Can you Become Ransomware-Proof? Part 2: CIS Controls

In my previous post, I talked about the NIST Cybersecurity Framework (CSF). Some of you, I am sure, Googled “NIST CSF” after reading it and found tons of information from NIST on the framework.

Then, as you looked at the details, you might have felt intimidated by the five functions (identify, protect, detect, respond and recover) and the 23 categories and 108 subcategories.

It might have sounded too complicated, too much to bite off, and you might have even wondered, “Where do I start?!”

First, that feeling is totally understandable. The NIST CSF is a comprehensive framework. It works well for regulated companies like banks, utilities, hospitals, etc.—organizations that have regulatory compliance needs that must be addressed and that have to protect their customers’ data as well as prove that they have protected that data.

If you recall, at the end of that post I said I would talk about CIS Controls as another framework you can use.

For medium-size companies that may or may not be regulated or do not have to adhere to a compliance standard, the Center for Internet Security (CIS) Controls might be a better solution.

CIS has a set of controls that can be downloaded for free and can be more easily applied to manufacturing, service organizations, retail companies, schools and other verticals that are not as tightly regulated.

CIS Controls Version 8 has 18 categories with safeguards inside each category that map to a particular asset type (like a computer, a software application, company data or corporate network). The safeguards serve a particular function (like identify, protect, detect, respond and recover) for that asset type.

Finally, each of those safeguards is tied to an implementation level of one, two or three, which will vary based on how far along a company is with its security program.

Level one is for organizations that are just getting started, level two is more advanced and level three is the most advanced. You’ll notice that the CIS Controls map to the same general categories as the CSF; that’s done intentionally to help companies or organizations understand how they compare with their peers and communicate with auditors, boards, management and risk committees.

The CIS Controls are written in an easy-to-read language with clear functions and safeguards that are plainly identified and can be implemented at level one with no-cost or low-cost tools.

Often, the topic of cybersecurity is compared to eating an elephant—daunting and unapproachable—but when you look at the CIS Controls, you can more easily see how the process is laid out in an understandable way that allows you to start your journey toward a safer and more secure environment.

In my next blog, I’ll round out my framework discussion by tackling MITRE ATT&CK.

John Bruggeman

I am a veteran technologist, former CTO and CISO, with nearly 30 years of experience building and running enterprise IT. I have developed and supported information security programs, helping them mature and succeed by using industry standards like ISO27K and NIST CSF.

I am very familiar with regulatory compliance requirements from PCI-DSS, HIPAA, FERPA, A133 to privacy related requirements like GDPR and CCPA. I earned several GIAC certifications (GSEC, GCIH and GCWN) and I am active in the local information security community, through groups like Infragard and the Higher Education Security Council for EDUCAUSE.
