Well-defined security policies and a strong security team are vital for your company's cyber safety. It is needless to say that any organization which exhibits a strong security culture is more secure against cyberattacks than others. A strong security culture is not only about having the right policies and procedures in place, but It's also important to have a cohesive team of employees that support these efforts, as well as communicate them effectively throughout your organization so everyone knows what they're expected to do when faced with risks or threats.
To help companies set up a strong security setup within the company, the SANS Institute has devised the CIS Controls. Formerly known as the Critical Security Controls, these are a list of activities that can be undertaken to protect a company from the most dangerous and prevalent cyberattacks.
This year SANS updated the CIS Controls from version 7 to version 8 with few changes in key areas. This new version was presented at the global RSA Conference 2021 on May 18th, 2021. This included new controls for preventing advanced persistent threats such as Meltdown or Spectre vulnerabilities in processors that can be used by hackers anywhere from their computer desktops all the way up through national infrastructure networks like electricity grids. The best part is that SANS supports these controls with research, training programs, certification exams, etc that are available easily for anyone to take.
In 2008, an international consortium of companies and individuals from every part of the ecosystem came together to create a set of controls that would protect against cyber threats. The experts who developed these rules were deeply involved in the first-hand experience with various types of vulnerabilities as well as solutions for them; this meant that they were able to represent all points of view concerning best practices when it came to assess risk levels or determine where resources should go next during emergencies like those tied into cybersecurity efforts.
The CIS Controls are occasionally updated and reviewed through an innovative community process that brings together practitioners from government, the IT industry, and academia. Each practitioner possesses a deep technical understanding of security threats as well as the most effective ways to stop them; they pool their knowledge in order to find out what changes are needed for better solutions based on the current data.
The CIS Controls are lightweight, flexible and scalable framework that can be tailored to most major compliance frameworks. It maps one-to-one with NIST's Cybersecurity Framework NIST 800-53 as well as ISO 27000 series regulations like PCI DSS or HIPAA for organizations looking at implementing robust data protection practices in their organization from day 1 without any additional costs involved.
Mappings between the controls provide an easy way of getting started using this proven methodology which will give you peace of mind knowing how much control your business has over its information on both privacy issues and security measures if done right!
The new version of the CIS Control scheme is an updated and improved set of safeguards that can be used by any organization to protect their systems from cyber-attacks. The controls are mapped with modern software, cloud computing environments as well as changing attacker tactics like Work From Home (WFH). Here is a list of the Controls in order;
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skills Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing
These 18 actions have been identified by the world’s most knowledgeable cybersecurity practitioners to stop 99% of all hacking attacks. These steps can be implemented by any organization in order to protect themselves from cybercrime and data breaches, without having the need for expensive or time-consuming security measures that could disrupt business as usual operations.
In order to quickly and efficiently identify what's broken in your security, you should do a Risk Assessment based on the SANS CIS Controls. This will allow for the identification of any weaknesses or gaps that could be used by hackers as an entry point into your system (and potentially wreak havoc). The CIS Controls will guide you rapidly identify the most important controls and then focus on them. They're like a map for your enterprise that guides allocating resources, directing efforts towards problems with high payoff immediately, or those in need of long term planning such as adhering security standards set forth by law compliance programs.
Over the last few years, thousands of global enterprises have adopted The CIS Controls including several government and private agencies. Few reputable names include the Federal Reserve Bank, Boeing, Citizens Property Insurance, and the University of Massachusetts. Moreover, the Healthcare industry is also a notable user of CIS Controls such as the Corden Pharma and the Butler Health System. Numerous security solution vendors and consultants such as Softbank, Rapid7, and Tenable have also adopted these as a standard.
CIS Controls are free for anyone to use and upgrade their cybersecurity system. These can be used by vendors, consultants, private or public firms, government agencies, academic institutions, etc. However, implementing these controls is not a one-time feat. Instead, it should be done in gradual stages as many organizations can't afford to implement all 18 security measures at once with the limited resources and time constraints that they have set for themselves.
A more practical approach towards implementing these controls includes:
Step 1: Risk Assessment
This is an important step in the process of securing your information assets. By identifying which risks may be most costly to you, it will help prioritize and implement appropriate controls for those areas before they become threats!
Step 2: Comparison
The CIS Controls will help make sure your security programs are up-to-date with current best practices while helping identify any areas for improvement or additional work needed to be completed on them!
Step 3: Planning
Outline a plan for improving the operational effectiveness of your existing security measures and adopting new technologies to maintain an ever-present lookout against cyber threats. Obtaining management buy-in for your plan will help you form a line of business commitments necessary financial or personnel supports from these key players which may be more difficult without their involvement in making this happen as planned!
Step 4: Implementing
Finally executing the controls will help you keep an eye on trends that could introduce new risks to your organization. Measure progress and risk reduction, then communicate findings with all stakeholders involved!
Want to know more about 18 CIS Controls? Visit the official website of the CIS (Center for Internet Security): https://www.cisecurity.org/controls/
If you are still confused about adopting the SANS CIS Controls and require professional help, then don’t fret, Acropolis is your best friend. We offer enterprise risk assessments along with free consultation to assist you in every step of cyber defense.