Cybersecurity can be both simple AND effective with the CIS Controls.

Water is being poisoned, hospitals are re-routing patients, oil pipelines are shutting down, there’s no such thing as a safe e-mail server, surveillance cameras have been exposed, and critical security updates are being pushed to vulnerable exercise bikes.

The first half of 2021 has been rough for network defenders. On a positive note, significant progress has been made toward building awareness, and the president has even signed an executive order to improve cybersecurity in the United States.

Many organizations that previously overlooked cybersecurity are rushing to show their boards and customers that they’re taking things seriously. At this point, executives, managers, and IT professionals are all looking for answers to the same question - where do we start?

This question is easier to answer in regulated industries like finance and healthcare, where compliance with a specific security framework is a black-and-white legal requirement. Several security frameworks exist which are not industry-specific, but simply understanding the requirements can be a daunting task.

For example, while the NIST Cybersecurity Framework is designed for organizations of all sizes and at any information security maturity level, you’ll need to digest a 55-page document, or a summary in the form of a 505-row spreadsheet. There is also ISO 27000, a family of information security standards for organizations of all sizes, but even a mid-sized organization that already has security controls in place could take 6-12 months or more to certify compliance.

In contrast to lengthy and complex standards and frameworks, governments in the U.K. and Australia have developed their own relatively simple standards to mandate basic cybersecurity hygiene for all businesses. The U.K.’s Cyber Essentials lists 5 security controls for businesses to implement, while Australia’s Essential Eight, of course, has 8. These standards recommend technical controls which mitigate a good portion of known cybersecurity risks, and they’re both based on research, breach data, and other recognized information security standards. However, they’re both relatively new, so their effectiveness and whether or not they’re kept up-to-date remains to be seen.

This is where the Center for Internet Security (CIS) Controls come in. They make it easy to start a new security program and achieve basic cybersecurity hygiene, or to take an existing security team to the next level without committing to an industry-specific framework. We also sometimes refer to them as the ‘gateway drug’ to compliance because, while they’re simple to implement, they’re mapped to the most prevalent regulatory frameworks. This means that if an organization’s industry or business becomes subject to regulatory security requirements in the future, it has already taken significant steps along the journey toward compliance.

What are the CIS Controls?

According to CIS:

The CIS Controls are a prescriptive, prioritized, and simplified set of cybersecurity best practices and defensive actions that can help support compliance in a multi-framework era. They are leveraged by organizations around the world to provide specific guidance and a clear pathway to achieve the goals and objectives described by multiple legal, regulatory, and policy frameworks.

We use the word ‘simple’ often when we talk about the CIS Controls because they really are. They’re a concise list of only 18 security controls that can be used by any organization to mitigate known threats.

The CIS Controls were initially developed in 2008 by the SANS Institute, and were called the SANS Top 20 or the 20 Critical Security Controls because, until just a month ago, the project defined 20 critical security controls, or key defensive actions for mitigating known attacks. Since then, SANS and CIS have revised and re-prioritized the controls to keep them relevant, with CIS taking ownership of the project in 2015.

CIS released the latest version of the CIS Controls, v8, in May 2021. This version provides a further simplified set of defensive actions, reducing the controls from 20 to 18.

Rivalled only by the 10 commandments, here are the 18 Critical Security Controls from CIS Controls v8:

  1. Inventory and Control of Enterprise Assets

  2. Inventory and Control of Software Assets

  3. Data Protection

  4. Secure Configuration of Enterprise Assets and Software

  5. Account Management

  6. Access Control Management

  7. Continuous Vulnerability Management

  8. Audit Log Management

  9. Email and Web Browser Protections

  10. Malware Defenses

  11. Data Recovery

  12. Network Infrastructure Management

  13. Network Monitoring and Defense

  14. Security Awareness and Skills Training

  15. Service Provider Management

  16. Application Software Security

  17. Incident Response Management

  18. Penetration Testing

The first 6

Prior to the latest version of the CIS Controls, the 20 controls were separated into 3 categories (independent of IGs): Basic, Foundational, and Organizational. The first 6 controls were known as the ‘Basic Controls’, and they were considered the highest priority.

Referring to the first 6 controls, a SANS paper cited the Pareto Principle: 80 percent of the impact comes from 20 percent of the effort. So, if you had limited resources, the recommendation was that any organization implement at least the first 6 controls to achieve basic cybersecurity hygiene and mitigate many known attacks.

