Understanding the CIS Framework

How to Simplify CIS Compliance and Control Management


What is the CIS Framework?

CIS is a cybersecurity framework that represents best practice recommendations from the Center for Internet Security to protect your organization from cyber threats. You can use controls from CIS as a foundation for your cybersecurity program, and like many cybersecurity frameworks, you can adopt some of the CIS controls to establish your core cybersecurity program and then build and scale with additional controls and sub-controls over time.

CIS released CIS v8 in the spring of 2021. Controls within CIS v8 are similar to action items. You can adapt them to create a defense against common and pervasive cyber threats. Unlike some more extensive cybersecurity frameworks, the list of 18 CIS controls is considered a high priority for organizations regardless of program maturity.

In this CIS knowledgebase, we’ll explore these controls, examine implementation groupings, and share information about who should be CIS compliant, as well as benefits of adopting CIS best practices.

Here’s What You’ll Find:

  • What is the CIS Framework? Overseen by the Center for Internet Security, the CIS cybersecurity framework represents globally recognized best practices for information security.
  • What are CIS Benchmarks? CIS Benchmarks are configuration guidelines, aligned with the CIS Controls, for a wide variety of target systems and devices.
  • What are CIS Hardened Images? CIS Hardened Images are virtual machine images pre-configured to limit the weaknesses threat actors could exploit to put your organization at risk.
  • Your Guide to CIS Compliance: Apptega’s CIS compliance guide will help you get started on your CIS compliance journey.
  • Should My Organization Be CIS Compliant? While there is no mandatory certification or attestation process, CIS compliance is a strong foundation for your cybersecurity program.
  • The 7 Principles of CIS: When a team of IT and security experts from around the world united to develop the CIS Controls, they relied on seven core principles for guidance.
  • Understanding CIS v8 Controls: CIS v8 consolidates the framework to 18 controls and 153 safeguards (what v7 called sub-controls) you can use to build and mature your information security program.
  • CIS Implementation Groups: Unsure of where to begin? CIS safeguards are divided into three implementation groups. You can start with Group 1, then build on those controls to mature your security practices.
  • CIS Webinar Snapshots: There are many cybersecurity frameworks to consider. Explore our webinars to learn which may best fit your organization’s needs.
  • CIS v8 Frequently Asked Questions: Have questions about CIS v8? This FAQ is a great place to start.
  • CIS Marketplace: Searching for tools, guidance, and assistance with CIS v7 compliance? Try the CIS v7 Marketplace.
  • The Apptega Solution for CIS: Apptega helps simplify and streamline your CIS compliance needs and gives you better security oversight.

Understanding the CIS Framework

CIS is a cybersecurity framework that represents concrete actions you can take to protect your organization from cyber threats. The controls are prioritized actions to help protect your systems, data, and networks, each broken down into action-specific sub-controls you can implement to build or mature your cybersecurity practices. CIS Controls v7.1 defines 20 controls and 171 sub-controls; CIS v8 consolidates them into 18 controls and 153 safeguards.

The Center for Internet Security oversees the framework. The controls themselves were defined by a community of IT and security experts and are considered industry best practices. As breaches and attacks continue to increase across most industries around the globe, security professionals have become inundated with recommendations for how best to protect their attack surfaces. CIS defined this framework to focus on the most effective and critical controls an organization needs.

While CIS controls are primarily preventive, they also help you respond to systems that attackers have already breached and guide you in preventing additional damage, data loss, or exfiltration.

There are five primary tenets that underpin the CIS controls:

1. Offense informs defense: You can apply knowledge from real-world attacks to learn how to build an effective defense.

2. Prioritization: Start your program by implementing controls that will decrease the greatest amount of risk.

3. Measurements and metrics: Understand and share program metrics with your executives and key stakeholders so you can continuously adapt and improve your program.

4. Continuous diagnostics and mitigation: Continuously evaluate your program’s effectiveness to ensure your controls work as designed and make plans to mitigate gaps and weaknesses.

5. Automation: Adopt automation to facilitate continuous security actions and related metrics.

CIS Implementation Groups


If you’re considering implementing CIS controls, it’s important to understand how they are prioritized. The controls are numbered in priority order, so lower-numbered controls should generally be in place before later ones. The intended starting point, however, is not “control 1 through 20” but Implementation Group 1: each sub-control is assigned to one of three implementation groups so you can scale your program as resources and maturity grow. We’ll discuss the groups in more detail later, but here’s a quick summary:

Implementation Group 1 is suitable for organizations with limited resources and cybersecurity knowledge.

Implementation Group 2 is suitable for organizations with moderate resources and cybersecurity knowledge.

Implementation Group 3 is suitable for more mature organizations with more resources and cybersecurity knowledge.


CIS Benchmarks

We mentioned earlier how IT and security experts worked together to establish globally recognized, cross-industry cybersecurity controls outlined in CIS. In addition to these controls, IT and security professionals helped create CIS Benchmarks that outline more than 100 configuration guidelines for more than 25 vendor product families to reduce the risk of cyber threats.

CIS Benchmarks are consensus-developed, best-practice security configuration guidelines for hardening specific target systems.

Benchmarks exist for a range of:

  • Operating systems
  • Server software
  • Cloud providers
  • Mobile devices
  • Network devices
  • Desktop software
  • Multi-functional print devices

These benchmarks are routinely updated, and each one generally contains multiple configuration profiles. The profiles are divided into two levels:

  • Level 1: Base recommendations you can implement quickly that should not reduce functionality or hinder operations.
  • Level 2: “Defense-in-depth” recommendations for environments where security is paramount. They can reduce functionality or performance even when implemented correctly, so test them before rolling them out.

CIS Hardened Images

In addition to CIS Benchmarks, CIS offers virtual machine images pre-configured to CIS Benchmark standards. Unlike a standard image, a hardened image is configured to limit the weaknesses threat actors could exploit. You can use hardened images as a secure baseline with protection against a variety of threats, including unauthorized access, data exfiltration, denial of service, and other risks.

All CIS hardened images are configured to CIS Benchmarks, meaning they employ best practices for cybersecurity. They include CIS-CAT Pro conformance and exception reports. These hardened images are available across a variety of platforms including:

  • Amazon Web Services (AWS Marketplace, AWS IC, and AWS GovCloud)
  • Microsoft Azure (Azure Marketplace and Azure Gov Marketplace)
  • Google Cloud Platform
  • Oracle Cloud Marketplace

To learn more about CIS hardened images, visit https://www.cisecurity.org/cis-hardened-images.


Manage and Implement CIS Controls with Ease with Apptega

With 18 controls and more than 150 sub-controls, you can simplify your CIS v8 framework implementation and management processes with Apptega. In the Apptega dashboard, you get instant insight into all of your controls so you know what’s working the way it should and where you need to make improvements.

Here are some of the many benefits of adopting Apptega as your comprehensive cybersecurity framework management solution:

  • Automated and customizable reports
  • Pre-built task packs, templates and policies
  • Automated alerts and notifications
  • Insight into roles and permissions
  • Cross-framework mapping
  • Reliable document repository
  • Platform personalization
  • Scalability

Building a Successful CIS Engagement Strategy

If you’re new to building a cybersecurity program or you have a more mature program and you want to evaluate its effectiveness, CIS v7 controls are a great place to start. But where do you begin? How do you build a successful CIS engagement strategy for your organization to keep it secure?

In Apptega’s CIS v7.1 Compliance Guide, we start by giving you a high-level overview of what CIS is, what the organization does, and the intent of the CIS controls. The compliance guide is also a useful resource for diving further into CIS control implementation groups and for understanding the role of CIS Hardened Images and how they can save your organization valuable time as a starting point for securely configured operating systems.

In addition to examining each of the 20 CIS controls, this guide also provides insight into how to implement CIS controls and what you need to ensure you have proper documentation of your security processes.

What Our Customers Are Saying

Ed Myers
Associate Compliance Director, Cape Henry Associates

“With Apptega, we now have the visibility needed to know the true status of our program at any time.”

Desiree Davis
Operations Manager, Leap Credit

"I would absolutely recommend Apptega for anyone looking to elevate their compliance program from a static source to something that can be used to actively track and manage your compliance."

Who Needs to be CIS Compliant?

A number of professionals have asked us if their organization should be CIS compliant. The answer is a resounding yes!

Regardless of your industry or organization size or type, it’s a good idea to become CIS compliant. Why? Because adopting CIS controls can prepare your organization to build a strong defense against cyber-attacks, give you the tools you need to respond if a breach occurs, help you stop an attack from moving throughout your network, and limit compromise to other systems.

There is no formal certification or third-party assessment required to be “CIS compliant.” You implement and test the controls, then self-assess your planning and mitigation against them.

The key here is proper documentation and measurement of your CIS control effectiveness. You should create supporting policies and procedures and be sure to document those and other critical metrics including specifications and configuration requirements.

Don’t forget validation as part of your documentation processes. It’s not enough to just implement the controls and walk away. You should also work with your team to ensure each person understands expectations and requirements and that all controls function as they should under a wide variety of circumstances. Internal testing and auditing practices are key for CIS compliance success.

Compliance Framework Crosswalking with Harmony


Managing multiple security frameworks within a single organization doesn’t have to be as stressful as you may think. With a cybersecurity management platform like Apptega, you can simplify compliance across multiple frameworks. Apptega’s intelligent framework mapping tool, Harmony, enables you to automatically crosswalk the shared controls, sub-controls, resources, and activities across all of your frameworks without duplicated processes or repeated manual tasks. You can also streamline task identification and management for every control and sub-control you implement.

Understanding the Driving Principles for CIS

To help facilitate CIS implementation and adoption, the experts who worked together to develop the global, cross-industry CIS standards did so by embracing seven core principles. These core principles can help guide your organization on your journey to become CIS compliant.

Here are the principles and an overview of what they’re designed to do:

Address current attacks, tech, and changing requirements
CIS controls reflect current trends, the threat landscape, the proliferation of cybersecurity tools and resources, and other pressing challenges modern organizations face today securing their enterprises.

Key topic focus
CIS controls address and offer guidance for common security issues such as authentication, encryption, app whitelists, and more.

Framework alignment
CIS v7 controls work hand-in-hand with other cybersecurity frameworks and can easily be mapped to others.

Improve consistency and wording
The most current controls and sub-controls are clearer and simpler, so they are easier to understand, implement, and measure.

Stronger foundation for integrations
Updated CIS controls make it easier to adopt and integrate them into other products, services, and decision-making processes.

Structural changes
The content of CIS v7 is restructured to be more responsive to diverse organizations.

Feedback
CIS will continue to gather feedback about the controls to make future adjustments and improvements as needed.

Understanding CIS Controls


The 20 CIS v7.1 Controls

The controls listed below follow CIS v7.1 numbering, which has 20 controls divided into three core areas: basic (1-6), foundational (7-16), and organizational (17-20), with 171 related sub-controls. To implement an information security program from these controls, begin with the basic controls, then move to the foundational controls, and finally adopt the organizational controls. CIS v8 consolidates these into 18 controls and 153 safeguards and drops the basic/foundational/organizational grouping, but the underlying activities remain the same.

Basic CIS Controls


1. Inventory and Control of Hardware Assets
This control covers how you actively inventory, track, and correct all hardware devices on your network so that only authorized devices are given access and unauthorized or unmanaged devices are found and removed. Its eight sub-controls map to the Identify, Respond, and Protect security functions:

  • 1.1 Utilize an Active Discovery Tool
  • 1.2 Use a Passive Asset Discovery Tool
  • 1.3 Use DHCP Logging to Update Asset Inventory
  • 1.4 Maintain Detailed Asset Inventory
  • 1.5 Maintain Asset Inventory Information
  • 1.6 Address Unauthorized Assets
  • 1.7 Deploy Port Level Access Control
  • 1.8 Utilize Client Certificates to Authenticate Hardware Assets
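Sub-controls 1.3 through 1.6 describe a loop: feed DHCP lease logs into the inventory, record what you learn about each device, and act on devices that got an address but are not on the list. The example below is added here to show that loop in working code; it is not part of the CIS Controls or of Apptega’s product. It parses ISC dhcpd-style `DHCPACK` syslog lines (the log lines and the inventory are constructed sample data), updates the matching inventory rows, and returns the leases for unknown MAC addresses as the population that sub-control 1.6 asks you to quarantine or onboard.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ISC dhcpd logs a granted lease as:
#   DHCPACK on <ip> to <mac> (<client-hostname>) via <interface>
# The parenthesised hostname is optional, so the regex treats it as optional too.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Asset:
    """One inventory row with the fields sub-controls 1.4/1.5 ask you to keep."""
    mac: str
    owner: str
    ip: Optional[str] = None
    hostname: Optional[str] = None
    last_seen: Optional[str] = None


def parse_dhcpack(line: str) -> Optional[dict]:
    """Extract ip/mac/hostname/interface from a DHCPACK syslog line, or None for other events."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return {
        "ts": line[:15],              # syslog timestamp prefix, e.g. "Jun  3 09:12:01"
        "ip": m["ip"],
        "mac": m["mac"].lower(),      # normalise case so MACs compare equal with the inventory
        "hostname": m["host"] or "",
        "iface": m["iface"],
    }


def reconcile(lines: List[str], inventory: Dict[str, Asset]):
    """Update inventory rows from granted leases and collect leases for unknown MACs.

    Returns (inventory, unauthorized). `unauthorized` holds the first sighting of
    each MAC that obtained an address but has no inventory row (sub-control 1.6).
    Inventory keys are expected to be lower-case MAC strings.
    """
    unauthorized: Dict[str, dict] = {}
    for line in lines:
        lease = parse_dhcpack(line)
        if lease is None:
            continue  # DISCOVER/OFFER/REQUEST lines carry no granted address
        asset = inventory.get(lease["mac"])
        if asset is None:
            unauthorized.setdefault(lease["mac"], lease)  # keep the first sighting only
            continue
        asset.ip, asset.hostname, asset.last_seen = lease["ip"], lease["hostname"], lease["ts"]
    return inventory, list(unauthorized.values())


# Constructed sample data: a toy inventory and four dhcpd log lines (not real output).
SAMPLE_INVENTORY = {
    "aa:bb:cc:dd:ee:01": Asset(mac="aa:bb:cc:dd:ee:01", owner="alice / finance"),
    "aa:bb:cc:dd:ee:02": Asset(mac="aa:bb:cc:dd:ee:02", owner="facilities (printer)"),
}
SAMPLE_LOG = [
    "Jun  3 09:12:01 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.23 to AA:BB:CC:DD:EE:01 (LAPTOP-ALICE) via eth0",
    "Jun  3 09:12:07 dhcp1 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via eth0",
    "Jun  3 09:12:08 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.24 to aa:bb:cc:dd:ee:02 (printer-3f) via eth0",
    "Jun  3 09:13:40 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.57 to de:ad:be:ef:00:99 via eth0",
]


def run_sample():
    """Run the reconciliation over the sample data on a fresh copy of the inventory."""
    fresh = {k: Asset(v.mac, v.owner) for k, v in SAMPLE_INVENTORY.items()}
    return reconcile(SAMPLE_LOG, fresh)


if __name__ == "__main__":
    inv, unauth = run_sample()
    for a in inv.values():
        print(f"known   {a.mac} {a.ip or '-':15} {a.hostname or '-':14} owner={a.owner}")
    for u in unauth:
        print(f"UNKNOWN {u['mac']} {u['ip']:15} first seen {u['ts']} on {u['iface']} -> quarantine or inventory")
```

In practice the inventory would be loaded from your asset database and the log lines streamed from the DHCP server’s syslog; the point the code makes is that the MAC address is the join key, so it must be normalised on both sides, and that a device you cannot match is a finding to act on, not noise to drop.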

2. Inventory and Control of Software Assets
This control covers how you actively inventory, track, and correct all software on your network so that only authorized software is installed and can execute, and unauthorized or unmanaged software is found and prevented from running. Its 10 sub-controls map to the Identify, Respond, and Protect security functions:

  • 2.1 Maintain Inventory of Authorized Software
  • 2.2 Ensure Software is Supported by Vendor
  • 2.3 Utilize Software Inventory Tools
  • 2.4 Track Software Inventory Information
  • 2.5 Integrate Software and Hardware Asset Inventories
  • 2.6 Address Unapproved Software
  • 2.7 Utilize Application Whitelisting
  • 2.8 Implement Application Whitelisting of Libraries
  • 2.9 Implement Application Whitelisting of Scripts
  • 2.10 Physically or Logically Segregate High Risk Applications

3. Continuous Vulnerability Management
This control covers the continuous acquisition, assessment, and use of vulnerability information: how you discover vulnerabilities, remediate them, and minimize the window of opportunity for attackers. Its seven sub-controls map to the Detect, Respond, and Protect security functions:

  • 3.1 Run Automated Vulnerability Scanning Tools
  • 3.2 Perform Authenticated Vulnerability Scanning
  • 3.3 Protect Dedicated Assessment Accounts
  • 3.4 Deploy Automated Operating System Patch Management Tools
  • 3.5 Deploy Automated Software Patch Management Tools
  • 3.6 Compare Back-to-back Vulnerability Scans
  • 3.7 Utilize a Risk-rating Process
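Sub-controls 3.6 and 3.7 are two halves of one workflow: diff consecutive scans so you can see what is new, what was fixed and what has been sitting unfixed, then order the remaining findings by risk rather than by raw CVSS. The example below is added here to make that concrete; it is not CIS or Apptega code. Scan results are constructed sample records shaped like a flattened scanner export (one row per host and vulnerability id, with placeholder ids rather than real CVEs), and the risk formula, the per-host criticality weights and the internet-facing set are hypothetical inputs you would replace with your own.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    """One row of a flattened scanner export: a vulnerability observed on a host."""
    host: str
    vuln_id: str   # CVE or scanner plugin id; placeholder values in the sample data
    port: int
    cvss: float    # CVSS base score, 0.0 to 10.0


def diff_scans(previous: Iterable[Finding], current: Iterable[Finding]):
    """Compare two consecutive scans keyed on (host, vuln_id) (sub-control 3.6).

    Returns (new, resolved, persisting). Port is deliberately not part of the key,
    so a service that moved ports is not counted as one fixed and one new issue.
    """
    prev = {(f.host, f.vuln_id): f for f in previous}
    curr = {(f.host, f.vuln_id): f for f in current}
    new = [curr[k] for k in sorted(curr.keys() - prev.keys())]
    resolved = [prev[k] for k in sorted(prev.keys() - curr.keys())]
    persisting = [curr[k] for k in sorted(curr.keys() & prev.keys())]
    return new, resolved, persisting


def risk_score(f: Finding, criticality: Dict[str, int], internet_facing: Set[str]) -> float:
    """Hypothetical 3.7 rating: CVSS x asset criticality (1-3) x 2 when reachable from the internet."""
    weight = criticality.get(f.host, 1)          # unknown hosts get the lowest weight
    exposure = 2.0 if f.host in internet_facing else 1.0
    return round(f.cvss * weight * exposure, 1)


def prioritize(findings: Iterable[Finding], criticality: Dict[str, int],
               internet_facing: Set[str]) -> List[Finding]:
    """Order findings highest risk first, with a stable tie-break on host and id."""
    return sorted(findings,
                  key=lambda f: (-risk_score(f, criticality, internet_facing), f.host, f.vuln_id))


def overdue(persisting: Iterable[Finding], min_cvss: float = 7.0) -> List[Finding]:
    """Findings seen in both scans at or above the CVSS bar: they missed the remediation window."""
    return [f for f in persisting if f.cvss >= min_cvss]


# Constructed sample scans (placeholder vulnerability ids, not real CVEs).
PREVIOUS = [
    Finding("web1", "VULN-A", 443, 9.8),
    Finding("web1", "VULN-B", 443, 5.3),
    Finding("db1", "VULN-C", 5432, 7.5),
]
CURRENT = [
    Finding("web1", "VULN-B", 443, 5.3),
    Finding("db1", "VULN-C", 5432, 7.5),
    Finding("db1", "VULN-D", 22, 8.8),
    Finding("hr-ws3", "VULN-E", 445, 9.8),
]
CRITICALITY = {"web1": 2, "db1": 3, "hr-ws3": 1}   # hypothetical asset criticality
INTERNET_FACING = {"web1"}                          # hypothetical exposure inventory


def run_sample():
    """Diff the two sample scans and build the ordered remediation worklist."""
    new, resolved, persisting = diff_scans(PREVIOUS, CURRENT)
    worklist = prioritize(new + persisting, CRITICALITY, INTERNET_FACING)
    return new, resolved, persisting, worklist, overdue(persisting)


if __name__ == "__main__":
    new, resolved, persisting, worklist, late = run_sample()
    print("new:      ", [(f.host, f.vuln_id) for f in new])
    print("resolved: ", [(f.host, f.vuln_id) for f in resolved])
    print("overdue:  ", [(f.host, f.vuln_id) for f in late])
    for f in worklist:
        print(f"{risk_score(f, CRITICALITY, INTERNET_FACING):5.1f}  {f.host:8} {f.vuln_id}  cvss={f.cvss}")
```

On the sample data the 9.8 on the workstation ends up last and the 8.8 on the database first, which is the argument for a risk-rating process: CVSS alone would have ordered them the other way. The weights are where the judgement lives, so document them alongside the scan results.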

4. Controlled Use of Administrative Privileges
This control covers the processes and tools you use to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications. Its nine sub-controls map to the Detect and Protect security functions:

  • 4.1 Maintain Inventory of Administrative Accounts
  • 4.2 Change Default Passwords
  • 4.3 Ensure the Use of Dedicated Administrative Accounts
  • 4.4 Use Unique Passwords
  • 4.5 Use Multifactor Authentication For All Administrative Access
  • 4.6 Use Dedicated Workstations For All Administrative Tasks
  • 4.7 Limit Access to Scripting Tools
  • 4.8 Log and Alert on Changes to Administrative Group Membership
  • 4.9 Log and Alert on Unsuccessful Administrative Account Login
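Sub-controls 4.8 and 4.9 are detection rules, and they are only as good as the event fields you key on. The example below is added here to show both rules over Windows Security events as a SIEM would export them; it is not CIS or Apptega code. It alerts on any member added to a privileged group (event IDs 4728, 4732 and 4756 for security-enabled global, local and universal groups, where `TargetUserName` is the group and `MemberName` the account added) and on repeated failed logons (event ID 4625, where `TargetUserName` is the account that failed) against accounts from the administrative-account inventory of sub-control 4.1. The events, the admin-account list, the privileged-group list and the three-failures-in-ten-minutes threshold are constructed or assumed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Windows Security event IDs for "a member was added to a security-enabled group".
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
FAILED_LOGON = 4625
# Groups whose membership changes always warrant an alert; extend for your environment.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}


def detect(events: Iterable[dict], admin_accounts: Set[str],
           fail_threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Return alerts for privileged group changes (4.8) and repeated failed admin logons (4.9).

    Each event is a dict of exported Security log fields: EventID, time (ISO 8601),
    SubjectUserName (who performed the action), TargetUserName (the group for
    4728/4732/4756, the account for 4625), MemberName (account added) and IpAddress.
    """
    alerts: List[dict] = []
    # (account, source ip) -> timestamps of failures inside the sliding window
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)

    for e in sorted(events, key=lambda ev: ev["time"]):
        ts = datetime.fromisoformat(e["time"])
        eid = e["EventID"]
        if eid in GROUP_ADD_EVENTS and e["TargetUserName"] in PRIVILEGED_GROUPS:
            alerts.append({
                "type": "privileged_group_change",
                "time": e["time"],
                "group": e["TargetUserName"],
                "member": e["MemberName"],
                "by": e["SubjectUserName"],
                "scope": GROUP_ADD_EVENTS[eid],
            })
        elif eid == FAILED_LOGON and e["TargetUserName"].lower() in admin_accounts:
            key = (e["TargetUserName"].lower(), e.get("IpAddress", "-"))
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) == fail_threshold:  # fire once as the threshold is crossed
                alerts.append({
                    "type": "admin_logon_failures",
                    "time": e["time"],
                    "account": key[0],
                    "source": key[1],
                    "count": len(recent),
                })
    return alerts


# Assumed administrative-account inventory (sub-control 4.1), lower-cased for matching.
ADMIN_ACCOUNTS = {"adm-alice", "adm-bob"}

# Constructed sample events, in the field layout described in detect()'s docstring.
SAMPLE_EVENTS = [
    {"EventID": 4728, "time": "2024-06-03T08:00:12", "SubjectUserName": "svc_deploy",
     "TargetUserName": "Domain Admins", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    {"EventID": 4732, "time": "2024-06-03T08:01:40", "SubjectUserName": "helpdesk1",
     "TargetUserName": "Remote Desktop Users", "MemberName": "CN=tsmith,OU=Users,DC=corp,DC=example"},
    {"EventID": 4625, "time": "2024-06-03T08:05:01", "TargetUserName": "ADM-ALICE", "IpAddress": "10.0.5.9"},
    {"EventID": 4625, "time": "2024-06-03T08:05:30", "TargetUserName": "bob", "IpAddress": "10.0.5.9"},
    {"EventID": 4625, "time": "2024-06-03T08:06:15", "TargetUserName": "ADM-ALICE", "IpAddress": "10.0.5.9"},
    {"EventID": 4625, "time": "2024-06-03T08:07:02", "TargetUserName": "ADM-ALICE", "IpAddress": "10.0.5.9"},
    {"EventID": 4625, "time": "2024-06-03T09:30:00", "TargetUserName": "adm-bob", "IpAddress": "10.0.7.2"},
]


def run_sample() -> List[dict]:
    """Run both rules over the sample events."""
    return detect(SAMPLE_EVENTS, ADMIN_ACCOUNTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The group-change rule has no threshold on purpose: a single addition to Domain Admins is always worth a human look. The failed-logon rule keys on account and source address together, so a slow spray across many admin accounts from one host would need a second, source-only counter; that is the kind of gap a tabletop of your own alerts should surface.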

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
This control covers how you establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, workstations, and servers using rigorous configuration management and change control processes. Its five sub-controls map to the Detect and Protect security functions:

  • 5.1 Establish Secure Configurations
  • 5.2 Maintain Secure Images
  • 5.3 Securely Store Master Images
  • 5.4 Deploy System Configuration Management Tools
  • 5.5 Implement Automated Configuration Monitoring Systems

6. Maintenance, Monitoring and Analysis of Audit Logs
This control covers how you collect, manage, and analyze audit logs of events that could help you detect, understand, or recover from an attack. Its eight sub-controls map to the Detect security function:

  • 6.1 Utilize Three Synchronized Time Sources
  • 6.2 Activate Audit Logging
  • 6.3 Enable Detailed Logging
  • 6.4 Ensure Adequate Storage for Logs
  • 6.5 Central Log Management
  • 6.6 Deploy SIEM or Log Analytic Tools
  • 6.7 Regularly Review Logs
  • 6.8 Regularly Tune SIEM

Want to know more about these controls and sub-controls? Download the CIS Controls guide: https://learn.cisecurity.org/cis-controls-download

Foundational CIS Controls


7. Email and Web Browser Protections
This control covers how you minimize the attack surface and the opportunities for attackers to manipulate human behavior through interaction with web browsers and email systems. Its 10 sub-controls map to the Detect and Protect security functions:

  • 7.1 Ensure Use of Only Fully Supported Browsers and Email Clients
  • 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins
  • 7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients
  • 7.4 Maintain and Enforce Network-Based URL Filters
  • 7.5 Subscribe to URL-Categorization Service
  • 7.6 Log all URL Requests
  • 7.7 Use of DNS Filtering Services
  • 7.8 Implement DMARC and Enable Receiver- Side Verification
  • 7.9 Block Unnecessary File Types
  • 7.10 Sandbox All Email Attachments

8. Malware Defenses
This control covers how you control the installation, spread, and execution of malicious code at multiple points in the enterprise, while using automation to enable rapid updating of defenses, data gathering, and corrective action. Its eight sub-controls map to the Detect and Protect security functions:

  • 8.1 Utilize Centrally Managed Anti-Malware Software
  • 8.2 Ensure Anti-Malware Software and Signatures are Updated
  • 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
  • 8.4 Configure Anti-Malware Scanning of Removable Devices
  • 8.5 Configure Devices to Not Auto-Run Content
  • 8.6 Centralize Anti-Malware Logging
  • 8.7 Enable DNS Query Logging
  • 8.8 Enable Command-Line Audit Logging

9. Limitation and Control of Network Ports, Protocols and Services
This control covers how you track, control, and correct the ongoing operational use of ports, protocols, and services on networked devices to minimize the windows of vulnerability available to attackers. Its five sub-controls map to the Detect, Identify, and Protect security functions:

  • 9.1 Associate Active Ports, Services and Protocols to Asset Inventory
  • 9.2 Ensure Only Approved Ports, Protocols and Services Are Running
  • 9.3 Perform Regular Automated Port Scans
  • 9.4 Apply Host-Based Firewalls or Port Filtering
  • 9.5 Implement Application Firewalls

10. Data Recovery Capabilities
This control covers the processes and tools used to properly back up critical information, with a proven methodology for timely recovery. Its five sub-controls map to the Protect security function:

  • 10.1 Ensure Regular Automated Backups
  • 10.2 Perform Complete System Backups
  • 10.3 Test Data on Backup Media
  • 10.4 Protect Backups
  • 10.5 Ensure Backups Have At least One Non-Continuously Addressable Destination

11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
This control covers how you establish, implement, and actively manage the security configuration of network infrastructure devices using rigorous configuration management and change control processes. Its seven sub-controls map to the Detect, Identify, and Protect security functions:

  • 11.1 Maintain Standard Security Configurations for Network Devices
  • 11.2 Document Traffic Configuration Rules
  • 11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
  • 11.4 Install the Latest Stable Version of Any Security- Related Updates on All Network Devices
  • 11.5 Manage Network Devices Using Multi- Factor Authentication and Encrypted Sessions
  • 11.6 Use Dedicated Workstations For All Network Administrative Tasks
  • 11.7 Manage Network Infrastructure Through a Dedicated Network

12. Boundary Defense
This control covers how you detect, prevent, and correct the flow of information across networks of different trust levels, with a focus on data that could damage security. Its 12 sub-controls map to the Detect and Protect security functions:

  • 12.1 Maintain an Inventory of Network Boundaries
  • 12.2 Scan for Unauthorized Connections across Trusted Network Boundaries
  • 12.3 Deny Communications with Known Malicious IP Addresses
  • 12.4 Deny Communication over Unauthorized Ports
  • 12.5 Configure Monitoring Systems to Record Network Packets
  • 12.6 Deploy Network-Based IDS Sensors
  • 12.7 Deploy Network-Based Intrusion Prevention Systems
  • 12.8 Deploy NetFlow Collection on Networking Boundary Devices
  • 12.9 Deploy Application Layer Filtering Proxy Server
  • 12.10 Decrypt Network Traffic at Proxy
  • 12.11 Require All Remote Logins to Use Multi- Factor Authentication
  • 12.12 Manage All Devices Remotely Logging into Internal Network

13. Data Protection

This control covers the processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information. Its nine sub-controls map to the Detect, Identify, and Protect security functions:

  • 13.1 Maintain an Inventory of Sensitive Information
  • 13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
  • 13.3 Monitor and Block Unauthorized Network Traffic
  • 13.4 Only Allow Access to Authorized Cloud Storage or Email Providers
  • 13.5 Monitor and Detect Any Unauthorized Use of Encryption
  • 13.6 Encrypt the Hard Drive of All Mobile Devices
  • 13.7 Manage USB Devices
  • 13.8 Manage System’s External Removable Media’s Read/Write Configurations
  • 13.9 Encrypt Data on USB Storage Devices

14. Controlled Access Based on the Need to Know
This control covers the processes and tools used to track, control, prevent, and correct access to critical assets (information, resources, and systems) based on a formal determination of which people, computers, and applications have a need and a right to access them under an approved classification. Its nine sub-controls map to the Detect and Protect security functions:

  • 14.1 Segment the Network Based on Sensitivity
  • 14.2 Enable Firewall Filtering Between VLANs
  • 14.3 Disable Workstation to Workstation Communication
  • 14.4 Encrypt All Sensitive Information in Transit
  • 14.5 Utilize an Active Discovery Tool to Identify Sensitive Data
  • 14.6 Protect Information through Access Control Lists
  • 14.7 Enforce Access Control to Data through Automated Tools
  • 14.8 Encrypt Sensitive Information at Rest
  • 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data

15. Wireless Access Control
This control covers the processes and tools used to track, control, prevent, and correct the security use of wireless local area networks (WLANs), access points, and wireless client systems. Its 10 sub-controls map to the Detect, Identify, and Protect security functions:

  • 15.1 Maintain an Inventory of Authorized Wireless Access Points
  • 15.2 Detect Wireless Access Points Connected to the Wired Network
  • 15.3 Use a Wireless Intrusion Detection System
  • 15.4 Disable Wireless Access on Devices if it is Not Required
  • 15.5 Limit Wireless Access on Client Devices
  • 15.6 Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients
  • 15.7 Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
  • 15.8 Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
  • 15.9 Disable Wireless Peripheral Access to Devices
  • 15.10 Create Separate Wireless Network for Personal and Untrusted Devices

16. Account Monitoring and Control
This control covers how you actively manage the lifecycle of system and application accounts, including creation, use, dormancy, and deletion, to minimize opportunities for attackers to leverage them. Its 13 sub-controls map to the Detect, Identify, Protect, and Respond security functions:

  • 16.1 Maintain an Inventory of Authentication Systems
  • 16.2 Configure Centralized Point of Authentication
  • 16.3 Require Multi-Factor Authentication
  • 16.4 Encrypt or Hash all Authentication Credentials
  • 16.5 Encrypt Transmittal of Username and Authentication Credentials
  • 16.6 Maintain an Inventory of Accounts
  • 16.7 Establish Process for Revoking Access
  • 16.8 Disable Any Unassociated Accounts
  • 16.9 Disable Dormant Accounts
  • 16.10 Ensure All Accounts Have An Expiration Date
  • 16.11 Lock Workstation Sessions After Inactivity
  • 16.12 Monitor Attempts to Access Deactivated Accounts
  • 16.13 Alert on Account Login Behavior Deviation

Want to know more about these controls and sub-controls? Download the CIS Controls guide: https://learn.cisecurity.org/cis-controls-download

Organizational CIS Controls


17. Implement a Security Awareness and Training Program
This control covers how, for all functional roles in the organization, you identify the specific knowledge, skills, and abilities needed to defend the enterprise, then develop and execute an integrated plan to assess and remediate gaps through policy, organizational planning, training, and awareness programs. It has nine sub-controls:

  • 17.1 Perform a Skills Gap Analysis
  • 17.2 Deliver Training to Fill the Skills Gap
  • 17.3 Implement a Security Awareness Program
  • 17.4 Update Awareness Content Frequently
  • 17.5 Train Workforce on Secure Authentication
  • 17.6 Train Workforce on Identifying Social Engineering Attacks
  • 17.7 Train Workforce on Sensitive Data Handling
  • 17.8 Train Workforce on Causes of Unintentional Data Exposure
  • 17.9 Train Workforce Members on Identifying and Reporting Incidents

18. Application Software Security
This control covers how you manage the security lifecycle of all in-house developed and acquired software to prevent, detect, and correct security weaknesses. It has 11 sub-controls:

  • 18.1 Establish Secure Coding Practices
  • 18.2 Ensure Explicit Error Checking is Performed for All In-House Developed Software
  • 18.3 Verify That Acquired Software is Still Supported
  • 18.4 Only Use Up-to-Date And Trusted Third-Party Components
  • 18.5 Use Only Standardized and Extensively Reviewed Encryption Algorithms
  • 18.6 Ensure Software Development Personnel are Trained in Secure Coding
  • 18.7 Apply Static and Dynamic Code Analysis Tools
  • 18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities
  • 18.9 Separate Production and Non-Production Systems
  • 18.10 Deploy Web Application Firewalls
  • 18.11 Use Standard Hardening Configuration Templates for Databases

19. Incident Response and Management
This control covers how you protect your organization’s information and reputation by developing and implementing an incident response capability (plans, defined roles, training, communications, and management oversight) so you can quickly discover an attack, contain the damage, eradicate the attacker’s presence, and restore the integrity of the network and systems. It has eight sub-controls:

  • 19.1 Document Incident Response Procedures
  • 19.2 Assign Job Titles and Duties for Incident Response
  • 19.3 Designate Management Personnel to Support Incident Handling
  • 19.4 Devise Organization-wide Standards for Reporting Incidents
  • 19.5 Maintain Contact Information For Reporting Security Incidents
  • 19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents
  • 19.7 Conduct Periodic Incident Scenario Sessions for Personnel
  • 19.8 Create Incident Scoring and Prioritization Schema

20. Penetration Tests and Red Team Exercises
This control tests the overall strength of your defenses (technology, processes, and people) by simulating the objectives and actions of an attacker. It has eight sub-controls:

  • 20.1 Establish a Penetration Testing Program
  • 20.2 Conduct Regular External and Internal Penetration Tests
  • 20.3 Perform Periodic Red Team Exercises
  • 20.4 Include Tests for Presence of Unprotected System Information and Artifacts
  • 20.5 Create a Test Bed for Elements Not Typically Tested in Production
  • 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert
  • 20.7 Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
  • 20.8 Control and Monitor Accounts Associated with Penetration Testing

Want to know more about these controls and sub-controls? Download the CIS Controls guide: https://learn.cisecurity.org/cis-controls-download

Understanding CIS Implementation Groups

The sub-controls of the CIS controls are assigned to three implementation groups (IGs). These groups help you set the foundation of your cybersecurity program and scale it. Let’s look at each group to see which stage best suits your program now and your plans for maturing it in the future.

  • Implementation Group 1: For organizations with limited resources and experience to implement CIS sub-controls.
  • Implementation Group 2: For organizations with moderate resources and experience to implement CIS sub-controls.
  • Implementation Group 3: For organizations with significant resources and experience to allocate to CIS sub-controls.

While there is no formal certification for CIS compliance, you can self-assess control implementation, effectiveness, and documentation at each of these three implementation groups.

Consider the sub-controls in Implementation Group 1 as the elements of basic cyber hygiene. Group 2 builds on Group 1, and Group 3 builds on Groups 1 and 2.

While these tiered groupings help you mature your cybersecurity practices, they also often reflect increased organizational size and complexity, which can introduce additional security risks. As you move through the implementation groups into higher levels, you may want to adopt additional controls for stronger security.

Simplify the CIS Framework with Apptega

Cybersecurity framework management doesn’t have to be as complex as it has been in the past. You don’t have to waste weeks or even months preparing for an audit. Instead, Apptega can help you streamline processes, improve efficiencies, save time and money, and build scalable, flexible, mature cybersecurity defenses for your organization.

By using Apptega to manage your CIS v8 framework, you can:

  • Continuously assess and remediate security issues and processes with real-time insight into multiple frameworks
  • Establish continuous visibility of cybersecurity posture
  • Prepare for audits faster and manage the audit process with ease
  • Crosswalk all of your frameworks and streamline management
  • Create custom reports that your executives and key stakeholders understand
  • Reduce security burdens and expenses
  • Build a more secure and compliant infrastructure

CIS Blogs

CIS: What you Need to Know

CIS has 20 high-level controls you can use as a foundation for your cybersecurity program. Because these controls build on one another across three distinct implementation groups, you can start with the first six basic cyber hygiene controls and mature your program over time. In this blog, we take a closer look at those controls and explore how Apptega can help you establish a CIS compliance program.

Which Cybersecurity Framework is Right for You?

The list of available cybersecurity frameworks continues to grow as regulations and compliance standards evolve to stay ahead of attackers. With so many available, how do you know which is right for you? Do you need CIS, SOC 2, CMMC, ISO, NIST, or something else? In this blog, we’ll walk you through some of the most common frameworks, explain benefits, and help you understand which (or combination) is right for your organization.

CIS Webinars

How to Choose Which Cybersecurity Framework to Follow

While you may be aware of which cybersecurity framework your organization must implement based on compliance and regulations, do you know if there are others that align to your security goals and can help you better protect your attack surface? How do you map multiple frameworks so you don’t duplicate processes?

In this webinar, join our panel of experts to explore:

• The most common major frameworks and how they’re used
• Where there are similarities and differences between the frameworks
• How you can simplify framework management with a single solution and automate tasks

Secrets To Passing A Cybersecurity Audit: An Auditor's Perspective

While there is no formal certification for CIS compliance, you can undergo internal and external audits to evaluate the controls you’ve implemented and identify security gaps that need more attention. Unfortunately, audits can be time-consuming and challenging and not all organizations will pass. What can you do to ensure audit success?

In this webinar, you’ll hear from first-hand experience to help you:

• Understand best practices for audit success
• Learn more about common pitfalls and how to overcome them
• Adopt time-saving tips that simplify your auditor engagements

CIS Marketplace

Searching for Tools, Guidance, and help with CIS compliance?

Do you need resources, tools, guidance, or help with CIS compliance? The CIS Marketplace in CyberXchange is mapped to every defined control in the CIS framework. For each of your gaps or compliance deficiencies, you can instantly find solutions mapped to your specific needs. No more guesswork: the research is already done for you. Join thousands of CISOs, CIOs, and other cyber professionals who have already discovered perfect-fit solutions.

Simplified Control Management

When compared to other cybersecurity frameworks, CIS with only 20 core controls may seem easier to manage. However, when you add in additional sub-controls, soon you’ll find that managing everything on paper, spreadsheets, or static documents is time-consuming and inefficient.

Instead, you can use a single cybersecurity framework management solution that streamlines processes, automates key practices, and gives you insight into how well your program functions at any point in time. And, if you’re using more than one cybersecurity framework, you’ll want to adopt the benefits of crosswalking them within one platform so you don’t waste time repeating steps for one framework that you’re already effectively doing in another. Apptega can simplify your processes by consolidating all of your framework controls and sub-controls, as well as related activities and resources.

Frequently Asked Questions about CIS (FAQs)

What is CIS?
CIS consists of 20 high-level cybersecurity controls and more than 170 sub-controls you can implement to build or mature your information security program. These controls start with basic cyber hygiene best practices and then build upon one another for more scalable and secure information security programs. A group of IT and security professionals, representing a range of experiences from around the world, worked together to establish these globally-recognized practices to decrease cyber risks for all organizations, regardless of location, size, or industry.
Who oversees CIS controls?
The Center for Internet Security oversees CIS controls, benchmarks, and hardened images. However, a diverse group of IT and security professionals works together to maintain these best practices based on the current threat landscape and emerging technologies.
Does my organization need to be CIS compliant?
Regardless of your organization's size or industry, it's a good idea to comply with CIS standards. If you're a small organization with limited resources, you may find the first six controls (the basic cyber hygiene controls) and the Implementation Group 1 sub-controls sufficient for your needs. However, as your organization scales over time (or if you're already a medium or large organization), you can benefit from adopting additional CIS controls and sub-controls for a more secure technology environment.
How many CIS controls are there?
There are 20 controls in CIS.
How many CIS sub-controls are there?
There are more than 170 CIS sub-controls directly related to the 20 core CIS controls.
How do I implement CIS?
Unlike other more complex cybersecurity frameworks, organizations of all sizes can tackle CIS implementation. First, review CIS controls and sub-controls. Next, evaluate your organization’s resources and experience. If you discover you have limited resources and security expertise, begin your program with the controls in Implementation Group 1. If you have moderate resources and expertise, implement Group 1, then move on to Group 2. Finally, as your program and organization mature, move to Implementation Group 3.
What are the benefits of adopting CIS controls?
There are a number of benefits your organization could reap from adopting CIS controls. First, these controls, which are globally recognized as industry best practices, can help you reduce cybersecurity framework and tools overload so you can focus on adopting and implementing critical security practices to secure your organization now and then build onto your program over time. Adopting CIS controls can help give you the insight you need to detect vulnerabilities and other security issues, identify which ones may have the most critical impact on your organization, build defenses to protect your most critical applications and services, and then respond to threats as they occur to quell damage and prevent future attacks.
What is the most current version of CIS controls?
CIS Controls v8, released in the spring of 2021, is the most current version. The 20 controls and more than 170 sub-controls described on this page are the structure of CIS v7.1; v8 consolidates them into 18 controls and renames the sub-controls as safeguards.
What are CIS benchmarks?
CIS Benchmarks are best-practice security configuration guidelines to secure target systems such as operating systems, server software, cloud providers, mobile devices, network devices, desktop software, and multi-functional print devices.
What is a CIS hardened image?
A CIS hardened image is a hardened virtual machine configured to limit weaknesses and potential exploitation. CIS hardened images are configured to CIS best practices and can be used across a variety of cloud-computing environments including AWS, Azure, and GCP.
Where can I find compliance resources for CIS?

CIS compliance resources are in Apptega’s CIS Marketplace. Within the marketplace, you can quickly access products and services to help you with CIS compliance, including access to consultants with expertise in your specific compliance areas of need.

Companies on the Journey to CIS Compliance

IJM, CounterTrade, Cortland, HCTec, Focus on the Family, Greenhouse Software