Appendix III:
Center for Internet Security — CIS Controls v8
CIS is a not-for-profit organization responsible for developing globally recognized best practices for securing IT systems and data. CIS has become an international community of experts with a mission ‘to create confidence in the connected world’.
This appendix is a summary of CIS Controls, which have been updated and enhanced to keep pace with cloud-based and hybrid environments, virtualization and mobility, along with changing attacker tactics, and the recent shift to work-from-home.
The CIS Controls have been mapped to a very wide variety of formal risk management frameworks (such as those from the National Institute of Standards and Technology [NIST®], the Federal Information Security Modernization Act [FISMA], the International Organization for Standardization [ISO], etc.).
The CIS Controls have also been structured to provide guidance according to self-assessed implementation groups or IGs:
An IG1 enterprise is small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel.
An IG2 enterprise employs individuals responsible for managing and protecting IT infrastructure.
An IG3 enterprise employs security experts that specialise in the different facets of cybersecurity (e.g., risk management, penetration testing, application security).
The controls applicable to IG1 are considered to be ‘basic cyber hygiene’ and are also applicable to IG2 and IG3. Similarly, additional controls applicable to IG2 are also applicable to the IG3 group.
The presentation of controls in the guidance contains the following elements:
Overview — A brief description of the intent of the control and its utility as a defensive action
Why is this control critical? — A description of the importance of this control in blocking, mitigating, or identifying attacks and an explanation of how attackers actively exploit the absence of this control
Procedures and tools — A more technical description of the processes and technologies that enable implementation and automation of this control
Safeguard descriptions — A table of the specific actions that enterprises should take to implement the control
CIS Controls are a prioritized set of safeguards to mitigate the most prevalent cyberattacks against systems and networks.
Overview descriptions of the 18 controls encompassed in this framework, including the proportion of safeguards for each control that are applicable to IG1, are as follows:
Control 01. Inventory and control of enterprise assets — IG1 = 2/5
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) connected to the infrastructure physically, virtually or remotely, and all enterprise assets within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Enterprises cannot defend what they do not know they have.
Control 02. Inventory and control of software assets — IG1 = 3/7
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Control 03. Data protection — IG1 = 6/14
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Control 04. Secure configuration of enterprise assets and software — IG1 = 7/12
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Default configurations for enterprise assets and software are normally geared towards ease-of-deployment and ease-of-use rather than security.
Control 05. Account management — IG1 = 4/6
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Control 06. Access control management — IG1 = 5/8
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Control 07. Continuous vulnerability management — IG1 = 4/7
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate them and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Control 08. Audit log management — IG1 = 3/12
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Control 09. Email and web browser protections — IG1 = 2/7
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
Because email and web are the main means that users interact with external and untrusted users and environments, these are prime targets for both malicious code and social engineering.
Control 10. Malware defences — IG1 = 3/7
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Control 11. Data recovery — IG1 = 4/5
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Control 12. Network infrastructure management — IG1 = 1/8
Establish, implement, and actively manage (track, report, correct) network devices to prevent attackers from exploiting vulnerable network services and access points.
Control 13. Network monitoring and defence — IG1 = 0/11
Operate processes and tooling to establish and maintain comprehensive network monitoring and defence against security threats across the enterprise’s network infrastructure and user base.
Control 14. Security awareness and skills training — IG1 = 8/9
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
An effective security awareness training program should not just be a canned, once-a-year training video coupled with regular phishing testing.
Control 15. Service provider management — IG1 = 1/7
Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes to ensure that these providers are protecting those platforms and data appropriately.
Control 16. Application software security — IG1 = 0/14
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can affect the enterprise.
Control 17. Incident response management — IG1 = 3/9
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare for, detect, and quickly respond to an attack.
Even if an enterprise does not have the resources to conduct incident response itself, it is still critical to have a plan.
Control 18. Penetration testing — IG1 = 0/5
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.