The Secret Security Wiki


Center for Internet Security Controls

Who are they?

The Center for Internet Security (CIS) is a not-for-profit NGO that develops its own Configuration Policy Benchmarks (CPB). The CPB are essentially guidelines by which organizations can improve their cybersecurity and compliance programs and posture. This initiative aims to create community-developed security configuration baselines for IT and security products that are commonly used by organizations. In addition, CIS publishes a set of safeguards called the CIS Controls, which are reviewed and updated from time to time through an informal community process.

Which Industries?

The CIS Controls are recognized as some of the most comprehensive security baselines for most existing systems and are applicable to any industry that uses these technologies. CIS is recommended by industry leaders such as the National Institute of Standards and Technology (NIST).

What is the Goal of the Regulation?

The purpose of CIS’s guidance is two-fold. The CIS Controls are a set of guidelines for securing a range of systems and devices. CIS Benchmarks are guidelines for specific operating systems, middleware, software applications, and network-connected devices, with a strong emphasis on proper configuration. This includes proper security settings for hardware and software on mobile devices, laptops, workstations, and servers. A substantial part of CIS’s recommendations involves proper authentication practices. The organization has laid down best practices for multi-factor authentication and password strength. CIS Control 5, which deals with access and administrative privileges, advocates for applying a variety of identifying factors in an

  • What are the main principles of the CIS Controls?

    CIS states on its official site that there are 7 key principles that guide them:

    1. Improve the consistency and simplify the wording of each sub-control
    2. Implement “one ask” per sub-control
    3. Bring more focus on authentication, encryption, and application whitelisting
    4. Account for improvements in security technology and emerging security problems
    5. Better align with other frameworks (such as the NIST CSF)
    6. Support the development of related products (e.g. measurements/metrics, implementation guides)
    7. Identify types of CIS controls (basic, foundational, and organizational)

  • What is the benefit of the CIS Controls?

    Prioritization is a key benefit of the CIS Controls. They were designed to help organizations rapidly define the starting point for their defenses, direct their scarce resources to actions with an immediate and high-value payoff, and then focus their attention and resources on additional risk issues that are unique to their business or mission.

  • Are the CIS Controls a replacement for the other frameworks?

    The CIS Controls are not a replacement for any existing regulatory, compliance, or authorization scheme. The CIS Controls map to most major compliance frameworks such as the NIST Cybersecurity Framework, NIST 800-53, ISO 27000 series, and regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA. Mappings from the CIS Controls have been defined for these other frameworks to give a starting point for action.

  • What is the relationship between the CIS Controls and the NIST Cybersecurity Framework?

    The NIST Framework for Improving Critical Infrastructure Cybersecurity calls out the CIS Controls as one of the “informative references” – a way to help users implement the Framework using an existing, supported methodology. Survey data shows that most users of the NIST Cybersecurity Framework also use the CIS Controls.