Sunday, October 25, 2020

The Center for Internet Security Controls

Where can individuals and companies go to get a list of specific information security controls that they should implement?

Official frameworks such as NIST and SOC 2 can be hundreds of pages long. They may leave the reader overwhelmed, wondering how to even get started. I recommend my clients read the Center for Internet Security (CIS) Controls to learn about specific controls and also to understand the big picture in terms of information security.

The CIS Controls v7.1 is a free 78-page document that outlines 20 controls that "collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks." The Center for Internet Security is a non-profit dedicated to making "the connected world a safer place..." The controls are developed by experienced information technology professionals from a variety of industry backgrounds.

Bridge over the Allegheny River in Pittsburgh

The CIS Controls document includes images and charts that help explain information security at a high level for executive-level readers in terms they can understand. It also contains specific steps so that the readers with technical skills and responsibilities have enough information to move forward. 

The clients I work with are often new to compliance frameworks or are smaller organizations. They don't always understand the need to implement some security controls to meet requirements. They may only have a handful of developers and a systems administrator whose experience may be limited to the most basic of security controls. They know they don't want their applications and servers to get hacked. But they don't know what to do beyond having proper firewall rules, patched systems, and strong passwords to protect their environment.  

Some clients undergo annual pen tests of their web applications. The rest of the time they are focused on continuously updating code and running their business. They don't know why it's necessary to have an up-to-date inventory of systems or why they need file integrity monitoring.

The flip side of that is larger companies that have big IT and information security departments with dedicated teams that work in silos. While the individual team members are very experienced and skilled in specific control areas, they may not be knowledgeable about or even aware of control topics outside of their specialization. The CIS document brings it all together.

The CIS Controls document presents the 20 controls in order so that management, information technology, and information security staff can see a clear roadmap. The document organizes the controls into three areas: Basic, Foundational, and Organizational. Inventory of hardware and software assets falls under Basic. Boundary Defense and Data Protection fall under the Foundational category. Incident Response and Management is an Organizational control. Let's take a look at the entire list.

Basic Controls

1. Inventory and Control of Hardware Assets

2. Inventory and Control of Software Assets

3. Continuous Vulnerability Management

4. Controlled Use of Administrative Privileges

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational Controls

7. Email and Web Browser Protections

8. Malware Defenses

9. Limitation and Control of Network Ports, Protocols and Services

10. Data Recovery Capabilities

11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

12. Boundary Defense

13. Data Protection

14. Controlled Access Based on the Need to Know

15. Wireless Access Control

16. Account Monitoring and Control

Organizational Controls

17. Implement a Security Awareness and Training Program

18. Application Software Security

19. Incident Response and Management

20. Penetration Tests and Red Team Exercises

Each control is listed with a short explanation of what it is and why it is critical. The document also explains how attackers can take advantage when the control is not in place. Each control includes a chart of its sub-controls. A Procedures and Tools section for each control provides additional recommendations as to which security tools would be useful, such as Intrusion Detection Systems/Intrusion Prevention Systems for Control 12 - Boundary Defense.

The CIS Controls document states that while these are the 20 controls all organizations should implement, they are not a one-size-fits-all solution. You must understand them in the context of what is critical to your business and take into account how the controls may impact your operations.

The document also defines Implementation Groups, which specify the sub-controls that apply to organizations based on their size. Implementation Group 1 is for small businesses. They would implement a subset of the sub-controls based on the data they are protecting and their staffing resources.

Implementation Group 2 is for medium-sized organizations that have dedicated IT departments and more resources. They would implement more sub-controls than small businesses.

Implementation Group 3 is for larger companies that have large IT departments, expertise in information security, and manage more sensitive data. They would implement all of the sub-controls for each major control. For example, for Control 4 - Controlled Use of Administrative Privileges, a small company would implement only 2 of the 9 sub-controls. A large company would implement all 9 sub-controls.

Whether you are an individual just getting started in information security or a seasoned professional, the CIS Controls document is a great resource. I frequently reference and share it. It distills principles and practices from cybersecurity books and frameworks into 20 succinct and easy-to-understand controls. You can obtain the CIS Controls at:
