How these controls apply to your organization
The Center for Internet Security (CIS) publishes the CIS Critical Security Controls (CSC) to help organizations better defend against known attacks by distilling key security concepts into actionable controls to achieve greater overall cybersecurity defense.
As security challenges evolve, so do the best practices to meet them. The CIS is well-regarded in the security industry for making both current and concrete recommendations to help enterprises improve their security posture via their Critical Security Controls for Effective Cyber Defense, formerly known as the SANS Top 20 Critical Security Controls.
Whereas many standards and compliance regulations aimed at improving overall security can be narrow in focus by being industry-specific, the CIS CSC—currently on its seventh iteration at version 7—was created by experts across numerous government agencies and industry leaders to be industry-agnostic and universally applicable.
The CIS benchmarks also acknowledge the reality most organizations face in that resources are usually limited and priorities must be set. As such, CIS separates the controls into three categories: basic, foundational, and organizational, regardless of industry type. That prioritization of standards is what differentiates the CIS CSC recommendations from other security controls and lists, which may mention prioritization as a necessity but don't go as far as making concrete recommendations.
There are 20 CIS controls in all, with the first six in the list prioritized as “basic” controls which should be implemented by all organizations for cyber defense readiness. In iteration 7, these top six CIS controls are:
1) Inventory and Control of Hardware Assets
2) Inventory and Control of Software Assets
3) Continuous Vulnerability Management
4) Controlled Use of Administrative Privileges
5) Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6) Maintenance, Monitoring and Analysis of Audit Logs
Each control is wide in scope but aligns with solid principles: making sure the right users have access to the right assets, and that all systems are kept up-to-date and as hardened as possible. Following CIS guidance for these top six controls will yield great benefits, even if these are the only controls your organization can implement.
The scope of all of the Top 20 CIS Critical Security Controls is comprehensive in its view of what's required for robust cybersecurity defense: Security is never just a technological problem, and the CIS recommendations encompass not only data, software and hardware, but also people and processes. For example, Incident Response teams and Red teams, both key components of any robust proactive defense plan, are part of CIS controls 19 and 20 respectively.
The CIS Critical Security Controls also have cross-compatibility and/or directly map to a number of other compliance and security standards, many of which are industry specific—including NIST 800-53, PCI DSS, FISMA, and HIPAA—meaning organizations that must follow these regulations can use the CIS controls as an aid to compliance. In addition, the NIST Cybersecurity Framework, another robust tool commonly employed to better streamline and strengthen an organization's security posture, draws from the CIS CSC as their baseline for a number of their recommended best practices.
For organizations looking to improve their security posture and harden their defenses against the attack vectors they're most likely to encounter, the CIS Critical Security Controls are a great starting point to reduce your risk of exposure and mitigate the severity of most of the attack types.