CIS Critical Security Controls
https://www.cisecurity.org/controls
Cyber attacks exploit bad cyber hygiene. The CIS Controls are security best practices for strengthening your security posture to defend against the top threats.
They map to many other frameworks.
Safeguards are identified by attack patterns from the MITRE ATT&CK framework. We verified that the CIS Controls are effective at defending against 86% of the ATT&CK (sub-)techniques found in the ATT&CK framework. More importantly, the Controls are highly effective against the top five attack types found in industry threat data.
Source: CIS Community Defense Model version 2.0
3 levels: IG1, IG2 and IG3. These CIS Controls Implementation Groups (IGs) are meant as guidance to prioritize implementation.
IG1 is defined as “essential cyber hygiene”, targeted to small to medium-sized enterprises with limited IT and cybersecurity expertise. Their main concern is operational continuity. IG1 Safeguards are aimed to thwart general, non-targeted attacks.
IG2 enterprises have dedicated security staff, multiple departments with differing risk profiles, and regulatory compliance burdens. A major concern is loss of public confidence if a breach occurs. IG2 Safeguards help security teams cope with increased operational complexity.
IG3 enterprises employ security experts that specialize in the different facets of cybersecurity. IG3 assets contain sensitive information or functions that are subject to regulatory and compliance oversight. An IG3 enterprise must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare. Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.
Source: CIS Controls v8.1 PDF, pp 8-12
List of the CIS Controls in v8, and how many Safeguards in each are applicable to each Implementation Group.
See CIS_Controls_Version_8.1_6_24_2024.xlsx for a table that shows all safeguards mapped to the three Implementation Groups.
CIS version 8 has 18 controls, you only gave me 9. Can you make this complete?
Certainly! Here's a complete table including all 18 CIS Controls in Version 8, with simplified implementation group indications. This serves as a high-level overview and the specifics for each safeguard would need to be obtained from the official CIS documentation.
| CIS Control | Safeguard (Control ID) | IG 1 | IG 2 | IG 3 |
|---|---|---|---|---|
| 1. Inventory and Control of Enterprise Assets | 1.1 Inventory of Assets | ✓ | ✓ | ✓ |
| | 1.2 Address Unauthorized Assets | ✓ | ✓ | ✓ |
| 2. Inventory and Control of Software Assets | 2.1 Inventory of Software | ✓ | ✓ | ✓ |
| | 2.2 Address Unauthorized Software | ✓ | ✓ | ✓ |
| 3. Data Protection | 3.1 Data Management | ✓ | ✓ | ✓ |
| | 3.2 Data Recovery | ✓ | ✓ | |
| 4. Secure Configuration of Enterprise Assets and Software | 4.1 Establish Secure Configurations | ✓ | ✓ | ✓ |
| | 4.2 Secure Configuration Management | ✓ | ✓ | |
| 5. Account Management | 5.1 Account Inventory | ✓ | ✓ | ✓ |
| | 5.2 Admin Account Management | ✓ | ✓ | ✓ |
| 6. Access Control Management | 6.1 Access Control Policy | ✓ | ✓ | ✓ |
| | 6.2 Access Granting | ✓ | ✓ | ✓ |
| 7. Continuous Vulnerability Management | 7.1 Vulnerability Scanning | ✓ | ✓ | ✓ |
| | 7.2 Vulnerability Remediation | ✓ | ✓ | |
| 8. Audit Log Management | 8.1 Log Retention and Management | ✓ | ✓ | ✓ |
| | 8.2 Log Review | ✓ | ✓ | |
| 9. Email and Web Browser Protection | 9.1 Email Protection | ✓ | ✓ | ✓ |
| | 9.2 Web Browser Protection | ✓ | ✓ | ✓ |
| 10. Malware Defenses | 10.1 Malicious Code Detection | ✓ | ✓ | ✓ |
| | 10.2 Malware Defenses | ✓ | ✓ | ✓ |
| 11. Data Recovery | 11.1 Data Recovery Mechanisms | ✓ | ✓ | ✓ |
| 12. Network Infrastructure Management | 12.1 Network Inventory | ✓ | ✓ | ✓ |
| | 12.2 Network Segmentation | ✓ | ✓ | |
| 13. Security Awareness and Skills Training | 13.1 Security Awareness Program | ✓ | ✓ | ✓ |
| | 13.2 Training and Exercises | ✓ | ✓ | |
| 14. Security Operations Center (SOC) Functions | 14.1 Threat Detection | ✓ | ✓ | ✓ |
| 15. Security Incident Management | 15.1 Incident Response Planning | ✓ | ✓ | ✓ |
| | 15.2 Incident Response Testing | ✓ | ✓ | |
| 16. Application Software Security | 16.1 Software Development Security | ✓ | ✓ | ✓ |
| | 16.2 Application Testing | ✓ | ✓ | |
| 17. Penetration Testing | 17.1 Penetration Testing and Red Teaming | ✓ | ✓ | |
| 18. Cloud Security | 18.1 Cloud Security Posture Management | ✓ | ✓ | ✓ |
| | 18.2 Cloud Workload Protection | ✓ | ✓ | |
This table presents an overview of the CIS Controls with a basic distinction of which implementation groups might adopt each safeguard as part of their cybersecurity strategy. The tick marks (✓) are placed based on the assumption that lower IG numbers cover more fundamental controls, while higher IG numbers represent more sophisticated measures. Always refer to the official CIS documents for precise guidelines and safeguards as they relate to your organization's needs.