Reasons to choose CIS Controls for your cyber security program
It started with a few select people in a room. It was called “Project Insight” by the NSA and DOD, and its mission was simple: get some of the best cybersecurity minds into a room, and nobody leaves until we have a prioritized list of what keeps us all up at night. From there, the Consensus Audit Guidelines and the SANS TOP-20 were born. Now known as the Center for Internet Security (CIS) Controls, they have become the leading consensus-driven framework in the industry. The CIS Controls are a set of twenty prioritized actions (best practices) created by the cybersecurity and intelligence communities that you can use free of charge to create a security program, establish defense in depth, and improve your cybersecurity posture.
In the California 2016 Data Breach Report, then-Attorney General Kamala Harris wrote, "The 20 controls in the Center for Internet Security’s Critical Security Controls [CIS20] define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security."
The CIS Controls arrange their 171 sub-controls into three separate Implementation Groups to further prioritize the controls. For example, Implementation Group 1 has 43 controls, is intended for smaller organizations, and is referred to as “Cyber Hygiene”.
Developed by an independent, not-for-profit organization, the CIS Controls are an unbiased statement of what to do to improve your cybersecurity posture. They are a community-level translation from attacks to action, and a benchmark of performance to assist with prioritization and planning. They can also be a helpful supply-chain assessment instrument. The CIS Controls and free supporting materials can be used as a reporting template or as an implementation path for NIST CSF.
Perhaps you will use the CIS Controls as a reference or alternative to more formal frameworks or standards. Some of you may be required to use PCI DSS if you take credit cards, or HIPAA if you are in the medical industry. You will be required to use Sarbanes–Oxley (SOX) if you are a publicly traded company, or NIST SP 800-171, FISMA, or FedRAMP if you deal with the US government. But if you are free to choose your own governance framework, you might consider other standards such as the NIST Cybersecurity Framework, ISO27001, or SOC 2. All are comparable to CIS Controls and they each have their unique benefits.
Since 1993, all US federal regulations–whether or not they are related to information security–require risk analysis to achieve a cost-benefit balance while achieving compliance.
Experts and authorities consistently require organizations to secure information and systems as much as they can to prevent harm to others, but not to allow safeguards to be overly burdensome to them or the public. And they point to risk assessments as the way to find the balance.
The CIS Controls and supporting material include CIS RAM, a security risk assessment framework that aligns with the CIS Top-20 Controls. Every business needs to assess cybersecurity risk, and the CIS RAM framework can help, as it:
- Presents cyber risk analysis in business terms
  - Translating security risk into business terms for executive involvement
- Prepares organizations for regulatory compliance
  - Demonstrating “reasonable”, “appropriate”, and “acceptable”
- Prepares organizations for litigation
  - CIS RAM is similar to judicial “multi-factor balancing tests” that determine “due care”
Originally created in 2008, the CIS Controls are recommended by a wide range of organizations including the American Institute for Standards and Technology and the UK Center for National Infrastructure. Implementing the CIS Controls reflects a strong security posture and can help you prove capabilities across layered defense.
The CIS Controls are peer reviewed and well respected, and each is accompanied by a detailed supporting narrative. They are easy to size for your organization. The controls are non-prescriptive, meaning you can do it your way, and the phased approach of the Implementation Groups means you don’t have to do it all at once.
The controls represent a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks. They have been developed, refined and validated by a community of leading experts from around the world.
- Globally recognized cybersecurity standard
- Developed by thousands of cybersecurity experts around the world
- Prioritized set of actions that’s designed to scale
- Provides a logical path to build a foundation and gradually improve your cybersecurity posture
Truvantis can help you understand and use the CIS Controls framework. It will get you going and help you along the way to forming a comprehensive, business-as-usual cyber security program in your organization.