
CIS Controls™

Adopt Trusted, Universal Best Practices

“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet.”

–Kamala Harris, 32nd Attorney General of California

A Gateway to Foundational Cybersecurity

The CIS Controls™ security standard (formerly known as the SANS Top 20 Critical Security Controls) is a set of guidelines that gives your organization a reliable, universally recognized foundation for cybersecurity. Unlike the product-specific recommendations you'll get from security vendors, these controls are vendor-neutral best practices that are accepted, trusted, and used by organizations across many industries.

Aligning your system with these universal recommendations, even when it’s not required by law, can fortify your company and show consumers that you take security seriously.

When you’re searching for a cybersecurity certification or unsure of where to begin in creating a secure system for your company, choose CIS Controls - and start with a Gap Analysis.


The Story of CIS Controls

The CIS Controls were developed in a cooperative effort of IT experts and data security personnel from a wide range of industries and sectors, including defense, education, government, healthcare, manufacturing, retail, and more.

These experienced cyber-defenders set out to create standards that any organization (in any industry) could follow to better protect themselves and their customers.

Together, they wrote a prioritized set of actions that form an in-depth framework of best practices for protecting systems and networks against the most common forms of attack.

The framework is named the CIS Controls after the Center for Internet Security (CIS), which promotes the program, and it is one of today’s most widely used standards of voluntary cybersecurity compliance.


Why CIS Controls Work

CIS Controls are based on strategies that have been proven to work when subjected to an actual attack. These guidelines go beyond protecting your systems and include best practices for addressing attacks in progress, post-attack response, detecting compromised machines, preventing follow-up attacks, and even providing actionable information to law enforcement.

Components of CIS Controls

The CIS Controls security standard is based on five critical tenets of cyber defense:

Offense Informs Defense

Each attack tells a story and teaches a lesson. The knowledge gained from those lessons forms the foundation of CIS Controls. These controls have all been proven effective against actual attacks.

Prioritization

The principle of prioritization calls for the most effective controls to be implemented first. Different controls will provide greater risk reduction for some organizations than they will for others. CIS Implementation Groups help organizations identify the most relevant controls for them.


Measurements and Metrics

Common metrics provide a shared language for managers, auditors, IT personnel and security personnel to calculate the effectiveness of security procedures, identify issues and quickly implement any changes.

Continuous Diagnostics and Mitigation

Ongoing testing validates the effectiveness of implemented security measures, informing the next steps and revealing opportunities for improvement.

Automation

To achieve and scale reliable security, defense measures in alignment with the controls must be automated, removing the human component as a roadblock to effective security.

Understanding the CIS Controls

CIS Control 1: Inventory and Control of Enterprise Assets

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

CIS Control 2: Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

CIS Control 3: Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

CIS Control 4: Secure Configuration of Enterprise Assets and Software

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

CIS Control 5: Account Management

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

CIS Control 6: Access Control Management

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

CIS Control 7: Continuous Vulnerability Management

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate them and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

CIS Control 8: Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

CIS Control 9: Email and Web Browser Protections

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

CIS Control 10: Malware Defenses

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

CIS Control 11: Data Recovery

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

CIS Control 12: Network Infrastructure Management

Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

CIS Control 13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data and ensure the privacy and integrity of sensitive information.

CIS Control 14: Security Awareness and Skills Training

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

CIS Control 15: Service Provider Management

Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

CIS Control 16: Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

CIS Control 17: Incident Response & Management

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

CIS Control 18: Penetration Testing

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

Truvantis® for Your CIS Controls Implementation

As proud members of CIS and front-line cybersecurity veterans, Truvantis can help you to create a robust security foundation that complies with the CIS Controls standard.

Our CIS Controls Gap Analysis provides a comprehensive assessment of your system against this standard. We offer a wide range of security products and services to help you achieve the CIS Controls standard, with custom recommendations that are right for your business.

Contact Truvantis today to learn more about the CIS Controls for your business.