CIS Controls

CIS Controls have become an industry standard to help businesses and organizations of all sizes to maintain an industry standard of Cybersecurity controls.

The latest release of the CIS Controls is version eight, which was published in 2021. The list is still prioritized in order of importance, but there are some notable changes to the controls and their order. The controls are now task-focused and combined by activities broken down into 18 Controls within three implementation groups.

Implementation Groups

An Implementation Group 1 (IG1) enterprise is small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel. The principal concern of these enterprises is to keep the business operational, as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information.

Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Safeguards will also typically be designed to work in conjunction with small or home office commercial off- the-shelf (COTS) hardware and software.

An IG2 (includes IG1) enterprise employs individuals responsible for managing and protecting IT infrastructure. These enterprises support multiple departments with differing risk profiles based on job function and mission. Small enterprise units may have regulatory compliance burdens. IG2 enterprises often store and process sensitive client or enterprise information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs.

Safeguards selected for IG2 help security teams cope with increased operational complexity. Some Safeguards will depend on enterprise-grade technology and specialized expertise to properly install and configure.

A IG3 (includes IG1 & IG2) enterprise employs security experts that specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security). IG3 assets and data contain sensitive information or functions that are subject to regulatory and compliance oversight. An IG3 enterprise must address availability of services

and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare.

Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.

CIS Controls

CIS Control 1: Inventory and Control of Enterprise Assets

A comprehensive view of the devices on your network is the first step in reducing your organization’s attack surface. Use both active and passive asset discovery solutions on an ongoing basis to monitor your inventory and make sure all hardware is accounted for.

1.1 - Establish and Maintain Detailed Enterprise Asset Inventory [IG1] [IG2] [IG3]
1.2 - Address Unauthorized Assets [IG1] [IG2] [IG3]
1.3 - Utilize an Active Discovery Tool [IG2] [IG3]
1.4 - Use Dynamic Host Configuration Protocol (DHCP) Logging to update Enterprise Asset Inventory [IG2] [IG3]
1.5 - Use a Passive Asset Discovery Tool [IG3]

CIS Control 2: Inventory and Control of Software Assets

Another one of the top controls also deals with asset discovery, making network inventorying the single most critical step you can take to harden your system. After all, you can’t keep track of assets that you don’t know you have on your network.

2.1 - Establish and Maintain a Software Inventory [IG1] [IG2] [IG3]
2.2 - Ensure Authorized Software is Currently Supported [IG1] [IG2] [IG3]
2.3 - Address Unauthorized Software [IG1] [IG2] [IG3]
2.4 - Utilize Automated Software Inventory Tools [IG2] [IG3]
2.5 - Allowlist Authorized Software [IG2] [IG3]
2.6 - Allowlist Authorized Libraries [IG2] [IG3]
2.7 - Allowlist Authorized Scripts [IG3]

CIS Control 3: Data Protection

A comprehensive data management plan incorporates the answers to these questions with policy decisions and incident response procedures. Knowing what data an enterprise produces or consumes as well as being able to classify it based on sensitivity are the keystones of such a plan. Despite its simple name, this is one of the more complex and difficult controls to put into practice thanks to ongoing processes like inventorying sensitive information.

3.1 - Establish and Maintain a Data Management Process [IG1] [IG2] [IG3]
3.2 - Establish and Maintain a Data Inventory [IG1] [IG2] [IG3]
3.3 - Configure Data Access Control Lists [IG1] [IG2] [IG3]
3.4 - Enforce Data Retention [IG1] [IG2] [IG3]
3.5 - Securely Dispose of Data [IG1] [IG2] [IG3]
3.6 - Encrypt Data on End-User Devices [IG1] [IG2] [IG3]
3.7 - Establish and Maintain a Data Classification Scheme [IG2] [IG3]
3.8 - Document Data Flows [IG2] [IG3]
3.9 - Encrypt Data on Removable Media [IG2] [IG3]
3.10 - Encrypt Sensitive Data in Transit [IG2] [IG3]
3.11 - Encrypt Sensitive Data at Rest [IG2] [IG3]
3.12 - Segment Data Processing and Storage Based on Sensitivity [IG2] [IG3]
3.13 - Deploy a Data Loss Prevention Solution [IG3]
3.14 - Log Sensitive Data Access [IG3]

CIS Control 4: Secure Configuration of Enterprise Assets and Software

Leverage file integrity monitoring (FIM) to keep track of configuration files, master images, and more. This control speaks to the need for automating configuration monitoring systems so that departures from known baselines trigger security alerts. The systems in scope under this control include mobile devices, laptops, workstations, servers, and other devices.

4.1 - Establish and Maintain a Secure Configuration Process [IG1] [IG2] [IG3]
4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure [IG1] [IG2] [IG3]
4.3 - Configure Automatic Session Looking on Enterprise Assets [IG1] [IG2] [IG3]
4.4 - Implement and Manage a Firewall on Servers [IG1] [IG2] [IG3]
4.5 - Implement and Manage a Firewall on End-User Devices [IG1] [IG2] [IG3]
4.6 - Securely Manage Enterprise Assets and Software [IG1] [IG2] [IG3]
4.7 - Manage Default Accounts on Enterprise Assets and Software [IG1] [IG2] [IG3]
4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software [IG2] [IG3]
4.9 - Configure Trusted DNS Servers on Enterprise Assets [IG2] [IG3]
4.10 - Enforce Automatic Device Lockout on Portable End-User Devices [IG2] [IG3]
4.11 - Enforce Remote Wipe Capability on Portable End-User Devices [IG2] [IG3]
4.12 - Separate Enterprise Workspaces on Mobile End-User Devices [IG3]

CIS Control 5: Account Management

In order to keep valid credentials out of hackers’ hands, you must have a system in place to control authentication mechanisms. Administrative credentials are a prime target for cybercriminals. Luckily, there are several steps you can take to safeguard them, such as keeping a detailed inventory of admin accounts and changing default passwords. Monitoring and controlling accounts makes it much harder for malicious actors to successfully attack a company and steal or damage assets.

