For organizations of all sizes in every industry, cyber crime is a serious and evolving threat. As reported by Forbes, 2020 was a record-breaking year for data breaches and cyber attacks. With the pandemic presenting new opportunities for attackers, 78% of IT teams say they lack confidence in their cybersecurity posture according to a recent IDG survey.
As cybersecurity budgets rise in an attempt to mitigate the risk, IT teams are grappling with the question of how best to use these resources. Industry-recognized cybersecurity frameworks, such as NIST and CIS CSC, provide an excellent starting point—but with so many options available, which one should be prioritized?
Why cybersecurity should start with CIS CSC
When selecting a cybersecurity framework, an organization’s size, industry, and risk level should all be taken into account. However, the Center for Internet Security Critical Security Controls for Effective Cyber Defense (CIS CSC)—also known as the CIS Top 20 Security Controls—is a universally advantageous place to start.
Although the National Institute of Security and Technology’s Cybersecurity Framework (NIST CSF) is more comprehensive than CIS CSC, it is also far more complex, making it out of reach for most organizations without a compliance and security team. CIS CSC, on the other hand, consists of 20 straightforward, actionable controls that are applicable to organizations of any size and industry.
CIS CSC is regularly updated by government and private industry security experts around the world, making it a well recognized and comprehensive cybersecurity roadmap. It focuses on real-world risks and the technical controls that mitigate those risks. The controls are prioritized based on the current threat landscape, making them an ideal starting point for organizations that need to improve their cybersecurity posture with limited resources.
CIS Controls explained
The CIS standards are divided into three levels: Basic (1-6), Foundational (7-16), and Organizational (17-20). Here is a CIS Controls summary:
| Basic | Foundational | Organizational |
|---|---|---|
| 1. Inventory and control of hardware assets | 7. Email and web browser protections | 17. Implementation of a security awareness and training program |
| 2. Inventory and control of software assets | 8. Malware defenses | 18. Application software security |
| 3. Continuous vulnerability management | 9. Limitation and control of network ports, protocols, and services | 19. Incident response and management |
| 4. Controlled use of administrative privileges | 10. Data recovery capabilities | 20. Penetration testing and red team exercises |
| 5. Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers | 11. Secure configuration for network devices, such as firewalls, routers, and switches | |
| 6. Maintenance, monitoring, and analysis of audit logs | 12. Boundary defense | |
| 13. Data protection | ||
| 14. Controlled access based on the need to know | ||
| 15. Wireless access control | ||
| 16. Account monitoring and control |
The CIS security benefits will be felt by any organization that fulfills the controls. Let’s look at the three categories. The Basic Controls for CIS compliance focus on having the necessary assets, keeping those assets secure, and controlling administrative access to systems. Since the steps are prioritized in order, organizations should start by meeting these six essential controls.
You can then move onto the 10 Foundational CIS Controls, which provide technical best practices that are applicable to any business. Finally, the Organizational Controls cover people, processes, detection, and response—all important components of robust cybersecurity.
For organizations bound by industry regulations such as HIPAA, CMMC, or PCI DSS, the CIS security controls lay the foundation for meeting these standards. This makes meeting the CIS guidelines a worthwhile endeavor for any organization.
How to implement CIS CSC
To begin implementing the CIS framework, you should first identify your gaps and risks. You can perform a simple gap analysis on the CIS website: CIS CSAT. This powerful, free self-assessment tool enables IT teams to track and prioritize their implementation of the CIS Critical Security Controls for Effective Cyber Defense. It covers the documentation, implementation, automation, and reporting of controls, and can be carried out collaboratively between different team members.
Implementation and alignment with CIS is unique for each organization. Thankfully it shares many commonalities with the NIST CSF and many other gold standard cybersecurity frameworks. If you have any questions about CIS, CIS Controls or the NIST CSF, give us a call.