What is CIS?
Founded in 1989 by Alan Paller, the SANS Institute is a company that specializes in information and cybersecurity. SANS partners with the Center for Internet Security (CIS) and industry professionals to maintain the 20 Critical Security Controls. The CIS 20 are essential for protecting an organization's assets and data from known cyber-attack vectors, and they should be implemented by companies that seek to strengthen their security in the Internet of Things (IoT) domain. The CIS 20 controls span asset configuration (hardware and software), malware defenses, recovery, continuous monitoring and control, incident response plans and management, penetration tests, and Red Team exercises.
CIS + Cloud
CIS groups the controls into three levels. The basic controls should be implemented in every organization for essential cyber defense readiness; they include continuous vulnerability management, controlled use of administrative privileges, secure configuration of hardware and software, and the maintenance, monitoring, and analysis of audit logs. The foundational controls are technical best practices that provide clear security benefits: email and browser protections, malware defenses, data recovery capabilities, data protection, boundary defense, wireless access control, and account monitoring and control. The organizational controls focus on the people and processes involved in cybersecurity: application software security, incident response and management, and penetration testing. Almost all of the above controls apply when using cloud infrastructure.
The CIS 20 Security Controls are not mandatory or required by law. However, because they are such a comprehensive guide to online security, covering the basic, foundational, and organizational control levels, it is highly recommended that organizations implement them. Implementing all three levels of controls will take your organization a long way toward data privacy and security. The CIS controls are not rules but a guide of best practices. Cloudanix helps you achieve CIS compliance and secure your cloud infrastructure. Cloudanix automates audits that perform various checks, each consisting of different rules, across the wide variety of recipes we provide. For instance, our AWS IAM Audit recipe contains rules such as MFA on user accounts, access key rotation, and many more. These audit rules help you comply with the CIS 1-2 and CIS 1-3 clauses, which require, respectively, that multi-factor authentication (MFA) is enabled for all IAM users with a console password and that access keys are rotated every 90 days or less. The audit report tells you if you are violating these rules and, effectively, these clauses of CIS. We have many other recipes and rules that ensure you follow the best security practices specified by CIS while we take care of your security audits!
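As an added example (not Cloudanix's own code), here is how the two IAM rules just described can be evaluated over an AWS IAM credential report: the report rows and the "current time" below are constructed for illustration, while the 90-day threshold and the CIS 1-2 / 1-3 labels come from the text above.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # CIS 1-3: rotate access keys every 90 days or less

# Constructed sample rows in the column layout of `aws iam get-credential-report`.
# The <root_account> row follows the real report's convention; root is governed
# by separate CIS rules and is skipped below.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-01-01T00:00:00+00:00,not_supported,2024-05-01T00:00:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-01T08:00:00+00:00,2024-01-10T09:00:00+00:00,N/A,true,true,2024-04-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-01-10T09:00:00+00:00,true,2024-05-01T08:00:00+00:00,2024-01-10T09:00:00+00:00,N/A,false,true,2023-11-01T00:00:00+00:00,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2023-01-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-20T00:00:00+00:00,true,2023-06-01T00:00:00+00:00
"""

AS_OF = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed audit time


def _parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=None):
    """Return (user, rule, detail) tuples for every CIS 1-2 / CIS 1-3 violation."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue
        # CIS 1-2: a user with a console password must have MFA active.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "CIS 1-2", "console password without MFA"))
        # CIS 1-3: every active access key must have been rotated within 90 days.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is None or age > MAX_KEY_AGE_DAYS:
                detail = f"access key {n} is {age} days old" if age is not None else f"access key {n} rotation date unknown"
                findings.append((user, "CIS 1-3", detail))
    return findings


if __name__ == "__main__":
    for user, rule, detail in audit_credential_report(SAMPLE_REPORT, AS_OF):
        print(f"{rule}: {user}: {detail}")
```

Against a real account you would feed in the decoded CSV from `aws iam get-credential-report` and the current UTC time instead of the constructed sample.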