Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Center for Internet Security Controls
The CIS Controls™ are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors including retail, manufacturing, healthcare, education, government, defense, and others.

We are at a fascinating point in the evolution of what we now call cyber defense. Massive data losses, theft of intellectual property, credit card breaches, identity theft, threats to our privacy, denial of service – these have become a way of life for all of us in cyberspace.

As defenders we have access to an extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability databases, guidance, best practices, catalogs of security controls, and countless security checklists, benchmarks, and recommendations. To help us understand the threat, we have seen the emergence of threat information feeds, reports, tools, alert services, standards, and threat sharing frameworks. To top it all off, we are surrounded by security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth. There is no shortage of information available to security practitioners on what they should do to secure their infrastructure.

But all of this technology, information, and oversight has become a veritable “Fog of More” – competing options, priorities, opinions, and claims that can paralyze or distract an enterprise from vital action. Business complexity is growing, dependencies are expanding, users are becoming more mobile, and the threats are evolving. New technology brings us great benefits, but it also means that our data and applications are now distributed across multiple locations, many of which are not within our organization’s infrastructure. In this complex, interconnected world, no enterprise can think of its security as a standalone problem.

So how can we as a community – the community-at-large, as well as within industries, sectors, partnerships, and coalitions – band together to establish priority of action, support each other, and keep our knowledge and technology current in the face of a rapidly evolving problem and an apparently infinite number of possible solutions? What are the most critical areas we need to address and how should an enterprise take the first step to mature their risk management program? Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a roadmap of fundamentals, and guidance to measure and improve? Which defensive steps have the greatest value?

These are the kinds of issues that led to and now drive the CIS Controls. They started as a grassroots activity to cut through the “Fog of More” and focus on the most fundamental and valuable actions that every enterprise should take. And value here is determined by knowledge and data – the ability to prevent, alert, and respond to the attacks that are plaguing enterprises today.

Led by CIS®, the CIS Controls have been matured by an international community of individuals and institutions that:
  Share insight into attacks and attackers, identify root causes, and translate that into classes of defensive action;
  Document stories of adoption and share tools to solve problems;
  Track the evolution of threats, the capabilities of adversaries, and current vectors of intrusions;
  Map the CIS Controls to regulatory and compliance frameworks and bring collective priority and focus to them;          
Share tools, working aids, and translations; and
  Identify common problems (like initial assessment and implementation roadmaps) and solve them as a community.

These activities ensure that the CIS Controls are not just another list of good things to do, but a prioritized, highly focused set of actions that have a community support network to make them implementable, usable, scalable, and compliant with all industry or government security requirements.

Why the CIS Controls Work: Methodology and Contributors

The CIS Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, individuals); with every role (threat responders and analysts, technologists, vulnerability-finders, tool makers, solution providers, defenders, users, policy-makers, auditors, etc.); and within many sectors (government, power, defense, finance, transportation, academia, consulting, security, IT) who have banded together to create, adopt, and support the Controls. Top experts from organizations pooled their extensive first-hand knowledge from defending against actual cyber-attacks to evolve the consensus list of Controls, representing the best defensive techniques to prevent or track them. This ensures that the CIS Controls are the most effective and specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of those attacks.

The CIS Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventing or disrupting attackers’ follow-on actions. The defenses identified through these Controls deal with reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organization’s network, disrupting attackers’ command-and-control of implanted malicious code, and establishing an adaptive, continuous defense, and response capability that can be maintained and improved.

The five critical tenets of an effective cyber defense system as reflected in the CIS Controls are:
Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment. The CIS Implementation Groups discussed below are a great place for organizations to start identifying relevant Sub-Controls. Measurements and Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.[/color]
Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps.
Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.

How to Get Started

The CIS Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. They also change the discussion from “What should my enterprise do?” to “What should we ALL be doing?” to improve security across a broad scale.

But this is not a one-size-fits-all solution, in either content or priority. You must still understand what is critical to your business, data, systems, networks, and infrastructures, and you must consider the adversarial actions that could impact your ability to be successful in the business or operation. Even a relatively small number of Controls cannot be executed all at once, so you will need to develop a plan for assessment, implementation, and process management.

