These are now officially known as the CIS Critical Security Controls (CIS Controls), formerly known as the SANS Critical Security Controls (SANS Top 20).
Instead of grouping the CIS Controls by who controls the devices, Version 8 organizes them by activity. This is reflected in v8 through altered language and a regrouping of Safeguards, which reduces the number of Controls from 20 to 18. Physical devices, fixed network borders, and discrete islands of security implementation are less relevant than they once were.
Why Are CIS Critical Security Controls Important To You?
These controls are updated regularly to keep pace with the evolving threat landscape and to provide organizations with up-to-date guidance on how to protect their assets.
The CIS Controls are important to businesses because they provide a framework for implementing effective cybersecurity policies and procedures. By following the CIS Controls, organizations can establish a baseline of security measures that are essential to protecting their networks and data. This can help businesses to identify and mitigate security risks, reduce the likelihood of a successful cyber attack, and minimize the impact of any security incidents that do occur.
Additionally, implementing the CIS Controls can help businesses to comply with industry regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). Compliance with these regulations is often a requirement for conducting business, and failure to comply can result in significant financial penalties and reputational damage.
Overall, the CIS Controls are an essential component of any organization's cybersecurity strategy, and having a company like Cyber Sleuth Security implement them can help businesses improve their security posture, protect their sensitive data, and comply with industry regulations and standards.
CIS Control 1: Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets, including those connected to the infrastructure physically, virtually, remotely, and within cloud environments (end-user devices, including portable and mobile ones; network devices; non-computing/Internet of Things (IoT) devices; and servers). This will allow you to accurately determine the full scope of assets that need to be monitored and protected within the enterprise. It will also help in locating unauthorized and unmanaged assets that need to be removed or remediated.
CIS Control 2: Inventory and Control of Software Assets
Actively manage all software (operating systems and applications) on the network to ensure that only authorized software is installed and can run, and that unauthorized and unmanaged software is detected and stopped from installation and execution. Active management includes inventorying, tracking, and correcting all software.
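Controls 1 and 2 both come down to the same operational step: compare what is actually discovered on the network (and installed on hosts) against the authorized inventory, and flag the differences for removal or remediation. The script below is an added illustration of that reconciliation; it is not code from the page, from CIS, or from Cyber Sleuth Security. The authorized inventory, discovery results, and software allow-list are constructed sample data, and the `discover_*` inputs stand in for whatever your scanner, DHCP server, or endpoint agent actually produces.

```python
"""Reconcile discovered assets and installed software against authorized inventories.

Added example for CIS Controls 1 and 2. All data below is constructed for
illustration; in practice the discovered lists come from a network scanner,
DHCP leases, or an endpoint agent, and the authorized lists from the CMDB.
"""
from dataclasses import dataclass, field

# Authorized hardware inventory, keyed by MAC address (constructed sample data).
AUTHORIZED_ASSETS = {
    "aa:bb:cc:00:00:01": {"hostname": "fs01", "owner": "it-ops", "type": "server"},
    "aa:bb:cc:00:00:02": {"hostname": "ws-jane", "owner": "jane", "type": "end-user"},
    "aa:bb:cc:00:00:03": {"hostname": "sw-core", "owner": "netops", "type": "network"},
}

# What a network discovery scan reported (constructed sample data).
DISCOVERED_ASSETS = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.0.10", "hostname": "fs01"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.21", "hostname": "ws-jane"},
    {"mac": "aa:bb:cc:00:00:99", "ip": "10.0.0.77", "hostname": "rpi-unknown"},
]

# Software allow-list and what an endpoint agent reported per host (constructed).
AUTHORIZED_SOFTWARE = {"openssh-server", "nginx", "python3"}
INSTALLED_SOFTWARE = {
    "fs01": {"openssh-server", "nginx", "python3"},
    "ws-jane": {"openssh-server", "python3", "unapproved-remote-tool"},
}


@dataclass
class Findings:
    """Gaps between the authorized inventories and what was observed."""
    unmanaged_assets: list = field(default_factory=list)   # seen on net, not in inventory
    missing_assets: list = field(default_factory=list)     # in inventory, not seen
    unauthorized_software: dict = field(default_factory=dict)  # host -> sorted package names


def reconcile_assets(authorized, discovered):
    """Control 1: unmanaged devices need removal or onboarding; missing ones need follow-up."""
    seen = {d["mac"] for d in discovered}
    unmanaged = [d for d in discovered if d["mac"] not in authorized]
    missing = [mac for mac in authorized if mac not in seen]
    return unmanaged, missing


def reconcile_software(allowlist, installed):
    """Control 2: any package outside the allow-list is unauthorized on that host."""
    return {
        host: sorted(pkgs - allowlist)
        for host, pkgs in installed.items()
        if pkgs - allowlist
    }


def run_reconciliation(authorized_assets, discovered_assets, allowlist, installed):
    """Combine both checks into a single findings record for ticketing or reporting."""
    unmanaged, missing = reconcile_assets(authorized_assets, discovered_assets)
    return Findings(
        unmanaged_assets=unmanaged,
        missing_assets=missing,
        unauthorized_software=reconcile_software(allowlist, installed),
    )


if __name__ == "__main__":
    f = run_reconciliation(AUTHORIZED_ASSETS, DISCOVERED_ASSETS,
                           AUTHORIZED_SOFTWARE, INSTALLED_SOFTWARE)
    for a in f.unmanaged_assets:
        print(f"UNMANAGED ASSET  {a['ip']} ({a['mac']}, {a['hostname']}): remove or onboard")
    for mac in f.missing_assets:
        print(f"MISSING ASSET    {AUTHORIZED_ASSETS[mac]['hostname']} ({mac}): verify status")
    for host, pkgs in f.unauthorized_software.items():
        print(f"UNAUTHORIZED SW  {host}: {', '.join(pkgs)}: remove or approve")
```

Running this on the sample data reports one unmanaged device (the unknown Raspberry Pi), one inventoried device that was not seen (the core switch, which may simply not answer the scanner and so needs a manual check), and one unapproved package on a workstation. The value is in running it on a schedule and feeding the findings into a ticket queue, so that "actively manage" becomes a recurring, measurable process rather than a one-time audit.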
CIS Control 3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
CIS Control 4: Secure Configuration of Enterprise Assets and Software
Set up and maintain secure configurations for servers, end-user hardware (including mobile and portable devices), network hardware, non-computing/IoT hardware, and software (operating systems and applications).
CIS Control 5: Account Management
Use processes and tools to assign and manage authorization for user accounts, including administrator accounts and service accounts, to enterprise assets and software.
CIS Control 6: Access Control Management
Create, assign, maintain, and revoke access privileges for user, administrator, and service accounts for enterprise assets and software using procedures and tools.
CIS Control 7: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities across all enterprise assets so that they can be remediated, minimizing the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
CIS Control 8: Audit Log Management
Collect, alert on, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
CIS Control 9: Email and Web Browser Protections
Enhance defenses against and detection of threats from web and email channels, as these provide chances for attackers to directly influence human behavior.
CIS Control 10: Malware Defenses
Control or prevent the installation, propagation, and execution of malicious programs, scripts, or other code on enterprise assets.
CIS Control 11: Data Recovery
Create and manage data recovery procedures that are adequate to return the in-scope enterprise assets to their trusted, pre-incident state.
CIS Control 12: Network Infrastructure Management
Establish, implement, and actively manage (track, report on, and correct) network devices in order to prevent attackers from exploiting vulnerable network services and access points.
CIS Control 13: Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
CIS Control 14: Security Awareness and Skills Training
Establish and maintain a security awareness program to influence employee behavior and to give staff the skills needed to reduce cybersecurity risk to the enterprise.
CIS Control 15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise's critical IT platforms or processes, to ensure they are protecting those platforms and data appropriately.
CIS Control 16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software in order to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
CIS Control 17: Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) so the enterprise is prepared to detect an attack and respond to it quickly.
CIS Control 18: Penetration Testing
Test the effectiveness and resilience of enterprise assets by identifying and exploiting weaknesses in controls (people, processes, and technology) and by simulating the objectives and actions of an attacker.