Organizations looking to install the CIS Controls need to understand the scope of the overall framework, along with the specific practices they need for their target Implementation Group. Then, once all controls are in place, they’ll need to conduct an assessment for verification.
Are you prepared to implement the CIS Controls? Schedule a consultation to find out!
Implementing the CIS Controls Framework
The Center for Internet Security (CIS) Controls, formerly known as the CIS critical security controls framework, is a robust yet flexible set of protocols aimed at protecting organizations of all sizes and in every industry against a wide variety of threats. Implementing them requires:
- Determining the scope of your implementation, including mapping and control selection
- Installing safeguards up to the specifications of your chosen Implementation Group
- Assessing your implementation and ensuring seamless long-term control maintenance
One of the best ways to implement the CIS Controls efficiently is to work with a security program advisor or virtual chief information security officer (vCISO) to optimize every part of the process.
Determine Your Implementation Scope
The first step to any CIS Controls implementation is understanding what Controls you’ll need to install. To that effect, Version 8 of the CIS Controls framework breaks down as follows:
- Control 01: Inventory and Control of Enterprise Assets
- Control 02: Inventory and Control of Software Assets
- Control 03: Data Protection
- Control 04: Secure Configuration of Enterprise Assets and Software
- Control 05: Account Management
- Control 06: Access Control and Management
- Control 07: Continuous Vulnerability Management
- Control 08: Audit Log Management
- Control 09: Email and Browser Protections
- Control 10: Malware Defenses
- Control 11: Data Recovery
- Control 12: Network Infrastructure Management
- Control 13: Network Monitoring and Defense
- Control 14: Security Awareness and Skills Training
- Control 15: Service Provider Management
- Control 16: Application Software Security
- Control 17: Incident Response Management
- Control 18: Penetration Testing
Each Control comprises several safeguards, which are distributed across three Implementation Groups (IGs). Determining scope means selecting an IG and its corresponding safeguards, but it can also mean determining how to map your existing cyberdefense controls onto them.
This general structure is similar to many other regulatory frameworks, such as the Payment Card Industry’s (PCI) Data Security Standard (DSS), the General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA). If you’re already compliant with one of these, or working towards it, mapping your existing controls is the most efficient route to deployment.
CIS provides resources on mapping these frameworks onto the CIS Controls, and working with a regulatory compliance advisor will also help you satisfy all requirements with minimal overlap.
Install Safeguards for Your Implementation Group
The entire framework of CIS controls includes 153 total cybersecurity safeguards. However, organizations do not necessarily need to implement all of them, and certainly not all at once.
Instead, organizations should select the Implementation Group appropriate for their needs.
Implementation Group 1 is designed for newer and smaller organizations. It includes at least one safeguard from almost every CIS Control, which all work together to form a baseline of security known as “essential cyber hygiene.” This is the foundation for all CIS Controls.
Implementation Group 2 is designed for growing medium-to-large entities with diverse IT systems. If your organization straddles industries with sensitive data, IG 2 might be for you.
Implementation Group 3 is for the largest and most mature organizations. Its protections build on those in IG 1 and IG 2 to form the most advanced protections against sophisticated and persistent attacks. Security at this level rivals that of most other regulatory frameworks.
Implementation Group 1 Safeguards
For IG 1, organizations need to implement the following 56 safeguards:
- Control 01 IG 1 Safeguards
  - 1.1: Maintain a detailed enterprise asset inventory
  - 1.2: Detect and address unauthorized assets
- Control 02 IG 1 Safeguards
  - 2.1: Maintain a detailed software inventory
  - 2.2: Ensure all software is currently supported
  - 2.3: Detect and address unauthorized software
- Control 03 IG 1 Safeguards
  - 3.1: Maintain data management processes
  - 3.2: Maintain detailed data inventories
  - 3.3: Configure a data access control list
  - 3.4: Enforce data retention policies
  - 3.5: Ensure data is disposed of securely
  - 3.6: Encrypt data across user devices
- Control 04 IG 1 Safeguards
  - 4.1: Maintain secure configuration processes
  - 4.2: Maintain secure configuration for networks
  - 4.3: Configure automatic session logging on assets
  - 4.4: Maintain firewall protections across servers
  - 4.5: Maintain firewall protections across devices
  - 4.6: Manage enterprise assets and software securely
  - 4.7: Manage default accounts across enterprise assets
- Control 05 IG 1 Safeguards
  - 5.1: Maintain a detailed inventory of accounts
  - 5.2: Require unique passwords
