Hot Topics
Security Bloggers Network 
SBN

Analyzing the Results of Your CIS Security Controls Risk Assessment

by Maahnoor Siddiqui on July 1, 2022

The objective of the Center for Internet Security (CIS) is to “discover, create, validate, promote, and sustain best practice cyber defense solutions.” 

The Top 20 Critical Security Controls (formerly known as the SANS Top 20 Critical Security Controls) is a prioritized list of best practices developed by the Center for Internet Security (CIS) to combat today’s most ubiquitous and severe threats. 

Top security experts created it worldwide and continue to work on it, updating the list annually to keep up with the threats. 

What Is CIS Top 20?

Here is a list of CIS 20 Security Controls that can help you protect your organization against cyber threats:

  • Inventory and Control of Hardware Assets
  • Inventory and Control of Software Assets
  • Continuous Vulnerability Management
  • Controlled Use of Administrative Privileges
  • Secure Configuration for Hardware and Software on electronic devices, Workstations, and Servers
  • Maintenance, Monitoring, and Analysis of Audit Logs
  • Email and Web Browser Protections
  • Malware Defense
  • Limitation and Control of Network Ports, Protocols, and Services
  • Data Recovery Capability
  • Secure Configuration for Network Devices, such as Firewalls, Modems, and Switches
  • Boundary Defense
  • Data Protection
  • Controlled Access Based on a Need To Know
  • Wireless Access Control
  • Account Monitoring and Control
  • Implement a Security Awareness and Training Program
  • Application Software Security
  • Incident Response and Management 
  • Penetration Tests and Red Team Exercises

What Are CIS Benchmarks?

The Center for Internet Security publishes CIS Benchmarks and industry best practices for securely setting IT systems, applications, and networks. Communities of cybersecurity professionals and subject matter experts worldwide created the CIS Benchmarks through a unique consensus-based approach. Over 140 benchmarks are available, encompassing seven critical technological areas. 

Each of them is constantly identifying, refining, and validating security best practices in their respective areas of concentration. CIS benchmarks are updated regularly to secure every IT infrastructure comprehensively.

Benefits of CIS Benchmarks

While businesses are always free to make their own security configuration decisions, the CIS Benchmarks offer the following:

  • A global group of IT and cybersecurity experts have pooled their knowledge.
  • Step-by-step instructions for safeguarding every aspect of the IT infrastructure are updated regularly.
  • Consistency in compliance management.
  • A flexible template for implementing digital transformation initiatives and deploying new cloud services safely.
  • Configurations that are simple to implement for increased operational efficiency and sustainability.

What Are The Levels Of Security, And Why Do They Matter?

The CIS standards offer two degrees of security:

Level 1 proposes basic security standards that may be set on any system and should result in little service disruption or diminished functionality.

Level 2 recommends increased security settings for environments that require high protection at the expense of functionality. 

The Importance Of CIS 20 In the Cybersecurity World 

They are intended to assist businesses in protecting their systems and data against known attack vectors. It can also serve as a valuable guide for companies that do not yet have a comprehensive security program.

How to Implement CIS Controls 

The CIS Top 20 Critical Security Controls are best practices businesses may apply to safeguard themselves in an ever-changing technological environment. Organizations must move forward against security threats by taking adequate measures to secure corporate devices, networks, and data to apply the CSC controls appropriately.

Implementing these best practices includes creating suitable discovery mechanisms and ensuring that all devices on an organization’s network are classified correctly. In addition, a company must monitor device activity and segregate susceptible devices regularly. Security teams should also conduct a risk assessment to verify that security requirements are satisfied.

How does the CIS Top 20 affect your business?

Industry standards frequently specify the depth to which an organization must delve into such murky depths, but they rarely define how. The CIS Critical Security Controls (CSC) is a collection of best practices companies may use to address the most frequent cybersecurity threats.

There are three implementation groups in the CSC, each of which is a progression of controls based on an organization’s needs:

  • All companies should implement controls 1–6, a basic implementation control group. Security teams may apply these six measures with few resources to give even the smallest businesses essential security.
  • However, the basic controls and controls 7–16 are recommended for mid-level enterprises with more significant resources and cybersecurity expertise to deploy security measures.
  • Organizational implementation entails implementing all 20 security rules for large, well-resourced companies with extensive cybersecurity knowledge.

A company may choose the best match for its infrastructure by segmenting the controls into resource and skill-specific pieces.

How To Get CIS Benchmark Certification

Businesses must obtain CIS Benchmarks Configuration Certification to show conformity with the Benchmarks to include and sell the CIS Benchmarks as part of a product offering. The Configuration Certification verifies that a system’s configuration complies with CIS Benchmark(s), ensuring that the system’s performance will not be at risk when used in a CIS hardened environment.

Steps To Follow To Get Certified

Submit one certification using the support portal on the CIS website, selecting the CIS SecureSuite Vendor Certification option, and filling out the form.

Then attach the CIS-CAT report to demonstrate conformity to the relevant CIS Benchmark version(s) and Profile(s). Please submit and specify if CIS-CAT is unavailable or does not provide coverage for the CIS Benchmark you seek certification for so that CIS Support can assist you.

Please explain any CIS Benchmark recommendation(s) that your solution does not satisfy. You’ll also need to list any CIS Benchmark recommendation(s) that your system/device/appliance/platform does not fulfill. If applicable, an exception report.

And don’t forget to provide a brief description of the hardened compliance system, device, appliance, or platform submitted for CIS Benchmarks Configuration Certification.

Should CIS-20 Be In Every Small Business Or Not?

Today’s business security administrators are as acquainted with the CIS Top 20 Security Controls as they are with penetration testing. But they’re no longer exclusively for big business!

CIS is now making its security policies considerably easier to adopt for small and medium-sized businesses.

Small firms and startups with minimal resources to install the CIS Controls and sub-controls should choose Implementation Group 1. Controls and sub-controls are implemented by Implementation Group 2 for medium and mid-market businesses with limited resources. Finally, big and international firms with sufficient resources, capable of implementing all CIS controls and sub-controls, can execute Implementation Group 3.

With the ease of implementation, small businesses can keep up with the market. Implementing these tools gives companies a head start paving their way toward growth. 

Is it Possible To Get a Perfect Score?

The CSAT assesses the maturity of each CIS control on four levels: policy specified, control executed, control reported, and control automated. Each degree of maturity adds points to the total score for the CIS standards. An overall score is a number between 0 and 100. The application organizes your replies across the 20 variables, compares them to industry norms, and generates detailed reports to convey the status and outcomes.

While getting a perfect score may be difficult, it is not impossible. It all depends on how you work towards improving the four levels under the CSAT.

Wrapping Up

CIS may also hire an independent third party to verify that a solution meets the CIS standards. However, an initial CIS Certification isn’t conditional on passing any third-party examination. CyberStrong can streamline and automate your compliance efforts with these 20 most critical security controls and other gold-standard frameworks like the NIST CSF, DFARS, and ISO. 

Contact us for more information on CyberStrong’s automated compliance and risk management approach.

The objective of the Center for Internet Security (CIS) is to “discover, create, validate, promote, and sustain best practice cyber defense solutions.” 

The Top 20 Critical Security Controls (formerly known as the SANS Top 20 Critical Security Controls) is a prioritized list of best practices developed by the Center for Internet Security (CIS) to combat today’s most ubiquitous and severe threats. 

Top security experts created it worldwide and continue to work on it, updating the list annually to keep up with the threats. 

What Is CIS Top 20?

Here is a list of CIS 20 Security Controls that can help you protect your organization against cyber threats:

  • Inventory and Control of Hardware Assets
  • Inventory and Control of Software Assets
  • Continuous Vulnerability Management
  • Controlled Use of Administrative Privileges
  • Secure Configuration for Hardware and Software on electronic devices, Workstations, and Servers
  • Maintenance, Monitoring, and Analysis of Audit Logs
  • Email and Web Browser Protections
  • Malware Defense
  • Limitation and Control of Network Ports, Protocols, and Services
  • Data Recovery Capability
  • Secure Configuration for Network Devices, such as Firewalls, Modems, and Switches
  • Boundary Defense
  • Data Protection
  • Controlled Access Based on a Need To Know
  • Wireless Access Control
  • Account Monitoring and Control
  • Implement a Security Awareness and Training Program
  • Application Software Security
  • Incident Response and Management 
  • Penetration Tests and Red Team Exercises

What Are CIS Benchmarks?

The Center for Internet Security publishes CIS Benchmarks and industry best practices for securely setting IT systems, applications, and networks. Communities of cybersecurity professionals and subject matter experts worldwide created the CIS Benchmarks through a unique consensus-based approach. Over 140 benchmarks are available, encompassing seven critical technological areas. 

Each of them is constantly identifying, refining, and validating security best practices in their respective areas of concentration. CIS benchmarks are updated regularly to secure every IT infrastructure comprehensively.

Benefits of CIS Benchmarks

While businesses are always free to make their own security configuration decisions, the CIS Benchmarks offer the following:

  • A global group of IT and cybersecurity experts have pooled their knowledge.
  • Step-by-step instructions for safeguarding every aspect of the IT infrastructure are updated regularly.
  • Consistency in compliance management.
  • A flexible template for implementing digital transformation initiatives and deploying new cloud services safely.
  • Configurations that are simple to implement for increased operational efficiency and sustainability.

What Are The Levels Of Security, And Why Do They Matter?

The CIS standards offer two degrees of security:

Level 1 proposes basic security standards that may be set on any system and should result in little service disruption or diminished functionality.

Level 2 recommends increased security settings for environments that require high protection at the expense of functionality. 

The Importance Of CIS 20 In the Cybersecurity World 

They are intended to assist businesses in protecting their systems and data against known attack vectors. It can also serve as a valuable guide for companies that do not yet have a comprehensive security program.

How to Implement CIS Controls 

The CIS Top 20 Critical Security Controls are best practices businesses may apply to safeguard themselves in an ever-changing technological environment. Organizations must move forward against security threats by taking adequate measures to secure corporate devices, networks, and data to apply the CSC controls appropriately.

Implementing these best practices includes creating suitable discovery mechanisms and ensuring that all devices on an organization’s network are classified correctly. In addition, a company must monitor device activity and segregate susceptible devices regularly. Security teams should also conduct a risk assessment to verify that security requirements are satisfied.

How does the CIS Top 20 affect your business?

Industry standards frequently specify the depth to which an organization must delve into such murky depths, but they rarely define how. The CIS Critical Security Controls (CSC) is a collection of best practices companies may use to address the most frequent cybersecurity threats.

There are three implementation groups in the CSC, each of which is a progression of controls based on an organization’s needs:

  • All companies should implement controls 1–6, a basic implementation control group. Security teams may apply these six measures with few resources to give even the smallest businesses essential security.
  • However, the basic controls and controls 7–16 are recommended for mid-level enterprises with more significant resources and cybersecurity expertise to deploy security measures.
  • Organizational implementation entails implementing all 20 security rules for large, well-resourced companies with extensive cybersecurity knowledge.

A company may choose the best match for its infrastructure by segmenting the controls into resource and skill-specific pieces.

How To Get CIS Benchmark Certification

Businesses must obtain CIS Benchmarks Configuration Certification to show conformity with the Benchmarks to include and sell the CIS Benchmarks as part of a product offering. The Configuration Certification verifies that a system’s configuration complies with CIS Benchmark(s), ensuring that the system’s performance will not be at risk when used in a CIS hardened environment.

Steps To Follow To Get Certified

Submit one certification using the support portal on the CIS website, selecting the CIS SecureSuite Vendor Certification option, and filling out the form.

Then attach the CIS-CAT report to demonstrate conformity to the relevant CIS Benchmark version(s) and Profile(s). Please submit and specify if CIS-CAT is unavailable or does not provide coverage for the CIS Benchmark you seek certification for so that CIS Support can assist you.

Please explain any CIS Benchmark recommendation(s) that your solution does not satisfy. You’ll also need to list any CIS Benchmark recommendation(s) that your system/device/appliance/platform does not fulfill. If applicable, an exception report.

And don’t forget to provide a brief description of the hardened compliance system, device, appliance, or platform submitted for CIS Benchmarks Configuration Certification.

Should CIS-20 Be In Every Small Business Or Not?

Today’s business security administrators are as acquainted with the CIS Top 20 Security Controls as they are with penetration testing. But they’re no longer exclusively for big business!

CIS is now making its security policies considerably easier to adopt for small and medium-sized businesses.

Small firms and startups with minimal resources to install the CIS Controls and sub-controls should choose Implementation Group 1. Controls and sub-controls are implemented by Implementation Group 2 for medium and mid-market businesses with limited resources. Finally, big and international firms with sufficient resources, capable of implementing all CIS controls and sub-controls, can execute Implementation Group 3.

With the ease of implementation, small businesses can keep up with the market. Implementing these tools gives companies a head start paving their way toward growth. 

Is it Possible To Get a Perfect Score?

The CSAT assesses the maturity of each CIS control on four levels: policy specified, control executed, control reported, and control automated. Each degree of maturity adds points to the total score for the CIS standards. An overall score is a number between 0 and 100. The application organizes your replies across the 20 variables, compares them to industry norms, and generates detailed reports to convey the status and outcomes.

While getting a perfect score may be difficult, it is not impossible. It all depends on how you work towards improving the four levels under the CSAT.

Wrapping Up

CIS may also hire an independent third party to verify that a solution meets the CIS standards. However, an initial CIS Certification isn’t conditional on passing any third-party examination. CyberStrong can streamline and automate your compliance efforts with these 20 most critical security controls and other gold-standard frameworks like the NIST CSF, DFARS, and ISO. 

Contact us for more information on CyberStrong’s automated compliance and risk management approach.

*** This is a Security Bloggers Network syndicated blog from CyberSaint Blog authored by Maahnoor Siddiqui. Read the original post at: https://www.cybersaint.io/blog/analyzing-the-results-of-your-cis-security-controls-risk-assessment

Maahnoor Siddiqui