Discover, design, validate, promote, and sustain best-practice cyber protection solutions to safeguard your people and processes. As the attack surface expands, the Center for Internet Security (CIS) maintains a prioritized list of Critical Security Controls (CSC) that organizations can use to find and close gaps in their cyber defense strategy and security frameworks.
What Is the CIS Top 20?
The CIS Top 20 Critical Security Controls are a prioritized list of best practices aimed at the most pervasive and dangerous threats seen in practice. The framework was built by a community of experienced security practitioners and is revised and re-validated periodically as attack techniques change.
The CIS Critical Security Controls (CIS Controls) are a prioritized set of safeguards designed to protect systems and networks from the most common attacks and data breaches. Many legal, regulatory, and policy frameworks map to or reference these controls as a baseline for effective defense.
Who Uses CIS Controls?
Organizations of all kinds and sizes use the CIS Controls. As of May 1, 2017, the control set had been downloaded more than 70,000 times. The states of Arizona, Colorado, and Idaho and the cities of Oklahoma City, Portland, and San Diego have formally adopted the CIS Controls for their cyber defense.
Boeing, Citizens Property Insurance, Corden Pharma, and the Federal Reserve Bank of Richmond are among the major organizations that use the CIS Controls to protect sensitive information.
Top 5 Recommendations For CIS Controls
Implementing the CIS Top 20 controls is an effective way to protect your organization against the most prevalent threats.
Create And Keep A Software Inventory
Build a complete inventory of all licensed software installed on enterprise assets and keep it current. Each entry must record the title, publisher, initial install or use date, and business purpose; where applicable, also record the URL, version, deployment mechanism, and decommission date. Review and update the software inventory at least twice a year.
Ensure that unauthorized software is either removed from enterprise assets or covered by a documented exception. Review at least monthly.
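The two safeguards above reduce to a reconciliation: the inventory must be complete, and anything running that is not in it must be removed or excepted. The script below is an added example, not code from the page or from CIS; the field names, the inventory entries, the exception record and the observed package list are all constructed for illustration, and the 182-day review threshold is an assumption standing in for "twice a year".

```python
"""Software inventory reconciliation (added example; not from the page).

Checks a constructed software inventory against the requirements above and
against the packages actually observed on a host:
  - inventory entries that lack a required field
  - observed software with neither an inventory entry nor a documented exception
  - whether the twice-yearly inventory review is overdue
All names, entries and dates are made up for illustration.
"""
from datetime import date, timedelta

# Fields every entry must carry; optional fields such as url, version,
# deployment_mechanism and decommission_date are recorded when applicable.
REQUIRED_FIELDS = ("title", "publisher", "install_date", "business_purpose")

# Constructed inventory of authorized software.
INVENTORY = [
    {"title": "openssh-server", "publisher": "OpenBSD", "install_date": "2023-01-10",
     "business_purpose": "remote administration", "version": "9.3",
     "deployment_mechanism": "apt"},
    {"title": "nginx", "publisher": "F5", "install_date": "2023-02-01",
     "business_purpose": "reverse proxy", "url": "https://nginx.org"},
    {"title": "legacy-agent", "publisher": "", "install_date": "2019-05-05",
     "business_purpose": ""},                     # incomplete entry
]

# Constructed exceptions: title -> reference to the written exception record.
EXCEPTIONS = {"diagnostics-tool": "exception record SEC-0042 (assumed id)"}

# Constructed list of packages observed on a host (what a package manager or
# endpoint agent would report).
OBSERVED = ["openssh-server", "nginx", "diagnostics-tool", "unapproved-tool"]


def incomplete_entries(inventory):
    """Titles of inventory entries missing at least one required field."""
    return [e["title"] for e in inventory
            if any(not e.get(field) for field in REQUIRED_FIELDS)]


def unauthorized_software(observed, inventory, exceptions):
    """Observed packages with no inventory entry and no documented exception.

    These are the items the control says must be removed or formally excepted.
    """
    authorized = {e["title"] for e in inventory}
    return [pkg for pkg in observed
            if pkg not in authorized and pkg not in exceptions]


def review_overdue(last_review_iso, today_iso, max_days=182):
    """True when the last inventory review is older than roughly six months."""
    last = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return today - last > timedelta(days=max_days)


if __name__ == "__main__":
    print("incomplete entries:", incomplete_entries(INVENTORY))
    print("unauthorized software:",
          unauthorized_software(OBSERVED, INVENTORY, EXCEPTIONS))
    print("review overdue:", review_overdue("2024-01-15", "2024-09-01"))
```

In a real deployment the observed list would come from the package manager or endpoint agent on each host, and the exceptions map from the same system that holds the written approvals, so that an entry with no exception record cannot silently persist.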
Detect And Respond To Incidents
Incident response is a process made up of several coordinated activities rather than a single event, and teams must organize their efforts accordingly to be effective. A response program should cover five essential phases (preparation; detection and reporting; analysis; containment and neutralization; post-incident review) to address the full range of security threats an organization may face.
Preparation is the key to successful incident response: even a capable incident response team cannot handle an incident adequately without predefined roles, procedures, and thresholds.
The detection and reporting phase centers on monitoring security events in order to discover, escalate, and report potential security incidents.
- Monitor: Use firewall, intrusion prevention system (IPS), and data loss prevention (DLP) telemetry to track security events in your environment.
- Detect: Use a SIEM to correlate signals from those sources and identify potential security incidents.
- Alert: Analysts open an incident ticket, record initial findings, and assign a preliminary classification and severity.
- Report: Your reporting procedure should define escalation paths, including any regulatory reporting obligations.
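The Detect and Alert steps are where most of the engineering lives: raw events from several sources are normalised, a rule correlates them across time, and a hit becomes a ticket with an initial classification. The script below is an added example, not code from the page or from any SIEM product. The log lines are constructed (modelled on OpenSSH's `Failed password` / `Accepted publickey` messages with an ISO timestamp prefix), and the rule, its thresholds, and the ticket category names are assumptions chosen for the example.

```python
"""Minimal SIEM-style correlation over authentication events (added example).

Normalises constructed sshd log lines, applies one correlation rule
("several failures from one source, then a success, inside a short window"),
and turns each hit into a ticket with a preliminary classification.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines; format modelled on OpenSSH, timestamps added.
LOGS = """\
2024-03-04T10:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5001 ssh2
2024-03-04T10:00:03 host1 sshd[102]: Failed password for root from 203.0.113.7 port 5002 ssh2
2024-03-04T10:00:05 host1 sshd[103]: Failed password for root from 203.0.113.7 port 5003 ssh2
2024-03-04T10:00:06 host1 sshd[104]: Failed password for root from 203.0.113.7 port 5004 ssh2
2024-03-04T10:00:09 host1 sshd[105]: Accepted password for root from 203.0.113.7 port 5005 ssh2
2024-03-04T10:15:00 host2 sshd[201]: Failed password for alice from 198.51.100.9 port 6001 ssh2
2024-03-04T11:30:00 host2 sshd[202]: Accepted publickey for alice from 198.51.100.9 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(text):
    """Normalise raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a source that fails at least `threshold` times and then succeeds
    within `window`. Thresholds are assumptions for the example."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # drop failures that have aged out of the window
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        failures[ev["src"]] = recent
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"src": ev["src"], "host": ev["host"], "user": ev["user"],
                           "failures": len(recent), "at": ev["ts"]})
            failures[ev["src"]] = []   # do not re-alert on the same burst
    return alerts


def make_ticket(alert):
    """The Alert step: open a ticket with initial findings and a classification."""
    severity = "high" if alert["user"] == "root" else "medium"
    return {
        "category": "credential-access/brute-force-then-success",  # assumed taxonomy
        "severity": severity,
        "summary": (f"{alert['failures']} failed logons from {alert['src']} to "
                    f"{alert['host']} followed by success as {alert['user']} "
                    f"at {alert['at']:%H:%M:%S}"),
        "status": "open",
    }


if __name__ == "__main__":
    for alert in correlate(parse(LOGS)):
        print(make_ticket(alert))
```

Note that the single failure from 198.51.100.9 followed by a success over an hour later does not fire: the window is what separates a user mistyping a password from a password-spray that eventually lands, and it is the parameter to tune first when the rule is noisy.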
In the analysis phase, responders need working knowledge of live system response, digital forensics, memory analysis, and malware analysis. The team gathers evidence from tools and systems to identify indicators of compromise and establish the scope of the incident.
Containment and neutralization follow. The intelligence and indicators of compromise gathered during analysis drive the containment and eradication plan. Normal operations resume only once affected systems have been recovered and verified as secure.
After the incident is resolved, work remains. Carefully document what happened, what worked, and what did not, so that the lessons feed back into controls and playbooks and reduce the chance of a repeat.
Identify Security Gaps
As data breaches grow more frequent, organizations must strengthen their defenses to protect one of their most essential assets: data.
Organizations can no longer afford to be unaware of the frequency and sophistication of cyber incidents in their industry and beyond. Before a breach happens, they must test their defenses and be prepared to respond, which means knowing the threats, the adversaries, and the resources available to them.
Attackers may already be inside a network, waiting for the right moment to act. Organizations should hunt actively for such footholds rather than waiting for an alert, and should ensure the right monitoring is in place so that threats and vulnerabilities are detected early.
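One concrete hunt for an attacker who is already inside and waiting is to look for beaconing: an implant that calls home on a fixed interval produces outbound connections with unusually regular gaps. The script below is an added example, not code from the page or from any vendor tool. The connection records are constructed, and the minimum sample count and the coefficient-of-variation cutoff are assumptions chosen for the example.

```python
"""Threat-hunting example (added; not from the page): find beaconing hosts.

Groups constructed outbound connections by (source, destination, port),
computes the gaps between successive connections, and flags pairs whose
gaps are regular (low coefficient of variation) over enough samples.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection log: (epoch seconds, src, dst, dst_port).
CONNECTIONS = [
    # a workstation calling the same host every ~60 s with a little jitter
    *[(1700000000 + 60 * i + (i % 3), "10.0.0.12", "198.51.100.20", 443)
      for i in range(12)],
    # ordinary browsing: irregular gaps
    *[(1700000000 + t, "10.0.0.15", "93.184.216.34", 443)
      for t in (3, 40, 41, 300, 305, 950, 1300)],
    # a single connection: too few samples to judge
    (1700000100, "10.0.0.17", "203.0.113.5", 80),
]


def gaps(timestamps):
    """Differences between successive timestamps, in seconds."""
    s = sorted(timestamps)
    return [b - a for a, b in zip(s, s[1:])]


def find_beacons(conns, min_samples=6, max_cv=0.2):
    """Return (src, dst, port, mean_gap, cv) for connection pairs whose
    inter-connection gaps are regular. `min_samples` and `max_cv` are
    assumed thresholds; lower max_cv means stricter regularity."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in conns:
        by_pair[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), ts in by_pair.items():
        if len(ts) < min_samples:
            continue                      # not enough history to judge
        g = gaps(ts)
        m = mean(g)
        cv = pstdev(g) / m if m else float("inf")   # coefficient of variation
        if cv <= max_cv:
            hits.append((src, dst, port, round(m, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(CONNECTIONS):
        print("possible beacon:", hit)
```

On real traffic the next step is enrichment: a regular 60-second cadence to a known update server is noise, while the same cadence to an unfamiliar address from a host that has no business reason to talk to it is the lead worth pulling.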
Implement CIS 20 Controls
Once you have identified the gaps, the next step is to implement the CIS Controls according to your organization's requirements. The following stages help ensure a successful implementation.
Start by taking inventory of your assets; this lays the groundwork for everything that follows, since you cannot build controls to protect devices and people you do not know about. Critical Security Controls 1 and 2 correspond to this stage.
Next, establish which controls you already have and where you have already invested money and effort, so you can tell IT and senior management how well you are (or are not) protected today. Critical Security Controls 3, 4, 5, 7, 8, 10, 13, and 18 correspond to this stage.
Determine what safeguards exist at network entry and exit points; a network boundary inventory is useful here. Then restrict wireless LAN access to authorized users and limit network ingress and egress. Critical Security Controls 9, 11, 12, and 15 correspond to this stage.
The next stage is incident detection and response. An incident may be small, opportunistic, or targeted, and you cannot know when it will happen, but you can count on it happening. Prepare a comprehensive incident response plan and a defined internal procedure that feeds back into your program for establishing and maintaining controls. Critical Security Controls 6, 16, and 19 correspond to this stage.
At this point you know how secure you are and where your most serious weaknesses lie, which is what you need in order to prioritize how to move the security program forward. Be prepared, though: agreeing which gaps matter most requires consensus across the team. With that settled, plan and implement the remaining controls.
Then decide how you will handle short- and long-term maintenance and how you will measure progress over time.
People are typically the weakest link in the security chain, however much we value them, which is why it is critical to train and test users so that they know what to look for and why security matters. Critical Security Control 17 corresponds to this stage.
Once the controls are in place, use penetration testing and red team exercises to verify that they actually work. Do this regularly: the results give you confidence in your strategy and credibility inside the organization. Critical Security Control 20 corresponds to this stage.
Implementing the CIS Top 20 controls does not by itself protect you from every breach. Testing them is a must, both once the measures are in place and on an ongoing basis afterward.
CyberStrong can streamline your compliance with the CIS Controls and other widely used frameworks such as the NIST Cybersecurity Framework (CSF), ISO 27001, and CMMC. Contact us to learn more about CyberStrong's automated risk and compliance solution; our experts will guide you through the process.