With the cost of a data breach at an all-time high of $4.35M and more data security and privacy regulations coming into force, organizations worldwide must ensure that they have the security controls and measures to keep their data safe.
By implementing the Center for Internet (CIS) Security Controls, organizations can establish a firm base for an effective cybersecurity approach to counter ever-evolving cyber threats. Today, we’re talking CIS Controls compliance.
What is the Center for Internet Security (CIS)?
The Center for Internet Security (CIS), formerly known as Critical Security Controls, is a non-profit organization established in 2000. With the primary goal of enhancing cybersecurity readiness and response, the CIS leverages its expertise to promote and share essential cybersecurity guidelines
The CIS aims to develop and promote best cybersecurity practices to help individuals, businesses, and other organizations protect themselves from evolving cyber threats.
What are the CIS Controls?
The CIS Controls are a set of prescriptive cybersecurity best practices and frameworks. The CIS Controls provide guidance and a clear path for organizations to improve their cybersecurity posture and mitigate the risk of the most pervasive and dangerous security threats. One of the main benefits of the CIS Controls is that they provide a small but focused set of actions that almost any organization can achieve. And yet, these simple steps still yield significant results in deterring possible cyber threats.
Developed by top security experts from around the world, the CIS Controls are regularly updated according to the latest trends in the cyber threat landscape. The latest version of the CIS Controls includes 18 controls that aim to prevent cyberattacks, support compliance, and improve security posture.
Why are the CIS Controls important?
The CIS Controls are important because they combine the easiest and most effective recommendations to reduce the risks of cyberattacks. In the current cybercrime landscape, the CIS Controls can help organizations establish a secure perimeter and maintenance of necessary defenses.
The CIS Controls’ structure
The 18 CIS Controls are split into three implementation groups: basic cyber hygiene (IG1), enterprise-level protection for regulated businesses (IG2), and protection against targeted and zero-day attacks (IG3).
The IG1 controls are a set of 56 safeguards that provide a basic level of cyber hygiene for an organization. Organizations should implement IG1 controls to defend against the most common cyber threats.
The IG2 controls include 74 additional safeguards on top of the 56 in IG1. The IG2 controls and safeguards require specialized expertise and dedicated individuals to manage the security infrastructure. Organizations with more resources and a moderate risk of data exposure should implement IG2 controls alongside IG1 controls.
The IG3 controls come with 23 additional safeguards designed to help mature organizations facing significant security risks or handling the most sensitive data.
CIS Controls Version 8
With the ever-evolving threat landscape, the Center for Internet Security (CIS) continuously updates its set of best practices and frameworks to stay abreast of cybersecurity developments.
The latest iteration of these guidelines, known as the CIS Controls Version 8 or the CIS Critical Security Controls V8, which incorporates revisions and enhancements from the previous Version 7, was introduced in 2021. It builds on its predecessors by refining existing controls and introducing new measures that reflect current security needs.
CIS Controls V8 is designed to address the risks of today's working environment, which heavily involves cloud-based interactions and remote work. For more comprehensive insights into the changes and updates in CIS Controls Version 8, refer to the official CIS documents and Security Metrics' detailed analysis.
CIS Critical Security Controls
Inventory and control of enterprise assets
You need to know what you must protect. Therefore, the first CIS Control focuses on identifying all the assets within the organization. Those assets can include mobile devices, network devices, servers, and Internet of Things (IoT) devices connected to the infrastructure, whether they are connected virtually, physically, or remotely. By getting an accurate inventory of your assets, you will understand what you need to monitor and protect within the organization.
Inventory and control of software assets
The second control on the list focuses on providing safeguards to ensure you know what software your team is using and that no unauthorized software can make its way onto your network.
The third CIS Control urges organizations to develop a technical process and security controls to classify, identify, handle, retain, and dispose of data.
Secure configuration of enterprise assets and software
Default software configurations are usually developed to prioritize ease of development or ease of use rather than security. This CIS Control focuses on establishing a more secure configuration and maintaining it to lower the risk of cyber threats.
The fifth CIS Control focuses on using tools and processes to manage how, when, and why accounts are issued and ensuring they are terminated once they’re no longer in use.
Access control management
Like the previous controls, this control urges organizations to use tools to create and manage access privileges to enterprise assets and software.
Continuous vulnerability management
The cyber threat landscape is constantly evolving. Following the seventh CIS Control will help you develop a strategy to ensure continuous vulnerability management and analysis.
Audit log management
The eighth CIS Control sets out guidelines on how the organization should collect, audit, and examine its logs to ensure they are protected.
