CIS TOP 20 CONTROLS

What is the CIS Top 20?

Many organizations that handle consumer data are required by law or by contract to meet one or more security compliance standards. That requirement does not reach every organization or IT department, however. To give every security team a common baseline, the Center for Internet Security publishes the CIS Critical Security Controls (referred to here as the CIS Top 20). The numbering on this page follows version 7 of the Controls; version 8, released in 2021, consolidates them into 18 controls.

The CIS Top 20 is a prioritized list of 20 actions and practices an organization’s security team can implement to prevent the most common attacks and to limit the damage when one succeeds. No organization is legally bound to follow the CIS Top 20; the controls are, however, fundamental steps that every security team is strongly encouraged to implement, alongside and regardless of any regulatory requirement.

The CIS Top 20 Controls

The following are the controls, as presented by the Center for Internet Security (CIS Controls version 7.1):

1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

Security Compliance Types

ISO27001

ISO/IEC 27001 (commonly written ISO27001) is the international standard for information security management systems, published jointly by the International Organization for Standardization and the International Electrotechnical Commission. Organizations that meet its requirements can be certified against the standard by an accredited auditor to demonstrate an ongoing commitment to data protection and information security.

SOC2

SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) as an attestation framework for how service organizations manage customer data. It is assessed against the Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. SOC 2 reports are primarily requested of companies operating within the United States.

DFARS/CMMC

DFARS is the Defense Federal Acquisition Regulation Supplement; its clause 252.204-7012 requires Department of Defense (DoD) contractors to safeguard Controlled Unclassified Information (CUI) by implementing the controls in NIST SP 800-171. CMMC, the Cybersecurity Maturity Model Certification, is the program through which US organizations that work with the DoD have their implementation of those cybersecurity controls for CUI assessed.

NIST 800-53

To keep security requirements consistent across federal agencies, the National Institute of Standards and Technology (NIST), a non-regulatory agency within the Department of Commerce, publishes NIST Special Publication 800-53: a catalog of security and privacy controls that all federal information systems are expected to implement.

HIPAA

The Health Insurance Portability and Accountability Act is a US law enacted in 1996 which, through its Privacy and Security Rules, governs the protection and privacy of protected health information.

GDPR

The European Union’s General Data Protection Regulation is a data protection and privacy regulation covering the personal data of individuals in the EU. It applies to any organization that processes such data, whether or not the organization itself is based in the EU.

CCPA

The California Consumer Privacy Act is a California data protection and privacy law covering residents of California. Businesses that hold information on California residents and meet the law’s revenue or data-volume thresholds are subject to it.

CIS 20

The CIS 20, described above, is not a regulation but a prioritized list of 20 actions and practices that a security team can adopt alongside whichever of the standards above applies to it.

The Importance of Following the CIS 20

The Center for Internet Security classifies controls 1-6 as basic, controls 7-16 as foundational, and controls 17-20 as organizational. The 20 controls should not be the only cybersecurity measures an organization takes, and they should be adopted alongside whatever legal regulations apply. Nonetheless, all of them are vital to an organization’s security framework.

For example, a successful attack can expose the personal data of thousands, if not millions, of customers. A breach need not be that devastating if the organization has followed controls such as data protection (encrypting sensitive data at rest and in transit), controlled access to assets based on the need to know, and incident response and management (a rehearsed, well executed response plan limits the damage while an attack is under way).

Cyber Defense Group

Cyber Defense Group specializes in Incident Response and Security Engineering, enabling agile businesses to operate at speed. We protect our clients from cyber criminals, and we create robust security programs which can withstand current and future threats.

If your organization is looking to create a security team/framework or would like to update a framework already in place, contact us at CDG for more information. Following a security guideline, such as the one set out by the CIS 20, is a powerful foundation to build on.