“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet.”
–Kamala Harris, 32nd Attorney General of California
The CIS Controls™ (formerly known as the SANS Top 20 Critical Security Controls) are a prioritized set of safeguards that give your organization a reliable, widely recognized foundation for cybersecurity. Unlike recommendations you get from a single security vendor, the controls are vendor-neutral and accepted as best practice by organizations across many industries.
Aligning your system with these universal recommendations, even when it’s not required by law, can fortify your company and show consumers that you take security seriously.
Whether you are working toward a formal cybersecurity certification or simply unsure where to begin building a secure environment for your company, the CIS Controls are a sound starting point, and a Gap Analysis against them is the first step.
The CIS Controls were developed in a cooperative effort of IT experts and data security personnel from a wide range of industries and sectors, including defense, education, government, healthcare, manufacturing, retail, and more.
These experienced cyber-defenders set out to create standards that any organization (in any industry) could follow to better protect themselves and their customers.
Together, they wrote a prioritized set of actions that form an in-depth framework of best practices for protecting systems and networks against the most common forms of attack.
The controls take their name from the Center for Internet Security (CIS), which maintains and publishes them, and they are among today's most widely used standards for voluntary cybersecurity compliance. The current version, CIS Controls v8, consolidates the earlier 20 controls into 18.
CIS Controls are based on strategies that have been proven to work when subjected to an actual attack. These guidelines go beyond protecting your systems and include best practices for addressing attacks in progress, post-attack response, detecting compromised machines, preventing follow-up attacks, and even providing actionable information to law enforcement.
The CIS Controls security standard is based on five critical tenets of cyber defense:
Offense informs defense. Each attack tells a story and teaches a lesson, and the knowledge gained from real attacks forms the foundation of the CIS Controls: every control is drawn from defenses that have been shown to work against actual intrusions.
Prioritization. The controls that give the greatest risk reduction are implemented first. Since the same control reduces risk more for some organizations than for others, the CIS Implementation Groups (IG1 through IG3) help an organization pick the controls most relevant to its size, resources, and risk profile.
Measurements and metrics. Common metrics give managers, auditors, IT staff, and security staff a shared language for measuring how effective security procedures are, identifying problems, and making changes quickly.
Continuous diagnostics and mitigation. Ongoing testing validates that the implemented measures actually work, informs the next steps, and reveals opportunities for improvement.
Automation. To achieve reliable security at scale, the defenses that implement the controls must be automated, so that adherence to the controls can be measured continuously rather than depending on manual effort.
Control 1, Inventory and Control of Enterprise Assets: Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Control 2, Inventory and Control of Software Assets: Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Control 3, Data Protection: Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Control 4, Secure Configuration of Enterprise Assets and Software: Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Control 5, Account Management: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Control 6, Access Control Management: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Control 7, Continuous Vulnerability Management: Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Control 8, Audit Log Management: Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Control 9, Email and Web Browser Protections: Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
Control 10, Malware Defenses: Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Control 11, Data Recovery: Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Control 12, Network Infrastructure Management: Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
Control 13, Network Monitoring and Defense: Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
Control 14, Security Awareness and Skills Training: Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Control 15, Service Provider Management: Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
Control 16, Application Software Security: Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
Control 17, Incident Response Management: Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Control 18, Penetration Testing: Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
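The reconciliation step at the heart of Control 1 (knowing every asset, and finding the unauthorized and unmanaged ones) is concrete enough to show in code. The script below is an added example written for this page; it is not from the CIS Controls document, from CIS, or from Truvantis. It normalizes device identifiers that different tools record in different formats, then classifies each device as unauthorized (seen on the network but absent from the inventory), unmanaged (inventoried and online, but the endpoint-management agent has not checked in within the allowed window), or stale (inventoried but not observed recently). The inventory records, discovery results, agent check-ins, and the age thresholds are all constructed sample data and assumptions, not data from any real environment.

```python
"""Reconcile discovered network assets against an authorized inventory.

Added illustration of CIS Control 1 (Inventory and Control of Enterprise
Assets). Not part of the CIS Controls publication. Every record below is
constructed sample data; the thresholds are assumptions, not CIS values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed: the authorized inventory maintained by IT (note mixed MAC formats).
AUTHORIZED = [
    {"mac": "00:1A:2B:3C:4D:5E", "hostname": "fs01", "owner": "it-ops"},
    {"mac": "00-1a-2b-3c-4d-5f", "hostname": "lt-alice", "owner": "alice"},
    {"mac": "00:1A:2B:3C:4D:60", "hostname": "printer-2f", "owner": "facilities"},
]

# Constructed: devices observed on the wire (e.g. from ARP/DHCP logs or a scan).
DISCOVERED = [
    {"mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.1.10", "last_seen": NOW - timedelta(minutes=5)},
    {"mac": "00:1a:2b:3c:4d:5f", "ip": "10.0.1.57", "last_seen": NOW - timedelta(minutes=1)},
    {"mac": "dc:a6:32:11:22:33", "ip": "10.0.1.99", "last_seen": NOW - timedelta(minutes=2)},
]

# Constructed: last check-in per device reported by the endpoint-management agent.
AGENT_CHECKINS = {
    "00:1a:2b:3c:4d:5e": NOW - timedelta(hours=1),
}


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC address so records from different tools compare equal.

    Accepts colon, hyphen, dot or no separators; returns lower-case colon form.
    """
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Reconciliation:
    unauthorized: list[str] = field(default_factory=list)  # on network, not in inventory
    unmanaged: list[str] = field(default_factory=list)     # inventoried, online, no recent agent check-in
    stale: list[str] = field(default_factory=list)         # inventoried, not seen within max_age


def reconcile(authorized, discovered, agent_checkins, now,
              max_age=timedelta(days=30), agent_max_age=timedelta(days=1)) -> Reconciliation:
    """Classify assets; max_age and agent_max_age are assumed policy thresholds."""
    inventory = {normalize_mac(a["mac"]): a for a in authorized}
    seen = {normalize_mac(d["mac"]): d for d in discovered}
    agents = {normalize_mac(m): t for m, t in agent_checkins.items()}
    result = Reconciliation()

    # Anything on the network is either inventoried or it is unauthorized;
    # inventoried devices must also be reporting to the management agent.
    for mac in sorted(seen):
        if mac not in inventory:
            result.unauthorized.append(mac)
        elif mac not in agents or now - agents[mac] > agent_max_age:
            result.unmanaged.append(mac)

    # Inventory entries that have not been observed recently are stale and
    # should be verified, decommissioned, or corrected in the record.
    for mac in sorted(inventory):
        if mac not in seen or now - seen[mac]["last_seen"] > max_age:
            result.stale.append(mac)
    return result


if __name__ == "__main__":
    report = reconcile(AUTHORIZED, DISCOVERED, AGENT_CHECKINS, NOW)
    for label, macs in (("unauthorized", report.unauthorized),
                        ("unmanaged", report.unmanaged),
                        ("stale", report.stale)):
        print(f"{label}: {', '.join(macs) or 'none'}")
```

In practice the three inputs come from different systems (CMDB, DHCP or ARP logs, the EDR or MDM console), and the value of the check is running it on a schedule so the "unauthorized" list is empty on a normal day and any new entry is an alert, not a quarterly surprise.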
As proud members of CIS and front-line cybersecurity veterans, Truvantis can help you to create a robust security foundation that complies with the CIS Controls standard.
Our CIS Controls Gap Analysis provides a comprehensive assessment of your environment against this standard, and we offer a range of security products and services, with recommendations tailored to your business, to help you close the gaps it finds.