Understanding whether you need to implement the CIS security controls comes down to:
- Checking your regulatory requirements to see if they’re mandated
- Parsing existing and potential data privacy agreements you have
- Considering your other options for comprehensive data protection
- Working with a CIS compliance advisor to strategize for security
Check Your Regulatory Requirements
The Center for Internet Security (CIS) publishes a list of 18 cybersecurity best practices known as the CIS Critical Security Controls for effective cyber defense. CIS is not a regulatory agency in and of itself, and the CIS Controls are a set of recommendations, not requirements. So, at present, there are no explicit legal mandates to implement them at the federal or state level.
However, the CIS Controls may be a formal or informal requirement within your industry. Or, local ordinances and laws might require a baseline level of data privacy where your business operates. In these cases, the CIS Controls might be one of several optional frameworks you can implement and assess to maintain the certification you need to continue operations as normal.
Beyond the CIS Controls themselves, CIS also publishes the CIS Benchmarks: secure configuration baselines for common software and applications, such as web browsers and operating systems. A combination of these baselines and the controls may be required or recommended for your organization.
And, even if they are not explicitly mandated, the CIS Critical Security Controls v8 are an excellent way to protect your data—and meet other explicit or implicit security requirements.
Parse Your Data Privacy Agreements
Outside of direct regulatory requirements placed on you, there are other reasons to implement security frameworks such as the CIS Controls. Chief among them are the expectations set within your industry or operating environment, and the specific preferences of a prospective business partner.
You should scan your existing and potential contracts for mentions of the CIS Security Controls or any other data privacy requirements that implementing the controls would help you meet.
For example, even if your organization is not involved in healthcare, there is a chance that you may need to abide by the rules set out in the Health Insurance Portability and Accountability Act (HIPAA). HIPAA applies directly to covered entities such as healthcare providers, insurance plan administrators, and clearinghouses. But it also applies indirectly to business associates of these covered entities. Business associate contracts stipulate the specific measures you need to take to keep protected health information (PHI) safe, and CIS implementation might be required.
Even if the CIS Controls are not an explicit requirement, they may be the ideal way to meet any named specifications efficiently—especially if your partner organization is familiar with them.
Consider Other Comprehensive Protections
The CIS Security Controls are effective for a wide range of organizations precisely because they do not focus on industry- or location-specific protections. Instead, they prioritize a broad, layered set of protections that can be tailored to the specific context in which you find yourself.
If this approach appeals to you, you should also consider other comprehensive frameworks:
- The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) is a comprehensive guide of recommended best practices that can be used by organizations in any industry. It is also the basis of most government-mandated frameworks, such as NIST SP 800-171 and SP 800-53.
- The HITRUST CSF is an omnibus framework designed to streamline controls across industry, government, and other standards. Its hundreds of controls, specifications, and mapping protocols allow for customized deployments and flexible self- or third-party assessments. Critically, it empowers organizations to “assess once, report many.”
Depending on your needs and means, any one of these three options may be enough to check all of the boxes in terms of data protection, customer satisfaction, and regulatory compliance.
Work With a Security and Compliance Advisor
Ultimately, the best way to be certain about whether you need to implement the CIS Controls is to work with a security program advisor or compliance specialist who can help you make the decision. They’ll take all of the above factors into consideration, along with granular details about the kind of data in your IT environment and the internal and external threats to it.
Based on that information, the best advisors will both help you determine whether you should implement these (or other) controls and work with you to develop a strategy for doing so. And, with that strategy in place, they can assist with the design and deployment of controls, along with assessment to verify compliance or prove to stakeholders that you take security seriously.
Implement the CIS Security Controls Today
Depending on your industry niche, location, or business agreements, your organization might need to implement the CIS Controls. And, even if you don’t need to, implementing and maintaining the controls might be the most efficient way to meet or exceed your other cybersecurity requirements.
RSI Security has helped countless organizations implement CIS and other security frameworks to meet compliance needs and keep all stakeholders secure. We operate on the principle that discipline creates freedom; installing protection now will empower greater flexibility in the future.
To get started on your CIS critical security control implementation, contact RSI Security today!