20 Actions to Take to Secure Any Organization

Have you heard of the Center for Internet Security? If not, this is definitely an organization within the cybersecurity community that we should all be following closely. Center for Internet Security is a global community of volunteers united in their mission to “make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.”

They have produced a list of the Top 20 Security Controls that can be implemented [at different levels] to help secure organizations of any size! This is not just any list! This is actionable list of standard security controls! The CIS Controls™ are a prioritized, well-vetted set of actions that organizations can take to assess and improve their current security state to mitigate the most common attacks against any systems and networks.

In this post, we’ll get familiar with what data is available and dive deeper into each “control area” in future posts.

Why was this list created?

In short, the answer is, “To help us figure out “where to focus first”! If there’s one thing we all know for sure, it’s that there is no shortage of information available to security teams on what’s needed to secure today’s IT Operations. The sheer volume of information and resources available to cybersecurity professionals can quickly become overwhelming! The purpose of this list is to help practitioners cut through the “Fog of More” and focus on the most fundamental and valuable actions that every organization should take to prevent, alert, and respond to today’s most common attacks.

That said, it’s not a one-size-fits-all list of priorities. It’s a list of security controls we should ALL be considering. The list was developed by a volunteer community of IT experts who applied their first-hand experience as cyber defenders to create a set of globally accepted security best practices that are implementable, usable, scalable, and compliant with all industry or government security requirements. But you will still need to determine what is critical to your organization’s business, data, systems, networks and infrastructure.

So, what is the Top 20 list of most critical security controls that the CIS Community of experts believes we need to assess and address?

We will review each of these security controls {and their associated sub-controls] further in future posts.

All Security Controls Are NOT Created Equal!

Depending on the size of your organization, balancing resource constraints with efforts to effectively mitigate risk could be a challenge. As a result, CIS provides guidance to help prioritize which security controls [and sub-controls] should be implemented by defining three CIS Controls Implementation Groups.

Organizations are encouraged to classify themselves as belonging to one of three Implementation Groups. For instance:

• A family-owned business with ~10 employees may self-classify as IG1;
• A regional organization providing a service may classify itself as IG2;
• A large corporation with thousands of employees may be labeled IG3.

The intention behind identifying these different Implementation Groups is to help organizations figure out where to focus and prioritize their efforts based on their mission, risks and resources available to implement proposed controls. Once a classification is determined, organizations can then focus on implementing the CIS Sub-Controls associated with that Implementation Group.

Assess Yourself!

Review the following information to help determine the Implementation Group classification [and subsequent CIS Controls guidance] that apply to your organizaiton:

Remember, while it is proposed that very small organizations will need to implement far fewer security controls, this may not actually be the case for your organization specifically. You may not have a need [or the resources] to implement all of the security controls. You’ll want to self-assess and determine which CIS Implementation Group most accurately reflects your organization’s needs based on the following characteristics:

1. Data sensitivity and criticality of services offered by the organization. Organizations providing services that must be available for any reason (e.g., public safety, critical infrastructure) or working with data that must be protected under a further restricted set of requirements (e.g., federal legislation) need to implement more advanced cybersecurity controls than those that do not.
2. Expected level of technical expertise exhibited by staff or on contract. Cybersecurity knowledge and experience are difficult to obtain, yet are necessary to implement many of the detailed cybersecurity mitigations outlined within the CIS Controls. Many of the CIS Controls require minimum core IT competencies, whereas others necessitate in-depth cybersecurity skills and knowledge to successfully implement.
3. Resources available and dedicated toward cybersecurity activities. Time, money, and personnel are all necessary in order to implement many of the best practices contained within the CIS Controls. Enterprises that can dedicate these resources toward cybersecurity can mount a more sophisticated defense against today’s adversaries. While there are open-source tools available that assist an organization’s implementation, they may come at a cost of additional management and deployment overhead that needs to be recognized and taken into consideration.

Decide Which Group Best Describes Your Organization!

Implementation Groups are defined as follows:

• Implementation Group 1: is a small to medium-sized organization with limited IT and cybersecurity expertise to dedicate toward protecting IT assets and personnel. The principal concern of these organizations is to keep the business operational as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information. However, there may be some small to medium-sized organizations that are responsible for protecting sensitive data and, therefore, will fall into a higher Group. Sub-Controls selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Sub-Controls will lso typically be designed to work in conjunction with small or home office commercial-off-the-Shelf (COTS) hardware and software.

• Implementation Group 2: an organization that employs individuals responsible for managing and protecting IT infrastructure. These organizations support multiple departments with differing risk profiles based on job function and mission. Small organizational units may have regulatory compliance burdens. IG2 organizations often store and process sensitive client or company information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs. Sub-Controls selected for IG2 help security teams cope with increased operational complexity. Some Sub-Controls will depend on enterprise-grade technology and specialized expertise to properly install and configure.

• Implementation Group 3: an organization employs security experts that specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security). IG3 systems and data contain sensitive information or functions that are subject to regulatory and compliance oversight. A IG3 organization must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare. Sub-Controls selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.

Take Action!

Once you know which Implementation Group you fall into, you can download the CIS Controls spreadsheet and guide Version 7.1 [released in April 2019] to learn more about the individual security controls that are relevant to you!

Source: Center for Internet Security [CIS]