Know Your Vulnerability Assessment Frameworks: CIS Implementation Groups

CIS implementation groups (IGs) are very influential components of a cybersecurity program, yet very few people have heard of them. 

CIS IGs affect the process of implementing a cybersecurity vulnerability assessment framework, which is a must-have for any organization.

IGs help determine the best way to prioritize cybersecurity defense actions for your enterprise, using a number of vulnerability assessment framework criteria. These groups help to: 

  1. Evaluate where there may be gaps in your current cybersecurity approach

  2. Define the minimum standards of cybersecurity regulations that each company should follow

  3. Outline a phased roadmap for implementation of CIS controls

Assessing which CIS IG is right for you and how it fits into your organization’s vulnerability assessment framework can be daunting and time consuming, which often is the result of not knowing where to start.

Read on as we walk you through the steps to get started with CIS IGs. By gaining a greater understanding of IGs, you will become more informed about cybersecurity and your own company’s cybersecurity initiatives. Let’s get started.

What Are CIS Controls?

Originally developed by the Center for Internet Security (CIS), CIS Controls are designed to help organizations drive enterprise IT and cybersecurity decisions, and help them better understand their cybersecurity needs as information security threats become more and more prevalent. If CIS IGs are the roadmap toward regulatory cybersecurity compliance, CIS Controls are the well-organized boxes that each organization can check off in order to achieve it.

The Controls set forth by the CIS identify the baseline requirements for any vulnerability assessment framework. Each Control includes a number of safeguards, and each IG specifies which of those safeguards it requires for that Control. Similar to food groups, the CIS Controls are grouped logically in a way that allows for a prioritization of initiatives that can be phased in over time. They are designed to map directly to actual products and solutions that fulfill your IG’s safeguards within all of the Controls. With a total of eighteen, CIS Controls cover all essential areas of cybersecurity, including:

  1. Inventory & Control of Enterprise Assets: Actively manage all enterprise assets connected to the infrastructure to accurately understand the totality of assets that need to be monitored and protected.

  2. Inventory & Control of Software Assets: Actively manage all software on the network so that only authorized software is installed, and that unauthorized software is identified and prevented from installation.

  3. Data Protection: Develop processes and technical controls to identify, classify, securely handle, retain and dispose of data.

  4. Secure Configuration of Enterprise Assets & Software: Establish and maintain the secure configuration of enterprise assets.

  5. Account Management: Use processes and tools to assign and manage authorization to credentials for user accounts.

  6. Access Control Management: Use processes and tools to create, assign, manage and revoke access credentials and privileges for enterprise assets and software.

  7. Continuous Vulnerability Management: Develop a plan to continuously assess and track vulnerabilities and monitor industry sources for new threat and vulnerability information.

  8. Audit Log Management: Collect, alert, review and retain audit logs of events that could help detect, understand or recover from an attack.

  9. Email & Web Browser Protections: Improve protections and detections of threats from email and web vectors.

  10. Malware Defenses: Prevent or control the installation, spread and execution of malicious applications, code or scripts on enterprise assets.

  11. Data Recovery: Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets.

  12. Network Infrastructure Management: Establish, implement and actively manage network devices to prevent attackers from exploiting vulnerable network services and access points.

  13. Network Monitoring & Defense: Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats.

  14. Security Awareness & Skills Training: Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and skilled.

  15. Service Provider Management: Develop a process to evaluate service providers who hold sensitive data to ensure they are protecting the data appropriately.

  16. Application Software Security: Manage the security life cycle of in-house developed, hosted or acquired software to prevent, detect and remediate security weaknesses.

  17. Incident Response Management: Establish a program to develop and maintain an incident response capability.

  18. Penetration Testing: Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls.

Why CIS Implementation Groups Matter

According to the Center for Internet Security, implementation groups “are the recommended guidance to prioritize implementation of the CIS Controls. They are based on the risk profile and resources an enterprise has available to them to implement the CIS Controls.”

Why does this matter? CIS IGs are your checklist for developing and fulfilling a vulnerability assessment framework methodology. In order to successfully implement cybersecurity solutions that protect your organization, clients, regulatory compliance and budget, you’ll need to follow the roadmap your implementation group illustrates.

By understanding CIS IGs, you will be in a greater position to assess if your organization’s current cyber capabilities and resource allocation are sufficient and to make actionable decisions to quickly address any gaps.

Define Standards

CIS IGs work within the specifics of your organization to define the minimum cybersecurity standards your company needs to meet. The groups take into account different factors that would impact the safeguards you would need to satisfy, including industry, size, client base, and more. For example, if your organization serves customers or has supply chain partners in the EU, it may need to meet specific cybersecurity standards to be in compliance with GDPR regulations. Your company would fall into a specific CIS IG that accounts for these specific needs.

Identify Gaps

CIS IGs are also designed to consider your company’s current cybersecurity initiatives, resources, and budget. Different CIS IGs evaluate your existing approach to cybersecurity and identify potential gaps in your approach or how resources and budget are allocated toward cybersecurity. Perhaps your company exceeds the safeguards it needs to satisfy the Malware Defenses CIS Control but is significantly underperforming for the Incident Response Management control. Following the guidance of your CIS IG, it will offer solutions for reallocating budget and resources to achieve more balanced cybersecurity initiatives.

Outline Phased Implementation

As every organization’s size, budget and compliance looks different, every organization’s approach to achieving complete cybersecurity implementation looks different, too. By utilizing the three CIS IGs, your cybersecurity efforts will grow as your enterprise grows, whether that growth is in size, markets, and/or geography. Rather than trying to achieve everything at once when your company has not budgeted or resourced for a full-throttle cybersecurity implementation initiative, IGs create an organized outline for an iterative implementation of cybersecurity protocols that allow your company to meet all the necessary standards over time.

CIS Implementation Groups

CIS implementation groups are broken down into three categories: IG1, IG2, and IG3. Each of these three groups touches on nearly every (or every) one of the eighteen CIS Controls outlined above, but they address each Control at varying levels of depth, determined by the number of safeguards each group requires.

Implementation Group 1

Implementation Group 1 (IG1) is the baseline implementation group. The set of safeguards required in IG1 must be completed by every organization in order to achieve a defensible approach to cybersecurity. Not implementing the safeguards laid out in IG1 may even be grounds for cyber insurance companies to deny your organization coverage.

Typically, companies that fall into IG1 are small and medium-sized businesses that often have limited access to IT and cybersecurity resources. Within this group, a business’s primary objective will be to utilize what cybersecurity knowledge is available to maintain general business operations while protecting against non-targeted attacks. The CIS Controls in this implementation group are designed to work with small or home office software and hardware, and still achieve cybersecurity compliance for the business and its clients.

IG1 Safeguard Scenario

The CIS Control Inventory and Control of Software Assets has a total of five possible safeguards. In IG1, the organization is required to implement two of the five safeguards. IG2 would implement four of the safeguards, and IG3 would implement all five.

Implementation Group 2

Since not every organization is likely to implement many cybersecurity solutions at once, the safeguards in Implementation Group 2 (IG2) represent a second phase toward having a complete cybersecurity program, and one that, if implemented well, will help protect against most threats. From a budget standpoint, a defensible cyber program includes budget coverage for the solutions needed to implement IG1 and IG2.

IG2 Safeguard Scenario

The CIS control Data Protection includes a total of fourteen safeguards. In IG2, the organization is required to implement twelve of the fourteen safeguards. IG1 would only need to implement six of the fourteen safeguards, while IG3 would implement all fourteen.

Implementation Group 3

Implementation Group 3 (IG3) offers flexibility through the selection of safeguards which may or may not be relevant based on an organization’s cybersecurity risk profile. After the safeguards in IG1 and IG2 have been completed, a company can evaluate which methods in IG3 will be most beneficial for its vulnerability assessment framework. IG3 comprises all the safeguards that can be implemented in every CIS Control.

IG3 Safeguard Scenario

The CIS control Network Infrastructure Management includes a total of eight safeguards. At IG3, an organization would implement all eight of those safeguards. At IG1, however, the company would only implement one, and IG2 would implement seven of the eight safeguards.
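The three scenarios above, together with the "Identify Gaps" section, describe one structure: each Control has a fixed number of safeguards, each IG requires a subset of them, and the groups build on one another (IG1 first, then IG2, then the rest in IG3). The following script is an added example, not code from CIS or from Defensible Technology, that turns the safeguard counts quoted on this page into a simple gap assessment and phased roadmap. It assumes the groups are cumulative (IG2 includes IG1's safeguards, IG3 includes everything), and the safeguard identifiers it generates (such as "3.1") are constructed placeholders, not the official CIS safeguard numbering.

```python
"""
Gap assessment against the CIS Implementation Group safeguard counts quoted
on this page.  Added illustration, not CIS or Defensible Technology code.

Assumptions (not stated by the page):
  * IGs are cumulative: IG2 contains every IG1 safeguard, IG3 contains all.
  * Safeguard ids like "3.7" are constructed placeholders; the lowest-numbered
    ids of each control are treated as the IG1 subset.
"""
from dataclasses import dataclass, field

# Safeguards required at (IG1, IG2, IG3) for the three controls the page
# walks through.  The IG3 figure equals the control's total safeguard count.
REQUIRED = {
    "2 Inventory and Control of Software Assets": (2, 4, 5),
    "3 Data Protection": (6, 12, 14),
    "12 Network Infrastructure Management": (1, 7, 8),
}


def safeguard_ids(control: str) -> list[str]:
    """Placeholder ids '<control>.1' .. '<control>.<total>' (constructed)."""
    number = control.split()[0]
    total = REQUIRED[control][2]
    return [f"{number}.{i}" for i in range(1, total + 1)]


def phase_of(control: str, safeguard: str) -> int:
    """Earliest IG (1, 2 or 3) at which a safeguard becomes required."""
    index = safeguard_ids(control).index(safeguard) + 1  # 1-based position
    for ig, count in enumerate(REQUIRED[control], start=1):
        if index <= count:
            return ig
    raise ValueError(f"{safeguard} is not a safeguard of control {control}")


@dataclass
class ControlGap:
    control: str
    target_ig: int
    required: int          # safeguards the target IG demands
    implemented: int       # of those, how many are already in place
    missing: list[str] = field(default_factory=list)

    @property
    def satisfied(self) -> bool:
        return not self.missing


def assess(target_ig: int, implemented: dict[str, set[str]]) -> list[ControlGap]:
    """Compare implemented safeguards with the target IG, control by control.

    Safeguards beyond the target IG (e.g. IG3-only items for an IG2 target)
    are simply not counted, so 'exceeding' a control never hides a gap.
    """
    if target_ig not in (1, 2, 3):
        raise ValueError("target_ig must be 1, 2 or 3")
    report = []
    for control in REQUIRED:
        needed = [s for s in safeguard_ids(control)
                  if phase_of(control, s) <= target_ig]
        done = implemented.get(control, set())
        missing = [s for s in needed if s not in done]
        report.append(ControlGap(control, target_ig, len(needed),
                                 len(done & set(needed)), missing))
    return report


def roadmap(report: list[ControlGap]) -> dict[int, list[str]]:
    """Group every missing safeguard by the IG phase in which it falls due."""
    phases: dict[int, list[str]] = {1: [], 2: [], 3: []}
    for gap in report:
        for s in gap.missing:
            phases[phase_of(gap.control, s)].append(s)
    return phases


# Constructed sample organisation aiming for IG2: complete on Data Protection,
# barely started on the other two controls.
SAMPLE_IMPLEMENTED = {
    "2 Inventory and Control of Software Assets": {"2.1"},
    "3 Data Protection": set(safeguard_ids("3 Data Protection")),
    "12 Network Infrastructure Management": {"12.1", "12.2", "12.3"},
}

if __name__ == "__main__":
    result = assess(2, SAMPLE_IMPLEMENTED)
    for gap in result:
        state = "OK" if gap.satisfied else f"missing {gap.missing}"
        print(f"{gap.control}: {gap.implemented}/{gap.required} -> {state}")
    print("roadmap by phase:", roadmap(result))
```

Running the script reports Data Protection as satisfied at IG2 even though the sample organisation implemented all fourteen safeguards, while the Software Assets control shows one IG1 safeguard still outstanding; that is the "balanced" view the "Identify Gaps" section describes, since surplus effort on one control does not offset a shortfall in another.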

Cybersecurity Compliance with CIS Implementation Groups

Rather than responding to a direct cybersecurity threat, many organizations find themselves exploring vulnerability assessment framework methodologies and CIS implementation groups as they navigate cybersecurity compliance regulations. It is far better to be proactive and stay on top of cybersecurity compliance laws than for a governing body to find your company out of compliance and be fined, or worse yet, to suffer a data breach that puts your business and your clients’ data at risk. CIS implementation groups are a great place to start.

CIS IGs are particularly beneficial in helping determine which cybersecurity compliance regulations your enterprise is required to meet and, as a result, which safeguards and solutions should be implemented to remain in compliance. Your implementation group will outline a comprehensive cybersecurity integration strategy for all kinds of compliance requirements, including:

  • PCI DSS: Most prevalent in the retail and e-commerce industries, the Payment Card Industry Data Security Standard (PCI DSS) is designed to ensure all companies that accept, process, store, or transmit credit card information maintain a secure environment. Your implementation group will outline the steps your organization can take to securely perform credit card transactions as defined by PCI DSS.

  • GDPR and CCPA: GDPR protects personal and household data for residents of the EU, and CCPA does the same for residents of California. Organizations with clients in these locations must stay in compliance for the collection, processing, and sharing of this data. Your CIS IG will create the roadmap your company can follow to be properly transparent about data collection as outlined by GDPR and CCPA.

  • FERPA/HIPAA/NIST: FERPA, HIPAA, and NIST are federal standards whose compliance requirements include the protection of data and records in education, healthcare, and the federal supply chain, respectively. The cybersecurity compliance standards vary considerably within each federal area, and your implementation group will provide the checklist to ensure your company meets those standards.

Defend Your Enterprise. Partner With Defensible.

Choosing a CIS Implementation Group and determining which fits into the puzzle of your vulnerability assessment framework can be challenging. With the right guidance and experts, however, you can get started with a strategy suited to your company and your budget.

By speaking with the experts at Defensible Technology, you can quickly gauge where your organization stands with regard to CIS Controls and which CIS IG is right for you, and get a viewpoint on the maturity of your cybersecurity program. Contact us today to get started.

For more information or to schedule your free 30-minute consultation, please reach out to ciso@defensible.tech