CIS Advisories (2024)

FAQs

How effective are CIS Controls? ›

How to Get Started with CIS Framework? We all want to protect our businesses or organizations from common attacks. It can be frustrating not knowing where to start. Implementing the CIS's top 20 critical security controls for effective cyber defense reduces the risk of cyberattack by 85%.

Level 1 recommends essential basic security requirements that can be configured on any system and should cause little or no interruption of service or reduced functionality. Level 2 recommends security settings for environments requiring greater security that could result in some reduced functionality.

CIS Controls are rather generic guidelines for securing entire systems and networks, but CIS Benchmarks are very specific recommendations for secure system configurations.

The CIS (Center for Internet Security) Critical Security Controls are a prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks.

NIST – Coverage. CIS frameworks have the edge over NIST in many areas. However, NIST documentation is far more comprehensive and offers better cybersecurity coverage than CIS. This advantage is especially beneficial for mature organizations that want to evolve and grow their security policies.

The disadvantages of the CIS security framework include reliance on a centralized system that can be damaged during accidents . Additionally, accessing sensitive information for private information sharing can raise rights issues .

CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.

Q: What is the difference between STIG and CIS benchmarks? A: STIGs are often more specialized and cater to DoD requirements, while CIS Benchmarks offer a broader range of applicability across industries.

Implementing CIS Critical Control 13

The bad news Managerial controls can be the hardest to implement. They require executive sponsorship, leadership, and funding to set the tone for the organization, and to ensure that resources are available.

Is CIS benchmark free? ›

The CIS Benchmarks are distributed free of charge in PDF format for non-commercial use to propagate their worldwide use and adoption as user-originated, de facto standards.

Formerly the SANS Critical Security Controls (SANS Top 20) these are now officially called the CIS Critical Security Controls (CIS Controls).

For organizations starting with CIS Controls, which controls should they prioritize and why? While the CIS doesn't recommend any particular order to implementing the controls, I would recommend starting with controls 1-3, which determine your hardware, software, and most importantly, your sensitive data inventories.

Broadly speaking, CIS Benchmarks Level 1 are easier to implement and more broadly applicable than Level 2, but they're not as stringent. Level 2 benchmarks are more thorough and provide a higher level of security, but they might take more time and effort to implement on your own.

The 20 CIS Controls are broken down into three categories: Basic, Foundational, and Organizational. The Basic Controls (first six controls) are commonly referred to as the “cyber hygiene” controls.

CIS Control 3 concerns ensuring data protection through data management for computers and mobile devices. Specifically, it details processes and technical controls to identify, classify, securely handle, retain and dispose of data.

The CIS Controls are important because they minimize the risk of data breaches, data leaks, IP theft, corporate espionage, privacy loss, DoS and other cyberthreats.