
April 3, 2019

In the closing article of our 4-part CIS series, we look into the final set of CIS controls within the framework – called “The Organisational CIS Controls”.

The CIS Security Controls framework is made up of 3 stages, and within each stage there are detailed steps in priority order. The purpose is to give organisations processes and best practices to defend against known cyber attacks.

Now we’re ready to dive into the Four Organisational CIS controls so you can get a quick grasp on how they help protect organisations like yours…

Understanding the Organisational CIS Critical Security Controls

The Organisational CIS Controls

These are slightly different in character from both the Basic and Foundational Controls – although they have many technical aspects, this final set of security controls focuses more on people and the processes involved in cyber security.

17. Security Skills Assessment and Appropriate Training to Fill Gaps

It’s easy to believe that cyber defence is primarily a technical challenge… a problem squarely on the shoulders of your IT team and partners. In reality, how your employees behave and their level of education in cyber security is every bit as important.

If you’ve read our post on the most common types of cyber attack, you’ll notice that many are focused either solely on manipulating users, or at least in part rely on human error to get a foothold on your network.

Now, nobody’s suggesting everyone from your CEO to your marketing intern needs to know the intricacies of IT security. In fact, even your CIO may not be a cyber security expert. But there are basics that everyone should know around phishing, password attacks and other common threats.

CIS control #17 helps you identify the knowledge gaps and formulate an ongoing training plan to reduce the risk of human error.

18. Application Software Security

Vulnerabilities in web-based apps and other software are an easy target for attackers. They can exploit weaknesses such as buffer overflows, SQL injection, cross-site scripting and clickjacking to take control of vulnerable machines.

To keep these kinds of attacks at bay, you need to manage the full security lifecycle of all your software. One of the most crucial aspects is ensuring only the most recent versions are in use and that all patches are properly installed.
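The SQL injection class named above is the clearest illustration of why the control insists on secure software practices rather than patching alone: the defect is in how the application builds its queries. The following added example is not from the original article or from Comtact; it uses a constructed in-memory SQLite table and compares a query built by string concatenation with the parameterised form, so the difference in behaviour on tampered input can be observed directly.

```python
import sqlite3


def make_db():
    """Build a small in-memory database (constructed sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Insecure pattern: the caller's input is spliced into the SQL text itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    """Secure pattern: a bound parameter. The driver passes the value separately,
    so whatever the input contains it can only ever be compared as data and can
    never alter the structure of the statement."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups on a benign and a tampered input and return the results."""
    conn = make_db()
    benign = "alice"
    # Classic tautology payload, used here only to show the defect, not to attack anything.
    tampered = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),
        "hardened_benign": lookup_hardened(conn, benign),
        "hardened_tampered": lookup_hardened(conn, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

On the benign input both functions return the single matching row. On the tampered input the concatenated query collapses into `WHERE username = 'x' OR '1'='1'` and returns every user, while the parameterised query simply finds no account with that literal name. Code review and static analysis rules that flag string-built SQL are the kind of lifecycle check this control asks for.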

19. Incident Response and Management

Today, security incidents are a fact of life. If you’ve not experienced one yet, the likelihood is that there’s one lurking around the next corner. Even the most well-equipped, savvy and proactive organisations fall prey to successful attacks. It’s how they respond to them that matters.

When all else fails, you need an incident response plan. You need to be able to identify, eradicate and restore your network and systems as fast as possible. It might sound rather pessimistic but done right, a well-planned incident response process drastically minimises the impact of a successful security breach. Your plan should include:

  • Defined roles
  • Training
  • Management oversight & communications plans
  • Damage containment
  • Root cause analysis

By being prepared, you minimise downtime, reputational damage, compliance issues and financial repercussions that far outweigh the cost of developing your incident response management process.

20. Penetration Tests and Red Team Exercises

Attackers are always on the lookout for ways to exploit your cyber security defences. In the case of zero-day exploits, hackers look for the gap between defensive plans and actual implementation. This is often that brief window between a vulnerability being announced and a patch being released.

This final control requires you to assess the overall strength of your defences, including the technology, processes and people.


All articles in the series:

» Overview of the top 20 CIS Critical Security Controls (Part 1): What are they?
» CIS Critical Security Controls: The 6 BASIC controls (Part 2)
» The 10 Foundational CIS Critical Security Controls (Part 3)
» Understanding the Organisational CIS Critical Security Controls (Part 4)


Should I DIY our CIS Controls Management Process?

Following the CIS controls from start to finish isn’t a finite journey. Few organisations have the budget, human resources and time required to implement the entire set of controls simultaneously.

For many organisations, a more cost-effective route is to seek external help from security experts to keep pace with the latest security threats, rather than hiring, training and retaining their own 24/7 cyber security team.

Whether fully outsourced, or working in partnership with internal teams, an outsourced Security Operations Centre will help you to quickly scale your security, keep pace with ever-changing threats – and ultimately make a real difference to your cyber security posture.


About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.