What are the CIS Controls? | 20 CIS Controls


By Bill Minahan   |   January 22, 2021   |   2 Comments


What are the CIS Controls?

The CIS Controls are a set of actions that protect your organization from the most pervasive cyber attacks. There are 20 total critical controls that prioritize the most essential actions your organization can take in order to gain the highest pay-off results.

The controls are derived from the most widespread attack patterns. Specifically, the attack patterns are identified in the most trusted threat reports and vetted across a broad community of trusted industry and government practitioners, that is, the individuals who know how attacks work. For instance, the NSA Red and Blue teams, the US Department of Energy nuclear energy labs, and law enforcement organizations all work together to answer the question: “What do we need to do to stop known attacks?”

The 20 CIS controls are the method currently agreed upon by the world’s leading experts for stopping today’s most common attacks. So let’s dive into who needs them as well as how to implement them.

Who needs CIS controls?

Unlike many other standards and compliance regulations aimed at improving security, the CIS Controls are not industry-specific but universally applicable and industry-agnostic.  Experts across a broad range of government agencies and industry leaders created the top 20 controls. As a result, they successfully strengthen any organization’s information security and IT governance.

So, if your organization stores, transmits, or uses sensitive data that needs to be protected, then the answer is: You need CIS controls.

Correct implementation of all 20 critical controls significantly reduces your security risk, lowers operational costs, and greatly improves an organization’s defensive posture.

However, the most significant difference between CIS controls and other security frameworks is that CIS controls acknowledge that organizations are limited in resources.

Not every organization can implement each and every control that it would like and may very well need. As a result, the 20 controls are prioritized based on risk. That way, your organization can put out the largest flames first.

CIS Controls List

The CIS controls are divided into basic, foundational, and organizational families. Each control can be further subdivided into sections to make them easier to implement and analyze.

The controls cover not only data, software and hardware, but also people and processes.

The first six controls prioritize the “basic” security controls.

The following is a complete list of the top 20 critical controls:

CIS controls list: Basic controls

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration of Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

CIS controls list: Foundational controls

  7. Email and Web Browser Protections
  8. Malware Defenses
  9. Limitation and Control of Network Ports, Protocols, and Services
  10. Data Recovery Capabilities
  11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  12. Boundary Defense
  13. Data Protection
  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control

CIS controls list: Organizational controls

  17. Implement a Security Awareness and Training Program
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises

How to implement CIS Controls

Before your organization begins to implement CIS controls, it is important to find out where you stand and which security controls you already have in place.

Furthermore, it is important to benchmark your current security posture so that you, your team, and those who you report to can track your progress.

The NIST cyber security framework is a popular and robust tool that draws on the controls for several of its best practices.

As a result, a NIST cyber security assessment is a great place to start before you begin diving deeper into the controls.

aNetworks offers a free automated NIST security assessment tool for those looking to benchmark their current posture. You can use it here.

If you have already taken a security assessment and are looking for assistance working through CIS controls, then please contact us.

aNetworks will walk through the controls with you and assist you with implementing the solutions needed to strengthen your security. We can help you better understand CIS controls as a framework and take some of the heavy lifting off your shoulders.


If you are looking for more resources, then please check out our resource center.




April 12, 2021 | 8:02 pm

fantastic, thank you for your efforts.

frolep rotrem

April 10, 2021 | 8:16 pm

This site is really a walk-by way of for all the data you needed about CIS Controls and didn’t know who to ask.