
The Center for Internet Security (CIS) recently released version 8 of the Critical Controls. These controls prioritize and provide guidance for organizations to secure networks and systems and to mitigate the most prevalent cyber attacks against them. In this iteration, the controls have been reduced from 20 to 18 and include updated technology and threats.
To assist organizations with implementing these strategies, the controls have been organized into three implementation groups (IGs). The aim is to help different classes of organizations focus their own resources.
IG1 is considered Basic Cyber Hygiene and serves as the starting point for all organizations. This represents the minimum standard of information security for all. There are 56 cyber defense safeguards outlined through this phase of implementation.
Download and read details about all the implementation groups.
Here are the basic strategies outlined in the 18 controls for IG1.
1. Inventory and Control of Enterprise Assets: Maintaining a detailed list of assets can save time and money. Know what you have and where it is. This can assist with finding trouble spots before they become incidents. Recognize how you will handle unauthorized assets.
2. Inventory and Control of Software Assets: As with hardware assets, software inventory is equally important. Document each software asset with regard to support and updates. Address the use of unauthorized software in terms of permissions and use.
3. Data Protection: Know what data you have. Give access only to those who need it. Follow organizational policies for retention and disposal of data. Install software on end-user devices for encryption.
4. Secure Configuration of Enterprise Assets and Software: Establish and maintain secure configurations for end-user devices, software, firewalls and network infrastructure.
5. Account Management: Establish and maintain an inventory of accounts, restrict administrator privileges, disable old accounts and use unique passwords.
6. Access Control Management: Create and control access credentials and privileges. Impose MFA for critical processes.
7. Continuous Vulnerability Management: Continuously assess and track vulnerabilities. Perform automated patch management.
8. Audit Log Management: Collecting and reviewing audit logs can help to detect, understand or recover from an attack.
9. Email and Web Browser Protections: Use fully supported and up-to-date browsers. Enable DNS filtering.
10. Malware Defenses: Anti-malware software can help to prevent or control the threats from malware. Disable autorun features.
11. Data Recovery: Establish and maintain a backup process. Ensure automation and off-site backups.
12. Network Infrastructure Management: Keep your network up-to-date.
13. Network Monitoring and Defense: There are no implementation strategies in IG1.
14. Security Awareness and Skills Training: Establish, maintain and train the workforce on security best practices, recognizing social engineering attacks and reporting incidents.
15. Service Provider Management: Develop a process for maintaining an inventory of service providers.
16. Application Software Security: There are no implementation strategies in IG1.
17. Incident Response Management: Establish a team to manage incident handling. Establish a process for reporting incidents.
18. Penetration Testing: There are no implementation strategies in IG1.
This navigation tool, CIS Navigator, can assist you with securing your organization. Start with IG1 and build on it from there. Get the basic cyber hygiene in place and you are well on your way to improving your overall security posture.