NNT - New Net Technologies
Have you heard of the CIS Controls? Even though they’re not part of any specified GRC (Governance, Risk Management, Compliance) mandate, they could actually be used as the foundation for them all.
A light, straightforward hors d’oeuvre before you take on the mega-calorific, piled-high, full-fat platters of the multi-course feast that is a full Compliance standard. Put simply, Compliance is about ensuring your organization operates IT systems in a way that minimizes their vulnerability to cyber-attack. In the unfortunate event that a breach does succeed, Compliance also confirms that you can quickly identify the offense and respond properly. How you achieve this can be complicated. Since every company is different, with varying levels of risk, security measures are also naturally distinct for everyone.
As such, one of the key faults with our compliance mandates, think PCI DSS, NERC CIP, NIST 800-53 – even GDPR, is that they are documented as a ‘one size fits all’. This single version of the regulations, written in abstract terms, ends up as difficult to read, leaving us to interpret hundreds of pages for ourselves.
As an example, one of the better written documents is NIST 800-53. But it describes itself as:
“A catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber-attacks, natural disasters, structural failures, and human errors.”
Most studies on legibility say 20-25 words is the recommended limit: “when average sentence length is 14 words, readers understand over 90% of what they're reading. At 43 words, comprehension drops to less than 10%”. The more complex the subject matter, the worse this becomes.
The result? A typical compliance standard is a heavy, blunt instrument for tackling cyber security. Not because the guidance is poor, but because articulating it for the masses is so difficult to accomplish.
By contrast, the Center for Internet Security's CIS Controls
- Explain what the security threats are and how to counteract them
- Prescribe the 20 most essential security best practices
- Specifies technological solutions to use where needed
- Are concise and clear (just 76 pages)
A good grounding in cyber security controls has other benefits too, for example, reducing your dependency on external auditor resources. An experienced auditor will be invaluable when conducting a Gap analysis and formal audit. But consulting an Auditor on a day-rate to assess your adoption of fundamental security controls is like paying a Michelin-starred Chef to boil an egg for you. By working through the CIS Controls and evaluating your adoption of them, you can easily see where holes exist in your current security armory before you engage external expertise.
In fact, the beauty of the CIS Controls is that, while they are not specifically designed to be part of any particular compliance mandate, they’re absolutely perfect for all.
Being such fundamental security controls means they are universally powerful components for any corporations’ cyber security program. Even if you’re not currently mandated to prove compliance with any formal GRC guideline* but just concerned with defending against Ransomware and phishing, then the CIS Controls are for you (*this is now a non-argument – laws protecting personal identifiable information such as the GDPR mean that everyone must implement cyber security measures).
The CIS Controls aren’t an alternative to meeting your responsibilities for Compliance, but they most definitely provide more pragmatic guidance than any long-winded GRC publication. They deliver the universal, lowest-common denominator in security controls, suitable for any IT department seeking to improve their cyber security foundation. By adopting CIS Controls, you will also find the push to meet any formal compliance requirement a significantly easier goal.
As an initiative that helps simplifies the understanding of cyber security controls, the CIS Controls should be welcomed by all IT Professionals as accepted know-how. Maybe then Compliance won’t be such an indigestible prospect?