What Are CIS Critical Security Controls? A Comprehensive Guide to the 18 Controls

The CIS Controls comprise 18 crucial actions that form a prioritized list of best practices for bolstering an enterprise's cybersecurity defenses.

In a world flooded with cybersecurity information, these controls aim to simplify the process, guiding organizations on key actions to take, ensuring a robust and effective security approach

What Are CIS Critical Security Controls?

Understanding the Basics

The CIS Critical Security Controls, often simply referred to as CIS Controls, are a meticulously crafted and regularly updated set of cybersecurity best practices, principles, and defensive actions. They are provided by the Center for Internet Security (CIS), a collective organization that plays a crucial role in establishing frameworks and standards for organizations to meet contemporary cybersecurity needs.

At their core, the CIS Controls serve as actionable recommendations that organizations can leverage to identify, anticipate, and respond to digital threats effectively. In today's landscape, characterized by the ever-evolving and increasingly dangerous nature of cyber threats, having a robust cybersecurity strategy is imperative.

Evolution and Continuous Updates

One of the key strengths of the CIS Controls lies in their adaptability. These controls are continually updated through an informal community process, ensuring their relevance and usability for various organizations, from businesses to government agencies and academic institutions. These updates keep pace with the rapidly changing cybersecurity landscape, making them a valuable resource for addressing modern threats.

The Latest Version: CIS Controls v8

As of May 18, 2021, the most recent version of the CIS Controls, Version 8 (v8), was introduced to the world at the global RSA Conference of 2021. This update aimed to maintain the controls' relevance in the ever-changing cyber landscape while simplifying their implementation.

Streamlined and User-Friendly

Version 8 represents a significant leap forward in user-friendliness. Each safeguard or guideline now calls for just one action or approach, reducing the need for interpretation. This clarity makes v8 more approachable and understandable for organizations of all sizes and levels of expertise.

Task-Based Approach

A notable shift in v8 is its task-based approach to controls. This approach focuses on activities rather than specific device management. By adopting this methodology, organizations can streamline implementation and improve alignment with other cybersecurity frameworks, such as the NIST Cybersecurity Framework (CSF).

Fewer Controls, Enhanced Efficiency

The transition from v7 to v8 resulted in a reduction in the total number of controls, from 20 to 18. Several controls were consolidated for greater efficiency and clarity. For example, Control 4 and Control 14 were merged into Control 6, streamlining access control management.

A Deep Dive into CIS Controls v8: The 18 CIS Critical Security Controls

Control 1 – Inventory and Control of Enterprise Assets

Overview: Control 1 emphasizes actively managing enterprise assets to maintain an accurate inventory. It includes user devices, IoT devices, servers, and hardware assets connected to the enterprise infrastructure. By maintaining a comprehensive inventory, organizations can better monitor and protect their digital assets.

Key Recommendations:

• Regularly update and maintain an inventory of all enterprise assets.
• Correctly categorize and track assets as they are discovered.
• Include hardware assets connected to the enterprise infrastructure.

Control 2 – Inventory and Control of Software Assets

Overview: Protecting and inventorying software assets is crucial to mitigate vulnerabilities. Control 2 focuses on cataloging and organizing software assets, ensuring that they are up to date and secure. This control involves updating and patching software and maintaining a comprehensive inventory of software assets, which is essential for reducing security risks.

Key Recommendations:

• Create and maintain an inventory of all software assets.
• Regularly update and patch software to address vulnerabilities.
• Remove unauthorized or vulnerable software from the inventory.

Control 3 – Data Protection

Overview: Control 3 revolves around safeguarding sensitive data, a task that is paramount in today's data-driven world. This control addresses the "5 Ws": what kind of data is handled, who has access to it, where it's stored, when it should be deleted, and why it needs protection. Following Control 3 ensures that organizations adhere to modern data privacy laws and regulations, such as the GDPR in Europe.

Key Recommendations:

• Maintain an up-to-date data inventory.
• Document data flows and storage locations.
• Securely dispose of data when no longer needed.
• Encrypt sensitive data in transit and at rest.

Control 4 – Secure Configuration of Enterprise Assets and Software

Overview: Security begins with the secure configuration of software and hardware assets. While most assets come preconfigured, some may not adhere to robust security standards. Control 4 advises configuring each asset individually to ensure compliance with organizational security policies. This control emphasizes the use of multiple security layers at every stage to reduce vulnerabilities.

