Simple Security Starting Point
Center for Internet Security Critical Security Controls
The Center for Internet Security (CIS) Critical Security Controls are a set of guidelines and best practices that organizations follow to improve their cybersecurity posture. The controls are divided into 18 categories, each focused on a different aspect of security.
The CIS controls were first developed in 2008 and have since become a widely adopted standard for cybersecurity. They are regularly updated and revised to ensure that they remain relevant and effective in the face of new threats.
The controls are designed to help organizations prioritize their security efforts, focusing on the most critical areas first. By implementing the controls, organizations can reduce their risk of a successful cyber attack and improve their overall security posture.
The 18 CIS controls are broken down into three categories:
Basic CIS Controls
The first six controls are the Basic CIS Controls. These are the most critical controls that should be implemented by all organizations. They include:
Inventory and Control of Hardware Assets
Inventory and Control of Software Assets
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Access Control Management
Foundational CIS Controls
The Foundational CIS Controls build upon the Basic Controls and provide additional security measures. These include:
Continuous Vulnerability Management
Audit Log Management
Email and Web Browser Protections
Network Infrastructure Management
Organizational CIS Controls
The final set of controls is the Organizational CIS Controls. These focus on the people and processes within an organization rather than the technology. They include:
Network Monitoring and Defense
Security Awareness and Skills Training
Service Provider Management
Application Software Security
Incident Response Management
In conclusion, the Center for Internet Security Critical Security Controls provide a comprehensive framework that organizations can follow to improve their cybersecurity posture. By implementing these controls, organizations can reduce their risk of a successful cyber attack and protect their valuable assets.