
Simple Security Starting Point



Center for Internet Security Critical Security Controls

The Center for Internet Security (CIS) Critical Security Controls are a set of guidelines and best practices for organizations to follow in order to improve their cybersecurity posture. The controls are broken down into 18 different categories, each with a specific focus on a different aspect of security.

The CIS controls were first developed in 2008 and have since become a widely adopted standard for cybersecurity. They are regularly updated and revised to ensure that they remain relevant and effective in the face of new threats.

The controls are designed to help organizations prioritize their security efforts, focusing on the most critical areas first. By implementing the controls, organizations can reduce their risk of a successful cyber attack and improve their overall security posture.

The 18 CIS controls are broken down into three categories:

Basic CIS Controls

The first six controls are the Basic CIS Controls. These are the most critical controls that should be implemented by all organizations. They include:

  1. Inventory and Control of Hardware Assets

  2. Inventory and Control of Software Assets

  3. Data Protection

  4. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

  5. Account Management

  6. Access Control Management

Foundational CIS Controls

The Foundational CIS Controls build upon the Basic Controls and provide additional security measures. These include:

  1. Continuous Vulnerability Management

  2. Audit Log Management

  3. Email and Web Browser Protections

  4. Malware Defenses

  5. Data Recovery

  6. Network Infrastructure Management

Organizational CIS Controls

The final set of controls is the Organizational CIS Controls. These focus on the people and processes within an organization, rather than the technology. They include:

  1. Network Monitoring and Defense

  2. Security Awareness and Skills Training

  3. Service Provider Management

  4. Application Software Security

  5. Incident Response Management

  6. Penetration Testing

In conclusion, the Center for Internet Security Critical Security Controls provide a comprehensive framework for organizations to follow in order to improve their cybersecurity posture. By implementing these controls, organizations can reduce their risk of a successful cyber attack and protect their valuable assets.




