Protecting information assets and the infrastructures that support them is of utmost importance. For this reason, there are currently various frameworks that organizations can adopt to strengthen their security measures. Among these, the CIS Controls framework stands out for its practical and operational approach. In this article, we explain what the CIS Controls are, how they are structured, what the different implementation groups are, and how the CIS Controls compare to other cybersecurity frameworks.
CIS Controls are a set of guidelines and best practices for securing technological systems and their associated data against digital threats. These controls were developed and are maintained by the Center for Internet Security (CIS), a nonprofit organization that works to improve the security of public and private entities.
CIS Controls are designed to provide organizations with specific and concrete ways to establish and strengthen their cybersecurity defenses. The framework is widely respected for its effectiveness and simplicity, making it an ideal choice for organizations of all sizes and sectors.
What is the structure of the CIS Controls framework?
The CIS Controls framework is structured into a set of 18 controls, each critical in its own right, and subdivided into several safeguards that provide detailed measures for their implementation. These controls are prioritized to help organizations focus on the most critical actions that can provide immediate benefits to improve their cybersecurity posture.
Below is a brief explanation of each of them.
Inventory and control of enterprise assets (hardware)
This control involves maintaining an updated inventory of all technological assets that interact within the network. It is crucial because it helps organizations identify which devices need protection and ensures that security resources are allocated effectively.
Inventory and control of software assets
Similar to physical asset control, this seeks to catalog all the software used within the organization. It is important because it aids in managing software installations, ensuring that unauthorized or malicious software is detected and mitigated swiftly.
Data protection
This control focuses on securing critical data through encryption, access controls, and other mechanisms that prevent data leaks. Its importance lies in protecting sensitive information from unauthorized access and disclosure, which is paramount for maintaining trust and ensuring regulatory compliance.
Secure configuration of enterprise assets and software
This control aims to establish and maintain secure configurations for all organizational assets and software. Proper configuration prevents attackers from exploiting default settings and vulnerabilities, thereby enhancing the security posture.
Account management
Involves the management of system and application accounts, including their creation, use, and termination. It is important because it ensures that only authorized users have access to systems, reducing the risk of internal threats and data breaches.
Access control management
Focuses on enforcing the principle of least privilege by ensuring that only authorized individuals have access to the systems and data necessary for their roles. This minimizes the potential damage from human errors or malicious actions.
Continuous vulnerability management
This control requires organizations to continually acquire, assess, and act upon new information regarding vulnerabilities. Its importance lies in proactively preventing security breaches by patching vulnerabilities before they can be exploited.
Audit log management
Seeks to create, manage, and retain system logs to provide an audit trail of activities. Effective log management is crucial for the early detection of suspicious activity, as well as for providing forensic evidence during security incidents.
Email and web browser protections
Aims to protect against threats stemming from email and web browsing, two common vectors for malware and social engineering attacks, which often exploit employees' lack of awareness. Implementing robust protections reduces the risk of security breaches initiated through these channels.
Malware defenses
Ensures that mechanisms are in place to control the installation, spread, and execution of malicious software. This is important because malware is often the entry point for more dangerous attacks that can compromise or damage systems.
Data recovery
This control addresses the need to establish and maintain adequate data recovery capabilities so that information systems can be restored after accidental data loss or the impact of an attack. Having effective and tested data recovery strategies is essential to minimize downtime and loss in case of data corruption or destruction.
Network infrastructure management
Focuses on establishing a secure network configuration and managing changes to the network in an equally secure way. Solid network management prevents unauthorized access and ensures that the network functions reliably and securely.
Network monitoring and defense
Involves monitoring to identify and respond to threats before they can impact the organization. This is critical for detecting advanced threats that may evade other defensive measures.
Security awareness and skills training
Emphasizes educating and training the organization's employees, one of the weakest links in the chain, on security risks and safe practices. Awareness programs are vital to preventing security incidents that stem from human error or lack of knowledge.
Service provider management
Requires organizations to manage third-party risks associated with service providers, ensuring they comply with the organization's security requirements. It is important because third parties can introduce vulnerabilities or additional risks that are difficult to detect, and these have been the cause of major security failures in recent history. It is especially important in large companies, which have many interconnections and information transfers with other companies, as well as IT and security systems maintained by third parties. This is a central element of new regulations such as the European DORA (Digital Operational Resilience Act).
Application software security
Seeks to protect applications by ensuring they are developed or configured to withstand attacks. The importance of this control lies in preventing breaches that exploit software vulnerabilities, one of the main security issues today.
Incident response management
This control focuses on establishing and testing an incident response capability for managing security incidents quickly and effectively. Timely and effective incident response is crucial to minimizing damage and recovering from attacks.
Penetration testing
One of the most well-known controls, it seeks to simulate cyberattacks under controlled conditions in order to identify and address vulnerabilities. Penetration testing is essential to validate the effectiveness of existing security measures and identify areas for improvement.
What are Implementation Groups (IG)?
CIS Controls are organized into three distinct implementation groups (IG), which are tailored to the size and complexity of the organization, as well as the nature of its data:
- IG1: For small businesses or those with limited experience, focused on basic cybersecurity hygiene practices. An IG1 company is generally focused on keeping the business operational.
- IG2: For medium-sized organizations that have more resources and face greater threats. An IG2 company already has individuals responsible for managing and protecting the IT infrastructure, or stores sensitive information about their customers, with their biggest concern being the loss of public trust if a security breach occurs.