5.1 - Establish and Maintain an Inventory of Accounts [IG1] [IG2] [IG3]
5.2 - Use Unique Passwords [IG1] [IG2] [IG3]
5.3 - Disable Dormant Accounts [IG1] [IG2] [IG3]
5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts [IG1] [IG2] [IG3]
5.5 - Establish and Maintain an Inventory of Service Accounts [IG2] [IG3]
5.6 - Centralize Account Management [IG2] [IG3]

CIS Control 6: Access Control Management

The first step in implementing this control is inventorying your network’s wireless access points. From there, the control takes a deep dive into mitigating all types of wireless access risks. By encrypting information in transit and disabling communication between workstations, you can also start to limit potential security incidents that can occur when data privileges are overly lax.

CIS Control 7: Continuous Vulnerability Management

A major challenge in cybersecurity involves keeping up with all the common vulnerabilities and exposures (CVEs) identified in real time around the world. Effective security programs have to keep up with a plethora of new vulnerabilities every day. CIS lists continuous vulnerability assessment and remediation as a key part of risk and governance programs.

CIS Control 8: Audit Log Management

System logs provide an accurate account of all activity on your network. This means that in the event of a cybersecurity incident, proper log management practices will give you all the data you need about the who, what, where, when, and how of the event in question. Security teams must pay attention to logs and use them in conjunction with tools that are designed to analyze log information and generate actionable management guidance.

CIS Control 9: Email and Web Browser Protections

There are more security threats in email and web browsers than phishing alone. Even a single pixel in an email image can give cybercriminals the information they need in order to carry out an attack. Attackers frequently use web browsers and email clients as entry points for code exploitation and social engineering, and controls need to be implemented to protect against interactions with untrusted environments.

CIS Control 10: Malware Defenses

Increasing ransomware attacks necessitate that organizations bolster their malware defenses. Make sure your antivirus tools integrate well with the rest of your security toolchain. Implement anti-malware software and ensure that it is kept regularly updated. This control also involves disabling certain functions, such as autorun and autoplay for removable media.

CIS Control 11: Data Recovery

Organizations must have a strong plan for dealing with the recovery of lost data should preventive controls fail. Are you performing regular, automated backups? Are you protecting your backed-up data? Ensuring proper data recovery capabilities will protect you from threats like ransomware. It’s also important to practice and test restoring your data so you will be prepared in the event of actual data loss.

CIS Control 12: Network Infrastructure Management

Implementing this control will help you reduce your attack surface by way of tactics like automated port scanning and application firewalls. Network devices can be viewed as the gateways to your enterprise, whether physical or virtual. Proper administration and secure configuration of routers, switches, firewalls, and other network devices is essential to managing ingress and egress filtering rules for enterprise policy-based protection.

CIS Control 13: Network Monitoring and Defense

This control involves centralizing security event alerting, deploying host-based intrusion detection systems, using a network intrusion detection system, and more. Network monitoring and defense must be viewed as an ongoing process that is given substantial attention by security teams. Safeguards such as network segmentation and application layer filtering will help ensure that networks stay hardened against attacks.

CIS Control 14: Security Awareness and Skills Training

Security training should be a bigger priority at most organizations, due in part to the widening cybersecurity skills gap. This control also emphasizes the need for ongoing security training rather than one-time engagements. When employees understand how to practice stringent cyber hygiene, they are much harder to exploit by way of phishing and social engineering attacks.

CIS Control 15: Service Provider Management

Most organizations entrust certain processes and functions to third-party service providers who frequently have access to sensitive data. Unfortunately, service providers have become an attack vector for cybercriminals, so managing the security of your organization’s service providers is now a necessity. And this isn’t just for security’s sake; many compliance standards, HIPAA and PCI for example, require compliance to cover third-party service providers.

CIS Control 16: Application Software Security

Code developed in-house needs security assessments through processes like static and dynamic security analysis to uncover hidden vulnerabilities. The most popular target for hackers is your application base, so it’s essential to implement a comprehensive program of application security controls. This should include scanning, testing, and software development lifecycle (SDLC) controls.

CIS Control 17: Incident Response Management

This control helps you put strategies in place to plan and test for cybersecurity incidents so that you’re not left scrambling when they occur. Know who at your organization is responsible for handling incidents and what processes they’ll use to mitigate them. It’s also crucial to conduct post-incident reviews to understand what happened and how to prevent a repeat occurrence.

CIS Control 18: Penetration Testing

Regular penetration testing helps you identify vulnerabilities and attack vectors that would otherwise go unknown until discovered by malicious actors. It’s an important aspect of discovery and identifying potential critical vulnerabilities within your organizations external network, internal network, applications, or systems.

Need help implementing?

The 18 security controls can create a framework that will help you protect your organization and data from cyber attack. Scott has utilized the CIS Controls framework to create the foundational cybersecurity programs at more than 50 organizations across the globe. Message This email address is being protected from spambots. You need JavaScript enabled to view it. to learn more how Scott can help your organization implement CIS Controls today.