CIS Controls

V 7.1

Today's organizations are faced with unending challenges defending their data and resources from attack. It can overwhelm the most experienced IT professional struggling to protect the network perimeter and mobile users spread across the globe. This is where a best practices approach can provide the framework to ensure a comprehensive strategy that defends all parts of the organization - inside and out.

Enter the Center for Internet Security's Top 20 Controls™.

The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. They are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices.

Whether you are at the start of developing your security strategy or well down the road with an established set of security tools, the CIS Controls can be a guide along the way.

Use this guide to...

Better understand why the CIS Controls work,
Where your organization my fall in the implementation groups,
Deep dive into each control to learn more,
All while learning from security experts along the way.

Why the CIS Controls Work

Offense informs defense

Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.

Prioritization

Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment. The CIS Implementation Groups discussed below are a great place for organizations to start identifying relevant Sub-Controls.

Measurements and Metrics

Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.

Continuous diagnostics and mitigation:

Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps.

Automation:

Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.

Why they help:

Katie McCullough breaks down how the CIS controls work.

Listen Now

Why they help:

Katie McCullough breaks down how the CIS controls work.

CLICK FOR TRANSCRIPT

Audio Transcript

I know for us, the CIS Controls help in a couple ways:

One, it's a level set for our customers so that they understand the framework we're using and that it's something that's broken down into fairly simple components. They do get more and more mature as you get into them, but the reality is you can have a pretty fundamentally easy conversation about what they are.
And then we also use this to actually talk to our board about the security we put in place.

So again, you don't necessarily have to have a deep-dive knowledge of security to understand fundamentally how these work. But for those of us in security, it gives us a framework to talk about to other folks. And it really helps drive a maturity for ourselves, for our own organization, and it's ever evolving. So, the Critical Security Controls are global industry best practice. It's a volunteer firm that works together with anybody that's willing to participate.

And they have a huge volunteer organization that comes together on a regular basis to understand what is the attack landscape looking like, and how do these controls need to change? So, it’s not us individual security folks having to research this and come up with our own plan. We’ve got thousands of people helping put this format together. And again, these are general guidelines, and they’re pretty consistent and valid to work from.

Implementation Group 1

An organization with limited resources and cybersecurity expertise available to implement Sub-Controls

Expand

Implementation Group 1

An IG1 organization is small to medium-sized with limited IT and cybersecurity expertise to dedicate toward protecting IT assets and personnel. The principal concern of these organizations is to keep the business operational as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information. However, there may be some small to medium-sized organizations that are responsible for protecting sensitive data and, therefore, will fall into a higher Group. Sub-Controls selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Sub-Controls will also typically be designed to work in conjunction with small or home office commercial-off-the-Shelf (COTS) hardware and software.

Collapse

Why they help:

Katie McCullough breaks down Implementation Group 1.

Listen Now

Why they help:

Katie McCullough breaks down Implementation Group 1.

CLICK FOR TRANSCRIPT

Audio Transcript

Look at this implementation group one. So, it’s typically targeted where there’s not a lot of regulated data that you have in your environment. But no matter what, it’s a starting place. So, they break down the controls even further on what you should be focused on as a small business. And then either from a maturity standpoint, or as you go into larger organizations, you get into more of that implementation group two, which certainly has many more controls to consider, starts to deal with sensitive data, potentially even legislative data that you might need to be concerned about. And in this day and age, with all the various legislation being passed, more and more companies are falling into this group to be able to ensure there’s proper security and privacy around their data.

Implementation Group 2

An organization with moderate resources and cybersecurity expertise to implement Sub-Controls

Expand

Implementation Group 2

An IG2 organization employs individuals responsible for managing and protecting IT infrastructure. These organizations support multiple departments with differing risk profiles based on job function and mission. Small organizational units may have regulatory compliance burdens. IG2 organizations often store and process sensitive client or company information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs. Sub-Controls selected for IG2 help security teams cope with increased operational complexity. Some Sub-Controls will depend on enterprise-grade technology and specialized expertise to properly install and configure.

Collapse

Implementation Group 3

A mature organization with significant resources and cybersecurity experience to allocate to Sub-Controls

Expand

Implementation Group 3

An IG3 organization employs security experts that specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security). IG3 systems and data contain sensitive information or functions that are subject to regulatory and compliance oversight. A IG3 organization must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare. Sub-Controls selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.

Collapse

CIS Control Groups

Basic

Controls 1 - 6

Key controls which should be implemented in every organization for essential cyber defense readiness.

Explore

Foundational

Organizational

Basic

Foundational

Controls 7 - 16

The next step up from basic – these technical best practices provide clear security benefits and are a smart move for any organization to implement.

Explore

Organizational

Basic

Foundational

Organizational

Controls 17 - 20

These controls are different in character from 1-16; while they have many technical elements, CIS Controls 17-20 are more focused on people and processes involved in cybersecurity.

Explore