  - 5.3: Disable inactive accounts
  - 5.4: Restrict administrative privileges
- Control 06 IG 1 Safeguards
  - 6.1: Establish processes for granting access
  - 6.2: Establish practices for revoking access
  - 6.3: Require MFA for external-facing applications
  - 6.4: Require MFA for access to remote networks
  - 6.5: Require MFA for administrative functions
- Control 07 IG 1 Safeguards
  - 7.1: Maintain processes for vulnerability management
  - 7.2: Maintain processes for vulnerability remediation
  - 7.3: Automate operating system patch management
  - 7.4: Automate application-level patch management
- Control 08 IG 1 Safeguards
  - 8.1: Maintain processes for managing audit logs
  - 8.2: Collect all audit logs for future analysis
  - 8.3: Maintain adequate storage for audit logs
- Control 09 IG 1 Safeguards
  - 9.1: Utilize only fully supported browsers and email clients
  - 9.2: Utilize DNS filtering services or solutions
- Control 10 IG 1 Safeguards
  - 10.1: Maintain anti-malware protection solutions
  - 10.2: Automate updates to anti-malware protections
  - 10.3: Disable autoplay functionality for removable media
- Control 11 IG 1 Safeguards
  - 11.1: Maintain processes for data recovery
  - 11.2: Automate data backup processes
  - 11.3: Protect data involved in recoveries
  - 11.4: Maintain isolated instances of recovery data
- Control 12 IG 1 Safeguards
  - 12.1: Ensure network infrastructure is up to date
- Control 14 IG 1 Safeguards
  - 14.1: Maintain a security awareness training program
  - 14.2: Train staff to recognize social engineering scams
  - 14.3: Train staff on best practices for authentication
  - 14.4: Train staff on best practices for data handling
  - 14.5: Train staff on causes for unintentional data exposure
  - 14.6: Train staff on how to recognize and report incidents
  - 14.7: Train staff on how to report missing security updates
  - 14.8: Train staff on the dangers of insecure networks
- Control 15 IG 1 Safeguards
  - 15.1: Maintain a detailed inventory of third-party service providers
- Control 17 IG 1 Safeguards
  - 17.1: Designate specific personnel for incident handling
  - 17.2: Maintain contact information registries for incident reporting
  - 17.3: Maintain organizational processes for incident reporting
Implementation Group 2 Safeguards
IG 2 introduces 74 additional safeguards on top of IG 1, which break down as follows:
- Control 01 IG 2 Safeguards
  - 1.3: Utilize asset discovery tools
  - 1.4: Utilize dynamic host configuration protocol (DHCP)
- Control 02 IG 2 Safeguards
  - 2.4: Utilize automated software inventory solutions
  - 2.5: Allowlist authorized software
  - 2.6: Allowlist authorized libraries
- Control 03 IG 2 Safeguards
  - 3.7: Maintain a data classification scheme
  - 3.8: Document data flows accurately
  - 3.9: Encrypt data across removable media
  - 3.10: Encrypt all sensitive data in transit
  - 3.11: Encrypt all sensitive data at rest
  - 3.12: Segment data processing by sensitivity
- Control 04 IG 2 Safeguards
  - 4.8: Disable unnecessary functions across enterprise assets
  - 4.9: Configure trusted DNS across enterprise assets
  - 4.10: Enforce automatic lockout on enterprise devices
  - 4.11: Enable remote wipe capability on enterprise devices
- Control 05 IG 2 Safeguards
  - 5.5: Maintain a detailed inventory of service accounts
  - 5.6: Centralize all elements of account management
- Control 06 IG 2 Safeguards
  - 6.6: Maintain a detailed inventory of authentication systems
  - 6.7: Centralize all elements of access control
- Control 07 IG 2 Safeguards
  - 7.5: Automate vulnerability scans across internal enterprise assets
  - 7.6: Automate vulnerability scans across external-facing enterprise assets
  - 7.7: Ensure all detected vulnerabilities are remediated fully and swiftly
- Control 08 IG 2 Safeguards
  - 8.4: Standardize time synchronization practices
  - 8.5: Collect sufficiently detailed audit logs
  - 8.6: Collect detailed DNS query audit logs
  - 8.7: Collect detailed URL request audit logs
  - 8.8: Collect detailed command-line audit logs
  - 8.9: Centralize all elements of audit log collection
  - 8.10: Retain audit logs indefinitely
  - 8.11: Conduct reviews of audit logs
- Control 09 IG 2 Safeguards
  - 9.3: Enforce network-based URL filtering
  - 9.4: Restrict unnecessary extensions
  - 9.5: Implement DMARC solutions
  - 9.6: Block unnecessary types of files
- Control 10 IG 2 Safeguards
  - 10.4: Automate anti-malware scanning for removable media
  - 10.5: Enable anti-exploitation functionality
  - 10.6: Centralize anti-malware management
  - 10.7: Utilize behavior-based anti-malware protections
- Control 11 IG 2 Safeguards
  - 11.5: Assess data recovery processes regularly
- Control 12 IG 2 Safeguards
  - 12.2: Maintain secure network architecture
  - 12.3: Manage network infrastructure securely
  - 12.4: Maintain network architecture diagrams
  - 12.5: Centralize authentication, authorization, and auditing
  - 12.6: Utilize secure network and communication protocols
  - 12.7: Ensure remote devices connect to enterprise networks securely
- Control 13 IG 2 Safeguards
  - 13.1: Centralize all elements of security event alerting
  - 13.2: Deploy host-based intrusion detection solutions
