Center for Internet Security (CIS) Framework.
Center for Internet Security
The Center for Internet Security is an independent non-profit organization whose mission is to "create confidence in the connected world". CIS was founded in 2000 by a small group of business and government leaders.
Over the past 20 years CIS has developed a set of controls and benchmarks to establish a framework by which organizations can help improve their cyber defenses.
CIS Framework Overview
At the core of the CIS Framework is the CIS Controls set. The recently released version 8 includes 18 controls (reduced from the 20 in earlier versions). Under the eighteen controls are 153 safeguards (formerly referred to as sub-controls).
The CIS Framework can be applied through three Implementation Groups or IGs (IG1, IG2, IG3). Each IG is geared toward a level of security appropriate to individual organizations. IG1 defines basic cyber hygiene. This may be appropriate for an organization with a relatively low risk profile. However, organizations will choose the IG they will strive for based on their individual risk profile and resources they have available to implement the controls. Each IG identifies a set of Safeguards that need to be implemented in order to comply with the IG. All organizations should start with IG1 as a baseline. IG2 builds upon IG1 and IG3 signifies compliance with all 18 Controls and 153 safeguards.
The CIS provides a Control Self-Assessment Tool (CSAT) to help organizations track their progress toward compliance with the CIS controls.
A companion Risk Assessment Method (RAM) is provided to help organizations assess their security posture against CIS Controls. This method helps organizations foresee threats and assess their preparedness against them. The RAM process can guide organizations through the appropriate implementation groups for their business.
The CIS also provides CIS Benchmarks, which offer specific guidance for configuring various hardware and software in order to comply with the CIS Safeguards.
CIS Controls v8
The CIS Controls are task based and grouped by activity. The eighteen CIS Controls are as follows:
CIS Control 1: Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
CIS Control 2: Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
CIS Control 3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
CIS Control 4: Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
CIS Control 5: Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
CIS Control 6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
CIS Control 7: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
CIS Control 8: Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
CIS Control 9: Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
CIS Control 10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
CIS Control 11: Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
CIS Control 12: Network Infrastructure Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
CIS Control 13: Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
CIS Control 14: Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
CIS Control 15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
CIS Control 16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
CIS Control 17: Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
CIS Control 18: Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
As stated above, each control specifies a group of safeguards required to meet the standard. There are 153 safeguards in all. Implementing all 153 safeguards achieves compliance with Implementation Group 3 (IG3). However, organizations can achieve IG1 by meeting just 56 foundational safeguards, while IG2 requires compliance with 130 safeguards.
CIS Controls Self-Assessment Tool and Risk Assessment Method 2.0
The CIS Controls Self-Assessment Tool (CSAT) helps organizations track their documentation, implementation, automation, and reporting of CIS Framework compliance. It is available as a hosted service or as an on-premises tool (the latter requires membership in the SecureSuite program). It can also be used to monitor alignment with other standards such as NIST.
The Risk Assessment Method (RAM), co-developed with HALOCK Security Labs, provides a methodology by which organizations can implement the CIS Controls in a reasonable manner. The methodology helps organizations define their acceptable risk level, achieve compliance, and devote the proper amount of resources to security.
The RAM provides instructions, worksheets, and exercises to guide organizations through the assessment process.
CIS Benchmarks
Whereas the CIS Controls are a broad set of recommended practices covering a wide range of activities and devices, CIS Benchmarks are guidelines for hardening specific operating systems, middleware, software applications, and network devices. This includes Windows operating systems, software, Azure cloud services, Office 365, firewalls, switches, etc.
Benchmarks provide guidance on the specific configuration parameters of each product that are needed to comply with the safeguards.
There are well over 100 benchmarks across more than 25 product families. As new versions of software and firmware are released, benchmarks will continue to be developed.