Building a Foundation for Cyber Integrity (Part 1/3)

The Center for Internet Security Critical Security Controls for Effective Cyber Defense is an implementation guide of best-practice guidelines for computer security.


The guidelines consist of 20 key actions, called critical security controls (CSC), that organizations should take to block or mitigate known attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them. The security controls give practical, actionable recommendations for cybersecurity, written in language that’s easily understood.

The goals of the guidelines are to:
• Leverage cyber offence to inform cyber defence, focusing on high-payoff areas,
• Ensure that security investments are focused on countering the top threats,
• Maximize the use of automation to enforce security controls, thereby negating human errors, and
• Use a consensus process to collect the best ideas.

Building cyber integrity is a significant effort, but it does not need to be costly beyond current outlays for a team that believes in proactive security. The Center for Internet Security (CIS) Critical Security Controls provide a valuable, practical framework for establishing cyber integrity, presented in three categories: Basic, Fundamental, and Organizational.

The six Basic CIS Controls are the first step toward cybersecurity compliance, but it is important to remember that good cybersecurity goes beyond compliance and requires one to be proactive with security. The six Basic Critical Security Controls (CSC) are:

CIS Control 1: Inventory and Control of Hardware Assets

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

CIS Control 2: Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

CIS Control 3: Continuous Vulnerability Management

Continuously acquire, assess, and take action on new information to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

CIS Control 4: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using rigorous configuration management and change control process to prevent attackers from exploiting vulnerable services and settings.

CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

In Part 2 of 3: 10 Foundational Critical Security Controls

Download CIS Control V7 here: https://learn.cisecurity.org/20-controls-download