The Center for Internet Security also known as CIS is a non profit organization committed to developing an understanding and implementation of cybersecurity standards within the public and private sector. They provide information on industry best practices through the use of their three departments: Multi-State Information Sharing and Analysis Center (MS-ISAC), CIS Security Benchmarks and CIS Critical Security Controls.
MS-ISAC allows companies to submit incidents so they have the opportunity to trade information and discuss strategies or challenges being faced across the industry. The objectives of MS-ISAC are as follows:
- Provide an avenue to share information
- Create a database where information on incidents can be shared and commented upon
- Allows for an information exchange on critical infrastructure required for a secure logical and physical environment
- Provide ideas for training and awareness programs among employees
This portion of the program was created to help set benchmarks while implementing device configurations, security metrics and choosing product certifications. Additionally, recommendations for technical settings can be found in this section.
CIS has created a highlighted list of controls that lower the risk of a successful cyberattack by a great deal. The top 5 controls are listed below.
- Inventory of Authorized and Unauthorized Devices: It is imperative to have an up-to-date knowledge of all devices on the network. This will help the IT department have a better idea of which devices should not be within the environment and can promptly react in the case that an unauthorized device has gained access.
- Inventory of Authorized and Unauthorized Software: Companies should keep a whitelist of authorized software. This can help prevent the possibility of vulnerabilities that could negatively impact the environment.
- Configurations for Hardware and Software on Network Devices are Secured: Configurations should be standardized and access should be restricted to better secure the environment and prevent unauthorized changes from entering into the system.
- Continuous Vulnerability Assessment and Remediation: Going through the process of continuously understanding the vulnerabilities that may impact a network environment and identifying tasks that will mitigate those risks is imperative to protecting and enhancing a company’s security environment.
- Controlled Use of Administrative Privileges: Only those with a logical reason for access should hold administrative privileges. Entitlement reviews should be done on a regular basis to ensure that there are no accounts with unauthorized privileges.
While the Center for Internet Security does have a section that is subscription based, it contains an extensive amount of free resources that can be utilized to better protect companies against cyberattacks. More information can be found at the link below.
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is currently a manager with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.