Overview of CIS18 Critical Security Controls
The CIS Critical Security Controls (CIS18) are a prioritized set of cybersecurity best practices developed by the Center for Internet Security (CIS). They help organizations of all sizes defend against common and impactful cyber threats by focusing on actions that provide the most risk reduction. Each control is actionable and mapped to real-world attack scenarios.
Below are the 18 controls, with definitions and how they help secure your organization:
1. Inventory and Control of Enterprise Assets
Definition: Maintain an accurate inventory of all devices (servers, laptops, desktops, mobile, IoT, etc.) connected to your organization’s network.
How it helps: You can’t protect what you don’t know exists. An accurate inventory allows you to spot unauthorized devices and ensure all endpoints are managed and secured.
2. Inventory and Control of Software Assets
Definition: Track and manage all authorized and unauthorized software installed on organizational systems.
How it helps: Reduces risk from unapproved or vulnerable software and helps prevent malware installation.
3. Data Protection
Definition: Safeguard sensitive data throughout its lifecycle—collection, storage, processing, and transmission.
How it helps: Protects against data breaches and unauthorized access, ensuring compliance and trust.
4. Secure Configuration of Enterprise Assets and Software
Definition: Establish and maintain secure settings for hardware and software, and eliminate default or insecure configurations.
How it helps: Reduces vulnerabilities and makes it harder for attackers to exploit weak configurations.
5. Account Management
Definition: Manage the lifecycle of user and service accounts—creation, use, monitoring, and deletion.
How it helps: Prevents unauthorized access and limits potential damage from compromised accounts.
6. Access Control Management
Definition: Limit access to systems and data based on need-to-know and least privilege principles.
How it helps: Reduces the chance of insider threats or misuse by ensuring users only access what they need.
7. Continuous Vulnerability Management
Definition: Identify, prioritize, and remediate software vulnerabilities in your systems on an ongoing basis.
How it helps: Prevents attackers from exploiting known weaknesses by ensuring timely patching and mitigation.
8. Audit Log Management
Definition: Collect, review, and retain logs of system activity to support detection, investigation, and response.
How it helps: Provides crucial evidence during incidents and helps detect suspicious activity early.
9. Email and Web Browser Protections
Definition: Defend against phishing and malware by securing email systems and browser use.
How it helps: Reduces risk from common attack vectors like malicious links, attachments, and compromised websites.
10. Malware Defenses
Definition: Implement anti-malware tools and techniques across endpoints and systems.
How it helps: Detects and blocks known malware, limiting infections and their spread.
11. Data Recovery
Definition: Maintain reliable, secure, and tested backup solutions for critical data and systems.
How it helps: Enables recovery from ransomware, hardware failure, or accidental data loss.
12. Network Infrastructure Management
Definition: Secure and actively manage network devices (routers, switches, firewalls, etc.) and their configurations.
How it helps: Prevents attackers from exploiting network weaknesses and improves overall network resilience.
13. Network Monitoring and Defense
Definition: Monitor network traffic for signs of malicious activity and respond appropriately.
How it helps: Early detection of attacks, compromised systems, or policy violations.
14. Security Awareness and Skills Training
Definition: Educate users and IT staff on security best practices and current threats.
How it helps: Reduces human error and empowers users to recognize and report suspicious activity.
15. Service Provider Management
Definition: Assess and monitor the security of third-party service providers and vendors.
How it helps: Reduces supply chain risk by ensuring your partners maintain good security practices.
16. Application Software Security
Definition: Integrate security into the software development lifecycle (SDLC) and manage application vulnerabilities.
How it helps: Prevents attackers from exploiting software bugs or insecure development practices.
17. Incident Response Management
Definition: Develop and test plans for detecting, responding to, and recovering from security incidents.
How it helps: Enables quick and effective responses to minimize the impact of breaches or attacks.
18. Penetration Testing
Definition: Simulate attacks to identify and address vulnerabilities before real attackers find them.
How it helps: Validates your security controls and reveals gaps in defenses.
Summary Table
| # | Control Name | Purpose |
|---|---|---|
| 1 | Inventory of Enterprise Assets | Find/manage all devices |
| 2 | Inventory of Software Assets | Track/manage all software |
| 3 | Data Protection | Secure sensitive data |
| 4 | Secure Configurations | Harden systems & software |
| 5 | Account Management | Control user/service accounts |
| 6 | Access Control Management | Restrict access to least privilege |
| 7 | Vulnerability Management | Patch/remediate vulnerabilities |
| 8 | Audit Log Management | Monitor and investigate activity |
| 9 | Email & Web Protections | Block phishing/malware threats |
| 10 | Malware Defenses | Detect/block malware |
| 11 | Data Recovery | Restore from incidents |
| 12 | Network Infrastructure Management | Secure/manage network devices |
| 13 | Network Monitoring & Defense | Detect/stop network threats |
| 14 | Security Awareness Training | Educate and empower users |
| 15 | Service Provider Management | Assess vendor security |
| 16 | Application Security | Secure in-house/3rd-party apps |
| 17 | Incident Response Management | Plan and recover from incidents |
| 18 | Penetration Testing | Test and improve defenses |
References/Resources: