Need an Information Security Program? A CIS Controls Assessment is a Good Way to Start!

No matter what size business or organization you have, in today’s world, the ever-increasing cyber-menace we face affects all of us. To keep our heads above water, all concerns need to have at least a basic documented and monitored information security program in place. For small and medium concerns, accomplishing this necessary task without breaking the bank can be truly frustrating and confusing.

For one thing, your concern has different information security needs depending on what type of organization you have. Is your network simple or complex? Do you hold or process regulated data such as personal private information, personal health information or financial information? Could compromise of your organization provide a portal for cyber-attackers to gain access to other organizations?

Another point of confusion is provided by the disparate security service organizations, security devices and security applications that are available. How do you know which of these you may need, and how do you pick between the varying offerings? What is the learning curve involved, and will you need extra personnel to handle the increased load? These are all questions that can be very difficult to get a handle on, let alone answer decisively.

To help cut the confusion and avoid unnecessary frustration, it seems to me what is needed is a clear path to follow to your security goal. That means finding out where you are now, constructing a roadmap of what needs accomplishing and building a timeline for reaching each step in the process. This is where a Center for Internet Security (CIS) Critical Security Controls assessment comes into play.

The CIS was formed in 2000 with the goal of “making the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.” To accomplish this goal, they publish a list of the most effective security controls available, which are arrived at through a consensus decision-making process of the cybersecurity community. These controls are constantly under scrutiny and are updated regularly. Currently, the CIS Security Controls are in version 8. In this version there are 18 safeguard categories, each with a varying number of individual information security controls to be implemented. These controls are further divided into three implementation groups (IG1, IG2 and IG3).

IG1 controls are those that provide “the basic cyber security hygiene that all organizations, regardless of size, complexity, and regulatory requirements should meet to resist basic attacks and breaches.”

IG2 controls are those at “the maturity level which is designed for distributed organizations with multiple sites, networks, and complex data structures but without regulatory concerns and a significant amount of sensitive data to protect…”

IG3 controls are at “the highest level of maturity, designed for complex environments with access to significant amounts of sensitive data who need to resist focused, well-resourced attacks.”

There are two basic factors that make this type of information security controls paradigm most suitable for roadmapping the security needs of disparate organizations. The first factor is the effectiveness of the controls, especially when employed as a group. These are the controls that do the job and give your organization the most bang for your buck. The second factor is the granularity of the controls. The three implementation groups allow your concern to plan and implement your information security program in easy bites over a reasonable period of time.

In addition, knowing what you need to accomplish over a period of time allows your organization to choose how you want to implement your program with the end game in sight. This allows you to choose security service providers, devices and applications wisely, avoiding unnecessary duplication and waste of resources. The fewer of these types of security assets you have, the easier they are to update and protect. This is in addition to the money you will save.

In my next blog, I will describe what a CIS controls assessment entails and the different control categories that are included.