Wednesday, March 1, 2023

CIS Controls


The Center for Internet Security (CIS) Controls is a widely adopted set of best practices and guidelines for securing computer systems and networks. There are 20 CIS Controls, organized into three categories: Basic, Foundational, and Organizational. Here are the core tenets of the CIS Controls:

  1. Control selection based on risk: The CIS Controls are prioritized based on the risk that they address. The most critical controls are listed first.
  2. Consensus-based: The CIS Controls are developed and maintained by a community of experts from government, academia, and industry, with input from a wide range of stakeholders.
  3. Actionable: The CIS Controls provide specific guidance on how to implement each control, making them practical and actionable.
  4. Measurable: The CIS Controls are designed to be measurable, so that organizations can track their progress and measure the effectiveness of their security efforts.
  5. Continuous improvement: The CIS Controls are intended to be a living document, with regular updates and revisions based on the latest threats and best practices.
  6. Implementation flexibility: The CIS Controls are designed to be adaptable to different types of organizations and environments, from small businesses to large enterprises.
  7. Comprehensive coverage: The CIS Controls cover a wide range of security domains, including network security, endpoint security, data protection, and incident response.

Overall, the CIS Controls provide a framework for organizations to build a strong and effective cybersecurity program, based on industry best practices and the latest threat intelligence.

Here are the 20 CIS Controls broken out by the three categories:

Basic Controls:

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational Controls:

  7. Email and Web Browser Protections
  8. Malware Defenses
  9. Limitation and Control of Network Ports, Protocols and Services
  10. Data Recovery Capability
  11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  12. Boundary Defense
  13. Data Protection

Organizational Controls:

  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control
  17. Implement a Security Awareness and Training Program
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises

Note that these controls are prioritized by risk, and organizations should implement them in the order the CIS Controls specify. Organizations are also advised not to skip any of the Basic Controls, since those six provide the foundation on which the rest of an effective cybersecurity program is built.
