CIS Security Controls and Compliance

Cybersecurity is a persistent worry for CIO’s, CISO’s, Board of Directors and organizational leaders. CIO’s and CISO’s specifically are expected to provide leadership and direction to their IT staff and their broader organization to strengthen cybersecurity postures. 

Where To Begin

One question I have been asked by clients is, “where do I start?” Many organizations must comply with specific regulations such as PII (Personal Identifiable Information), HIPAA, etc. There are numerous standards and frameworks publicly available to demonstrate good security hygiene practices, data protection and general data governance. Some of the best known are NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization), as well as from FedRAMP (Federal Risk and Authorization Management Program) and more recently, GDPR (General Data Protection Regulation of the European Union) and CMMC. 

I recommend organizations should begin their improvements by adopting the Center for Internet Security (CIS) Critical Security Controls. If the organization has no specific business mandate to meet one or more of the above regulations, then it’s unlikely that the IT team will realistically attain and maintain such stringent standards. Such organizations not having specific requirements and mandates will find a happy medium in the CIS Critical Security Controls. The CIS Controls are a simplified set of best practices developed collaboratively by a global community of thousands of cybersecurity practitioners.   

The Benefit of CIS Controls

There are many reasons and benefits to incentivize organizations to adopt the CIS Controls. Most importantly, is improving one’s security posture based on the experience of the community of cybersecurity experts. Beyond this primary benefit, CIS Controls provides an objective way to track progress and to identify current risks. The documentation on your organization’s progress will be valuable to assist with internal and external audit procedures. Having the ability to provide this level of documentation to Cyber Insurance underwriters could potentially result in lowering insurance premiums. 

CIS Controls are not a replacement for other frameworks. The CIS Controls map to most major compliance frameworks such as the NIST Cybersecurity Framework, NIST 800-53, ISO 27000 series and regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA. Mappings from the CIS Controls have been defined from these other frameworks to give a starting point for action. More specifically, CIS Controls has been recognized as a comprehensive onramp for complying with NIST cybersecurity standards. The CIS provides an amazing tool (CIS Critical Security Controls Navigator) that cross-references the CIS Controls to twenty-seven other frameworks and regulations. The Navigator easily demonstrates where the CIS Controls maps to one of the other frameworks and regulations controls. 

The 153 Critical Security Controls Safeguards are prioritized and are a very prescriptive set of actions. These actions are a great starting point for organizations on a mission to improve their cyber defenses. CIS has organized these controls into three (3) Implementation Groups (IGs). 

  • IG1 – Basic Cyber Hygiene. 56 of the 153 cyber defense safeguards are contained in IG1 which represents the minimum standard for information security for ALL organizations. These safeguards are to protect against general, non-targeted attacks. 
  • IG2 – Better Cyber Hygiene. There are an additional 74 cyber defense safeguards in IG2. IG1 is a prerequisite to implement IG2. These safeguards will assist enterprises managing IT infrastructure that support multiple internal business functions typically with different risk profiles. IG2 safeguards strive to aid organizations cope with increased operational complexities. 
  • IG3 – Better Yet Cyber Hygiene. IG3 includes 23 additional cyber defense safeguards whose purpose is to prevent and/or lessen the impact of very sophisticated cyber-attacks. 

 

I recommend organizations should begin their improvements by adopting the Center for Internet Security Critical Security Controls. It is my opinion that CIO’s and CISO’s should strongly focus on and comply with at least IG1 and IG2 of the CIS Critical Security Controls to ensure they are protecting their organizations with best practices security hygiene and controls.   

All organizations absolutely should implement the 56 IG1 safeguards. These are the fundamentals for good cyber prevention. After getting these basics done, most organizations should venture to review and implement the additional 74 safeguards included in IG2.   

How To Document Compliance with Controls

Documenting controls and regulations compliance is painstaking. I have seen organizations utilize spreadsheets and documents to track and demonstrate their compliance. It works, but this methodology is difficult to maintain. My organization has experience utilizing Microsoft Purview – Compliance Manager to perform compliance assessments. A recent example, eGroup | Enabling Technologies was engaged by a large university hospital system. We were tasked to assist them to ensure their large Microsoft 365 tenant was HIPAA compliant. Rather than manual efforts and typical risk assessment time and research, our consultant utilized Compliance Manager within their tenant and checked for specific gaps utilizing the HIPPA assessment template offered by Microsoft. Compliance Manager provided a comprehensive report of “Improvement Actions” which was used by the customer to guide them towards resolution with a prioritized list. 

Compliance Manager provides great value to perform regulatory and compliance assessments. Organizations which have M365 subscriptions have access to Compliance Manager. Those that have E5/A5 subscriptions have access to the full suite of Purview capabilities. Compliance Manager is a source of documenting organizations’ compliance and assigning responsibilities for specific safeguards and controls.

Connect with Us!

If you are a M365 customer and you are not aware of these capabilities, eGroup | Enabling Technologies welcomes the opportunity to have a conversation with you to enlighten you regarding Microsoft Purview – Compliance Manager capabilities and how it can aid you to ensure you have implemented CIS Critical Security Controls and document proof of compliance. Contact our experts at info@eGroup-us.com to learn more today!

Picture of Bill Smith

Bill Smith

Strategic Advisor - eGroup | Enabling Technologies

Learn more about Security and Compliance

Curious about leverage your Microsoft 365 solutions to remain secure and compliant?

Contact our team of experts to get started with Microsoft Purview and learn how to implement CIS Critical Security Controls!