CIS Controls Gap Analysis
The "Top 20" controls
Effective Cyber Defense
The Center for Internet Security (CIS) Controls Version 7 is a tactical security standard, developed by security professionals and adopted from a standard known as the SANS Top 20. It is recommended by the California Secretary of State as a reference standard and is widely used across multiple industries as a prioritized framework for building security programs. There are twenty (20) key focus areas.
All gap analysis engagements are performed via interviews and team discussions. They are not audits: claims will not be verified or independently tested. The goal of a gap analysis is to partner with the organization to assess how closely its security program aligns with the standard or framework, and to determine which policies, processes, or controls are still outstanding for the organization to achieve compliance.
The CIS Controls Version 7
- CSC 1: Inventory and Control of Hardware Assets
- CSC 2: Inventory and Control of Software Assets
- CSC 3: Continuous Vulnerability Management
- CSC 4: Controlled Use of Administrative Privileges
- CSC 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CSC 7: Email and Web Browser Protections
- CSC 8: Malware Defenses
- CSC 9: Limitation and Control of Network Ports, Protocols, and Services
- CSC 10: Data Recovery Capabilities
- CSC 11: Secure Configurations for Network Devices, such as Firewalls, Routers, and Switches
- CSC 12: Boundary Defense
- CSC 13: Data Protection
- CSC 14: Controlled Access Based on the Need to Know
- CSC 15: Wireless Access Control
- CSC 16: Account Monitoring and Control
- CSC 17: Implement a Security Awareness and Training Program
- CSC 18: Application Software Security
- CSC 19: Incident Response and Management
- CSC 20: Penetration Tests and Red Team Exercises
Truvantis Provides Expert Assistance Start To Finish
Truvantis' report will measure security operations against each of the controls and make recommendations based on each control's significance to the operation's risk posture.
There is no attestation or formal certification available for this standard.