your organization's security posture against the CIS Critical Security Controls.
Learn more about how you can proactively identify and remediate cyber risk and ensure your security controls meet CIS standards.