Guide To CIS Critical Security Control Mapping

CIS critical security controls mapping will help your business achieve best-practice cybersecurity through its detailed approach to tiered implementation, and in this article, we will show you how.

Whether you are an SME or a multinational, the Center for Internet Security (CIS) has got you covered. The framework comprises a 3 level system where the basic controls (level 1) can be implemented by organizations with few resources, all the way to the institutional grouping for organizations with extensive cybersecurity resources.   

 

What is CIS Critical Security Controls Mapping?

The CIS developed a framework in the last decade that was designed to tackle growing cybersecurity risks. The framework outlines 20 security controls that range from basic to institutional, as we briefly mentioned in the previous section. 

Although there are no formal requirements or regulations requiring organizations to comply with the framework, many organizations will use the framework in conjunction with industry-specific frameworks.

The framework itself is one of high standing, being drafted by the wider cybersecurity community. Professionals, interest groups, and subject matter experts all work together to update the framework and notify its users of changes to the threat landscape.

The CIS differentiates itself from other frameworks by offering securely configured settings for an extensive list of operating systems (OS) and devices. This part of the framework is known as CIS benchmarks, which we will discuss a little later as it comprises CIS critical security controls mapping.

 

CIS Critical Security Controls Mapping

CIS critical security controls mapping is the implementation of the framework’s controls. Essentially, it is the “compliance”. As mentioned previously, the framework is by no means a regulation so the mapping is more a type of soft compliance.

How one archives mapping is first by implementing the 20 controls, or the level at which is available to your business. 

Then your organization should go through the CIS benchmarking process.

In the coming sections, we will discuss these two elements in greater detail. 

 

20 CIS Critical Security Controls

The CIS 20 security controls make up the bulk of the framework, in fact, one could say it is the entire framework, but it is a little more nuanced than that. In this article, we will not look at each individual control but rather discuss what the controls mean to compliance with the framework. If you wish to know more about the 20 controls in detail please read our blog post about it here. 

The 20 CIS critical security controls (CSC) are the application of cybersecurity practices to key vulnerability areas. As an example, security control 8 titled “malware defense” requires the organization to control the execution and spread of malware through the use of anti-malware software and tools.

The controls are also grouped into three tiers. These tiers are:

1. Basic Controls
2. Foundational Controls
3. Organizational Controls

The control mapping, and subsequently, the compliance, can be achieved at any level depending on the resources available to the organization. 

 

Basic Controls

This control group, numbers 1-6, is colloquially known as “cyber hygiene”. It consists of activities that can be undertaken by any organization large or small and should be implemented by all organizations, regardless of resources if they are to take their security seriously.

According to CIS, even with the implementation of the first control group, organizations can reduce the chance of successful cyberattacks by 84 percent. An interesting prospect indeed.

The controls themselves mostly consist of taking inventory of IT assets and basic monitoring and limitation of certain accesses and privileges. If you wish to see the complete explanation of the basic controls, check out this article on our blog.

The six basic controls:

1. Inventory and control of hardware assets
2. Inventory and control of software assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
6. Maintenance, Monitoring, and Analysis of Audit Log

 

Assess your CIS CSC Compliance

 

Here are a few more articles to help you learn more about CIS CSC :

• What are the 20 CIS Critical Security Controls?

• Basics of the CIS Hardening Guidelines

 

Foundational Controls

When assessing the available resources that your organization has, it may be useful to go through the foundational control group and see if the control implementation is possible. This way you can gauge if the business is able to comply up to this level. 

Keep in mind, that full control mapping involves all three tiers; this is especially true if the organization operates at an international or high level. The high level being 250 employees or more. 

In the same vein, do not forget to check if there are any regulations that your industry must comply with; see a list of our compliance services here. The CIS CSC framework does a great job of preparing organizations in the compliance landscape but there might still be regulations such as the GDPR, NERC CIP, or others that your organization must comply with.

The foundational control group is where the framework becomes a more involved process. The controls are more focused and address specific issues like email security for example. This control grouping is necessary within the broader context of critical security control mapping the larger your business network grows.

The foundational controls make up the bulk of the framework and with their full implementation, the organization would be engaging in what professionals would consider a best practice model. 

