The CIS Controls are a prioritized set of 18 cybersecurity best practices published by the Center for Internet Security (CIS) to help organizations defend against the most common attacks. Each control is broken down into specific safeguards, and every safeguard is assigned to one of three Implementation Groups (IG1, IG2 and IG3) according to the size, maturity and risk profile of the organization expected to implement it. This lets an organization with limited resources start with a small, achievable set of safeguards while still having a roadmap toward more advanced security implementations.
The Implementation Groups are cumulative (IG2 includes every IG1 safeguard, and IG3 includes everything in IG1 and IG2); each represents a different maturity level and resource commitment:
IG1: Basic cybersecurity hygiene controls for small to medium-sized organizations.
IG2: Intermediate controls for organizations with moderate resources and a higher security focus.
IG3: Advanced controls designed for large organizations with high-risk exposure and extensive resources.
CIS Control 1 (Inventory and Control of Enterprise Assets) requires an accurate, actively maintained inventory of every enterprise asset that can store or process data: end-user devices, network devices, IoT devices and servers, whether physical, virtual or cloud-hosted. You cannot defend a device you do not know exists, so the inventory is the foundation for the remaining controls, and reconciling it against what is actually seen on the network is how unauthorized devices are found and kept off enterprise resources.
Asset Discovery: Identify and record all hardware assets within the organization.
Example: Use automated discovery tools, both active network scans and passive sources such as DHCP logs, to find connected devices and reconcile each discovery against the inventory.
Asset Management: Maintain an inventory database with up-to-date records of hardware assets.
Example: Use an asset management platform to track hardware lifecycle from acquisition to disposal.
Unauthorized Device Control: Monitor and restrict access of unauthorized devices on the network.
Example: Use network access control (NAC) solutions to block unapproved devices.
CIS Control 2 (Inventory and Control of Software Assets) requires an inventory of all software (operating systems and applications) so that only authorized software is installed and allowed to execute, and so that unauthorized or unmanaged software, which adversaries routinely exploit, is found and removed. Ensuring that only authorized software runs reduces the attack surface available to malware and to the misuse of legitimate but unapproved tools.
Software Inventory: Identify and maintain an inventory of all authorized software.
Example: Use endpoint management software to track and manage software installations across devices.
Software Allowlisting (application control): Permit only approved applications to execute and block installation of everything else.
Example: Implement application control policies that allow only approved executables, libraries and scripts.
Supported Software Only: Ensure every inventoried product is still supported by its vendor, and remove or replace versions that no longer receive security fixes. (Patching the software that remains is the job of CIS Control 7, Continuous Vulnerability Management, rather than this control.)
Example: Flag end-of-life versions in the inventory and use the software inventory as the input to automated patch deployment.
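Controls 1 and 2 both come down to the same reconciliation: what was observed (devices on the network, packages on an endpoint) compared against what is authorized. The block below is an added illustration of that reconciliation, not code from CIS or from any inventory product; the discovery-scan lines, the hardware inventory and the package lists are constructed sample data, and the line format assumed for the scan output is a hypothetical "ip mac hostname" layout.

```python
"""Reconcile observed assets against the authorized inventory.

Added illustration for CIS Controls 1 and 2, not code from CIS. The
inventory, scan output and package lists are constructed sample data.
"""

from dataclasses import dataclass, field


@dataclass
class Reconciliation:
    unauthorized: list = field(default_factory=list)  # seen but not approved
    missing: list = field(default_factory=list)       # approved but not seen
    authorized: list = field(default_factory=list)    # seen and approved


def reconcile(observed, authorized):
    """Compare observed identifiers (MAC addresses, package names, ...) with
    the authorized set. Matching is case-insensitive so that 'AA:BB' and
    'aa:bb' describe the same asset."""
    seen = {o.lower() for o in observed}
    approved = {a.lower() for a in authorized}
    return Reconciliation(
        unauthorized=sorted(seen - approved),
        missing=sorted(approved - seen),
        authorized=sorted(seen & approved),
    )


# Constructed sample of discovery output in an assumed "<ip> <mac> <hostname>"
# layout, the kind of line an ARP/neighbor-table based discovery tool emits.
DISCOVERY_SCAN = """\
10.0.1.10 3c:52:82:1a:0b:01 fileserver01
10.0.1.23 3c:52:82:1a:0b:09 laptop-jsmith
10.0.1.77 b8:27:eb:44:9f:c3 (unknown)
10.0.1.80 3c:52:82:1a:0b:0c printer-2f
"""

# Constructed authorized hardware inventory keyed by MAC address.
HARDWARE_INVENTORY = {
    "3C:52:82:1A:0B:01": "fileserver01",
    "3C:52:82:1A:0B:09": "laptop-jsmith",
    "3C:52:82:1A:0B:0C": "printer-2f",
    "3C:52:82:1A:0B:22": "laptop-adoe",  # issued, but absent from this scan
}


def parse_scan(text):
    """Return the MAC column from every non-empty scan line."""
    macs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            macs.append(parts[1])
    return macs


def hardware_report():
    """Unauthorized devices = on the wire but not in the inventory;
    missing = in the inventory but not seen (lost, powered off, or stale)."""
    return reconcile(parse_scan(DISCOVERY_SCAN), HARDWARE_INVENTORY)


# Constructed package list from one endpoint and the organization's allowlist.
INSTALLED_PACKAGES = ["openssh-server", "curl", "nmap", "python3", "telnetd"]
SOFTWARE_ALLOWLIST = ["openssh-server", "curl", "python3", "git"]


def software_report():
    """For software, only `unauthorized` matters; `missing` just lists
    approved packages that happen not to be installed on this endpoint."""
    return reconcile(INSTALLED_PACKAGES, SOFTWARE_ALLOWLIST)


if __name__ == "__main__":
    hw = hardware_report()
    print("unauthorized devices:", hw.unauthorized)   # ['b8:27:eb:44:9f:c3']
    print("inventoried but absent:", hw.missing)      # ['3c:52:82:1a:0b:22']
    sw = software_report()
    print("unapproved software:", sw.unauthorized)    # ['nmap', 'telnetd']
```

The two lists a reviewer acts on differ by control: an unauthorized device is quarantined or removed from the network, while an unapproved package is uninstalled and its presence investigated. The `missing` list is the one people forget; a device that is inventoried but never seen is either a stale record or a laptop that left the building, and either way the inventory is wrong until someone checks.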
CIS Control 3 (Data Protection) covers the processes and technical controls used to identify, classify, securely handle, retain and dispose of data, so that it is protected from unauthorized access, disclosure or modification. This includes data classification, encryption and data loss prevention measures.
Data Classification: Classify data based on its sensitivity and importance.
Example: Label sensitive information as “Confidential” and apply additional security measures.
Data Encryption: Protect data at rest and in transit through encryption.
Example: Use full-disk or volume encryption (AES-256 is the usual choice) on end-user devices and servers, and TLS for every connection that carries sensitive data; encryption at rest only helps if the keys are stored and managed separately from the data they protect.
Data Loss Prevention (DLP): Implement DLP tools to prevent unauthorized data exfiltration.
Example: Monitor outbound email, web uploads and removable media for classified content and block transfers that violate policy.
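The following is an added example of the kind of rule a DLP monitor applies to outbound messages, combining the classification labels from the preceding items with a payment-card detector. It is not code from CIS or from any DLP product; the label names, the message format and the four messages in the outbox are constructed assumptions. The point worth seeing is the Luhn check: a bare regex for 16-digit runs fires on order numbers and tracking IDs, and the checksum is what keeps the rule usable.

```python
"""Outbound-content check in the spirit of a DLP rule.

Added illustration for CIS Control 3, not code from CIS or a DLP product.
Labels, message layout and the sample outbox are constructed assumptions.
"""

import re

# Classification labels the organization stamps on sensitive documents
# (assumed; use the labels of your own classification scheme).
SENSITIVE_LABELS = ("confidential", "restricted")

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or dashes. Short digit runs such as phone numbers never match.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum; filters random digit runs out of the card detector."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def inspect_message(subject, body):
    """Return a list of (rule, detail) hits; an empty list means 'allow'."""
    hits = []
    haystack = f"{subject}\n{body}".lower()
    for label in SENSITIVE_LABELS:
        if re.search(rf"\b{label}\b", haystack):
            hits.append(("classification-label", label))
    for pan in find_card_numbers(body):
        # Report only the last four digits so the alert itself is not a leak.
        hits.append(("payment-card", "****" + pan[-4:]))
    return hits


# Constructed outbound messages: (id, subject, body). The card number in m2
# is the well-known 4111... test value; m3 carries a look-alike that fails Luhn.
OUTBOX = [
    ("m1", "Q3 forecast - CONFIDENTIAL", "Attached as discussed."),
    ("m2", "Invoice 2201", "Please charge 4111 1111 1111 1111 for this invoice."),
    ("m3", "Order status", "Order ref 1234 5678 9012 3456 shipped today."),
    ("m4", "Lunch?", "Noon at the usual place."),
]


def scan_outbox(messages=OUTBOX):
    """Map message id -> hits. Messages with hits are held for review."""
    return {mid: inspect_message(subj, body) for mid, subj, body in messages}


if __name__ == "__main__":
    for mid, hits in scan_outbox().items():
        print(mid, "HOLD" if hits else "allow", hits)
```

In production the same two checks run over attachments and web uploads, not only message bodies, and the label check is better driven by the metadata a classification tool writes into the file than by a substring search. Blocking on a label alone is also a policy decision; many organizations hold the message for the sender to confirm rather than drop it.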
CIS Control 4 (Secure Configuration of Enterprise Assets and Software) requires a secure configuration process for all enterprise assets and software. Default configurations are tuned for ease of deployment rather than security, so establishing a hardened baseline and enforcing it reduces the attack surface and removes many of the misconfigurations adversaries look for first.
Baseline Configurations: Establish and maintain secure baseline configurations for systems.
Example: Use configuration management tools to enforce baseline settings (the CIS Benchmarks are the usual starting point) on all servers.
Configuration Management: Continuously manage and monitor configurations for compliance.
Example: Regularly audit system configurations against the baseline to detect drift and unauthorized changes.
Misconfiguration Remediation: Identify and correct systems that have drifted from the baseline. (Scanning for software flaws that need patches belongs to CIS Control 7, Continuous Vulnerability Management.)
Example: Use automated scanning tools to compare running configurations with the baseline and prioritize the deviations that expose the most risk.
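As an added illustration of a baseline audit (not code from CIS or from a configuration-management product), the block below compares a captured sshd_config-style file against a small baseline and reports every directive that deviates. The baseline values and the captured file are constructed sample data and are not a complete hardening guide; the one real semantic it reproduces is that sshd honors the first occurrence of a directive, so the parser must do the same or it will pass a config whose later, hardened line is silently ignored.

```python
"""Audit a captured configuration against a secure baseline and report drift.

Added illustration for CIS Control 4, not code from CIS or any CM product.
Baseline values and the captured file are constructed sample data.
"""

# Baseline: directive -> required value. Keys are matched case-insensitively,
# as sshd does for its own directives.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed capture of the running configuration on one host.
CAPTURED_CONFIG = """\
# /etc/ssh/sshd_config (captured)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 4
AllowTcpForwarding yes
"""


def parse_config(text):
    """Parse 'Directive value' lines; comments and blank lines are ignored.
    The first occurrence of a directive wins, matching sshd's semantics."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(config_text, baseline=BASELINE):
    """Return findings as (directive, expected, actual). `actual` is None when
    the directive is absent; that counts as drift because the compiled-in
    default is not something the baseline can vouch for."""
    actual = parse_config(config_text)
    findings = []
    for key, expected in baseline.items():
        value = actual.get(key.lower())
        if value is None or value.lower() != expected.lower():
            findings.append((key, expected, value))
    return findings


def is_compliant(config_text, baseline=BASELINE):
    return not audit(config_text, baseline)


if __name__ == "__main__":
    for directive, expected, actual in audit(CAPTURED_CONFIG):
        print(f"DRIFT {directive}: expected {expected!r}, found {actual!r}")
```

Run against the sample capture, the audit flags PermitRootLogin (set to yes), X11Forwarding (commented out, so absent) and LogLevel (absent). The commented-out line is the instructive case: a reviewer eyeballing the file sees the hardened value and may assume it applies, while the parser correctly treats it as not set.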
CIS Control 5 (Account Management) ensures that accounts for users, administrators and services are created, used and retired deliberately, with access granted according to role and responsibility. Policies for account creation, modification and deactivation prevent forgotten or over-privileged accounts from becoming a way in for an attacker.
Account Creation and Approval: Ensure accounts are created based on need and role.
Example: Require management approval for new accounts and assign minimal privileges.
Account Monitoring and Auditing: Regularly review and audit active accounts.
Example: Validate the inventory of all accounts at least quarterly to confirm that every active account belongs to an authorized user with an ongoing need.
Deactivation of Dormant Accounts: Automatically disable or delete accounts that have gone unused, since nobody is watching a dormant account for misuse.
Example: Use account management tools to disable accounts automatically after 45 days of inactivity (the threshold CIS Safeguard 5.3 sets), then delete them once the review confirms they are no longer needed.
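The quarterly review and the dormancy rule above are easy to automate from a last-logon export, and the block below is an added example of doing so; it is not code from CIS or from any directory product. The CSV export, its column names and the report date are constructed assumptions. Two details matter in practice and are handled here: an account that has never logged on has no last-logon timestamp, so it is judged from its creation date (otherwise every brand-new account is flagged on day one), and accounts that are already disabled are skipped so the report lists only what still needs action.

```python
"""Find dormant accounts from an exported last-logon list.

Added illustration for CIS Control 5 (Safeguard 5.3 uses a 45-day threshold),
not code from CIS or any directory product. The CSV export, its column names
and the report date are constructed assumptions.
"""

import csv
import io
from datetime import datetime, timedelta, timezone

DORMANT_AFTER_DAYS = 45

# Constructed export: username, enabled flag, creation date, last logon
# (ISO 8601 UTC; last_logon is empty when the account has never logged on).
LAST_LOGON_EXPORT = """\
username,enabled,created,last_logon
jsmith,true,2023-01-10T09:00:00Z,2024-05-30T08:12:00Z
adoe,true,2023-03-02T09:00:00Z,2024-02-01T17:45:00Z
svc-backup,true,2022-11-15T09:00:00Z,2024-05-31T02:00:00Z
tmp-contractor,true,2024-01-08T09:00:00Z,
new-hire,true,2024-05-20T09:00:00Z,
old-admin,false,2021-06-01T09:00:00Z,2023-09-12T10:00:00Z
"""

# Assumed date the report is run.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_dormant(export_text, now, threshold_days=DORMANT_AFTER_DAYS):
    """Return [(username, reason)] for enabled accounts with no logon within
    `threshold_days`. Never-used accounts are judged from their creation date;
    disabled accounts are skipped because they are already dealt with."""
    threshold = timedelta(days=threshold_days)
    dormant = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue
        if row["last_logon"]:
            last_seen = _parse_ts(row["last_logon"])
            reason = "no logon since " + row["last_logon"]
        else:
            last_seen = _parse_ts(row["created"])
            reason = "never logged on; created " + row["created"]
        if now - last_seen > threshold:
            dormant.append((row["username"], reason))
    return dormant


def dormant_report():
    """Dormant accounts in the sample export as of the assumed report date."""
    return find_dormant(LAST_LOGON_EXPORT, AS_OF)


if __name__ == "__main__":
    for user, reason in dormant_report():
        print(f"DISABLE {user}: {reason}")
```

On the sample data the report names adoe (last logon four months ago) and tmp-contractor (created in January, never used), while new-hire is left alone because it is only twelve days old and old-admin is skipped because it is already disabled. Service accounts such as svc-backup show up in the same scan, which is a feature: a service account that stops logging on usually means the job it served was retired without anyone retiring the account.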