IT Security 101: The CIS Critical Security Controls® v8.1
Introduction
It’s time for another installment of IT Security 101. Today I’ll take a look at a useful framework that an IT security pro should know: The CIS Critical Security Controls®, or simply CIS Controls®.
The Center for Internet Security (CIS) is a US nonprofit that began in 2000. Their major offerings include the CIS Controls™, CIS Benchmarks™, CIS SecureSuite™ and MS-ISAC™. Here is their mission in their own words:
“Our mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.”
Today’s topic, the CIS Critical Security Controls (formerly SANS CSC, SANS Top 20, etc.), is a framework designed to assist in developing an effective security program quickly. The controls are meant to “provide specific and actionable ways to protect against today's most pervasive and dangerous attacks.”¹ The controls are designed to align with frameworks developed by the National Institute of Standards and Technology (NIST). Look for future articles on NIST’s Special Publications (SPs) and frameworks.
I’ll try to present the information as simply as possible. There is also official training available from SANS. At the time of writing, the current version is v8.1, released on June 25, 2024. Previous versions are available.
Some personal and company info is required before the download is granted. The controls are available as a 144-page PDF user guide, or formatted as an Excel workbook. The workbook contains a sortable worksheet of the Controls that is very useful when developing an approach to align with the framework. The PDF contains a lot more detail on the history and context of the CIS Controls, as well as a useful glossary, an explanation of why the Controls are important, and general procedures and tools. I suggest utilizing both, but today I will reference only the PDF.
This article will provide a breakdown of the framework, and a brief analysis of the primary objectives. Look for future articles where I offer suggestions for processes and tools that can help align a security program with the framework.
The CIS Controls Explained
There are 18 Controls in total. Each Control contains multiple related Safeguards that describe specific tasks or goals. There are 153 Safeguards in total, and within each Control, they become more complex. They are designed to meet the needs of three organization types, based primarily on organization size, IT/security maturity and risk profile. The organization levels are referred to as the CIS Control Implementation Groups (IGs).
There are three levels (IG1, IG2, & IG3):
“An IG1 enterprise is small to medium-sized with limited IT and cybersecurity expertise to dedicate toward protecting IT assets and personnel. The principal concern of these enterprises is to keep the business operational, as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information.”²
“An IG2 enterprise employs individuals responsible for managing and protecting IT infrastructure. These enterprises support multiple departments with differing risk profiles based on job function and mission. Small enterprise units may have regulatory compliance burdens. IG2 enterprises often store and process sensitive client or enterprise information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs.”²
“An IG3 enterprise employs security experts that specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security). IG3 assets and data contain sensitive information or functions that are subject to regulatory and compliance oversight. An IG3 enterprise must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare.”²
The Safeguards within each Control are assigned to an IG. Here is a description of the Safeguards for each IG level:
IG1: “Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks.”²
IG2: “Safeguards selected for IG2 help security teams cope with increased operational complexity.”²
IG3: “Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.”²
The general idea is that an organization should align with one of the IG levels and implement the Safeguards associated with that level.
The IGs are nested. So, any Safeguards that apply to IG1 also apply to IG2. Likewise, all Safeguards that apply to IG1 and IG2 also apply to IG3. Therefore, IG1 contains the fewest (and least complex) Safeguards, whereas IG3 contains all Safeguards. IG2 falls somewhere in between. Further, all Safeguards associated with IG1 are considered “Essential Cyber Hygiene”² and should be adopted by all organizations.
There are some Safeguards that do not apply to IG1 at all, as they may be too complex or costly for that type of organization. For example, Control 1 (Inventory and Control of Enterprise Assets) is considered Essential Cyber Hygiene, so it applies to all IGs. However, AppSec is considered out of scope for IG1 organizations, so no Safeguards from Control 16 (Application Software Security) apply.
Here are some screenshots from the PDF to illustrate:
Notice that Control 1 has 5 total Safeguards, and 2/5 apply to IG1, 4/5 to IG2 and 5/5 to IG3. Control 16, on the other hand, has 14 Safeguards: 0/14 apply to IG1, 11/14 to IG2, and 14/14 to IG3.
The number of Safeguards varies between Controls. Every Safeguard is also categorized by two fields:
Asset Type: Devices, Software, Data, Users, Network, Documentation
Security Function: Identify, Detect, Respond, Protect, Recover, Govern
Asset Type refers to the objects in scope for the Safeguard. Security Function refers to what the Safeguard accomplishes in a general sense, and aligns with language found in the NIST CSF and NIST SP 800-61. Watch for future articles on the topic of NIST Special Publications (SPs) and frameworks.
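Because the IGs nest and every Safeguard carries an Asset Type and a Security Function, the workbook is easy to model in a few lines of code, which is handy when you want to answer questions like “what do we add when moving from IG1 to IG2?” without re-sorting the spreadsheet. The following is an added example of mine, not code from the article or from CIS. It loads Controls 1 and 16 (the two the article contrasts); the titles, Asset Types and Security Functions are from the v8.1 listing, but the minimum-IG column is my reading of the v8.1 workbook and is an assumption you should verify against the workbook before relying on it.

```python
from collections import Counter
from dataclasses import dataclass

# Nesting order of the Implementation Groups: IG1 is a subset of IG2, which is a subset of IG3
IG_RANK = {"IG1": 1, "IG2": 2, "IG3": 3}


@dataclass(frozen=True)
class Safeguard:
    id: str                 # e.g. "1.1"; the part before the dot is the Control number
    title: str
    asset_type: str         # Devices, Software, Data, Users, Network, Documentation
    security_function: str  # Identify, Detect, Respond, Protect, Recover, Govern
    min_ig: str             # lowest IG the Safeguard is assigned to

    @property
    def control(self) -> str:
        return self.id.split(".")[0]

    def applies_to(self, ig: str) -> bool:
        # Because the IGs nest, a Safeguard assigned to IGn also applies to every higher IG.
        return IG_RANK[ig] >= IG_RANK[self.min_ig]


# Sample covering Controls 1 and 16. Titles, asset types and security functions follow
# the v8.1 listing; the min_ig column is an ASSUMPTION from my reading of the v8.1
# workbook and must be checked against the workbook before real use.
_ROWS = [
    ("1.1", "Establish and Maintain Detailed Enterprise Asset Inventory", "Devices", "Identify", "IG1"),
    ("1.2", "Address Unauthorized Assets", "Devices", "Respond", "IG1"),
    ("1.3", "Utilize an Active Discovery Tool", "Devices", "Detect", "IG2"),
    ("1.4", "Use DHCP Logging to Update Enterprise Asset Inventory", "Devices", "Identify", "IG2"),
    ("1.5", "Use a Passive Asset Discovery Tool", "Devices", "Detect", "IG3"),
    ("16.1", "Establish and Maintain a Secure Application Development Process", "Documentation", "Govern", "IG2"),
    ("16.2", "Establish and Maintain a Process to Accept and Address Software Vulnerabilities", "Documentation", "Govern", "IG2"),
    ("16.3", "Perform Root Cause Analysis on Security Vulnerabilities", "Software", "Protect", "IG2"),
    ("16.4", "Establish and Manage an Inventory of Third-Party Software Components", "Software", "Identify", "IG2"),
    ("16.5", "Use Up-to-Date and Trusted Third-Party Software Components", "Software", "Protect", "IG2"),
    ("16.6", "Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities", "Documentation", "Govern", "IG2"),
    ("16.7", "Use Standard Hardening Configuration Templates for Application Infrastructure", "Software", "Protect", "IG2"),
    ("16.8", "Separate Production and Non-Production Systems", "Network", "Protect", "IG2"),
    ("16.9", "Train Developers in Application Security Concepts and Secure Coding", "Users", "Protect", "IG2"),
    ("16.10", "Apply Secure Design Principles in Application Architectures", "Software", "Protect", "IG2"),
    ("16.11", "Leverage Vetted Modules or Services for Application Security Components", "Software", "Identify", "IG2"),
    ("16.12", "Implement Code-Level Security Checks", "Software", "Protect", "IG3"),
    ("16.13", "Conduct Application Penetration Testing", "Software", "Detect", "IG3"),
    ("16.14", "Conduct Threat Modeling", "Software", "Protect", "IG3"),
]
SAFEGUARDS = [Safeguard(*row) for row in _ROWS]


def coverage(control: str, safeguards=SAFEGUARDS) -> dict:
    """Per-IG (applies, total) counts for one Control, e.g. {'IG1': (2, 5), ...}."""
    rows = [s for s in safeguards if s.control == control]
    return {ig: (sum(s.applies_to(ig) for s in rows), len(rows)) for ig in IG_RANK}


def gap(current_ig: str, target_ig: str, safeguards=SAFEGUARDS) -> list:
    """Safeguard IDs an enterprise must add when moving from current_ig up to target_ig."""
    return [s.id for s in safeguards
            if s.applies_to(target_ig) and not s.applies_to(current_ig)]


def by_function(ig: str, safeguards=SAFEGUARDS) -> Counter:
    """How many in-scope Safeguards fall under each Security Function at a given IG."""
    return Counter(s.security_function for s in safeguards if s.applies_to(ig))


if __name__ == "__main__":
    for control in ("1", "16"):
        print(f"Control {control}:", coverage(control))
    print("IG1 -> IG2 adds:", gap("IG1", "IG2"))
    print("IG1 by function:", dict(by_function("IG1")))
```

The `coverage` output for Controls 1 and 16 reproduces the 2/5, 4/5, 5/5 and 0/14, 11/14, 14/14 figures from the screenshots, which is a cheap way to confirm your own transcription of the workbook before you build a gap analysis on it.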
Here are the 18 controls and their total number of Safeguards:
Control 1 | Inventory and Control of Enterprise Assets | 5 Safeguards
Control 2 | Inventory and Control of Software Assets | 7 Safeguards
Control 3 | Data Protection | 14 Safeguards
Control 4 | Secure Configuration of Enterprise Assets and Software | 12 Safeguards
Control 5 | Account Management | 6 Safeguards
Control 6 | Access Control Management | 8 Safeguards
Control 7 | Continuous Vulnerability Management | 7 Safeguards
Control 8 | Audit Log Management | 12 Safeguards
Control 9 | Email and Web Browser Protections | 7 Safeguards
Control 10 | Malware Defenses | 7 Safeguards
Control 11 | Data Recovery | 5 Safeguards
Control 12 | Network Infrastructure Management | 8 Safeguards
Control 13 | Network Monitoring and Defense | 11 Safeguards
Control 14 | Security Awareness and Skills Training | 9 Safeguards
Control 15 | Service Provider Management | 7 Safeguards
Control 16 | Application Software Security | 14 Safeguards
Control 17 | Incident Response Management | 9 Safeguards
Control 18 | Penetration Testing | 5 Safeguards
The CIS Controls Analyzed
Implementing the controls should be approached holistically, after reviewing the list in its entirety. There may be Safeguards that can be addressed with a single technical control or administrative process, so be aware of them all before making decisions.
There are ways to achieve compliance cheaply, or by deploying the latest high-end security products. That is a business decision that must take into account staff abilities and willingness, budgetary constraints, and regulatory requirements. The first obstacle to overcome is convincing those who make budgetary decisions that this is an important activity, but that is beyond the scope of this article.
In my experience when it comes to addressing the Safeguards, the focus is often on technical control selection. It should be understood that technical and administrative controls are both required for an effective strategy. New policies and processes may need to be introduced and enforced to guarantee compliance with any goals that technical controls aim to accomplish, and additional staff training may be required. Documentation is invaluable.
Consider the changes being introduced, and ensure that the controls themselves are implemented securely. For example, many of the Safeguards focus on creating central repositories for information related to systems, accounts, connections and data. Keep in mind that this information is sensitive and should be protected. Think about Safeguards 5.1 and 5.5, which require establishing an inventory of user and service accounts respectively, and now consider the risk of centralizing such data. Or, even worse, imagine what would happen if a malicious actor were to get their hands on the list generated from Safeguard 3.2, which calls for a centralized inventory of sensitive data.
I will now provide a brief overview of each Control and list its Safeguards. Look for future articles on common tools and practices that can assist organizations with achieving compliance.
Control 1 | Inventory and Control of Enterprise Assets
Safeguards: 5 | IG1: 2/5 | IG2: 4/5 | IG3: 5/5
C1 focuses on identifying device assets, managing their authorization, and cataloging them. This includes addressing unauthorized devices through preventive technical controls to block or quarantine them from the network. The scope should include on-prem, cloud and VPN-connected networks.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | Devices | Identify | IG1 IG2 IG3
1.2 | Address Unauthorized Assets | Devices | Respond | IG1 IG2 IG3
1.3 | Utilize an Active Discovery Tool | Devices | Detect | IG1 IG2 IG3
1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | Devices | Identify | IG1 IG2 IG3
1.5 | Use a Passive Asset Discovery Tool | Devices | Detect | IG1 IG2 IG3
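Safeguards 1.4 and 1.2 fit together naturally: DHCP server logs tell you which devices actually obtained an address, and anything that obtained one without being in the inventory is exactly what 1.2 asks you to address. The snippet below is an added example of mine, not code from the article or from CIS. It parses constructed ISC dhcpd-style syslog lines (the MAC addresses, hostnames and inventory are made up), updates the inventory record for known devices with their current address, and reports unknown MACs so they can be fed into the organization’s 1.2 process rather than silently added to the inventory.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# ISC dhcpd-style syslog lines. Constructed sample, not captured traffic.
SAMPLE_LOG = """\
Jun 25 09:01:12 dhcp1 dhcpd[812]: DHCPACK on 10.10.20.31 to 3c:52:82:aa:bb:01 (fin-laptop-07) via eth0
Jun 25 09:02:45 dhcp1 dhcpd[812]: DHCPACK on 10.10.20.44 to 00:1a:2b:aa:bb:02 (printer-2f) via eth0
Jun 25 09:05:03 dhcp1 dhcpd[812]: DHCPDISCOVER from 8c:16:45:aa:bb:03 via eth0
Jun 25 09:05:04 dhcp1 dhcpd[812]: DHCPACK on 10.10.20.90 to 8c:16:45:aa:bb:03 via eth0
Jun 25 09:07:19 dhcp1 dhcpd[812]: DHCPACK on 10.10.20.35 to 3c:52:82:aa:bb:01 (fin-laptop-07) via eth0
"""

# The enterprise asset inventory (Safeguard 1.1), keyed by MAC address. Constructed sample.
INVENTORY = {
    "3c:52:82:aa:bb:01": {"asset": "fin-laptop-07", "owner": "Finance"},
    "00:1a:2b:aa:bb:02": {"asset": "printer-2f", "owner": "Facilities"},
}

# Only DHCPACK lines matter: they record that an address was actually handed out.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ dhcpd\[\d+\]: DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$",
    re.IGNORECASE,
)


@dataclass
class Lease:
    mac: str
    ip: str
    host: Optional[str]   # client-supplied hostname; absent from some ACKs
    iface: str
    last_seen: str        # raw syslog timestamp


def parse_acks(log_text: str) -> Dict[str, Lease]:
    """Latest DHCPACK per MAC; DISCOVER/OFFER/REQUEST and unrelated lines are ignored."""
    leases: Dict[str, Lease] = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()
        leases[mac] = Lease(mac, m["ip"], m["host"], m["iface"], m["ts"])
    return leases


def reconcile(leases: Dict[str, Lease], inventory: Dict[str, dict]):
    """Split leases into inventory updates (known MACs) and unauthorized devices (unknown MACs)."""
    updates = {}
    unauthorized = []
    for mac, lease in leases.items():
        if mac in inventory:
            # Known asset: refresh its address and last-seen time in the inventory (Safeguard 1.4)
            updates[mac] = {**inventory[mac], "ip": lease.ip, "last_seen": lease.last_seen}
        else:
            # Unknown asset: hand to the Safeguard 1.2 process (ticket, quarantine VLAN);
            # never auto-add it to the inventory, or the inventory stops meaning "authorized"
            unauthorized.append(lease)
    return updates, unauthorized


if __name__ == "__main__":
    upd, unauth = reconcile(parse_acks(SAMPLE_LOG), INVENTORY)
    for mac, rec in upd.items():
        print(f"update  {mac} {rec['asset']:<14} now {rec['ip']} (seen {rec['last_seen']})")
    for lease in unauth:
        print(f"UNAUTH  {lease.mac} {lease.ip} host={lease.host or '-'} via {lease.iface}")
```

Note that the client-supplied hostname is informational only; the reconciliation keys on the MAC address, and even that can be spoofed, which is why the article treats DHCP logging as a way to keep the inventory current, while blocking or quarantining remains the job of the preventive controls it mentions.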
Control 2 | Inventory and Control of Software Assets
Safeguards: 7 | IG1: 3/7 | IG2: 6/7 | IG3: 7/7
C2 focuses on identifying software assets, managing their authorization, and cataloging them. This includes addressing unauthorized software through preventive technical controls to block installation and execution.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
2.1 | Establish and Maintain a Software Inventory | Software | Identify | IG1 IG2 IG3
2.2 | Ensure Authorized Software is Currently Supported | Software | Identify | IG1 IG2 IG3
2.3 | Address Unauthorized Software | Software | Respond | IG1 IG2 IG3
2.4 | Utilize Automated Software Inventory Tools | Software | Detect | IG1 IG2 IG3
2.5 | Allowlist Authorized Software | Software | Protect | IG1 IG2 IG3
2.6 | Allowlist Authorized Libraries | Software | Protect | IG1 IG2 IG3
2.7 | Allowlist Authorized Scripts | Software | Protect | IG1 IG2 IG3
Control 3 | Data Protection
Safeguards: 14 | IG1: 6/14 | IG2: 12/14 | IG3: 14/14
C3 focuses on data confidentiality (one of the CIA Triad’s points - watch for future articles on this topic.) It prescribes “controls to identify, classify, securely handle, retain, and dispose of data”². This includes deploying technical controls to enforce encryption for data at rest and in transit, and to address unauthorized disclosure. Data should be identified and categorized so that appropriate controls can be put into place.
The primary goal is to protect data deemed critical by the organization, which could be based on many factors, including its type, its value to the business, and any regulations or laws that govern it. For this to be effective, the first two Safeguards (3.1 and 3.2) are critical steps, or data may be missed or misidentified.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
3.1 | Establish and Maintain a Data Management Process | Data | Govern | IG1 IG2 IG3
3.2 | Establish and Maintain a Data Inventory | Data | Identify | IG1 IG2 IG3
3.3 | Configure Data Access Control Lists | Data | Protect | IG1 IG2 IG3
3.4 | Enforce Data Retention | Data | Protect | IG1 IG2 IG3
3.5 | Securely Dispose of Data | Data | Protect | IG1 IG2 IG3
3.6 | Encrypt Data on End-User Devices | Data | Protect | IG1 IG2 IG3
3.7 | Establish and Maintain a Data Classification Scheme | Data | Identify | IG1 IG2 IG3
3.8 | Document Data Flows | Data | Identify | IG1 IG2 IG3
3.9 | Encrypt Data on Removable Media | Data | Protect | IG1 IG2 IG3
3.10 | Encrypt Sensitive Data in Transit | Data | Protect | IG1 IG2 IG3
3.11 | Encrypt Sensitive Data at Rest | Data | Protect | IG1 IG2 IG3
3.12 | Segment Data Processing and Storage Based on Sensitivity | Data | Protect | IG1 IG2 IG3
3.13 | Deploy a Data Loss Prevention Solution | Data | Protect | IG1 IG2 IG3
3.14 | Log Sensitive Data Access | Data | Detect | IG1 IG2 IG3
Control 4 | Secure Configuration of Enterprise Assets and Software
Safeguards: 12 | IG1: 7/12 | IG2: 11/12 | IG3: 12/12
C4 focuses on secure configuration of both device and software assets. This includes hardening and baselining devices and operating systems, and configuring client firewalls. It is a good practice to close gaps before systems are ever introduced into the environment.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
4.1 | Establish and Maintain a Secure Configuration Process | Documentation | Govern | IG1 IG2 IG3
4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | Documentation | Govern | IG1 IG2 IG3
4.3 | Configure Automatic Session Locking on Enterprise Assets | Devices | Protect | IG1 IG2 IG3
4.4 | Implement and Manage a Firewall on Servers | Devices | Protect | IG1 IG2 IG3
4.5 | Implement and Manage a Firewall on End-User Devices | Devices | Protect | IG1 IG2 IG3
4.6 | Securely Manage Enterprise Assets and Software | Devices | Protect | IG1 IG2 IG3
4.7 | Manage Default Accounts on Enterprise Assets and Software | Users | Protect | IG1 IG2 IG3
4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | Devices | Protect | IG1 IG2 IG3
4.9 | Configure Trusted DNS Servers on Enterprise Assets | Devices | Protect | IG1 IG2 IG3
4.10 | Enforce Automatic Device Lockout on Portable End-User Devices | Devices | Protect | IG1 IG2 IG3
4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | Devices | Protect | IG1 IG2 IG3
4.12 | Separate Enterprise Workspaces on Mobile End-User Devices | Devices | Protect | IG1 IG2 IG3
Control 5 | Account Management
Safeguards: 6 | IG1: 4/6 | IG2: 6/6 | IG3: 6/6
C5 focuses on identifying, cataloging and managing user and service accounts.
The identification of service accounts can be challenging. Quite often accounts are spun up for test or dev and are not removed when no longer required, accounts may have nondescript or misleading names, and there may be a general lack of documentation. This is another area that highlights the importance of the identification processes in Controls 1, 2 and 3. The data gathered from those activities can assist with identifying service accounts.
Control 5 also contains Safeguards that prescribe unique passwords, and minimum password length requirements of 8 for MFA protected accounts, and 14 for those without MFA (MFA is addressed in Control 6). There is also a Safeguard to disable dormant accounts, and to remove/reduce administrative privileges.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
5.1 | Establish and Maintain an Inventory of Accounts | Users | Identify | IG1 IG2 IG3
5.2 | Use Unique Passwords | Users | Protect | IG1 IG2 IG3
5.3 | Disable Dormant Accounts | Users | Protect | IG1 IG2 IG3
5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | Users | Protect | IG1 IG2 IG3
5.5 | Establish and Maintain an Inventory of Service Accounts | Users | Identify | IG1 IG2 IG3
5.6 | Centralize Account Management | Users | Govern | IG1 IG2 IG3
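Once the account inventory from 5.1 and 5.5 exists, several of the Control 5 and 6 Safeguards reduce to simple checks over it. The following is an added example of mine, not code from the article or from CIS, run over a constructed account export (names, dates and ownership are made up). It flags dormant accounts (5.3), service accounts with no documented owner or purpose (the gap the paragraph above describes), accounts whose required minimum password length by MFA status exceeds what the enforced policy actually delivers (the 8/14 lengths from 5.2), and administrative accounts without MFA (6.5). The 45-day dormancy threshold is an assumed parameter, not something the article states; set it to your own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed dormancy threshold in days; replace with the organization's own policy value.
DORMANT_AFTER_DAYS = 45
# Date the sample report is run "as of" (constructed).
AS_OF = date(2024, 6, 25)


@dataclass
class Account:
    name: str
    kind: str                   # "user" or "service"
    mfa: bool                   # MFA enforced for this account
    privileged: bool            # administrative rights
    last_logon: Optional[date]  # None = never logged on
    owner: str = ""             # accountable person/team (5.5 wants this for service accounts)
    purpose: str = ""           # what the account exists for


def required_min_password_length(mfa: bool) -> int:
    """Minimum length the article gives for Safeguard 5.2: 8 with MFA, 14 without."""
    return 8 if mfa else 14


def dormant(accounts: List[Account], today: date, days: int = DORMANT_AFTER_DAYS) -> List[str]:
    """Safeguard 5.3: accounts with no logon inside the threshold, or no logon ever."""
    cutoff = today - timedelta(days=days)
    return [a.name for a in accounts if a.last_logon is None or a.last_logon < cutoff]


def undocumented_service_accounts(accounts: List[Account]) -> List[str]:
    """Safeguard 5.5: service accounts whose inventory entry lacks an owner or a purpose."""
    return [a.name for a in accounts if a.kind == "service" and not (a.owner and a.purpose)]


def password_policy_gaps(accounts: List[Account], policy_min_length: int) -> List[str]:
    """Accounts whose required minimum length (by MFA status) exceeds the enforced policy."""
    return [a.name for a in accounts if required_min_password_length(a.mfa) > policy_min_length]


def privileged_without_mfa(accounts: List[Account]) -> List[str]:
    """Safeguard 6.5: administrative access must be protected by MFA."""
    return [a.name for a in accounts if a.privileged and not a.mfa]


# Constructed sample inventory; nothing here is a real account.
SAMPLE_ACCOUNTS = [
    Account("j.doe", "user", True, False, date(2024, 6, 20), "HR", "staff"),
    Account("adm-jdoe", "user", True, True, date(2024, 6, 24), "HR", "admin duties"),
    Account("t.contractor", "user", False, False, date(2024, 3, 1), "Ops", "contract dev"),
    Account("svc_backup", "service", False, False, date(2024, 6, 25), "Infra", "nightly backups"),
    Account("svc_test2", "service", False, True, None),  # leftover test account, undocumented
    Account("app_x_ro", "service", False, False, date(2024, 6, 1), "", "read-only reporting"),
]


def hygiene_report(accounts: List[Account], today: date, policy_min_length: int) -> dict:
    """One pass over the inventory producing a finding list per check."""
    return {
        "dormant": dormant(accounts, today),
        "undocumented_service": undocumented_service_accounts(accounts),
        "password_policy_gaps": password_policy_gaps(accounts, policy_min_length),
        "privileged_without_mfa": privileged_without_mfa(accounts),
    }


if __name__ == "__main__":
    # An enforced minimum of 12 characters is fine for MFA accounts but short for the rest.
    for finding, names in hygiene_report(SAMPLE_ACCOUNTS, AS_OF, 12).items():
        print(f"{finding:<24} {names}")
```

The report is only as good as the inventory behind it, which brings the paragraph on centralized inventories back into play: the export this runs over lists every privileged account and its MFA status, so it deserves the same protection as the data it helps secure.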
Control 6 | Access Control Management
Safeguards: 8 | IG1: 5/8 | IG2: 7/8 | IG3: 8/8
This Control and its Safeguards focus on the creation and revocation of accounts, the enforcement of MFA, and the management of account access, ideally through centralization. This is a continuation of Control 5, which set the groundwork.
Notice that MFA is considered Essential Cyber Hygiene here, with 3/8 Safeguards specifying it for different types of accounts. That highlights the importance of it.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
6.1 | Establish an Access Granting Process | Documentation | Govern | IG1 IG2 IG3
6.2 | Establish an Access Revoking Process | Documentation | Govern | IG1 IG2 IG3
6.3 | Require MFA for Externally-Exposed Applications | Users | Protect | IG1 IG2 IG3
6.4 | Require MFA for Remote Network Access | Users | Protect | IG1 IG2 IG3
6.5 | Require MFA for Administrative Access | Users | Protect | IG1 IG2 IG3
6.6 | Establish and Maintain an Inventory of Authentication and Authorization Systems | Software | Identify | IG1 IG2 IG3
6.7 | Centralize Access Control | Users | Protect | IG1 IG2 IG3
6.8 | Define and Maintain Role-Based Access Control | Users | Govern | IG1 IG2 IG3
Control 7 | Continuous Vulnerability Management
Safeguards: 7 | IG1: 4/7 | IG2: 7/7 | IG3: 7/7
C7 focuses on vulnerability and patch management. This includes development of an overall management process to identify, remediate and track vulnerabilities. It considers vulnerability scanning to be out of scope for IG1, but patch management is Essential Cyber Hygiene.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
7.1 | Establish and Maintain a Vulnerability Management Process | Documentation | Govern | IG1 IG2 IG3
7.2 | Establish and Maintain a Remediation Process | Documentation | Govern | IG1 IG2 IG3
7.3 | Perform Automated Operating System Patch Management | Software | Protect | IG1 IG2 IG3
7.4 | Perform Automated Application Patch Management | Software | Protect | IG1 IG2 IG3
7.5 | Perform Automated Vulnerability Scans of Internal Enterprise Assets | Software | Identify | IG1 IG2 IG3
7.6 | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | Software | Identify | IG1 IG2 IG3
7.7 | Remediate Detected Vulnerabilities | Software | Respond | IG1 IG2 IG3
Control 8 | Audit Log Management
Safeguards: 12 | IG1: 3/12 | IG2: 11/12 | IG3: 12/12
C8 focuses on the collection of logs to support alerting and incident response activities. It specifies that a process should be in place to manage logs, and names specific logs to collect. It also dictates a minimum log retention of 90 days, and log reviews weekly or more often.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
8.1 | Establish and Maintain an Audit Log Management Process | Documentation | Govern | IG1 IG2 IG3
8.2 | Collect Audit Logs | Data | Detect | IG1 IG2 IG3
8.3 | Ensure Adequate Audit Log Storage | Data | Protect | IG1 IG2 IG3
8.4 | Standardize Time Synchronization | Data | Protect | IG1 IG2 IG3
8.5 | Collect Detailed Audit Logs | Data | Detect | IG1 IG2 IG3
8.6 | Collect DNS Query Audit Logs | Data | Detect | IG1 IG2 IG3
8.7 | Collect URL Request Audit Logs | Data | Detect | IG1 IG2 IG3
8.8 | Collect Command-Line Audit Logs | Data | Detect | IG1 IG2 IG3
8.9 | Centralize Audit Logs | Data | Detect | IG1 IG2 IG3
8.10 | Retain Audit Logs | Data | Protect | IG1 IG2 IG3
8.11 | Conduct Audit Log Reviews | Data | Detect | IG1 IG2 IG3
8.12 | Collect Service Provider Logs | Data | Detect | IG1 IG2 IG3
Control 9 | Email and Web Browser Protections
Safeguards: 7 | IG1: 2/7 | IG2: 6/7 | IG3: 7/7
C9 focuses on protecting against threats from email and the Web, including mostly technical controls to identify, prevent and remediate threats.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | Software | Protect | IG1 IG2 IG3
9.2 | Use DNS Filtering Services | Devices | Protect | IG1 IG2 IG3
9.3 | Maintain and Enforce Network-Based URL Filters | Network | Protect | IG1 IG2 IG3
9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | Software | Protect | IG1 IG2 IG3
9.5 | Implement DMARC | Network | Protect | IG1 IG2 IG3
9.6 | Block Unnecessary File Types | Network | Protect | IG1 IG2 IG3
9.7 | Deploy and Maintain Email Server Anti-Malware Protections | Network | Protect | IG1 IG2 IG3
Control 10 | Malware Defenses
Safeguards: 7 | IG1: 3/7 | IG2: 7/7 | IG3: 7/7
C10 is focused on anti-malware, including mostly technical controls to detect, prevent and remediate malware on endpoints.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
10.1 | Deploy and Maintain Anti-Malware Software | Devices | Detect | IG1 IG2 IG3
10.2 | Configure Automatic Anti-Malware Signature Updates | Devices | Protect | IG1 IG2 IG3
10.3 | Disable Autorun and Autoplay for Removable Media | Devices | Protect | IG1 IG2 IG3
10.4 | Configure Automatic Anti-Malware Scanning of Removable Media | Devices | Detect | IG1 IG2 IG3
10.5 | Enable Anti-Exploitation Features | Devices | Protect | IG1 IG2 IG3
10.6 | Centrally Manage Anti-Malware Software | Devices | Protect | IG1 IG2 IG3
10.7 | Use Behavior-Based Anti-Malware Software | Devices | Detect | IG1 IG2 IG3
Control 11 | Data Recovery
Safeguards: 5 | IG1: 4/5 | IG2: 5/5 | IG3: 5/5
C11 is focused on ensuring the ability to recover data in the case of an incident (a good one for I & A of the CIA Triad - again, more on that in the future). It includes the creation of an overall plan, the automation of backups, the protection of recovery data, and the testing of data to validate processes and data integrity. This is almost entirely Essential Cyber Hygiene.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
11.1 | Establish and Maintain a Data Recovery Process | Documentation | Govern | IG1 IG2 IG3
11.2 | Perform Automated Backups | Data | Recover | IG1 IG2 IG3
11.3 | Protect Recovery Data | Data | Protect | IG1 IG2 IG3
11.4 | Establish and Maintain an Isolated Instance of Recovery Data | Data | Recover | IG1 IG2 IG3
11.5 | Test Data Recovery | Data | Recover | IG1 IG2 IG3
Control 12 | Network Infrastructure Management
Safeguards: 8 | IG1: 1/8 | IG2: 7/8 | IG3: 8/8
C12 is focused on protecting network devices through software/firmware updates, secure network design, secure channel communication, network diagram development, implementation of centralized Authentication, Authorization, and Auditing (AAA), utilizing VPNs, and segregating administrative access.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
12.1 | Ensure Network Infrastructure is Up-to-Date | Network | Protect | IG1 IG2 IG3
12.2 | Establish and Maintain a Secure Network Architecture | Network | Protect | IG1 IG2 IG3
12.3 | Securely Manage Network Infrastructure | Network | Protect | IG1 IG2 IG3
12.4 | Establish and Maintain Architecture Diagram(s) | Documentation | Govern | IG1 IG2 IG3
12.5 | Centralize Network Authentication, Authorization, and Auditing (AAA) | Network | Protect | IG1 IG2 IG3
12.6 | Use of Secure Network Management and Communication Protocols | Devices | Protect | IG1 IG2 IG3
12.7 | Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure | Devices | Protect | IG1 IG2 IG3
12.8 | Establish and Maintain Dedicated Computing Resources for All Administrative Work | Devices | Protect | IG1 IG2 IG3
Control 13 | Network Monitoring and Defense
Safeguards: 11 | IG1: 0/11 | IG2: 6/11 | IG3: 11/11
C13 is focused on protecting the entire network through both administrative and technical controls. IG1 has no Safeguards assigned, but that does not mean that meeting the requirements is unattainable. Safeguards include network-based and host-based IDS/IPS, centralized event alerting, mobile device management, and stricter network access control techniques.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
13.1 | Centralize Security Event Alerting | Network | Detect | IG1 IG2 IG3
13.2 | Deploy a Host-Based Intrusion Detection Solution | Devices | Detect | IG1 IG2 IG3
13.3 | Deploy a Network Intrusion Detection Solution | Network | Detect | IG1 IG2 IG3
13.4 | Perform Traffic Filtering Between Network Segments | Network | Protect | IG1 IG2 IG3
13.5 | Manage Access Control for Remote Assets | Devices | Protect | IG1 IG2 IG3
13.6 | Collect Network Traffic Flow Logs | Network | Detect | IG1 IG2 IG3
13.7 | Deploy a Host-Based Intrusion Prevention Solution | Devices | Protect | IG1 IG2 IG3
13.8 | Deploy a Network Intrusion Prevention Solution | Network | Protect | IG1 IG2 IG3
13.9 | Deploy Port-Level Access Control | Network | Protect | IG1 IG2 IG3
13.10 | Perform Application Layer Filtering | Network | Protect | IG1 IG2 IG3
13.11 | Tune Security Event Alerting Thresholds | Network | Detect | IG1 IG2 IG3
Control 14 | Security Awareness and Skills Training
Safeguards: 9 | IG1: 8/9 | IG2: 9/9 | IG3: 9/9
C14 is focused on ensuring users are trained in security best practices, and identification of common threats. Each Safeguard is essentially a specific subject on which users should be trained, except 14.1 which dictates the establishment of an awareness program, and 14.9 which prescribes role-specific training. This is almost entirely Essential Cyber Hygiene.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
14.1 | Establish and Maintain a Security Awareness Program | Documentation | Govern | IG1 IG2 IG3
14.2 | Train Workforce Members to Recognize Social Engineering Attacks | Users | Protect | IG1 IG2 IG3
14.3 | Train Workforce Members on Authentication Best Practices | Users | Protect | IG1 IG2 IG3
14.4 | Train Workforce on Data Handling Best Practices | Users | Protect | IG1 IG2 IG3
14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | Users | Protect | IG1 IG2 IG3
14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | Users | Protect | IG1 IG2 IG3
14.7 | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates | Users | Protect | IG1 IG2 IG3
14.8 | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | Users | Protect | IG1 IG2 IG3
14.9 | Conduct Role-Specific Security Awareness and Skills Training | Users | Protect | IG1 IG2 IG3
Control 15 | Service Provider Management
Safeguards: 7 | IG1: 1/7 | IG2: 4/7 | IG3: 7/7
C15 focuses on identifying, classifying, assessing, monitoring, selecting and decommissioning service providers.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
15.1 | Establish and Maintain an Inventory of Service Providers | Users | Identify | IG1 IG2 IG3
15.2 | Establish and Maintain a Service Provider Management Policy | Documentation | Govern | IG1 IG2 IG3
15.3 | Classify Service Providers | Users | Govern | IG1 IG2 IG3
15.4 | Ensure Service Provider Contracts Include Security Requirements | Documentation | Govern | IG1 IG2 IG3
15.5 | Assess Service Providers | Users | Govern | IG1 IG2 IG3
15.6 | Monitor Service Providers | Data | Govern | IG1 IG2 IG3
15.7 | Securely Decommission Service Providers | Data | Protect | IG1 IG2 IG3
Control 16 | Application Software Security
Safeguards: 14 | IG1: 0/14 | IG2: 11/14 | IG3: 14/14
C16 focuses on the security of internally-developed applications and the best practices for developing them.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
16.1 | Establish and Maintain a Secure Application Development Process | Documentation | Govern | IG1 IG2 IG3
16.2 | Establish and Maintain a Process to Accept and Address Software Vulnerabilities | Documentation | Govern | IG1 IG2 IG3
16.3 | Perform Root Cause Analysis on Security Vulnerabilities | Software | Protect | IG1 IG2 IG3
16.4 | Establish and Manage an Inventory of Third-Party Software Components | Software | Identify | IG1 IG2 IG3
16.5 | Use Up-to-Date and Trusted Third-Party Software Components | Software | Protect | IG1 IG2 IG3
16.6 | Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities | Documentation | Govern | IG1 IG2 IG3
16.7 | Use Standard Hardening Configuration Templates for Application Infrastructure | Software | Protect | IG1 IG2 IG3
16.8 | Separate Production and Non-Production Systems | Network | Protect | IG1 IG2 IG3
16.9 | Train Developers in Application Security Concepts and Secure Coding | Users | Protect | IG1 IG2 IG3
16.10 | Apply Secure Design Principles in Application Architectures | Software | Protect | IG1 IG2 IG3
16.11 | Leverage Vetted Modules or Services for Application Security Components | Software | Identify | IG1 IG2 IG3
16.12 | Implement Code-Level Security Checks | Software | Protect | IG1 IG2 IG3
16.13 | Conduct Application Penetration Testing | Software | Detect | IG1 IG2 IG3
16.14 | Conduct Threat Modeling | Software | Protect | IG1 IG2 IG3
Control 17 | Incident Response Management
Safeguards: 9 | IG1: 3/9 | IG2: 8/9 | IG3: 9/9
C17 focuses on developing, testing, reviewing and baselining incident response plans.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
17.1 | Designate Personnel to Manage Incident Handling | Users | Respond | IG1 IG2 IG3
17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | Documentation | Govern | IG1 IG2 IG3
17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | Documentation | Govern | IG1 IG2 IG3
17.4 | Establish and Maintain an Incident Response Process | Documentation | Govern | IG1 IG2 IG3
17.5 | Assign Key Roles and Responsibilities | Users | Respond | IG1 IG2 IG3
17.6 | Define Mechanisms for Communicating During Incident Response | Users | Respond | IG1 IG2 IG3
17.7 | Conduct Routine Incident Response Exercises | Users | Recover | IG1 IG2 IG3
17.8 | Conduct Post-Incident Reviews | Users | Recover | IG1 IG2 IG3
17.9 | Establish and Maintain Security Incident Thresholds | Documentation | Recover | IG1 IG2 IG3
Control 18 | Penetration Testing
Safeguards: 5 | IG1: 0/5 | IG2: 3/5 | IG3: 5/5
C18 focuses on conducting penetration tests, remediating test findings, and validating security afterwards.
ID | Safeguard | Asset Type | Security Function | Implementation Groups
18.1 | Establish and Maintain a Penetration Testing Program | Documentation | Govern | IG1 IG2 IG3
18.2 | Perform Periodic External Penetration Tests | Network | Detect | IG1 IG2 IG3
18.3 | Remediate Penetration Test Findings | Network | Protect | IG1 IG2 IG3
18.4 | Validate Security Measures | Network | Protect | IG1 IG2 IG3
18.5 | Perform Periodic Internal Penetration Tests | Network | Detect | IG1 IG2 IG3
Conclusion
The CIS Controls® comprise a solid framework from which an organization can develop a more robust approach to implementing effective security. Again, I recommend reading through the full user guide, and taking a look at the Excel document. Aligning with the framework is not about ticking boxes or stepping through the list one-by-one. It should be used as a general guide to ensure best practices are met for an organization’s specific needs and requirements. The logical starting point is for all organizations to ensure they have addressed their essential cyber hygiene.
Look for future articles where I will suggest processes and tools organizations can use to enhance their security program in alignment with the framework, and some insights into potential challenges that I have discovered in my experience.
Daily Cuppa
Today’s cuppa is a very well-deserved Mandarin Mint Mindfulness™ provided by Yogi®.
Organic and Fair Trade. A bright and minty aroma and flavor for a calm body and clear mind. Today with a nice hefty splash of soy milk for a comforting creaminess.
¹SANS Institute Blog - “CIS Controls v8”
https://www.sans.org/blog/cis-controls-v8/
²CIS Critical Security Controls® v8.1
https://learn.cisecurity.org/cis-controls-download
Any text or images taken directly from the control documents provided by CIS are covered by the Creative Commons License.
If you enjoy I. Tea. Security., feel free to show your support and buy the author a cup of tea.