Top 20 CIS Critical Security Controls (Part 1): What Are They?

One step ahead of cyber criminals requires expertise, technology and robust processes. Add the pressures of regulatory compliance and finite resources, and the cyber security puzzle can become overwhelming.

You know you need to prioritise your defences but without a clear roadmap, you can’t help feeling you’ve left a chink in your cyber armour.

The Centre for Internet Security (CIS) Controls come in here. In this 4-part series, we’ll look at what these CIS Controls are and dig into how each one works to protect organisations of all types and sizes to better defend against known attacks and achieve a greater overall cyber security posture.

All Articles in The Series:

• Overview of the Top 20 CIS Critical Security Controls (Part 1): What Are They?
• CIS Critical Security Controls: The 6 BASIC Controls (Part 2)
• The 10 Foundational CIS Critical Security Controls (Part 3)
• Understanding the Organisational CIS Critical Security Controls (Part 4)

What Are CIS Critical Security Controls?

The 20 CIS critical security controls are specific actions that defend against the most prevalent cyber attacks. They are an actionable list of high-priority, effective steps that form your cyber security groundwork. Instead of starting from scratch, you can stand on the shoulders of other cyber security experts to get the essentials in place... and protect yourself from 85% of common cyber attacks.

Who Created the CIS Controls?

In 2008, volunteer experts from various fields developed the CIS Controls. This consortium included public and private sector teams and individuals:

• Cyber analysts
• Vulnerability testers
• Solution providers
• Consultants
• Policymakers
• Academics
• Auditors
• Users

The 20 CIS Controls they developed stop most attacks, providing a framework for systems management and automation that will serve you well into the future. They’re free to access and widely adopted as best practice by government agencies and enterprises across the UK, EU and US.

CIS Controls, Compliance Frameworks & Regulations

The CIS Controls aren’t designed to replace existing compliance or regulatory frameworks. They’re designed to map to the regulations and compliance commitments your business needs to adhere to. They can work as a stand-alone strategy or in combination with other frameworks:

Compliance Frameworks

• NIST cyber security Framework
• NIST 800-53
• ISO 27000 series
• ITIL

Regulations

• GDPR
• PCI DSS
• HIPAA
• NERC CIP
• FISMA

CIS Controls V7

Since cyber criminals don’t stand still, experts continue to bring their knowledge to the CIS Controls, keeping them up-to-date with the ever-changing cyber threats of today.

CIS V7 was released in Mar 2018. The framework has been re-ordered and updated to include security tools and threats. Outlined in three layers, the current CIS controls comprise these components:

6 Basic CIS Controls:

1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administration Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs

10 Foundational CIS Controls:

1. Email and Web Browser Protections
2. Malware Defences
3. Limitation and Control of Network Ports, Protocols and Services
4. Data Recovery Capabilities
5. Secure Configurations for Network Devices
6. Boundary Defence
7. Data Protection
8. Controlled Access Based on the Need to Know
9. Wireless Access Control
10. Account Monitoring Control

4 Organisational CIS Controls:

1. Implement a Security Awareness and Training Program
2. Application Software Security
3. Incident Response and Management
4. Penetration Test and Red Team Exercises

Should I DIY our CIS Controls Management Process?

The CIS Controls are a great foundation for any organisation looking to strengthen its cyber security—and the resource is free to download! But implementation to harden defences against attack vectors you’re likely to encounter isn’t free. Even with the best free resources, most organisations find it a tall order to keep pace with the latest security threats and manage people, processes and associated technologies.

Often, a more cost-effective route is to seek external help from security experts rather than hiring, training and retaining your own 24/7 cyber security team. Whether fully outsourced or working in partnership with internal teams, an outsourced Security Operations Centre will help you quickly scale your security, keep pace with ever-changing threats, and ultimately make a real difference to your cyber security posture.

In the next 3 CIS articles, we dig a little deeper to help you implement as much as you can in-house and determine whether you’d be better off with any outsourced areas.