Read our blog post on the foundational controls here. The 10 foundational controls:

1. Email and Web Browser Protections
2. Malware Defenses 
3. Limitation and Control of Network Ports, Protocols, and Services
4. Data Recovery Capability 
5. Secure Configuration for Network Devices 
6. Boundary Defense
7. Data Protection 
8. Controlled Access Based on the Need to Know
9. Wireless Access and Control 
10. Account Monitoring and Control 

 

Organizational Controls

The final grouping, or the last 4, in CIS critical security controls mapping is known as the organizational controls. These controls are really only meant to be implemented by large organizations. The types of organizations that have very extensive networks and deal with critical business information, sensitive, or classified data. 

Think of this control grouping as the maintenance and readiness group. The controls themselves deal with aspects of cybersecurity that may not necessarily be tangible but have a high impact on the overall cyber health of the organization. 

The controls are:

1. Implement a Security Awareness and Training Program
2. Application Software Security
3. Incident Response and Management
4. Penetration Tests and Red Team Exercises

From this list, you may be able to tell that SMEs most definitely don’t have the resources to execute many of these controls, nor do they have to. However, if the resources are available to the organization it would greatly benefit them. This is because unlike the other control groupings the organizational controls help build the culture of security within the business, which will ensure the long-term success of business operations.

Implementation of the critical security controls, dependent on the resources available to the organization, is the first step in the overall control mapping process. What sets this framework apart from the rest of the next step, CIS benchmarks. 

 

CIS Benchmarks

CIS benchmarks are the hallmark of the framework. The CIS organization is built up of volunteers from the wider cybersecurity community, and they dedicate their time to developing, updating, and communicating the CIS benchmarks, but what are they? 

The benchmark is a database of security configurations for:

• Operating Systems
• Server Software
• Cloud Providers
• Mobile Devices
• Network Devices
• Desktop Software
• Multifunction Print Devices

Under each of the categories, any organization can go to the CIS website and download the proper security configurations for a multitude of different IT systems.

When we talk about security configurations for devices and software, we are referring to the secure use of said software and devices. Many software and devices, out of the box, are configured for ease of use and not security.

The CIS benchmarks aim to fix the problem by allowing organizations access to the secure configurations database so that your business can feel like the software and devices that they acquire is not betraying their security needs. 

You might be wondering how the security configurations are decided. Well, the benchmarks are determined on a consensus-based model. Meaning that a group of cyber professionals, interest groups, and subject matter experts unanimously decided on the best security configuration for the object in question.

Currently, there are security configuration settings for over 140 different software and devices.

Benchmark Profiles

Most of the available benchmarks have a profile level of either 1 or 2. The difference between the levels is dependent on the security needs of the organization. 

Level 1 is surface-level security where it does not hinder the business operations and usability of the device or software. This profile is intended to be applied promptly with minimal disruption. 

Level 2 is “defense in depth”; this is only necessary for organizations where security is of paramount importance. These types of organizations may be processing highly sensitive or even classified data. However, if this profile level is not implemented properly, or without due care, it may have adverse effects on business operations. 

 

The purpose of the CIS framework

Now that you have a basic understanding of the framework, we can discuss the theory behind the framework, namely its overall purpose.

The CIS has stated that “we live in a multi framework era”, they would be right to say so given the increased regulations, surrounding issues in cybersecurity, industries are facing. With new regulations come new frameworks. 

The great thing about the CIS CSC framework is that it can be adapted to any industry. Especially considering the extensive amount of work that has gone into the CIS benchmarks, after all almost every business nowadays uses one or more of the software or devices listed on their database.

However, we must stress that it is not a catch-all and that there may be industry-specific frameworks that must be complied with as per regulation.

What the CIS CSC does; is give organizations large and small an opportunity to wet their feet in the world of compliance and cybersecurity. As mentioned previously, the basic controls alone are enough to reduce the chance of successful cyberattacks by 84 percent. More than that is that implementation is achievable even by businesses with limited resources. 

You might be able to see the picture we are trying to build here, CIS critical security controls mapping is flexible, easy to implement, and fundamentally will face your organization in the right direction when it comes to cybersecurity best practice models. 

 

Conclusions

With the implementation of the critical security controls followed by the correct application of the CIS benchmarks your organization is on the path to CIS critical security controls mapping.

This framework truly sets itself apart by the great work achieved by the wider cybersecurity community.

With that in mind, here at RSI Security, we understand the complexities of implementation and compliance. CIS benchmarks and control mapping can be difficult to understand for the untrained mind, lets us pick up on that.

Whether you are looking for compliance help or full-stack cybersecurity architecture, RSI Security is the partner for you. Do not hesitate, get in contact today and book a free consultation. 

 

---

Download our free checklist today to see which CIS security controls you need to address.