CIS Controls

Framework

The Center for Internet Security (CIS), established in 2000, is a non-profit organization that develops configurable policy standards that enable organizations to improve security and compliance programs and postures.
CIS Controls™ and its CIS Benchmarks™ are global standards and accepted best practices for securing IT systems and data against the most common attacks. These proven guidelines are continuously refined and verified by experienced IT professional volunteers worldwide.
CIS is also home to the Multi-State Information Sharing and Analysis Center® (MSISAC®), a resource devoted to preventing, protecting, responding, and recovering cyber threats for state, local, tribal, and territorial government entities. And the Election Infrastructure Information Sharing and Analysis Center™ (EIISAC™) serving the cybersecurity needs of US state, regional, and territorial election offices. Recently, CIS released no-cost best practice guidance in the form of the Community Defense Model mapping the CIS Controls to the MITRE ATT&CK model, CIS Foundations Benchmarks for cloud service providers, a guide to the Shared Responsibility Model for security in the cloud, the CIS Password Policy Guide, the CIS Videoconferencing Security Guide, and more.

CIS Controls

CIS Controls were developed starting in 2008 and are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions that offer a “must-do, do-first” starting point for every enterprise seeking to improve their cyber defense. The last version of CIS Controls is v8 with 18 safeguards.
The CIS Controls are not a replacement for any existing regulatory, compliance, or authorization scheme. The CIS Controls map to most major compliance frameworks such as the NIST Cybersecurity Framework, NIST 800-53, ISO 27000 series, and regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA. Mappings from the CIS Controls have been defined for these other frameworks to give a starting point for action.
It is essential to look for CIS Controls as an ecosystem and recognize that “it’s not about the list.” The true power of the CIS Controls is not about creating the best list; it is about harnessing the experience of a community of individuals and enterprises to make security improvements through the sharing of ideas, tools, lessons, and collective action. CIS Controls are grouped into three Implementation Groups (IGs). The CIS Controls IGs are self-assessed categories for enterprises. These IGs represent a horizontal look across the CIS Controls tailored to different types of enterprises. Specifically, IG1 is “basic cyber hygiene,” the foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most common attacks. Each IG then builds upon the previous one: IG2 includes IG1, and IG3 includes all CIS Safeguards in IG1 and IG2.

Implementation Groups

Implementation Groups (IGs) are the recommended guidelines to prioritize the CIS Controls implementation.

IG1

CIS Controls v8 defines Implementation Group 1 (IG1) as essential cyber hygiene and represents an emerging minimum standard of information security for all enterprises. An IG1 enterprise is small to medium-sized with limited IT and cybersecurity expertise to protect IT assets and personnel. The principal concern of these enterprises is to keep the business operational, as they have limited tolerance for downtime. It should be implementable with limited cybersecurity expertise.

IG2

An IG2 enterprise employs individuals responsible for managing and protecting IT infrastructure. These enterprises support multiple departments with differing risk profiles based on job function and mission. Small enterprise units may have regulatory compliance burdens. IG2 enterprises often store and process sensitive client or enterprise information and can withstand short service interruptions. It helps security teams cope with increased operational complexity.

IG3

An IG3 enterprise employs security experts specializing in the different facets of cybersecurity (e.g., risk management, penetration testing, application security). IG3 assets and data contain sensitive information or functions subject to regulatory and compliance oversight. An IG3 enterprise must address the availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare.

