How to Implement the CIS Security Control Framework

You may not have heard of the Center for Internet Security (CIS), but this organization already has your business's best interests in mind. The CIS is a nonprofit organization that specializes in cyber defense solutions and has created a framework outlining 20 controls to improve business security. These actionable steps help businesses and IT experts meet shifting compliance requirements and proactively address network weaknesses. Of the 20, we will be exploring eight of these controls - addressing issues related to IT governance and vulnerabilities within remote workforces.

Here Are 8 CIS Controls Your Business Should Have:

Control 1: Inventory and Control of Enterprise Assets 

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; on-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. - CIS

Under Control 1, unauthorized devices are prevented from gaining access to your network - stopping threats at the perimeter. This can reduce insider threat and loss risk, tidy up your IT environment, and improve the efficacy of other CIS controls. Implementing this successfully typically involves bridging an existing system with host-based network access control.  

Control 2: Inventory and Control of Software Assets 

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. - CIS

Control 2 prioritizes an organized approach to software. Your IT team needs to know what software runs on your systems and network, while preventing unauthorized and unmanaged software from being installed. These shadow IT resources make it harder to respond to security incidents and enforce user policies. A few ways to approach Control 2 include:

1. Installing administrator rights and limiting local administrator access

2. Outlining (un)approved software and sharing this information with employees

3. Using software inventory tools to track usage on business systems
   
   

Controls 3 & 4: Data Protection & Secure Configuration of Enterprise Assets and Software

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. - CIS, Control 3

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). - CIS, Control 4

Controls 3 and 4 underscore the need to minimize your organization's attack surface, and closely monitor anything connected to your network. Developing these configuration settings can be a lengthy and complex process without proper assistance. As part of the configuration process, make sure your IT team:

1. Documents and standardizes security configurations for authorized OS and assets

2. Keeps templates for all systems based on approved figuration standards

3. Has configuration management tools enforce settings automatically to systems on a routine basis 
   
   

Controls 5 & 6: Account and Access Control Management

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. - CIS, Control 5

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. - CIS, Control 6

Access control management is one of the most effective means of protecting end-users. Under Controls 5 and 6, your IT team should:

1. Change default passwords on deployed devices

2. Require multi-factor authentication for administrators and employees

3. Have system administrators maintain two accounts: a regular user account for most operations, and their admin account for select processes

4. Implement system alerts for suspicious administrative sign-on attempts
   
   

Control 7: Continuous Vulnerability Management 

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. - CIS

In order to identify vulnerabilities, remediate issues, and minimize opportunities for cybercriminals to attack, it's important to have several levels of vulnerability scanning. Your business should have an internal, external, and host-based scan to cover the networks. Solutions such as iCorps Vulnerability Management can help meet these requirements. 

Control 8: Audit Log Management 

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. - CIS

This control covers best practices for leveraging logging solutions such as SOC-as-a-Service. Control 8 provides steps for addressing and reporting anomalies. To help meet Control 8 requirements, your IT team needs to:

1. Implement logging on all relevant systems and networking devices

2. Ensure audit logs include a date, timestamp, destination address, source address, and other elements of each transaction

3. Send appropriate logs to a central log management systems for analysis and review

By addressing these eight controls, you can help reduce your cyber risk. If you want to learn more about implementing CIS controls within your business, schedule a free IT consultation.