Cybersecurity is one of the top challenges facing every company. Fortunately, companies do not have to create their own security program from scratch; they can use a security framework to jump-start the process. A framework documents security standards (benchmarks) and processes that help companies define the policies and procedures needed to implement and manage information security controls.
The challenge for companies is that there are many security frameworks, and the myriad of available technologies causes confusion that leads to inaction. The Center for Internet Security, Inc. (CIS®) describes the current situation:
"But all of this technology, information, and oversight has become a veritable ‘Fog of More’ — competing options, priorities, opinions, and claims that can paralyze or distract an enterprise from vital action."
In this article, we introduce the CIS Controls® and CIS Benchmarks as tools companies can use to assess their security posture. CIS® “is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.” It created a global security standard and set of best practices to secure systems and information against “the most pervasive attacks”.
CIS® defines a prioritized list of 20 best practices (i.e., security controls) that help organizations improve their cyber defenses. Further, CIS groups these controls into three Implementation Groups that are relevant to small, medium and large companies respectively. This flexibility is necessary because small and medium companies cannot necessarily afford the cost of implementing every security control at the highest level of maturity and automation.
At Encore Electric, Inc., we used the free CIS Controls® Self-Assessment Tool (CSAT) to benchmark our current security posture. We settled on this tool for two reasons. First, we wanted to benchmark our security posture with a numeric score that is simple to understand and to communicate to colleagues who have limited knowledge of and experience with information security. Second, we wanted a way to demonstrate our level of compliance with particular security frameworks; the CSAT cross-references other security frameworks such as PCI DSS and NIST 800.
For each of the CIS controls, the CSAT measures maturity against four levels: policy defined, control implemented, control reported and control automated. Each level of maturity reached adds points to an overall score for the CIS benchmarks, and the total score ranges from 0 to 100. The tool maps your responses across the 20 controls, compares them with overall averages and industry-specific data, and offers simple reports for communicating the status and results.
Now that we have completed the benchmark, we can make informed decisions about improving our security posture. We appreciate that CIS® offers consensus-based benchmarks and controls and objective global standards to better protect our information assets. For companies unsure of the next steps in improving their security posture, check out the CIS web site at https://www.cisecurity.org/