Developed by the Center for Internet Security®, the CIS Critical Security Controls are a prescriptive, prioritized set of cybersecurity best practices and defensive actions that can help prevent the most pervasive and dangerous attacks, and support compliance in a multi-framework era. These actionable best practices for cyberdefense are formulated by a group of IT experts using the information gathered from actual attacks and their effective defenses. The CIS Controls provide specific guidance and a clear pathway for organizations to achieve the goals and objectives described by multiple legal, regulatory, and policy frameworks.
The CIS Critical Security Controls comprises a set of 20 cyberdefense recommendations surrounding organizational security, split into three distinct categories: basic, foundational, and organizational. Each of these 20 CIS Controls are further divided into Sub-Controls.
These are general purpose security controls that should be implemented by every organization to ensure essential cyberdefense readiness.
These controls focuses on technical best practices that the organizations should implement to counter more specific threats.
These controls are less focused on technical aspects, and more focused on the people and processes involved in cybersecurity. These key practices must be adopted by the organization internally to ensure long-term security maturity.
In addition to the basic, foundational, and organizational controls, in the latest version of the CIS Controls, V7.1, the controls are prioritized into Implementation Groups (IGs). Each IG identifies which Sub-Controls are reasonable for an organization to implement based on their risk profile and their available resources.
Organizations are encouraged to self-assess and classify themselves as belonging to one of three IGs to prioritize the CIS Controls for a better cybersecurity posture. Organizations should start by implementing the Sub-Controls in IG1, followed by IG2 and then IG3. Implementation of IG1 should be considered among the very first things to be done as part of a cybersecurity program. CIS refers to IG1 as “Cyber Hygiene”—the essential protections that must be put in place to defend against common attacks.
Organizations with limited resources where the sensitivity of data is low will need to implement the Sub-Controls that typically fall into the IG1 category.
Organizations with moderate resources and greater risk exposure for handling more sensitive assets and data will need to implement the IG2 controls along with IG1. These Sub-Controls focus on helping security teams manage sensitive client or company information.
Mature organizations with significant resources and high risk exposure for handling critical assets and data need to implement the Sub-Controls under the IG3 category along with IG1 and IG2. The Sub-Controls that help reduce the impact of targeted attacks from sophisticated adversaries typically fall into IG3.
Download our CIS Controls solution guide to learn more about Implementation Group Sub-Control mapping.
ManageEngine's suite of IT management solutions can help you meet the discrete CIS Control requirements, and in turn aid your organization in carefully planning and developing a best-in-class security program to achieve better cyberhygiene.
Actively track and manage all hardware devices connected to your network. Maintain an up-to-date inventory of all your technology assets, and have an authentication system in place to ensure that unauthorized devices are prevented from gaining access to your network.
Scan network computers to obtain inventory data for authentication purposes.
Track and manage unauthorized devices entering your network.
Have a software inventory system in place to actively track and manage all software running on your network. Utilize application whitelisting to ensure that only authorized software is installed, and executed and unauthorized software is blocked.
Scan your system to track and manage the software installed.
Desktop Central's software asset management
Continuously scan your assets to identify potential vulnerabilities and remediate them before they become a problem. Strengthen your network security by ensuring that the software and operating systems that you use in your organization are running the most recent security updates.
Identify and evaluate the vulnerabilities in your system to remediate them with the help of patching.
Vulnerability and patch management dashboard
Monitor the access controls and user behavior of privileged accounts to prevent unauthorized access to critical systems. Ensure that only authorized individuals have elevated privileges to avoid misuse of administrative privileges.
Get reports on your domain's administrative users.
Set unique passwords for your administrative accounts.
Get reports on your AD accounts and logons, and also get alerted when there is a permission change for privileged accounts.
ADAudit Plus's permission change report
Establish and maintain security configurations based on the organization's approved configuration standards. Define a rigorous configuration management system that monitors and alerts on misconfigurations, and implement a change control process to prevent attackers from exploiting vulnerable services and settings.
Deploy security configurations automatically with the help of built-in templates, and get alerts for unauthorized changes.
Collect, manage, and analyze the audit logs of events to detect anomalies. Keep log records to understand the details of an attack in order to respond to a security incident effectively.
Analyze logs from different sources to detect anomalies, get actionable insights, and generate reports with detailed information on events for future reference.
Log360's report on anomaly trends
Set up a single server for all the systems in your network to synchronize time sources and ensure that timestamps in logs are consistent.
Secure and manage web browsers and email systems against web-based threats to minimize the attack surface. Disable unauthorized browsers and email client plug-ins, and ensure that users will be able to access only trusted websites by maintaining network-based URL filters.
Whitelist websites, manage extensions and plug-ins, and auto-update the latest versions of browsers.
Dashboard providing insights on potentially harmful extensions and plug-ins
Log URLs accessed by users to identify potential malicious activity.
Control the installation and execution of malicious code at multiple points in your enterprise to prevent attacks. Configure and deploy anti-malware software, and optimize the use of automation to enable rapid updation of defenses and quick corrective action when attacks occur.
