In our last blog post, we talked about ISO 27001 and its relevance to cyber security. In particular, we mentioned that it is just one component in a wider set of security frameworks that exist to help keep businesses like yours secure. Another framework that focuses specifically on cyber security within businesses is the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defence, otherwise known as the CIS Controls. In this post, we will go into the basics of what the CIS Controls are and how they apply to your business.
What Are CIS Controls?
Put simply, the CIS Critical Security Controls are a recommended, prioritised set of actions for cyber defence that provide specific and actionable ways to stop today's most pervasive and dangerous attacks. Note we say recommended: there is no legal obligation for businesses to abide by or implement the CIS Controls, but they are widely considered best practice, and they map onto other frameworks (ISO 27001 among them) so that work done on one is not wasted on the other. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They were created by the people who know how attacks work, including NSA Red and Blue teams, the US Department of Energy's national laboratories, law enforcement organisations and some of the top forensics and incident response organisations, to answer the question, "what do we need to do to stop known attacks?"
That group of experts reached consensus, and today we have a set of controls that any business or organisation can use to defend against cyber attacks across the whole estate.
What Are The Controls?
The version of the CIS Controls described here consists of 20 controls, which are commonly split into two groups: the first 5, which CIS describes as foundational cyber hygiene, and the remaining 15. The first 5 controls mean that a business should undertake the following:
- Inventory of Authorised and Unauthorised Devices
- Inventory of Authorised and Unauthorised Software
- Secure Configurations for Hardware and Software
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
These 5 controls target the weaknesses behind the majority of successful intrusions: devices and software nobody knows about, insecure default configurations, known but unpatched vulnerabilities, and accounts with more privilege than they need. Between them they give you the visibility and the basic hygiene that every other control depends on, which is why they are the absolute minimum standard that any business handling sensitive data should be aiming for. On top of that there are 15 more controls, these are:
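The first two controls both come down to the same routine check: compare what you can actually see on the network (or on a host) against a register of what is authorised, and treat every difference as a finding. The following is an added example, not code from the original post or from CIS, showing that reconciliation in Python. The authorised device register, the software allow-list, the simplified one-line DHCP lease records and the package list are all constructed sample data for illustration; a real deployment would feed in a DHCP or NAC export and a package manager listing instead.

```python
"""Inventory reconciliation in the spirit of CIS Controls 1 and 2 (added example).

Control 1: flag observed devices that are not in the authorised register,
           and authorised devices that have gone missing.
Control 2: flag installed software that is not on the allow-list.
"""
import re
from dataclasses import dataclass

# Constructed sample data: authorised devices keyed by MAC address.
AUTHORISED_DEVICES = {
    "00:11:22:33:44:01": "fileserver-01",
    "00:11:22:33:44:02": "laptop-jsmith",
    "00:11:22:33:44:03": "printer-floor2",
    "00:11:22:33:44:04": "switch-core",   # expected on the network but absent below
}

# Constructed sample data: software allowed on a server of this role.
AUTHORISED_SOFTWARE = {"openssh-server", "nginx", "postgresql", "libreoffice"}

# Constructed, simplified one-line lease records (real dhcpd.leases is multi-line).
DHCP_LEASES = """\
lease 10.0.0.11 { hardware ethernet 00:11:22:33:44:01; client-hostname "fileserver-01"; }
lease 10.0.0.23 { hardware ethernet 00:11:22:33:44:02; client-hostname "laptop-jsmith"; }
lease 10.0.0.57 { hardware ethernet DE:AD:BE:EF:00:99; client-hostname "android-7f3a"; }
lease 10.0.0.58 { hardware ethernet 00:11:22:33:44:03; client-hostname "lab-box"; }
"""

# Constructed sample: one package name per line, as a package manager might list them.
INSTALLED_SOFTWARE = """\
openssh-server
nginx
postgresql
teamviewer
libreoffice
minerd
"""

LEASE_RE = re.compile(
    r'lease (\S+) \{ hardware ethernet ([0-9a-fA-F:]{17}); client-hostname "([^"]*)";'
)


@dataclass(frozen=True)
class ObservedDevice:
    ip: str
    mac: str
    hostname: str


def parse_leases(text: str) -> list[ObservedDevice]:
    """Parse the simplified lease lines; MACs are normalised to lower case."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            ip, mac, hostname = m.groups()
            devices.append(ObservedDevice(ip, mac.lower(), hostname))
    return devices


def unauthorised_devices(observed, authorised=AUTHORISED_DEVICES):
    """Control 1 finding: devices seen on the network but not in the register."""
    return [d for d in observed if d.mac not in authorised]


def missing_devices(observed, authorised=AUTHORISED_DEVICES):
    """Control 1 finding: registered devices that were not seen at all."""
    seen = {d.mac for d in observed}
    return sorted(name for mac, name in authorised.items() if mac not in seen)


def hostname_mismatches(observed, authorised=AUTHORISED_DEVICES):
    """Registered MAC presenting a different hostname: worth a look, since MACs can be spoofed."""
    return [(d.mac, authorised[d.mac], d.hostname)
            for d in observed
            if d.mac in authorised and authorised[d.mac] != d.hostname]


def unauthorised_software(installed_text: str, authorised=AUTHORISED_SOFTWARE):
    """Control 2 finding: installed packages that are not on the allow-list."""
    installed = {line.strip() for line in installed_text.splitlines() if line.strip()}
    return sorted(installed - authorised)


if __name__ == "__main__":
    devices = parse_leases(DHCP_LEASES)
    print("Unauthorised devices:", [(d.ip, d.mac, d.hostname) for d in unauthorised_devices(devices)])
    print("Missing devices:", missing_devices(devices))
    print("Hostname mismatches:", hostname_mismatches(devices))
    print("Unauthorised software:", unauthorised_software(INSTALLED_SOFTWARE))
```

Run as a script, the sample data produces one unknown device (the Android phone), one registered device that never appeared (the core switch), one registered MAC presenting an unexpected hostname, and two packages that are not on the allow-list. Two caveats a practitioner would add: a MAC address is an identifier, not an authenticator, so this check tells you what to investigate rather than proving a device is legitimate (802.1X or a NAC solution is what actually enforces Control 1), and a software allow-list only works if it is maintained per system role and reviewed whenever a build changes.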
- Maintenance, Monitoring, and Analysis of Audit Logs
- Email and Web Browser Protections
- Malware Defences
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capability
- Secure Configurations for Network Devices
- Boundary Defence
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Security Skills Assessment and Appropriate Training to Fill Gaps
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
These 20 controls, when implemented together, reinforce one another to protect your organisation against today's most pervasive threats. You can download a comprehensive guide to all 20 CIS Controls directly from the CIS website. Note that CIS revises the Controls periodically and the list above reflects the 20-control numbering; the current version (CIS Controls v8) consolidates them into 18, so check the CIS website for the latest edition before planning an implementation.
At Bridewell Consulting, we work with business owners across the country to ensure their businesses are implementing all of the CIS Controls. By doing this they can be confident that their data is being protected to a high standard and that multiple layers of protection are in place to safeguard their sensitive information. To find out more about how Bridewell can help you, get in touch with one of our experts today.