The Center for Internet Security (CIS) is a non-profit organization that provides best practices, tools, and cybersecurity resources to help organizations improve their IT security level. The most well-known tools it provides are the CIS Controls and the CIS Benchmarks.


The CIS Controls are a guide that defines how to implement security controls across different areas of action. Like any other framework, it helps to define security processes, document them in procedures, implement them, and measure their effectiveness. The 18 CIS Controls are:

- Control 1: Inventory and Control of Enterprise Assets
- Control 2: Inventory and Control of Software Assets
- Control 3: Data Protection
- Control 4: Secure Configuration of Enterprise Assets and Software
- Control 5: Account Management
- Control 6: Access Control Management
- Control 7: Continuous Vulnerability Management
- Control 8: Audit Log Management
- Control 9: Email and Web Browser Protections
- Control 10: Malware Defenses
- Control 11: Data Recovery
- Control 12: Network Infrastructure Management
- Control 13: Network Monitoring and Defense
- Control 14: Security Awareness and Skills Training
- Control 15: Service Provider Management
- Control 16: Application Software Security
- Control 17: Incident Response Management
- Control 18: Penetration Testing

CIS Benchmarks

The CIS Benchmarks are hardening guides that specify the security configurations of different IT elements. They are usually organized by operating system and version, but there are also guides for specific providers, such as network or cloud providers. These guides are very good references for establishing a security baseline.