By Bill Minahan | January 22, 2021 | 2 Comments
The CIS Controls are a set of actions that protect your organization from the most pervasive cyber attacks. There are 20 total critical controls that prioritize the most essential actions your organization can take in order to gain the highest pay-off results.
The controls are derived from the most widespread attack patterns. Specifically, the attack patterns are identified in the most trusted threat reports and vetted across a broad community of trusted industry and government practitioners, that is, the individuals who know how attacks work. For instance, the NSA Red and Blue teams, the US Department of Energy nuclear energy labs, and law enforcement organizations all work together to answer the question: "What do we need to do to stop known attacks?"
The 20 CIS controls are the current method agreed upon by the world's leading experts for stopping today's most common attacks. So let's dive into who needs them and how to implement them.
Unlike many other standards and compliance regulations aimed at improving security, the CIS Controls are not industry-specific; they are industry-agnostic and universally applicable. Experts across a broad range of government agencies and industry leaders created the top 20 controls. As a result, they strengthen any organization's information security and IT governance.
So, if your organization stores, transmits, or uses sensitive data that needs to be protected, then the answer is: you need CIS controls.
Correct implementation of all 20 critical controls significantly reduces your security risk, lowers operational costs, and greatly improves an organization’s defensive posture.
However, the most significant difference between CIS controls and other security frameworks is that CIS controls acknowledge that organizations are limited in resources.
Not every organization can implement each and every control that it would like, and may very well need. As a result, the 20 controls are prioritized based on risk. That way, your organization can put out the largest flames first.
The CIS controls are divided into basic, foundational, and organizational families. Each control is further subdivided into sub-controls to make it easier to implement and assess.
The controls cover not only data, software and hardware, but also people and processes.
The first six controls make up the "basic" family and take priority.
The following is a complete list of the top 20 critical controls:
Before your organization begins to implement CIS controls, it is important to find out where you stand and which security controls you already have in place.
Furthermore, it is important to benchmark your current security posture so that you, your team, and those who you report to can track your progress.
The NIST Cybersecurity Framework is a popular and robust tool that draws on the CIS controls for several of its best practices.
As a result, a NIST cybersecurity assessment is a great place to start before you begin diving deeper into the controls.
If you have already taken a security assessment and are looking for assistance working through CIS controls, then please contact us.
aNetworks will walk through the controls with you and assist you with implementing the solutions needed to strengthen your security. We can help you better understand CIS controls as a framework and take some of the heavy lifting off your shoulders.
If you are looking for more resources, then please check out our resource center.