CIS Controls, or CIS Critical Security Controls for Effective Cyber Defense, are the baseline for effective IT risk management. No matter the size or the industry, organizations around the world can implement CIS controls to build more secure software and systems.
Remote work, cloud computing and third-party vendors are all indispensable parts of modern organizations, but they also introduce new levels of risk. Through CIS compliance, organizations can mitigate the risks they face and protect their competitive advantage.
Here’s everything you need to know about the CIS Controls, the Top 18, and how to implement them into your own network.
What Are CIS Controls?
CIS Controls are a set of clear actions for organizations to strengthen cybersecurity. The aim of CIS Controls is to provide clear, focused actions which will have an impact on severe threats to IT systems.
There are 18 different CIS Controls, which consist of a range of actions to improve resilience to cyberattacks. They are designed to be straightforward and effective, helping to mitigate the potential damage from known cyber threats.
CIS Critical Security Controls are a separate program from the Center for Internet Security, but they are referenced throughout the CIS Benchmarks. Whereas CIS Benchmarks focus on the cybersecurity baseline of a specific system or product, CIS Controls are guidelines for the entire IT system. They are essential for any strategic IT governance decision or risk management process.
CIS Control v8
CIS Controls help organizations improve their cybersecurity and, as a result, reduce the risk of cyberattacks. CIS Controls v8, or Version 8, enhances the controls to focus on modern software and systems and the new risks that come with them.
These include the rise of remote working, the increase of cloud-based computing, the reliance on third-party vendors and more. The goal of CIS Controls v8 is to prepare organizations to operate securely in a fully remote or hybrid capacity.
CIS Controls v7 vs. v8
CIS released CIS Controls v8 in May 2021. The v8 CIS Controls reduced the Top 20 to the Top 18, which is one major difference between CIS Controls v7 and v8. The other difference is how the v8 controls are ordered. In v7, the controls were categorized based on the different activities an organization might undertake. The new v8 controls are intended to be more flexible, allowing organizations to apply the guidelines to their unique environment.
CIS Controls List
The Center for Internet Security designed the v8 CIS Controls to be simple and easy to implement. They’re relevant in various environments, paving a more straightforward route for organizations to achieve CIS compliance. They also have a new focus on third-party vendors and cloud computing.
Below is the complete CIS Controls list covered in v8.
- Inventory and Control of Enterprise Assets: Understanding all the devices on your network can reduce your organization’s risk. This includes device tracking and management that prevents unauthorized access to the organization’s network.
- Inventory and Control of Software Assets: Knowing which systems your organization uses is critical. Inventorying your software assets and implementing proper IT governance and management are vital steps toward preventing unauthorized software from being installed on the network.
- Data Protection: Identify the data your organization processes and stores, then develop procedures for secure processing, handling and disposing of that data.
- Secure Configuration of Enterprise Assets and Software: Develop and manage hardware and software configurations to mitigate vulnerable settings across the organization’s IT systems.
- Account Management: These controls ensure only authorized users can access company systems. This means creating processes for assigning and managing credentials.
- Access Control Management: With credentials in place, organizations also need procedures for granting the right level of access to the right users, including user, service and administrator-level accounts.
- Continuous Vulnerability Management: To improve cybersecurity, organizations should take a proactive approach to identify and fix vulnerabilities in the IT system. This requires an always-on approach to monitoring vulnerabilities and mitigating potential risks.
- Audit Log Management: Proactively detect and respond to cybersecurity incidents by performing internal audits of event logs.
- Email and Web Browser Protections: Strengthen email and browser systems against cyber threats.
- Malware Defenses: Ensure rapid response to malware attacks and proactively limit the likelihood of installation and spread.
- Data Recovery: Implement processes to periodically back up critical data and information and to recover it when needed.
- Network Infrastructure Management: Mitigate the risk of cyberattacks by ensuring your network infrastructure is secure. Ensure routers, firewalls and other devices on your network are properly configured to filter out suspicious activity.
- Network Monitoring and Defense: Set up a system that will alert you in the event of both attempted and successful breaches. This includes ongoing network intrusion detection and security team audits to ensure all safeguards are in place.
- Security Awareness and Skills Training: Identify and develop the skills and knowledge the organization needs to implement best-practice cybersecurity.
