CIS Critical Security Controls: What Are They and How Can You Meet These Standards?

Kaitlyn Graham | November 9, 2021 | tag: Security Performance Management

As cyber threats evolve and business models change, maintaining a mature cybersecurity program can be challenging. You need to be confident that your organization’s current security tools and techniques are effective. All it takes is a software misconfiguration or a delay in patching a system for vulnerabilities to creep into your IT environment.

Fortunately, the Center for Internet Security (CIS) provides a set of standards that your organization can use to gauge the effectiveness of its cybersecurity program. These 18 standards – known as CIS Critical Security Controls – evolve each year to match the changing tide of threat actors.

What are CIS Critical Security Controls?


The 18 controls prescribed by CIS are prioritized into three implementation groups (IGs). Each IG identifies a set of safeguards (previously referred to as CIS sub-controls) that your enterprise should implement based on its risk profile and available resources.

For instance, IG1 outlines basic cyber hygiene measures that guard against the most common attacks and should be implemented by every organization, regardless of size. These include maintaining an inventory of all digital assets so that security teams know the totality of what needs to be monitored and protected. These assets include end user devices, network devices, IoT devices, servers, cloud environments, and remote machines. IG1 also encompasses best practices for data protection, secure configuration, account management, access control management, continuous vulnerability management, and more.

IG2 layers in additional cyber defense safeguards that limit unauthorized software use, enforce remote wipe capability for portable end user devices, document data flows, ensure secure network authentication, and so on. It’s an important standard for those responsible for managing an IT infrastructure that spans multiple departments with differing risk profiles.

Finally, IG3 aims to prevent or lessen the impact of sophisticated attacks and protect sensitive and confidential data. Recommendations include best practices such as data loss prevention, role-based access control, and maintaining separate enterprise workspaces, such as on mobile devices.

How to meet CIS Critical Security Controls recommendations


Clear and straightforward as the CIS Controls are, as a security leader you still need a way to assess and monitor your organization’s progress in implementing them. Because the controls are designed to ensure common threats are considered and covered, any gap in their adoption can put your enterprise at risk.

BitSight can help. Using Control Insights, now available as a feature of BitSight for Security Performance Management (SPM), you can quickly evaluate the current state of your security controls and measure your team’s progress over time, as they implement CIS Critical Security Controls. If improvement is needed, BitSight provides specific recommendations for remediating any gaps and implementing the proper safeguards.

Control Insights is designed with ease-of-use in mind. A dashboard format provides at-a-glance views of the effectiveness of each security control – for example, “Needs Improvement” or “Acceptable.” You can also drill down into problem areas for further insight, such as the root causes of issues, specifics on “the why” of a control’s state, and a prescribed course of action.

For instance, identifying software misconfigurations isn’t easy. These vulnerabilities often go undiscovered until an event arises, like a cyber breach or a performance issue. With Control Insights and SPM you can automatically and continuously monitor for insecure configurations and get tips on how to bring your security program back into alignment with CIS controls; in this case, CIS Control 4.
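To make the secure-configuration check behind CIS Control 4 concrete, here is an added Python example (not BitSight’s, Control Insights’ or CIS’s own code). It parses a constructed sshd_config, compares the effective settings against a small hypothetical baseline, and summarises the result in the same two states the dashboard uses, “Acceptable” or “Needs Improvement”. The baseline values and the sample configuration are illustrative assumptions for this example, not the CIS Benchmark for OpenSSH.

```python
"""Added example, not BitSight's or CIS's code: evaluate a host configuration
against a small secure-configuration baseline (the kind of check CIS Control 4
calls for) and summarise the outcome as a control state.

The baseline below is a hypothetical, illustrative set of sshd settings chosen
for this example; it is not the CIS Benchmark for OpenSSH."""

# Constructed sample sshd_config, not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""

# Hypothetical baseline: keyword -> predicate on the (lowercased) configured value.
BASELINE = {
    "PermitRootLogin": lambda v: v in {"no", "prohibit-password"},
    "PasswordAuthentication": lambda v: v == "no",
    "X11Forwarding": lambda v: v == "no",
    "MaxAuthTries": lambda v: v.isdigit() and int(v) <= 4,
}


def parse_sshd_config(text):
    """Return {keyword (lowercased): value (lowercased)} for the effective settings.

    sshd keywords are case-insensitive and, when a keyword is repeated, the
    first occurrence wins; both behaviours are mirrored here so the check sees
    the value the daemon would actually use rather than the last line written."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:                    # malformed line: ignore it
            continue
        key, value = parts
        settings.setdefault(key.lower(), value.strip().lower())
    return settings


def evaluate(settings, baseline):
    """Return one finding per baseline item the configuration fails."""
    findings = []
    for keyword, is_acceptable in baseline.items():
        actual = settings.get(keyword.lower())
        # An unset keyword falls back to the daemon's compiled-in default, which
        # this baseline cannot vouch for, so it is reported rather than assumed safe.
        if actual is None or not is_acceptable(actual):
            findings.append({"setting": keyword, "actual": actual})
    return findings


def report(config_text, baseline=BASELINE):
    """Summarise a configuration in the two states used on the dashboard."""
    findings = evaluate(parse_sshd_config(config_text), baseline)
    state = "Acceptable" if not findings else "Needs Improvement"
    return {"state": state, "findings": findings}


if __name__ == "__main__":
    result = report(SAMPLE_SSHD_CONFIG)
    print(result["state"])
    for finding in result["findings"]:
        print(f"  {finding['setting']}: {finding['actual']!r} does not meet the baseline")
```

Running the block on the sample reports “Needs Improvement” with three findings (root login, password authentication and the authentication-attempt limit); a missing keyword is reported too, because a check that silently trusts a default is exactly the kind of gap the text warns goes unnoticed until an incident.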

And you can do this without the manual effort normally associated with assessing your organization’s security posture against CIS Critical Security Controls best practices.

Learn more about how you can proactively identify and remediate cyber risk and ensure your security controls meet CIS standards.
