Any organization that processes, stores, or manages data should implement cyber security measures to protect it from external and internal threats. However, the biggest bottleneck many companies face is a lack of the resources, knowledge, or time needed to build a robust defense. This is where the CIS Controls come in.
Understanding CIS controls
First things first, let’s define CIS Controls and understand what they are. According to the Center for Internet Security, CIS Controls are “a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks”. In simple words, CIS Controls describe clear, specific actions that any company can take to improve security within its environment.
The best part is that the CIS Controls come with three Implementation Groups. Each group is suited to a different type of organization (e.g. a small business) and provides the list of recommended actions appropriate for that kind of organization. In other words, the recommended CIS Controls are not the same for a startup and for a Fortune 500 enterprise.
Categorization of CIS controls
CIS Controls can be categorized in two ways: by the type and priority of the control, and by the Implementation Group a safeguard belongs to. Let’s look at each categorization in more detail so you can see which controls fit your specific business.
Types of CIS security controls
The latest version of the CIS Controls, v8, was released in May 2021. Why does the version matter? Because in version 7, the 20 controls were divided into three groups:
- Basic (Controls 1-6): key security controls that are a must for any organization regardless of its size and domain;
- Foundational (Controls 7-16): best practices that are highly recommended;
- Organizational (Controls 17-20): controls that focus on processes and people and support your overall security strategy.
With version 8, those three groups are gone. Instead, each of the 153 safeguards in v8 is assigned to one of three Implementation Groups (IG1, IG2 or IG3), and the groups are cumulative: IG2 includes everything in IG1, and IG3 includes everything in IG2. IG1, which CIS calls essential cyber hygiene, contains 56 safeguards drawn from 15 of the 18 controls; Controls 13, 16 and 18 contain no IG1 safeguards at all.
Remember we talked about how the CIS Controls are tailored to every organization regardless of its size and type? The Implementation Groups are how that tailoring works, so let’s look at them in more detail.
There are three Implementation Groups for all CIS Controls:
- IG1: small and medium-sized businesses with limited IT and cybersecurity expertise, whose main concern is keeping the business running;
- IG2: organizations that employ staff responsible for managing and protecting the IT infrastructure and have enough resources to establish a more robust defense;
- IG3: well-established organizations that employ dedicated security experts and have extensive resources and experience in cyber security.
How does this categorization work? Each control consists of a number of safeguards (specific recommended actions), and each safeguard is tagged with the lowest Implementation Group expected to implement it. For example, Control 01, Inventory and Control of Enterprise Assets, has a total of 5 safeguards, but an IG1 organization is not expected to implement all five. CIS assigns them as follows:
- Implementation Group 1: 2 of 5 safeguards;
- Implementation Group 2: 4 of 5 safeguards (the IG1 pair plus two more);
- Implementation Group 3: all 5 safeguards.
As you can see, a startup does not have to implement the same security measures as an enterprise. That is what makes the CIS Controls so widely applicable: there is an appropriate subset for practically any business.
A list of CIS controls from v8
Now, let’s list all 18 controls included in version 8. Note that version 7 had 20 controls; some of them were merged or dropped in v8.
- 01 Inventory and Control of Enterprise Assets: helps you identify the company’s hardware assets (end-user devices, network devices, IoT devices and servers, whether physical, virtual or cloud-hosted; software is covered separately) and understand who manages them and how. To implement this control, you’ll need to assemble a detailed hardware inventory, including employee-owned devices that access company resources.
- 02 Inventory and Control of Software Assets: similar to Control 01, this one covers the software inventory and ensures that only authorized software is installed and executed.
- 03 Data Protection: to implement this control, you’ll need to assemble an inventory of your data and identify all the processes involved in its handling, flows, storage, and processing. The main goal is to ensure that the data is properly secured throughout its lifecycle.
- 04 Secure Configuration of Enterprise Assets and Software: includes best practices for establishing and maintaining secure configurations of the company’s hardware and software.
- 05 Account Management: covers the processes and tools for assigning and managing credentials and authorization for user, administrator and service accounts.
- 06 Access Control Management: covers creating, assigning, managing and revoking access privileges, so that users get only the roles and permissions they actually need.
- 07 Continuous Vulnerability Management: helps you detect and monitor vulnerabilities, remediate them properly, and document the process.
- 08 Audit Log Management: covers the full management of audit logs (their collection, storage, review, and time synchronization).
- 09 Email and Web Browser Protections: includes a set of safeguards that help you secure your email and web browsers, the most common entry points for attackers.
- 10 Malware Defenses: includes best practices to prevent and/or control the installation and execution of malicious software.
- 11 Data Recovery: describes how to back up your data properly and recover it securely.
- 12 Network Infrastructure Management: covers proper and active management of all your network devices.
- 13 Network Monitoring and Defense: similar to Control 12, this one focuses on monitoring and defending your network with the help of the included safeguards.
- 14 Security Awareness and Skills Training: helps you spread security awareness and establish proper security training within your organization.
- 15 Service Provider Management: focuses on your service providers and explains how to manage all processes and data that are handled by external parties.
- 16 Application Software Security: describes how to properly manage the security lifecycle of software your organization develops or acquires.
- 17 Incident Response Management: focuses on the procedures for proper incident reporting and response.
- 18 Penetration Testing: advises on how to perform penetration testing in order to check the effectiveness of your cyber defenses by simulating an attacker’s actions.
How to implement CIS controls?
Though the selection of required CIS Controls will differ for every organization (depending on its size and available resources), there are certain steps that you must follow when planning your CIS implementation strategy. Consider them a canvas on which you will further elaborate your cybersecurity strategy. The steps are:
- Perform an “inventory check” of your environment and network: find out which devices are connected to the network, which applications run on them, and who holds admin rights and what levels of access exist. In other words, you need a full view of your environment in order to know what needs to be protected and how.
- Apply the required configuration changes and update software regularly. Write down all the actions that need to be taken to protect your assets.
- Educate your employees on cybersecurity and make sure they understand its importance and what is expected of them. You can hold training sessions or provide learning resources, whatever works best for you.
- Prepare in advance for possible attacks and draw up a response and a recovery strategy. It is good to react to threats quickly, but it is much more important to be proactive and have a solid recovery plan at your fingertips. For instance, you might want to manage your backups better or make sure you have enough of them, and that they can actually be restored.
But most importantly, go through the list of CIS Controls and check which safeguards apply to your company according to its Implementation Group. After that, prioritize what has to be done first and what can be implemented later.
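As an added example (not code from the original article or from CIS), here is one way to automate the first step above for network-attached devices: parse the DHCP server log, compare every device that asked for an address against the authorized hardware inventory, and flag the ones that are missing from it, the ones whose reported hostname does not match the inventory, and the inventoried devices that were never seen. The inventory, MAC addresses and log lines are constructed sample data in ISC dhcpd syslog format, and the parsing regexes assume that format.

```python
"""Reconcile DHCP lease records against an authorized enterprise asset inventory.

Added example, not code from the original article or from CIS. It illustrates
the "inventory check" step: every device seen on the network is matched against
the hardware inventory, and anything unmatched is treated as an unauthorized
asset to investigate. All hostnames, MAC addresses and log lines are constructed
sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory keyed by lower-case MAC address.
# In practice this would come from an asset-management system or CMDB.
AUTHORIZED_ASSETS: Dict[str, Dict[str, str]] = {
    "aa:bb:cc:00:00:01": {"hostname": "fileserver01", "owner": "IT", "type": "server"},
    "aa:bb:cc:00:00:02": {"hostname": "laptop-jdoe", "owner": "J. Doe", "type": "laptop"},
    "aa:bb:cc:00:00:03": {"hostname": "printer-2f", "owner": "Facilities", "type": "printer"},
    "aa:bb:cc:00:00:04": {"hostname": "switch-core", "owner": "IT", "type": "network"},
}

# Constructed sample log lines in ISC dhcpd syslog format.
DHCP_LOG = """\
Mar  3 09:12:01 dhcp01 dhcpd[1234]: DHCPACK on 10.0.1.20 to aa:bb:cc:00:00:01 (fileserver01) via eth0
Mar  3 09:13:44 dhcp01 dhcpd[1234]: DHCPACK on 10.0.1.57 to aa:bb:cc:00:00:02 (laptop-jdoe) via eth0
Mar  3 09:15:02 dhcp01 dhcpd[1234]: DHCPACK on 10.0.1.88 to de:ad:be:ef:00:01 (android-7f3a) via eth0
Mar  3 09:15:09 dhcp01 dhcpd[1234]: DHCPDISCOVER from de:ad:be:ef:00:02 via eth0
Mar  3 09:16:30 dhcp01 dhcpd[1234]: DHCPACK on 10.0.1.57 to aa:bb:cc:00:00:02 (laptop-jdoe) via eth0
Mar  3 09:18:12 dhcp01 dhcpd[1234]: DHCPACK on 10.0.1.91 to aa:bb:cc:00:00:03 (ubuntu-vm) via eth0
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; the hostname part is optional.
ACK_RE = re.compile(rf"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>{MAC})(?: \((?P<host>[^)]*)\))?")
# "DHCPDISCOVER from <mac> via <iface>" / "DHCPREQUEST for ... from <mac> ..."
PROBE_RE = re.compile(rf"DHCP(?:DISCOVER|REQUEST) .*?from (?P<mac>{MAC})")


@dataclass
class SeenDevice:
    mac: str
    ip: Optional[str] = None        # last address the server handed out, if any
    hostname: Optional[str] = None  # client-supplied name from the last DHCPACK
    sightings: int = 0              # number of DHCP messages attributed to this MAC


def parse_dhcp_log(text: str) -> Dict[str, SeenDevice]:
    """Return every MAC address that talked to the DHCP server, with its last lease."""
    seen: Dict[str, SeenDevice] = {}
    for line in text.splitlines():
        ack = ACK_RE.search(line)
        if ack:
            mac = ack["mac"].lower()
            dev = seen.setdefault(mac, SeenDevice(mac))
            dev.ip = ack["ip"]
            dev.hostname = ack["host"] if ack["host"] else dev.hostname
            dev.sightings += 1
            continue
        probe = PROBE_RE.search(line)
        if probe:
            # A DISCOVER/REQUEST without an ACK still proves a device is on the wire.
            mac = probe["mac"].lower()
            dev = seen.setdefault(mac, SeenDevice(mac))
            dev.sightings += 1
    return seen


def reconcile(seen: Dict[str, SeenDevice], inventory: Dict[str, Dict[str, str]]
              ) -> Tuple[Dict[str, SeenDevice], List[str], List[str]]:
    """Split observed devices into unauthorized, name-mismatched, and inventoried-but-dormant."""
    unauthorized = {mac: dev for mac, dev in seen.items() if mac not in inventory}
    # Known MAC but a different hostname than recorded: re-imaged device, or someone
    # reusing/spoofing an authorized MAC. Either way it needs a look.
    mismatched = sorted(mac for mac, dev in seen.items()
                        if mac in inventory and dev.hostname
                        and dev.hostname != inventory[mac]["hostname"])
    dormant = sorted(mac for mac in inventory if mac not in seen)
    return unauthorized, mismatched, dormant


def report(log_text: str, inventory: Dict[str, Dict[str, str]]) -> List[str]:
    """Human-readable findings, one per line."""
    unauthorized, mismatched, dormant = reconcile(parse_dhcp_log(log_text), inventory)
    lines = [f"UNAUTHORIZED {mac} ip={dev.ip or '-'} host={dev.hostname or '-'} seen={dev.sightings}x"
             for mac, dev in sorted(unauthorized.items())]
    lines += [f"MISMATCH {mac} inventory={inventory[mac]['hostname']}" for mac in mismatched]
    lines += [f"DORMANT {mac} ({inventory[mac]['hostname']}) never requested a lease" for mac in dormant]
    return lines


if __name__ == "__main__":
    print("\n".join(report(DHCP_LOG, AUTHORIZED_ASSETS)))
```

Two caveats a practitioner would add: a MAC address is chosen by the client and trivially spoofed, so this is a hygiene check that keeps the inventory honest, not a form of authentication (pair it with active or passive discovery and port-level access control if you need the latter); and statically addressed devices never show up in DHCP logs, so they need a separate discovery source.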
Why do you really need to implement CIS security controls?
Let’s be honest: even though cybersecurity is a pressing issue, many organizations tend to overlook it or ignore minor things without realizing what impact these tiny flaws may have. Another scenario: you want to obtain ISO 27001 certification in the future but are not sure where to start (or you simply worry that you don’t have enough knowledge and resources).
This is where the CIS Controls can help a great deal. They are beginner-friendly and allow organizations to establish a robust defense against malicious actions and threats starting at the most basic level. And if you need a reminder of why it matters, let’s review the main benefits of robust cybersecurity:
- Protection of data against leaks and exposure;
- Saving the company’s money and resources by preventing attacks and thus avoiding the cost of recovery;
- Increased trust from clients and partners;
- Complete control over organization’s assets and resources (with no data silos or dark data left).
The thing is, robust cybersecurity not only protects your organization and its assets but also contributes to greater transparency and better control of your processes. Implementing the CIS Controls can definitely help with that.
As you can see, the CIS Controls cover all aspects of cyber security and are relevant to any organization that uses information technology and stores and manages data. Remember, though, that the implementation process will differ for every company, because it depends on your existing processes, inventory and resources. It may therefore be a good idea to consult a cybersecurity expert in order to establish the best approach to applying the CIS Controls.