Controls and Safeguards Index

01 Inventory and Control of Enterprise Assets

  1. Establish and Maintain Detailed Enterprise Asset Inventory
  2. Address Unauthorized Assets
  3. Utilize an Active Discovery Tool
  4. Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
  5. Use a Passive Asset Discovery Tool

02 Inventory and Control of Software Assets

  1. Establish and Maintain a Software Inventory
  2. Ensure Authorized Software is Currently Supported
  3. Address Unauthorized Software
  4. Utilize Automated Software Inventory Tools
  5. Allowlist Authorized Software
  6. Allowlist Authorized Libraries
  7. Allowlist Authorized Scripts

03 Data Protection

  1. Establish and Maintain a Data Management Process
  2. Establish and Maintain a Data Inventory
  3. Configure Data Access Control Lists
  4. Enforce Data Retention
  5. Securely Dispose of Data
  6. Encrypt Data on End-User Devices
  7. Establish and Maintain a Data Classification Scheme
  8. Document Data Flows
  9. Encrypt Data on Removable Media
  10. Encrypt Sensitive Data in Transit
  11. Encrypt Sensitive Data at Rest
  12. Segment Data Processing and Storage Based on Sensitivity
  13. Deploy a Data Loss Prevention Solution
  14. Log Sensitive Data Access

04 Secure Configuration of Enterprise Assets and Software

  1. Establish and Maintain a Secure Configuration Process
  2. Establish and Maintain a Secure Configuration Process for Network Infrastructure
  3. Establish and Maintain a Secure Configuration Process for Network Infrastructure
  4. Implement and Manage a Firewall on Servers
  5. Implement and Manage a Firewall on End-User Devices
  6. Securely Manage Enterprise Assets and Software
  7. Manage Default Accounts on Enterprise Assets and Software
  8. Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
  9. Configure Trusted DNS Servers on Enterprise Assets
  10. Enforce Automatic Device Lockout on Portable End-User Devices
  11. Enforce Remote Wipe Capability on Portable End-User Devices
  12. Separate Enterprise Workspaces on Mobile End-User Devices

05 Account Management

  1. Establish and Maintain an Inventory of Accounts
  2. Use Unique Passwords
  3. Disable Dormant Accounts
  4. Restrict Administrator Privileges to Dedicated Administrator Accounts
  5. Establish and Maintain an Inventory of Service Accounts
  6. Centralize Account Management

06 Access Control Management

  1. Establish an Access Granting Process
  2. Establish an Access Revoking Process
  3. Require MFA for Externally-Exposed Applications
  4. Require MFA for Remote Network Access
  5. Require MFA for Administrative Access
  6. Establish and Maintain an Inventory of Authentication and Authorization Systems
  7. Centralize Access Control
  8. Define and Maintain Role-Based Access Control

07 Continuous Vulnerability Management

  1. Establish and Maintain a Vulnerability Management Process
  2. Establish and Maintain a Remediation Process
  3. Perform Automated Operating System Patch Management
  4. Perform Automated Application Patch Management
  5. Perform Automated Vulnerability Scans of Internal Enterprise Assets
  6. Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
  7. Remediate Detected Vulnerabilities

08 Audit Log Management

  1. Establish and Maintain an Audit Log Management Process
  2. Collect Audit Logs
  3. Ensure Adequate Audit Log Storage
  4. Standardize Time Synchronization
  5. Collect Detailed Audit Logs
  6. Collect DNS Query Audit Logs
  7. Collect URL Request Audit Logs
  8. Collect Command-Line Audit Logs
  9. Centralize Audit Logs
  10. Retain Audit Logs
  11. Conduct Audit Log Reviews
  12. Collect Service Provider Logs

09 Email and Web Browser Protections

  1.  Ensure Use of Only Fully Supported Browsers and Email Clients
  2. Use DNS Filtering Services
  3. Maintain and Enforce Network-Based URL Filters
  4. Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
  5. Implement DMARC
  6. Block Unnecessary File Types
  7. Deploy and Maintain Email Server Anti-Malware Protections

10 Malware Defenses

  1. Deploy and Maintain Anti-Malware Software
  2. Configure Automatic Anti-Malware Signature Updates
  3. Disable Autorun and Autoplay for Removable Media
  4. Configure Automatic Anti-Malware Scanning of Removable Media
  5. Enable Anti-Exploitation Features
  6. Centrally Manage Anti-Malware Software
  7. Use Behavior-Based Anti-Malware Software