This Version of the CIS Controls

With the release of Version 6 of the CIS Controls (in October 2015), we put in place the means to better understand the needs of adopters, gather ongoing feedback, and understand how the security industry supports the CIS Controls. We used this to drive the evolution of Version 7 and also Version 7.1.
In addition to the critical tenets of cyber defense previously mentioned, we also tried to ensure that every CIS Control is clear, concise, and current. While there’s no magic bullet when defining security controls, we believe this version sets the foundation for much more straightforward and manageable implementation, measurement, and automation.

At CIS, we listen carefully to all of your feedback and ideas for the CIS Controls. In particular, many of you have asked for more help with prioritizing and phasing in the CIS Controls for your cybersecurity program. This topic deserved a substantial treatment and resulted in the Implementation Groups discussed below. As such, the following principles were used to drive the V7.1 update.

  Reassess the prioritization scheme for the CIS Controls down to the Sub-Controls level, given the evolving threat landscape and resource constraints;
  Fix minor typos and errors;
  Enhance the clarity and readability of the CIS Controls and Sub-Controls; and
  Refrain from adding or subtracting from the technical content, or “spirit”, of a CIS Control or Sub-Control.

We also provide detailed change information to minimize the work for enterprises that choose to migrate from Version 7 to Version 7.1. You can also assist by sending your feedback and ideas on prioritization efforts or other matters to, or by joining the CIS WorkBench Community (

Implementation Groups

Historically the CIS Controls utilized the order of the Controls as a means of focusing an organization’s cybersecurity activities, resulting in a subset of the first six CIS Controls referred to as cyber hygiene. However, many of the practices found within the CIS cyber hygiene control set can be difficult for organizations with limited resources to implement. This highlighted a need for a collection of best practices focused on balancing resource constraints and effective risk mitigation. As a result, CIS recommends the following new guidance to prioritize CIS Control utilization, known as CIS Controls Implementation Groups.

The CIS Controls Implementation Groups (IGs) are self-assessed categories for organizations based on relevant cybersecurity attributes. Each IG identifies a subset of the CIS Controls that the community has broadly assessed to be reasonable for an organization with a similar risk profile and resources to strive to implement. These IGs represent a horizontal cut across the CIS Controls tailored to different types of enterprises. Each IG builds upon the previous one. As such, IG2 includes IG1, and IG3 includes all of the CIS Sub-Controls in IG1 and IG2. A resource constrained organization may have to protect critical data and, therefore, implement Sub-Controls in a higher IG. Ultimately, an organization implementing the CIS Sub-Controls defined for their IG is moving toward a standard duty of care as described in the CIS Risk Assessment Method (CIS RAM). CIS RAM is a free resource available at

CIS recommends that organizations prioritize their implementation of the Controls by following the IGs. Organizations should implement Sub-Controls in IG1, followed by IG2 and then IG3. The Sub-Controls contained within IG1 are essential to success. Implementation of IG1 should be considered among the very first things to be done as part of a cybersecurity program. CIS refers to IG1 as “Cyber Hygiene” – the essential protections that must be put into place to defend against common attacks. Organizations are encouraged to classify themselves as belonging to one of three Implementation Groups. For instance:
 A family-owned business with ~10 employees may self-classify as IG1;
 A regional organization providing a service may classify itself as IG2; or
A large corporation with thousands of employees may be labeled IG3.

Once a classification is determined, organizations can then focus on implementing the CIS Sub-Controls found within that IG. The criteria organizations use to identify their organizational category are based on the characteristics described below:

1.       Data sensitivity and criticality of services offered by the organization. Organizations providing services that must be available for any reason (e.g., public safety, critical infrastructure) or working with data that must be protected under a further restricted set of requirements (e.g., federal legislation) need to implement more advanced cybersecurity controls than those that do not.
2.       Expected level of technical expertise exhibited by staff or on contract. Cybersecurity knowledge and experience are difficult to obtain, yet are necessary to implement many of the detailed cybersecurity mitigations outlined within the CIS Controls. Many of the CIS Controls require minimum core IT competencies, whereas others necessitate in-depth cybersecurity skills and knowledge to successfully implement.
3.       Resources available and dedicated toward cybersecurity activities. Time, money, and personnel are all necessary in order to implement many of the best practices contained within the CIS Controls. Enterprises that can dedicate these resources toward cybersecurity can mount a more sophisticated defense against today’s adversaries. While there are open-source tools available that assist an organization’s implementation, they may come at a cost of additional management and deployment overhead that needs to be recognized and taken into consideration.

