Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

The Pocket Guide for Implementing the CIS Security Controls

down-arrow

For CISOs and cybersecurity practitioners, tackling a framework like the CIS controls can be an intimidating task. With 20 critical controls to track and no specific route to achieving compliance, things can quickly become confusing. To ease this stress, we have developed a pocket guide to help ease the process of implementing CIS controls for any sized organization.

In response to the changing technology, work, and threat landscape, The Center for Internet Security (CIS) has launched CIS Controls v8. This update now has 18 key controls with 153 safeguards and addresses cloud and mobile technologies.

The Center for Internet Security (CIS) operates as a nonprofit organization dedicated to making the internet a better place for individuals, organizations, and governments. CIS controls serve as an international gold standard framework for mitigating companies from cyber threats and lead a global community of IT professionals that continuously work to evolve the CIS controls. CIS controls are based on risk management and share a lot of similarities to the NIST Cybersecurity Framework. CIS also has its process called the CIS Risk Assessment Method (CIS RAM) that requires implementing implementation tiers to measure an organization’s scope and determine what controls need to be implemented. CIS currently has 20 critical controls to guide readers on where to start their CIS critical controls’ implementation journey. We will be examining the twenty related to the five functions of the NIST CSF: Identify, Protect, Detect, Respond, and Recover.

How to Implement the CIS Critical Controls

Here we will be diving into the CIS controls to align with each of the five NIST CSF Functions’ outcomes.

First, identify and log all IT systems, networks, devices, and software to keep an inventory of your organizational assets and who has access to those assets.

1. Inventory and Control of Hardware Assets

2. Inventory and Control of Software Assets

Going further, provide evidence that assets and sensitive data are protected. Accomplish this by managing secure baseline configurations to prevent gaps and vulnerabilities within the organization. Additionally, this includes properly training personnel who have access to IT systems and sensitive information.

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

7. Email and Web Browser Protections

9. Limitation and Control of Network Ports, Protocols and Services

11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

12. Boundary Defense

13. Data Protection

14. Controlled Access Based on the Need to Know

15. Wireless Access Control

16. Account Monitoring and Control

17. Implement a Security Awareness and Training Program

18. Application Software Security

The organization will also need to provide evidence of cybersecurity detection in an anomaly or cybersecurity event and provide evidence of continuous monitoring and verify the effectiveness of protective measures.

3. Continuous Vulnerability Management

4. Controlled Use of Administrative Privileges

6. Maintenance, Monitoring and Analysis of Audit Logs

8. Malware Defenses

20. Penetration Tests and Red Team Exercises

With a cybersecurity event’s potential, the organization will need to prove it has an incident response plan. For this, provide evidence of the resources and people to contact in the circumstance of a cybersecurity event. This is done to mitigate the downtime and the detrimental impact that can occur in the event of a breach.

19. Incident Response and Management

The organization will also need to prove and log its data recovery capabilities to mitigate the potential damage from a cybersecurity event or day-zero attack. This will require evidence of backups that are properly maintained and protected.

10. Data Recovery Capabilities

Proving compliance with CIS is unique for each organization. Thankfully it shares many commonalities with the NIST CSF and many other gold standard cybersecurity frameworks. If you have any questions about CIS, CIS Controls or the NIST CSF, give us a call at 1-800 NIST CSF or click here, to learn more.

You may also like

How to Leverage the FAIR Model ...
on December 19, 2024

In light of the Colonial Pipeline cyberattack, measuring risk is on everyone’s minds. However, quantifying risk is often not easy. So many factors go into determining and ...

Kyndall Elliott
How to Effectively Communicate Top ...
on December 9, 2024

Effective cybersecurity reporting is more important than ever for CISOs, CIOs, and other security leaders in today's complex threat landscape. Reporting isn’t just about sharing ...

November Product Update
on November 27, 2024

The CyberSaint team has been working hard to deliver the latest updates to streamline and improve our customers’ user experience and address their top-of-mind challenges. We’re ...

Putting the “R” back in GRC - ...
on December 5, 2024

Cyber GRC (Governance, Risk, and Compliance) tools help organizations manage and streamline their cybersecurity, risk management, and compliance processes. These tools integrate ...

October Product Update
on October 17, 2024

The team at CyberSaint is thrilled to announce the latest additions and updates to the CyberStrong solution. To start off, we’ve made it easier to create an assessment and risk ...

Transforming Cyber Risk ...
on October 12, 2024

In today’s complex cyber landscape, managing risks effectively isn’t just about identifying threats—it’s about understanding their impact and knowing how to prioritize ...