Email and web browser protections
This CIS Control focuses on using appropriate security measures to ensure browsers are not vulnerable to threats and email communications are always secure.
The 10th CIS Control outlines how organizations can prevent malicious software from entering the organization’s network with the help of appropriate security tools.
The 11th CIS Control focuses on developing a data recovery plan and processes that would be sufficient to restore any enterprise assets to a pre-incident state.
Network infrastructure management
To help organizations lower the potential attack vector, this CIS Control outlines how to actively manage organizational networks and the devices on those networks.
Network monitoring and defense
CIS Control number 13 encourages companies to monitor their network for suspicious activity and ensure that appropriate defense mechanisms are in place to deter bad actors.
Security awareness and skills training
The 14th CIS Control outlines the benefits of regular cybersecurity awareness and training sessions to ensure that the entire organization understands the risks and security strategy.
Service provider management
These days, supply chain attacks are rampant. To reduce the chances of being hit by a supply chain attack, this CIS Control urges companies to develop a comprehensive process to evaluate their partners and service providers to ensure their security practices are up to standard.
Application software security
CIS Control number 16 urges organizations to manage the security of the software they develop or use on commission to prevent security vulnerabilities.
Incident response management
To help organizations manage crises effectively and efficiently, this CIS Control stresses the importance of developing a comprehensive cybersecurity incident response.
The final CIS Control defines the importance of testing the resilience and effectiveness of organizational security posture and encourages the company to run penetration tests that simulate real-life cyberattacks.
How do the CIS Controls work with other compliance standards?
Today, any business that wishes to handle sensitive data must adhere to various security and compliance regulations, such as the General Data Protection Act (GDPR) or California Consumer Privacy Act (CCPA). The CIS Controls are cross-compatible with various compliance regulations because they provide clear and in-depth best practices regarding cybersecurity in a business environment, which are in line with compliance standards.
CIS vs. NIST: What’s the difference?
In the cybersecurity world, CIS and NIST are two often-mentioned acronyms. Understanding the differences between the CIS framework vs. NIST is critical for effective information security. Both contribute significantly to cybersecurity, but their focuses and approaches vary.
Organizational background: The Center for Internet Security (CIS) is a non-profit organization established in 1999, known for creating the CIS Controls, a set of best practices for securing systems and data. NIST (the National Institute of Standards and Technology), a federal agency within the US Department of Commerce, has a broader mission, focusing on advancing measurement science, standards, and technology, with a recent emphasis on cybersecurity issues.
Mission and resources: CIS focuses specifically on cybersecurity, offering resources like security benchmarks and threat intelligence. In contrast, NIST's scope is wider, focusing on developing standards and guidance.
Approach: CIS takes a pragmatic approach, collaboratively developing tools and resources, while NIST's research-oriented approach focuses on studying and understanding cybersecurity issues.
Size and impact: CIS, with a staff of just over 100, influences numerous organizations globally, whereas NIST, with a staff of over 3,000, primarily impacts US government agencies.
While both offer valuable tools, they differ in approach. The differences between NIST vs. CIS could influence their relevance depending on your specific needs and the nature of your organization.
How to implement the CIS Controls
In order to successfully implement the CIS Controls, organizations must be ready and willing to take action to establish a secure organizational perimeter. The CIS Controls implementation guide recommends taking a phased approach.
Phase 1 should include an audit of your entire network, what’s connected to it, and why. During this phase, you will clearly understand your organization’s cybersecurity baseline.
During phase 2, you should focus on securing your baseline through staff education and implementing security tools and processes. Phase 3 is the time to craft incident-response plans to ensure your organization acts in a well-coordinated manner in case of an emergency.
How to achieve CIS Compliance with NordPass
Besides the fact that a business password manager is a must-have tool for any organization that seeks to remain secure these days, corporate password managers are also handy compliance-wise.
A password manager such as NordPass Business can help organizations meet many of the benchmarks set by CIS.
NordPass provides companies with a single secure place to store passwords, credit cards, and other sensitive data. Thanks to end-to-end encryption and zero-knowledge architecture, everything stored in the NordPass vault is highly protected.
Furthermore, NordPass’ advanced security tools, such as Password Health and the Data Breach Scanner, can help organizations further assess their password strength and determine whether any of their emails or domains have appeared in a data leak.
Finally, NordPass Business allows organization owners and admins to have a complete overview of user activity and manage access privileges according to specific needs.
If you are looking for a business password manager for your organization and want to know how NordPass Business can improve your organization’s overall security stance and compliance posture, please get in touch with our representative to schedule a demo.