The 17 CIS Critical Security Controls 

The CIS Controls consist of 17 critical security controls that address various aspects of an organization's cybersecurity posture. These controls are designed to provide a comprehensive and prioritized approach to improving cybersecurity defenses. Here’s a closer look at each of these controls: 

1. Inventory and control of enterprise assets 

This control focuses on creating and maintaining an accurate inventory of all hardware assets within the organization. By knowing what assets are present and ensuring they are properly managed, organizations can prevent unauthorized devices from being connected to their networks. 

2. Inventory and control of software assets 

Similar to the first control, this one emphasizes the importance of maintaining an inventory of all software assets. This includes identifying authorized software and ensuring that only approved applications are installed and running on organizational systems. This is also a key step in helping to understand your security stack. If you are able to inventory all of your software and applications, you can find the gaps you might have in protection or identify areas of duplication that could benefit from streamlining in order to potentially reduce costs and boost productivity.  

3. Protection of data 

Data protection is a critical aspect of cybersecurity. This control involves implementing measures to safeguard sensitive information, both in transit and at rest. This includes encryption, access controls, and data loss prevention mechanisms. 

4. Secure configuration 

Secure configuration involves establishing and maintaining secure settings for hardware and software. This includes disabling unnecessary features, services, and ports, as well as ensuring that default configurations are replaced with secure settings. 

5. Management of accounts 

Proper account management is essential for preventing unauthorized access. This control includes implementing strong authentication mechanisms, regularly reviewing user accounts, and promptly disabling or removing accounts that are no longer needed. 

6. Vulnerability management 

Vulnerability management involves regularly scanning systems and applications for vulnerabilities and promptly applying patches and updates. This helps organizations stay protected against known threats and reduces the risk of exploitation. 

7. Auditing of log management 

Effective log management is crucial for detecting and investigating security incidents. This control involves collecting, analyzing, and retaining logs from various sources to identify suspicious activities and support forensic investigations. 

8. Web browser and email protection 

Web browsers and email clients are common vectors for cyberattacks. This control focuses on securing these applications by implementing measures such as email filtering, web content filtering, and disabling unnecessary browser plugins. 

9. Defense of malware 

Malware defense involves implementing measures to detect and prevent malware infections. This includes using antivirus software, regularly updating malware signatures, and employing advanced threat detection technologies. 

10. Recovery of data 

Data recovery is essential for ensuring business continuity in the event of a cyber incident. This control includes implementing regular data backups, testing backup procedures, and having a robust disaster recovery plan in place. 

11. Management of network infrastructure 

Proper management of network infrastructure is crucial for maintaining a secure environment. This control involves implementing measures such as network segmentation, access controls, and monitoring to ensure the security of network devices and traffic. 

12. Monitoring and defense of network 

Continuous monitoring and defense of the network are essential for detecting and responding to security incidents. This control includes implementing intrusion detection and prevention systems, network traffic analysis, and security information and event management (SIEM) solutions. 

13. Skill training and security awareness 

Human error is a significant factor in many cybersecurity incidents. In fact, recent research shows that human factors create significant cybersecurity risks for small and medium-sized businesses. This CIS control emphasizes the importance of providing regular training and awareness programs to educate employees on cybersecurity best practices and potential threats. 

14. Evaluate and manage service providers 

Organizations often rely on third-party service providers for various functions. This control involves assessing and managing the security practices of these providers to ensure they meet the organization's security requirements. 

15. Security of application software 

Application security is crucial for preventing vulnerabilities that can be exploited by attackers. This control involves implementing secure coding practices, conducting regular security assessments, and addressing identified vulnerabilities promptly. 

16. Managing incident response 

Effective incident response is critical for minimizing the impact of security incidents. This control includes establishing an incident response plan, conducting regular drills, and ensuring that all relevant personnel are trained to respond to incidents effectively. 

17. Penetration testing 

Penetration testing involves simulating cyberattacks to identify and address vulnerabilities in the organization's systems and networks. This control helps organizations understand their security weaknesses and improve their defenses. 

You can find further information about CIS using link below.