What Are the CIS Controls?
The CIS Controls, officially titled CIS Critical Security Controls (CSCs), are a prioritized set of best practices developed by the Center for Internet Security (CIS) to help organizations mitigate the most common cyberattacks.
The CIS CSCs are grouped into three categories: Basic, Foundational, and Organizational, and offer a practical framework for implementing essential cybersecurity measures and significantly improving an organization’s security posture.
Here's a summary of the 18 CIS Critical Security Controls:
Basic Controls
- Inventory and Control of Enterprise Assets: Maintain a detailed inventory of all hardware devices to ensure only authorized devices are allowed.
- Inventory and Control of Software Assets: Track and control software installations to ensure only authorized software is used.
- Data Protection: Safeguard organizational data through encryption, data loss prevention, and other measures.
- Secure Configuration of Enterprise Assets and Software: Implement and maintain security configurations for hardware and software.
- Account Management: Manage the lifecycle of user accounts, including the creation, use, and deletion of accounts to prevent unauthorized access.
Foundational Controls
- Access Control Management: Implement controls to restrict access to sensitive data and systems based on user roles and needs.
- Continuous Vulnerability Management: Continuously scan for and remediate vulnerabilities in systems and software.
- Audit Log Management: Collect, manage, and analyze audit logs to detect and respond to security incidents.
- Email and Web Browser Protections: Protect against email and web-based threats through appropriate configurations and security measures.
- Malware Defenses: Implement protections against malware, including antivirus software and regular updates.
- Data Recovery: Ensure regular data backups and the ability to restore data in case of an incident.
- Network Infrastructure Management: Secure the network infrastructure, including firewalls, routers, and switches.
- Security Awareness and Skills Training: Conduct regular security training and awareness programs for employees.
- Service Provider Management: Manage the security risks associated with third-party service providers.
Organizational Controls
- Application Software Security: Develop and maintain secure software, including regular testing for vulnerabilities.
- Incident Response Management: Develop and maintain an incident response plan to handle security incidents effectively.
- Penetration Testing: Conduct regular penetration testing to identify and address security weaknesses.
- Security Monitoring: Implement continuous security monitoring to detect and respond to threats in real-time.
How Finite State Helps You Comply with CIS Critical Security Controls
Finite State offers a comprehensive solution to support compliance with CIS CSCs. Here’s how Finite State can assist your teams:
- Enforcing Secure Coding Practices: Seamless integrations into existing CI/CD pipelines automatically analyze source code and compiled binaries for common security vulnerabilities and coding errors. This lets engineers find vulnerabilities hidden deep within legacy code and third-party libraries, and detect and address issues early in the development process.
- Real-Time Threat Detection: Integrations with vulnerability databases provide up-to-date information on the latest threats and exploits, allowing for the proactive identification of potential risks before they can be exploited.
- Automate Vulnerability Identification: Using our advanced binary and source code SCA, vulnerabilities can be identified as they’re introduced across the SDLC to help teams keep applications secure.
- Comprehensive SBOM Solutions: Automatically generate Software Bills of Materials (SBOMs) throughout the SDLC and easily compile detailed information on all components in your products, including open-source libraries, third-party dependencies, and custom code, to improve transparency and identify potential security risks in your software supply chain.