“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet.”
–Kamala Harris, 32nd Attorney General of California
The CIS Controls™ are a prioritized set of cybersecurity best practices (formerly known as the SANS Top 20 Critical Security Controls) that give your organization a reliable, widely recognized foundation for its security program. Unlike the recommendations you get from a security vendor, the controls are vendor-neutral and are accepted and trusted as best practice by organizations across many industries.
Aligning your system with these universal recommendations, even when it’s not required by law, can fortify your company and show consumers that you take security seriously.
Whether you are looking for a recognized cybersecurity framework to measure your organization against, or are unsure where to begin building a secure environment for your company, start with the CIS Controls, and begin with a gap analysis.
The CIS Controls were developed in a cooperative effort of IT experts and data security personnel from a wide range of industries and sectors, including defense, education, government, healthcare, manufacturing, retail, and more.
These experienced cyber-defenders set out to create standards that any organization (in any industry) could follow to better protect themselves and their customers.
Together, they wrote a prioritized set of actions that form an in-depth framework of best practices for protecting systems and networks against the most common forms of attack.
The controls take their name from the Center for Internet Security (CIS), which maintains and promotes them, and they are among today's most widely used voluntary cybersecurity standards. The version described on this page, CIS Controls v7, consists of 20 controls; the current v8 release consolidates them into 18.
CIS Controls are based on strategies that have been proven to work when subjected to an actual attack. These guidelines go beyond protecting your systems and include best practices for addressing attacks in progress, post-attack response, detecting compromised machines, preventing follow-up attacks, and even providing actionable information to law enforcement.
The CIS Controls security standard is based on five critical tenets of cyber defense:
Offense informs defense. Each attack tells a story and teaches a lesson, and the knowledge gained from those lessons forms the foundation of the CIS Controls. Every control has been proven effective against real attacks.
Prioritization. The most effective controls are implemented first. Different controls provide greater risk reduction for some organizations than for others, and the CIS Implementation Groups (IG1 through IG3) help an organization identify the controls most relevant to it.
Measurements and metrics. Common metrics provide a shared language for managers, auditors, IT personnel and security personnel to measure the effectiveness of security procedures, identify issues and quickly implement changes.
Continuous diagnostics and mitigation. Ongoing testing validates the effectiveness of the security measures already in place, informs the next steps and reveals opportunities for improvement.
Automation. To achieve and scale reliable security, the defensive measures that implement the controls must be automated, so that dependence on manual effort does not become the roadblock to effective security.
Control 1: Inventory and Control of Hardware Assets. Actively manage (inventory, track and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
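One concrete way to implement the "find unmanaged devices" half of Control 1 is to reconcile what the network actually sees against the authorized asset list. The following is an added example written for this page, not code from CIS or Truvantis: it parses a constructed excerpt in the format of ISC dhcpd's dhcpd.leases file, compares active leases against a hypothetical CSV export of the asset database, and reports both devices that are on the network but not in the inventory and inventory entries that have not been seen.

```python
"""Reconcile observed DHCP clients against an authorized hardware inventory.

Added illustration for CIS Control 1; not code from CIS or Truvantis. Both
inputs below are constructed: the inventory is a hypothetical CSV export, and
the lease data mimics the dhcpd.leases format written by ISC dhcpd.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed authorized inventory (hypothetical asset-database export).
AUTHORIZED_INVENTORY_CSV = """\
mac,hostname,owner,asset_tag
aa:bb:cc:00:00:01,fileserver01,IT,A-1001
aa:bb:cc:00:00:02,ws-alice,Finance,A-1002
AA:BB:CC:00:00:03,printer-2f,Facilities,A-1003
"""

# Constructed dhcpd.leases excerpt. Note the stale (free) lease for the file
# server and an unknown Android device that picked up an address.
DHCPD_LEASES = """\
lease 10.0.5.21 {
  starts 4 2024/03/14 09:12:33;
  ends 4 2024/03/14 21:12:33;
  binding state active;
  hardware ethernet aa:bb:cc:00:00:02;
  client-hostname "ws-alice";
}
lease 10.0.5.77 {
  starts 4 2024/03/14 09:40:02;
  ends 4 2024/03/14 21:40:02;
  binding state active;
  hardware ethernet de:ad:be:ef:12:34;
  client-hostname "android-9f3c";
}
lease 10.0.5.78 {
  starts 4 2024/03/13 09:40:02;
  ends 4 2024/03/13 21:40:02;
  binding state free;
  hardware ethernet aa:bb:cc:00:00:01;
}
lease 10.0.5.90 {
  binding state active;
  hardware ethernet aa:bb:cc:00:00:03;
}
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware ethernet\s+(?P<mac>[0-9a-fA-F:]+);")
STATE_RE = re.compile(r"binding state\s+(?P<state>\w+);")
HOST_RE = re.compile(r'client-hostname\s+"(?P<host>[^"]*)";')


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    active: bool


def normalize_mac(mac):
    """Canonicalize a MAC so aa-bb-cc-00-00-03, AABBCC000003 and aa:bb:... compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(csv_text):
    """Map normalized MAC -> inventory row."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(csv_text))}


def parse_leases(text):
    """Parse lease blocks; dhcpd appends history, so the last block per IP wins."""
    by_ip = {}
    for m in LEASE_RE.finditer(text):
        body = m["body"]
        mac = MAC_RE.search(body)
        if not mac:          # abandoned or incomplete leases carry no MAC
            continue
        state = STATE_RE.search(body)
        host = HOST_RE.search(body)
        by_ip[m["ip"]] = Lease(
            ip=m["ip"],
            mac=normalize_mac(mac["mac"]),
            hostname=host["host"] if host else "",
            active=state is not None and state["state"] == "active",
        )
    return list(by_ip.values())


def reconcile(leases, inventory):
    """Return devices seen but not authorized, and authorized devices not seen."""
    seen = {lease.mac for lease in leases if lease.active}
    unauthorized = sorted(
        (lease.ip, lease.mac, lease.hostname)
        for lease in leases if lease.active and lease.mac not in inventory
    )
    unseen = sorted(set(inventory) - seen)
    return {"unauthorized": unauthorized, "unseen": unseen}


if __name__ == "__main__":
    report = reconcile(parse_leases(DHCPD_LEASES), load_inventory(AUTHORIZED_INVENTORY_CSV))
    for ip, mac, host in report["unauthorized"]:
        print(f"UNAUTHORIZED {ip} {mac} {host or '(no hostname)'}")
    for mac in report["unseen"]:
        print(f"NOT SEEN     {mac}")
```

Two caveats a practitioner should keep in mind: DHCP leases only show devices that asked for an address, so static-IP hosts must be picked up from ARP tables or switch MAC tables as well, and a MAC address is trivially spoofable. This kind of reconciliation is a detection control; preventing unauthorized devices from gaining access, the other half of Control 1, needs port-level enforcement such as 802.1X.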
Control 2: Inventory and Control of Software Assets. Actively manage (inventory, track and correct) all software on the network so that only authorized software is installed and can execute, and all unauthorized and unmanaged software is found and prevented from installation or execution.
Control 3: Continuous Vulnerability Management. Continuously acquire, assess and act on new information in order to identify vulnerabilities, remediate them and minimize the window of opportunity for attackers.
Control 4: Controlled Use of Administrative Privileges. Use processes and tools to track, control, prevent and correct the use, assignment and configuration of administrative privileges on computers, networks and applications.
Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers. Establish, implement and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers and workstations using a rigorous configuration management and change control process, in order to prevent attackers from exploiting vulnerable services and settings.
Control 6: Maintenance, Monitoring and Analysis of Audit Logs. Collect, manage and analyze audit logs of events that could help detect, understand or recover from an attack.
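Control 6 only pays off if the collected logs are actually analyzed. As an added example for this page (not code from CIS or Truvantis), the block below runs a simple detection over constructed sshd authentication lines in standard Linux syslog format: it flags any source address that produces a burst of failed logins within a time window, and, more importantly, reports whether that same source then succeeded, which turns a noisy brute-force alert into a possible account compromise. The threshold, window and the year (syslog timestamps omit it) are assumed values.

```python
"""Flag SSH brute-force bursts and any login that succeeded from the same source.

Added illustration for CIS Control 6 (audit log analysis); not code from CIS or
Truvantis. The log lines are constructed in the syslog format OpenSSH's sshd
writes on Linux; the year is assumed because syslog omits it.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a password-guessing burst from 203.0.113.5 that ends in a
# successful login as alice, two isolated failures from 198.51.100.7, and a
# routine key-based login from 192.0.2.10. The pam_unix line is noise to skip.
SAMPLE_LOG = """\
Mar 14 09:12:01 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51200 ssh2
Mar 14 09:12:04 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51202 ssh2
Mar 14 09:12:09 bastion sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 51204 ssh2
Mar 14 09:12:15 bastion sshd[2207]: Failed password for alice from 203.0.113.5 port 51206 ssh2
Mar 14 09:12:20 bastion sshd[2209]: Failed password for alice from 203.0.113.5 port 51208 ssh2
Mar 14 09:12:27 bastion sshd[2211]: Failed password for alice from 203.0.113.5 port 51210 ssh2
Mar 14 09:12:41 bastion sshd[2213]: Accepted password for alice from 203.0.113.5 port 51212 ssh2
Mar 14 09:13:02 bastion sshd[2213]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 14 08:01:10 bastion sshd[2100]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar 14 10:30:55 bastion sshd[2300]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Mar 14 11:00:00 bastion sshd[2400]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    success: bool
    user: str
    ip: str


@dataclass(frozen=True)
class Finding:
    ip: str
    failures: int        # total failed attempts from this source
    users: list          # distinct usernames tried
    succeeded_as: list   # usernames that logged in from this source after the first failure


def parse_line(line, year=2024):
    """Turn one sshd auth line into an Event, or None for lines we do not care about."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return Event(ts=ts, success=m["result"] == "Accepted", user=m["user"], ip=m["ip"])


def analyze(lines, threshold=5, window=timedelta(minutes=10), year=2024):
    """Report sources with >= threshold failures inside any `window`, plus later successes."""
    events = sorted((e for e in (parse_line(l, year) for l in lines) if e), key=lambda e: e.ts)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e.success]
        # Sliding window over the time-ordered failures: fails[start:i+1] always
        # spans at most `window`, so its length is the burst size ending at i.
        burst, start = False, 0
        for i, e in enumerate(fails):
            while e.ts - fails[start].ts > window:
                start += 1
            if i - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        first_fail = fails[0].ts
        succeeded = sorted({e.user for e in evs if e.success and e.ts >= first_fail})
        findings.append(Finding(ip, len(fails), sorted({e.user for e in fails}), succeeded))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        level = "CRITICAL" if f.succeeded_as else "WARNING"
        print(f"{level} {f.ip}: {f.failures} failures against {f.users}, succeeded as {f.succeeded_as}")
```

The design point is the second half of the logic: a failure burst on its own is routine internet background noise, but a success from the same source after the burst is exactly the event an analyst must see first, so the example ranks those findings above the rest rather than treating all bursts alike.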
Control 7: Email and Web Browser Protections. Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
Control 8: Malware Defenses. Control the installation, spread and execution of malicious code at multiple points in the enterprise, while using automation to enable rapid updating of defenses, data gathering and corrective action.
Control 9: Limitation and Control of Network Ports, Protocols, and Services. Manage (track, control, correct) the ongoing operational use of ports, protocols and services on networked devices in order to minimize the windows of vulnerability available to attackers.
Control 10: Data Recovery Capabilities. Use processes and tools to properly back up critical information, with a proven methodology for recovering it in a timely manner.
Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches. Establish, implement and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process, in order to prevent attackers from exploiting vulnerable services and settings.
Control 12: Boundary Defense. Detect, prevent and correct the flow of information across networks of different trust levels, with a focus on data that could damage security.
Control 13: Data Protection. Use processes and tools to prevent data exfiltration, mitigate the effects of exfiltrated data and ensure the privacy and integrity of sensitive information.
Control 14: Controlled Access Based on the Need to Know. Use processes and tools to track, control, prevent and correct access to critical assets (for example information, resources and systems) according to a formal determination of which persons, computers and applications have a need and a right to access those assets, based on an approved classification.
Control 15: Wireless Access Control. Use processes and tools to track, control, prevent and correct the secure use of wireless local area networks (WLANs), access points and wireless client systems.
Control 16: Account Monitoring and Control. Actively manage the life cycle of system and application accounts (their creation, use, dormancy and deletion) in order to minimize the opportunities for attackers to leverage them.
Control 17: Implement a Security Awareness and Training Program. For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support defense of the enterprise; then develop and execute an integrated plan to assess those roles, identify gaps and remediate them through policy, organizational planning, training and awareness programs.
Control 18: Application Software Security. Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect and correct security weaknesses.
Control 19: Incident Response and Management. Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence and restoring the integrity of the network and systems.
After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios tailored to the threats and vulnerabilities the organization faces. These exercises ensure that team members understand their role on the incident response team and prepare them to handle real incidents. It is inevitable that exercises and training scenarios will surface gaps in plans and processes, as well as unexpected dependencies; that is their purpose.
Control 20: Penetration Tests and Red Team Exercises. Test the overall strength of the organization's defenses (the technology, the processes and the people) by simulating the objectives and actions of an attacker.
As proud members of CIS and front-line cybersecurity veterans, Truvantis can help you build a robust security foundation that aligns with the CIS Controls.
Our CIS Controls Gap Analysis provides a comprehensive assessment of your environment against each control. We also offer a broad range of security products and services, with recommendations tailored to your business, to help you close the gaps the analysis identifies and reach the CIS Controls standard.