The Center for Internet Security (CIS) is a nonprofit organization dedicated to promoting security practices for IT systems and information. CIS is well-known for developing the CIS Controls and CIS Benchmarks, which are widely recognized in the industry.
CIS Controls and Implementation Groups
The CIS Controls, previously known as the SANS Critical Security Controls (SANS Top 20), were initially created to address common cyber-attacks faced by organizations. They have now been officially renamed as the CIS Critical Security Controls (CIS Controls). These controls are categorized into three implementation groups:
1. Implementation Group 1: Applicable to all companies, regardless of size.
2. Implementation Group 2: Additional controls for organizations storing sensitive information.
3. Implementation Group 3: Additional controls for organizations handling very sensitive information.
Types of CIS Assessments
Within Implementation Group 3, there are 18 controls that are further categorized as CIS recommended safeguards. While CIS assessments are not mandatory, they are highly regarded as benchmarks within the security industry and are commonly used as a foundation for security control assessments.
CIS Controls Self-Assessment Tool (CIS CSAT)
To aid organizations in tracking and prioritizing the implementation of CIS Controls, the CIS CSAT is available as a free web application. This tool allows organizations to assess their compliance with the controls and prioritize their efforts accordingly.
Control Breakdown of CIS Controls v8
CIS has moved away from the traditional approach of relying solely on physical devices, fixed boundaries, and discrete security domains. Version 8 of the CIS Controls reflects this shift by adjusting the language and introducing an amended category of safeguards. As a result, the number of controls utilized has been reduced. The full breakdown of the CIS Controls version 8 can be found in the official documentation.
Control 01. Inventory and Control of Enterprise Assets
- Actively manage all enterprise assets throughout their lifecycle.
Control 02. Inventory and Control of Software Assets
- Manage software inventory and restrict access to authorized systems only.
Control 03. Data Protection
- Implement processes and technical controls to ensure data protection at every stage of its lifecycle.
Control 04. Secure Configuration of Enterprise Assets and Software
- Establish and maintain secure configurations for enterprise assets.
Control 05. Account Management
- Utilize processes and tools for assigning and managing user credentials and authorizations.
Control 06. Access Control Management
- Establish, assign, manage, and revoke user access credentials and privileges using defined processes and tools.
Control 07. Continuous Vulnerability Management
- Continuously assess and track vulnerabilities across all enterprise assets.
Control 08. Audit Log Management
- Collect, review, and retain event audit logs for effective monitoring and detection.
Control 09. Email Web Browser and Protections
- Enhance protection and detection capabilities against email and web-based threats.
Control 10. Malware Defenses
- Implement measures to prevent and control the installation, spread, and execution of malicious applications, code, or scripts.
Control 11. Data Recovery
- Establish and maintain data recovery practices to restore systems to pre-incident state.
Control 12. Network Infrastructure Management
- Establish, implement, and actively manage network devices to prevent unauthorized access.
Control 13. Network Monitoring and Defense
- Establish and maintain comprehensive network monitoring processes and tools.
Control 14. Security Awareness and Skills Training
- Establish and maintain a program to influence and improve cybersecurity behavior and skills.
Control 15. Service Provider Management
- Develop a process for evaluating third-party providers with access to sensitive data or critical processes.
Control 16. Application Software Security
- Manage the security life cycle of in-house developed, hosted, or acquired software.
Control 17. Incident Response Management
- Establish and maintain a program for incident response capabilities.
Control 18. Penetration Testing
- Conduct tests to identify and exploit weaknesses in enterprise assets, assessing their effectiveness and resiliency.
Content found within this document is based on Carbide’s understanding of and the information provided by the official website and documentation of the Center for Internet Security