Key Recommendations:

• Securely configure hardware and software assets.
• Apply enterprise security policies to all assets.
• Implement multiple security layers to enhance protection.

Control 5 – Account Management

Overview: Preventing unauthorized access through valid, stolen credentials is the primary focus of Control 5. This control requires organizations to maintain visibility of user accounts in the enterprise environment. By knowing who owns what credentials and where they are assigned, organizations can proactively protect against unauthorized access. Recommended practices include using unique passwords, disabling dormant accounts, and maintaining an inventory of all service accounts.

Key Recommendations:

• Maintain visibility of user accounts.
• Use unique passwords and strong authentication methods.
• Disable dormant or unnecessary accounts.
• Keep an inventory of service accounts and their purposes.

Control 6 – Access Control Management

Overview: Access Control Management (Control 6) focuses on the type of access granted to different accounts within an organization. It adheres to the principle of least privilege, ensuring that users have the lowest level of access necessary for their job responsibilities. This control frequently recommends responses such as centralizing access control, using role-based access control, and requiring multi-factor authentication for administrative access.

Key Recommendations:

• Implement the principle of least privilege.
• Centralize access control.
• Use role-based access control (RBAC).
• Enforce multi-factor authentication (MFA) for administrative access.

Control 7 – Continuous Vulnerability Management

Overview: Control 7 is all about establishing a comprehensive vulnerability management program. This is crucial for proactive cybersecurity. Organizations create a plan for assessing and tracking digital threats to their enterprise assets. Control 7 includes recommendations such as designing and implementing remediation processes, automating patch management, and creating a comprehensive vulnerability management process to stay ahead of potential threats.

Key Recommendations:

• Create a vulnerability management program.
• Assess and track digital threats regularly.
• Automate patch management for applications and operating systems.
• Implement a comprehensive vulnerability management process.

Control 8 – Audit Log Management

Overview: The Audit Log Management control (Control 8) is one of the most crucial controls, especially for regulatory compliance. Organizations need to collect, manage, monitor, and analyze audit logs effectively. Control 8 recommends collecting and reviewing audit logs regularly and establishing a standardized audit log management process. Standardizing time synchronization is also essential, enabling cybersecurity teams to identify and respond promptly to digital threats and attacks.

Key Recommendations:

• Collect and review audit logs regularly.
• Establish a standardized audit log management process.
• Ensure time synchronization for accurate threat detection.

Control 9 – Email and Web Browser Protections

Overview: Email and web protection are vital in today's threat landscape. Control 9 provides recommendations and steps to protect against attacks originating from these vectors. Safeguards include blocking unnecessary file types, using supported email clients and web browsers, employing anti-malware protections for email servers, and enforcing DNS filters for external web traffic.

Key Recommendations:

• Block unnecessary file types in email and web traffic.
• Use supported and secure email clients and web browsers.
• Implement anti-malware protections for email servers.
• Enforce DNS filters and network-based URL filters when necessary.

Control 10 – Malware Defenses

Overview: Malware is a persistent and common cybersecurity threat. Control 10 focuses exclusively on stopping malware. Recommendations include automating anti-malware scans across the organization, using up-to-date anti-malware solutions, and disabling autoplay and autorun functionalities for removable media. These measures, while basic, are highly effective in bolstering overall organizational security.

Key Recommendations:

• Automate anti-malware scans across the organization.
• Use up-to-date anti-malware solutions.
• Disable autoplay and autorun for removable media.

Control 11 – Data Recovery

Overview: Control 11 centers on data recovery strategies. Organizations can lose data due to malware attacks, natural disasters, or accidental deletion. Therefore, it's essential to have plans in place for data recovery. This control recommends creating and maintaining an automatic data backup process, isolating recovery data, establishing a data recovery process, and regularly testing recovery data to prevent permanent data loss.

Key Recommendations:

• Establish an automatic data backup process.
• Isolate recovery data to prevent tampering.
• Create a data recovery process.
• Regularly test recovery data to ensure its effectiveness.

Control 12 – Network Infrastructure Management

Overview: Network infrastructure often presents a vast attack surface for potential hackers. Control 12 addresses inherent security flaws in software assets and new hardware installations. Recommendations include updating network infrastructure, centralizing network authentication, authorization, and auditing (AAA) practices, and using a VPN for remote devices. This is particularly relevant for organizations with employees frequently connecting to vulnerable Wi-Fi networks outside the office.

