
In the closing article of our four-part CIS series, we examine the final set of CIS controls within the framework, called “The Organisational CIS Controls.”

The CIS Security Control framework consists of three stages, each with detailed steps in priority order. The purpose is to give organisations processes and best practices for defending against known cyber attacks.

Now we’re ready to dive into the four Organisational CIS Controls so you can quickly grasp how they help protect organisations like yours...

The Organisational CIS Controls

These are slightly different in character from both the Basic and Foundational Controls. Although they have many technical aspects, this final set of security controls focuses more on people and the processes involved in cyber security.


17. Security Skills Assessment and Appropriate Training to Fill Gaps

It’s easy to believe that cyber defence is primarily a technical challenge… a problem squarely on the shoulders of your IT team and partners. In reality, how your employees behave and their level of cyber security education are equally important.

If you’ve read our post on the most common types of cyber attack, you’ll notice that many either focus solely on manipulating users or at least partly rely on human error to get a foothold on your network.

Now, nobody’s suggesting everyone from your CEO to your marketing intern needs to know the intricacies of IT security. Even your CIO may not be a cyber security expert. However, everyone should know the basics of phishing, password attacks, and other common threats.

CIS control #17 helps you identify the knowledge gaps and formulate an ongoing training plan to reduce the risk of human error.

18. Application Software Security

Attackers readily target vulnerabilities in web-based apps and other software. They exploit weaknesses such as buffer overflows, SQL injection, cross-site scripting and clickjacking to take control of vulnerable machines. To prevent these kinds of attacks, you need to manage the full security lifecycle of all your software. One crucial aspect is ensuring that only the most recent versions are in use and that all patches are properly installed.

19. Incident Response and Management

Today, security incidents are a fact of life. If you’ve not experienced one yet, the likelihood is that there’s one lurking around the next corner. Even the most well-equipped, savvy and proactive organisations fall prey to successful attacks. It’s how they respond to them that matters.

When all else fails, you need an incident response plan. You need to be able to identify, eradicate and restore your network and systems as fast as possible. It might sound rather pessimistic, but done right, a well-planned incident response process drastically minimises the impact of a successful security breach. Your plan should include:

  • Defined roles
  • Training
  • Management oversight & communications plans
  • Damage containment
  • Root cause analysis

By being prepared, you minimise downtime, reputational damage, compliance issues and financial repercussions that far outweigh the cost of developing your incident response management process.

20. Penetration Tests and Red Team Exercises

Attackers are always looking for ways to get past your cyber security defences. With zero-day exploits, attackers look for the gap between defensive plans and their actual implementation: often the brief window between a vulnerability being announced and a patch being released.

This final control requires you to assess the overall strength of your defences, including the technology, processes and people.


All articles in the series:

» Overview of the top 20 CIS Critical Security Controls (Part 1): What are they?
» CIS Critical Security Controls: The 6 BASIC controls (Part 2)
» The 10 Foundational CIS Critical Security Controls (Part 3)
» Understanding the Organisational CIS Critical Security Controls (Part 4)


Should You DIY Your CIS Controls Management Process?


Implementing the CIS controls from start to finish isn’t a finite journey. Few organisations have the budget, resources and time required to implement the entire set of controls simultaneously.

For many organisations, it’s often more cost-effective to seek external help from security experts to keep pace with the latest security threats than to hire, train and retain their own 24/7 cyber security team.

Whether fully outsourced or working in partnership with internal teams, an outsourced Security Operations Centre will help you quickly scale your security, keep pace with ever-changing threats, and ultimately improve your cyber security posture.