How To Use CIS Cybersecurity Controls

By: Charles Brandt
August 1, 2024

Small to mid sized organizations face many challenges, including shifting supply chains, staffing shortages, product development limitations, and staying competitive in an increasingly global marketplace. It’s no wonder cybersecurity can sometimes fall by the wayside. Attackers understand this all too well, which is why small businesses are their favorite targets.

Fortunately, cybersecurity is one burden no organization has to bear alone. The Center for Internet Security (CIS) maintains a current list of best practices for preventing the most common forms of cyberattack. Of course, not every organization has the same risk, so these recommendations are thoughtfully organized into three implementation groups. 

In this blog, I’ll explore the guidelines for each group and provide tips on the best ways to implement them.

CIS Implementation Groups, Explained

Implementation Groups (IGs) help businesses prioritize implementing CIS Controls based on their risk. Find your group in the infographic below! 

Pro tip: If your organization falls somewhere in between groups, in most instances, you should follow the recommendations of the group with the higher number. IG1 is considered a baseline for cybersecurity hygiene for all businesses, but these days, it is highly recommended that companies begin evaluating at least some of the controls in higher implementation groups to increase their security posture and decrease their risk.

Small Business-3

Implementation Group 1 (IG1)

Size: Small to medium-sized 
Resources: Limited IT resources and infrastructure
Industry: Not highly regulated
Data use: May handle a small amount of customer information and financial data
Examples: Local retail stores that do business online, small law firms, nonprofits

Medium Business

Implementation Group 2 (IG2)

Size: Medium to large 
Resources: Moderate IT and cybersecurity resources 
Industry: May require specific cybersecurity measures 
Data use: May have access to larger volumes of sensitive data or critical systems 
Examples: Regional banks, healthcare providers, universities, state governments 

Large Business

Implementation Group 3 (IG3)

Size: Large to enterprise-scale
Resources: Significant IT and cybersecurity resources with specialized teams 
Industry: Often highly regulated and/or associated with critical infrastructure
Data use: Handles large volumes of highly sensitive data (e.g. personal, financial, and/or natural security-related) 
Examples: Multinational institutions, large government agencies, critical infrastructure

An Overview of CIS Critical Security Controls 

CIS Controls are also segmented into basic, foundational, and organizational controls. In total, there are currently 18 controls

Each control is further broken down into multiple safeguards, but not every group needs to implement every safeguard — or every control, for that matter. Under each control, I’ll spell out what each group should be responsible for.

Security Controls Implementation by Group

Click through each of these to see additional context and resources, and get advice for your organization’s implementation group. 

1. Inventory and Control of Enterprise Assets

It’s important to keep track of every device connected to your network because, after all, you can’t protect what you don’t know about! Use the safeguards listed next to your group (below) to make sure you’re sufficiently checking the box with this one. 

Safeguards: 

  1. Establish and maintain a detailed enterprise asset inventory
  2. Address unauthorized assets
  3. Utilize an active discovery tool
  4. Use dynamic host configuration protocol (DHCP) logging to update enterprise asset inventory
  5. Use a passive asset discovery tool

IG1: 1–2

IG2: 1–4

IG3: 1–5

2. Inventory and Control of Software Assets

Just like with hardware, you first need to know what software you have to protect it properly. Outdated or unmanaged software can pose security risks, but this control can also save you money if you find you’re using overlapping tools! 

Safeguards:

  1. Establish and maintain a software inventory
  2. Ensure authorized software is currently supported
  3. Address unauthorized software
  4. Utilize automated software inventory tools
  5. Allowlist authorized software
  6. Allowlist authorized libraries
  7. Allowlist authorized scripts

IG1: 1–3

IG2: 1–6

IG3: 1–7

3. Data Protection

This control is designed to help organizations identify, manage, and protect their data from theft, loss, or misuse. 94% of companies that experience a severe data loss don’t survive. 

Fortunately, proper data governance does a lot more than just prevent bad things from happening. It can also help you become more competitive. But to get started with protection, follow the safeguards for your group below. 

