How these controls apply to your organization
The Center for Internet Security (CIS) publishes the CIS Critical Security Controls (CSC) to help organizations better defend against known attacks by distilling key security concepts into actionable controls that deliver greater overall cybersecurity defense.
As security challenges evolve, so do the best practices to meet them. The CIS is well-regarded in the security industry for making both current and concrete recommendations to help enterprises improve their security posture via their Critical Security Controls for Effective Cyber Defense, formerly known as the SANS Top 20 Critical Security Controls.
Whereas many standards and compliance regulations aimed at improving overall security can be narrow in focus by being industry-specific, the CIS CSC—currently on its seventh iteration at version 7—was created by experts across numerous government agencies and industry leaders to be industry-agnostic and universally applicable.
The CIS benchmarks also acknowledge the reality most organizations face: resources are usually limited and priorities must be set. As such, CIS separates the controls into three categories: basic, foundational, and organizational, regardless of industry type. That prioritization of standards is what differentiates the CIS CSC recommendations from other security controls and lists, which may mention prioritization as a necessity but don't go as far as making concrete recommendations.
There are 20 CIS Controls in total, with the first six in the list prioritized as "basic" controls that should be implemented by all organizations for cyber defense readiness. In iteration 7, these top six CIS controls are:
1) Inventory and Control of Hardware Assets
2) Inventory and Control of Software Assets
3) Continuous Vulnerability Management
4) Controlled Use of Administrative Privileges
5) Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6) Maintenance, Monitoring and Analysis of Audit Logs
Each control is wide in scope but aligns with solid principles: making sure the right users have access to the right assets, and that all systems are kept up-to-date and as hardened as possible. Following CIS guidance for these top six controls will yield great benefits, even if these are the only controls your organization can implement.
The scope of all of the Top 20 CIS Critical Security Controls is comprehensive in its view of what's required for robust cybersecurity defense: security is never just a technological problem, and the CIS recommendations encompass not only data, software and hardware, but also people and processes. For example, incident response and red team exercises, both key components of any robust proactive defense plan, are part of CIS controls 19 and 20 respectively.
The CIS Critical Security Controls also have cross-compatibility with and/or directly map to a number of other compliance and security standards, many of which are industry specific—including NIST 800-53, PCI DSS, FISMA, and HIPAA—meaning organizations that must follow these regulations can use the CIS controls as an aid to compliance. In addition, the NIST Cybersecurity Framework, another robust tool commonly employed to streamline and strengthen an organization's security posture, draws from the CIS CSC as the baseline for a number of its recommended best practices.
For organizations looking to improve their security posture and harden their defenses against the attack vectors they're most likely to encounter, the CIS Critical Security Controls are a great starting point to reduce your risk of exposure and mitigate the severity of most attack types.