Note that organizations are encouraged to perform a risk assessment using a methodology such as CIS RAM. This will definitively inform which CIS Sub-Controls should be implemented for an organization. The IGs are not absolute; they are intended to provide a rough measure that organizations can use to better prioritize cybersecurity efforts. The following further defines and describes each Group.

Implementation Group 1:
An IG1 organization is small to medium-sized with limited IT and cybersecurity expertise to dedicate toward protecting IT assets and personnel. The principal concern of these organizations is to keep the business operational as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information. However, there may be some small to medium-sized organizations that are responsible for protecting sensitive data and, therefore, will fall into a higher Group.
Sub-Controls selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Sub-Controls will also typically be designed to work in conjunction with small or home office commercial-off-the-Shelf (COTS) hardware and software.

Implementation Group 2:
An IG2 organization employs individuals responsible for managing and protecting IT infrastructure. These organizations support multiple departments with differing risk profiles based on job function and mission. Small organizational units may have regulatory compliance burdens. IG2 organizations often store and process sensitive client or company information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs. Sub-Controls selected for IG2 help security teams cope with increased operational complexity. Some Sub-Controls will depend on enterprise-grade technology and specialized expertise to properly install and configure.
Implementation Group 3:
An IG3 organization employs security experts that specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security). IG3 systems and data contain sensitive information or functions that are subject to regulatory and compliance oversight. A IG3 organization must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare. Sub-Controls selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.

While this approach provides generalized guidance for prioritizing usage of the CIS Controls, this should not replace an organization’s need to understand their own organizational risk posture. Organizations should still seek to conduct their own duty of care analysis and tailor their implementation of the CIS Controls based on what is appropriate and reasonable given their resources, mission, and risks. Using these types of methods, such as those described in CIS RAM, organizations of different Implementation Groups can make risk-informed decisions about which Sub-Controls in their Group they may not want to implement and which higher Group’s they should strive for. The intention is to help organizations focus their efforts based on the resources they have available and integrate into any pre-existing risk management process.

1 CIS Sub-Controls for small, commercial off-the-shelf or home office software environments where sensitivity of the data is low will typically fall under IG1. Remember, any IG1 steps should also be followed by organizations in IG2 and IG3.
2 CIS Sub-Controls focused on helping security teams manage sensitive client or company information fall under IG2. IG2 steps should also be followed by organizations in IG3.
3 CIS Sub-Controls that reduce the impact of zero-day attacks and targeted attacks from sophisticated adversaries typically fall into IG3. IG1 and IG2 organizations may be unable to implement all IG3 Sub-Controls.

Other Resources

The true power of the CIS Controls is not about creating the best list of things to do, it is about harnessing the experience of a community of individuals and enterprises to make security improvements through the sharing of ideas, and collective action. To support this, CIS acts as a catalyst and clearinghouse to help us all learn from each other. Since Version 6, there has been an explosion of complementary information, products, and services available from CIS, and from the industry at large. Please contact CIS for the following kinds of working aids and other support materials:
    Mappings from the Controls to a very wide variety of formal Risk Management Frameworks (like FISMA, ISO, etc.)
    Use Cases of enterprise adoption
    Measurement and Metrics for all versions of the CIS Controls
    Information tailored for Small- and Medium-Sized Enterprises
    Pointers to vendor white papers and other materials that support the Controls
    Documentation on alignment with the NIST Cybersecurity Framework 
Structure of the CIS Controls Document

The presentation of each Control in this document includes the following elements:
    A description of the importance of the CIS Control (Why is This Control Critical?) in blocking or identifying presence of attacks and an explanation of how attackers actively exploit the absence of this Control.
    A table of the specific actions (“Sub-Controls”) that organizations should take to implement the Control.
    Procedures and Tools that enable implementation and automation.
    Sample Entity Relationship Diagrams that show components of implementation.

Forum Jump:

Users browsing this thread: 1 Guest(s)

Powered by © 2002-2020 MyBB Group.
Theme by CreWix. Fixed by Tomik. Customized for Aeowulf.