Template: CIS Controls 7.1

This article covers the Center for Internet Security’s Controls 7.1 and how to create a review using myITprocess.

A while back, I wrote a Community Post of templates to use when performing a cybersecurity assessment. It was informational and did not deep dive into each standard or best practice. This article will dig more into the CIS Controls 7.1, how they benefit your organization (or a client), and where to access the template in myITprocess.

What are the CIS Controls?

Organizations around the world rely on the CIS Controls security best practices to improve their cyber defenses. CIS Controls Version 7.1 introduces new guidance to prioritize Controls utilization, known as CIS Implementation Groups (IGs). The IGs are a simple and accessible way to help organizations classify themselves and focus their security resources and expertise while leveraging the value of the CIS Controls.

CISOs, IT security experts, compliance auditors, and more use the CIS Controls to:

  •  Leverage the battle-tested expertise of the global IT community to defend against cyber attacks
  • Focus security resources based on proven best practices, not on any one vendor’s solution
  • Organize an effective cybersecurity program according to Implementation Groups:
    • IG1: An organization with limited resources and cybersecurity expertise available to implement Sub-Controls.
    • IG2: An organization with moderate resources and cybersecurity expertise to implement Sub-Controls.
    • IG3: A mature organization with significant resources and cybersecurity experience to allocate to Sub-Controls.
unnamed__5_.png

 

What is the difference between the NIST Cybersecurity Framework and CIS Controls 7.1?

There are many cybersecurity best practices of different scopes, sizes, and industries, but it can be difficult to choose which is best for your organization or your customer’s environment. One of the most popular cybersecurity best practice guides is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). This same organization designs the mandatory standards 800-53, Recommended Security Controls for Federal Information Systems and Organizations and 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (required for Federal agencies and Federal contractors).

Development of the CSF is for the other 99% of businesses that operate in the United States to voluntarily—albeit recommended—secure their environments from cyber-attacks. The standards are vendor-neutral and cover a wide variety of cybersecurity postures known as Tiers (ranked 1 through 4) to determine where your organization is today (Current Profile) and where you want to be (Target Profile). Tiers are not maturity levels, so a higher number is not better; it is dependent on your industry and level of risk.

The CSF is a comprehensive list of 112 sub-categories to secure a business environment and maintain a cybersecurity program. For a lot of organizations, this is a lot to handle and may be difficult to follow every Category. CIS Controls aims to provide organizations with a smaller, more prioritized number of actionable items that should be implemented first to yield immediate results. This prioritized approach allows organizations to get started on the process of securing their environment and establishing a cybersecurity baseline.

There are benefits of implementing the CIS Controls for your own or a customer’s environment:

  1. Easy to understand, straightforward layman’s terms of each Control and Sub-Control.
  2. Designed for organizations of varying size, industry, and complexity through the use of Implementation Groups (IG).
  3. Easy to get started and maintain from scratch.

The 20 CIS Controls

CIS created 20 Critical Security Controls, each with its own Sub-Controls, to ease the process of securing, developing, and maintaining a cybersecurity program. Each Control focuses on its own topic and how to take care of related issues. Like the CSF, each Control breaks down into smaller, more manageable Sub-Controls to determine the right set that fits your organization’s cybersecurity goals.

Basic CIS Controls

  • Inventory and Control of Hardware Assets
  • Inventory and Control of Software Assets
  • Continuous Vulnerability Management
  • Controlled Use of Administrative Privileges
  • Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  • Maintenance, Monitoring and Analysis of Audit Logs

Foundational CIS Controls

  • Email and Web Browser Protections
  • Malware Defenses
  • Limitation and Control of Network Ports, Protocols and Services
  • Data Recovery Capabilities
  • Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  • Boundary Defense
  • Data Protection
  • Controlled Access Based on the Need to Know
  • Wireless Access Control
  • Account Monitoring and Control

Organizational CIS Controls

  • Implement a Security Awareness and Training Program
  • Application Software Security
  • Incident Response and Management
  • Penetration Tests and Red Team Exercises

The CIS Controls are divided into three Implementation Groups: 

Implementation Group 1

CIS Sub-Controls for small, commercial off-the-shelf or home office software environments where sensitivity of the data is low will typically fall under IG1. Remember, any IG1 steps should also be followed by organizations in IG2 and IG3. 

Implementation Group 2 

CIS Sub-Controls focused on helping security teams manage sensitive client or company information fall under IG2. IG2 steps should also be followed by organizations in IG3. 

Implementation Group 3 

CIS Sub-Controls that reduce the impact of zero-day attacks and targeted attacks from sophisticated adversaries typically fall into IG3. IG1 and IG2 organizations may be unable to implement all IG3 Sub-Controls.

The diagram above describes how the Sub-Controls apply to each Implementation Group. Group 1 gets some while Group 2 uses most and Group 3 contains all of them. Similar to the Tiers in the CSF, Implementation Groups are used to determine an organization’s current profile and determine a target profile.

unnamed__6_.png

 

CIS Controls in myITprocess

A template within myITemplates gives you the ability to perform an alignment against each Sub-Control. The benefit of myITprocess is it allows for the creation of reviews based on one, some, or all categories in the template. This gives a Technology Alignment Manager (TAM) the flexibility to perform a review solely based on the CIS Controls.

The formatting:

  • Section: The entire template is formatted within one section for ease of use and maintenance.
  • Category: Each Control is assigned to its own Category in myITprocess due to the hierarchical design of the Standards Library.
  • Question: Each Sub-Control is assigned its own question in myITprocess. By doing so, a TAM can choose which questions are relevant to the Implementation Group of the review.

Performing a review using the CIS Controls is no different than a standard review. Once you apply the section to the customer you wish to review, you can choose the question you need dependent on the Implementation Group.

unnamed__7_.png

 

Creating a Review

Creating a review and aligning your customers against the best practices of CIS Controls 7.1 is no different than a standard onsite assessment. Rather than reinvent the wheel, the links below will forward you to articles already written on certain topics.

Add New Review (select only the CIS Controls 7.1 section)

1_Create_Review__cropped_.gif

Determine your target Implementation Group using the CIS Controls (downloadable PDF).

Once an Implementation Group is chosen, there are two options:

Scroll through the Engineer technical analysis and mark non-relevant questions N/A. This will mark them N/A for the vCIO portion and allow them to perform an N/a bulk action.

Mark non-relevant questions N/A as the Engineer performs the review.

ezgif.com-video-to-gif.gif

At the end of the vCIO review, you can opt not to show N/A answers in the Alignment Report. Doing so will prevent non-relevant questions—as well as blank ones—from appearing to the customer.

Generate an Alignment Report using only the CIS section and you will have a custom report to show to the client (PDF link at the bottom of this article).

3_Alignment_Report__cropped_.gif

 

Resources

Center for Internet Security website

CIS Controls 7.1

CIS Controls 7.1 Implementation Group Navigator (controls PDF)

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us