The Ultimate Manual to CIS Critical Security Control Mapping

CIS critical security control mapping takes a detailed approach to tiered implementation, helping organizations achieve best-practice cybersecurity. It strengthens your business’s defensive posture through continuous, automated protection and monitoring of your IT infrastructure.

In this guide, we’ll take a deeper look at what mapping of CIS critical security controls entails and how it impacts your business.

What Is the CIS?

CIS stands for Center for Internet Security and is a not-for-profit entity that creates its own Configuration Policy Benchmarks (CPB): benchmarks that organizations can apply to improve their cybersecurity and compliance posture and programs.

This CIS initiative seeks to create community-developed security configuration baselines for IT and security products commonly used by companies.

The entity has also established a series of protocols called CIS controls that are regularly updated and reviewed through an informal community process. Interestingly, these controls are the standard for some of the most comprehensive security baselines for existing systems and apply to all industries that use these technologies.

What Are the CIS Critical Security Controls?

CIS’s Critical Security Controls (CSC) help organizations defend themselves against known attacks by distilling important security concepts into actionable controls that help them achieve greater overall cybersecurity defense.

But as security challenges evolve, the best practices to meet them do, too.

The CIS makes both current and concrete recommendations to help industries improve their security posture through their Critical Security Controls for Effective Cyber Defense (formerly called the SANS Top 20 Critical Security Controls).

In total, there are 20 CIS controls, each belonging to a specific category. We’ll discuss the security controls in more detail later on in this article.

Interestingly, complying with the CIS framework isn’t mandatory for organizations. Despite no formal requirements or regulations, businesses use it in conjunction with industry-specific practices.

This is because CIS recommendations focus on data, software, and hardware—and also on people and processes. This enables you to enjoy a robust security defense that keeps threat actors at bay.

The fact that it also offers securely configured settings for an extensive list of operating systems and devices is another advantage.

Being drafted by the wider expert cybersecurity community, the CIS framework is of higher standing. Subject matter experts, professionals, and interest groups work together to update it frequently and also notify users of changes to the threat landscape.

What Is CIS Critical Security Control Mapping?

CIS critical security controls mapping refers to the implementation of the framework’s controls. Think of it as a type of soft compliance, as the framework itself isn’t a hard regulation.

How CIS Critical Security Control Mapping Works

You first have to implement the 20 controls to achieve mapping, or the level of it that’s available to your business. Thereafter, your organization will undergo the CIS benchmarking process.

Let’s understand what these two terms mean in more detail below.

The 20 CIS Critical Security Controls

The CIS 20 security controls are the bulk of the CIS framework and are the application of cybersecurity best practices to key vulnerability areas. They are commonly grouped into three tiers:

  • Basic Controls
  • Foundational Controls
  • Organizational Controls

The control mapping—and eventually compliance—can be easily achieved at each level depending on your organization’s resources.

Basic Controls

Basic controls are numbers 1-6 and are also known as cyber hygiene.

These encompass activities that every organization—large and small—should implement if they intend to take measures for securing their systems and networks. Following CIS guidance for the top six CIS controls can significantly protect your organization, even if you cannot implement the other controls.

Each basic control has a wide scope and aligns with a solid principle: to ensure the right users have access to the right assets, with all systems being kept up-to-date and as hardened as possible. They mostly consist of taking inventory of IT assets, doing basic-level monitoring, limiting certain access and privileges, and so on.

Here are the six basic controls:

  1. Inventory and control of hardware assets
  2. Inventory and control of software assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  6. Maintenance, Monitoring, and Analysis of Audit Logs

Foundational Controls

When assessing your organization’s available resources, check the foundational control group to see if control implementation is possible. This will help you gauge whether your business can comply up to this level.

The foundational control group is the tier where the CIS framework becomes more involved, with controls becoming more focused and addressing specific issues like email security.

Remember, full control mapping involves all three tiers, especially if your business operates internationally or at a high level (250 employees or more).

Also, check if there are any other regulations your industry needs to comply with. The CIS CSC framework does an excellent job of preparing organizations in a compliance landscape, yes. But there can be other regulations (GDPR, NERC, CIP) that your business must follow.

The foundational controls make up the bulk of the framework, and if you implement them across your organization, you would be following what most IT professionals would consider a best practice model.

The following are the 10 foundational controls:

  1. Email and Web Browser Protections
  2. Malware Defenses 
  3. Limitation and Control of Network Ports, Protocols, and Services
  4. Data Recovery Capability 
  5. Secure Configuration for Network Devices 
  6. Boundary Defense
  7. Data Protection 
  8. Controlled Access Based on the Need to Know
  9. Wireless Access Control
  10. Account Monitoring and Control 

Organizational Controls

Organizational controls are the final grouping, the last four, in CIS critical security controls mapping. They mostly apply to large organizations that deal with critical business information and classified or sensitive data and have very extensive networks.

Think of this control grouping as a maintenance and readiness group that deals with aspects of cyber security that may not always be tangible but have a high impact on your organization’s overall cyber health.

Here are the four organizational controls:

  1. Implement a Security Awareness and Training Program
  2. Application Software Security
  3. Incident Response and Management
  4. Penetration Tests and Red Team Exercises

If you take a step back and go through these controls, you’ll see SMEs won’t necessarily have the resources to execute many of them and that’s completely fine.

But if an organization has the resources and can execute them, it should as they’ll benefit it greatly. Unlike other control groupings, the organizational controls build the culture of security within the business, making it more likely for it to thrive in the long run.

CIS Benchmarks

The CIS organization is made up of volunteers from the cybersecurity community who actively dedicate their time to developing, updating, and communicating the CIS benchmarks. It’s a database of security configurations for:

  • Operating Systems
  • Server Software
  • Cloud Providers
  • Mobile Devices
  • Network Devices
  • Desktop Software
  • Multifunction Print Devices

The CIS website has proper security configurations for each of the above categories for different IT systems.

Security considerations for devices and software come down to using those devices and software securely, in a way that prevents bad actors from getting access. The benchmarks give organizations access to secure configuration databases so that the software and devices they use don’t betray their security needs.

How are these security configurations decided? The benchmarks are determined on a consensus-based model. SMEs and cyber professionals unanimously decide the best security consideration for every object in question.

At the moment, there are security configuration settings for over 140 different software and devices.

Benchmark Profile

The available benchmarks have a profile level of either 1 or 2, and the difference between these levels depends on your organization’s security needs.

  • Level 1 refers to surface-level security where it doesn’t hinder the business operations and usability of the software or device. This profile can be applied promptly with minimal disruption.
  • Level 2 is in-depth defense and is only recommended for organizations where top-notch security is non-negotiable. These types of organizations typically possess classified or highly sensitive data.

It’s important to note that if the profile level is implemented improperly or carelessly, it can have adverse effects on business operations.

How To Get Started With CIS Critical Security Controls

Clearly, CIS critical security controls are a solid way to protect your organization. 

Below, we’ve created a step-by-step guide to help you implement these controls into your day-to-day operations as well as strategic plans and decision-making. 

Step 1: Take Inventory of Your Assets

Taking inventory of your assets is critical because you can’t implement any controls to protect devices if you don’t know what to protect.

This step maps to the following Critical Security Controls:

  • CSC 1: Inventory and Control of Hardware Assets
  • CSC 2: Inventory and Control of Software Assets

Step 2: Measure Asset Controls

Determine your baseline for controls you have already implemented and have invested funds and effort into. Try to understand how well you are (or aren’t) currently protected and make the same clear to your IT and upper management.

This step maps to the following Critical Security Controls:

  • CSC 3: Continuous Vulnerability Management
  • CSC 4: Controlled Use of Administrative Privileges
  • CSC 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • CSC 7: Email and Web Browser Protections
  • CSC 8: Malware Defenses
  • CSC 10: Data Recovery Capability
  • CSC 13: Data Protection
  • CSC 18: Application Software Security

Step 3: Perimeter Defenses

Decide the protections to be implemented for network ingress and egress, followed by minimizing network ingress and egress and locking down access to your wireless local area networks (LANs) so that only authorized access is permitted.

This step maps to the following Critical Security Controls:

  • CSC 9: Limitation and Control of Network Ports, Protocols, and Services
  • CSC 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
  • CSC 12: Boundary Defense
  • CSC 15: Wireless Access Control

Step 4: Respond to Incidents In A Timely Manner

No one can accurately predict when and how a cyber attack will go down. But you can definitely be sure it will happen.

Keeping this in mind, be prepared with an action plan and document an internal process that feeds back into your overall plan by implementing and maintaining controls to improve the system and network security.

This step maps to the following Critical Security Controls:

  • CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • CSC 16: Account Monitoring and Control
  • CSC 19: Incident Response and Management

Step 5: Evaluate Security Gaps

Before enhancing your security program, you need to be aware of any prevalent gaps.

Identify the most critical gaps that require consensus across teams. This will take some time, but the effort is well worth it. When evaluating your organization’s critical gaps, think about getting buy-in from IT and management, compare new and existing controls, and measure the overall value to your business.

Step 6: Implement Your Controls

Decide how to approach short-term and long-term maintenance and tracking over time. Be sure to treat controls as a continuous process that requires frequent maintenance over time.

While planning and implementing your organization’s controls, consider the following key pointers:

  • Each team (management, security, IT, and the board of directors) should define metrics and goals that are most important to them for tracking progress
  • Coordinate efforts between IT and security departments
  • Track and communicate progress consistently with management

Step 7: Train and Monitor Users

Train and test users so that they understand what to look out for while promoting security awareness. You should also have a backup plan where you limit privileges and monitor user behavior for any anomalies.

This step maps to the following Critical Security Controls:

  • CSC 4: Controlled Use of Administrative Privileges
  • CSC 7: Email and Web Browser Protections
  • CSC 14: Controlled Access Based on the Need to Know
  • CSC 16: Account Monitoring and Control
  • CSC 17: Implement a Security Awareness and Training Program

Step 8: Test Controls 

At this stage, all your controls are in place.

Follow this up by using tests like penetration testing and red team exercises to ensure everything is working as intended. Do this regularly to check whether your efforts are paying off and safeguarding your systems.

This step maps to the following Critical Security Control:

  • CSC 20: Penetration Tests and Red Team Exercises
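
The tier grouping and the step-to-control mapping from this guide can be turned into a small gap report. The following is an added example, not part of the original guide: the function names and the sample assessment are constructed, and it assumes a tier only counts once every lower tier is complete.

```python
# Added example: tier boundaries and step mappings are taken from this guide;
# function names and the sample assessment are constructed for illustration.
TIERS = [("Basic", range(1, 7)), ("Foundational", range(7, 17)),
         ("Organizational", range(17, 21))]

# Step -> CSC numbers as listed in the guide (steps 5 and 6 list no controls).
STEPS = {
    1: [1, 2],
    2: [3, 4, 5, 7, 8, 10, 13, 18],
    3: [9, 11, 12, 15],
    4: [6, 16, 19],
    7: [4, 7, 14, 16, 17],
    8: [20],
}


def unmapped_controls():
    """Controls 1-20 that no step covers (sanity check on the mapping)."""
    covered = {c for controls in STEPS.values() for c in controls}
    return sorted(set(range(1, 21)) - covered)


def highest_tier(implemented):
    """Highest tier reached. Assumption: tiers are cumulative, so a tier
    counts only when every lower tier is fully implemented."""
    reached = None
    for name, controls in TIERS:
        if not set(controls) <= implemented:
            break
        reached = name
    return reached


def step_gaps(implemented):
    """Per step, the mapped controls that are still missing."""
    gaps = {}
    for step, controls in STEPS.items():
        missing = [c for c in controls if c not in implemented]
        if missing:
            gaps[step] = missing
    return gaps


# Constructed assessment: all Basic controls plus a few others are in place.
SAMPLE_IMPLEMENTED = {1, 2, 3, 4, 5, 6, 7, 8, 10, 12, 16, 19}

if __name__ == "__main__":
    print("Unmapped controls:", unmapped_controls())
    print("Highest tier fully mapped:", highest_tier(SAMPLE_IMPLEMENTED))
    for step, missing in step_gaps(SAMPLE_IMPLEMENTED).items():
        print(f"Step {step}: missing CSC {missing}")
```

An empty result from `unmapped_controls()` confirms that the eight steps together touch all 20 controls, so working through them in order leaves no control unassigned.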
