Organizational Controls Perspective (Part 3/3)

Part 1/3 covered the Basic CIS Controls, and Part 2/3 overviewed the Foundational CIS Controls found in the Center for Internet Security Critical Security Controls for Effective Cyber Defense implementation guide, a set of best practice guidelines for computer security.

Implementation Guide for ICS using the CIS Controls cover photo

The Organizational CIS Controls are less focused on the technical aspects of controls and more focused on people and processes. The Organizational CIS Controls are pervasive and need consideration across the entire enterprise and across all of the previously presented Basic and Foundational CIS Controls. Their measurements and metrics of success are driven more by observations about process steps and outcomes, and less by technical data gathering.

These final four CIS Controls demand much attention to achieve certifiable cybersecurity compliance, but it is important to remember that good cybersecurity goes beyond compliance and requires one to be proactive with all security aspects of one’s data, information, and systems.

CIS Control 17: Implement a Security Awareness and Training Program

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support the defence of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

CIS Control 18: Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

CIS Control 19: Incident Response and Management

Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

CIS Control 20: Penetration Tests and Red Team Exercises

Test the overall strength of an organization’s defence (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

I hope these three parts piqued your interest in forming defense-in-depth cybersecurity practices, based on best practices that mitigate the most common attacks against systems and networks. Always remember that cyberspace and our world are full of danger, requiring all of us to be proactive with security.

Download CIS Control V7 here: https://learn.cisecurity.org/20-controls-download