11 Data Recovery

  1. Establish and Maintain a Data Recovery Process
  2. Perform Automated Backups
  3. Protect Recovery Data
  4. Establish and Maintain an Isolated Instance of Recovery Data
  5. Test Data Recovery

12 Network Infrastructure Management

  1. Ensure Network Infrastructure is Up-to-Date
  2. Establish and Maintain a Secure Network Architecture
  3. Securely Manage Network Infrastructure
  4. Establish and Maintain Architecture Diagram(s)
  5. Centralize Network Authentication, Authorization, and Auditing (AAA)
  6. Use of Secure Network Management and Communication Protocols
  7. Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
  8. Establish and Maintain Dedicated Computing Resources for All Administrative Work

13 Network Monitoring and Defense

  1. Centralize Security Event Alerting
  2. Deploy a Host-Based Intrusion Detection Solution
  3. Deploy a Network Intrusion Detection Solution
  4. Perform Traffic Filtering Between Network Segments
  5. Manage Access Control for Remote Assets
  6. Collect Network Traffic Flow Logs
  7. Deploy a Host-Based Intrusion Prevention Solution
  8. Deploy a Network Intrusion Prevention Solution
  9. Deploy Port-Level Access Control
  10. Perform Application Layer Filtering
  11. Tune Security Event Alerting Thresholds

14 Security Awareness and Skills Training

  1. Establish and Maintain a Security Awareness Program
  2. Train Workforce Members to Recognize Social Engineering Attacks
  3. Train Workforce Members on Authentication Best Practices
  4. Train Workforce on Data Handling Best Practices
  5. Train Workforce Members on Causes of Unintentional Data Exposure
  6. Train Workforce Members on Recognizing and Reporting Security Incidents
  7. Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
  8. Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
  9. Conduct Role-Specific Security Awareness and Skills Training

15 Service Provider Management

  1. Establish and Maintain an Inventory of Service Providers
  2. Establish and Maintain a Service Provider Management Policy
  3. Classify Service Providers
  4. Ensure Service Provider Contracts Include Security Requirements
  5. Assess Service Providers
  6. Monitor Service Providers
  7. Securely Decommission Service Providers

16 Application Software Security

  1. Establish and Maintain a Secure Application Development Process
  2. Establish and Maintain a Process to Accept and Address Software Vulnerabilities
  3. Perform Root Cause Analysis on Security Vulnerabilities
  4. Establish and Manage an Inventory of Third-Party Software Components
  5. Use Up-to-Date and Trusted Third-Party Software Components
  6. Establish and Maintain a Severity Rating System and Process for Application
    Vulnerabilities
  7. Use Standard Hardening Configuration Templates for Application Infrastructure
  8. Separate Production and Non-Production Systems
  9. Train Developers in Application Security Concepts and Secure Coding
  10. Apply Secure Design Principles in Application Architectures
  11. Leverage Vetted Modules or Services for Application Security Components
  12. Implement Code-Level Security Checks
  13. Conduct Application Penetration Testing
  14. Conduct Threat Modeling

17 Incident Response Management

  1. Designate Personnel to Manage Incident Handling
  2. Establish and Maintain Contact Information for Reporting Security Incidents
  3. Establish and Maintain an Enterprise Process for Reporting Incidents
  4. Establish and Maintain an Incident Response Process
  5. Assign Key Roles and Responsibilities
  6. Define Mechanisms for Communicating During Incident Response
  7. Conduct Routine Incident Response Exercises
  8. Conduct Post-Incident Reviews
  9. Establish and Maintain Security Incident Thresholds

18 Penetration Testing

  1. Establish and Maintain a Penetration Testing Program
  2. Perform Periodic External Penetration Tests
  3. Remediate Penetration Test Findings
  4. Validate Security Measures
  5. Perform Periodic Internal Penetration Tests

Related Posts