Want clarity on what you REALLY need to be doing by way of security best practice in your organization? Left scratching your head for clearer guidance after reading the PCI DSS, NERC CIP, GDPR or any other Governance, Risk and Compliance (GRC) standard? Still confused about what you must do and should do in terms of data protection for your business, and why? NNT recommends the CIS Controls as an essential ‘go to’ resource for any data security and compliance professional. Our thanks to the Center for Internet Security for continuing to expand the world’s knowledge and understanding of cyber security best practices.
The latest version, CIS Controls V7, keeps the same 20 controls that businesses and organizations around the world already depend upon to stay secure; however, the ordering has been updated to reflect the current threat landscape The latest version breaks down the 20 controls into three specific categories: basic, foundational, and organizational.
Key controls which should be implemented in every organization for essential cyber defense readiness.
Technical best practices provide clear security benefits and are a smart move for any organization to implement.
These controls are more focused on people and process involved in cybersecurity.
"The majority of security incidents occur when basic controls are lacking or are poorly implemented. The first six CIS Controls have been assessed as preventing up to 90% of pervasive and dangerous cyber-attacks.”
Read John Gilligan (CEO of Center for Internet Security) testimony to the United States Senate, Permanent Subcommittee on Investigations, Homeland Security & Government Affairs Committee on Private Sector Data Breaches, Thursday, March 7, 2019.
Read John Gilligan’s testimony »
Watch John Gilligan’s testimony »
The CIS Controls have been formulated to provide clarity and guidance for the bewildering array of security tools and technology, security standards, training, certifications, vulnerability databases, guidance, best practices and compliance mandates. The goal is to answer the fundamental questions regarding security:
What are the most critical areas we need to address and how should an enterprise take the first step to mature their risk management program?
Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a roadmap of fundamentals and guidance to measure and improve?
Which defensive steps have the greatest value?
Most GRC standards outline the need for security best practices to be implemented, supported by strong process and procedures. However, few if any provide any real detail on what is actually expected, recommended or proven to be effective. On the one hand, this generalized and non-prescriptive guidance is unavoidable since every organization is set-up differently. With varying levels of risk to consider, the appropriate level of cyber security defense measures and data protection will necessarily be different for everyone. However there is still a base-level of security practices that everyone should embrace and assimilate into their core IT operations, and this is where the CIS Controls really prove their value.
The first six CIS Controls (Basic) are the most critical to implement and manage. Interestingly, they have more to do with operational controls than they do security controls. NNT’s products uniquely align with the requirements of these "Basic" controls by providing a suite of products that address each of the controls requirements.
NNT's strategic partnership with CIS highlights the industry's need to combine an IT management methodology and best practices from both security and IT service management...resulting in a holistic, comprehensive and prescriptive approach to solving security. This strategy is what NNT calls SecureOps™.
This strategy is underpinned by NNT’s knowledge of the essential common controls that overlap to support and achieve business objectives from two different vantage points. This approach creates the security foundation and a solution to eliminate security breaches and incidents as we know them today.
The CIS Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, individuals); with every role (threat responders and analysts, technologists, vulnerability-finders, tool makers, solution providers, defenders, users, policy-makers, auditors, etc.); and within many sectors (government, power, defense, finance, transportation, academia, consulting, security, IT) who have banded together to create, adopt, and support the Controls.
Top experts from organizations pooled their extensive first-hand knowledge from defending against actual cyber-attacks to evolve the consensus list of Controls, representing the best defensive techniques to prevent or track them. This ensures that the Controls are the most effective and specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of those attacks.
The Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventing or disrupting attackers’ follow-on actions. The defenses identified through these Controls deal with reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organization’s network, disrupting attackers’ command-and-control of implanted malicious code, and establishing an adaptive, continuous defense and response capability that can be maintained and improved.
The CIS Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. At the same time, this is not a one-size-fits-all solution, in either content or priority. You must still understand what is critical to your business, data, systems, networks, and infrastructures, and you must consider the adversary actions that could impact your ability to be successful in the business or operations. Even a relatively small number of Controls cannot be executed all at once, so you will need to develop a plan for assessment, implementation, and process management.
As such the CIS Controls can be used as a universal basis for any compliance mandate an organization is subject to.
Speak to a consultant to learn how NNT automates the CIS Controls
Access CIS Resources
Access a broad range of CIS Benchmark reports to audit your enterprise and continuously monitor for any drift from your hardened state.
Download Reports »
Server Hardening Resources
Download Hardened Services checklists, derived by NNT in conjunction with Microsoft, to manually audit your servers for compliance.
Download Checklists »
Audit Policy Template Resources
Gain access to audit policies derived from the Center for Internet Security to generate audit logs on all relevant security levels.
Download Audit Policies »
Combine industry leading Device Hardening, File Integrity Monitoring, Change Control, Configuration Management & Compliance Management into one easy to use solution that can scale to the most demanding environments!
Automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology) Integrity Assurance.
Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds.