The Center for Internet Security (CIS) controls are a relatively short list of high-priority, highly effective defensive actions that provide a “must-do, do-first” starting point for every enterprise seeking to improve its cyber defense.

Initially developed by the SANS Institute and known as the SANS Critical Controls, these best practices are indispensable to organizations both large and small. By adopting these sets of controls, organizations can prevent the majority of cyberattacks.

18 Critical Security Controls for Effective Cyber Defense

The latest release of the CIS Controls is version eight, which was published in 2021. The list is still prioritized in order of importance, but there are some notable changes to the controls and their order. The controls are now task-focused and combined by activities. Another change is that what were previously called sub-controls are now called safeguards.

CIS Controls implementatin groups
Source: https://www.cisecurity.org/controls/implementation-groups/ig3

CIS Control 1: Inventory and Control of Enterprise Assets

A comprehensive view of the devices on your network is the first step in reducing your organization’s attack surface. Use both active and passive asset discovery solutions on an ongoing basis to monitor your inventory and make sure all hardware is accounted for.

CIS Control 2: Inventory and Control of Software Assets

Another one of the top controls also deals with asset discovery, making network inventorying the single most critical step you can take to harden your system. After all, you can’t keep track of assets that you don’t know you have on your network.

CIS Control 3: Data Protection

A comprehensive data management plan incorporates the answers to these questions with policy decisions and incident response procedures. Knowing what data an enterprise produces or consumes as well as being able to classify it based on sensitivity are the keystones of such a plan. Despite its simple name, this (Read more...)