The CIS 20 is perhaps the most important IT framework I’ve ever come across in my career. I was introduced to it while leading a Program Management initiative for a mid-size accounting firm. During a bi-weekly call we were addressing their interest in Two-Factor Authentication as part of their newest security initiative. As the discussion continued, it became apparent that the firm needed to take a much broader view of cyber security because of issues such as associate and partner productivity during tax season.
Make the Call
As soon as the meeting concluded I placed a FaceTime call to my brother in London, England, who was a Director in PwC’s cyber security practice. When I related to him the need and challenge we faced, he recommended the CIS 20.
The CIS 20 was founded by the National Security Agency (NSA) in 2008 as a project requested by the Department of Defense (DoD). It started with a gathering of some of the smartest and best IT security folks in the world asking a simple question, which went something like this.
The goal was to prioritize the multiple cybersecurity controls that existed based upon the prevalence of attack methods and frequency. Through collaboration between the public and private sectors an initial draft was published in 2009.
After rapidly achieving a more than 88% reduction in vulnerability-based risk across 85,000 systems, the State Department’s program became a model for large government and private sector organizations.
Brilliant at the Basics
CSC 1 through CSC 6 are the basic controls that should be deployed to create a strong foundation for any cyber security program. According to CIS, a number of studies have shown that implementing the first five CIS controls provides an effective defense against 85% of the most common attacks.
They are:
- Inventory of Authorized and Unauthorized Devices: Actively manage (inventory, track and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
- Inventory of Authorized and Unauthorized Software: Actively manage (inventory, track and correct) all software on the network so that only authorized software is installed and can execute, and unauthorized and unmanaged software is found and prevented from installation or execution.
- Secure Configurations for Hardware and Software: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers and workstations using a rigorous configuration management and change control process, in order to prevent attackers from exploiting vulnerable services and settings.
- Continuous Vulnerability Assessment and Remediation: Continuously acquire, assess and take action on new information in order to identify vulnerabilities, remediate them, and minimize the window of opportunity for attackers.
- Controlled Use of Administrative Privileges: The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
- Maintenance, Monitoring and Analysis of Audit Logs: Collect, manage and analyze audit logs of events that could help detect, understand, or recover from an attack.
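Controls 1 and 2 both come down to the same mechanic: keep an authorized inventory, collect what is actually present, and reconcile the two so that anything unauthorized (or anything expected but missing) surfaces for correction. The script below is an added example written for this post, not code from CIS or from the original article. It assumes a simple three-column DHCP lease export and a hand-maintained allowlist; every MAC address, hostname, product name and version in it is constructed sample data.

```python
"""Inventory reconciliation for CIS Controls 1 and 2.

Added example, not part of the original post or of the CIS documents.
All inventories and lease records below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Constructed: the authorized hardware inventory, keyed by MAC address.
AUTHORIZED_DEVICES: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "fs01.corp.example",
    "aa:bb:cc:00:00:02": "tax-ws-17.corp.example",
    "aa:bb:cc:00:00:03": "printer-2f.corp.example",
}

# Constructed: a DHCP lease export, one lease per line (ip, mac, hostname).
DHCP_LEASES = """\
10.0.1.20 aa:bb:cc:00:00:01 fs01
10.0.1.57 AA:BB:CC:00:00:02 tax-ws-17
10.0.1.99 de:ad:be:ef:00:01 android-7f3a
"""


def parse_leases(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {mac: (ip, hostname)} from the constructed lease format.

    MACs are normalised to lower case so that exports from different
    tools (which disagree on case) reconcile against the same inventory.
    """
    leases: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash
        ip, mac, hostname = parts
        leases[mac.lower()] = (ip, hostname)
    return leases


def reconcile_devices(
    authorized: Dict[str, str], leases: Dict[str, Tuple[str, str]]
) -> Tuple[List[str], List[str]]:
    """Control 1: return (unauthorized MACs seen on the network,
    authorized MACs not seen in this collection)."""
    unauthorized = sorted(mac for mac in leases if mac not in authorized)
    not_seen = sorted(mac for mac in authorized if mac not in leases)
    return unauthorized, not_seen


# Constructed: approved software; an empty version set means any version.
AUTHORIZED_SOFTWARE: Dict[str, Set[str]] = {
    "TaxPrep Pro": {"2019.3", "2019.4"},
    "7-Zip": set(),
}

# Constructed: installed-software records collected per host.
INSTALLED_SOFTWARE: List[Tuple[str, str, str]] = [
    ("tax-ws-17", "TaxPrep Pro", "2019.4"),
    ("tax-ws-17", "7-Zip", "19.00"),
    ("tax-ws-17", "BitTorrent", "7.10"),
    ("fs01", "TaxPrep Pro", "2018.1"),
]


def reconcile_software(
    authorized: Dict[str, Set[str]], installed: List[Tuple[str, str, str]]
) -> List[Tuple[str, str, str, str]]:
    """Control 2: flag software that is not on the allowlist, or that is
    allowed but installed at a version the allowlist does not approve."""
    findings = []
    for host, name, version in installed:
        if name not in authorized:
            findings.append((host, name, version, "not in authorized software list"))
        elif authorized[name] and version not in authorized[name]:
            findings.append((host, name, version, "version not approved"))
    return findings


if __name__ == "__main__":
    rogue, missing = reconcile_devices(AUTHORIZED_DEVICES, parse_leases(DHCP_LEASES))
    print("Unauthorized devices:", rogue)
    print("Authorized devices not seen:", missing)
    for finding in reconcile_software(AUTHORIZED_SOFTWARE, INSTALLED_SOFTWARE):
        print("Software finding:", finding)
```

Run weekly, the "not seen" list is as useful as the "unauthorized" one: a device that drops off the network may have walked out of the building. In a real deployment the lease file and the installed-software records would come from your DHCP server and endpoint agent exports, and the two allowlists are the inventory artefacts that Controls 1 and 2 ask you to maintain.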
Resolve to Begin
As with any good methodology, the best approach is a simple one, so establishing a weekly schedule that begins with the first control is key. The following week, move on to Control Two and inventory the authorized and unauthorized software. Be aware that by the third week, your resolve and that of your organization to keep going will be tested.
If you struggle at this point and you’d like assistance in implementing the remaining controls in a timely manner, get in touch with me. Just give me a call at +1 778.317.8064 or send me an email at and we’ll arrange for a complimentary half day session to help you set up the structure you need.
For more information, and to get your own copy of the CIS 20 with full details, click here: http://www.cisecurity.org/controls.