Deduce if systems in your network are enabled with anti-exploitation features, push antivirus updates, and block malicious external devices.
Conduct anti-malware scans automatically for removable devices that connect to your network.
Audit removable devices connected to your system, and detect malware events to raise alerts by analyzing logs from anti-malware systems.
Track and control activity across ports, protocols, and services on network devices to reduce the scope of attacks through service vulnerabilities. Leverage host-based firewalls to ensure only appropriate traffic is permitted access.
Associate information on active ports and applications in your system to asset inventory, and manage ports and configure firewall rules to ensure only validated services are run on systems.
Set up processes and tools to ensure that your organization's critical information is properly backed up, and have a trustworthy data recovery system in place for data restoration to overcome attacks that jeopardize critical data.
Perform complete restoration and backup of your organization's key systems, and have an automatic backup configured for AD, Microsoft 365, and on-premise Exchange.
Dashboard in RecoveryManager Plus to track backups
Automatically back up your critical network configurations.
Establish, implement, and manage the security configurations of network devices to prevent attackers from taking advantage of vulnerable default settings. Have a strict configuration management and control process in place to ensure that configurations are not in an exploitable state.
Maintain standard security configurations with the help of baselines, and install the latest security-related updates.
Detect, prevent, and control the flow of information across your network boundaries to prevent attackers from gaining access by bypassing boundary systems. Configure perimeter monitoring, deny unauthorized access, and deploy intrusion detection systems to strengthen boundary defenses.
Maintain an inventory of network boundary devices, and get alerts when unauthorized connections are detected across boundaries.
Monitor and and record network packets passing through network boundaries.
Detect malicious traffic across network boundaries, and use the data to generate records for analysis.
EventLog Analyzer's dashboard, which gives the overview of the network and traffic trends
Use multi-factor authentication for all remote logins.
Scan enterprise devices remotely logging into your network and ensure that their security policies are set right.
Identify and segregate sensitive data, and implement a combination of processes including encryption, data infiltration protection schemes, and data loss prevention techniques to ensure privacy and integrity of sensitive data.
Audit the changes made to sensitive information stored in your servers.
Manage removable devices that connect to your system.
Protect enterprise data stored in mobile devices with the help of containerization.
Track, control, and secure access to critical assets such as information, resources, and systems. Allow access to critical information on a need-to-know basis, and establish detailed logging of servers in order to track access and investigate incidents in which data has been improperly accessed.
Allow only authorized individuals to access information stored in files and folders in your system.
Provide access to users based on their need to access the information as a part of their job responsibility.
Enforce detailed logging to collect information on sensitive AD data changes.
Track, control, and secure your wireless local area networks (WLANs), access points, and wireless client systems to prevent attackers from tampering with your perimeter defenses. Implement a wireless intrusion detection system and conduct vulnerability scanning on wireless client machines to detect exploitable vulnerabilities.
Configure vulnerability scanning to identify newly added systems, access points, and devices.
OpUtils periodically scans the network to detect unauthorized rogue systems or devices
Scan your network to get an inventory of access points, and allow only authorized wireless peripheral access and wireless networks on your client devices.
Actively manage the entire life cycle of your systems and application accounts, from their creation, use, and dormancy to deletion to prevent attackers from exploiting legitimate but inactive user accounts.
Establish a central console to maintain an inventory of authentication systems, configure account authentication, and disable or revoke access to dormant or unassociated accounts easily.
Ensure all accounts have an expiration date, and disable dormant accounts that have surpassed the expiration date with the help of automated workflows.
Monitor attempts to access deactivated accounts and alert on account login behavior deviation with the help of user and entity behavior analytics (UEBA).
Configure settings to lock workstations after a period of inactivity.
Implement an integrated plan to identify, develop, and instruct employees on the specific skills and abilities they should possess to support the defense of the enterprise according to their functional role in the organization.
Regularly test all your in-house developed and acquired software for vulnerabilities. Have an effective program to address security throughout the entire life cycle of in-house software, including establishing requirements, training, tools, and testing, and have a strict security evaluation criteria while purchasing third-party software.
Develop and implement a defined incident management system in your organization to discover attacks quickly, effectively contain the damage, eradicate the attacker’s presence, and restore operations swiftly.
Periodically test your defenses to identify gaps and assess your organization's readiness to attack by conducting penetration tests. Simulate the objectives and actions of an attacker with the help of red teams to inspect your current security posture and get valuable insights about the efficacy of your defenses.
Download this guide to take a closer look at how ManageEngine products will help you
implement the CIS Controls in your organization.
Disclaimer: The complete implementation of the CIS Controls® (developed by the Center of Internet Security) requires a variety of solutions, processes, people, and technologies. The solutions mentioned above are some of the ways in which IT management tools can help with the CIS Control requirements. Coupled with other appropriate solutions, processes, and people, ManageEngine's solutions help implement the CIS Controls. This material is provided for informational purposes only, and should not be considered as legal advice for the CIS Controls implementation. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.