Software Supply Chain Regulation & Compliance Guides

CIS Critical Security Controls (CSCs)

Written by Finite State Team | Jul 22, 2024 10:10:40 PM

What Are the CIS Controls?

The CIS Controls, officially titled CIS Critical Security Controls (CSCs), are a prioritized set of best practices developed by the Center for Internet Security (CIS) to help organizations mitigate the most common cyberattacks. 

The CIS CSCs are grouped into three categories: Basic, Foundational, and Organizational, and offer a practical framework for implementing essential cybersecurity measures and significantly improving an organization’s security posture.

Here's a summary of the 18 CIS Critical Security Controls:

Basic Controls

  1. Inventory and Control of Enterprise Assets: Maintain a detailed inventory of all hardware devices to ensure only authorized devices are allowed.
  2. Inventory and Control of Software Assets: Track and control software installations to ensure only authorized software is used.
  3. Data Protection: Safeguard organizational data through encryption, data loss prevention, and other measures.
  4. Secure Configuration of Enterprise Assets and Software: Implement and maintain security configurations for hardware and software.
  5. Account Management: Manage the lifecycle of user accounts, including the creation, use, and deletion of accounts to prevent unauthorized access.

Foundational Controls

  1. Access Control Management: Implement controls to restrict access to sensitive data and systems based on user roles and needs.
  2. Continuous Vulnerability Management: Continuously scan for and remediate vulnerabilities in systems and software.
  3. Audit Log Management: Collect, manage, and analyze audit logs to detect and respond to security incidents.
  4. Email and Web Browser Protections: Protect against email and web-based threats through appropriate configurations and security measures.
  5. Malware Defenses: Implement protections against malware, including antivirus software and regular updates.
  6. Data Recovery: Ensure regular data backups and the ability to restore data in case of an incident.
  7. Network Infrastructure Management: Secure the network infrastructure, including firewalls, routers, and switches.
  8. Security Awareness and Skills Training: Conduct regular security training and awareness programs for employees.
  9. Service Provider Management: Manage the security risks associated with third-party service providers.

Organizational Controls

  1. Application Software Security: Develop and maintain secure software, including regular testing for vulnerabilities.
  2. Incident Response Management: Develop and maintain an incident response plan to handle security incidents effectively.
  3. Penetration Testing: Conduct regular penetration testing to identify and address security weaknesses.
  4. Security Monitoring: Implement continuous security monitoring to detect and respond to threats in real-time.

 

How Finite State Helps You Comply with CIS Critical Security Controls 

Finite State offers a comprehensive solution to support compliance with CIS CSCs. Here’s how Finite State can assist your teams:

  • Enforcing Secure Coding Practices: Seamless integrations into existing CI/CD pipelines automatically analyze source code and compiled binaries for common security vulnerabilities and coding errors. This allows engineers to identify vulnerabilities hidden deep within legacy code and third-party libraries and detect and address issues early in the development process.
  • Real-Time Threat Detection: Integrations with vulnerability databases provide up-to-date information on the latest threats and exploits, allowing for the proactive identification of potential risks before they can be exploited.
  • Automate Vulnerability Identification: Using our advanced binary and source code SCA, vulnerabilities can be identified as they’re introduced across the SDLC to help teams keep applications secure.
  • Comprehensive SBOM Solutions: Automatically generate Software Bill of Materials throughout the SDLC and easily compile detailed information on all components in your products, including open-source libraries, third-party dependencies, and custom code to improve transparency and identify potential security risks in your software supply chain.

Strong cybersecurity requires a collective effort. Talk to the team today to discover how Finite State can help you comply with CIS CSCs.