Center for Internet Security Controls (CIS Controls)
Who are they?
The Center for Internet Security (CIS) is a not-for-profit organization that develops its own configuration benchmarks, known as the CIS Benchmarks. The Benchmarks are essentially guidelines by which organizations can improve their cyber security and compliance programs and posture. The initiative aims to create community-developed security configuration baselines for the IT and security products that organizations commonly use. In addition, CIS publishes a prioritized set of safeguards called the CIS Controls, which are reviewed and updated periodically through a community consensus process.
The CIS Controls are recognized as some of the most comprehensive security baselines for existing systems and are applicable to any industry that uses these technologies. They are referenced by industry and government bodies such as the National Institute of Standards and Technology (NIST).
What is the Goal of the Controls and Benchmarks?
The purpose of CIS's guidance is twofold. The CIS Controls are a set of guidelines for securing a range of systems and devices. The CIS Benchmarks are guidelines for specific operating systems, middleware, software applications, and network-connected devices, with a strong emphasis on proper configuration. This includes proper security settings for hardware and software on mobile devices, laptops, workstations, and servers. A substantial part of CIS's recommendations involves proper authentication practices; the organization has laid down best practices for multi-factor authentication and password strength. CIS Control 5, which deals with account management and administrative privilege, advocates applying a variety of identifying factors in an
CIS states on its official site that seven key principles guided the development of Version 7 of the Controls:
1) Improve the consistency and simplify the wording of each sub-control
2) Implement "one ask" per sub-control
3) Bring more focus on authentication, encryption, and application whitelisting
4) Account for improvements in security technology and emerging security problems
5) Better align with other frameworks (such as the NIST CSF)
6) Support the development of related products (e.g. measurements/metrics, implementation guides)
7) Identify types of CIS Controls (basic, foundational, and organizational)
Prioritization is a key benefit to the CIS Controls. They were designed to help organizations rapidly define the starting point for their defenses, direct their scarce resources on actions with immediate and high-value payoff, and then focus their attention and resources on additional risk issues that are unique to their business or mission.
The CIS Controls are not a replacement for any existing regulatory, compliance, or authorization scheme. They map to most major compliance frameworks, such as the NIST Cybersecurity Framework, NIST SP 800-53 and the ISO 27000 series, and to regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA. Mappings from the CIS Controls to these other frameworks have been published to give organizations a starting point for action.
The NIST Framework for Improving Critical Infrastructure Cybersecurity (the NIST CSF) calls out the CIS Controls as one of its "informative references", a way to help users implement the Framework using an existing, supported methodology. According to CIS, survey data shows that most users of the NIST Cybersecurity Framework also use the CIS Controls.