Safeguards: 

  1. Establish and maintain a data management process
  2. Establish and maintain a data inventory
  3. Configure data access control lists
  4. Enforce data retention
  5. Securely dispose of data
  6. Encrypt data on end-user devices
  7. Establish and maintain a data classification scheme
  8. Document data flows
  9. Encrypt data on removable media
  10. Encrypt sensitive data in transit
  11. Encrypt sensitive data at rest
  12. Segment data processing and storage based on sensitivity
  13. Deploy a data loss prevention solution
  14. Log sensitive data access

IG1: 1–6

IG2: 1–12

IG3: 1–14

4. Secure Configuration of Enterprise Assets and Software

Cloud platforms typically provide world-class cybersecurity features, but it’s up to end-users to configure them correctly. Overly permissive settings and other vulnerabilities can easily be exploited by hackers, which is why this control is so important. 

Safeguards:

  1. Establish and maintain a secure configuration process
  2. Establish and maintain a secure configuration process for network infrastructure
  3. Ensure the use of dedicated administrative accounts
  4. Implement and manage a firewall on servers
  5. Implement and manage a firewall on end-user devices
  6. Securely manage enterprise assets and software
  7. Manage default accounts on enterprise assets and software
  8. Uninstall or disable unnecessary services on enterprise assets and software
  9. Configure trusted DNS servers on enterprise assets
  10. Enforce automatic device lockout on portable end-user devices
  11. Enforce remote wipe capability on portable end-user devices
  12. Separate enterprise workspaces on mobile end-user devices

IG1: 1–7

IG2: 1–11

IG3: 1–12

5. Account Management

When we perform in-depth cybersecurity assessments, we frequently find a wealth of users who have access to critical systems that shouldn’t. So if you haven’t yet, there’s no time like the present! Set up systems to control and monitor who can access your organization's devices, accounts, and software according to the safeguards below. 

Safeguards: 

  1. Establish and maintain an inventory of accounts
  2. Use unique passwords
  3. Disable dormant accounts
  4. Restrict administrator privileges to dedicated administrator accounts
  5. Establish and maintain an inventory of service accounts
  6. Centralize account management

IG1: 1–4

IG2: 1–6

IG3: 1–6

6. Access Control Management

I know that multi-factor authentication (MFA) isn’t everyone’s favorite cybersecurity tool, but it should be! Organizations that use it are 99% less likely to be successfully hacked. So if you haven’t added it yet, that’s an excellent starting point for implementing the other safeguards you need. 

Safeguards: 

  1. Establish an access-granting process
  2. Establish an access-revoking process
  3. Require MFA for externally-exposed applications
  4. Require MFA for remote network access
  5. Require MFA for administrative access
  6. Establish and maintain an inventory of authentication and authorization systems
  7. Centralize access control
  8. Define and maintain role-based access control

IG1: 1–5

IG2: 1–7

IG3: 1–8

7. Continuous Vulnerability Management

Be sure to patch and update promptly, so you’re not giving cybercriminals more time to exploit vulnerabilities. We’ve got additional tracking and remediation resources if you need help! 

Safeguards: 

  1. Establish and maintain a vulnerability management process
  2. Establish and maintain a remediation process
  3. Perform automated operating system patch management
  4. Perform automated application patch management
  5. Perform automated vulnerability scans of internal enterprise assets
  6. Perform automated vulnerability scans of externally exposed enterprise assets
  7. Remediate detected vulnerabilities

IG1: 1–4

IG2: 1–7

IG3: 1–7

8. Audit Log Management

If you were being attacked, would you be able to respond quickly? Proper defensive strategies are extremely effective, but even the toughest defenses can still be breached, which is why it’s helpful to get alerted to a potential cybersecurity incident quickly. 

Safeguards: 

  1. Establish and maintain an audit log management process
  2. Collect audit logs
  3. Ensure adequate audit log storage
  4. Standardize time synchronization
  5. Collect detailed audit logs
  6. Collect DNS query audit logs
  7. Collect URL request audit logs
  8. Collect command-line audit logs
  9. Centralize audit logs
  10. Retain audit logs
  11. Conduct audit log reviews
  12. Collect service provider logs

IG1: 1–3

IG2: 1–11

IG3: 1–12

9. Email and Web Browser Protections

Email and web browsers are primary entry points for many cyber attacks, like phishing and malware. Your staff should be given proper security awareness training (highlighted in control #14), but the protections listed below can reduce the number of malicious emails and websites your staff is exposed to. 

Safeguards: 

  1. Ensure the use of only fully supported browsers and email clients
  2. Use DNS filtering services
  3. Maintain and enforce network-based URL filters
  4. Restrict unnecessary or unauthorized browser and email client extensions
  5. Implement DMARC
  6. Block unnecessary file types
  7. Deploy and maintain email server anti-malware protections

IG1: 1–2

IG2: 1–6

IG3: 1–7

10. Malware Defenses

Ready for a little bit of good news? So far in 2024, ransomware attacks have actually gone down! There are a few reasons for that. In February, an international operation was responsible for the arrest of multiple members of the LockBit ransomware syndicate! Last December, the FBI disrupted the ALPHV/BlackCat ransomware group. Also, more organizations have wised up and are refusing to pay ransoms

Ransomware isn’t paying off like it used to, and there are more consequences for people who are still trying to use it. Still, we’re not out of the woods with this one, so malware defenses of some kind are still a non-negotiable necessity for all groups. 

Safeguards: 

  1. Deploy and maintain anti-malware software
  2. Configure automatic anti-malware signature updates
  3. Disable autorun and autoplay for removable media
  4. Configure automatic anti-malware scanning of removable media
  5. Enable anti-exploitation features
  6. Centrally manage anti-malware software
  7. Use behavior-based anti-malware software

IG1: 1–3

IG2: 1–7

IG3: 1–7

11. Data Recovery

Should any business experience a severe data loss for any reason, restoring business continuity quickly can be vital to the organization’s very survival. That’s why all of the following safeguards except for #5 are seen as necessary for all groups. However, I’d personally recommend that every organization test its data recovery solution. Fortunately, today’s cloud tools make it easy to back up data cost-effectively and restore it quickly. 

Safeguards: 

  1. Establish and maintain a data recovery process
  2. Perform automated backups
  3. Protect recovery data
  4. Establish and maintain an isolated instance of recovery data
  5. Test data recovery

IG1: 1–4

IG2: 1–5

IG3: 1–5

12. Network Infrastructure Management

These safeguards are designed to help you reduce vulnerabilities and attack surfaces. Group 1 — just make sure your infrastructure is up-to-date! Generally speaking, your infrastructure should be updated every 5–7 years. 

Safeguards: 

  1. Ensure network infrastructure is up-to-date
  2. Establish and maintain a secure network architecture
  3. Securely manage network infrastructure
  4. Establish and maintain architecture diagram(s)
  5. Centralize network authentication, authorization, and auditing (AAA)
  6. Use of secure network management and communication protocols
  7. Ensure remote devices utilize a VPN and are connecting to an enterprise’s AAA infrastructure
  8. Establish and maintain dedicated computing resources for all administrative work

IG1: 1

IG2: 1–7

IG3: 1–8

13. Network Monitoring and Defense

These safeguards are designed to help groups 2 and 3 respond to anomalies or threats promptly.  

Safeguards: 

  1. Centralize security event alerting
  2. Deploy a host-based intrusion detection solution
  3. Deploy a network intrusion detection solution
  4. Perform traffic filtering between network segments
  5. Manage access control for remote assets
  6. Collect network traffic flow logs
  7. Deploy a host-based intrusion prevention solution
  8. Deploy a network intrusion prevention solution
  9. Deploy port-level access control
  10. Perform application layer filtering
  11. Tune security event alerting thresholds

IG1:  0

IG2: 1–6

IG3: 1–11

14. Security Awareness and Skills Training

Creating a human firewall is one of the most important cybersecurity steps an organization can take in 2024. Ongoing security awareness training is remarkably effective against phishing and other attacks, but only when it’s done well. 