- Service Provider Management: Many organizations work with multiple third-party service providers. Doing so securely means configuring security processes that reduce the risk of attack via third-party access.
- Application Software Security: Identify and fix vulnerabilities in software the organization uses, then implement application controls to protect the network further.
- Incident Response and Management: Develop and embed incident response processes across the organization to restore the IT system after serious cybersecurity incidents.
- Penetration Testing: Simulate a cyberattack to test the cybersecurity strengths of the organization.
CIS Controls Mapping by Industry Framework
Different industries have different compliance frameworks. These frameworks often overlap with CIS Controls, which is why organizations need to map their CIS Controls according to their industry. The CIS provides guidance on how their controls interact with popular industry frameworks, including GDPR and HIPAA.
Below are the important CIS Controls according to the industry framework.
PCI DSS
Retailers must follow the Payment Card Industry Data Security Standard (PCI DSS), many of whose requirements are in line with CIS Controls. By implementing CIS Controls, retailers can also achieve compliance with certain PCI DSS requirements, including:
- Firewall and Router Configuration
- Patch Management
- Change Control
- Access Control
NIST and FISMA
The National Institute of Standards and Technology (NIST) oversees technology compliance. CIS Controls can be considered a precursor to the NIST standards, including the Federal Information Security Modernization Act (FISMA) component.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) creates a standard for protecting sensitive patient information. Its guidance contains many of the same requirements as the CIS Controls, since they both focus on mitigating the risk of breach and safeguarding data. CIS Controls also reach beyond HIPAA’s requirements, allowing organizations to develop a more robust cybersecurity program.
GDPR
As of May 2018, organizations that handle the data of E.U. citizens must follow the General Data Protection Regulation (GDPR). CIS Controls can support organizations as they achieve GDPR compliance, since CIS guidelines also focus on data privacy.
ISO/IEC 27001
CIS Controls are also used by organizations seeking ISO/IEC 27001 compliance. The International Organization for Standardization (ISO) created ISO/IEC 27001 to help with securing technologies. It focuses on many of the same cybersecurity standards as the CIS Controls, which is why CIS Controls are recognized as a benchmark for ISO compliance.
CIS Controls Implementation Groups
CIS Controls are prioritized to help organizations perform actions with the most positive impact. These different priorities are referred to as ‘implementation groups’ for CIS Controls. These are different groups of organizations that vary in scale, scope and cybersecurity requirements. Organizations decide which group they belong to, which helps them understand which CIS Controls to implement according to their risk profile and strategic resources.
Implementation groups play a crucial role in strategic risk management and planning. They weigh the risks and resources to help organizations take focused actions suitable to their cybersecurity needs.
- Implementation Group 1: smaller organizations with limited resources to allocate to cybersecurity. Data sensitivity may be low, and organizations will likely use off-the-shelf software and IT systems.
- Implementation Group 2: larger organizations with multiple departments and more complex IT systems. There may be a need for cybersecurity compliance, and the organizations will likely be using enterprise-level IT systems and products.
- Implementation Group 3: complex organizations with requirements for cybersecurity compliance. There may be cybersecurity specialists within the organization, with complex IT governance and risk management responsibilities. CIS Controls will help to reduce the risk of targeted cyber threats.
CIS Controls Assessment
The CIS Controls Self Assessment Tool (CSAT) allows organizations to track their compliance with every individual CIS control. This includes whether or not they’ve implemented that control and how effective that implementation is. Built-in workflows also allow IT teams to configure their CSAT based on their Implementation Group, which informs a comprehensive compliance score.
With CSAT, organizations can document, implement, automate, and report on their CIS activities. They can also produce a report at any time, allowing them to provide critical assurances to the board and shareholders.
Successfully Manage IT Risk With CIS Controls
CIS Controls are an important tool organizations use to mitigate the risk of cyberattacks. But they are just one way that IT teams can manage their IT and third-party risks. Today's IT teams must be prepared in the face of an increasingly complicated risk landscape, one with dispersed teams, cloud-based data and third-party vendors.
The stakes are higher than ever, too. Even one cyberattack can result in irrevocable damage to an organization’s reputation and bottom line.
Learn more about protecting your organization and its data with Diligent’s roadmap to IT and third-party risk management technology.