Key Recommendations:

• Keep network infrastructure updated.
• Centralize network AAA practices.
• Implement VPNs for remote device connections.

Control 13 – Network Monitoring and Defense

Overview: Control 13 takes a holistic approach to network monitoring and defense. It calls for organizations to use various processes and tools to monitor and defend against all types of attacks. Recommendations include centralizing security event alerts, using network intrusion detection systems, managing access control for remote access, and capturing network traffic flow logs. This control underscores the importance of human involvement in monitoring and preventing malware attacks, discouraging over-reliance on automated detection programs or firewalls.

Key Recommendations:

• Centralize security event alerts.
• Employ network intrusion detection systems.
• Manage access control for remote access.
• Capture network traffic flow logs.

Control 14 – Security Awareness and Skills Training

Overview: Control 14 emphasizes the role of human behavior in data breaches. It recommends creating and maintaining a security awareness program to educate employees about recognizing social engineering attacks and preventing vulnerabilities. Other recommendations include teaching employees authentication best practices, creating strong passwords, and encouraging them to recognize and report security incidents or breaches.

Key Recommendations:

• Establish and maintain a security awareness program.
• Educate employees about social engineering attacks.
• Promote best practices for authentication and password security.
• Encourage employees to report security incidents promptly.

Control 15 – Service Provider Management

Overview: Many modern businesses work with third-party entities such as vendors, freelancers, and service providers, introducing potential security threats. Service Provider Management (Control 15) focuses on auditing and securing external partners with access to an enterprise's IT systems. Recommendations include classifying security providers, incorporating security requirements into service provider contracts, and assessing and monitoring service provider access to crucial systems.

Key Recommendations:

• Classify and assess security providers.
• Include security requirements in service provider contracts.
• Monitor and assess service provider access to critical systems.

Control 16 – Application Software Security

Overview: Control 16 centers on securing application software, which can often contain significant security vulnerabilities. Recommendations include creating an inventory of third-party software apps, implementing code-level security checks, and training developers to create secure applications. Additionally, it emphasizes performing root cause analysis security checks to address vulnerabilities at their source.

Key Recommendations:

• Create and maintain an inventory of third-party software apps.
• Implement code-level security checks.
• Provide training to developers for secure application development.
• Perform root cause analysis to identify and address vulnerabilities.

Control 17 – Incident Response Management

Overview: Control 17 focuses on responding to digital threats and security incidents. It involves limiting hacker access after a breach has occurred and minimizing damage in the moment. Recommendations include documenting a comprehensive yet understandable incident response plan, defining thresholds for security incidents, conducting incident response exercises, and assigning incident response roles and responsibilities.

Key Recommendations:

• Document a comprehensive incident response plan.
• Define thresholds for security incidents.
• Conduct incident response exercises to prepare for real incidents.
• Assign and communicate incident response roles and responsibilities.

Control 18 – Penetration Testing

Overview: The final CIS Control, Control 18, is all about identifying vulnerabilities before cybercriminals can exploit them. Penetration tests help organizations discover their weak spots and take steps to correct them proactively. Recommendations include establishing and maintaining a penetration testing program and performing external penetration tests regularly. After each test, organizations should remediate identified vulnerabilities and develop strategies to prevent their recurrence.

Key Recommendations:

• Establish and maintain a penetration testing program.
• Conduct regular external penetration tests.
• Remediate identified vulnerabilities promptly.
• Develop strategies to prevent the recurrence of identified vulnerabilities.

Leveraging Tentacle for CIS Mapping and Implementation

The CIS Critical Security Controls, represented in Version 8, provide a robust framework for organizations to strengthen their cybersecurity defenses. By implementing these controls, businesses can proactively protect their digital assets, ensuring the security and privacy of their data and systems.

Tentacle simplifies the process of mapping your existing security program to the CIS controls.

Through AI Control Mapping, you can import existing security responses to quickly map to the specific controls outlined in CIS.

This powerful feature provides a clear overview of how your organization's security measures correspond to the defined controls, highlighting strengths and areas that require enhancement.

Get started today by signing up for a free account at Tentacle. Ready to try out some of our Premium features? Contact us at sales@tentacleco.com to set up a trial.