What are the CIS Controls?

cybersecuritycis controlsdefensesans
Written By Christian Grupp

The CIS Controls are a set of best practices for cybersecurity developed by the Center for Internet Security (CIS). They provide a prioritized approach to securing an organization's IT systems and data, and are designed to be simple, practical, and effective. In this blog post, we will discuss the CIS Controls, written for a non-technical user to understand.

 

The CIS Controls are divided into three categories: Basic, Foundational, and Organizational. The Basic Controls are the most essential controls that should be implemented by all organizations. They include the following:

  •  Inventory of Authorized and Unauthorized Devices

  • Inventory of Authorized and Unauthorized Software

  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

  • Continuous Vulnerability Management

  • Controlled Use of Administrative Privileges

  • Maintenance, Monitoring, and Analysis of Audit Logs

The Foundational Controls build on the Basic Controls and provide additional security measures for organizations. They include the following:

  •  Email and Web Browser Protections

  • Malware Defenses

  • Limitation and Control of Network Ports, Protocols, and Services

  • Data Recovery Capabilities

  • Security Skills Assessment and Appropriate Training to Fill Gaps

The Organizational Controls are specific to each organization and should be tailored to the organization's specific needs. They include the following:

  •  Incident Response and Management

  • Penetration Tests and Red Team Exercises

  • Controlled Access Based on the Need to Know

  • Account Monitoring and Control

  • Security Continuous Monitoring

It's important to note that the CIS controls are not a one-time implementation but rather a continuous process, regularly reviewing and updating the controls according to the organization's changing needs and new threats.

 

One of the key benefits of the CIS controls is that they provide a prioritized approach to securing an organization's IT systems and data. By focusing on the most essential controls first, organizations can quickly and effectively improve their security posture. Additionally, the controls are designed to be simple, practical, and effective, making them easy to implement and maintain.

 

Another benefit of the CIS controls is that they are widely recognized and accepted in the cybersecurity community. Many organizations and regulatory bodies reference the CIS controls in their own security guidelines and regulations, making it easy for organizations to demonstrate compliance with industry standards.

 

In conclusion, the CIS controls are a set of best practices for cybersecurity developed by the Center for Internet Security (CIS). They provide a prioritized approach to securing an organization's IT systems and data, and are designed to be simple, practical, and effective. The CIS controls are divided into three categories: Basic, Foundational, and Organizational, each providing a different level of security measures. Organizations should start by implementing the Basic Controls, which are the most essential controls that should be implemented by all organizations. The Foundational and Organizational controls build on the Basic controls and provide additional security measures that should be tailored to the organization's specific needs.

 

It's important to note that the CIS controls are not a one-time implementation but rather a continuous process, regularly reviewing and updating the controls according to the organization's changing needs and new threats. The CIS controls also provide a great way for organizations to demonstrate compliance with industry standards. Implementing the CIS controls can be a great way for organizations to improve their overall security posture and protect against cyber threats.

Christian Grupp
Previous

Should I use the CIS Controls?
Next

What are the top ways to improve my security?