What Are the CIS Controls?
The CIS Controls, officially titled CIS Critical Security Controls (CSCs), are a prioritized set of best practices developed by the Center for Internet Security (CIS) to help organizations mitigate the most common cyberattacks.
The CIS CSCs are grouped into three categories (Basic, Foundational, and Organizational) and offer a practical framework for implementing essential cybersecurity measures and significantly improving an organization's security posture.
Here's a summary of the 18 CIS Critical Security Controls:
Basic Controls
- Inventory and Control of Enterprise Assets: Maintain a detailed inventory of all hardware devices so that only authorized devices are permitted.
- Inventory and Control of Software Assets: Track and control software installations to ensure only authorized software is used.
- Data Protection: Safeguard organizational data through encryption, data loss prevention, and other measures.
- Secure Configuration of Enterprise Assets and Software: Implement and maintain security configurations for hardware and software.
- Account Management: Manage the lifecycle of user accounts, including the creation, use, and deletion of accounts to prevent unauthorized access.
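The first two Basic controls come down to one recurring check: compare what is actually on the network and installed on hosts against what the organization has authorized, then act on the differences. The following added example (not part of the original page) reconciles a discovered inventory against an authorized baseline. All MAC addresses, hostnames and package names are constructed sample data; the shape of the discovered records is an assumption standing in for whatever a scanner or endpoint agent really emits.

```python
"""Reconcile a discovered asset inventory against an authorized baseline.

Added illustration of CIS Controls 1 and 2 (inventory and control of
enterprise assets and software). Every device, hostname and package name
below is constructed sample data, not a real system.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    mac: str
    hostname: str
    owner: str = "unknown"


def normalize_mac(mac: str) -> str:
    """Canonical form so that 'DE-AD-BE-EF-00-01' and 'de:ad:be:ef:00:01' match."""
    return mac.strip().lower().replace("-", ":")


# Authorized baseline (constructed): devices and software the organization approved.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": Device("00:11:22:33:44:01", "fileserver-01", "it-ops"),
    "00:11:22:33:44:02": Device("00:11:22:33:44:02", "laptop-alice", "alice"),
    "00:11:22:33:44:03": Device("00:11:22:33:44:03", "printer-2f", "facilities"),
}
AUTHORIZED_SOFTWARE = {"openssh-server", "nginx", "postgresql", "libreoffice"}

# Discovered state (constructed): what a network scan and an endpoint agent reported.
DISCOVERED_DEVICES = [
    {"mac": "00:11:22:33:44:01", "hostname": "fileserver-01"},
    {"mac": "00:11:22:33:44:02", "hostname": "laptop-alice"},
    {"mac": "DE-AD-BE-EF-00-01", "hostname": "unknown-iot"},  # never approved
]
DISCOVERED_SOFTWARE = {
    "fileserver-01": {"openssh-server", "nginx", "postgresql"},
    "laptop-alice": {"openssh-server", "libreoffice", "bittorrent-client"},
}


@dataclass
class Findings:
    # Devices seen on the network that are not in the authorized inventory.
    unauthorized_devices: list = field(default_factory=list)
    # Authorized devices that were not seen: the inventory is stale or the asset is gone.
    missing_devices: list = field(default_factory=list)
    # Per host, installed packages that are not on the software allowlist.
    unauthorized_software: dict = field(default_factory=dict)


def reconcile(authorized_devices, discovered_devices, authorized_software, discovered_software) -> Findings:
    """Return the differences between the authorized baseline and the discovered state."""
    findings = Findings()
    authorized = {normalize_mac(m): d for m, d in authorized_devices.items()}
    seen = set()

    for dev in discovered_devices:
        mac = normalize_mac(dev["mac"])
        seen.add(mac)
        if mac not in authorized:
            findings.unauthorized_devices.append(mac)

    for mac in sorted(authorized):
        if mac not in seen:
            findings.missing_devices.append(mac)

    for host, packages in discovered_software.items():
        extra = sorted(set(packages) - set(authorized_software))
        if extra:
            findings.unauthorized_software[host] = extra

    return findings


def main() -> None:
    f = reconcile(AUTHORIZED_DEVICES, DISCOVERED_DEVICES, AUTHORIZED_SOFTWARE, DISCOVERED_SOFTWARE)
    for mac in f.unauthorized_devices:
        print(f"UNAUTHORIZED DEVICE  {mac}  (quarantine / investigate)")
    for mac in f.missing_devices:
        print(f"NOT SEEN             {mac}  {AUTHORIZED_DEVICES[mac].hostname}  (verify inventory)")
    for host, pkgs in f.unauthorized_software.items():
        print(f"UNAUTHORIZED SOFTWARE on {host}: {', '.join(pkgs)}")


if __name__ == "__main__":
    main()
```

Both directions of the comparison matter: an unknown device is the obvious finding, but an authorized device that never shows up is the signal that the inventory itself has drifted, which is what makes the control fail silently over time.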
Foundational Controls
- Access Control Management: Implement controls to restrict access to sensitive data and systems based on user roles and needs.
- Continuous Vulnerability Management: Continuously scan for and remediate vulnerabilities in systems and software.
- Audit Log Management: Collect, manage, and analyze audit logs to detect and respond to security incidents.
- Email and Web Browser Protections: Protect against email and web-based threats through appropriate configurations and security measures.
- Malware Defenses: Implement protections against malware, including antivirus software and regular updates.
- Data Recovery: Ensure regular data backups and the ability to restore data in case of an incident.
- Network Infrastructure Management: Secure the network infrastructure, including firewalls, routers, and switches.
- Security Awareness and Skills Training: Conduct regular security training and awareness programs for employees.
- Service Provider Management: Manage the security risks associated with third-party service providers.
Organizational Controls
- Application Software Security: Develop and maintain secure software, including regular testing for vulnerabilities.
- Incident Response Management: Develop and maintain an incident response plan to handle security incidents effectively.
- Penetration Testing: Conduct regular penetration testing to identify and address security weaknesses.
- Security Monitoring: Implement continuous security monitoring to detect and respond to threats in real time.
How Finite State Helps You Comply with CIS Critical Security Controls
Finite State offers a comprehensive solution to support compliance with CIS CSCs. Here’s how Finite State can assist your teams:
- Enforcing Secure Coding Practices: Seamless integrations into existing CI/CD pipelines automatically analyze source code and compiled binaries for common security vulnerabilities and coding errors. This lets engineers identify vulnerabilities hidden deep within legacy code and third-party libraries, and detect and address issues early in the development process.
- Real-Time Threat Detection: Integrations with vulnerability databases provide up-to-date information on the latest threats and exploits, allowing potential risks to be identified proactively before they can be exploited.
- Automated Vulnerability Identification: Our advanced binary and source code software composition analysis (SCA) identifies vulnerabilities as they are introduced across the SDLC, helping teams keep applications secure.
- Comprehensive SBOM Solutions: Automatically generate Software Bills of Materials (SBOMs) throughout the SDLC and compile detailed information on every component in your products, including open-source libraries, third-party dependencies, and custom code. This improves transparency and helps identify security risks in your software supply chain.
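The SBOM and SCA items above rest on one mechanical step: read the component list out of an SBOM and match each component's name and version against a vulnerability feed's affected ranges. The added example below shows that step on a CycloneDX-style document; it is illustrative code written for this page, not Finite State's product or API. The SBOM, the feed and its advisory identifiers are all constructed placeholders (not real CVEs), and the feed's record layout (package, introduced version, fixed version) is an assumption chosen for the example.

```python
"""Match components from a CycloneDX-style SBOM against a vulnerability feed.

Added example of the SBOM/SCA matching step. The SBOM document, the feed and
the advisory ids (EXAMPLE-000x) are constructed sample data, not real advisories.
"""
import json
import re

# Constructed SBOM in CycloneDX JSON layout (bomFormat/specVersion/components).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo",  "version": "1.2.3",  "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "zlib-ng", "version": "2.0.7",  "purl": "pkg:generic/zlib-ng@2.0.7"},
    {"type": "library", "name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"}
  ]
}"""

# Constructed feed: each record names a package and an affected range
# [introduced, fixed). A fixed value of None means no fix has been published.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "package": "libfoo",  "introduced": "1.0.0", "fixed": "1.2.4",  "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "zlib-ng", "introduced": "2.1.0", "fixed": "2.1.5",  "severity": "medium"},
    {"id": "EXAMPLE-0003", "package": "busybox", "introduced": "0",     "fixed": "1.36.0", "severity": "critical"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?:.*/)?(?P<name>[^@?#]+)@(?P<version>[^?#]+)")


def parse_version(version: str) -> tuple:
    """Numeric-field comparison key: '1.36.1' -> (1, 36, 1). Non-numeric text is ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def is_affected(version: str, introduced: str, fixed) -> bool:
    """True when introduced <= version < fixed (or version >= introduced with no fix)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_text: str) -> list:
    """Return (name, version) pairs, preferring the purl over the bare name/version fields."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for comp in doc.get("components", []):
        m = PURL_RE.match(comp.get("purl", ""))
        if m:
            components.append((m.group("name"), m.group("version")))
        elif "name" in comp and "version" in comp:
            components.append((comp["name"], comp["version"]))
    return components


def find_vulnerable(sbom_text: str, feed: list) -> list:
    """Match every component against every feed record; worst severity first."""
    by_package = {}
    for rec in feed:
        by_package.setdefault(rec["package"], []).append(rec)
    hits = []
    for name, version in load_components(sbom_text):
        for rec in by_package.get(name, []):
            if is_affected(version, rec["introduced"], rec["fixed"]):
                hits.append({"component": name, "version": version,
                             "id": rec["id"], "severity": rec["severity"], "fixed": rec["fixed"]})
    return sorted(hits, key=lambda h: (SEVERITY_ORDER.get(h["severity"], 99), h["component"]))


if __name__ == "__main__":
    for hit in find_vulnerable(SBOM_JSON, VULN_FEED):
        print(f"{hit['severity'].upper():8} {hit['id']}  {hit['component']}@{hit['version']}"
              f"  (fixed in {hit['fixed'] or 'no fix yet'})")
```

Version matching is where such tooling earns or loses trust: the numeric field comparison here is deliberately simple, and a production matcher must handle each ecosystem's own version scheme and pre-release conventions, otherwise a component that is actually fixed keeps being reported, or an affected one is missed.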