Why use the CIS Controls?
Many organizations facing the current cybersecurity environment are overwhelmed
by what we call the “Fog of More”—a constant stream of new information and problems. They are challenged by competing expert opinions, a noisy and fast-changing marketplace of potential solutions, and unclear or overwhelming regulatory and compliance requirements.
The CIS Controls are developed by a global expert community based on their first-hand experience of the threat environment to identify the most high-value practices to secure networks. Their in-depth understanding of the current threat landscape drives the priority order and focus of the CIS Controls. Further, CIS routinely incorporates feedback from the user community and ensures the best practices are vendor-neutral.
Relationship to Compliance Frameworks
The CIS Controls align with top compliance frameworks such as NIST, PCI, ISO, HIPAA, COBIT and others. Downloaded more than 65,000 times across the globe, most CIS Controls adopters use more than one framework to improve their security. CIS does not compete with any other framework; rather, we strive to offer users tools and work aids to simplify their security journey. In fact, many CIS adopters tell us they use the CIS Controls as the implementation guide to the NIST Cybersecurity Framework (CSF).
At Belarc we try to keep things simple, so here’s our recommendation on how best to implement cyber security: Establish a process to implement and regularly monitor the Center for Internet Security (CIS) Foundational Controls. We like the CIS controls because they are based on lessons learned from actual attacks and breaches and are created by people from multiple industries and government, including the NSA and DHS, who have deep knowledge of all aspects of cyber security.
The First 5 CIS Controls
CIS Control 1 – Inventory of Authorized and Unauthorized Devices.
CIS Control 2 – Inventory of Authorized and Unauthorized Software.
CIS Control 3 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers.
CIS Control 4 – Continuous Vulnerability Assessment and Remediation.
CIS Control 5 – Controlled Use of Administrative Privileges.
After reviewing and implementing the First 5 CIS Controls, you can move on and implement the comprehensive list of all 20 CIS Controls and sub-controls.
How Can Belarc Help?
Belarc’s system automatically creates an up-to-date central repository with detailed hardware, software and security configuration data. It does this on a near-continuous basis and scales to enterprises of any size.
Complete listing of all hardware including desktops, laptops, servers, virtual machines, tablets and phones. Configuration details include make, model, serial number, BIOS or UEFI, operating system, group policies applied, USB storage device usage, encryption status, and more. (CSC 1)
Complete listing of all installed software including versions and last time used. Ability to automatically compare installed software with standard images or approved software. Flags unused software as candidates to be removed. (CSC 2)
Comparison of configurations to the US Government Configuration Baselines (USGCB). (CSC 3)
Automatic vulnerability assessment based on published vulnerabilities from Microsoft, Adobe, Oracle Java and Apple. (CSC 4)
Detailed information on both local and domain user logins by host and privileges, and the ability to automatically track user account changes such as elevated privileges. (CSC 5)
Enterprise-wide, standards-based, continuous monitoring of automated security controls.
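The CSC 2 and CSC 5 checks listed above (compare installed software with an approved list, flag unused software as removal candidates, and track changes to administrative group membership between collection runs) as an added Python example; this is not Belarc's code, and the inventory snapshot, approved list, host names and 90-day idle threshold are constructed for illustration:

```python
# Added example (not Belarc's code): CSC 2 / CSC 5 style checks over a
# constructed inventory snapshot. All sample data below is made up.
from datetime import date

APPROVED_SOFTWARE = {"Office Suite", "PDF Reader", "Endpoint Agent"}
UNUSED_DAYS = 90              # idle threshold for "candidate to remove"
TODAY = date(2024, 6, 1)      # fixed reference date so results are stable

INVENTORY = {  # host -> installed packages with version and last-used date
    "ws-01": [
        {"name": "Office Suite", "version": "16.0", "last_used": date(2024, 5, 30)},
        {"name": "PDF Reader", "version": "11.2", "last_used": date(2023, 11, 1)},
        {"name": "Remote Admin Tool", "version": "3.1", "last_used": date(2024, 5, 28)},
    ],
    "ws-02": [{"name": "Endpoint Agent", "version": "7.4", "last_used": date(2024, 5, 31)}],
}
# Local Administrators group membership from two successive collection runs.
ADMINS_BEFORE = {"ws-01": {"Administrator", "svc-backup"}, "ws-02": {"Administrator"}}
ADMINS_AFTER = {"ws-01": {"Administrator", "svc-backup", "jdoe"}, "ws-02": {"Administrator"}}


def unapproved_software(inventory, approved):
    """(host, name, version) for every installed package not on the approved list."""
    return sorted((host, p["name"], p["version"])
                  for host, pkgs in inventory.items()
                  for p in pkgs if p["name"] not in approved)


def unused_software(inventory, today=TODAY, max_days=UNUSED_DAYS):
    """(host, name, days_idle) for packages not used within max_days."""
    hits = []
    for host, pkgs in inventory.items():
        for p in pkgs:
            idle = (today - p["last_used"]).days
            if idle > max_days:
                hits.append((host, p["name"], idle))
    return sorted(hits)


def admin_changes(before, after):
    """{host: (added, removed)} for hosts whose admin group membership changed."""
    changes = {}
    for host in set(before) | set(after):
        added = after.get(host, set()) - before.get(host, set())
        removed = before.get(host, set()) - after.get(host, set())
        if added or removed:
            changes[host] = (sorted(added), sorted(removed))
    return changes
```

Running the three functions over the sample data reports the unapproved "Remote Admin Tool" on ws-01, the PDF Reader idle for 213 days, and the new "jdoe" administrator on ws-01; in practice the inputs would come from each collection run of the inventory system.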
A phased implementation approach like this delivers the most significant benefits first, because these are the highest-priority controls.
Belarc’s products monitor many of the technical controls in the NIST document referenced