What are The CIS Controls?

The Center for Internet Security (CIS) Controls are a set of cybersecurity best practices aimed at helping organizations defend against common cyber threats. They provide a prioritized approach to implementing security measures that focus on stopping the most dangerous attacks first. There are 18 CIS Controls grouped into three implementation groups (IGs) to guide organizations on which controls to prioritize based on their resources and security maturity:

1. Implementation Group 1 (IG1): Basic cyber hygiene for small or less complex organizations.
2. Implementation Group 2 (IG2): Security measures for organizations handling sensitive data and larger infrastructure.
3. Implementation Group 3 (IG3): Advanced controls for organizations facing sophisticated cyber threats.

The 18 CIS Controls

At the time of this publication(November of 2024) there are 18 benchmark controls in accordance with CIS Controls version 8.1 :

1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

The Center for Internet Security maintains the Controls listing and updates them frequently. The most updated list can be found here. Each of the 18 controls has subtasks called safeguards and each safeguard speaks to a different task within the control category.

What are Instance Groups

As i expressed earlier the instance groups are broken down into three groups, these groupings are stepping stones through the CIS controls process, and what I mean by that is for small to medium companies that are just beginning their security Journey i order to become fully compliant with the CIS controls it is easier to break up the controls into smaller more manageable tasks that align with the expectations of a evolving security program.

For a small Accounting firm with 12 employees it wouldn’t make logical sense for their first step in securing their environment to be setting up allowed lists for software if they haven’t yet implemented a Software inventory, the Instance groups can be thought of as the guard rails to help you take the steps towards Compliance.

1. Level 1 - Basic Security (Essential Safeguards)

• What It Is: The Level 1 CIS benchmarks provide a foundational level of security controls that aim to reduce a system's attack surface with minimal impact on functionality. They cover basic configurations, such as password policies, user permissions, and general hardening settings.
• When to Apply: This level is ideal for environments where availability and compatibility are priorities but a baseline level of security is still required. It’s typically applied in low-risk environments or for organizations just starting to implement security best practices.

2. Level 2 - Enhanced Security (Defense-in-Depth)

• What It Is: Level 2 benchmarks introduce more rigorous security configurations, adding layers of control that go beyond Level 1. These configurations might restrict some system functionality to reduce risk and provide greater defense against sophisticated attacks.
• When to Apply: Level 2 is best for environments with higher risk profiles or regulatory requirements that mandate stricter security controls, like healthcare or finance. It’s suitable when the organization can handle some reduction in functionality to gain improved security.

3. Level 3 - Specialized Security (Highly Customized)

• What It Is: The Level 3 CIS benchmarks are highly restrictive and may include specialized configurations or unique customizations tailored to specific operational needs. They’re less commonly used because they’re difficult to generalize across different organizations or setups.
• When to Apply: Level 3 is typically reserved for organizations with strict, highly sensitive security needs, such as military or government agencies, where risk tolerance is exceptionally low. It’s used when the security stakes are high enough to warrant a highly controlled environment, even if that limits usability significantly.

How To Prioritize Controls?

There are many ways to prioritize CIS controls, but here are three brief examples

1. Risk-Based Prioritization

• Explanation: This approach focuses on addressing the highest-risk areas first. Controls that protect against critical vulnerabilities, prevent common attacks, and mitigate high-impact threats are implemented as a priority.
• Example: Start with controls like asset inventory (CIS Control 1) and vulnerability management (CIS Control 7), which help identify and secure high-risk areas that could lead to significant breaches if left unprotected. Prioritizing data protection (CIS Control 3) also becomes essential since data compromise represents a substantial risk to most organizations.

2. Ease-of-Implementation Prioritization

• Explanation: Here, the organization focuses on implementing controls that are quick and straightforward to roll out, requiring minimal resources or expertise. This approach helps to quickly improve the security baseline with limited disruptions.
• Example: Begin with basic security measures such as malware defenses (CIS Control 10) and secure configurations for enterprise assets (CIS Control 4). These controls are generally easier to implement and do not require extensive customization, allowing the organization to build momentum in its security efforts.

3. Cost-Benefit Prioritization

• Explanation: This approach involves selecting controls based on the highest value for the lowest cost. Controls that offer broad protection for minimal investment are prioritized, optimizing security improvements within budget constraints.
• Example: Controls like account management (CIS Control 5) and audit log management (CIS Control 8) are often prioritized, as they provide extensive visibility and reduce unauthorized access risks at a relatively low cost. Data recovery (CIS Control 11) is also a high-value control, as it ensures critical data can be restored if an incident occurs, saving potentially large recovery costs.

Making a plan

Find Which Implementation Group your organization falls into, decide how you want to prioritize your controls. Involve the relevant stakeholders(IT department, Software Developers, Cloud teams, etc.) and set goals using  the controls safeguards and assign them to the appropriate teams. I usually like to work in 2 week sprints using a phased implementation plan, because a lot of development departments already operate under this model and it is easy to integrate into their lifecycle plans. Often It is a good idea to export the CIS Controls into a google sheet, or excel document and track ticket progress within the Document. 

You can export the sheet from the CIS Site(https://www.cisecurity.org/controls/cis-controls-navigator) by navigating to the bottom of the page and pressing export.