CIS Controls
CIS (Center for Internet Security)
CIS (Center for Internet Security) is an American organization that works to bring order to the jungle of IT-security threats and protection measures. It has done this by creating a package of measures, with a number of control points, called CIS Controls. The purpose is to help companies and organizations prioritize their security measures and create a secure cyber environment for both themselves and their partners. These checkpoints have been developed by IT-security experts from around the world.
Background
The origins of CIS lie in an institute called SANS (SysAdmin, Audit, Network and Security), which was founded in 1989. This institute, together with the FBI, is the origin of CIS Controls, which have been further developed since 2001. International IT-security experts review the checkpoints every year and ensure that they are kept up to date and follow the rapid development in the field of IT security.
Latest update
The latest update, version 8, is from May 2021.
In this version, the previous 20 checkpoints have become 18. With the help of these 18 control points, arranged in a rough priority order, organizations should be able to review and update their security posture in the cyber area. For each control point, there are guides in the form of texts and graphic illustrations.
List of the 18 checkpoints with short explanations:
Control 1. Inventory and Control of Enterprise Assets
Make sure that only known and approved equipment is given access. Unauthorized devices that are detected must be dealt with.
Control 2. Inventory and Control of Software Assets
Check all software in the systems and on the intranet and make sure that only authorized software remains installed.
Control 3. Data Protection
Create effective protection that prevents intruders from accessing important data.
Control 4. Secure Configuration of Enterprise Assets and Software
Securely configure all computer devices and software. This applies to, for example, mobile devices, laptops, workstations, servers, firewalls and routers.
Control 5. Account Management
User accounts tailored to specific tasks must be password protected, and access must be managed by a responsible administrator.
Control 6. Access Control Management
Sensitive data must be protected from unauthorized access. Grant administrator privileges on a need-to-know basis and use encryption.
Control 7. Continuous Vulnerability Management
Review vulnerabilities continuously. Check for security flaws on an ongoing basis and protect against possible attacks.
Control 8. Audit Log Management
Monitor and analyze logs and audit trails to detect deficiencies and simplify system recovery after an attack.
Control 9. Email and Web Browser Protections
Email and web browsers are contact routes with the outside world through which intruders can infiltrate computer systems. Protect these entry points to avoid attacks.
Control 10. Malware Defenses
Malware includes viruses, worms, trojan horses and other malicious code. Establish protection against these.
Control 11. Data Recovery
Keep backups of all data. Make sure attacks are detected in time, and restore information that has been altered.
Control 12. Network Infrastructure Management
Detect and correct security vulnerabilities in network devices to prevent attacks against them.
Control 13. Network Monitoring and Defense
Manage processes and tools for network monitoring and protection measures in the network infrastructure.
Control 14. Security Awareness and Skills Training
Train the organization's staff to increase their knowledge and security awareness. Develop a security awareness plan.
Control 15. Service Provider Management
Check the security posture of service providers who handle the organization's sensitive data, and ensure that these providers protect it.
Control 16. Application Software Security
Manage the security of software that is developed in-house, hosted or acquired, so that security weaknesses are prevented, detected and remediated before they can affect the organization.
Control 17. Incident Response Management
Establish a program to train and prepare the organization's employees to detect and respond to attacks.
Control 18. Penetration Testing
Test the ability of the organization's employees, processes and technology to detect and withstand attacks by simulating attacks against the systems.
Used by organizations around the world
CIS Controls are used by companies and organizations worldwide and are recommended by leading cybersecurity experts. Such experts can also help organizations navigate this comprehensive framework.
The full action program can be downloaded from the CIS website, www.cisecurity.org.