
CIS Critical Security Controls - Overview

Introduction

The 20 Critical Security Controls (CSC) were developed by the Center for Internet Security (CIS) together with the SANS Institute. The framework is presented in a format that any organization can adapt to prepare itself against cyber attacks and protect its critical data assets. The 20-control list below corresponds to CIS Controls version 7; version 8, released in 2021, consolidated the set into 18 Controls, so check which version a given tool, benchmark, or audit refers to before mapping findings to control numbers.

Structure

The 20 CSC are separated into three tiers, each building on the one before it:

  • [A] Basic Level — Controls 1 – 6, advised for all organizations. These six controls can be implemented with modest resources and provide a baseline level of protection that even the smallest organizations can achieve.
  • [B] Foundational Level — The Basic controls plus Controls 7 – 16, advised for mid-sized organizations that have more resources and dedicated cybersecurity staff to implement security measures.
  • [C] Organizational Level — All 20 controls, intended for mature organizations with robust cybersecurity expertise and extensive resources.

The 20 Controls

Basic Level: Controls 1-6

  • Control 1: Inventory and Control of Hardware Assets
  • Control 2: Inventory and Control of Software Assets
  • Control 3: Continuous Vulnerability Management
  • Control 4: Controlled Use of Administrative Privileges
  • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
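Controls 1 and 2 come down to one recurring check: compare what is actually observed on the network and on hosts against an authorized inventory, and treat anything unexplained as a finding. The following Python script is an added illustration of that reconciliation; it is example code written for this overview, not code from CIS or from the original post. The discovery lines, MAC addresses, host names, package names and versions are all constructed, and the allowlist format (package name mapped to permitted version prefixes) is an assumption chosen for the example, not a CIS-specified format.

```python
"""Reconcile discovered hardware and installed software against an authorized
inventory, in the spirit of CIS Controls 1 and 2.

Added example; every host, MAC address and package below is constructed.
"""
import re

# Constructed authorized hardware inventory, keyed by MAC address (Control 1).
AUTHORIZED_HARDWARE = {
    "aa:bb:cc:00:00:01": "ws-fin-01",
    "aa:bb:cc:00:00:02": "ws-fin-02",
    "aa:bb:cc:00:00:10": "srv-web-01",
}

# Constructed software allowlist: package -> permitted version prefixes (Control 2).
# The prefix scheme is an assumption for this example, not a CIS format.
AUTHORIZED_SOFTWARE = {
    "openssh-server": ("9.",),
    "nginx": ("1.24.", "1.26."),
    "sudo": ("1.9.",),
}

# Constructed discovery output in "ip mac" form, as an ARP scan might report it.
# One line is deliberately malformed to show that the parser skips it.
DISCOVERY_LINES = """\
10.0.1.11 AA:BB:CC:00:00:01
10.0.1.12 aa:bb:cc:00:00:02
10.0.1.50 de:ad:be:ef:00:01
garbage line that should be ignored
"""

# Constructed installed-package report: (host, package, version).
INSTALLED_SOFTWARE = [
    ("ws-fin-01", "openssh-server", "9.6p1"),
    ("ws-fin-01", "nginx", "1.26.2"),
    ("ws-fin-02", "nginx", "1.18.0"),     # version outside the allowlist
    ("ws-fin-02", "teamviewer", "15.0"),  # package not authorized at all
]

_ARP_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*$"
)


def parse_discovery(text):
    """Return {ip: mac} with MACs normalized to lowercase; unparsable lines are skipped."""
    seen = {}
    for line in text.splitlines():
        m = _ARP_RE.match(line.strip())
        if m:
            seen[m.group("ip")] = m.group("mac").lower()
    return seen


def unauthorized_hardware(discovered, authorized=AUTHORIZED_HARDWARE):
    """Devices seen on the network whose MAC is not in the authorized inventory."""
    return sorted((ip, mac) for ip, mac in discovered.items() if mac not in authorized)


def unseen_hardware(discovered, authorized=AUTHORIZED_HARDWARE):
    """Authorized assets that did not answer: offline hosts or stale inventory entries."""
    online = set(discovered.values())
    return sorted(name for mac, name in authorized.items() if mac not in online)


def unauthorized_software(installed, allowlist=AUTHORIZED_SOFTWARE):
    """Packages that are not allowlisted, or whose version is outside the permitted prefixes."""
    findings = []
    for host, pkg, version in installed:
        prefixes = allowlist.get(pkg)
        if prefixes is None:
            findings.append((host, pkg, version, "not authorized"))
        elif not version.startswith(prefixes):
            findings.append((host, pkg, version, "unapproved version"))
    return findings


if __name__ == "__main__":
    discovered = parse_discovery(DISCOVERY_LINES)
    for ip, mac in unauthorized_hardware(discovered):
        print(f"UNAUTHORIZED DEVICE  {ip}  {mac}")
    for name in unseen_hardware(discovered):
        print(f"INVENTORY NOT SEEN   {name}")
    for host, pkg, version, reason in unauthorized_software(INSTALLED_SOFTWARE):
        print(f"SOFTWARE FINDING     {host}  {pkg} {version}  ({reason})")
```

The two-directional hardware check matters: unknown devices are the obvious alarm, but authorized assets that never show up are how an inventory silently rots, so both lists should feed a ticket or review queue. In a real deployment the constructed inputs would be replaced by the output of an active scanner, DHCP logs, or an endpoint agent, and the comparison would run on a schedule rather than once.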

Foundational Level: Basic (1-6) + Controls 7-16

  • Control 7: Email and Web Browser Protections
  • Control 8: Malware Defenses
  • Control 9: Limitation and Control of Network Ports, Protocols, and Services
  • Control 10: Data Recovery Capabilities
  • Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
  • Control 12: Boundary Defense
  • Control 13: Data Protection
  • Control 14: Controlled Access Based on the Need to Know
  • Control 15: Wireless Access Control
  • Control 16: Account Monitoring and Control

Organizational Level: All Controls (1-20)

  • Control 17: Implement a Security Awareness and Training Program
  • Control 18: Application Software Security
  • Control 19: Incident Response and Management
  • Control 20: Penetration Tests and Red Team Exercises

Source: https://www.cisecurity.org/controls


This post is licensed under CC BY 4.0 by the author.