CIS Controls

As part of your cyber risk management, we recommend adopting a set of industry-standard cyber security controls that provide strong baseline security.

Center for Internet Security (CIS) Controls

The CIS Controls are a relatively small number of prioritised, well-vetted, and supported security actions that organisations can take to assess and improve their current security state. The controls are designed using knowledge of actual attacks to help an organisation prioritise their investment in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented.

To prioritise the subset of controls to be implemented by a business, CIS uses “Implementation Groups (IGs)”, which are self-assessed categories based on relevant cybersecurity attributes. Each IG is linked to a subset of the CIS Controls that the broader security community has assessed to be reasonable for an organisation with a similar risk profile and resources to strive to implement. The groups are cumulative: an organisation in IG2 implements the IG1 Sub-Controls plus its own, and IG3 implements all of them.

At a high level, the three IGs are defined as:

  • Implementation Group 1 – A small or medium-sized organisation with limited resources and cybersecurity expertise available to implement Sub-Controls.
  • Implementation Group 2 – An organisation with moderate resources and cybersecurity expertise to implement Sub-Controls.
  • Implementation Group 3 – A mature organisation with significant resources and cybersecurity experience to allocate to Sub-Controls.

There are 20 CIS Controls in total. The first six are considered basic security hygiene controls, and we recommend that these six be the initial focus of any organisation, along with any additional controls identified during this process as key to achieving current objectives. Note that this numbering follows CIS Controls version 7.1; version 8 consolidated the set to 18 controls and renumbered them, so confirm which version an assessment or contractual requirement refers to.

CIS Control 1: Inventory and Control of Hardware Assets

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorised devices are given access, and unauthorised and unmanaged devices are found and prevented from gaining access.

CIS Control 2: Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software on the network so that only authorised software is installed and can execute, and that all unauthorised and unmanaged software is found and prevented from installation or execution.
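Controls 1 and 2 share one underlying check: compare what the network actually shows against the authorised inventory and act on the difference. As an added example (not code from this page or from CIS), the following Python does that reconciliation for both a hardware register keyed by MAC address and a software allow-list keyed by package and version. Every MAC address, host name, package and version in it is constructed sample data.

```python
"""Reconcile observed hardware and software against authorised inventories.

Added example, not code from the CIS page or from CIS. Every MAC address,
host name, package and version below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Reconciliation:
    """Result of comparing an authorised inventory with what was observed."""
    authorised_seen: set   # in the inventory and observed
    unauthorised: set      # observed but not in the inventory: find and block
    missing: set           # in the inventory but not observed: offline, lost, or stale record


def reconcile(authorised, observed):
    """Set comparison shared by the hardware and software checks."""
    authorised, observed = set(authorised), set(observed)
    return Reconciliation(
        authorised_seen=authorised & observed,
        unauthorised=observed - authorised,
        missing=authorised - observed,
    )


# Control 1: hardware. An asset register keyed by MAC address (constructed).
AUTHORISED_HARDWARE = {
    "aa:bb:cc:00:00:01": "laptop-finance-01",
    "aa:bb:cc:00:00:02": "srv-files-01",
    "aa:bb:cc:00:00:03": "printer-floor2",
}

# Constructed DHCP lease observations as (mac, ip) pairs, e.g. exported from
# the DHCP server or a switch's MAC address table.
OBSERVED_LEASES = [
    ("AA:BB:CC:00:00:01", "10.0.1.20"),   # upper case, as some exporters emit
    ("aa:bb:cc:00:00:03", "10.0.1.50"),
    ("de:ad:be:ef:00:99", "10.0.1.77"),   # not in the register
]


def hardware_report(authorised=AUTHORISED_HARDWARE, leases=OBSERVED_LEASES):
    """Normalise MAC case before comparing, so formatting differences don't hide a device."""
    observed = {mac.lower() for mac, _ in leases}
    return reconcile(authorised.keys(), observed)


# Control 2: software. Allow-list of (package, version) pairs (constructed).
# Keying on the version as well as the name means an approved product at an
# unapproved (e.g. outdated) version is reported as unauthorised.
AUTHORISED_SOFTWARE = {
    ("openssh-server", "9.3"),
    ("nginx", "1.24"),
    ("python3", "3.11"),
}

# Constructed "name version" listing of one host's installed packages.
OBSERVED_PACKAGES_TEXT = """\
openssh-server 9.3
nginx 1.18
python3 3.11
nmap 7.94
"""


def parse_package_listing(text):
    """Parse 'name version' lines; blank or malformed lines are ignored."""
    pkgs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            pkgs.add((parts[0], parts[1]))
    return pkgs


def software_report(authorised=AUTHORISED_SOFTWARE, listing=OBSERVED_PACKAGES_TEXT):
    return reconcile(authorised, parse_package_listing(listing))


if __name__ == "__main__":
    hw, sw = hardware_report(), software_report()
    print("Unauthorised devices :", sorted(hw.unauthorised))
    print("Missing devices      :", sorted(hw.missing))
    print("Unauthorised software:", sorted(sw.unauthorised))
    print("Missing software     :", sorted(sw.missing))
```

On the sample data the hardware check reports `de:ad:be:ef:00:99` as unauthorised and `aa:bb:cc:00:00:02` as missing, and the software check reports `nginx 1.18` and `nmap 7.94` as unauthorised with `nginx 1.24` missing, which is the outdated-version case the "correct" part of both controls exists for. In practice the observed sets come from the DHCP server, switch tables, endpoint agents or a package manager rather than string literals, and the report feeds a ticket or a network access control decision.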

CIS Control 3: Continuous Vulnerability Management

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimise the window of opportunity for attackers.

CIS Control 4: Controlled Use of Administrative Privileges

Use processes and tools to track, control, prevent and correct the use, assignment and configuration of administrative privileges on computers, networks and applications.

CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Collect, manage, and analyse audit logs of events that could help detect, understand, or recover from an attack.
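Collecting logs only pays off when something is actually analysing them. As an added example (not code from this page or from CIS), the following Python runs one detection over OpenSSH authentication log lines: a source address that fails several password attempts and then logs in successfully, the pattern of a password-guessing attack that worked. The log lines are constructed samples in OpenSSH's syslog format, and the threshold and time window are assumptions chosen for illustration, not values CIS prescribes.

```python
"""Analyse OpenSSH audit log lines for password guessing followed by a login.

Added example, not code from the CIS page or from CIS. The log lines are
constructed samples in OpenSSH's syslog format; the threshold and time window
are assumptions chosen for illustration, not values CIS prescribes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. 203.0.113.9 guesses four passwords and then logs in
# as alice; 198.51.100.4 is a single typo followed by a key-based login.
SAMPLE_LOG = """\
Mar  4 10:00:01 srv-files-01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 50210 ssh2
Mar  4 10:00:03 srv-files-01 sshd[2103]: Failed password for root from 203.0.113.9 port 50212 ssh2
Mar  4 10:00:05 srv-files-01 sshd[2105]: Failed password for root from 203.0.113.9 port 50214 ssh2
Mar  4 10:00:06 srv-files-01 sshd[2107]: Failed password for invalid user deploy from 203.0.113.9 port 50216 ssh2
Mar  4 10:00:09 srv-files-01 sshd[2109]: Accepted password for alice from 203.0.113.9 port 50220 ssh2
Mar  4 10:15:00 srv-files-01 sshd[2201]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Mar  4 10:15:40 srv-files-01 sshd[2203]: Accepted publickey for bob from 198.51.100.4 port 40003 ssh2
Mar  4 10:16:00 srv-files-01 sshd[2205]: Received disconnect from 198.51.100.4 port 40003:11: disconnected by user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line, year=2024):
    """Return an event dict for an auth result line, or None for other lines.

    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padding in "Mar  4"
    return {
        "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_guess_then_login(lines, threshold=3, window_seconds=300):
    """Flag an Accepted login preceded by >= threshold failures from the same
    source within window_seconds. Lines must be in chronological order."""
    failures = defaultdict(list)   # source IP -> timestamps of failed attempts
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["src"]]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "method": ev["method"],
                "failures_before_success": len(recent),
                "at": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_guess_then_login(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the detector raises one alert, for `203.0.113.9` logging in as `alice` after four failures, and stays quiet for `bob`, whose single failure is below the threshold. The same structure (parse, keep short per-source state, alert on a sequence) is what a SIEM correlation rule does at scale; the point of the control is that the logs are centralised and retained so this kind of question can be answered after the fact, not just in real time.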

Contact us to arrange a consultation.