How to Fulfill Multiple Compliance Objectives Using the CIS Controls

Image

Earlier this year, I wrote about what’s new in Version 8 of the Center for Internet Security’s Critical Security Controls (CIS Controls). An international consortium of security professionals first created the CIS Controls back in 2008. Since then, the security community has continued to update the CIS Controls to keep pace with the evolution of technology ecosystems and emerging threat vectors—all the way to Version 8 and the 18 Controls contained therein. Those security measures are as follows:

• CIS Control 1: Inventory and Control of Enterprise Assets
• CIS Control 2: Inventory and Control of Software Assets
• CIS Control 3: Data Protection
• CIS Control 4: Secure Configuration of Enterprise Assets and Software
• CIS Control 5: Account Management
• CIS Control 6: Access Control Management
• CIS Control 7: Continuous Vulnerability Management
• CIS Control 8: Audit Log Management
• CIS Control 9: Email and Web Browser Protections
• CIS Control 10: Malware Defenses
• CIS Control 11: Data Recovery
• CIS Control 12: Network Infrastructure Management
• CIS Control 13: Network Monitoring and Defense
• CIS Control 14: Security Awareness and Skill Training
• CIS Control 15: Service Provider Management
• CIS Control 16: Application Software Security
• CIS Control 17: Incident Response Management
• CIS Control 18: Penetration Testing

By implementing those Controls and their associated Safeguards (formerly Sub-Controls), organizations can build a solid foundation onto which they can layer additional security and compliance controls. But this raises an important question. Are organizations under an obligation to comply with the CIS Controls? How do the CIS Controls relate to compliance?

Connecting CIS Controls and Compliance

Not to be confused with regulations such as PCI DSS and HIPAA or frameworks such as the NIST Cybersecurity Framework, compliance with CIS Controls is not enforced within audits. However, the CIS Controls function as the building blocks of nearly all major compliance frameworks, mapping to NIST SP 800-53, the International Organization for Standardization (ISO) 27000 series, and regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA.

Let’s examine a couple of these to see this alignment with the CIS Controls in practice.

PCI DSS

PCI DSS is responsible for protecting the credit card industry from digital fraud. The standard ensures that cardholder’s information remains in the right hands. It also limits the liability of card issuers and banks if a merchant suffers a breach.

The CIS Controls address a variety of aspects of PCI-DSS compliance including the following:

Firewall and Router Configurations

• CIS Control 4.2 – Establish and maintain a secure configuration process for network devices including firewalls. Under this measure, organizations can review and update documentation for that process at least once a year or when any significant changes in their environment might affect the Safeguard.
• CIS Control 4.4 – Implement and manage a firewall on servers.
• CIS Control 4.5 – Implement and manage a host-based firewall or port-filtering tool on end-user devices. This requires the use of a default-deny rule for all unspecified traffic

Patch Management

• CIS Control 7.3 – Use automated patch management on at least a monthly basis to perform OS updates on enterprise assets.
• CIS Control 7.4 – Leverage those same automated patch management capabilities to implement application updates on enterprise assets monthly or more frequently.

Access Control

• CIS Control 6.7 – Use a directory service or SSO provider to centralize access control for all enterprise assets.
• CIS Control 6.8 – Implement role-based access control by defining the access rights that are necessary for each role in the enterprise and performing access control reviews of enterprise assets at least once a year.

NIST Cybersecurity Framework

NIST’s framework guides federal information systems in the United States. It offers guidance on producing positive cybersecurity outcomes as well as on the protection of privacy and civil liberties in a cybersecurity context.

The CIS Controls address many different portions of NIST compliance including the following:

NIST SP 800-53 R4 – “Low Baseline”

As an example, this Special Publication lists “Access Management,” “Security Awareness Training,” and “Penetration Testing” within Table D-2: Security Control Baselines. Those measures align with CIS Controls 6, 14, and 18, respectively.

NIST SP 800-171 R2

This document mirrors NIST SP 800-53 in that it also lists Access Control, Awareness Training, and Configuration Management, among other best security practices.

So, What Are You Waiting for?

No matter the industry you are in, the framework that you must adhere to, or even the size of your organization, adopting and upholding the CIS Controls is an essential element to any compliance or network hardening program. PCI DSS, NIST’s Cybersecurity Framework, and others all recognize the CIS Controls as foundational to digital hygiene, and they endorse their effectiveness as evidenced in their respective compliance requirements.

These Controls are by and for cybersecurity professionals of all roles and industries, and they constitute one of the most well-rounded paths to defense and compliance imaginable. Organizations might need some help fully embracing the Controls, however. That’s where Tripwire comes in. Indeed, organizations can use its solutions to address the top CIS Controls such as device and software inventory, secure configurations, vulnerability assessment, and log management. They can also leverage Tripwire’s tools to help with nearly all the other Controls.

To learn more about meeting multiple compliance objectives simultaneously with the CIS Controls, click here: https://www.tripwire.com/misc/meeting-multiple-compliance-objectives-simultaneously-with-the-cis-controls