The document outlines the CIS Top 20 Critical Security Controls, which are best practices developed by the Center for Internet Security to enhance cybersecurity for individuals and organizations. It details key controls such as inventory management, vulnerability scanning, secure configurations, and incident response plans. The implementation of these controls can be facilitated through integrated risk management solutions like CyberStrong.

Uploaded by

diljith p k
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
33 views4 pages

The CIS Top 20 Controls Explained

The document outlines the CIS Top 20 Critical Security Controls, which are best practices developed by the Center for Internet Security to enhance cybersecurity for individuals and organizations. It details key controls such as inventory management, vulnerability scanning, secure configurations, and incident response plans. The implementation of these controls can be facilitated through integrated risk management solutions like CyberStrong.

Uploaded by

diljith p k
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

The CIS Top 20 Controls Explained

by Justin Peacock

The Center for Internet Security (CIS) is a non-profit organization responsible for developing best
practices to improve internet security and protect against security incidents. The frameworks set
forth by CIS affect everybody from individuals to organizations and governments, and were created
to establish safe, reliable standards for protecting IT systems and cybersecurity programs from data
breaches. The CIS Controls, formerly the CIS Top 20, make a strong foundation for a newly maturing
cybersecurity program. Below we explore the top 20 Critical Security Controls and their
requirements.

The CIS Critical Security Controls


1. Inventory and Control of Hardware Assets: Identify devices on your organization's network, keep them updated, and maintain an inventory of assets that store or process information.

2. Inventory and Control of Software Assets: Use software inventory tools to automate all software documentation to ensure unauthorized software is blocked from executing on assets.

3. Continuous Vulnerability Management: Utilize a compliant vulnerability scanning tool to monitor your systems on the network to identify vulnerabilities and keep them up to date.

4. Controlled Use of Administrative Privileges: Configure systems to issue a log entry and alert when accounts are changed, and ensure administrative accounts have proper access.

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Maintain documented, standard security configuration standards for all authorized operating systems and software.

6. Maintenance, Monitoring, and Analysis of Audit Logs: Ensure that local logging has been enabled and appropriate logs are aggregated to a central log management system for analysis and review.

7. Email and Web Browser Protections: Ensure that only supported web browsers and email clients can execute in the organization using the latest official version.

8. Malware Defenses: Utilize centrally managed anti-malware software to monitor and defend each organization's workstations and servers continuously.

9. Limitation and Control of Network Ports, Protocols, and Services: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system, and perform automated port scans on a regular basis.

10. Data Recovery Capabilities: Ensure that all system data and key systems are automatically backed up on a regular basis.

11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches: Compare all network device configurations against approved security configurations, and manage all network devices using multi-factor authentication and encrypted sessions.

12. Boundary Defense: Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges.

13. Data Protection: Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

14. Controlled Access Based on the Need to Know: Segment the network based on the label or classification level of the information stored.

15. Wireless Access Control: Leverage the Advanced Encryption Standard to encrypt wireless data in transit and create a separate wireless network for personal or untrusted devices.

16. Account Monitoring and Control: Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider.

17. Implement a Security Awareness and Training Program: Perform a skills gap analysis and train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.

18. Application Software Security: Establish secure coding practices appropriate to the programming language and development environment being used.

19. Incident Response & Management: Ensure that there are written incident response plans that define the roles of personnel as well as phases of incident handling/management.

20. Penetration Tests and Red Team Exercises: Establish a program for penetration tests that includes a full scope of common attacks, such as wireless, client-based, and web application attacks.
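Several of the controls above (hardware inventory, software inventory, network ports and services, network device configuration) share one mechanism: regularly compare what is actually observed against an authorized baseline and raise a finding for every difference. The following Python script is an added example, not code from the article or from CyberStrong; the inventory, the IP addresses and the scan report format are all constructed for illustration. It parses a scheduled port-scan report, reconciles it with an asset inventory, and reports hosts that are not inventoried, ports without a validated business need, and inventoried hosts the scan did not see.

```python
"""Reconcile an observed port scan against an authorized asset inventory.

Added example (not from the article): the sample inventory, the scan output
format and the IP addresses below are all constructed for illustration.
"""
from dataclasses import dataclass

# Constructed authorized inventory: host -> owner, role and the TCP ports that
# have a validated business need (CIS Controls 1 and 9).
AUTHORIZED_ASSETS = {
    "10.0.1.10": {"owner": "it-ops", "role": "web server", "ports": {22, 443}},
    "10.0.1.11": {"owner": "it-ops", "role": "database", "ports": {22, 5432}},
    "10.0.1.20": {"owner": "finance", "role": "workstation", "ports": set()},
}

# Constructed scan report in a simple "host port/proto state" line format,
# the kind of output a recurring automated port scan job would produce.
SCAN_OUTPUT = """\
# constructed sample scan, one open port per line
10.0.1.10 22/tcp open
10.0.1.10 443/tcp open
10.0.1.10 8080/tcp open
10.0.1.11 22/tcp open
10.0.1.11 5432/tcp open
10.0.1.42 445/tcp open
10.0.1.42 3389/tcp open
"""


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str     # "unknown_host", "unapproved_port" or "missing_host"
    detail: str


def parse_scan(text):
    """Return {host: set(open TCP ports)} from the line format above."""
    observed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, state = line.split()
        if state != "open":
            continue
        port, proto = port_proto.split("/")
        if proto != "tcp":
            continue
        observed.setdefault(host, set()).add(int(port))
    return observed


def reconcile(authorized, observed):
    """Compare scan results with the inventory and return a list of findings."""
    findings = []
    for host, ports in sorted(observed.items()):
        if host not in authorized:
            # Something is on the network that nobody has inventoried (Control 1).
            findings.append(Finding(host, "unknown_host",
                                    f"listening on {sorted(ports)}"))
            continue
        # Ports listening without a validated business need (Control 9).
        for port in sorted(ports - authorized[host]["ports"]):
            findings.append(Finding(host, "unapproved_port", str(port)))
    for host in sorted(authorized):
        if host not in observed:
            # Inventory says it exists but the scan did not see it: a stale
            # record, a powered-off machine or a scan coverage gap to check.
            findings.append(Finding(host, "missing_host",
                                    "in inventory but not observed by scan"))
    return findings


def summarize(findings):
    """Count findings per kind, the figure a recurring report would track."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(AUTHORIZED_ASSETS, parse_scan(SCAN_OUTPUT)):
        print(f"{f.kind:16} {f.host:12} {f.detail}")
```

On the constructed data the script reports one unapproved port (8080 on the web server), one unknown host (10.0.1.42) and one inventoried workstation the scan did not reach. The "missing_host" case matters as much as the other two: an inventory that is never reconciled against observation drifts silently, and the drift is what makes the later controls (patching, logging, configuration baselines) incomplete.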

Implementing CIS controls doesn’t need to be as daunting as it seems with the help of an integrated
risk management (IRM) solution. Thankfully, CyberStrong can streamline and automate your
