Security Frameworks and CIS Controls
DATA SECURITY PODCAST
In a recent podcast interview with Steve Morgan, editor-in-chief of Cybercrime Magazine, Robert E. Johnson, III, Cimcor CEO/President, discusses the latest views on data security and the importance of security frameworks and best practices for businesses. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast, sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is Cimcor President and CEO Robert Johnson, III. Robert has been a pioneer in the development of next-gen system integrity monitoring, self-healing systems, and cybersecurity software. Rob, great to have you back with us again.
A: Great to be back with you Steve.
Q: So I want to jump right in today and talk to you about best practices and frameworks. You're one of the top people in the industry on this topic. You have to tell me: with so many best practices and security frameworks we read about, you know, in so many different places, a CISO asking himself or herself, where should I start and why? Does one provide a better structure than another?
A: Right. Well, you know, I get that question a lot and the real answer Steve, is that there isn't a silver bullet. There's not one framework that kind of fits the needs of everyone. Every organization is unique, and they all have their own set of regulatory and compliance requirements. So really, the right answer is dependent on the industry that you are in. You really have to assess what is out there and then select that framework that makes the most sense for your organization. Now, am I biased towards things? Yes, I have some biases.
I am more biased toward frameworks that are more specific, frameworks that provide security professionals with a little guidance on exactly what we need to do, so that you know you are not forgetting steps. A good example of a framework that provides that level of specificity is the CIS Controls framework, especially when you combine it with CIS Benchmarks. I mean, that provides security professionals with a lot of strong, actionable information and guidance. I think it makes it easier for folks to understand exactly what they need to do, and also to audit where they are in this compliance and framework implementation continuum.
But ultimately, you have to pick the framework that works for you. I would say, regardless of the framework that you select, you need to find a way to measure where you stand from a level of compliance with that framework, and you need to identify the frequency at which you are going to measure yourself.
You also want to look for trends. Are you compliant today, and if you check again in a week are you at the same level of compliance? Or has that dropped over time, or this past week, or increased? So you need to measure that [trend] over time, or continuously measure where you stand in terms of implementation of that framework. We are working on creating tools to help you do that with our product CimTrak. But there are a variety of methods that you can implement, a lot of them manual, to assess where you stand. And I recommend doing it as frequently as you can.
Q: So Robert, for our listeners who don't have a lot of experience with this, or maybe, you know, for the first time they're thinking seriously about CIS, can you give us one example of a CIS Benchmark?
A: Sure. So, you have CIS Controls, and that's the framework. And then you have CIS Benchmarks, and I will describe both. CIS Controls is the security framework, and they define 20 key controls that, when implemented, improve the security posture of your organization. Those controls are broken into three core areas: basic, foundational, and organizational.
The basic controls include items such as inventory of your hardware assets, inventory of what software is running on those assets, performing continuous vulnerability management, and ensuring that you have a handle on administrator privileges. So those are the kinds of items that are listed in CIS Controls. They go on to even things like ensuring that you have an incident response system or ensuring that you are performing security training. It is that general framework. Now, what is interesting about CIS Controls is that they also have a sister product, CIS Benchmarks.
CIS Benchmarks are a set of recommendations for how systems should be configured in order to ensure that they are in a hardened state. So CIS Controls is general and applies to everything, and CIS Benchmarks are very specific and apply to a particular operating system.
For instance, you may say, let's assess a particular system, a Windows 10 system, against the Windows 10 CIS Benchmark. In that scenario, there are perhaps 300-400 configuration items that will be checked to make sure that the Windows 10 system is configured in a hardened state, and really the CIS Benchmarks recommend the best practices from a hardening perspective. And those [benchmarks] are for Windows, Linux (CentOS and Red Hat), databases, and different network devices. So it's a great way for security professionals to really drill in and go deep, without having to understand every single little parameter or configuration item, and actually configure those systems in a secure state and harden them.
I think that [benchmarks] are a shortcut to make sure that you are in the best security posture that you can be in, based upon consensus and good practices.
Q: That was great. Robert, I'm glad I asked and that you shared that. For anyone listening, you can go off and learn more at cimcor.com/cimtrak. They've got a lot of great information published specifically on CIS Controls and Benchmarks. Robert, great having you today.
A: Love being on with you, Steve, and we'll catch up with you next time.
We hope you enjoyed listening. To learn more, download the CimTrak CIS Benchmarks solution brief.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".