No matter how robust a company’s information technology (IT) resources and protections are, they’re always subject to risk. Even the most proactive companies struggle to keep pace with the evolution of cybercriminals’ methods and vectors of attack. The Center for Internet Security (CIS) has developed a framework to help reduce these risks; the CIS critical security controls for effective cyber defense are a key area of security for all business.
Why CIS Controls Are Critical for Effective Cyber Defense
CIS is dedicated to helping companies across all industries stay protected from the evolving cyberthreat landscape. Even when their analysis of the overall alert level for all businesses is relatively mild (low threat or “guarded”), companies need to continuously monitor and maintain their cyberdefenses to avoid falling victim to cybercrime. When properly followed, the CIS controls make it exponentially harder for a hacker to breach your security perimeter.
In the sections that follow, we’ll break down the critical importance of every single CIS control, across all three categories of controls. Then, we’ll establish how and why the CIS controls are also important for HITRUST certification—and how to achieve and maintain compliance.
But first, let’s dive into what the controls are, overall, and who needs to implement them.
The CIS Critical Security Controls for Effective Cyber Defense
The CIS Critical Security Controls, sometimes called the CSC, were designed to ensure uniform cybersecurity standards across all companies who adopt them. CIS recommends three tiers of implementation for companies based on their size, scope, and risk profile:
- Implementation group 1 – Smaller companies with fewer resources dedicated to IT.
- Implementation group 2 – Medium-sized companies with adequate IT resources.
- Implementation group 3 – Larger companies with mature cybersecurity infrastructure.
All of these groups have to follow certain controls and sub-controls to maintain their defenses. The larger the company, the more controls are needed. By the time you reach group three, you’re required to follow all of the CSC.
Organizations and individuals need to request permission to download the CIS Controls v7.1. But CIS does provide a useful primer for each individual control, easily accessible via their interactive controls and resources list.
Note: If you’re not sure where you fall, CIS provides a controls navigator for organizations to assess which sub-controls apply to them.
Basic Controls and Their Critical Impacts
The first six controls make up the “basic” category. These are the bare minimum cybersecurity safeguards that all businesses need in order to stay protected.
Each of these fundamental controls is critical in its own way:
- Controlling Hardware Asset Inventory – Devices that appear temporarily on networks, such as employees’ personal computers or phones, may lack up-to-date security measures. Thus, it’s important to keep diligent records of all devices on the network.
- Controlling Software Asset Inventory – When unmonitored software exists on company machines, it can open up vulnerabilities for hackers to exploit. There needs to be strict controls on what software is installed and inventory accounting for all of it.
- Implementing Vulnerability Management – Cybercriminals are constantly scanning for exploitable vulnerabilities. So, it’s vital for organizations to stay informed about what vulnerabilities exist and immediately address (and patch or resolve) them.
- Controlling Administrative Privilege – Once “inside” a network, abuses of mismanaged administrative privileges present some of the easiest ways for hackers to spread and infiltrate the most protected levels within the system.
- Securing Hardware and Software Configurations – It’s essential to optimize security controls for all computers, workstations, devices, servers, and applications. Default configurations are often easily manipulated by attackers; they need to be replaced.
- Maintaining, Monitoring and Analyzing Audit Logs – When audit logs are mismanaged, hackers can easily find ways to disguise their location or even their presence. So, it’s important to regularly log, analyze, and update records of all security activities.
While every company, no matter the size, stands to benefit from implementing all of the sub-controls, implementation group 1 only needs to follow 11 of the 47 (compared to 38 for group 2 and all 47 for group 3).
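As an added illustration of the hardware asset inventory control described above (this is example code written for this page, not CIS or RSI Security material), the script below reconciles a constructed authorized-device inventory against constructed DHCP lease lines (dnsmasq-style format is assumed) and flags devices on the network that have no inventory record, as well as inventoried devices that were not observed:

```python
"""Reconcile a hardware asset inventory against devices observed on the network.

Illustrates the idea behind CIS Control 1: every device seen on the network
should map to an inventory record, and unknown devices should be flagged.
All inputs below are constructed sample data, not real network captures.
"""
from dataclasses import dataclass

# Constructed authorized-asset inventory: MAC address -> (owner, asset tag).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("j.doe", "LAPTOP-0001"),
    "aa:bb:cc:00:00:02": ("print-room", "PRINTER-0007"),
    "aa:bb:cc:00:00:03": ("ops", "SERVER-0010"),
}

# Constructed lease lines in an assumed dnsmasq-style layout: expiry mac ip hostname.
DHCP_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.1.21 jdoe-laptop
1700000000 aa:bb:cc:00:00:02 10.0.1.50 printer7
1700000000 de:ad:be:ef:00:99 10.0.1.77 android-phone
"""

@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str

def parse_leases(text: str) -> list[tuple[str, str, str]]:
    """Return (mac, ip, hostname) tuples; malformed lines are skipped."""
    seen = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        seen.append((parts[1].lower(), parts[2], parts[3]))
    return seen

def reconcile(inventory: dict, leases: str) -> list[Finding]:
    """Flag observed devices missing from inventory, then inventory entries not observed."""
    findings = []
    observed = parse_leases(leases)
    observed_macs = {mac for mac, _, _ in observed}
    for mac, ip, host in observed:
        if mac not in inventory:
            findings.append(Finding(mac, ip, host, "unauthorized: not in inventory"))
    for mac, (owner, tag) in inventory.items():
        if mac not in observed_macs:
            findings.append(Finding(mac, "-", tag, f"not observed; owner {owner}"))
    return findings
```

In practice the lease file would be read from the DHCP server (or replaced by ARP or switch port data) and the findings fed to a ticketing or SIEM workflow so each unknown device is either inventoried or removed.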
Foundational Controls and Their Critical Impacts
The next and largest category is “foundational.” These controls go beyond the basic controls to round out a more complete foundation for cyberdefense:
- Protecting Email and Browsers – Email clients and internet browsers are the main points of contact between system resources and untrusted environments. As such, it’s especially important to safeguard them against code and social engineering attacks.
- Defending Against Malware – Malware, in various forms, accounts for a large portion of attacks targeting businesses. As such, anti-malware software and practices need to be robust, integrated into any and all incident response systems and protocols.
- Controlling Ports, Protocols and Services – Unmanaged network services that are remotely accessible provide easy paths for hackers to infiltrate your entire system. It’s vitally important to track all operational uses and discontinue unnecessary uses thereof.
- Ensuring Data Recovery – In the event of an attack, hackers may modify configurations of software and hardware, corrupting or otherwise making resources inaccessible. Organizations need to be able to restore previous versions and states of vital data.
- Securing Network Device Configurations – The default configurations pre-installed on firewalls, routers, switches, and other network devices are often optimized for ease of use rather than security. These need to be changed immediately to prevent attacks.
- Safeguarding Boundary Defenses – Even as boundaries between “internal” and “external” networks diminish, perimeter defenses remain an integral part of overall cybersecurity. Hackers actively seek out vulnerabilities in any permeable borders.
- Protecting All Data – There are many ways hackers steal data. Likewise, multiple layers of protection are needed, including but not limited to classification, storage, automated monitoring, and encryption (in the event that data is exfiltrated).
- Restricting Access By Need to Know – To further ensure that data is not breached, it’s important to drastically limit its accessibility to all parties, including internal personnel. Data must be accessed only when absolutely needed and encrypted at all other times.
- Controlling Wireless Access – It’s critical to track and restrict the use of wireless access points, such as local area networks. These present easy ways for cybercriminals to access your systems, even from outside your physical perimeter.
- Monitoring and Controlling Accounts – When user accounts are poorly managed, hackers can easily seize control of dormant accounts that should be deleted or even create fraudulent ones, posing as authenticated personnel. Rigorous control is required.
This is the largest category with the highest number of controls and sub-controls. Of the whopping 88 total foundational sub-controls, only a quarter (22) are required for implementation group 1. Group 2 is required to implement 70, while group 3 must implement all 88.
Organizational Controls and Their Critical Impacts
Finally, the last category of controls, “organizational,” governs the oversight and general company management of cybersecurity measures and events:
- Implementing Training Programs – All the individual technologies and practices that make up a cybersecurity infrastructure are only effective if the people implementing them are aware of how they operate. Regular and thorough training is absolutely essential.
- Securing All Applications and Software – Web-based applications and software that connect to the internet present some of the most common and exploitable vulnerabilities. Businesses require holistic management of “security life cycles” for all applications and software.
- Implementing Incident Management – No institution is completely immune to accidental and targeted cybersecurity incidents. That’s why a holistic, systematic approach to incident detection and response (with defined roles and protocols) is key.
- Conducting Penetration Testing – Finally, the best defense is a strong offense. To fully understand the ways that a hacker could attack, and what hackers could do once inside the network, organizations need to conduct external and internal penetration tests regularly.
This category is the only one with controls that aren’t required for implementation group 1. Controls 18 and 20 have no required sub-controls for group 1, and group 1 is only required to follow 10 of the 36 sub-controls in this category. Implementation group 2 must follow all but 5, and group 3 all 36.
CIS Controls, HITRUST Certification, and Cybersecurity
While the CIS controls are widely applicable across all industries, they have special significance for companies in the healthcare sector. The Health Information Trust Alliance (HITRUST) has combined many critical security regulations into the omnibus Common Security Framework (CSF). The CIS controls, along with other major compliance codes, such as the Health Insurance Portability and Accountability Act (HIPAA), are completely integrated into the CSF.
While CSF compliance is not always legally required, it is becoming an industry standard.
In order to help companies comply, RSI Security offers robust HITRUST CSF certification and assessment services. These cover the entire process, from preparation through ongoing compliance. Contact RSI Security today for help implementing the CIS critical security controls for effective cyber defense and any other cybersecurity practices you need to stay safe.