Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

The CIS Top 20 Controls Explained

down-arrow

The Center for Internet Security (CIS) is a non-profit organization responsible for developing best practices to improve Internet security and protect against security incidences. The frameworks set forth by CIS affect everybody, from people to organizations and governments, and were done to create safe, reliable standards of protection for IT systems and cybersecurity programs from data breaches. The CIS Controls, formerly the CIS Top 20, make a strong foundation for a newly maturing cybersecurity program. Below, we explore the top 20 Critical Security Controls and their requirements.

In response to the changing technology, work, and threat landscape, The Center for Internet Security (CIS) has launched CIS Top 18 Controls (v8). This update has 18 key controls with 153 safeguards and addresses cloud and mobile technologies.

The CIS Critical Security Controls

What are the CIS Critical Security Controls

Inventory and Control of Hardware Assets

Identify devices on your organization’s network, update them, and maintain an inventory of assets that store or process information.

Inventory and Control of Software Assets

Use software inventory tools to automate all software documentation to prevent unauthorized software from executing on assets.

Continuous Vulnerability Management

Utilize a complaint vulnerability scanning tool to monitor your systems on the network to identify vulnerabilities and keep them up to date.

Controlled Use of Administrative Privileges

Configure systems to issue log entries, alert when accounts are changed, and ensure administrative accounts have proper access.

Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Maintain documented, standard security configuration standards for all authorized operating systems and software.

Maintenance, Monitoring, and Analysis of Audit Logs

Ensure that local logging has been enabled and appropriate logs are aggregated to a central log management system for analysis and review.

Email and Web Browser Protections

Ensure that only supported web browsers and email clients can execute in the organization using the latest official version.

Malware Defenses

Utilize centrally managed anti-malware software to continuously monitor and defend each organization's workstations and servers.

Limitations and Control of Network Ports, Protocols, and Services

Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system, and perform automated port scans regularly.

Data Recovery Capabilities

Ensure that all system data and key systems are automatically backed up regularly.

Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Compare all network device configurations against approved security configurations and manage all network devices using multi-factor authentication and encrypted sessions.

Boundary Defense

Deny communications with known malicious or unused Internet IP addresses and limit access to trusted and necessary IP address ranges.

Data Protection

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored.

Wireless Access Control

Leverage the Advanced Encryption Standard to encrypt wireless data in transit and create a separate wireless network for personal or untrusted devices.

Account Monitoring and Control

Require multi-factor authentication (MFA) for all system user accounts, whether managed onsite or by a third-party provider.

Implement a Security Awareness and Training Program

Perform a skills gap analysis and train the workforce to identify social engineering attacks, such as phishing, phone scams, and impersonation calls.

Application Software Security

Establish secure coding practices appropriate to the programming language and development environment being used.

Incident Response & Management

Ensure written incident response plans define personnel roles and incident handling/management phases.

Penetration Tests and Red Team Exercises 

Establish a program for penetration tests that includes a full scope of common attacks, such as wireless, client-based, and web application attacks.

 

 

 

Implementing CIS controls doesn’t need to be as daunting as it seems with the help of an automated risk assessment solution like CyberStrong. The CyberStrong platform can streamline and automate your compliance efforts with these 20 critical security controls and many other gold-standard frameworks, such as the NIST CSF, DFARS, and ISO 27001.

 

 

 

 

Schedule a conversation if you have any additional questions about the CIS cybersecurity controls, cyber risk management, or how CyberStrong can help bolster your cybersecurity and compliance objectives.

You may also like

Step-by-Step Guide: How to Create ...
on September 23, 2024

Cyber risk management has become more critical in today's challenging digital landscape. Organizations face increased pressure to identify, assess, and mitigate risks that could ...

From Fragmentation to Integration: ...
on September 17, 2024

Organizations are often inundated with many security threats and vulnerabilities in today's fast-paced cybersecurity landscape. As a result, many have turned to point ...

How to Create a Comprehensive ...
on September 9, 2024

Cyber threats are becoming more frequent, sophisticated, and damaging in today's rapidly evolving digital landscape. Traditional approaches to cyber risk management, which often ...

Top Cybersecurity Risk Mitigation ...
on August 22, 2024

In today’s rapidly evolving digital landscape, cybersecurity risks are more prevalent and sophisticated than ever before. Organizations of all sizes are increasingly exposed to ...

August Product Update
on August 16, 2024

The team at CyberSaint is thrilled to announce the latest additions and updates made to the CyberStrong solution. These latest updates will focus on reporting and remediation. To ...

The Ultimate Guide to Managing ...
on September 24, 2024

Cyber risk management has taken center stage for managing and assessing cybersecurity. Security professionals who have taken a risk-first approach to replacing legacy GRC tools ...