Every organisation has to deal with cyber risks, no matter its size or business: a bank can be just as vulnerable as an accountant. But cybersecurity does require organisation-specific focus, and the CIS (Center for Internet Security) Critical Security Controls provide a pragmatic approach that can be tailored to every organisation. These controls are divided into 18 cybersecurity categories, with practical examples and proven defences that help to reduce the likelihood and impact of cyberattacks. This is the uniform framework we employ at IS4U, and it can be applied to almost all organisations.
The main advantage of the CIS Controls is that you can choose for yourself which components are relevant to your organisation’s specific needs and risk profile. The standardised controls and their different levels (‘implementation groups’) enable us to quickly set up a cybersecurity strategy with a corresponding and complete basic structure for customers, together with an action plan that fits the budget.
All controls at a glance
- Inventory and Control of Enterprise Assets: you can’t protect what you don’t know.
- Inventory and Control of Software Assets: has every application been identified?
- Data Protection: determine and categorise data sensitivity.
- Secure Configuration of Enterprise Assets and Software: have all default passwords and settings been changed?
- Account Management: is centralised account management and identity and access management (IAM) already in place?
- Access Control Management: use multi-factor authentication and avoid exceptions for standard accounts.
- Continuous Vulnerability Management: automate patching and deal with vulnerabilities for which no patch is available.
- Audit Log Management: logs often contain all the answers, so collect and retain them carefully.
- Email and Web Browser Protections: email and websites are still the most popular means of attack.
- Malware Defences: keep your protection active and up to date.
- Data Recovery: keep your back-ups secure and up to date, and don’t give ransomware a chance.
- Network Infrastructure Management: company infrastructure is critical, so protect its accounts and keep network diagrams up to date.
- Network Monitoring and Defence: segment the network, use a VPN for remote access and monitor your logs.
- Security Awareness and Skills Training: increase security awareness and provide security training.
- Service Provider Management: protect your network and data from attacks in supplier chains.
- Application Software Security: do all your applications and third-party libraries pass a security test?
- Incident Response Management: do you have the right software, and do you control the process, if disaster strikes?
- Penetration Testing: security tests by an external firm measure how well your prevention and detection actually work.
Three security levels
All 18 controls matter to a greater or lesser degree, depending on your company’s risk profile, and to accommodate this each control is divided into three levels or implementation groups. Each implementation group consists of a set of security checks or safeguards that customers need to prioritise and implement.
The three risk profiles or implementation groups:
1. IG1 – essential cyber hygiene with 56 security checks
Standard cyber hygiene is sufficient for many companies, covering the basic requirements for their digital security. This includes endpoint protection against malware and secure configuration of laptops, smartphones and servers, which is quite straightforward as it is quick and easy to implement. It also allows companies with limited cybersecurity knowledge, little critical data and a limited budget to still work sufficiently securely. We carry out over 50 security checks for this.
2. IG2 – additional safeguards with 130 checks
The second group covers organisations that process sensitive data. This means they run a higher cyber risk and employ personnel for their network and IT security. We take a big step forward for each control in this group, and carry out as many as 130 checks. For example, we focus more on the inventories: we identify all hardware and software and, in particular, map how they interact with each other. This Configuration Management Database (CMDB) becomes more important as your IT infrastructure grows more complex. At this level we therefore also activate network security and monitoring, application security and penetration testing.
3. IG3 – maximum security with all 153 checks
We recommend the highest security level for mature organisations with critical data. This builds on the two previous groups and performs all checks. Among other things, we automate more intensive database vulnerability scanning to discover, analyse and report all security flaws and vulnerabilities. This ensures we can identify potential risks and attacks in networks, hardware, software and systems even faster, and it makes it increasingly difficult for attackers to carry out targeted attacks, even with zero-day malware. We implement every CIS control to the highest level, with all safeguards.
IS4U maturity workshop
To discover which implementation group matches your organisation, IS4U first organises workshops and interviews to determine your company’s cybersecurity maturity level. This is followed by a custom report with general findings, recommendations and the modifications that are needed.
IS4U can then implement technologies that raise the security level of your organisation in line with the CIS Controls and their safeguards. You can follow the evolution of your security level and your progress through the CIS steps in a handy online dashboard. This step-by-step plan from IS4U has already proven its effectiveness in practice. To find out more about our working method, use this form to get in touch.
The CIS Controls have become an industry standard and map to other cybersecurity frameworks and regulations, such as the NIST Cybersecurity Framework, NIST SP 800-53, NIST SP 800-171 and the ISO 27001 series, among others.