Countless businesses use the CIS Security Controls as their security framework, and here at Fresh Security, we're one of them. The Center for Internet Security (CIS) is a non-profit dedicated to internet security. Its controls are comprehensive yet jargon-free, allowing small and medium-sized organisations to keep their data and networks safe with the least possible effort.
What Are the Goals of the CIS Controls?
CIS is the Center for Internet Security. As the name suggests, the main goal of the controls is to improve cybersecurity and help organisations run their IT processes with minimal risk. They defend against the problems companies actually face, such as intrusions, online threats and data loss, and they give guidance on compliance and cybersecurity best practice.
More specifically, the controls simplify implementing security processes and give organisations a resilient framework to follow. A company can work through each of the eighteen controls and know that, once everything is in place, it has solid protection against the most common threats.
However, for small businesses especially, it can be daunting to figure all of this out for themselves. So the CIS guidance plays a much-needed role by offering a staged approach to the controls. Since there are various approaches for organisations of different sizes, every business can find a viable route to becoming more secure.
An important point is that the CIS controls focus on building and protecting an organisation's own security processes rather than on how to defend against specific, detailed cyber-attacks. This means the CIS controls aren't foolproof or all-encompassing. Instead, they're a prioritised starting point for improving cybersecurity.
What Is the History of the CIS Controls?
CIS first started working on the controls back in 2008 alongside various governmental institutions, companies, and other organisations — it was a grassroots movement that sprang up due to the need for security.
The trigger was a breach of the US defence base, which also took place in 2008. It was the most significant data loss a US military computer had ever seen, and it highlighted the importance of establishing solid cyber defence procedures.
The project began under one organisation, moved to the Council on Cyber Security in 2013 and finally to the Center for Internet Security in 2015. Now, the controls have a strong community that helps with peer-reviewing updates and creating new processes.
Since then the controls have gone through several revisions. We're currently on version 8, released in May 2021. It has 18 controls, compared to the 20 in the previous version, and it organises the controls around activities rather than device types so that cloud and mobile assets fit naturally. Each new version adapts to the latest technological changes.
Let's have a quick overview of what they are and why they matter.
CIS Control 1: Inventory and Control of Enterprise Assets
Control number one focuses on enterprise assets, a category that covers all hardware: end-user devices, network devices, servers and Internet of Things devices. Previous versions of the CIS controls framed this as "hardware assets", which was too limiting for today's infrastructure of mobile, IoT and cloud.
The control is all about recording, monitoring, and maintaining an inventory of assets as part of an active management process.
CIS Control 2: Inventory and Control of Software Assets
Control two aims to do the same thing as the previous but focuses on software assets instead. These software assets are applications you install and use every day (e.g. Microsoft Office or Slack) and operating systems installed on your laptop or tablet.
This way, any software that isn't authorised can be found early and removed or blocked before it causes damage.
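Controls 1 and 2 both come down to the same loop: discover what is actually present, compare it with what is authorised, and act on the difference. The script below is an added example (not from the original article or from CIS) that runs that reconciliation. The inventory, the software allow-list and the "scan results" are all constructed sample data; in practice the discovery input would come from DHCP logs, an active scanner, an endpoint agent or a package manager. The safeguard numbers in the comments (1.2 and 2.3) are the CIS Controls v8 safeguards for addressing unauthorised assets and software.

```python
"""Reconcile discovered hardware and software against the authorised inventory.

Added example, not the article's or CIS's own code. All data below is
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed authorised inventory: MAC address -> asset record.
AUTHORISED_ASSETS = {
    "aa:bb:cc:00:00:01": {"hostname": "lt-alice", "owner": "alice", "last_seen": date(2024, 5, 2)},
    "aa:bb:cc:00:00:02": {"hostname": "lt-bob", "owner": "bob", "last_seen": date(2024, 1, 10)},
    "aa:bb:cc:00:00:03": {"hostname": "srv-files", "owner": "it", "last_seen": date(2024, 5, 1)},
}

# Constructed software allow-list: package name -> versions allowed to run.
AUTHORISED_SOFTWARE = {
    "slack": {"4.36.140", "4.37.94"},
    "microsoft-office": {"16.0.17328"},
    "openssh-server": {"9.6"},
}

# Constructed discovery results (what a scan found on SCAN_DATE).
SCAN_DATE = date(2024, 5, 3)
DISCOVERED = [
    {"mac": "AA:BB:CC:00:00:01", "hostname": "lt-alice",
     "software": {"slack": "4.37.94", "microsoft-office": "16.0.17328"}},
    {"mac": "aa:bb:cc:00:00:03", "hostname": "srv-files",
     "software": {"openssh-server": "9.6", "anydesk": "8.0.9"}},
    {"mac": "de:ad:be:ef:00:09", "hostname": "raspberrypi",
     "software": {"openssh-server": "9.2"}},
]


@dataclass
class Findings:
    unauthorised_assets: list = field(default_factory=list)   # (mac, hostname)
    stale_assets: list = field(default_factory=list)          # (mac, hostname)
    unauthorised_software: list = field(default_factory=list) # (hostname, name, version)


def reconcile(discovered, assets, software, today, stale_after=timedelta(days=30)):
    """Compare a discovery scan with the authorised inventory and allow-list."""
    found = Findings()
    seen_macs = set()
    for host in discovered:
        mac = host["mac"].lower()  # normalise: scanners disagree on case
        seen_macs.add(mac)
        if mac not in assets:
            # Safeguard 1.2: an unknown device is unauthorised; everything on it
            # is unauthorised by definition, so skip the per-package checks.
            found.unauthorised_assets.append((mac, host["hostname"]))
            continue
        for name, version in host["software"].items():
            allowed = software.get(name)
            if allowed is None or version not in allowed:
                # Safeguard 2.3: unknown package, or a version outside the allow-list.
                found.unauthorised_software.append((host["hostname"], name, version))
    # Inventory entries that have not shown up for a while are probably gone
    # (or switched off and unpatched); either way the record needs attention.
    for mac, record in assets.items():
        if mac not in seen_macs and today - record["last_seen"] > stale_after:
            found.stale_assets.append((mac, record["hostname"]))
    return found


def run_reconciliation():
    return reconcile(DISCOVERED, AUTHORISED_ASSETS, AUTHORISED_SOFTWARE, SCAN_DATE)


if __name__ == "__main__":
    f = run_reconciliation()
    for label, items in (("Unauthorised assets", f.unauthorised_assets),
                         ("Stale inventory entries", f.stale_assets),
                         ("Unauthorised software", f.unauthorised_software)):
        print(label)
        for item in items:
            print("  ", *item)
```

On the sample data this flags the unknown Raspberry Pi, Bob's laptop that has not been seen since January, and the remote-access tool on the file server. The point of keeping the three lists separate is that each calls for a different response: isolate, investigate, and uninstall respectively.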
CIS Control 3: Data Protection
Possibly one of the most self-explanatory and straightforward requirements, data protection involves identifying and managing data throughout its lifecycle and then disposing of it when necessary.
This is done by creating technical controls and processes that make it easy to keep tabs on your collected and generated information.
CIS Control 4: Secure Configuration of Enterprise Assets and Software
We're back to enterprise assets and software. But this time, the focus is on setting everything up correctly and ensuring that it remains secure.
Although software and enterprise assets arrive with a configuration, the defaults are chosen for ease of setup, not security. This control is about applying a hardened baseline, checking that assets still match it, and making sure they do only what you expect them to.
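A secure-configuration check is only useful if it accounts for what the software does when a setting is absent, because an insecure default is still insecure. The script below is an added example (not from the article or from CIS) that audits an OpenSSH server configuration against a small hardening baseline. The baseline values are illustrative choices of the kind a CIS Benchmark specifies, not quoted from any benchmark; the fallback defaults are OpenSSH's documented defaults for those directives; and the configuration text is constructed.

```python
"""Audit an sshd_config against a hardening baseline.

Added example, not the article's or CIS's own code. BASELINE is an
illustrative hardening profile, not a quoted benchmark; SAMPLE_CONFIG is
constructed.
"""
import re

# Illustrative baseline: directive -> acceptable values (lower-case).
BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"1", "2", "3", "4"},
    "loglevel": {"info", "verbose"},
}

# What OpenSSH uses when the directive is not set (per sshd_config(5)).
# A missing directive must be judged by this value, not treated as "unset".
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "info",
}

SAMPLE_CONFIG = """\
# Constructed sshd_config: a near-default file with one careless edit
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return {directive: value} for the global section.

    Comments are dropped, directive names are case-insensitive, and the first
    occurrence of a directive wins, as in sshd itself. Parsing stops at the
    first Match block because its settings are conditional, not global.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip(" \t=").lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(settings, baseline=BASELINE, defaults=DEFAULTS):
    """Return (directive, effective_value, source) for each baseline violation."""
    findings = []
    for directive, allowed in baseline.items():
        if directive in settings:
            effective, source = settings[directive], "config"
        else:
            effective, source = defaults[directive], "default"
        if effective not in allowed:
            findings.append((directive, effective, source))
    return findings


if __name__ == "__main__":
    for directive, value, source in audit(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"FAIL {directive}={value} (from {source})")
```

On the sample file the audit reports three failures: password authentication is explicitly enabled, MaxAuthTries is left at 6, and root login is not disabled because the commented-out line means the default (prohibit-password) applies. That last one is the case a naive grep for "PermitRootLogin no" gets wrong.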
CIS Control 5: Account Management
This control is about knowing who holds an account on your systems and who is actually behind it. Account management helps prevent unauthorised people from accessing a system through genuine (yes, genuine) user credentials, such as a former employee's account that was never disabled.
Managing accounts with the right processes and monitoring tools helps to ensure everything remains secure, especially accounts with special privileges (like administrators).
CIS Control 6: Access Control Management
We're now moving on from managing the accounts themselves to managing what each account can access. This adds a further layer of protection: no account should have access to more than it needs to do its job, the bare minimum (the principle of least privilege).
CIS Control 7: Continuous Vulnerability Management
Vulnerabilities in a system can let attackers in, and new ones are disclosed constantly, so patching and updating are never finished.
Be one step ahead by evaluating and tracking your vulnerabilities continuously — and taking action to fix them.
CIS Control 8: Audit Log Management
Auditing might not be the most glamorous activity in the world. But it's one of the most important for understanding what's happened and what can be learned from it — especially after an attack takes place.
The more quickly logs can be collected and analysed, the easier it is to spot malicious activity while there is still time to act.
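Audit logs only help when something actually reads them. The script below is an added example (not from the article or from CIS) of the kind of detection that belongs on top of collected logs: it parses SSH authentication records, counts failed logins per source address in a sliding window, and escalates when a success follows a burst of failures from the same address. The log lines are constructed in the format OpenSSH writes to the system log; the threshold and window are illustrative tuning values.

```python
"""Detect password brute-forcing in SSH authentication logs.

Added example, not the article's or CIS's own code. SAMPLE_LOG is
constructed; THRESHOLD and WINDOW_SECONDS are illustrative tuning values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in syslog format (the year is omitted, as real syslog does).
SAMPLE_LOG = """\
May  3 10:00:01 srv-files sshd[1201]: Accepted publickey for alice from 198.51.100.7 port 50012 ssh2: ED25519 SHA256:abc
May  3 10:02:11 srv-files sshd[1210]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May  3 10:02:12 srv-files sshd[1211]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
May  3 10:02:14 srv-files sshd[1212]: Failed password for root from 203.0.113.5 port 51236 ssh2
May  3 10:02:15 srv-files sshd[1213]: Failed password for root from 203.0.113.5 port 51237 ssh2
May  3 10:02:17 srv-files sshd[1214]: Failed password for root from 203.0.113.5 port 51238 ssh2
May  3 10:02:40 srv-files sshd[1215]: Accepted password for root from 203.0.113.5 port 51240 ssh2
May  3 10:30:00 srv-files sshd[1300]: Failed password for bob from 198.51.100.9 port 40000 ssh2
May  3 10:30:20 srv-files sshd[1301]: Accepted password for bob from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

THRESHOLD = 5        # failures from one address ...
WINDOW_SECONDS = 60  # ... within this many seconds triggers an alert


def parse(line, year):
    """Turn one sshd log line into an event dict, or None if it is not an auth record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, year=2024, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Return alerts as (ip, kind, detail) tuples.

    Failures are kept per address in a deque trimmed to the window, so memory
    stays bounded on a long log. An address is alerted once for the burst, and
    again if it later logs in successfully (the case that needs a human now).
    """
    failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line, year)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append((ev["ip"], "brute-force",
                               f"{len(q)} failures within {window_seconds}s"))
        elif ev["ip"] in flagged:
            alerts.append((ev["ip"], "success-after-brute-force",
                           f"user={ev['user']} method={ev['method']}"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:26} {ip:15} {detail}")
```

On the sample the single mistyped password from Bob produces nothing, while 203.0.113.5 is alerted for the burst and then escalated when the root password login succeeds 23 seconds later. The escalation is the alert that matters: a burst alone is background noise on any internet-facing host, but a success afterwards is an account to lock and a session to investigate.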
CIS Control 9: Email and Web Browser Protections
Web browsers and email are where staff spend much of their day, which also makes them the most common entry point for attacks: phishing, malicious attachments and drive-by downloads.
Special efforts should be made to keep them secure and prevent threats.
CIS Control 10: Malware Defences
Without the right processes in place, malware can spread across software and enterprise assets and wreak havoc. It typically arrives through email, the browser, removable media or an unpatched vulnerability, and it moves faster than people do, so defences must detect and block it automatically and be updated continuously.
CIS Control 11: Data Recovery
Few things are worse than the prospect of losing all your data or having it corrupted by attackers, but if it does happen, it's important to know there's a way to get it back.
Fortunately, with the proper data recovery practices, you can restore enterprise assets to their pre-incident state.
CIS Control 12: Network Infrastructure Management
Network infrastructure is the glue that connects your team's laptops and tablets to your business's internal websites and file shares. Needless to say, it plays a crucial part in defending systems from cyberattacks, but setting up the proper configuration is far from simple (again, the default usually isn't secure).
Active management keeps networks consistently secure and prevents vulnerabilities from arising.
CIS Control 13: Network Monitoring and Defence
Network infrastructure can help to protect your business, but only if monitoring and defence go hand in hand with it. That way, threats are found as quickly as possible and alerts are raised to someone who can act on them.
CIS Control 14: Security Awareness and Skills Training
Although it's tempting to rely on technology and sit back, staff need to understand cybersecurity and their company's approach. We're only as strong as our weakest link, so make sure everyone gets the training they need.
CIS Control 15: Service Provider Management
Most companies use countless third-party services every day. Each one may hold your sensitive data or have access into your environment, so a breach at a provider can become your breach. You can't rule that out, but with the right processes for vetting, contracting and monitoring providers you can reduce its likelihood and impact.
CIS Control 16: Application Software Security
The applications you create in-house aren't off the hook either. In fact, they often handle the most sensitive information, so secure development processes should be in place.
Secure account management and access control are part of this, but there are many more safeguards, from using trusted third-party components to training developers in secure coding.
CIS Control 17: Incident Response Management
Just as every office has a fire drill in place for emergencies, your systems need a comprehensive incident response plan. This way, if an attack does take place, you can prepare, detect, and respond promptly.
Ideally, the threat would be found and stopped before it can spread further.
CIS Control 18: Penetration Testing
The only way you know whether your security efforts will work is to try to break them and see the result — and that's what penetration testing is for. It simulates an attack to test for potential weaknesses in the people, processes, and technology. Depending on how the test goes, adjustments can be made.
How Were the CIS Controls Designed?
CIS designed the controls so that small and mid-sized organisations can implement and oversee them themselves and each employee can use them effectively. They're not something a third party installs and nobody in the organisation understands.
As touched on already, version 8 of the controls contains 153 safeguards. How many of them a company implements depends on how mature it wants its processes to be. The safeguards are grouped into three implementation groups, IG1, IG2 and IG3, that build on each other, and the target level is a business decision for the organisation.
CIS Implementation Groups
- Implementation Group 1 (56 safeguards) is the foundation. It focuses on basic cyber hygiene and on mitigating the background noise of opportunistic attacks on the internet.
- Implementation Group 2 (130 safeguards, IG1 plus 74 more) is for organisations with more sensitive data and more to lose, which want to protect their business against losses from ransomware and other cybercriminal activity.
- Implementation Group 3 (all 153 safeguards) is for companies that are likely to be actively targeted by capable attackers. This level of implementation requires a company to have its own security team.
How Can My Company Implement CIS Controls?
As we've mentioned, one of the standout features of CIS controls is that they're designed to allow organisations and even individual employees to handle them independently. But that doesn't mean there is no risk in starting an implementation project on your own.
One of the challenges of implementing frameworks - including the CIS Controls - is that companies over-scope them and spend too much time and effort. This may seem counterintuitive, but "let's just make it a little bit more secure..." and "but a hacker could..." create unplanned expenses and delays, even in well-planned projects.
Working with a specialist cybersecurity company to implement CIS controls is mainly about controlling costs and avoiding cost overruns. This is based on the experience of companies like Fresh Security to deliver what is needed and focus on the most impactful security controls first. From a business perspective, it is essential to make cybersecurity processes "good enough" rather than "perfect".
In most cases, a company won't need to implement absolutely everything and all in equal quantities.
Why Are Compliance Controls Important?
Hopefully, if you're reading this, you don't need us to tell you why it's crucial to protect your data, sensitive information, and technological infrastructure.
The implications of breaches are significant. For one, they can result in severe damage to revenue due to lost productivity, data assets, and resources. Perhaps even worse, they can harm your credibility if you've failed to look after your customers' data adequately — who'd want to work with a company that appears careless?
Yet these risks can be substantially reduced by setting up the right business processes and implementing compliance controls. Once security controls are in place, you can be reasonably confident that your business systems will preserve confidentiality and integrity and will be available when needed.
Although compliance controls can't eliminate the possibility of accidents altogether, they protect against incidents such as:
- Intellectual property theft
- Corporate espionage
- Data leaks
It's also a clear signal to potential partners and clients that you take cybersecurity seriously and are a reliable business anyone can trust with sensitive information. Although controls involve an upfront investment, they almost always pay dividends over the long run.
A Final Thought
The 18 CIS security controls can seem daunting at first, and there's more detail and complexity under the covers, but you shouldn't expect to have 100% understanding from the get-go. Proceeding one step at a time will get you where you need to be in the end, and the sooner you get moving, the better.