  - 13.3: Deploy network-based intrusion detection solutions
  - 13.4: Filter traffic between network segments
  - 13.5: Control access across remote assets
  - 13.6: Collect detailed network traffic flow logs
- Control 14 IG 2 Safeguards
  - 14.9: Conduct role-specific awareness training
- Control 15 IG 2 Safeguards
  - 15.2: Maintain policies for managing third-party service providers
  - 15.3: Establish classifications for third-party service providers
  - 15.4: Enforce security requirements in third-party contracts
- Control 16 IG 2 Safeguards
  - 16.1: Maintain secure application development processes
  - 16.2: Maintain processes to accept and address vulnerabilities
  - 16.3: Perform root cause analysis (RCA) on vulnerabilities
  - 16.4: Manage a detailed inventory of third-party software
  - 16.5: Utilize only updated and trusted third-party software
  - 16.6: Maintain a severity rating system for vulnerabilities
  - 16.7: Utilize software hardening templates for applications
  - 16.8: Segment production and non-production systems
  - 16.9: Train development staff in secure coding practices
  - 16.10: Apply secure design principles across architectures
  - 16.11: Leverage vetted services for application security
- Control 17 IG 2 Safeguards
  - 17.4: Maintain organizational processes for incident response
  - 17.5: Assign critical incident response roles and responsibilities
  - 17.6: Define communication protocols specific to incident response
  - 17.7: Conduct regular incident response exercises
  - 17.8: Collect detailed post-incident reviews
- Control 18 IG 2 Safeguards
  - 18.1: Maintain programs for penetration testing
  - 18.2: Perform external penetration tests periodically
  - 18.3: Remediate findings from penetration tests
Implementation Group 3 Safeguards
The final 23 safeguards are added in IG 3, breaking down as follows:
- Control 01 IG 3 Safeguards
  - 1.5: Utilize a passive asset discovery tool
- Control 02 IG 3 Safeguards
  - 2.7: Allowlist authorized scripts
- Control 03 IG 3 Safeguards
  - 3.13: Deploy data loss prevention (DLP) solutions
  - 3.14: Log all access to sensitive data
- Control 04 IG 3 Safeguards
  - 4.12: Separate enterprise workspaces on mobile devices
- Control 06 IG 3 Safeguards
  - 6.8: Maintain role-based access control (RBAC)
- Control 08 IG 3 Safeguards
  - 8.12: Collect logs from third-party service providers
- Control 09 IG 3 Safeguards
  - 9.7: Maintain anti-malware protections on email servers
- Control 12 IG 3 Safeguards
  - 12.8: Maintain dedicated resources for administrative work
- Control 13 IG 3 Safeguards
  - 13.7: Deploy host-based intrusion prevention solutions
  - 13.8: Deploy network intrusion prevention solutions
  - 13.9: Deploy access controls at the port level
  - 13.10: Implement application layer filtering
  - 13.11: Maintain security event alert thresholds
- Control 15 IG 3 Safeguards
  - 15.5: Assess third-party service providers
  - 15.6: Monitor third-party service providers
  - 15.7: Decommission service providers securely
- Control 16 IG 3 Safeguards
  - 16.12: Implement regular code-level security checks
  - 16.13: Conduct application-level penetration tests
  - 16.14: Conduct threat modeling exercises
- Control 17 IG 3 Safeguards
  - 17.9: Establish and maintain incident security thresholds
- Control 18 IG 3 Safeguards
  - 18.4: Validate security measures with penetration tests
  - 18.5: Perform internal penetration tests periodically
Assess Your CIS Controls Implementation
Once you’ve installed CIS framework controls up to your target IG, you’ll need to confirm that they are functioning as intended. Assessments using the CIS Controls Self Assessment Tool (CSAT) allow you to verify your implementation and assure stakeholders of your security posture.
The CSAT, available via subscription through CIS, empowers organizations to report on their security. Its features also include monitoring for compliance with other regulatory frameworks, along with tools for mitigating issues and managing different tiered assessments (i.e., lower or higher IG requirements) for different roles or segments of your organization—or third parties.
Although it is designed to facilitate self-assessment, working with a compliance advisor further optimizes the benefits that CSAT offers. The CSAT does facilitate compliance reporting for other regulations, but you’ll usually still need to work with qualified providers to achieve certification.
Implement the CIS Controls Framework Today
RSI Security is a full-service advisor and assessor; we help organizations optimize every step of their CIS Control implementation. Our experts will work with your organization to determine if any of your pre-existing controls match CIS requirements and how to map them. Then, we’ll help you decide which Implementation Group to target and design or install safeguards. Finally, we’ll work with you on assessing and reporting to meet any and all applicable regulatory needs.
At RSI Security, we believe that the right way is the only way to keep your data safe. And we’re committed to helping you do that as efficiently as possible, minimizing unnecessary overlap.
To get started on your CIS Controls framework implementation, contact RSI Security today!