How these controls apply to your organization
The Center for Internet Security (CIS) publishes the CIS关键安全控制 (CSC) to help organizations better defend against known attacks by distilling key security concepts into actionable controls to achieve greater overall cybersecurity defense.
As security challenges evolve, so do the best practices to meet them. The CIS is well-regarded in the security industry for making both current and concrete recommendations to help enterprises improve their security posture via their Critical Security Controls for Effective Cyber Defense, formerly known as the SANS Top 20 Critical Security Controls.
Whereas many standards and compliance regulations aimed at improving overall security can be narrow in focus by being industry-specific, the CIS CSC—currently on its seventh iteration at version 7—was created by experts across numerous government agencies and industry leaders to be industry-agnostic and universally applicable.
The CIS benchmarks also acknowledge the reality most organizations face in that resources are usually limited and priorities must be set. 像这样, CIS separates the controls into three categories: basic, 基础, 和组织, 无论行业类型如何. That prioritization of standards is what differentiates the CIS CSC recommendations from other security controls and lists, which may mention prioritization as a necessity but don't go as far as making concrete recommendations.
总共有20个CIS控制, with the first six in the list prioritized as “basic” controls which should be implemented by all organizations for cyber defense readiness. In iteration 7, these top six CIS controls are:
1) Inventory and Control of Hardware Assets
2)软件资产的盘点与控制
3)持续漏洞管理
4) Controlled Use of Administrative Privileges
5) Secure Configuration for Hardware and Software on Mobile Devices, 笔记本电脑, 工作站和服务器
6) Maintenance, Monitoring and Analysis of Audit Logs
Each control is wide in scope but aligns with solid principles: making sure the right users have access to the right assets, and that all systems are kept up-to-date and as hardened as possible. Following CIS guidance for these top six controls will yield great benefits, even if these are the only controls your organization can implement.
The scope of all of the Top 20 CIS关键安全控制 is comprehensive in its view of what's required for robust cybersecurity defense: Security is never just a technological problem, and the CIS recommendations encompass not only data, 软件和硬件, 还有人和流程. 例如, 事件响应 红队和红队, both key components of any robust proactive defense plan, are part of CIS controls 19 and 20 respectively.
The CIS关键安全控制 also have cross-compatibility and/or directly map to a number of other compliance and security standards, many of which are industry specific—including NIST 800-53, PCI DSS, FISMA, and HIPAA—meaning organizations that must follow these regulations can use the CIS controls as an aid to compliance. 此外, NIST网络安全框架, another robust tool commonly employed to better streamline and strengthen an organization's security posture, draws from the CIS CSC as their baseline for a number of their recommended best practices.
For organizations looking to improve their security posture and harden their defenses against the attack vectors they're most likely to encounter, the CIS关键安全控制 are a great starting point to reduce your risk of exposure and mitigate the severity of most of the attack types.