CIS Controls v8 - Implementation Group 1 (IG1)

  • Published: Tuesday, July 27, 2021

The Center of Internet Security (CIS) recently released version 8 of the Critical Controls. These controls set to prioritize and provide guidance for organizations to secure and mitigate the most prevalent cyber attacks against networks and systems. In this iteration, the controls have been reduced from 20 to 18 and include updated technology and threats.

To assist organizations with implementing these strategies the controls have been organized into three implementation groups (IGs). The aim is to help different classes of organizations to focus on their own resources.

IG1 is considered Basic Cyber Hygiene and serves as the starting point for all organizations. This represents the minimum standard of information security for all. There are 56 cyber defense safeguards outlined through this phase of implementation.

Download and read details about all the implementation groups.

Here are the basic strategies outlined in the 18 controls for IG1.

1. Inventory and Control of Enterprise Assets 
Maintaining a detailed list of assets can reduce time and money. Know what you have and where it is. This can assist with finding trouble spots before they become incidents. Recognize how you will handle unauthorized assets.

10. Malware Defenses
Anti-malware software can help to prevent of control the threats from malware. Disable auto run features.

2. Inventory and Control of Software Assets
As with hardware assets, software inventory is equally important. Document the software asset regarding support and updates. Address the use of unauthorized software as far as permissions and use.

11. Data Recovery
Establish and maintain a back up process. Insure automation and off site backups

3. Data Protection
Know what data you have. Give access to only those that need it. Follow organizational policies of retention and disposal of data. Install software on end user devices for encryption.

12. Network Infrastructure Management
Keep your network up-to-date.

4. Secure Configuration of Enterprise Assets and Software
Establish & maintain secure configurations for end user devices, software, firewalls and network infrastructure.

13. Network Monitoring and Defense
There are no implementation strategies in IG1.

5. Account Management
Establish and maintain an inventory of accounts, restrict administrator privileges, disable old accounts and use unique passwords

14. Security Awareness and Skills Training
Establish, maintain and train workforce ton security best practices, recognizing social engineering attacks and reporting incidents.

6. Access Control Management
Create and control access credentials and privileges. Impose MFA for critical processes.

15. Service Provider Management
Develop a process for maintaining an inventory of service providers.

7. Continuous Vulnerability Management
Continuously assess and track vulnerabilities. Perform automated patch management.

16. Application Software Security
There are no implementation strategies in IG1.

8. Audit Log Management
Collecting and reviewing audit logs can help to detect, understand or recover from an attack.

17. Incident Response Management
Establish a team to manage incident handling. Establish a process for reporting incidents

9. Email and Web Browser Protections
Use fully supported and up-to-date browsers. Enable DNS filtering.

18. Penetration Testing
There are no implementation strategies in IG1.

This navigation tool, CIS Navigator, can assist you with securing your organization. Start with IG1 and build on it from there. Get the basic cyber hygiene in place and you are well on your way to improving your overall security posture.