CIS CONTROLS COMPLIANCE CONSULTING SERVICES
Our Center for Internet Security (CIS) Critical Security Controls (CSC) compliance services help your organization implement and assess a CIS Controls information security compliance program. Our experts assist with CIS security program development and enterprise risk management.
CIS Controls Compliance Consulting Services
CIS Cybersecurity & Vulnerability Management
The Center for Internet Security (CIS) Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks. A principal benefit of the Controls is that they prioritize and focus on a smaller number of actions with high pay-off results.
CIS stands for Center for Internet Security. Alongside the Controls, CIS publishes the CIS Benchmarks, consensus configuration standards for operating systems, applications and network devices. We help you develop configuration standards for all system components and make sure those standards address known security vulnerabilities and are consistent with industry-accepted system hardening standards such as the CIS Benchmarks.
CyberSecOp's team of CIS Controls experts will work with you to improve your security posture and harden defenses against the attack vectors you are most likely to encounter.
Why are the CIS Controls important?
Center for Internet Security Cybersecurity Services
Over the years, CyberSecOp's CIS IT auditors have helped organizations demonstrate compliance with statutory requirements. The CIS Controls are a prioritized set of safeguards, with supporting tools and mappings to other frameworks, that allow security and compliance managers to bridge the gap between control requirements, technical issues, and business risks. The CIS Controls complement the HIPAA Security Rule and contain many of the same provisions. Because the Controls and Sub-Controls are regularly updated based on real-world attack patterns, they can help healthcare and other organizations "round out" their cybersecurity program to address risks outside the HIPAA Security Rule.
Security Assessment & Consulting
Our unique value proposition is that we combine domain knowledge across different verticals, technical competence, hands-on experience, and industry-recognized certifications (e.g. ISO 27001, COBIT, ISO 20000, CISSP, CISM, CISA). We are cost sensitive, which enables us to pass the benefit on to our customers.
CIS Controls Security Compliance Services
Our cybersecurity and infrastructure security services give you a better security posture.
CIS Controls information security assessments analyze the maturity of your information security program and identify gaps, weaknesses, and opportunities for improvement against the CIS Controls. The assessment is conducted by certified consultants with decades of real-world experience implementing IT and enterprise governance. A GRC gap assessment is key to learning where your organization stands in its compliance journey: we collect and review your organization's security documentation and summarize the gaps in policies, procedures, and supporting evidence when compared to your compliance standard.
CIS CONTROLS ALIGNMENT & GAP ASSESSMENTS
CIS Controls as a Security Program
CIS Controls Compliance Advisory Services: everything is designed to bridge the gap between control requirements, technical issues, and business risks in a way that addresses your organization's specific challenges in implementing and meeting the CIS Controls. We recognize these challenges and always strive to align our solutions, their functions and their reporting with the applicable laws, regulations, and technologies.
Alignment to the Center for Internet Security (CIS) Critical Security Controls can be a major asset to your organization. With its thorough approach and relatively simple structure, the CIS Controls framework has become incredibly popular among mid-market and emerging companies.
Understanding the CIS Controls
The list below follows CIS Controls version 7, which groups the 20 Controls into Basic, Foundational and Organizational sets.
CIS Basic Controls
CIS Control 1: Inventory and Control of Hardware Assets
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
CIS Control 2: Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution.
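Controls 1 and 2 both come down to the same check: compare what is actually on the network, or installed on a host, against the authorized list, and act on the difference in both directions. The script below is an added example written for this page (not a CyberSecOp or CIS tool); all inventories, scan results and hostnames in it are constructed sample data, and in practice the discovered hardware would come from DHCP leases, ARP tables or a network scan, and the installed-software list from an endpoint agent or package manager.

```python
"""Reconcile discovered assets against the authorized inventory (CIS Controls 1 and 2).

Illustrative code added to this page; it is not a CyberSecOp or CIS tool.
Every inventory and scan result below is constructed sample data.
"""
from dataclasses import dataclass, field
import re

# Constructed: the approved hardware inventory the organization maintains.
AUTHORIZED_HARDWARE = [
    {"mac": "00:1A:2B:3C:4D:5E", "hostname": "ws-finance-01", "owner": "finance"},
    {"mac": "00:1a:2b:3c:4d:5f", "hostname": "ws-finance-02", "owner": "finance"},
    {"mac": "AA-BB-CC-DD-EE-01", "hostname": "srv-db-01", "owner": "it"},
]

# Constructed: devices actually observed on the network. Note the device with
# no inventory entry and the inventoried workstation that was never seen.
DISCOVERED_HARDWARE = [
    {"mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.1.10"},
    {"mac": "aa:bb:cc:dd:ee:01", "ip": "10.0.1.20"},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.0.1.99"},
]

# Constructed: software allowed per system role, the baseline that must be
# present everywhere, and what an endpoint agent reports as installed.
SOFTWARE_ALLOWLIST = {
    "workstation": {"firefox", "libreoffice", "edr-agent"},
    "server": {"postgresql", "openssh-server", "edr-agent"},
}
REQUIRED_SOFTWARE = {"edr-agent"}
INSTALLED_SOFTWARE = {
    "ws-finance-01": ("workstation", {"firefox", "edr-agent", "anydesk"}),
    "srv-db-01": ("server", {"postgresql", "openssh-server"}),
}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class HardwareReport:
    unauthorized: set = field(default_factory=set)  # on the network, not in inventory
    unseen: set = field(default_factory=set)        # in inventory, not observed


def reconcile_hardware(authorized, discovered) -> HardwareReport:
    """Control 1: which observed devices are unauthorized, and which inventory entries are stale."""
    auth = {normalize_mac(d["mac"]) for d in authorized}
    seen = {normalize_mac(d["mac"]) for d in discovered}
    return HardwareReport(unauthorized=seen - auth, unseen=auth - seen)


def reconcile_software(allowlist, required, installed) -> dict:
    """Control 2: per host, packages outside the role allowlist and required packages missing."""
    findings = {}
    for host, (role, packages) in installed.items():
        findings[host] = {
            "unauthorized": packages - allowlist[role],
            "missing_required": required - packages,
        }
    return findings


if __name__ == "__main__":
    hw = reconcile_hardware(AUTHORIZED_HARDWARE, DISCOVERED_HARDWARE)
    print("unauthorized devices:", sorted(hw.unauthorized))
    print("inventoried but unseen:", sorted(hw.unseen))
    for host, f in reconcile_software(SOFTWARE_ALLOWLIST, REQUIRED_SOFTWARE, INSTALLED_SOFTWARE).items():
        print(host, "unauthorized:", sorted(f["unauthorized"]), "missing:", sorted(f["missing_required"]))
```

The two-sided comparison matters: an inventoried device that is never observed is just as much a finding as an unknown one, because it means the inventory is not being maintained, and MAC normalization is what keeps a hyphenated entry from a hardware spreadsheet from showing up as a false "rogue" device.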
CIS Control 3: Continuous Vulnerability Management
Continuously acquire, assess and take action on new information in order to identify vulnerabilities, remediate and minimize the window of opportunity for attackers.
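The measurable part of Control 3 is the "window of opportunity": the time from a vulnerability first being observed on a host to its remediation. The script below is an added example for this page, not CyberSecOp or CIS code; the findings are constructed sample data in the shape of a scanner export, and the per-severity remediation SLAs are assumed policy values an organization would set for itself, not numbers taken from the CIS Controls.

```python
"""Remediation-window check for scanner findings (CIS Control 3).

Added example, not CyberSecOp or CIS code. Findings are constructed sample data;
the SLA values are assumed policy values, not figures from the CIS Controls.
"""
from collections import defaultdict
from datetime import date

TODAY = date(2024, 3, 1)  # fixed reference date so the example is deterministic

# Assumed remediation SLA (days) per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scanner export. fixed=None means the finding is still open.
FINDINGS = [
    {"id": "F-001", "host": "srv-db-01", "severity": "critical",
     "first_seen": date(2024, 2, 10), "fixed": date(2024, 2, 14)},
    {"id": "F-002", "host": "srv-web-01", "severity": "critical",
     "first_seen": date(2024, 2, 1), "fixed": None},
    {"id": "F-003", "host": "ws-finance-01", "severity": "high",
     "first_seen": date(2024, 1, 5), "fixed": date(2024, 2, 20)},
    {"id": "F-004", "host": "ws-finance-02", "severity": "medium",
     "first_seen": date(2024, 1, 1), "fixed": None},
    {"id": "F-005", "host": "srv-web-01", "severity": "low",
     "first_seen": date(2023, 8, 1), "fixed": None},
]


def exposure_days(finding, today=TODAY) -> int:
    """Window of opportunity: first observation to fix, or to today if still open."""
    end = finding["fixed"] or today
    return (end - finding["first_seen"]).days


def sla_breaches(findings, today=TODAY, sla=SLA_DAYS) -> list:
    """Findings whose exposure window exceeds the SLA for their severity.
    Closed breaches are reported too: they show where the process was too slow."""
    out = []
    for f in findings:
        exposed = exposure_days(f, today)
        limit = sla[f["severity"]]
        if exposed > limit:
            out.append({"id": f["id"], "host": f["host"], "severity": f["severity"],
                        "exposed_days": exposed, "limit": limit, "open": f["fixed"] is None})
    return out


def worst_open_window(findings, today=TODAY) -> dict:
    """Per severity, the longest-open unfixed finding: the number to track over time."""
    worst = defaultdict(int)
    for f in findings:
        if f["fixed"] is None:
            worst[f["severity"]] = max(worst[f["severity"]], exposure_days(f, today))
    return dict(worst)


if __name__ == "__main__":
    for b in sla_breaches(FINDINGS):
        state = "OPEN" if b["open"] else "closed"
        print(f"{b['id']} {b['host']} {b['severity']}: {b['exposed_days']}d > {b['limit']}d ({state})")
    print("worst open window by severity:", worst_open_window(FINDINGS))
```

Run against a real scanner export this gives an assessor two things a raw finding count does not: which hosts are currently outside policy, and whether the remediation process itself keeps up with the SLA even for findings that were eventually fixed.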
CIS Control 4: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Establish, implement and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs
Collect, manage and analyze audit logs of events that could help detect, understand, or recover from an attack.
CIS Foundational Controls
CIS Control 7: Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
CIS Control 8: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering and corrective action.
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols and services on networked devices in order to minimize windows of vulnerability available to attackers.
CIS Control 10: Data Recovery Capabilities
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Establish, implement and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
CIS Control 12: Boundary Defense
Detect/prevent/correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data.
CIS Control 13: Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data and ensure the privacy and integrity of sensitive information.
CIS Control 14: Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
CIS Control 15: Wireless Access Control
The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.
CIS Control 16: Account Monitoring and Control
Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
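Controls 4 and 16 are assessed from the same data: an export of accounts with their last logon and group membership, compared against the formally approved list of administrators. The script below is an added example written for this page, not CyberSecOp's or CIS's tooling; the account export is constructed sample data shaped like a directory or identity-provider export, and the 45-day dormancy threshold, the privileged group names and the approved-administrator list are assumptions, not values taken from the CIS Controls.

```python
"""Account life-cycle and administrative-privilege review (CIS Controls 4 and 16).

Added example written for this page, not CyberSecOp's or CIS's tooling.
The account export is constructed; the threshold, group names and approved
list are assumptions, not values from the CIS Controls.
"""
from datetime import date, timedelta

TODAY = date(2024, 3, 1)     # fixed reference date so the example is deterministic
DORMANCY_DAYS = 45           # assumed policy value
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators"}  # assumed group names
APPROVED_ADMINS = {"carol"}  # the formal, approved list Control 4 expects to exist

# Constructed account export: last interactive logon (None = never) and group membership.
ACCOUNTS = [
    {"user": "alice", "last_login": date(2024, 2, 27), "groups": {"staff"}, "enabled": True},
    {"user": "bob", "last_login": date(2023, 11, 30), "groups": {"staff"}, "enabled": True},
    {"user": "carol", "last_login": date(2024, 2, 20), "groups": {"staff", "domain-admins"}, "enabled": True},
    {"user": "svc-backup", "last_login": None, "groups": {"backup-operators"}, "enabled": True},
    {"user": "dave", "last_login": date(2023, 6, 1), "groups": {"domain-admins"}, "enabled": True},
    {"user": "erin", "last_login": date(2023, 1, 1), "groups": {"staff"}, "enabled": False},
]


def find_dormant(accounts, today=TODAY, threshold_days=DORMANCY_DAYS) -> set:
    """Enabled accounts with no logon inside the threshold. Accounts that never logged on
    are included on purpose: a service account used only non-interactively shows up here,
    and needs an owner and a documented exception rather than silent exclusion."""
    cutoff = today - timedelta(days=threshold_days)
    return {a["user"] for a in accounts
            if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff)}


def find_unapproved_admins(accounts, privileged_groups=PRIVILEGED_GROUPS,
                           approved=APPROVED_ADMINS) -> set:
    """Enabled accounts holding privileged group membership without being on the approved list."""
    return {a["user"] for a in accounts
            if a["enabled"] and a["groups"] & privileged_groups and a["user"] not in approved}


def review(accounts, today=TODAY) -> dict:
    """Combined report; dormant accounts that are also privileged are the first thing to act on."""
    dormant = find_dormant(accounts, today)
    privileged = {a["user"] for a in accounts if a["groups"] & PRIVILEGED_GROUPS}
    return {
        "dormant": dormant,
        "unapproved_admins": find_unapproved_admins(accounts),
        "dormant_privileged": dormant & privileged,
    }


if __name__ == "__main__":
    for key, users in review(ACCOUNTS).items():
        print(f"{key}: {sorted(users)}")
```

Already-disabled accounts are skipped because the life-cycle action has been taken; the review is about enabled accounts nobody is managing. The intersection of the two findings, dormant accounts that still hold administrative rights, is exactly the kind of account an attacker would prefer to take over, and it is the line an assessor will want to see empty.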
CIS Organizational Controls
CIS Control 17: Implement a Security Awareness and Training Program
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps and remediate through policy, organizational planning, training and awareness programs.
CIS Control 18: Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect and correct security weaknesses.
CIS Control 19: Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence and restoring the integrity of the network and systems.
Procedures and tools for Control 19
After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents. It is inevitable that exercise and training scenarios will identify gaps in plans and processes and unexpected dependencies.
CIS Control 20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization’s defense (the technology, the processes and the people) by simulating the objectives and actions of an attacker.