
Recommendations For Your Next CIS Risk Assessment


The Center for Internet Security (CIS) works to discover, design, validate, promote, and sustain best-practice cyber defense solutions that safeguard people and processes. As the cyber attack surface expands, CIS maintains a prioritized list of Critical Security Controls (CSC) that you can use to identify gaps in your company's cyber defense strategy and security frameworks.

In response to the changing technology, work, and threat landscape, CIS released CIS Controls v8. This version consolidates the controls into 18, with 153 safeguards, and explicitly addresses cloud and mobile technologies.

What is CIS Top 20?

The CIS Top 20 Critical Security Controls is a list of best practices intended to address today's most pervasive and dangerous threats. "Top 20" refers to the numbering used through v7.1; v8 consolidates the same material into 18 controls. The framework was developed by a community of experienced security practitioners and is revised periodically as the threat landscape changes.

The CIS Critical Security Controls (CIS Controls) are a prioritized set of safeguards designed to protect systems and networks against the most common attacks and data breaches. Many legal, regulatory, and policy frameworks reference these controls as a baseline for effective defense.

Who Uses CIS Controls?

Organizations of all kinds and sizes use the CIS Controls. As of May 1, 2017, the control set had been downloaded over 70,000 times. The states of Arizona, Colorado, and Idaho and the cities of Oklahoma City, Portland, and San Diego have formally adopted the CIS Controls for cyber defense.

Boeing, Citizens Property Insurance, Corden Pharma, and the Federal Reserve Bank of Richmond are among the major organizations that use CIS Benchmarks, the companion secure-configuration baselines, to protect sensitive information.

Top 5 Recommendations For CIS Controls

Implementing the CIS Top 20 security controls is an effective way to safeguard your company against some of the most prevalent threats.

  • Create And Keep A Software Inventory

Make a complete inventory of all licensed software installed on enterprise assets and keep it updated. Each entry in the software inventory must record the title, publisher, initial install/use date, and business purpose. Where applicable, also record the URL, app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory at least twice a year.

Ensure that unauthorized software is either removed from enterprise assets or covered by a documented exception. Review for unauthorized software at least once a month.
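The two review cadences above (bi-annual inventory review, monthly check for unauthorized software) are easy to automate once the inventory has the mandated fields. The following is an added example, not CyberSaint's or CIS's own code: the inventory records, the allowlist, the exception ticket number and the review date are all constructed sample data, and the 183-day and 31-day windows are assumptions standing in for "twice a year" and "monthly".

```python
"""Review a CIS Control 2 style software inventory (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class SoftwareEntry:
    """One inventory record with the fields the safeguard asks for."""
    title: str
    publisher: str
    installed: date                     # initial install/use date
    purpose: str                        # business purpose
    version: str = ""
    deploy: str = ""                    # deployment mechanism
    decommissioned: Optional[date] = None
    exception_ref: str = ""             # documented exception (ticket id), if any
    last_reviewed: Optional[date] = None


# Constructed sample allowlist of (title, publisher) pairs the business approved.
ALLOWLIST = {
    ("7-Zip", "Igor Pavlov"),
    ("Google Chrome", "Google LLC"),
}

# Constructed sample inventory; none of these records describe a real estate.
INVENTORY = [
    SoftwareEntry("7-Zip", "Igor Pavlov", date(2023, 1, 10), "archive handling",
                  version="23.01", deploy="SCCM", last_reviewed=date(2023, 9, 1)),
    SoftwareEntry("Google Chrome", "Google LLC", date(2023, 2, 1), "web browser",
                  version="124.0", deploy="SCCM", last_reviewed=date(2024, 2, 10)),
    SoftwareEntry("Legacy Reporter", "Acme", date(2019, 5, 3), "finance reports",
                  version="2.1", deploy="manual", exception_ref="EXC-0042",
                  last_reviewed=date(2024, 4, 20)),
    SoftwareEntry("TeamViewer", "TeamViewer Germany GmbH", date(2024, 3, 15),
                  "remote support", version="15.5", deploy="manual",
                  last_reviewed=date(2024, 4, 20)),
    SoftwareEntry("CustomAgent", "", date(2024, 4, 2), "",
                  deploy="manual", last_reviewed=date(2024, 4, 20)),
    SoftwareEntry("OldTool", "Acme", date(2018, 1, 1), "retired",
                  decommissioned=date(2022, 6, 30), last_reviewed=date(2022, 6, 30)),
]

REVIEW_DATE = date(2024, 5, 1)  # constructed date of this review


def active(inventory):
    """Entries still in use (no decommission date)."""
    return [e for e in inventory if e.decommissioned is None]


def unauthorized(inventory):
    """Active software that is neither allowlisted nor covered by a documented exception."""
    return [e for e in active(inventory)
            if (e.title, e.publisher) not in ALLOWLIST and not e.exception_ref]


def incomplete(inventory):
    """Entries missing a mandatory field: title, publisher, install date, purpose."""
    return [e for e in inventory
            if not (e.title and e.publisher and e.installed and e.purpose)]


def overdue(inventory, today, max_age_days):
    """Active entries not reviewed within max_age_days (183 ~ bi-annual, 31 ~ monthly)."""
    cutoff = today - timedelta(days=max_age_days)
    return [e for e in active(inventory)
            if e.last_reviewed is None or e.last_reviewed < cutoff]


def review_report(inventory, today):
    """Summarize the review as lists of titles, the shape a ticket or dashboard would take."""
    return {
        "unauthorized": [e.title for e in unauthorized(inventory)],
        "incomplete": [e.title for e in incomplete(inventory)],
        "overdue_biannual": [e.title for e in overdue(inventory, today, 183)],
        "overdue_monthly": [e.title for e in overdue(inventory, today, 31)],
    }


if __name__ == "__main__":
    for finding, titles in review_report(INVENTORY, REVIEW_DATE).items():
        print(f"{finding}: {titles}")
```

Two design points carry over to a real inventory: decommissioned software is excluded from the unauthorized and overdue checks but kept in the record (the safeguard asks for the decommission date, so the history should survive), and an entry with a documented exception is never reported as unauthorized, which is why the exception reference must be a field on the record rather than a note somewhere else.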

  • Detect And Respond To Incidents

Incident response is a process rather than a single event. Teams must coordinate and organize their efforts to respond effectively. Any response program should incorporate five essential phases to address the broad spectrum of security threats a firm may encounter: preparation; detection and reporting; analysis; containment and neutralization; and post-incident activity.

Preparation is the key to successful incident response. Even a capable incident response team cannot adequately address an incident without defined roles, procedures, and escalation paths.

The detection and reporting phase focuses on monitoring security events to discover, notify, and report possible security incidents.

  • Monitor: Use firewalls, intrusion prevention systems, and data loss prevention tools to record security events in your environment.
  • Detect: Use a SIEM to correlate those signals and identify possible security incidents.
  • Alert: Analysts create an incident ticket, record initial findings, and classify the incident.
  • Report: Your reporting procedure should include escalation paths for regulatory reporting obligations.
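The Monitor, Detect and Alert steps are concrete enough to show end to end. Below is an added example, not code from the original article or from any SIEM product: it parses constructed, simplified syslog-style SSH authentication lines (real OpenSSH messages carry a hostname and a different timestamp format), applies a correlation rule chosen for illustration (five or more failures from one source within ten minutes, then a successful login from that source), and turns the match into the fields an analyst's ticket needs. The addresses are documentation ranges, not real hosts.

```python
"""Correlate authentication events into an alert ticket, SIEM-style (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified syslog-like format (not real logs).
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z sshd[1101]: Failed password for alice from 203.0.113.7 port 50001
2024-05-01T09:00:04Z sshd[1102]: Failed password for bob from 203.0.113.7 port 50002
2024-05-01T09:00:09Z sshd[1103]: Failed password for carol from 203.0.113.7 port 50003
2024-05-01T09:00:15Z sshd[1104]: Failed password for dave from 203.0.113.7 port 50004
2024-05-01T09:00:21Z sshd[1105]: Failed password for erin from 203.0.113.7 port 50005
2024-05-01T09:00:40Z sshd[1106]: Accepted password for erin from 203.0.113.7 port 50006
2024-05-01T09:02:00Z sshd[1107]: Failed password for alice from 198.51.100.20 port 40001
2024-05-01T09:30:00Z sshd[1108]: Accepted password for alice from 198.51.100.20 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(text):
    """Monitor step: turn raw lines into structured events; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Detect step: flag a source whose failures inside `window` reach `threshold`
    and are then followed by a successful login from the same source."""
    recent = defaultdict(list)   # src -> [(ts, user), ...] failures still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:   # slide the window forward
            q.pop(0)
        if ev["result"] == "Failed":
            q.append((ev["ts"], ev["user"]))
        elif len(q) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],                       # account the attacker got into
                "failures": len(q),
                "users_tried": sorted({u for _, u in q}),
                "first_failure": q[0][0],
                "success": ev["ts"],
            })
            q.clear()                                     # one alert per burst
    return alerts


def to_ticket(alert):
    """Alert step: classify the finding and produce the fields an analyst's ticket needs."""
    spray = len(alert["users_tried"]) > 1   # many accounts, one source: password spray
    return {
        "title": ("Password spray" if spray else "Brute force")
                 + f" followed by successful login from {alert['src']}",
        "severity": "high",   # a success after many failures warrants prompt triage
        "compromised_account": alert["user"],
        "evidence": f"{alert['failures']} failures between "
                    f"{alert['first_failure'].isoformat()} and {alert['success'].isoformat()}",
        "users_tried": alert["users_tried"],
    }


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOGS)):
        print(to_ticket(a))
```

On the sample data the second source (one failure, then a success 28 minutes later) correctly produces no alert because its failure has aged out of the window, which is the behaviour you want from a rule like this: the threshold and window are what keep a single mistyped password from paging an analyst.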

Analysts should be proficient in live response, digital forensics, memory analysis, and malware analysis. During the analysis phase, security teams gather data from tools and systems for investigation and for identifying indicators of compromise.

The next essential step is containment and neutralization. The intelligence and indicators of compromise obtained during analysis inform the containment and neutralization plan. Normal operations resume only after the affected systems have been recovered and confirmed secure.

After the response team resolves the incident, there is still work to be done. Carefully capture lessons learned and any information that may help prevent similar incidents in the future.

  • Identify Security Gaps

As the frequency of data breaches grows, organizations must strengthen their defenses to safeguard one of their most essential assets: data.

Organizations can no longer afford to be unaware of the frequency and complexity of cyber incidents in their industry and beyond. Before a breach happens, companies must test their defenses and be prepared to respond. It is also essential to know the threats, the adversaries, and the resources available to you.

Attackers may already have access to a company's network and be waiting for the right moment to act. Organizations should perform active threat hunting to detect such intrusions before they escalate, and must ensure that the right monitoring is in place for early detection of threats and vulnerabilities.

  • Implement CIS 20 Controls

Once you have identified the problems, the next step is implementing the CIS controls according to your organization's requirements. The control numbers in the stages below follow CIS Controls v7 (the 20-control version); v8 consolidated and renumbered the controls, so map accordingly if you assess against v8. Here are some measures through which you can ensure successful implementation.

Take inventory of your assets to lay the groundwork for the rest of the process: you cannot create controls to safeguard devices and people if you don't know what you're protecting. Critical Security Controls 1 and 2 correspond to this stage.

Next, determine which controls you already have and where you have already spent money and effort. Know how well you are (or aren't) protected right now so you can report it to IT and top management. Critical Security Controls 3, 4, 5, 7, 8, 10, 13, and 18 correspond to this stage.

Determine what network entry and exit safeguards are in place; a network boundary inventory helps here. Then restrict access to your wireless local area networks to authorized users and limit network ingress and egress. Critical Security Controls 9, 11, 12, and 15 correspond to this stage.

Your next step is incident detection and response. An attack might be small, opportunistic, or targeted, and you never know when it will happen, but you can count on it happening. Prepare a comprehensive incident response plan and a defined internal procedure that feeds back into your security plan for establishing and maintaining controls. Critical Security Controls 6, 16, and 19 correspond to this stage.

At this point you know how well protected you are and where your most serious security gaps lie. To prioritize how to drive your security program forward, you need to know which gaps matter most, and be prepared: agreeing on which gaps are essential requires team consensus. Then plan and implement the controls.

Next up? Decide how you'll handle short- and long-term maintenance and measure progress over time.

People are typically the weakest link in the security chain, no matter how much we love them. That is why it is critical to train and test users so they know what to look for and why security matters. Critical Security Control 17 corresponds to this stage.

  • Test Controls

Once controls are in place, use penetration testing and red team exercises to verify that they actually work; Critical Security Control 20 covers this. Security teams should perform this testing regularly, because the results build confidence in your strategy and credibility with the rest of the business.

Wrapping Up

Implementing the CIS Top 20 controls alone does not protect you from every security breach. Testing the controls is a must: do it once the measures are implemented, and repeat it as the environment changes.

CyberStrong can streamline your compliance with the CIS controls along with other gold-standard frameworks like the NIST Cybersecurity Framework (CSF), ISO 27001, and CMMC. Contact us if you’d like to learn more about CyberStrong’s automated risk and compliance solution, and our experts will guide you throughout the process.
