CIS Security Controls: What Are They and Should You Use Them?


Cybersecurity is a huge field, and to many within information security it can feel like a job that is never 'finished'. It doesn't have to feel that way.

Few organizations have limitless security budgets, and with finite resources it can seem impossible to protect completely against every attack vector, so managing cyber risk is a real challenge. How should an organization allocate its limited security resources to best reduce that risk?

This is where the CIS Controls, also known as the CIS Top 20 Security Controls, come in. (The 20-control structure described in this article is version 7 of the Controls; version 8, released in 2021, consolidates them into 18 Controls.)

What are CIS Security Controls?

The CIS Controls were created to answer a simple question: “What does a typical organization need to do to defend against known attacks?”

The Controls are a set of 20 best practice steps organizations can take to protect against cyber attacks. By focusing on a few highly effective controls, organizations can drastically reduce cyber risk without breaking their budgets.

The CIS Controls are effective for most organizations because they focus on the most common attack vectors in current use, and therefore on the largest sources of risk. These top threats are identified from some of the industry's most trusted reports, such as Verizon's annual Data Breach Investigations Report, and vetted by a broad spectrum of cybersecurity experts.

Instead of every organization having to interpret and act on these trends itself, the CIS Controls provide actionable, best-practice guidance on how to protect against the threats currently in use. The Controls are revised periodically to reflect the most important current threats.

History of the CIS Controls

The CIS Controls were originally developed by the U.S. National Security Agency (NSA). After several organizations contracted by the U.S. Department of Defense (DoD) suffered major data loss incidents, the DoD asked the NSA to identify the most important security controls to protect against common attacks.

Initially published by the SANS Institute in 2009, the CIS Controls were produced through knowledge sharing between a consortium of public and private sector organizations. Before publication, the Controls were circulated to hundreds of IT and security organizations, whose comments were used to finalize the first version.

Once published, the U.S. State Department reported “remarkable alignment” with the 3,000+ cyber attacks it had experienced during the previous year. From there, the Controls became the standard model for large organizations in both the public and private sectors.

Since their initial publishing, ownership of the Controls has been transferred twice — first to the Council on Cyber Security (CCS) in 2013, and finally to the Center for Internet Security (CIS) in 2015.

Using CIS Controls for Security and Compliance

The security advantages of CIS Controls are obvious. The controls represent the lowest-resistance path to protecting against the most common cyber threats. Later in this article, we’ll look at what each of the Top 20 controls covers, and which threats it helps to defend against.

However, the Controls also have a major benefit for any organization that must maintain compliance with an industry framework. Why? Because most of the major compliance frameworks map closely to the CIS Controls and to the CIS Benchmarks.

CIS publishes mappings showing how the Controls relate to 21 different compliance frameworks, including PCI DSS, HIPAA, the NIST Cybersecurity Framework, the ISO 27000 series, and the UK's Cyber Essentials scheme. Many of those frameworks in turn reference the CIS Controls and CIS Benchmarks as accepted standards for secure controls and configuration.

As a result, aligning with CIS resources may be considered a top priority for any organization that needs to minimize cyber risk while maintaining compliance.

CIS Controls: Effective for Reducing Cyber Risk

Modern organizations have no choice but to allocate resources to reducing cyber risk and complying with industry and regulatory requirements. So, when the topic turns to CIS Controls, the most obvious question is: “Will these controls be effective for my organization?”

The answer is a resounding yes.

When the State Department implemented the original version of the Controls in 2009, it quickly achieved an 88% reduction in vulnerability-based risk across its 85,000 systems. That’s a huge result from implementing just 20 security controls.

The reason for this result is simple. The Controls are designed to help organizations protect against the most common attacks. When implemented effectively, they address the techniques behind the overwhelming majority of observed cyber attacks, which for most organizations covers most of the attacks they are realistically likely to face.

Of course, this prompts a second question: "Are the CIS Controls enough?" With so many frameworks and best practices available, people often ask which is best, and why.

Almost all of them are detailed, exhaustive, and descriptive: they tell you what needs to be done. Only one is also prescriptive. The CIS Controls not only tell you what needs to be done, but also in what order the steps should be considered when implementing an effective security program.

For many organizations, aligning with the CIS Controls and Benchmarks should be the starting point. Applying additional controls as needed to protect against the more unusual and advanced attacks an organization faces is the next step.

Overview of the CIS Controls

The CIS Controls are broken down into three categories:

Basic Controls — Essential controls for minimum cyber defense.

Foundational Controls — ‘Next step’ controls that provide clear security benefits.

Organizational Controls — Additional controls that cover the people and processes involved in an organization’s cybersecurity function.

Realistically, every organization should aim to align its security program with all 20 CIS Controls. The following table contains a brief overview of each Control, and what it’s designed to protect against.

Basic CIS Controls

1. Inventory and Control of Hardware Assets: Track all hardware devices attached to your network and ensure only authorized devices are allowed access.

2. Inventory and Control of Software Assets: Manage all software running on your network and ensure only authorized software can be installed and executed.

3. Continuous Vulnerability Management: Have an ongoing process in place to identify and patch known vulnerabilities.

4. Controlled Use of Administrative Privileges: Control user access and ensure correct use of account privileges.

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers: Achieve and maintain secure configuration of all devices attached to your network.

6. Maintenance, Monitoring and Analysis of Audit Logs: Collect and monitor logs of all events that could help your organization detect, understand, or recover from a cyber attack.

Implementing the Basic Controls (Controls 1-6) alone may reduce cyber risk by as much as 85%.
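Controls 1 and 2 both come down to the same mechanic: reconcile what is actually observed on the network or host against an authorized inventory, and treat anything unaccounted for as a finding. The following Python is an added illustration of that reconciliation and is not part of the original article or of any vendor product. The `arp -a` output and the `dpkg-query -W -f='${Package}\t${Version}\n'` listing are constructed samples in the shape those commands produce; the inventory and software allowlist are hypothetical.

```python
"""Asset reconciliation for CIS Controls 1 (hardware) and 2 (software).

Added illustration: observed devices and packages are compared against an
authorized inventory, and the differences become findings. All inputs below are
constructed samples, not data from a real environment.
"""
import re

# Constructed authorized hardware inventory, keyed by MAC address.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:dd:ee:01": "fileserver01",
    "aa:bb:cc:dd:ee:02": "workstation-finance-07",
    "aa:bb:cc:dd:ee:03": "printer-2f",
    "aa:bb:cc:dd:ee:04": "switch-core",  # authorized but not seen on this segment
}

# Constructed sample in the shape of `arp -a` on Linux.
ARP_OUTPUT = """\
? (10.0.0.5) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (10.0.0.23) at AA:BB:CC:DD:EE:02 [ether] on eth0
? (10.0.0.40) at aa:bb:cc:dd:ee:03 [ether] on eth0
? (10.0.0.99) at de:ad:be:ef:00:01 [ether] on eth0
? (10.0.0.1) at <incomplete> on eth0
"""

# Constructed authorized software allowlist and a sample in the shape of
# `dpkg-query -W -f='${Package}\t${Version}\n'`.
AUTHORIZED_SOFTWARE = {"openssh-server", "nginx", "postgresql-14"}
DPKG_OUTPUT = """\
openssh-server\t1:9.2p1-2
nginx\t1.22.1-9
postgresql-14\t14.9-0
ncat\t7.93+dfsg1-1
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")


def parse_arp(text: str) -> dict:
    """Return {mac: ip} for complete ARP entries, MACs normalised to lowercase."""
    observed = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:  # '<incomplete>' entries have no MAC and are skipped
            observed[match["mac"].lower()] = match["ip"]
    return observed


def parse_dpkg(text: str) -> dict:
    """Return {package: version} from a tab-separated dpkg-query listing."""
    installed = {}
    for line in text.splitlines():
        if "\t" in line:
            name, version = line.split("\t", 1)
            installed[name] = version
    return installed


def reconcile(authorized, observed):
    """Generic allowlist check: (present but unauthorized, authorized but absent)."""
    return sorted(set(observed) - set(authorized)), sorted(set(authorized) - set(observed))


def hardware_report(inventory: dict, arp_text: str) -> dict:
    """Control 1: unknown devices on the wire, and inventory entries not seen."""
    observed = parse_arp(arp_text)
    unknown, missing = reconcile(inventory, observed)
    return {
        "unauthorized": [(mac, observed[mac]) for mac in unknown],
        "missing": [(mac, inventory[mac]) for mac in missing],
    }


def software_report(allowlist: set, dpkg_text: str) -> dict:
    """Control 2: installed packages that are not on the allowlist."""
    installed = parse_dpkg(dpkg_text)
    unauthorized, _ = reconcile(allowlist, installed)
    return {name: installed[name] for name in unauthorized}


if __name__ == "__main__":
    print(hardware_report(AUTHORIZED_DEVICES, ARP_OUTPUT))
    print(software_report(AUTHORIZED_SOFTWARE, DPKG_OUTPUT))
```

The "missing" list matters as much as the "unauthorized" one: an authorized device that never appears may have been moved, replaced, or spoofed, and an inventory that is never reconciled against observation drifts into fiction. In practice the observed side would come from several sources (DHCP leases, switch MAC tables, EDR agents) and the match would be on more than a MAC, which an attacker can clone.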

Foundational CIS Controls

7. Email and Web Browser Protections: Minimize opportunities for attackers to manipulate users as they interact with web browsers and email.

8. Malware Defenses: Protect against installation, propagation, and execution of malicious applications.

9. Limitation and Control of Network Ports, Protocols and Services: Manage the use of ports, protocols, and services to minimize vulnerability to attack.

10. Data Recovery Capabilities: Have a process for backing up and recovering critical data.

11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches: Manage the secure configuration of network devices using a rigorous configuration and change control process.

12. Boundary Defense: Control the flow of sensitive information in and out of your network, and between internal networks of different trust levels.

13. Data Protection: Ensure the privacy and integrity of sensitive information, and protect against data theft.

14. Controlled Access Based on the Need to Know: Have tools and processes in place to manage and ensure secure access to critical assets.

15. Wireless Access Control: Have tools and processes in place to manage and ensure secure access to wireless networks and access points.

16. Account Monitoring and Control: Manage the creation, use, and deletion of system and application accounts.

Organizational CIS Controls

17. Implement a Security Awareness and Training Program: Provide all users with the knowledge and skills they need to help protect the organization.

18. Application Software Security: Continually manage and improve the security of applications.

19. Incident Response and Management: Have plans, roles, training, and communication in place to ensure effective response to cyber incidents.

20. Penetration Tests and Red Team Exercises: Formally test the effectiveness of security technologies, processes, and people through simulated attacks.

You can find more information about all of the controls at the CIS Controls download page.

 

Align with CIS Controls using CimTrak

CimTrak is an IT integrity, security, and compliance toolset that helps organizations align their security programs with the CIS Controls. CimTrak provides a CIS-certified solution set with full or partial coverage for 17 of the 20 Controls and more than 70 CIS Benchmarks.

CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When specified changes occur, CimTrak raises an alert and a report, making it easy to identify and eliminate any vulnerabilities introduced.

Some of the top security benefits of CimTrak include:

CIS Controls Powered By CIS Benchmarks. CimTrak uses CIS Benchmarks to continuously assess your infrastructure for misconfigurations and to ensure that systems remain in a hardened state. The results of these Benchmark tests are mapped to the CIS Controls, giving you evidence that a Control or sub-control has been implemented. CimTrak's reporting makes it easy to see where you stand in your CIS Controls implementation.

Continuous Vulnerability Management. CimTrak continuously acquires, assesses, and acts on information to identify vulnerabilities, remediate them, and minimize the attacker's window of opportunity.

Control all hardware and software assets. CimTrak's discovery scans make it easy to keep track of assets on your network and to ensure they are known, understood, and permitted.

Ensure secure asset configuration. Integrity verification and assurance is the continuous detection, interpretation, and management of change: any deviation from a known-good, expected state of operation. CimTrak filters out routine change noise to pinpoint unwanted, unauthorized, and unexpected activity in real time, helping to establish a trusted and resilient infrastructure. If a change introduces a vulnerability, CimTrak raises an alert immediately and provides guidance on how to remediate the risk.

Recover critical data. If data is compromised, e.g., by a ransomware attack, CimTrak can quickly restore critical files back to their baseline state.
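The integrity-verification idea behind the bullets above (Control 5 in the table, and Control 10's "restore to baseline") is independent of any product: record a trusted baseline of the files you care about, re-scan, and classify every deviation. The following Python is an added illustration of that technique written for this article; it is not CimTrak's code and does not describe how CimTrak works internally. The directory tree, the file contents and the baseline key are constructed for the demonstration, and the key would live off the monitored host in any real deployment.

```python
"""Integrity verification: baseline a tree, detect drift, protect the baseline.

Added illustration of the technique. Not vendor code. The sample files and the
BASELINE_KEY below are constructed for the demo; a real key belongs off-host.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile

BASELINE_KEY = b"hypothetical-baseline-key-keep-off-the-monitored-host"


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Record digest, size and permission bits of every regular file under root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = {"sha256": hash_file(full), "size": st.st_size,
                            "mode": oct(stat.S_IMODE(st.st_mode))}
    return records


def seal(records: dict, key: bytes) -> bytes:
    """Serialise the baseline under an HMAC so edits to the stored baseline are detected."""
    body = json.dumps(records, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"records": body, "hmac": tag}).encode()


def unseal(blob: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting a stored baseline; raise on mismatch."""
    wrapper = json.loads(blob)
    expected = hmac.new(key, wrapper["records"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["hmac"]):
        raise ValueError("baseline HMAC mismatch: stored baseline has been altered")
    return json.loads(wrapper["records"])


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots as added, removed or modified paths."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p] != current[p])}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, introduce four changes a
    monitor should catch, then try to rewrite the stored baseline to hide one."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(data)
            return path

        sshd = write("etc/ssh/sshd_config", "PermitRootLogin no\n")
        app = write("opt/app/server", "#!/bin/sh\necho serving\n")
        write("etc/motd", "authorised use only\n")
        sealed = seal(snapshot(root), BASELINE_KEY)

        # Drift: weakened config, new persistence file, mode change, deletion.
        with open(sshd, "w") as fh:
            fh.write("PermitRootLogin yes\n")
        write("etc/cron.d/persist", "* * * * * root /tmp/x\n")
        os.chmod(app, 0o755)  # files created above never carry execute bits
        os.remove(os.path.join(root, "etc/motd"))
        report = compare(unseal(sealed, BASELINE_KEY), snapshot(root))

        # Tamper: attacker edits the stored baseline to match the altered file.
        wrapper = json.loads(sealed)
        records = json.loads(wrapper["records"])
        records["etc/ssh/sshd_config"]["sha256"] = hash_file(sshd)
        wrapper["records"] = json.dumps(records, sort_keys=True)
        try:
            unseal(json.dumps(wrapper).encode(), BASELINE_KEY)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the code makes that the bullets only imply. First, a baseline is only as trustworthy as its storage: an attacker who can alter monitored files can usually alter a baseline sitting beside them, which is why the baseline is authenticated here (and why real deployments keep it on a separate system). Second, "change" is not just content; a permission change on an unchanged binary is recorded as a modification, because that is exactly how privilege escalation often looks on disk.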

To see a full listing of the controls CimTrak is aligned with and how CimTrak can help your organization align its security strategy and processes with CIS Controls, download the solution brief today.


Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".