Listen to: "12 Commonly Asked Questions About CIS Controls"
The Center for Internet Security (CIS) is a nonprofit organization founded in 2000. Its mission is to develop, promote and sustain best practices in computer security to enable a trusted environment for the internet. CIS’s members are organizations that include government agencies, large corporations and academic institutions. These members began developing controls for computing ecosystems in 2008 based on efforts from experts in a variety of fields, including security analysts, auditors, executives and policy makers.
CIS Controls are a set of recommendations that provide actionable steps for defending computer systems from sophisticated attacks. This list of highly effective actions is relatively short, but they offer users a prioritized starting point for any organization seeking to improve its cyber security. People who use CIS Controls often ask the following questions.
What are the CIS Controls?
CIS Controls currently consist of 20 action items, although that number wasn’t specifically selected. They don’t attempt to balance security against cost or manageability, which all organizations must do to some extent. However, experts in the CIS community strongly agree that implementing CIS Controls will prevent the vast majority of attacks that are occurring today. They should also provide the framework for automating and managing cyber defenses well into the future.
The current version of CIS Controls is Version 7.1, which includes the following controls:
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Secure configurations for hardware and software
- Continuous vulnerability assessment and remediation
- Controlled use of administrative privileges
- Maintenance, monitoring, and analysis of audit logs
- Email and web browser protections
- Malware defenses
- Limitation and control of network ports, protocols, and services
- Data recovery capability
- Secure configurations for network devices
- Boundary defense
- Data protection
- Controlled access based on the need to know
- Wireless access control
- Account monitoring and control
- Security skills assessment and appropriate training to fill gaps
- Application software security
- Incident response and management
- Penetration tests and red team exercises
What is the purpose of CIS Controls?
CIS Controls allow organizations to mitigate known attacks and are designed to be largely implemented, monitored and enforced through automated means. The primary purpose of this approach is to minimize the effect of human error, especially when it comes to enforcing security controls. CIS Controls also focus on areas that offer the best payoffs in terms of countering threats.
Prioritization is another important benefit of CIS Controls, since they allow organizations to quickly define a starting point for implementation. The ability to direct actions with a high-value payoff is particularly helpful for organizations with limited resources to devote to their cyber defense. CIS Controls also help users focus their attention on mitigating risks that are specific to their mission.
Who endorses CIS Controls?
Many large organizations and influential individuals strongly support the use CIS controls to improve security. The U.S. Government recommends CIS Controls as an approach to implementing the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework. U.S. Senator Kamala Harris stated that the CIS Controls “represented a minimum level of security … that any organization should meet” in 2016 when she was the California Attorney General.
Other organizations recommending the use of CIS Controls include the National Governors Association (NGA) in the U.S. and the Centre for the Protection of National Infrastructure (CPNI) in the U.K. The European Telecommunications Standards Institute (ETSI) has adopted the CIS Controls in addition to several of its companion guides. The National Highway Traffic Safety Administration (NHTSA) also recommends that automotive manufacturers use CIS Controls.
Who uses CIS Controls?
Thousands of organizations of all sizes use CIS Controls, which have been downloaded more than 70,000 times as of May 1, 2017. The state governments of Arizona, Colorado and Idaho have officially adopted them, as have the cities of Oklahoma City, Portland and San Diego among many others. Major corporations that use CIS Controls include Boeing, Citizens Property Insurance, Corden Pharma and the Federal Reserve Bank of Richmond. Educational institutions like the University of Massachusetts also include CIS Controls in their security processes. Many other groups support CIS Controls in their operations, including consultants, integrators and security solution vendors like Softbank, Rapid7 and Tenable.
How are CIS Controls updated?
Members of the CIS community review and update CIS Controls regularly through an informal process. These members belong to various government agencies, business sectors and educational institutions, which provides deep technical expertise in multiple subjects. Some of the most important areas of expertise for updating CIS Controls include threat assessment, defensive technology, tools and enterprise management. CIS members are thus able to develop effective controls against new attacks by pooling their knowledge.
What’s the version history of the CIS controls?
Version 3.0 was the first version of CIS controls to be publicly available, which was released in 2011. The Council on Cyber Security (CCS) released Version 5.0 in 2014 and Version 6.0 the following year. Version 6 re-prioritized the controls and made other significant changes such as the removal of Secure Network Engineering and addition of Email and Web Browser Protections. Version 7.0 was released in 2018, and Version 7.1 was released on April 4, 2019.
What are the CIS Benchmarks?
CIS Controls are a general set of recommended practices for cyber security that doesn’t address specific hardware or software. However, it does reference the need for secure configurations of various devices such as desktops, laptops, servers and mobile devices. The CIS Benchmarks are a set of guidelines for implementing specific hardware and software in compliance with the CIS Controls, including operating systems, software applications, middleware and network devices. Like the CIS Controls themselves, communities of experts develop CIS Benchmarks with a consensus-based approach.
What is the CIS Self-Assessment Tool?
The CIS Controls Self-Assessment Tool, also known as CIS CSAT, is an online platform that allows CIS users to assess, conduct and track their implementation of CIS Controls. It’s based on the CIS Controls Manual Assessment Tool (CIS MAT) which organizations use to implement and document the best practices in the CIS Controls. CIS CSAT builds on CIS MAT by enabling collaboration on assessments and scaling tracking efforts.
How do I use CIS CSAT?
Using CSAT requires you to register, even if you already have a WorkBench account. Once you have access to CSAT, you can collaborate on your assessment across multiple departments by delegating questions to other team members and validating their responses. You can also create new assessments, view existing ones and compare results with anonymous peer groups in your industry.
CIS stores assessment data on its Amazon Web Services (AWS) East Region infrastructure, and doesn’t share it with third parties. The data is stored in an encrypted format in accordance with best practices for AWS. CSAT also allows you to export your results in many common formats, including Excel, PowerPoint and PDF.
How is CIS CSAT data used?
CIS CSAT data helps improve CIS Controls, thus benefiting the organizations that use them. In particular, this data provides insight into existing security gaps, allowing members to collaborate in enhancing the security posture of organizations that implement CIS Controls. CIS CSAT data also supports the CIS community by helping members improve the best practices in CIS Controls.
What do my CIS CSAT results mean?
A CIS CSAT routinely shows that an organization doesn’t comply with some of the recommendations in the CIS Controls. Such a result isn’t necessarily any cause for concern, since some of these controls may be unreasonable for a particular organization. In other cases, a CIS control may be unnecessary because a similar control is already in place.
Fortunately, CIS users can mark a control as “not-applicable,” which prevents the lack of that control from counting against them on the CIS CSAT. Organizations should therefore consider their first CIS CSAT to be a starting point for their implementation of CIS Controls, rather than the final result.
How do I use my CIS CSAT results?
You can use your CIS CSAT results in multiple ways, such as evaluating your progress with a future CSAT. You can also use them to determine the team members responsible for each control. The ability to export a result means that you can easily share them with other project stakeholders, including team members and management. CIS CSAT results can also help you prioritize your organization’s spending on security measures.
About I.S. Partners
I.S. Partners, LLC is a CPA audit firm specializing in IT services such as System and Organization Controls (SOC) audits and IT Assurance services. Our team members have decades of experience from the Big 4 firms, allowing us to competently navigate our clients through business risks in their particular industry. We provide business insight beyond merely providing deliverables by challenging the perception of what it means to be audited. Contact us today to learn more about how we can help you with your next audit.