
Infographic: The CIS Top 20 Controls Explained


The Center for Internet Security (CIS) is a nonprofit organization that develops best practices for securing IT systems and data. Its frameworks are used by individuals, organizations and governments alike, and exist to provide safe, reliable standards of protection for IT systems and data against cyber threats. The CIS Controls, formerly known as the CIS Top 20, make a strong foundation for a newly maturing cybersecurity program. Below we explore the 20 CIS Critical Security Controls and their requirements. Note that the list below follows version 7 of the Controls; version 8, released in 2021, consolidated them into 18 Controls and dropped the "Top 20" name, but the underlying safeguards map closely.

The CIS Critical Security Controls

What are the CIS Critical Security Controls?

Inventory and Control of Hardware Assets

Actively identify and track every device on your organization's network so that only authorized devices are given access, and maintain an up-to-date inventory of all assets that store or process information.

Inventory and Control of Software Assets

Use software inventory tools to automate the documentation of all software installed on assets, and use that inventory to drive application allowlisting so that unauthorized software is blocked from executing.

Continuous Vulnerability Management

Run an up-to-date, SCAP-compliant vulnerability scanning tool against all systems on the network on a regular basis to identify vulnerabilities, remediate the findings through patching, and keep the scanner's vulnerability definitions current.

Controlled Use of Administrative Privileges

Configure systems to issue a log entry and alert when an account is added to or removed from an administrative group, or when an administrative account is created, deleted or modified, and restrict administrative privileges to dedicated accounts that are used only when the elevated access is needed.
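
As an added example (not code from the original page), the following detection logic turns the "log entry and alert on account changes" requirement into something a log pipeline can run. It parses constructed Linux auth-log lines in the format the shadow-utils tools (useradd, usermod, userdel, passwd) write to /var/log/auth.log or /var/log/secure, and raises a high-severity alert when a user is added to an administrative group or a new UID 0 account appears. The set of administrative group names is an assumption to adapt to your environment.

```python
"""Alert on account-lifecycle and privilege changes in Linux auth logs.

Added example for the 'Controlled Use of Administrative Privileges' control;
not code from the original page. The log lines below are constructed in the
syslog format that the shadow-utils tools (useradd, usermod, userdel, passwd)
write to /var/log/auth.log or /var/log/secure. ADMIN_GROUPS is an assumption
to adapt to your environment.
"""
import re

# Assumption: membership in these groups confers administrative rights.
ADMIN_GROUPS = {"sudo", "wheel", "root", "admin"}

# Leading "Mon DD HH:MM:SS host" of a classic syslog line.
HEADER_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ")

# One pattern per shadow-utils message we want to turn into an alert.
PATTERNS = {
    "user_added": re.compile(
        r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)"),
    "user_deleted": re.compile(
        r"userdel\[\d+\]: delete user '(?P<user>[^']+)'"),
    "group_added": re.compile(
        r"usermod\[\d+\]: add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'"),
    "password_changed": re.compile(
        r"passwd\[\d+\]: pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)"),
}


def detect_account_changes(lines):
    """Return one alert dict per account change, highest-risk ones marked 'high'."""
    alerts = []
    seen_group_adds = set()
    for line in lines:
        head = HEADER_RE.match(line)
        ts, host = (head.group("ts"), head.group("host")) if head else ("?", "?")
        for event, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            fields = m.groupdict()
            if event == "group_added":
                # usermod logs the group and its shadow-group entry separately;
                # report the membership change once.
                key = (host, fields["user"], fields["group"])
                if key in seen_group_adds:
                    break
                seen_group_adds.add(key)
                severity = "high" if fields["group"] in ADMIN_GROUPS else "info"
            elif event == "user_added":
                # A new UID 0 account is a root-equivalent backdoor, not a normal user.
                severity = "high" if fields["uid"] == "0" else "medium"
            else:
                severity = "medium"
            alerts.append({"ts": ts, "host": host, "event": event,
                           "severity": severity, **fields})
            break
    return alerts


# Constructed sample log: a normal onboarding, an unrelated sshd line, and a UID 0 account.
SAMPLE_LOG = """\
Mar  3 10:15:02 web01 useradd[2312]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash
Mar  3 10:15:40 web01 usermod[2318]: add 'deploy' to group 'sudo'
Mar  3 10:15:40 web01 usermod[2318]: add 'deploy' to shadow group 'sudo'
Mar  3 10:16:05 web01 passwd[2320]: pam_unix(passwd:chauthtok): password changed for deploy
Mar  3 10:17:22 web01 userdel[2330]: delete user 'svc_old'
Mar  3 10:18:00 web01 sshd[2400]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:19:11 web01 useradd[2412]: new user: name=backup, UID=0, GID=0, home=/root, shell=/bin/bash
""".splitlines()

if __name__ == "__main__":
    for alert in detect_account_changes(SAMPLE_LOG):
        print(f"[{alert['severity']:>6}] {alert['ts']} {alert['host']} {alert['event']} {alert['user']}")
```

On the constructed sample the script produces five alerts: the onboarding of `deploy` (user added, added to `sudo`, password set), the deletion of `svc_old`, and a high-severity alert for the new UID 0 `backup` account. The same approach applies to Windows Security events 4720, 4728 and 4732 once they are forwarded to the central log system required by the audit-log control below.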

Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Maintain documented security configuration standards (hardened baselines) for all authorized operating systems and software, and build and deploy systems from those baselines.

Maintenance, Monitoring and Analysis of Audit Logs

Ensure that local logging has been enabled and that appropriate logs are being aggregated to a central log management system for analysis and review.

Email and Web Browser Protections

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, and that they run the latest version released by the vendor.

Malware Defenses

Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

Limitation and Control of Network Ports, Protocols and Services

Ensure that only network ports, protocols and services with a validated business need are listening on each system, and perform automated port scans on a regular basis to detect and alert on listeners that are not on the approved baseline.
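
The following is an added example (not code from the original page) of the baseline check this control calls for. It parses constructed `ss -tulnp` output from a Linux host and compares every listening socket against an approved (protocol, port) to process mapping, reporting listeners that are not in the baseline and approved ports that are served by an unexpected binary. The baseline and the `ss` output are constructed; in practice the output comes from a scheduled run on each host or from an authenticated scan, and the baseline is kept per server role under version control.

```python
"""Compare a host's listening sockets against an approved service baseline.

Added example for the 'Limitation and Control of Network Ports, Protocols and
Services' control; not code from the original page. The `ss -tulnp` output and
the baseline below are constructed; in practice the output comes from a
scheduled run on each host (or from an authenticated scan) and the baseline is
kept per server role under version control.
"""
import re
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


# ss prints the owning process as users:(("name",pid=123,fd=4)) when run as root.
PROCESS_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')


def parse_ss(ss_output):
    """Parse `ss -tulnp` text into Listener records, skipping the header line."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue
        addr, port = parts[4].rsplit(":", 1)          # handles 0.0.0.0:22 and [::]:22
        m = PROCESS_RE.search(line)
        process = m.group("name") if m else "unknown"  # no -p data when not run as root
        listeners.append(Listener(parts[0], addr, int(port), process))
    return listeners


def audit_listeners(ss_output, baseline):
    """Return findings for listeners that are not approved or are served by the wrong process."""
    findings = []
    for lst in parse_ss(ss_output):
        approved = baseline.get((lst.proto, lst.port))
        if approved is None:
            reason = "unapproved_port"
        elif approved != lst.process:
            reason = "process_mismatch"   # approved port, unexpected binary behind it
        else:
            continue
        loopback = lst.addr.startswith("127.") or lst.addr == "[::1]"
        # A loopback-only listener is still unapproved, but not reachable from the network.
        severity = "low" if loopback and reason == "unapproved_port" else "high"
        findings.append({"proto": lst.proto, "addr": lst.addr, "port": lst.port,
                         "process": lst.process, "reason": reason, "severity": severity})
    return findings


# Constructed baseline for a web server role: (proto, port) -> expected process.
BASELINE = {("tcp", 22): "sshd", ("tcp", 443): "nginx",
            ("tcp", 8080): "java", ("udp", 68): "dhclient"}

# Constructed `ss -tulnp` output from the same host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1200,fd=6))
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*     users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      50           0.0.0.0:4444       0.0.0.0:*     users:(("nc",pid=3011,fd=3))
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*     users:(("python3",pid=3100,fd=4))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=600,fd=6))
tcp   LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS, BASELINE):
        print(f"[{f['severity']:>4}] {f['proto']}/{f['port']} {f['addr']} {f['process']}: {f['reason']}")
```

On the constructed host this reports three findings: a PostgreSQL listener bound to loopback only (unapproved, low severity), an `nc` listener on tcp/4444 exposed on all interfaces (unapproved, high severity), and tcp/8080 served by `python3` where the baseline expects `java` (process mismatch, high severity). Checking the process name and not just the port is what catches a replaced or impostor service. An external port scan of the same host should agree with the approved baseline; a port visible from outside that is not in it indicates either drift on the host or a firewall rule that should not exist.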

Data Recovery Capabilities

Ensure that all system data and key systems are automatically backed up on a regular basis, and that backups are protected and periodically tested by restoring from them.

Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Compare all network device configuration against approved security configurations, and manage all network devices using multi-factor authentication and encrypted sessions.

Boundary Defense

Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges.
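
As an added example (not code from the original page), the following shows the two decisions this control describes applied to constructed flow records: deny anything that touches a known malicious address or unused (bogon) Internet space, and otherwise allow outbound traffic only to trusted destination ranges and inbound traffic only to published services. The blocklist, trusted ranges, exposed ports and flows are all constructed, and the RFC 5737 documentation ranges stand in for real Internet addresses. A production deployment would load the blocklist from a threat-intelligence feed and the bogon list from an authoritative source rather than hard-coding them.

```python
"""Perimeter flow filtering: deny known-bad and unused (bogon) Internet space,
allow only trusted destinations outbound and published services inbound.

Added example for the 'Boundary Defense' control; not code from the original
page. The flow records, blocklist and trusted ranges are constructed, and the
RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24)
stand in for real Internet addresses.
"""
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    direction: str   # "in" (Internet -> perimeter) or "out" (inside -> Internet)
    src: str
    dst: str
    dport: int


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed threat-feed entries (known malicious addresses).
BLOCKLIST = nets("192.0.2.0/24", "198.51.100.77/32")
# Constructed trusted external destinations (e.g. SaaS, partner, update servers).
TRUSTED_EGRESS = nets("203.0.113.0/24")
# Address space that must never appear on the Internet side of the perimeter
# (RFC 1918, loopback, link-local, shared address space, multicast, reserved).
BOGONS = nets("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
              "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
              "224.0.0.0/4", "240.0.0.0/4")
# Services the perimeter is allowed to expose to the Internet (constructed).
EXPOSED_PORTS = {443}


def in_any(ip, networks):
    return any(ip in n for n in networks)


def classify(flow):
    """Return (decision, reason) for one flow, evaluating denies first."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    external = dst if flow.direction == "out" else src
    if in_any(external, BLOCKLIST):
        return "deny", "known malicious address"
    if in_any(external, BOGONS):
        # Inbound: a spoofed or unroutable source. Outbound: traffic to unused space.
        return "deny", "bogon address on Internet side"
    if flow.direction == "out":
        if in_any(dst, TRUSTED_EGRESS):
            return "allow", "trusted destination"
        return "deny", "destination not in trusted ranges"
    if flow.dport in EXPOSED_PORTS:
        return "allow", "published service"
    return "deny", "port not exposed"


def evaluate(flows):
    """Classify every flow; returns (flow, decision, reason) triples."""
    return [(f,) + classify(f) for f in flows]


# Constructed flows. 10.1.2.3 is an internal host; 198.51.100.200 is the perimeter's public address.
SAMPLE_FLOWS = [
    Flow("out", "10.1.2.3", "203.0.113.10", 443),        # allow: trusted SaaS range
    Flow("out", "10.1.2.3", "192.0.2.55", 8443),         # deny: destination on blocklist
    Flow("out", "10.1.2.3", "198.51.100.20", 443),       # deny: not a trusted destination
    Flow("in", "198.51.100.77", "198.51.100.200", 443),  # deny: source on blocklist
    Flow("in", "10.9.9.9", "198.51.100.200", 443),       # deny: private source from the Internet (spoofed)
    Flow("in", "203.0.113.8", "198.51.100.200", 22),     # deny: SSH is not a published service
    Flow("in", "203.0.113.8", "198.51.100.200", 443),    # allow: published HTTPS service
]

if __name__ == "__main__":
    for flow, decision, reason in evaluate(SAMPLE_FLOWS):
        print(f"{decision:5} {flow.direction:3} {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

The ordering matters: the blocklist and bogon checks run before any allow rule so that a trusted range can never override a known-bad entry, and the default for anything unmatched is deny. The same logic expressed as firewall rules is the usual implementation; keeping it in code as well lets you test the rule set against recorded flows before deploying a change.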

Data Protection

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

Controlled Access based on the Need to Know

Segment the network based on the label or classification level of the information stored.

Wireless Access Control

Leverage the Advanced Encryption Standard (AES, as used by WPA2) to encrypt wireless data in transit, and create a separate wireless network for personal or untrusted devices.

Account Monitoring and Control

Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider.

Implement a Security Awareness and Training Program

Perform a skills gap analysis and train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.

Application Software Security

Establish secure coding practices appropriate to the programming language and development environment being used.

Incident Response & Management

Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

Penetration Tests and Red Team Exercises

Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.


Becoming compliant with CIS doesn't need to be as daunting as it seems with the help of an integrated risk management solution. CyberStrong can streamline and automate your compliance efforts not only for these 20 Critical Security Controls but also for other gold-standard frameworks such as the NIST CSF, DFARS and ISO. If you have any additional questions about CIS, integrated risk management, or how CyberStrong can help bolster your cybersecurity and compliance objectives, give us a call at 1 800 NIST CSF or click here to schedule a conversation.
