Want clarity on what you really need to be doing by way of security best practice in your organization? Left scratching your head for clearer guidance after reading the PCI DSS, NERC CIP, GDPR or any other Governance, Risk and Compliance (GRC) standard? Still confused about what you must do and should do in terms of data protection for your business, and why? NNT recommend the CIS Critical Security Controls as an essential ‘go to’ resource for any data security and compliance professional. Our thanks to the Center for Internet Security for continuing to expand the world’s understanding of cyber security best practices.
The CIS Critical Security Controls have been formulated to provide clarity and guidance for the bewildering array of security tools and technology, security standards, training, certifications, vulnerability databases, guidance, best practices and compliance mandates. The goal is to answer the fundamental questions regarding security:
- What are the most critical areas we need to address and how should an enterprise take the first step to mature their risk management program?
- Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a roadmap of fundamentals and guidance to measure and improve?
- Which defensive steps have the greatest value?
Most GRC standards outline the need for security best practices to be implemented, supported by strong process and procedures. However, few if any provide any real detail on what is actually expected, recommended or proven to be effective. On the one hand, this generalized and non-prescriptive guidance is unavoidable since every organization is set-up differently. With varying levels of risk to consider, the appropriate level of cyber security defense measures and data protection will necessarily be different for everyone. However there is still a base-level of security practices that everyone should embrace and assimilate into their core IT operations, and this is where the CIS Critical Security Controls really prove their value.
The CIS Critical Security Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, individuals); with every role (threat responders and analysts, technologists, vulnerability-finders, tool makers, solution providers, defenders, users, policy-makers, auditors, etc.); and within many sectors (government, power, defense, finance, transportation, academia, consulting, security, IT) who have banded together to create, adopt, and support the Controls.
Top experts from organizations pooled their extensive first-hand knowledge from defending against actual cyber-attacks to evolve the consensus list of Controls, representing the best defensive techniques to prevent or track them. This ensures that the Controls are the most effective and specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of those attacks.
The Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventing or disrupting attackers’ follow-on actions. The defenses identified through these Controls deal with reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organization’s network, disrupting attackers’ command-and-control of implanted malicious code, and establishing an adaptive, continuous defense and response capability that can be maintained and improved.
The CIS Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. At the same time, this is not a one-size-fits-all solution, in either content or priority. You must still understand what is critical to your business, data, systems, networks, and infrastructures, and you must consider the adversary actions that could impact your ability to be successful in the business or operations. Even a relatively small number of Controls cannot be executed all at once, so you will need to develop a plan for assessment, implementation, and process management.
As such the CIS Critical Security Controls can be used as a universal basis for any compliance mandate an organization is subject to.
Speak to a consultant to learn how NNT automates the CIS Controls