CIS Controls Framework (Center for Internet Security)

What is a cybersecurity framework?

A cybersecurity framework is a structured set of guidelines, best practices, standards, and methodologies designed to help organizations manage and mitigate cybersecurity risks effectively. These frameworks serve as a blueprint for organizations to establish, implement, and improve their cybersecurity posture.

There are several cybersecurity frameworks available, developed by various organizations and governments, each with its own focus, approach, and target audience. These frameworks are not mutually exclusive, and organizations often choose to adopt elements from multiple frameworks based on their specific needs, industry regulations, and compliance requirements. The adoption of a cybersecurity framework helps organizations establish a systematic approach to identifying, protecting against, detecting, responding to, and recovering from cybersecurity threats and incidents.

What is the CIS Controls Framework?

The CIS Controls Framework is a model for codifying and promoting cybersecurity best practices. The Center for Internet Security, Inc. (CIS) created and maintained the framework. The CIS Controls Framework is the result of input from cybersecurity experts around the world. The framework includes their view of best practices based on their experience defending their organizations against a broad set of cyber threats. 

The CIS Controls Framework helps organizations better identify and assess threats and rapidly adapt to new advanced threats. As a result, your security operations center can better share information and ultimately faster select and implement the best defensive mitigations. It is also essential that cyber defenders can share their tools. 

The SANS Institute released the framework in 2008 in response to cyberattacks targeting the U.S. Department of Defense and military contractors. The SANS Institute is a private U.S.-based company specializing in information security, cybersecurity training, and selling certification. SANS training topics include penetration testing, cyber and network defenses, digital forensics, incident response, and auditing.  In 2013 SANS approved transferring the framework to the Council on Cybersecurity. It was then moved again to the Center for Internet Security in 2015.

It might surprise you that in 2008 the very first version of the framework was known as the Consensus Audit Guidelines. Many other names and acronyms describe the framework. You may have heard of it as the CIS Critical Security Controls (CSC), the SANS Top 20, and more. More important is that the CIS CSC is used by over 30 percent of organizations today. 

The CIS CSC Framework defines five critical areas to build a robust cybersecurity defensive posture. The first area is based upon the experience of using information from actual attacks. By better understanding how the cyberattacks compromised the targeted systems, cyber defenders will benefit from these critical learnings and be better able to design and deploy a comprehensive and highly effective defense. The second area is about prioritizing security controls necessary to provide the best risk reduction against the threats likely in your environment. The third area is about metrics. Standard metrics allow the entire cyber defense team to understand how security measures should perform. CIS CSC also brings visibility to the importance of continuous measurement and mitigation. You need to understand the relative performance of your security controls and then adjust your plans accordingly. Finally, the rapid speed of response and future growth and scale won’t be achievable without automation.

All in all, the CIS CSC includes 20 critical security controls. You will find that each of these security controls, in turn, consists of various sub-controls. All of these together support the five crucial areas defined above. The broad set of capabilities offered by the CIS CSC provides your cyber defense team with one of the best practices available to identify, meet, and defeat dangerous cyber attackers and their tools. 

How does CIS CSC Work?

The first step in utilizing CIS CSC is to decide on the specific selection and use of the controls based upon the cybersecurity attributes of the organization which will use them. CIS CSC uses the concept of controls implementation groups (IGs) which enable your organization to match the critical characteristics of your organization and then map the priority of how you implement controls to fit your risk profile. 

The criteria for the self-classification include how the data used by the organization must be managed, the relative sensitivity and privacy required by that data, and the available services that must be offered and delivered by that organization. Further, the specific technical capabilities of the organization’s cybersecurity team may limit the ability of any organization to implement certain types of controls and the complex automation and integration that they require. Funding and available personnel are also critical limiting factors to be considered carefully. Finally, the CIS Controls Framework requires that organizations perform a risk assessment – it is preferred that organizations use the risk model provided by CIS. The CIS calls its model the CIS Risk Assessment Model (RAM).

CIS Controls user organizations must self-select their implementation group. There are three implementation groups as follows:

• IG1 Implementation Group. The IG1 implementation group is typically a small business with less than ten employees. 
• IG2 Implementation Group. A larger organization providing services and products across a more distributed geography might classify as an IG2. Organizations of this size might include several dozen to hundreds of employees.
• IG3 Implementation Group. The largest enterprise with thousands of employees would likely be self-classified as IG3.

CIS Controls

CIS Controls are assigned into several categories. Categories include the basic controls (1-6), foundational controls (7-16), and organizational controls (17-20). Basic controls are those that should be implemented in every organization. Basic controls are defined as necessary for essential cyber defense readiness. Foundational controls sharpen your technical defenses. Foundational controls provide technical best practices, deliver more security benefits, and are highly recommended by CIS. Finally, organizational controls are often used by larger enterprises. They focus on people and processes supporting, delivering, and maintaining security controls.  

The 18 controls are:

1. Inventory and control of enterprise assets
2. Inventory and control of software assets
3. Data protection
4. Secure configuration of enterprise assets and software
5. Account management
6. Access control management
7. Continuous vulnerability management
8. Audit log management
9. Email and web browser protections
10. Malware defenses
11. Data recovery
12. Network infrastructure management
13. Network monitoring and defense
14. Security awareness and skills training
15. Service provider management
16. Application software security
17. Incident response management
18. Penetration testing

The CIS CSC Controls are Compelling

The growth brought by the digital transformation makes it almost impossible for organizations to secure these devices with legacy architectures. The challenge is that too many tools exist in separate and incomplete security stacks. In addition, security policies are often misaligned between these varying security stacks. As a result, while the digital transformation has been significant for enterprises, it has also introduced many new network vulnerabilities for threat actors to compromise. 

CISOs are struggling to protect their organizations. The CIS Controls Framework provides the guidance and scale they need to scale up more effective protection. In addition, they need to move quickly to protect their enterprise’s brand and reputation. As a result, using and adopting CIS CSC will bring compelling value to most commercial and government organizations. 

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.