You may not have heard of the Center for Internet Security (CIS), but this organization already has your business's best interests in mind. The CIS is a nonprofit organization that specializes in cyber defense solutions and has created a framework outlining 20 controls to improve business security. These actionable steps help businesses and IT experts meet shifting compliance requirements and proactively address network weaknesses. We will explore eight of the 20 controls here, addressing issues related to IT governance and vulnerabilities within remote workforces.
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. - CIS
Under Control 1, unauthorized devices are prevented from gaining access to your network - stopping threats at the perimeter. This can reduce insider threat and loss risk, tidy up your IT environment, and improve the efficacy of other CIS controls. Implementing this successfully typically involves bridging an existing system with host-based network access control.
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. - CIS
Control 2 prioritizes an organized approach to software. Your IT team needs to know what software runs on your systems and network, while preventing unauthorized and unmanaged software from being installed. These shadow IT resources make it harder to respond to security incidents and enforce user policies. A few ways to approach Control 2 include:
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. - CIS, Control 3
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). - CIS, Control 4
Controls 3 and 4 underscore the need to minimize your organization's attack surface, and closely monitor anything connected to your network. Developing these configuration settings can be a lengthy and complex process without proper assistance. As part of the configuration process, make sure your IT team:
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. - CIS, Control 5
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. - CIS, Control 6
Access control management is one of the most effective means of protecting end-users. Under Controls 5 and 6, your IT team should:
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. - CIS
To identify vulnerabilities, remediate issues, and minimize opportunities for cybercriminals to attack, it's important to have several levels of vulnerability scanning. Your business should run internal, external, and host-based scans to cover its networks. Solutions such as iCorps Vulnerability Management can help meet these requirements.
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. - CIS
This control covers best practices for leveraging logging solutions such as SOC-as-a-Service. Control 8 provides steps for addressing and reporting anomalies. To help meet Control 8 requirements, your IT team needs to:
By addressing these eight controls, you can help reduce your cyber risk. If you want to learn more about implementing CIS controls within your business, schedule a free IT consultation.