
The CIS - Critical Security Controls for Effective Cyber Defense

The Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense is a publication of best practice guidelines for computer security. The project was initiated in early 2008 in response to extreme data losses experienced by organizations in the US defense industrial base.


The guidelines consist of 18 (originally 20) key actions, called critical security controls (CSC), that organizations must implement to block or mitigate known attacks. The security controls give no-nonsense, actionable recommendations for cyber security, written in language easily understood by IT personnel.


Implementation Groups (IGs)


CIS Controls v8 defines Implementation Group 1 (IG1) as basic cyber hygiene; it represents an emerging minimum information security standard for all enterprises.


IG1 is the on-ramp to CIS Controls and consists of a foundational set of 56 cyber defense Safeguards. The safeguards included in IG1 are what every company should apply to defend against the most common attacks.


IG2 comprises 74 additional safeguards and builds on the 56 safeguards identified in IG1. The 74 Safeguards selected for IG2 can help security teams deal with increased operational complexity. Some Safeguards will rely on enterprise-level technology and specialized expertise to install and configure properly.


IG2 companies often store and process sensitive information about customers or businesses and can withstand short service interruptions. A major concern is the loss of public trust if a breach occurs.


IG3 comprises 23 additional Safeguards. It builds on the Safeguards identified in IG1 (56) and IG2 (74), bringing the total to 153 Safeguards in CIS Controls v8.


An IG3 company generally employs security experts who specialize in the different facets of cybersecurity (e.g. risk management, penetration testing, application security). IG3 assets and data contain sensitive information or functions that are subject to regulatory and compliance oversight.


Why CIS?


CIS is the industry standard for protection against cyber attacks, globally developed and recognized by a community of cybersecurity experts. Implementing its controls meets legal and regulatory frameworks, simplifying cybersecurity compliance. CIS controls prioritize and prescribe the best path for an organization to achieve cybersecurity.


Conclusion


CIS controls are an accurate guide for companies that want to be cyber resilient. Implementing the controls grouped under IG1, IG2 or IG3 ensures the stability of a computing environment and adherence to privacy standards and regulations.

