What are the CIS Controls for Effective Cyber Defense?

Table of contents

  1. Why are the CIS Controls important?
  2. Why do the CIS Controls work?
  3. What are the five critical tenets of effective cyber defense?
  4. What are the 20 CIS Controls?
  5. How UpGuard can improve your organization’s cybersecurity

1. Why are the CIS Controls important?

  • What are the most critical areas to establish a risk management program?
  • Which defensive steps provide the greatest value?
  • How can we track our risk management program maturity?
  • How can we share our insights into attacks and attackers and identify root causes?
  • Which tools are best used to solve which problems?
  • Which CIS controls map to my organization’s regulatory and compliance frameworks?

2. Why do the CIS Controls work?

  • Informed by common attacks and effective defenses
  • Reflect the knowledge of experts from companies, government and individuals, as well as sectors (government, power, defense, finance, transportation, academia, consulting, security, IT)
  • From every role (threat responders and analysts, technologists, vulnerability-finders, tool makers, solution providers, defenders, users, policy-makers, auditors, etc.)

3. What are the five critical tenets of effective cyber defense?

  1. Offense informs defense: Use actual cyber attacks that have compromised systems to provide the foundations to learn from and to build effective, practical defenses. Avoid defenses that haven’t been shown to stop real-world attacks.
  2. Prioritization: Invest in controls that provide the greatest risk reduction and protection from the most dangerous attacks and that can be feasibly implemented.
  3. Measurements and metrics: Use common metrics to provide a shared language for executives, security professionals, auditors and employees to measure the effectiveness of security measures within your organization.
  4. Continuous diagnostics and mitigation: Continuously monitor your security posture to test and validate the effectiveness of security controls and to help drive next steps.
  5. Automation: Automate defenses to reliably scale and continuously monitor for adherence to controls. Consider extending this to your third-party vendors and their vendors by continuously monitoring third-party and fourth-party security postures.

4. What are the 20 Critical Security Controls?

  1. Basic CIS Controls (1–6) are the starting point for any organization’s cybersecurity
  2. Foundational CIS Controls (7–16)
  3. Organizational CIS Controls (17–20)

1. Inventory and Control of Hardware Assets

2. Inventory and Control of Software Assets

3. Continuous Vulnerability Management

4. Controlled Use of Administrative Privileges

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

6. Maintenance, Monitoring and Analysis of Audit Logs

7. Email and Web Browser Protections

8. Malware Defenses

9. Limitation and Control of Network Ports, Protocols and Services

10. Data Recovery Capabilities

11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

12. Boundary Defense

13. Data Protection

14. Controlled Access Based on the Need to Know

15. Wireless Access Control

16. Account Monitoring and Control

17. Implement a Security Awareness and Training Program

18. Application Software Security

19. Incident Response and Management

20. Penetration Tests and Red Team Exercises

5. How UpGuard can improve your organization’s cybersecurity





https://www.upguard.com — UpGuard combines third-party security ratings, vendor questionnaires, and threat intelligence in a single cyber risk solution.