March 27, 2023

The 18 CIS Critical Security Controls (Updated for 2023)

These are now officially known as the CIS Critical Security Controls (CIS Controls), formerly known as the SANS Critical Security Controls (SANS Top 20).

Instead of grouping the CIS Controls by who manages the devices, Version 8 organizes them by activity. This is reflected in v8 through revised language and regrouped Safeguards, which reduces the number of Controls from 20 to 18. Physical devices, fixed network borders, and discrete islands of security implementation are now less relevant to how the Controls are structured.

Why Are CIS Critical Security Controls Important To You?

These controls are updated regularly to keep pace with the evolving threat landscape and to provide organizations with up-to-date guidance on how to protect their assets.

The CIS Controls are important to businesses because they provide a framework for implementing effective cybersecurity policies and procedures. By following the CIS Controls, organizations can establish a baseline of security measures that are essential to protecting their networks and data. This can help businesses to identify and mitigate security risks, reduce the likelihood of a successful cyber attack, and minimize the impact of any security incidents that do occur.

Additionally, implementing the CIS Controls can help businesses to comply with industry regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). Compliance with these regulations is often a requirement for conducting business, and failure to comply can result in significant financial penalties and reputational damage.

Overall, the CIS Controls are an essential component of any organization's cybersecurity strategy, and having a company like Cyber Sleuth Security implementing them can help businesses to improve their security posture, protect their sensitive data, and comply with industry regulations and standards.

CIS Control 1: Inventory and Control of Enterprise Assets

Actively manage (inventory, track, and correct) all enterprise assets, including those connected to the infrastructure physically, virtually, remotely, and within cloud environments (end-user devices, including portable and mobile ones; network devices; non-computing/Internet of Things (IoT) devices; and servers). This allows you to accurately determine the full scope of assets that need to be monitored and protected within the enterprise. It also helps in locating unauthorized and unmanaged assets that need to be removed or remediated.

CIS Control 2: Inventory and Control of Software Assets

Actively manage all software (operating systems and applications) on the network to ensure that only authorized software is installed and can run, and that unauthorized and unmanaged software is detected and stopped from installation and execution. Active management includes inventorying, tracking, and correcting all software.

CIS Control 3: Data Protection

Develop processes and technical safeguards to identify, classify, securely handle, retain, and dispose of data.

CIS Control 4: Secure Configuration of Enterprise Assets and Software

Set up and maintain secure configurations for servers, end-user hardware (including mobile and portable devices), network hardware, non-computing/IoT hardware, and software (operating systems and applications).

CIS Control 5: Account Management

Use processes and tools to assign and manage authorization for user accounts, including administrator accounts and service accounts, to enterprise assets and software.

CIS Control 6: Access Control Management

Create, assign, maintain, and revoke access privileges for user, administrator, and service accounts for enterprise assets and software using procedures and tools.

CIS Control 7: Continuous Vulnerability Management

Develop a plan to continuously assess and track vulnerabilities across all enterprise assets in order to remediate them and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

CIS Control 8: Audit Log Management

Collect, alert on, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

CIS Control 9: Email and Web Browser Protections

Improve protections against, and detection of, threats arriving through email and web channels, since these give attackers a direct way to influence human behavior.

CIS Control 10: Malware Defenses

Control or prevent the installation, propagation, and execution of malicious programs, scripts, or other code on enterprise assets.

CIS Control 11: Data Recovery

Create and manage data recovery procedures that are adequate to return the in-scope enterprise assets to their trusted, pre-incident state.

CIS Control 12: Network Infrastructure Management

Establish, implement, and actively manage (track, report on, and correct) network devices in order to prevent attackers from exploiting vulnerable network services and access points.

CIS Control 13: Network Monitoring and Defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.

CIS Control 14: Security Awareness and Skills Training

Establish and maintain a security awareness program to influence employee behavior and give staff the skills they need to reduce cybersecurity risks to the enterprise.

CIS Control 15: Service Provider Management

Develop a process to evaluate service providers that hold sensitive data or are responsible for an enterprise's critical IT platforms or processes, to ensure they are protecting those platforms and data appropriately.

CIS Control 16: Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software in order to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

CIS Control 17: Incident Response Management

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) so the enterprise is prepared for an attack, can detect it, and can respond to it quickly.

CIS Control 18: Penetration Testing

Test the effectiveness and resilience of enterprise assets by identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating the objectives and actions of an attacker.
