CIS Security (Center for Internet Security)

Best Practices for Data Privacy and Security for your Organization

What is CIS?

The Center for Internet Security is a 501(c)(3) nonprofit organization, formed in October 2000 with the purpose of making the connected world more secure by developing, validating, and promoting timely best-practice solutions that help individuals, small businesses, and government entities safeguard themselves against prevalent cyber threats. CIS is affiliated with ISACA, AICPA, the IIA, and the SANS Institute. Founded in 1989 by Alan Paller, the SANS Institute is a company that specializes in information and cybersecurity. The SANS Institute partners with the Center for Internet Security (CIS) and industry professionals to maintain the 20 critical security controls. The CIS 20 are essential to protect the assets and data of an organization from known cyber-attack vectors. These controls should be implemented by companies that seek to strengthen their security in the Internet of Things (IoT) domain. The CIS 20 controls span asset configuration (hardware and software), malware defenses, recovery, continuous monitoring and control, incident response plans and management, penetration tests, and Red Team exercises.

CIS + Cloud

CIS describes three levels of security controls. The basic controls should be implemented in every organization for essential cyber defense readiness; they include continuous vulnerability management, controlled use of administrative privileges, secure configuration of hardware and software, and the maintenance, monitoring, and analysis of audit logs. The foundational controls are the best technical practices that provide clear security benefits; they include email and browser protections, malware defenses, data recovery capabilities, data protection, boundary defense, wireless access control, and account monitoring and control. The organizational controls focus on the people and processes involved in cybersecurity; they include application software security, incident response and management, and penetration testing. Almost all of the above controls apply when using cloud infrastructure.

Why Cloudanix?

The CIS 20 Security Controls are not mandatory or required by law. However, because they are such a comprehensive guide to online security, covering the basic, foundational, and organizational control levels, organizations are strongly advised to implement them. Having the three levels of controls described by CIS will take your organization a long way toward data privacy and security. CIS Security Controls are not rules but a guide to best practices. Cloudanix helps you achieve CIS compliance and secure your cloud infrastructure. Cloudanix automates audits that perform various checks, each consisting of different rules, across the wide variety of recipes we provide. For instance, our AWS IAM Audit recipe contains rules such as MFA on user accounts, access key rotation, and many more. These audit rules help you comply with the CIS 1-2 and CIS 1-3 clauses, which require that multi-factor authentication (MFA) is enabled for all IAM users with a console password and that access keys are rotated every 90 days or less, respectively. Our audit tells you whether you are violating these rules and, effectively, these clauses of CIS. We have many other recipes and rules that ensure you follow the best security practices specified by CIS while we take care of your security audits!

FAQ

Your questions around CIS answered.

The Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) is a set of prioritized best practices that address the most pervasive and dangerous threats of today.

Some basic CIS controls include: Inventory and Control of Enterprise Assets; Inventory and Control of Software Assets; Data Protection; Secure Configuration of Enterprise Assets and Software; Account Management; Access Control Management; Continuous Vulnerability Management; Audit Log Management; Email and Web Browser Protections; and Malware Defenses.

CIS Benchmarks are industry-specific documents that document how to configure IT systems, software, and networks securely. CIS Benchmarks are developed by a team of cybersecurity professionals and subject matter experts around the world, who are constantly identifying, refining, and verifying security best practices in their particular areas of expertise.

CIS RAM (the CIS Risk Assessment Method) is an information security risk assessment method that helps businesses implement and assess their security posture against cybersecurity best practices.