Cybersecurity is a huge field, and many practitioners feel that the job of securing an organization can never be "completed". It doesn't have to be that way.
No organization, whatever its budget, can protect against every attack vector, and most security budgets are far from limitless. So how should an organization allocate its limited security resources against the threats it is actually likely to face?
This is where the CIS Controls — also known as the CIS Top 20 Security Controls — come in.
What are CIS Security Controls?
The CIS Controls were created to answer a simple question: “What does a typical organization need to do to defend against known attacks?”
The Controls are a set of 20 best-practice steps organizations can take to protect against cyber attacks. By concentrating effort on a small number of highly effective controls, organizations can substantially reduce cyber risk without exceeding their budgets.
The CIS Controls are effective for most organizations because they focus on the attack vectors most commonly used in real incidents. These top threats are identified from some of the industry's most trusted reports, such as Verizon's annual Data Breach Investigations Report, and vetted by a broad spectrum of cybersecurity experts.
Instead of each organization having to interpret these trends and turn them into action itself, the CIS Controls provide actionable, best-practice guidance on how to protect against current threats. The Controls are revised periodically so that they keep reflecting the most important threats in use.
History of the CIS Controls
The CIS Controls were originally developed by the U.S. National Security Agency (NSA). After several organizations contracted by the U.S. Department of Defense (DoD) suffered major data loss incidents, the DoD asked the NSA to identify the most important security controls to protect against common attacks.
Initially published by the SANS Institute in 2009, the CIS controls were produced through knowledge sharing between a consortium of public and private sector organizations. Before publication, the controls were circulated to hundreds of IT and security organizations, whose comments were used to finalize the first version of the Controls.
Once published, the U.S. State Department reported “remarkable alignment” with the 3,000+ cyber attacks it had experienced during the previous year. From there, the Controls became the standard model for large organizations in both the public and private sectors.
Since their initial publishing, ownership of the Controls has been transferred twice — first to the Council on Cyber Security (CCS) in 2013, and finally to the Center for Internet Security (CIS) in 2015.
Using CIS Controls for Security and Compliance
The security advantages of the CIS Controls are obvious: they represent the most direct path to protecting against the most common cyber threats. Later in this article, we look at what each of the Top 20 Controls covers and which threats it helps defend against.
However, the Controls also have a significant benefit for any organization that must maintain compliance with an industry framework, because most of the major compliance frameworks map closely to the CIS Controls and to the CIS Benchmarks.
CIS publishes mappings showing how the Controls relate to 21 different compliance frameworks, including PCI DSS, HIPAA, the NIST Cybersecurity Framework, the ISO 27000 series, and the UK's Cyber Essentials scheme. Many of those frameworks in turn cite CIS Controls and CIS Benchmarks as accepted sources for secure controls and hardened configuration.
As a result, aligning with CIS resources may be considered a top priority for any organization that needs to minimize cyber risk while maintaining compliance.
CIS Controls: Effective for Reducing Cyber Risk
Modern organizations have no choice but to allocate resources to reduce cyber risk and comply with industry and regulatory requirements. So, when the topic turns to CIS Controls, the most obvious question is: “Will these controls be effective for my organization?”
For most organizations, the answer is yes.
When the State Department implemented the original version of the Controls in 2009, it quickly achieved an 88% reduction in vulnerability-based risk across its 85,000 systems. That is a large result from implementing just 20 security controls.
The reason is simple: the Controls are designed to defend against the most common attacks. When implemented effectively, they substantially reduce an organization's exposure to the bulk of the attacks it is likely to face. They do not guarantee protection against every attack, particularly targeted or novel ones, which is why the Controls are best treated as a baseline rather than a ceiling.
Of course, this prompts a second question: “Are the CIS Controls enough?” With so many frameworks and best practices, many often ask which is best and for what reasons.
Almost all of them are detailed, exhaustive, and descriptive: they tell you what needs to be done. The CIS Controls are different in being prescriptive. They tell you not only what needs to be done but also in what order to do it, so that the highest-value controls are implemented first when building an effective security program.
For many, aligning with the CIS Controls and Benchmarks should be the starting point. From there, applying additional controls as needed to protect against the more unusual and advanced cyber attacks an organization faces will be the next step.
Overview of the CIS Controls
The CIS Controls are broken down into three categories:
Basic Controls — Essential controls for minimum cyber defense.
Foundational Controls — ‘Next step’ controls that provide clear security benefits.
Organizational Controls — Additional controls that cover the people and processes involved in an organization’s cybersecurity function.
Realistically, every organization should aim to align its security program with all 20 CIS Controls. The following table contains a brief overview of each Control, and what it’s designed to protect against.
Basic CIS Controls
| Control | Purpose |
| --- | --- |
| 1. Inventory and Control of Hardware Assets | Track all hardware devices attached to your network and ensure only authorized devices are allowed access. |
| 2. Inventory and Control of Software Assets | Manage all software running on your network and ensure only authorized software can be installed and executed. |
| 3. Continuous Vulnerability Management | Have an ongoing process in place to identify and patch known vulnerabilities. |
| 4. Controlled Use of Administrative Privileges | Control user access and ensure correct use of account privileges. |
| 5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | Achieve and maintain secure configuration of all devices attached to your network. |
| 6. Maintenance, Monitoring, and Analysis of Audit Logs | Collect and monitor logs of all events that could help your organization detect, understand, or recover from a cyber attack. |

Implementing the Basic Controls (Controls 1-6) can reduce cyber risk by as much as 85%.
Foundational CIS Controls
| Control | Purpose |
| --- | --- |
| 7. Email and Web Browser Protections | Minimize opportunities for attackers to manipulate users as they interact with web browsers and email. |
| 8. Malware Defenses | Protect against installation, propagation, and execution of malicious applications. |
| 9. Limitation and Control of Network Ports, Protocols and Services | Manage the use of ports, protocols, and services to minimize vulnerability to attack. |
| 10. Data Recovery Capabilities | Have a process for backing up and recovering critical data. |
| 11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | Manage the secure configuration of network devices using a rigorous configuration and change control process. |
| 12. Boundary Defense | Control the flow of sensitive information in and out of your network, and between internal networks of different trust levels. |
| 13. Data Protection | Ensure the privacy and integrity of sensitive information, and protect against data theft. |
| 14. Controlled Access Based on the Need to Know | Have tools and processes in place to manage and ensure secure access to critical assets. |
| 15. Wireless Access Control | Have tools and processes in place to manage and ensure secure access to wireless networks and access points. |
| 16. Account Monitoring and Control | Manage the creation, use, and deletion of system and application accounts. |
Organizational CIS Controls
| Control | Purpose |
| --- | --- |
| 17. Implement a Security Awareness and Training Program | Provide all users with the knowledge and skills they need to help protect the organization. |
| 18. Application Software Security | Continually manage and improve the security of applications. |
| 19. Incident Response and Management | Have plans, roles, training, and communication in place to ensure effective response to cyber incidents. |
| 20. Penetration Tests and Red Team Exercises | Formally test the effectiveness of security technologies, processes, and people through simulated attacks. |
You can find more information about all of the controls on the CIS Controls download page.
Align with CIS Controls Using CimTrak
CimTrak is an IT integrity, security, and compliance toolset that helps organizations align their security programs with the CIS Controls. CimTrak provides a CIS-certified solution set that includes full or partial coverage for 17 of the 20 Controls and more than 70 CIS Benchmarks.
CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When a change matches a monitored condition, CimTrak raises an alert and generates a report, making it easier to identify and remove any weakness the change introduced.
Some of the top security benefits of CimTrak include:
CIS Controls Powered By CIS Benchmarks
CimTrak uses CIS Benchmarks to continuously assess your infrastructure for configuration weaknesses and to confirm that systems remain in a hardened state. The results of these Benchmark tests are mapped to the CIS Controls, which gives you evidence that a given Control or sub-control has been implemented. CimTrak's reporting shows where you stand in your CIS Controls implementation.
Continuous Vulnerability Management
CimTrak continuously acquires, assesses, and acts on vulnerability information in order to identify weaknesses, remediate them, and minimize the window of opportunity for attackers.
Control all hardware and software assets
CimTrak’s discovery scans make it easy to track your network's assets to ensure they are known, understood, and permitted.
Ensure secure asset configuration
Integrity verification and assurance is the continuous detection, interpretation, and management of change, that is, of deviations from a known-good, expected state of operation. CimTrak filters out routine, authorized change noise so that unwanted, unauthorized, and unexpected activity is pinpointed in real time, which helps maintain a trusted and resilient infrastructure and mitigate the weaknesses that the CIS Benchmarks identify. If a change introduces a vulnerability, CimTrak immediately raises an alert and provides guidance on how to remediate the risk.
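The change detection described in this section and in the monitoring paragraph above (baseline a known-good state, diff the live state against it, and separate authorized change from unexpected drift) is the core of any file-integrity control. The following is an added illustration written for this article; it is not CimTrak's code and does not describe CimTrak internals. It assumes a POSIX filesystem (permission bits are compared) and uses a plain set of "approved" paths as a stand-in for a change ticket; the scenario in `demo()` is constructed in a temporary directory.

```python
"""Baseline-and-drift file integrity check (added illustration, not CimTrak code).

Assumptions: POSIX mode bits are meaningful, and the `approved` set stands in
for an approved change record so that authorized changes are not alerted on.
"""
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, dict[str, str]]:
    """Snapshot every regular file under root: relative path -> content hash and mode bits."""
    snapshot: dict[str, dict[str, str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # symlinks and directories are out of scope for this illustration
        rel = p.relative_to(root).as_posix()
        snapshot[rel] = {"sha256": sha256_file(p), "mode": oct(p.stat().st_mode & 0o777)}
    return snapshot


@dataclass
class Drift:
    """Unexpected changes bucketed by kind; authorized changes are reported separately."""
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)
    modified: list[str] = field(default_factory=list)      # content hash differs
    mode_changed: list[str] = field(default_factory=list)  # same content, permissions differ


def detect_drift(baseline: dict, current: dict, approved: set[str]) -> tuple[Drift, list[str]]:
    """Diff two snapshots. Paths in `approved` are filed as authorized change;
    everything else is drift that should raise an alert."""
    drift = Drift()
    authorized: list[str] = []

    def record(bucket: list[str], rel: str) -> None:
        (authorized if rel in approved else bucket).append(rel)

    for rel in sorted(current.keys() - baseline.keys()):
        record(drift.added, rel)
    for rel in sorted(baseline.keys() - current.keys()):
        record(drift.removed, rel)
    for rel in sorted(baseline.keys() & current.keys()):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            record(drift.modified, rel)
        elif baseline[rel]["mode"] != current[rel]["mode"]:
            record(drift.mode_changed, rel)
    return drift, authorized


def demo() -> tuple[Drift, list[str]]:
    """Constructed scenario: one approved binary upgrade plus four changes nobody
    approved (hardening reverted, sudoers made world-writable, a script dropped
    into bin, an auth log deleted)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "etc/sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc/sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "etc/sudoers").chmod(0o440)
        (root / "bin/app").write_bytes(b"\x7fELF-v1")
        (root / "bin/app").chmod(0o755)
        (root / "var/log/auth.log").write_text("Accepted publickey for ops\n")
        baseline = build_baseline(root)

        (root / "bin/app").write_bytes(b"\x7fELF-v2")                  # approved upgrade
        (root / "etc/sshd_config").write_text("PermitRootLogin yes\n")  # hardening reverted
        (root / "etc/sudoers").chmod(0o666)                             # permissions loosened
        (root / "bin/dropper.sh").write_text("#!/bin/sh\n")             # unexpected new file
        (root / "var/log/auth.log").unlink()                            # evidence removed
        current = build_baseline(root)

        return detect_drift(baseline, current, approved={"bin/app"})


if __name__ == "__main__":
    drift, authorized = demo()
    print("authorized:", authorized)
    for kind in ("added", "removed", "modified", "mode_changed"):
        for rel in getattr(drift, kind):
            print(f"ALERT {kind:13s} {rel}")
```

Two design points matter in practice. First, hashing alone misses the `sudoers` case, where content is unchanged but permissions were loosened, so the snapshot records mode bits as well as a digest. Second, the `approved` set is what turns a noisy diff into a useful alert: the planned `bin/app` upgrade is filed as authorized, while the reverted `sshd_config` hardening, the dropped script, and the deleted log all surface as drift.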
Recover critical data
If data is compromised, e.g., by a ransomware attack, CimTrak can quickly restore critical files back to their baseline state.
To see a full listing of the controls CimTrak is aligned with and how CimTrak can help your organization align its security strategy and processes with CIS Controls, download the solution brief today.
June 17, 2020