18 CIS Controls - an Effective Framework for Security

You can achieve Information security by complying with an adequate set of security policies, standards, and procedures. Of course, there is no such thing as 100% secure, but if you comply with an appropriate set of security policies, standards, and procedures, your organization is actively managing its risk. As a result, When I hear security professionals quote the old mantra, “compliance does not equal security,” it sounds like an excuse for questionable practices. At Truvantis, we believe that when done correctly, compliance does equal security. 

You can build and maintain an effective security program by leveraging an industry-standard security framework. The 18 CIS Critical Security Controls (formerly known as the SANS Top 20 Critical Security Controls) is a framework your organization can use as a reliable, universally recognized foundation for cybersecurity. Experts agree that CIS Controls is a gold standard framework for defining, implementing, and operating an effective, risk-based security program. 

The Center for Internet Security (CIS) Critical Security Controls (aka CIS Controls) gives organizations a way to compare their operations with industry best practices with the most impact on today’s environments. 

The CIS Controls reflect the combined knowledge of actual attacks and effective defenses of experts across the ecosystem. According to experts, the CIS Controls are the most effective and specific technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of those attacks. 

Evaluating yourself against the CIS Controls is a starting point that an enterprise can use for immediate, high-value action. In addition, CIS is demonstrably consistent with other formal risk management frameworks and provides a basis for standard action across diverse industries. 

What are the CIS Controls? 

The CIS Controls security standard provides a foundational framework for building and maintaining cybersecurity using a consistent, systematic approach to security. The CIS controls are created by a consensus of security professionals and practitioners worldwide, endorsed by leading IT security vendors and governing bodies. By comparing your security program against a standard such as CIS controls, you get a level of assurance for yourself, organizational leadership, customers, partners, and others that your program is mature based on industry best practices. 

Methodologies are Used to Analyze CIS Controls 

Once you’ve decided to pursue the CIS Controls as your target for security compliance and risk management, the first step is understanding the gaps in your current program. Then create a plan to bring your program into compliance with as little disruption to your operations as possible.  

Determine the scope of the gap analysis, identify staff, and align expectations. Include selecting the parts of the standard that apply to you based on both the implementation groups (IGs) and cloud model mapping. Once the analysis is complete, formulate a feasible plan of action to move forward. Customize security products and services to help you achieve the CIS Controls standard according to your business goals.   

Additional initiatives may include: 

  • Penetration Testing 
  • Vulnerability Assessments 
  • Code Review 
  • Training 
  • Risk Assessments 
  • Incident Response Planning 
  • Policy and Procedure Writing 
  • Architectural Consulting 

Why Are CIS Controls Effective? 

CIS Controls are based on strategies that have been proven to work when subjected to an actual attack. These guidelines go beyond protecting your systems and include best practices for addressing attacks in progress, post-attack response, detecting compromised machines, preventing follow-up attacks, and even providing actionable information to law enforcement. 

Some time ago, we discovered a state agency suffering DDoS events as it was hammered with login attempts. Our investigation found the attack had been exploiting a ‘legacy’ network device outside the domain firewall through telnet port 23. Unfortunately, this sort of error happens frequently as legacy systems get set up and eventually become ‘forgotten.’ This vulnerability is easily mitigated by deploying CIS Safeguard 1.1: Establish and maintain a detailed enterprise asset inventory. Organizations need to know what they have out there. CIS Safeguard 4.2 Establishing and maintaining a secure configuration process for network infrastructure is another layered defense to help mitigate this type of vulnerability.  

Why Truvantis 

As proud members of CIS and front-line cybersecurity veterans, Truvantis can help you to create a robust security foundation that complies with the CIS Controls standard. 

Our CIS Controls Gap Analysis comprehensively assesses your system against this standard. In addition, we offer a vast array of security products and services to help you achieve the CIS Controls standard with custom recommendations that are right for your business.   

Contact Truvantis today to learn more about the CIS Controls for your business. 

Truvantis is a cybersecurity and privacy consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security programs. We specialize in helping our clients improve their cybersecurity and privacy posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance. Contact us to get started today. 



Related Articles By Topic

SOC2 HIPAA CIS Controls Security Program

Contact Us
Consult with a CIS Controls expert to find out how to use this framework to manage your risk.
Schedule a call
Contact Us