These categories (including the ‘Basic’ category which distinguished the first 6 controls) were eliminated in v8, as one of the latest version’s goals was to focus on actions regardless of who’s doing them.

With the CIS Controls now organized into Implementation Groups (IGs), organizations of any size can implement smaller subsets of the controls.

Implementation Groups

Each of the 3 IGs applies to organizations of varying size and risk tolerance:

IG 1: Small to medium-sized organizations with limited IT resources, low tolerance for downtime, and sensitive data primarily consisting of only employee and financial information.

IG 2: Enterprises with a dedicated IT function, regulatory compliance requirements, storage and processing of sensitive client information, and a risk of losing customer trust if a breach occurs.

IG 3: Enterprises with dedicated cybersecurity experts who store and process data sensitive to operations or subject to regulatory oversight, and risk of a breach resulting in significant impact to the general public.

Each IG contains a subset of the CIS Controls, along with a subset of each control’s sub-controls.

Implementing IG 1 represents basic cyber hygiene for any organization (and aims to achieve the same goal as the ‘Basic’ category did for the first 6 controls), while implementing all of the CIS Controls (i.e. all 3 IGs) is the definition of an effective cybersecurity program.

How are the CIS Controls more effective than any other list of security controls?

That’s easy. It’s because each revision of the CIS Controls comprises subject matter expert knowledge from every industry, and addresses current technologies and the current threat landscape.

There are many publications from contributors or users of the CIS Controls which speak to their relevance and effectiveness, but perhaps the most prominent example is the Verizon Data Breach Investigations Report (DBIR).

The DBIR is one of the foremost sources for data on cybersecurity incidents and breaches. In recent years, the CIS Controls have been integrated into the DBIR to correlate controls with the incidents they may have prevented.

In addition, CIS are developing the Community Defense Model (CDM), a data-driven approach to further prove effectiveness.

Compliance and the CIS Controls

The CIS Controls are applicable to any organization in any industry. In the absence of an under-the-gun scenario requiring compliance with a specific regulatory requirement, we always recommend starting security programs with the CIS Controls, or aligning existing programs to them. In addition to strengthening security posture, it will set you up for success with compliance.

For starters, the CIS Controls have been mapped to other industry-agnostic standards like the NIST Cybersecurity Framework and ISO 27001.

Here are some examples of mappings to industry standards:

Healthcare: the CIS Controls are fully integrated into the Health Information Trust Alliance Common Security Framework (HITRUST CSF) which combines the Health Insurance Portability and Accountability Act (HIPAA) and other critical healthcare security regulations.

Government: the CIS Controls have been mapped to the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), NIST’s SP 800-171, and NIST’s SP 800-53.

Finance: the CIS Controls have been mapped to the Payment Card Industry Data Security Standard (PCI DSS).

The CIS Controls are also named or included as requirements in data protection legislation introduced by a growing list of states, including California, Nevada, Ohio, and Idaho.

Getting started with the CIS Controls

CIS makes the CIS Controls freely available - you can download the latest version as a PDF here. CIS also provides the CIS Controls Navigator tool which shows all of the controls and sub-controls, and allows them to be quickly filtered by Implementation Group or mapping to the CSA Cloud Controls Matrix, CMMC, MITRE ATT&CK, NIST CSF, SP 800-171, or SP 800-53.

To get started quickly:

  1. Download the PDF

  2. Review the descriptions of each of the 3 IGs to determine which is most applicable to your organization

  3. Browse to the CIS Controls Navigator and filter controls using the applicable IG. The results are a prioritized list of cybersecurity controls and sub-controls for your organization to implement.

  4. Create and execute a plan for your organization to implement these controls and sub-controls (in order, since they’re already prioritized).

  5. If you need supporting details to justify the importance of a particular control, or examples on how to implement a given control, refer to the PDF.

Keep in mind that even if you’re only implementing IG 1 for basic cybersecurity hygiene, you’re still looking at a sizable project, especially if you have limited IT resources. CIS have done their best to help organizations in this situation with their implementation guide for SMEs (or SMBs), which provides several free tools, resources, and suggestions for small organizations to get started.

You don’t have to go it alone. Partnering with cybersecurity experts to provide an independent assessment and recommend tailored solutions for your environment is always the best option.

As a CIS SecureSuite member, JTI Cybersecurity has access to advanced CIS tools to help audit and secure your systems. If you want to leverage our experience in implementing the CIS Controls, contact us for an assessment.