- IG3: For large organizations or those at high risk requiring significant defense in depth. These are companies with cybersecurity experts specialized in each area of the field (risk management, penetration testing, etc.), and they are generally subject to regulatory supervision.
In the following chart, you can see each of the control categories and the number of safeguards associated with each implementation group (IG1/IG2/IG3).
As can be seen, the implementation groups (IG) are intended to be adaptable and scalable, ensuring that all organizations, regardless of size or industry, can find applicable and effective security measures for their context.
How are each of the CIS Controls evaluated?
In turn, each safeguard of the framework can be evaluated against four incremental maturity levels:
Policy: This category refers to the formal policies and procedures that must be established to manage and protect assets. Policies are essential because they define expectations, roles, and responsibilities within the organization, as well as establish enforceable standards for employees and infrastructure. The existence of clear and well-communicated policies is fundamental to ensuring that all members of the organization understand how they should handle information and technological resources at their disposal.
Control: Controls are the practices and technical solutions that are implemented to comply with the safeguard. They can include physical controls, such as locks and access control to facilities, and technical controls, such as firewall devices, antivirus software, or encryption mechanisms. The effective implementation of adequate controls is crucial to mitigating risks and protecting against threats and vulnerabilities.
Automated: The automation of security controls helps ensure that protection measures are always active and are executed consistently without manual intervention, reducing the risk of potential human errors. Automation can include automatic software updates, continuous network monitoring, and automatic response to security incidents. The implementation of automated controls facilitates the management of security in large-scale or highly complex environments.
Reported: This category involves the continuous monitoring and reporting of the security status. Reports should provide data on the performance of security controls and on any security incidents that occur. This information is vital for assessing the effectiveness of existing policies and controls, as well as for identifying areas for continuous improvement. Additionally, detailed reports increase the chances of detecting security incidents early, enabling a quick response that limits the impact an attacker can achieve.
What tools can help implement CIS Controls?
CIS offers a multitude of tools with the aim of helping organizations implement its controls. Some of the most important tools that have been made available to the community are:
CIS CSAT (Center for Internet Security Controls Self-Assessment Tool)
This is an online self-assessment tool offered by CIS (the Center for Internet Security Controls Self-Assessment Tool).
It guides the user through a detailed process to assess how the CIS Controls are being applied within their organization. One of its advantages is that it allows tracking maturity over time, making it useful for planning security improvements as well as for generating internal audit reports. Regarding reports, the tool offers analysis and reports that facilitate the identification of strengths and areas for improvement, helping the company to prioritize its next efforts and investments. The tool also allows multiple users from the same company to collaborate on the platform, and even to upload evidence, which facilitates coordination. Currently this tool is available only in English.

CIS Benchmark
As part of the ecosystem of tools offered by CIS to help protect companies, there are the so-called CIS Benchmarks. These are essentially hardening guides: community-validated documents that detail the secure configuration for a wide variety of systems and technological products. Among others, there are guides for operating systems, middleware products, network devices, desktop software, cloud environments, etc. These guides are maintained regularly to reflect changes in technologies and in the security context.
In addition, one of the greatest benefits of this type of guide is that they help with automation, as they are implemented by many configuration and security management tools. This allows our environment to be analyzed over time to validate that it maintains the expected secure configuration.

CIS Controls Assessment Specification
With the aim of defining a standardized approach to the evaluation of controls, CIS offers the Assessment Specification, which defines the exact guidelines and methodologies for assessing this controls framework. The specification defines which criteria should be evaluated, what evidence to collect, and how to interpret the results to determine the level of implementation maturity.
This allows successive evaluations carried out over time to remain consistent.
https://controls-assessment-specification.readthedocs.io
Comparison with other cybersecurity frameworks
While the CIS Controls provide a solid foundation for cybersecurity, there are other valid security frameworks, such as the well-known NIST frameworks (from the National Institute of Standards and Technology), the ISO 27K family (from the International Organization for Standardization) and PCI DSS (a standard for the payment card industry), that also offer substantial guidance. Some of the differences between these and the CIS framework are:
- NIST Cybersecurity Framework (CSF): NIST provides a more strategic approach to the organization's overall cybersecurity, focused on all aspects of risk management. The CIS Controls are more tactical and practical, offering specific actions to take at each step.
- ISO/IEC 27001: This is a broad framework that includes requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). A company can be certified in this standard, which can be interesting or even a requirement in certain sectors, while CIS does not have any formal certification process.
- PCI DSS: Specifically designed for businesses that handle credit card information, PCI DSS has specific requirements to protect cardholder data. CIS Controls are more general and are not limited to the payment industry.
The choice between CIS Controls and other frameworks depends on several factors, including specific industry regulations, the size of the organization, and the nature of the data it handles. For organizations looking for a clear and actionable path to quick wins in security, CIS Controls are often the preferred choice. For those who need a more comprehensive approach to risk management or need to comply with specific regulations, frameworks like NIST or ISO may be more appropriate.
Summary
CIS Controls offer a clear and effective roadmap for securing an organization’s systems and data. By focusing on critical security controls and tailoring implementation to the size and risk level of the organization, they provide a clear path to effective cybersecurity. Whether used alone or in conjunction with other standards, implementing CIS Controls is a step towards a more secure operating environment.