CIS Controls – A Quick Overview of CIS Controls

The CIS Controls bundle the most important IT security measures into 18 packages of measures. We explain what is behind them, how the implementation groups IG1–IG3 work and how to implement the controls.

CIS Controls

The most important facts in brief

  • The CIS Controls provide concrete, prioritised recommendations for IT security measures that stop the most common cyber attacks.
  • The CIS Controls (version 8) consist of 18 packages of measures (Controls) with a total of 153 individual measures (Safeguards).
  • Depending on the size and resources of the company, the individual measures are assigned to three implementation groups, each of which contains the previous one:
    • IG1: the minimum every company should implement; typically small companies with limited IT security resources
    • IG2: companies with their own IT staff that store and process sensitive data
    • IG3: large companies with their own IT security team and regulatory obligations

1 What are the CIS Controls?

The CIS Controls (officially the CIS Critical Security Controls; originally developed under SANS as the SANS Critical Security Controls or "SANS Top 20") are a set of concrete, prioritised recommendations for action in the area of IT security to stop the most widespread and dangerous cyber attacks. Version 8 of the CIS Controls was launched in May 2021 at the RSA Conference 2021; it consolidated the previous 20 Controls into 18 and renamed the former Sub-Controls "Safeguards". The CIS Controls are maintained and further developed by the Center for Internet Security (CIS).

2 How do the CIS Controls work?

The CIS Controls consist of a total of 18 packages of measures. Three implementation groups IG1, IG2 and IG3 are distinguished. Each implementation group builds on the previous one: IG2 includes IG1, and IG3 includes all CIS protection measures in IG1 and IG2.

  • Implementation Group 1 is defined by the CIS Controls as the minimum standard of "essential cyber hygiene" that every company should implement regardless of its size. It comprises 56 individual measures, spread across 15 of the 18 packages of measures (Controls 13, 16 and 18 contain no IG1 measures). A typical IG1 company is small, with limited IT security know-how and resources. The IG1 measures are chosen so that they can be implemented with commercially available hardware and software, including in small offices and home offices.
  • An IG2 company employs staff who are responsible for managing and protecting the IT infrastructure. Such companies often store and process sensitive customer or company data and can tolerate short interruptions of service. A major concern is the loss of public trust when a breach occurs. The measures added in Implementation Group 2 help security teams manage increased operational complexity; some of them require more sophisticated security technology and specialised expertise.
  • An IG3 company has IT security experts who specialise in various aspects of cyber security (e.g. risk management, penetration testing, application security). The data processed is often subject to regulatory requirements that go beyond data protection law. The company must guarantee the confidentiality and integrity of sensitive data and ensure the availability of services. Successful attacks can cause considerable harm to the public. The measures added in Implementation Group 3 are intended to be effective even against targeted attacks by sophisticated adversaries.

Table – Overview of the CIS Controls and the number of individual measures (Safeguards) per implementation group. The IG2 and IG3 columns are cumulative: IG2 includes IG1, and IG3 contains all safeguards.

CIS Control                                                Safeguards   IG1   IG2   IG3
01 Inventory and Control of Enterprise Assets                       5     2     4     5
02 Inventory and Control of Software Assets                         7     3     6     7
03 Data Protection                                                 14     6    12    14
04 Secure Configuration of Enterprise Assets and Software          12     7    11    12
05 Account Management                                               6     4     6     6
06 Access Control Management                                        8     5     7     8
07 Continuous Vulnerability Management                              7     4     7     7
08 Audit Log Management                                            12     3    11    12
09 Email and Web Browser Protections                                7     2     6     7
10 Malware Defenses                                                 7     3     7     7
11 Data Recovery                                                    5     4     5     5
12 Network Infrastructure Management                                8     1     7     8
13 Network Monitoring and Defense                                  11     0     6    11
14 Security Awareness and Skills Training                           9     8     9     9
15 Service Provider Management                                      7     1     4     7
16 Application Software Security                                   14     0    11    14
17 Incident Response Management                                     9     3     8     9
18 Penetration Testing                                              5     0     3     5
Total                                                             153    56   130   153

3 The 18 CIS Controls

Below we briefly summarise the 18 CIS Controls. The complete list with all details on IG1, IG2 and IG3 can be downloaded as PDF and Excel directly from the Center for Internet Security.

01 – Inventory and management of hardware (corporate IT)

A company can only protect an IT infrastructure if it knows what it consists of. For this purpose, an inventory of all hardware components in use should be available. This includes in particular all devices connected to the corporate network: end-user devices (workstations, laptops, smartphones), IoT devices, network devices and servers, as well as cloud infrastructure. The inventory is only useful if it is actively compared with what is actually on the network, so that unauthorised devices can be identified and dealt with.
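As an added example (not code from the original article or from CIS), the following script shows what the "compare the inventory with reality" step of Control 01 looks like in practice: it parses a DHCP lease dump, normalises MAC addresses, and reports devices that are on the network but not in the authorised inventory, inventory entries that were never seen, and devices outside the managed address range. The inventory, the lease lines and every MAC and IP address are constructed sample data; the dnsmasq lease format is assumed as the discovery source.

```python
"""Reconcile discovered devices against an authorised asset inventory (CIS Control 01).

Added example, not code from the original article. The inventory, the DHCP
lease dump and all MAC/IP addresses below are constructed sample data; in
practice the discovered side would be fed from DHCP leases, switch MAC
tables or an active scan, and the authorised side from the CMDB.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed authorised inventory (hypothetical), keyed by MAC address.
AUTHORISED = {
    "aa:bb:cc:00:00:01": {"hostname": "ws-finance-01", "owner": "finance"},
    "aa:bb:cc:00:00:02": {"hostname": "srv-file-01", "owner": "it"},
    "aa:bb:cc:00:00:03": {"hostname": "printer-2f", "owner": "facilities"},
    "aa:bb:cc:00:00:05": {"hostname": "laptop-ceo", "owner": "management"},
}

# Constructed lease dump in dnsmasq format: expiry MAC IP hostname client-id
DISCOVERED_LEASES = """\
1717000000 aa:bb:cc:00:00:01 10.0.10.21 ws-finance-01 01:aa:bb:cc:00:00:01
1717000100 aa:bb:cc:00:00:02 10.0.10.5 srv-file-01 *
1717000200 de:ad:be:ef:00:01 10.0.10.77 android-3f2a *
1717000300 AA:BB:CC:00:00:03 10.0.10.90 * *
1717000400 aa:bb:cc:00:00:04 192.168.7.4 lab-box *
"""


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse dnsmasq-style lease lines. MACs are normalised to lower case so
    that case differences between tools do not hide a match."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines instead of aborting
        _expiry, mac, ip, hostname = parts[:4]
        leases.append(Lease(mac.lower(), ip, hostname))
    return leases


def reconcile(leases: list[Lease], authorised: dict, managed_net: str) -> dict:
    """Compare what was seen on the network with what is authorised.

    unauthorised:        seen, but not in the inventory (CIS Safeguard 1.2)
    missing:             in the inventory, but not seen (offline, lost or stale)
    outside_managed_net: seen with an address outside the managed range
    """
    net = ipaddress.ip_network(managed_net)
    seen = {lease.mac for lease in leases}
    return {
        "unauthorised": [lease for lease in leases if lease.mac not in authorised],
        "missing": sorted(set(authorised) - seen),
        "outside_managed_net": [
            lease for lease in leases if ipaddress.ip_address(lease.ip) not in net
        ],
    }


if __name__ == "__main__":
    findings = reconcile(parse_leases(DISCOVERED_LEASES), AUTHORISED, "10.0.10.0/24")
    for category, items in findings.items():
        print(f"{category}: {items}")
```

The "missing" list is as important as the "unauthorised" one: a device that is in the inventory but never appears on the network may be lost, stolen or simply a stale record, and all three cases need a decision.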

02 – Inventory and management of the software used in the company

Since software vulnerabilities are a common entry point, a list of the software currently in use is important in order to identify potential risks. Without such a software inventory, reliable updating and patching is not possible. The inventory also makes it possible to detect software that is unsupported by its vendor or that was never authorised in the first place.

03 – Data security and data protection

Our data is no longer confined to our own premises, but lives on mobile devices such as smartphones and laptops, or in the cloud, and is often shared with partners around the world. Without an understanding of who has access to which data, who can authorise such access and how data is protected on mobile devices, it is difficult to prevent data leakage. Data leakage of confidential customer data or business secrets can be very unpleasant.

04 – Secure configuration of the company’s IT and the software used

Often, newly deployed hardware or software comes with default passwords and configurations chosen for ease of use rather than security. All clients, servers, network devices and firewalls should therefore be comprehensively hardened before they go into production, and the hardened configuration should be maintained and checked afterwards, because settings drift over time.
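As an added example (not code from the original article or from CIS), the following checker shows what a configuration check in the spirit of a hardening benchmark looks like, using a constructed sshd_config. The ruleset is a hypothetical excerpt, not an official benchmark, and the two configurations are constructed samples. Two details matter for getting the check right and are easy to miss: sshd uses the first value it finds for a keyword, so a hardened line appended at the end does not override an earlier weak one, and directives inside a Match block apply only conditionally and must not be counted as global settings.

```python
"""Check an sshd_config against a benchmark-style hardening ruleset (CIS Control 04).

Added example, not code from the original article or from CIS. The ruleset
is a hypothetical excerpt in the spirit of a CIS Benchmark; both
configurations are constructed samples, not taken from any real host.
"""
from __future__ import annotations

import re

# (keyword, allowed values or predicate, value sshd assumes when the keyword is absent)
RULES = [
    ("PermitRootLogin", {"no"}, "prohibit-password"),
    ("PasswordAuthentication", {"no"}, "yes"),
    ("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "6"),
    ("X11Forwarding", {"no"}, "no"),
]

WEAK_SSHD_CONFIG = """\
# constructed sample: looks hardened at a glance, but is not
Port 22
PermitRootLogin yes
MaxAuthTries 6
X11Forwarding no
# appended later by an admin; sshd ignores it because the first value wins
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
X11Forwarding no
"""

_SPLIT = re.compile(r"[\s=]+")  # sshd accepts "Key value" and "Key=value"


def parse_global(text: str) -> dict[str, str]:
    """Return the effective global settings, keyed by lower-case keyword.

    Mirrors sshd semantics: comments are stripped, the first occurrence of a
    keyword wins, and parsing stops at the first Match block because
    everything below it is conditional.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text: str) -> dict[str, tuple[str, str]]:
    """Map each rule keyword to ('pass' or 'fail', effective value)."""
    settings = parse_global(text)
    results = {}
    for keyword, expected, default in RULES:
        effective = settings.get(keyword.lower(), default)
        ok = expected(effective) if callable(expected) else effective.lower() in expected
        results[keyword] = ("pass" if ok else "fail", effective)
    return results


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name)
        for keyword, (status, value) in audit(cfg).items():
            print(f"  {status:4} {keyword} = {value}")
```

The weak sample fails three of four rules even though a grep for "PermitRootLogin no" would find a match, which is exactly why a checker has to model how the daemon reads its configuration rather than just searching for strings.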

05 – User administration

It is often easiest for an attacker to abuse an account that already exists: by using weak passwords or credentials obtained through phishing, by taking over still-active accounts of people who have already left the company, or by using forgotten test accounts and the like.

To counter this, it is necessary to maintain an overview of the accounts currently in use, to disable dormant accounts (the CIS Controls specify 45 days of inactivity), to deprovision accounts promptly when people leave, and to separate normal user accounts from administrative accounts, so that administrators use a dedicated account for administrative work.
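As an added example (not code from the original article or from CIS), the following review script applies the three checks just described to an account export: dormant accounts beyond the 45-day threshold, accounts of leavers that are still enabled, and administrative rights attached to a normal daily-use account instead of a dedicated admin account. The CSV layout, the usernames and the HR leaver list are constructed sample data.

```python
"""Review an account export for dormant, orphaned and over-privileged accounts (CIS Control 05).

Added example, not code from the original article. The account export, the
HR leaver list and the usernames are constructed sample data; the column
layout is a hypothetical CSV as a directory or identity system might export
it. Thresholds follow CIS Safeguard 5.3 (disable dormant accounts after 45
days of inactivity) and 5.4 (administrative rights only on dedicated
administrator accounts).
"""
from __future__ import annotations

import csv
import io
from datetime import date

ACCOUNTS_CSV = """\
user,enabled,last_logon,is_admin,type
j.doe,true,2024-05-28,false,user
adm-j.doe,true,2024-05-29,true,admin
m.mueller,true,2024-01-15,false,user
svc-backup,true,2024-05-30,false,service
test01,true,2023-11-02,false,user
p.schmidt,true,2024-05-30,true,user
old-intern,false,2023-06-01,false,user
"""

LEAVERS = {"m.mueller", "old-intern"}  # constructed HR leaver feed
AS_OF = date(2024, 6, 1)               # constructed review date


def review_accounts(csv_text: str, leavers: set[str], as_of: date,
                    max_idle_days: int = 45) -> dict[str, list[str]]:
    """Return the usernames that fail each of the three checks."""
    findings: dict[str, list[str]] = {
        "dormant": [],                 # enabled, but unused for > max_idle_days
        "leaver_still_enabled": [],    # HR says gone, directory says active
        "admin_on_daily_account": [],  # admin rights on a non-dedicated account
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        enabled = row["enabled"].lower() == "true"
        idle_days = (as_of - date.fromisoformat(row["last_logon"])).days
        # Service accounts are excluded from the dormancy rule: they may never
        # log on interactively and need their own review of where they are used.
        if enabled and row["type"] != "service" and idle_days > max_idle_days:
            findings["dormant"].append(user)
        if enabled and user in leavers:
            findings["leaver_still_enabled"].append(user)
        if row["is_admin"].lower() == "true" and row["type"] != "admin":
            findings["admin_on_daily_account"].append(user)
    return findings


if __name__ == "__main__":
    for check, users in review_accounts(ACCOUNTS_CSV, LEAVERS, AS_OF).items():
        print(f"{check}: {', '.join(users) or '-'}")
```

Note that the leaver "old-intern" produces no finding because the account is already disabled, while "m.mueller" shows up twice: as a leaver who is still enabled and, independently, as dormant. Both findings point at the same gap in the leaver process.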

06 – Rights management

Building on 05, the rights granted to accounts must be managed according to the need-to-know principle. Multi-factor authentication (MFA) is required by the CIS Controls for externally exposed applications, for remote network access and for administrative access; all three requirements are already part of IG1.

The management of users and their access is called IAM (Identity and Access Management); building on this, the management of privileged access is called PAM (Privileged Access Management).

07 – Vulnerability Management

Many data leaks would have been prevented by patching security vulnerabilities quickly and applying updates. Regular vulnerability scanning of the operating systems and applications used in the company, based on the software inventory from 02, is also important; the CIS Controls call for automated scans of internal and externally exposed systems from IG2 onwards.

08 – Audit Log Management

Log files of system and user events are needed to find out what happened during an incident and which data was accessed, stolen or changed. For that purpose, logs must be collected centrally, retained long enough and have synchronised timestamps, otherwise they cannot be correlated afterwards.

This log data can also be processed in a SIEM (Security Information and Event Management) to trigger alerts in near real time.

09 – E-mail and browser protection

The use of up-to-date and fully supported software for e-mail and browsers should be a matter of course. More extensive protection such as a web proxy or a DNS filter often makes sense; DNS filtering is an IG1 measure in the CIS Controls.

10 – Malware protection

Malware execution cannot be prevented completely in any organisation. It is therefore all the more important that, when malware does run, it finds itself in a restricted, non-administrative user account on a fully patched system in a hardened IT environment, so that the damage it can do is limited. Anti-malware software should be deployed on all assets and managed centrally, with signatures updated automatically. Backups are often irreplaceable at this point to allow work to continue quickly.

11 – Backups

Automated backups are not optional, but a must. It is very important to isolate the backups from the running systems so that, for example in the event of a ransomware attack, the backups are not encrypted or deleted along with the data. Cloud backup services with versioning or immutable storage, or offline backups such as rotating USB hard drives, can be suitable for this purpose. Backups should also be protected against unauthorised access (encryption) and restores should be tested regularly: a backup that has never been restored is an assumption, not a safeguard.

12 – Network infrastructure management

A well thought-out security architecture for the company network (zoning, firewalls, segmentation) helps to restrict the movement of attackers. For example, it is usually not necessary for the business that one client can reach another client directly, but this is very important for an attacker who wants to spread within the network (lateral movement).

13 – Network monitoring

For advanced IT security requirements, the correlated evaluation of audit logs in a SIEM (Security Information and Event Management), combined with Host Intrusion Detection (HIDS), Network Intrusion Detection (NIDS), packet filtering and traffic flow information, can be useful. Control 13 contains no IG1 measures; it assumes the logging foundation from Control 08 is already in place.
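As an added example for Control 08 and Control 13 together (not code from the original article or from CIS), the following script runs two detections of the kind a SIEM would apply: a brute-force rule over sshd authentication events from the audit log, and a correlation rule that ties a later successful login from a brute-forcing source to a large outbound transfer in network flow records. All log lines, flow records, hostnames and addresses are constructed sample data; the log year (syslog lines carry none), the flow CSV layout, the hostname-to-address mapping and the alert thresholds are assumptions.

```python
"""Rule-based alerting over audit logs and flow data (CIS Controls 08 and 13).

Added example, not code from the original article. All log lines, flow
records, hostnames and addresses are constructed sample data; the log year,
the flow CSV layout and the host-to-IP mapping are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

AUTH_LOG = """\
Jun  1 10:00:01 srv-file-01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51000 ssh2
Jun  1 10:00:03 srv-file-01 sshd[2102]: Failed password for root from 203.0.113.45 port 51001 ssh2
Jun  1 10:00:05 srv-file-01 sshd[2103]: Failed password for root from 203.0.113.45 port 51002 ssh2
Jun  1 10:00:08 srv-file-01 sshd[2104]: Failed password for backup from 203.0.113.45 port 51003 ssh2
Jun  1 10:00:10 srv-file-01 sshd[2105]: Failed password for backup from 203.0.113.45 port 51004 ssh2
Jun  1 10:00:14 srv-file-01 sshd[2106]: Accepted password for backup from 203.0.113.45 port 51005 ssh2
Jun  1 10:05:00 srv-file-01 sshd[2140]: Failed password for j.doe from 10.0.10.21 port 40001 ssh2
Jun  1 10:05:09 srv-file-01 sshd[2141]: Accepted publickey for j.doe from 10.0.10.21 port 40002 ssh2
"""
# Constructed flow export (hypothetical CSV): timestamp,src_ip,dst_ip,dst_port,bytes
FLOWS_CSV = """\
2024-06-01T10:06:00,10.0.10.21,10.0.10.5,445,120000
2024-06-01T10:07:30,10.0.10.5,198.51.100.9,443,734003200
2024-06-01T11:30:00,10.0.10.5,10.0.10.21,445,5000000
"""
HOST_IPS = {"srv-file-01": "10.0.10.5"}  # assumed hostname-to-address mapping
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    success: bool
    user: str
    src: str


def parse_auth_log(text: str, year: int = 2024) -> list[AuthEvent]:
    """Parse sshd lines; syslog carries no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, they must never abort a rule
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append(AuthEvent(ts, m["host"], m["result"] == "Accepted", m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)) -> dict[str, int]:
    """Source IPs with at least `threshold` failed logins inside any sliding window."""
    failures: dict[str, list[datetime]] = {}
    for e in events:
        if not e.success:
            failures.setdefault(e.src, []).append(e.ts)
    hits: dict[str, int] = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits


def parse_flows(text: str) -> list[tuple]:
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def correlate(events, flows, brute_ips, host_ips, within=timedelta(minutes=30), min_bytes=100_000_000):
    """A login from a brute-forcing source, then a large flow from that host to outside."""
    alerts = []
    for e in events:
        if not (e.success and e.src in brute_ips):
            continue
        alerts.append(f"login after brute force: {e.user}@{e.host} from {e.src} at {e.ts:%H:%M:%S}")
        for ts, src, dst, port, nbytes in flows:
            external = not any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS)
            if src == host_ips.get(e.host) and e.ts <= ts <= e.ts + within and nbytes >= min_bytes and external:
                alerts.append(f"large outbound transfer after suspicious login: {src} -> {dst}:{port}, {nbytes} bytes")
    return alerts


def run(auth_log: str = AUTH_LOG, flows_csv: str = FLOWS_CSV) -> list[str]:
    events = parse_auth_log(auth_log)
    brute = detect_bruteforce(events)
    alerts = [f"brute force: {n} failed logins from {ip} within 60s" for ip, n in brute.items()]
    alerts.extend(correlate(events, parse_flows(flows_csv), set(brute), HOST_IPS))
    return alerts


if __name__ == "__main__":
    print("\n".join(run()))
```

The first rule needs only the audit log (Control 08); the second one only becomes possible once host logs and flow data share a time base and a host-to-address mapping, which is the practical reason Control 13 builds on Control 08. The single failed login of j.doe followed by a key-based success produces no alert, as it should.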

14 – Security awareness training

Regular awareness training of employees keeps the "human firewall" active. Since most external attacks today begin with social engineering (often phishing or other ways of capturing user credentials), well-trained staff can be the most effective detection system for such attacks, provided there is an easy way for them to report what they see.

15 – Service provider management

In our interconnected world, organisations rely on vendors and partners to manage corporate data and use external IT infrastructure for mission-critical applications. An inventory of the service providers in use should be available (e.g. Microsoft if Office 365/Exchange Online is used). The use of (cloud) service providers cannot be assessed across the board. The security precautions on the part of a large provider are often far beyond what a medium-sized company could ever afford, but this shifts the attack surface towards the company's own side of the shared responsibility: its user accounts, its tenant configuration and its employees.

16 – Security of deployed software and web applications

Admittedly, application security is a broad field. The goal is always to ensure that the applications and services in use cannot be compromised, accessed without authorisation or taken down. Depending on whether a company primarily buys and uses software or develops software itself, the focus and the measures implemented can differ considerably. As a minimum, the vulnerability management from 07 must cover the applications too. If software is developed in-house, a secure software development process should be used (secure SDLC, DevSecOps where applicable), including secure handling of third-party components. Control 16 contains no IG1 measures.

17 – Incident Response

Every company should be prepared for security incidents. Clearly defined policies, plans, procedures, responsibilities, training and communication are the basis for quickly identifying and responding appropriately to security incidents.

18 – Penetration testing

A successful defence strategy requires a comprehensive programme with effective policies and governance, strong technical defences and appropriate user engagement. It is rarely perfect, however. In a complex IT environment where technology is constantly evolving and new attackers with new methods appear regularly, organisations should regularly test the measures in place through penetration testing to identify gaps and assess their own resilience. Like Control 13 and Control 16, Control 18 contains no IG1 measures.

4 How are the CIS Controls implemented?

For IT security officers and cybersecurity professionals, planning the implementation of an IT security framework such as the CIS Controls can be a daunting task. With 18 packages of measures to implement and no single prescribed route to compliance, it can quickly seem overwhelming. It is therefore advisable to begin with an assessment of the current implementation status against the CIS Controls as part of developing your own IT security concept; CIS offers a free self-assessment tool (CIS CSAT) for this purpose.

The following three-step guideline can serve as orientation.

Step 1 – Basic Security Measures & Cyber Hygiene (IG1)

The CIS Controls of Implementation Group 1 deal with basic cyber security best practices, also referred to as cyber hygiene. This includes knowing which people, software or IT systems have access to company or customer data.

Step 2 – Information Technology Asset Protection (IG2)

Complementing the measures of IG1, general and technical aspects of IT security are improved and refined. To this end, technical measures are now implemented that specifically protect assets: Emails and other personal data, customer data and also IT systems.

Step 3 – Further development into a security culture (IG3)

Implementation Group 3 expands the already solidly established security programme with measures and concepts that make it possible to stop even advanced attackers. Implementing these measures requires a high degree of available technical know-how and often goes beyond what is necessary for SMEs.

5 Mapping of CIS Controls to ISO 27002

The Center for Internet Security maintains a mapping of the CIS Controls v8 to the ISO/IEC 27002:2022 controls. A detailed Excel list is available from CIS free of charge for download.

6 How are the CIS benchmarks used?

The Center for Internet Security has developed the CIS Benchmarks as concrete configuration baselines that support the implementation of the CIS Controls (in particular Control 04, secure configuration). The CIS Benchmarks comprise over 100 configuration and hardening guidelines in the following areas:

  • Operating Systems
  • Server Software
  • Cloud Providers
  • Mobile devices
  • Network devices
  • Desktop software
  • Multi-function printers

The CIS benchmarks are also available for Download.

Frequently asked questions

The CIS Controls are a catalogue of concrete security measures from the Center for Internet Security that help organisations stop the most common and dangerous cyber attacks. The current version 8 comprises 18 packages of measures with a total of 153 individual safeguards and is regarded as a proven IT security standard.

CIS Controls v8 consist of 18 packages of measures with a total of 153 individual safeguards. They range from inventory of hardware (Control 01) to penetration testing (Control 18) and thus cover the most important areas of enterprise IT.

The implementation groups divide the measures by company size and resources. IG1 (56 measures) is the minimum standard of essential cyber hygiene for every company and is typically all that small companies can implement; IG2 (130 measures) targets mid-sized companies with their own IT team, and IG3 (all 153 measures) targets large enterprises with security experts. Each group builds on the previous one.

The CIS Controls describe which security measures should be implemented. The CIS Benchmarks add more than 100 concrete configuration and hardening guidelines for operating systems, servers, cloud providers as well as network and mobile devices – they show how the measures are implemented technically.

Yes. The Center for Internet Security maintains an official mapping of CIS Controls v8 to the ISO/IEC 27002:2022 Controls. A detailed Excel list is available for free download, so both frameworks can be used side by side.

Implementation proceeds step by step along the implementation groups: first basic cyber hygiene (IG1), then the targeted protection of assets (IG2) and finally building a security culture against advanced attackers (IG3). It is advisable to start with an assessment of the current implementation status.

Do you have questions about implementing the CIS Controls?

Just give us a call or write us a message!

You can reach us by phone or via our contact form. We look forward to hearing from you!


Related content

What is Information Security?
Information security is intended to ensure the confidentiality, integrity and availability of information. The information can be available on IT systems or in non-digital form.

Information Security Management Systems (ISMS)
An Information Security Management System (ISMS) defines methods to ensure information security in an organisation.

CVSS (Common Vulnerability Scoring System)
The CVSS Score provides a numerical representation (0.0 to 10.0) of the severity of a security vulnerability in IT. We explain how the Common Vulnerability Scoring System works, how CVSS should be…

NTLM Authentication
In this article, we explain what NTLM authentication is, how it works, and how it can be exploited by attackers.

Top 10 Vulnerability Scanners for 2026
Vulnerability scanners are automated tools that organisations can use to monitor their networks, systems and applications for security weaknesses. Vulnerability scanning is a best practice in…

Need to Know Principle
The need-to-know principle describes a security objective for confidential information. Access should only be granted to a user if the information is immediately needed to perform a task.

Endpoint Security
Endpoint security comprises technologies and measures that protect end devices such as laptops, servers, smartphones and IoT devices against cyber threats.

What is MITRE ATT&CK?
The MITRE ATT&CK Framework is a continuously updated knowledge base consisting of cyber attacker tactics and techniques across the attack lifecycle.

Proxy Server
A proxy server works as an intermediary between two IT systems. Proxy servers offer different functionalities, improved security and optimised data protection depending on the application, need or…

Cybersecurity concept in 8 steps
A cybersecurity concept refers to guidelines that are intended to ensure IT security in the company. It is about ensuring the availability, integrity and confidentiality of company data,…

Buffer Overflow
A buffer overflow is a programming error that can be exploited by hackers to gain unauthorized access to IT systems. It is one of the best-known security vulnerabilities in software, yet it is…

Attack Vector and Attack Surface
An attack vector is a way for attackers to penetrate a network or IT system. Typical attack vectors include…

Authentication: Differences to authorisation
Authentication and authorisation are two terms used in IT security. They may sound similar but mean completely different things. Authentication is used to verify someone's identity…

What is data security? Standards & Technologies
Data security is an important topic for all companies and authorities. Learn more about threats, measures and the legal framework here.