Where can individuals and companies go to get a list of specific information security that they should implement?
Official frameworks from NIST, SOC 2, and others can be hundreds of pages long. They may leave the reader overwhelmed, wondering how to even get started. I recommend my clients read the Center for Internet Security (CIS) Controls to learn about specific controls and also to understand the big picture in terms of information security.
The CIS Controls V 7.1 is a free 78-page document that outlines 20 controls that "collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks." The Center for Internet Security is a non-profit dedicated to making "the connected world a safer place..." The controls are developed by experienced information technology professionals from a variety of industry backgrounds.
Image: Bridge over the Allegheny River in Pittsburgh
The CIS Controls document includes images and charts that help explain information security at a high level for executive-level readers in terms they can understand. It also contains specific steps so that the readers with technical skills and responsibilities have enough information to move forward.
The clients I work with are often new to compliance frameworks or are smaller organizations. They don't always understand the need to implement some security controls to meet requirements. They may only have a handful of developers and a systems administrator whose experience may be limited to the most basic of security controls. They know they don't want their applications and servers to get hacked. But they don't know what to do beyond having proper firewall rules, patched systems, and strong passwords to protect their environment.
Some clients undergo annual pen tests of their web applications. The rest of the time they are focused on continuously updating code and running their business. They don't know why it's necessary to have an up-to-date inventory of systems or why they need file integrity monitoring.
The flip side is larger companies that have big IT and information security departments with dedicated teams that work in silos. While the individual team members are very experienced and skilled in specific control areas, they may not be knowledgeable about, or even aware of, control topics outside of their specialization. The CIS document brings it all together.
The CIS Controls document lists the 20 controls in order so that management, information technology, and information security staff can see a clear roadmap. The document organizes the controls into three areas: Basic, Foundational, and Organizational. Inventory of hardware and software assets falls under Basic. Boundary Defense and Data Protection fall under the Foundational controls category. Incident Response and Management is an Organizational control. Let's take a look at the entire list.
Basic Controls
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
Foundational Controls
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
Organizational Controls
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
Each control is listed with a short explanation of what it is and why it is critical. It also explains how hackers can take advantage when the control is not in place. Each control includes a chart with sub-controls. A Procedures and Tools section for each control provides additional recommendations as to which security tools would be useful, such as Intrusion Detection Systems/Intrusion Prevention Systems for Control 12 - Boundary Defense.
The CIS Controls document states that while these are the 20 controls all organizations should implement, they are not a one-size-fits-all solution. You must understand them in the context of what is critical to your business and take into account how the controls may impact your operations.
To help with that, the document sorts organizations into three Implementation Groups based on their size, resources, and the sensitivity of the data they handle, and marks which sub-controls apply to each group. Implementation Group 3 is for larger companies that have large IT departments and expertise in information security and that manage more sensitive data. They would implement all of the sub-controls for each major control. For example, for Control 4 - Controlled Use of Administrative Privileges, a small company would implement only 2 of the 9 sub-controls. A large company would implement all 9 sub-controls.