RSI Security

What is the Center for Internet Security (CIS)?


In the early days of technology, the interwebs were similar to the Wild Wild West—anarchic, lawless, and unregulated. While the interweaving of technology and society created many benefits and conveniences, it also spawned a multibillion-dollar cybercrime industry.

In response to this growing threat, a group of volunteer security experts formed a non-profit organization they called the Center for Internet Security (CIS). Its mission: to help public and private sector entities manage their cybersecurity risks.

But how do they accomplish this? Let’s discuss.


What is the CIS Center for Internet Security 

In October of 2000 the Center for Internet Security was established as a 501(c)(3) nonprofit organization. Its charter had two clearly stated goals:

  1. Identify, develop, validate, promote, and sustain best practice solutions for cyber defense.
  2. Build and lead communities to enable an environment of trust in cyberspace.

Headquartered in New York, the organization has hundreds of IT security professionals representing governmental agencies, the military, large corporations, conglomerates, and academic institutions.

Over time it set the global standard for internet security and best practices, most of which are outlined in its CIS Controls and CIS Benchmarks. Participating organizations include:


The CIS Crowdsourcing Structure 

The world of cybercrime is mercurial. It’s composed of tens of thousands of individuals working self-autonomously—each with their own goals, methods, and strategies. In terms of security this decentralization creates a massive problem. There are too many criminals and too many potential areas of attack for one entity to handle on its own.

To fight fire with fire, CIS eschews a top-down security control model. Instead, it favors a unique group defense that relies heavily on crowdsourcing. Individual members of CIS are deputized. This gives them authority to perform two primary tasks:

  1. Identify security liabilities
  2. Propose refinements to security measures

An alert or recommendation is shared between and evaluated by the community, then brought up for a vote. If it passes, the security measure is integrated.

Over the years this collaboration has helped form the framework for the CIS Critical Security Controls and Benchmarks.




The 20 CIS Critical Security Controls   

The CIS Critical Security Controls are composed of 20 essential security protocols, which are grouped into three tiers:

The CIS Controls aren’t all of the possible security protocols available to you; however, they do form a vital first line of defense against most cyberattacks.

The Basic Critical Security Controls 

The first 5 controls are the most critical. They’ll stop 85% of attacks. Over the years basic controls have been added to, refined, and updated—the most recent being V7.1. With each newly released version, the security prescriptions are more applicable and actionable.

Because the controls are regularly updated using current attack data, they are able to remain effective against today’s evolving cyber threats. Per the AHA, “CIS Controls act as a blueprint for network operators to cut through clutter of innumerable recommendations made by innumerable sources—the “Fog of More”—to improve cybersecurity by suggesting specific actions to be done in a priority order.”

So, what are the basic security controls?




The Foundational Security Controls 

Although we won’t go into detail, the foundational security controls include:


The Organizational Security Controls 

Similarly, the four remaining controls are:


Control Companion Guides 

In addition to the general security controls the Center for Internet Security provides members with companion guides that are tailored to specific devices or platforms. They include:


CIS Benchmarks

The Center for Internet Security has also created CIS Benchmarks. These are best practices for ensuring a secure configuration of a specific technology system. While there are over 100 benchmarks covering more than 14 technology groups, notable benchmarks include:

Each one of these benchmarks can be downloaded for free here.


How the Benchmarks are Developed 

To build the benchmarks a group of experts, community members, and technology vendors work in conjunction with the CIS Benchmark Development team. Benchmarks start as a working draft, which focuses on defining the scope. Once completed they are discussed, developed, and tested. After consensus has been reached, the final benchmark is published to the community.

Typically, a CIS Benchmark is categorized into one of two profile levels:


CIS Program Areas and Communities

The Center for Internet Security provides its members with various other program areas and communities, including:

CIS Benchmark-hardened images help your business stay secure and reduce cost.


Applying CIS Controls and Benchmarks to Your Organization  

Your business is under constant threat of cyberattacks, and that threat continues to evolve.

The Center for Internet Security was created to help businesses, both big and small, protect their data and networks. By banding together and collaborating, security experts can stay ahead of hackers.

Even if you don’t become a member of CIS, it’s essential that you apply its security controls and benchmarks to thwart the vast majority of cyber-intrusions.

Looking for a flexible and knowledgeable IT partner? Then you’re in good hands.

At RSI Security, our team of experts focuses on compliance, managed network security services, penetration testing, and cloud computing security services. We help you ensure that your organization is properly applying the CIS Controls and CIS Benchmarks from the top down. Ready to get started? Reach out today to speak with our trusted experts.