Safeguards: 

  1. Establish and Maintain a Security Awareness Program
  2. Train Workforce Members to Recognize Social Engineering Attacks
  3. Train Workforce Members on Authentication Best Practices
  4. Train Workforce on Data Handling Best Practices
  5. Train Workforce Members on Causes of Unintentional Data Exposure
  6. Train Workforce Members on Recognizing and Reporting Security Incidents
  7. Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
  8. Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
  9. Conduct Role-Specific Security Awareness and Skills Training

IG1:  1–8

IG2: 1–9

IG3: 1–9

15. Service Provider Management

Anyone with access to your systems, location, or data also represents a potential security risk. If you haven’t already, it’s time to get serious about vendor due diligence. Group 1 doesn’t have a lot of to-dos on this list, but I’d still recommend checking out this recent blog

Safeguards: 

  1. Establish and maintain an inventory of service providers
  2. Establish and maintain a service provider management policy
  3. Classify service providers
  4. Ensure service provider contracts include security requirements
  5. Assess service providers
  6. Monitor service providers
  7. Securely decommission service providers

IG1:  1

IG2: 1–4

IG3: 1–7

16. Application Software Security

Group 1 can typically skip these safeguards, but they’re critical for helping larger organizations with their own in-house software identify and resolve any related security weaknesses. 

Safeguards: 

  1. Establish and maintain a secure application development process
  2. Establish and maintain a process to accept and address software vulnerabilities
  3. Perform root cause analysis on security vulnerabilities
  4. Establish and manage an inventory of third-party software components
  5. Use up-to-date and trusted third-party software components
  6. Establish and maintain a severity rating system and process for application vulnerabilities
  7. Use standard hardening configuration templates for application infrastructure
  8. Separate production and non-production systems
  9. Train developers in application security concepts and secure coding
  10. Apply secure design principles in application architectures
  11. Leverage vetted modules or services for application security components
  12. Implement code-level security checks
  13. Conduct application penetration testing
  14. Conduct threat modeling

IG1:  0

IG2: 1–11

IG3: 1–14

17. Incident Response Management

A comprehensive cybersecurity strategy should include protection, detection, response, and recovery tools. Unfortunately, a lot of organizations neglect the last two. Prevention and detection are important, but it’s important to remember that nothing is 100% safe. And depending on the industry you’re in, reporting any incidents promptly may soon be required by law.

Safeguards: 

  1. Designate personnel to manage incident handling
  2. Establish and maintain contact information for reporting security incidents
  3. Establish and maintain an enterprise process for reporting incidents
  4. Establish and maintain an incident response process
  5. Assign key roles and responsibilities
  6. Define mechanisms for communicating during incident response
  7. Conduct routine incident response exercises
  8. Conduct post-incident reviews
  9. Establish and maintain security incident thresholds

IG1:  1–3

IG2: 1–8

IG3: 1–9

18. Penetration Testing

Group 1, you can sit this one out. However, groups 2 and 3 should use simulated attack scenarios to identify any vulnerabilities before hackers do. 

Safeguards: 

  1. Establish and maintain a penetration testing program
  2. Perform periodic external penetration tests
  3. Remediate penetration test findings
  4. Validate security measures
  5. Perform periodic internal penetration tests

IG1:  0

IG2: 1–3

IG3: 1–5

Getting Help With Implementing CIS Basic Controls

 an IT mentor advising a small to midsize business about their next steps.

If you’re in Group 1, I highly recommend using our interactive cybersecurity checklist to see if you’re currently following best practices. It’s easier to see if you’re falling short, and where you should focus your efforts moving forward. 

But implementing some safeguards is easier said than done. If you suspect you’re behind on best practices, our Cybersecurity Assessments combine the popular NIST Cybersecurity Framework (NIST-CSF) with IG1 controls. This combination works very well to help IT teams move their security program forward and communicate these needs to non-technical executive leadership.

However, depending on your organization and where you’re falling behind in terms of security, ongoing mentorship may be a better way to protect your business without over-taxing your budget. An enterprise-scale business is typically able to rely on a Chief Information Security Officer (CISO) to keep up with cybersecurity threats, but it’s often difficult for smaller organizations to access advanced skills. 

That’s unfortunate, which is why we’ve recently added IT Consulting services at Marco. For a tiny fraction of the cost of a typical CISO’s salary, smaller organizations can access the same mentorship that big businesses have relied on for years.

Explore IT Consulting Services

Learn More

Topics: Managed IT Services
;