CIS controls — or, in the long version, Critical Security Controls (CSC) for Effective Cyber Defense — are a set of best practices to improve cybersecurity, created by the Center for Internet Security (CIS).
Remember way back in the early days of the Internet, when having an antivirus was the be-all and end-all of cybersecurity? Those were admittedly wilder times, but in a way only a few bad actors had the tools and knowledge to threaten and breach corporate IT infrastructures.
Times have changed. Thanks to the free flow of information and widespread access to hacking tools, cyber attacks have become a very real and tangible menace with potentially devastating consequences. Among other things, this is why it's important to build a culture of cybersecurity in your company.
However, the pendulum swings both ways. As hackers and bad actors have found new ways of carrying out their malicious practices, companies have beefed up their security measures so as to better face these new dangers. And this is where CIS Controls enter the picture.
In this article, we’ll take a look at the CIS CSC, explain their role in IT, and show why they should be a top priority for companies looking to shield themselves from the inherent dangers of using the internet as a platform for their operations.
What are CIS Controls?
CIS Controls are a set of cybersecurity defensive actions and best practices developed by the Center for Internet Security (CIS). They are prescriptive and divided into prioritized recommendations called Controls. As of version 8, there are 18 Controls in total. They are aimed at preventing pervasive and harmful attacks, as well as at supporting compliance with a multitude of frameworks.
These cyber defense practices are developed by groups of IT professionals who have gathered data from real-life attacks and the defensive measures that proved effective against them. In other words, CIS Controls work as a guide for organizations to protect their IT infrastructures while complying with policy, regulatory and legal frameworks.
What are CIS Control Implementation Groups?
A key aspect of CIS Controls, particularly in version 8, is that they’ve been divided into Implementation Groups (IGs) which are prioritization guidelines for the implementation of Controls.
In order to adequately help companies of all sizes, the Controls are segmented into three distinct IGs. An organization is placed in a group according to its risk profile and available resources, and that placement determines which CIS Controls it should implement first:
Implementation Group 1 (IG1)
IG1’s main focus is on basic cyber hygiene. It is made up of the essential set of cyber defense safeguards that all companies should implement to guard against the most common attacks. Small or medium-sized companies with little to no cybersecurity infrastructure and low-sensitivity data would greatly benefit from the safeguards and Controls that belong to the IG1 category.
Implementation Group 2 (IG2)
Companies with a greater amount of resources and a moderate risk of data exposure due to sensitive assets should implement IG2 Controls in addition to the IG1 Controls. These Controls are focused on helping security teams manage moderately sensitive client and company information.
Implementation Group 3 (IG3)
Bigger and more mature organizations with a significantly larger amount of resources and highly sensitive data need to implement Controls from the IG3 category as well as the IG1 and IG2 Controls. Safeguards designated for IG3 protect organizations from highly capable attackers and reduce the impact of attacks.
The 18 CIS Controls of version 8
In this explanatory section of our article, we’ll take a deep dive into the 18 different CIS Controls and what each of them entails. It is key to remember that different companies have different needs; while these recommendations are aimed at all organizations equally, most of them are essential regardless of company size.
CIS Critical Security Control 1: Inventory and control of enterprise assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things or IoT devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud security environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
CIS Critical Security Control 2: Inventory and control of software assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
CIS Critical Security Control 3: Data protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
CIS Critical Security Control 4: Secure configuration of enterprise assets and software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
CIS Critical Security Control 5: Account management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
CIS Critical Security Control 6: Access control management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
CIS Critical Security Control 7: Continuous vulnerability management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
CIS Critical Security Control 8: Audit log management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
CIS Critical Security Control 9: Email and web browser protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
CIS Critical Security Control 10: Malware defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
CIS Critical Security Control 11: Data recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
CIS Critical Security Control 12: Network infrastructure management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
CIS Critical Security Control 13: Network monitoring and defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
CIS Critical Security Control 14: Security awareness and skills training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
CIS Critical Security Control 15: Service provider management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
CIS Critical Security Control 16: Application software security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
CIS Critical Security Control 17: Incident response and management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
CIS Critical Security Control 18: Penetration testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
Example of CIS Control implementation
A real-life example of CIS CSC implementation could be a scenario where a small company is trying to beef up its cybersecurity measures after an attempted attack on its database.
The first step would be identifying the company’s Implementation Group, which would be 1 in this case, since we’ve stated this is a small company.
Afterward, all assets and accounts should be inventoried, monitored and audited, following CIS CSC 1-5. CSC 9 should be a must as well, since browser and email protection are standard. Perhaps the most important aspect of implementation is making sure that all of the CSC are clearly communicated throughout management, and that IT specialists are trained in all of the previously mentioned CIS Controls.
With even the most basic of CIS Controls, this hypothetical company would be far safer than without them, and that’s a testament to their effectiveness in the current IT landscape.
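To make Controls 1 and 2 concrete for this hypothetical IG1 company, here is an added example (not from the article and not CIS tooling) that reconciles one day's network discovery scan against the authorized asset and software inventory. The inventory, the scan records and the 30-day staleness threshold are all constructed assumptions; the output is exactly what Control 1 and 2 ask the company to find: unauthorized assets, unmanaged (stale) assets and unauthorized software.

```python
from datetime import date, timedelta

# Constructed sample data: the authorized inventory an IG1 company keeps,
# keyed by MAC address, plus one day's discovery scan of the network.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"hostname": "ws-alice", "software": {"browser 120", "office 2021"}},
    "aa:bb:cc:00:00:02": {"hostname": "ws-bob", "software": {"browser 120", "office 2021"}},
    "aa:bb:cc:00:00:03": {"hostname": "srv-db", "software": {"postgres 15"}},
}
SCAN = [
    {"mac": "aa:bb:cc:00:00:01", "last_seen": date(2024, 5, 1), "software": {"browser 120", "office 2021"}},
    {"mac": "aa:bb:cc:00:00:03", "last_seen": date(2024, 5, 1), "software": {"postgres 15", "torrent-client 4.0"}},
    {"mac": "aa:bb:cc:00:00:99", "last_seen": date(2024, 5, 1), "software": {"browser 120"}},  # not in inventory
    {"mac": "aa:bb:cc:00:00:02", "last_seen": date(2024, 3, 1), "software": {"browser 120", "office 2021"}},  # stale
]
TODAY = date(2024, 5, 1)


def reconcile(authorized, scan, today, stale_after=timedelta(days=30)):
    """Return the findings Controls 1 and 2 call for: assets on the network
    that are not in the inventory (to remove or remediate), inventoried assets
    not seen recently (unmanaged or decommissioned), and software running on an
    authorized asset that was never approved for it."""
    seen = {r["mac"]: r for r in scan}  # latest record per MAC wins
    findings = {"unauthorized_assets": [], "stale_assets": [], "unauthorized_software": {}}
    for mac, rec in seen.items():
        if mac not in authorized:
            findings["unauthorized_assets"].append(mac)
            continue
        host = authorized[mac]["hostname"]
        extra = rec["software"] - authorized[mac]["software"]
        if extra:
            findings["unauthorized_software"][host] = sorted(extra)
        if today - rec["last_seen"] > stale_after:
            findings["stale_assets"].append(host)
    # Inventoried assets that never showed up in the scan are also unmanaged.
    for mac, meta in authorized.items():
        if mac not in seen:
            findings["stale_assets"].append(meta["hostname"])
    findings["unauthorized_assets"].sort()
    findings["stale_assets"].sort()
    return findings


def default_findings():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(AUTHORIZED, SCAN, TODAY)


if __name__ == "__main__":
    for category, items in default_findings().items():
        print(f"{category}: {items}")
```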
Frequently Asked Questions
What are CIS Controls?
CIS Controls are a set of cybersecurity defensive actions and best practices developed by the Center for Internet Security (CIS).
What are CIS Control Implementation Groups?
Implementation Groups are a way to tell which CIS Controls fit different company sizes and available resources. They range from IG1 (small/medium-sized) to IG3 (large).
Why are CIS Controls important?
CIS Controls are important because they comprise the most effective and easy-to-implement set of recommendations to avoid cyber attacks in the current IT landscape.