As businesses and government agencies have grown comfortable with conducting more and more of the economy over the internet, they have started identifying cybersecurity best practices. As a result, businesses now face compliance requirements in their daily operations.
If you are still trying to determine where to start to meet some cybersecurity compliance requirements, start your journey with CIS Controls v8. You may be able to end your journey there as well. The best part, CIS Controls v8 is FREE! You can download their security framework to secure your business today with no money required.
If you are wondering why it is called CIS Controls v8: CIS stands for Center for Internet Security, the organization that develops the framework and calls its standard CIS Controls. The v8 means this is the 8th version of the standard. CIS has been developing cybersecurity frameworks for businesses for many years, and as the threat landscape changes, they update the framework. They call each area of the framework a control; for instance, the first control covers how you should inventory the hardware you use in your environment. In CIS Controls v8, there are 18 controls, each with its own sub-controls.
CIS Controls v8 is a cybersecurity framework that covers the requirements of most other frameworks, such as HIPAA, NIST 800-171, and SOC 2. What makes CIS Controls v8 even better is how the framework is designed and how it is meant to be implemented.
I have heard from business owners who look at the requirements for NIST 800-171, and when they see the list of requirements, they still cannot tell where to start. I understand the confusion when you look at a list such as the NIST 800-171 requirements.
The different documents that make up CIS Controls v8
CIS Controls v8 – This high-level document gives you the list of controls but does not necessarily tell you how to implement them. This is something that C-level business personnel would review to see how the framework is, or will be, implemented.
CIS Critical Security Controls Navigator – This is a tool CIS provides to help you narrow in on the actual controls you need to implement. You select the compliance standard you need to comply with, and it shows the controls you must implement to comply.
CIS CSAT – This tool helps you track the implementation of the controls and helps you document the implementation of those controls. Note that this tool is a paid product.
CIS RAM – This is a risk assessment tool that you can use to estimate your organization’s cybersecurity posture.
CIS Benchmarks – This is where the rubber meets the road. When it comes time to implement the controls, these documents tell you what settings need to be modified.
CIS-CAT – This tool displays which settings from the Benchmarks are already applied and which still need to be. There is a Pro version available for purchase with more capabilities.
CIS Controls v8 divides its framework into different levels to make implementation easier. When you look at the list of controls, you will notice that they carry ratings such as levels 1-3. Level 1 is basic cybersecurity hygiene; all organizations should aim to have at least level 1 implemented. These controls protect your organization from non-targeted cyber-attacks, which are the kind most small organizations actually face from cybercriminals.
CIS Critical Security Controls Navigator is the tool you will use to determine which CIS Controls you need to focus on implementing for your compliance requirements. All organizations should aim to have level 1 implemented, but the Navigator will help identify the more advanced controls you need. Once you have implemented level 1 and your specific compliance controls, don’t let that stop you from implementing any further controls you feel your organization needs.
CIS CSAT is the tool you will use to track and document your implemented controls. CSAT also lets you see how well your organization stacks up against other organizations. Note that CIS does not provide the names of the other organizations, so your security implementation stays confidential.
CIS RAM calculates the downtime cost for a business should your organization be afflicted with ransomware.
CIS Benchmarks are the settings that must be applied to your equipment to comply with some CIS Controls. When I counted the number of settings for a Windows 10 computer, it was about 450 settings that needed to be appropriately configured to meet all the CIS Controls v8 requirements.
CIS-CAT is a tool that comes in two flavors, one of which is the Pro version. Naturally, you pay for the Pro version, which scans the computer and determines which settings have already been applied and which are still needed.
We use CIS Controls to help secure our business and encourage others to do the same. It is nice to implement security in your business and know why you are implementing it. For instance, you should know why you require passwords of a specific length and complexity on an account that MFA does not protect. Otherwise, you are making best guesses and hoping your company is secure.
Need Assistance With Your CIS Controls Implementation?
If you need any assistance with your cybersecurity implementation, please reach out. You can find our contact information at the following link: Contact Us | Horizon Technology Studio
Also, you can download a free cyber security essentials booklet from our main webpage at Managed Services Provider | Horizon Technology Studio | Stillwater OK.