Defensible Tech Team, September 10

Know Your Vulnerability Assessment Frameworks: CIS Implementation Groups

CIS implementation groups are very influential components of a cybersecurity program - and yet very few people have heard of them. Whether you’re aware of them or not, CIS implementation groups affect the process of implementing a cybersecurity vulnerability assessment framework, which every organization should have.

These implementation groups help determine the best way to prioritize cybersecurity defense actions for your enterprise, using a number of vulnerability assessment framework criteria. These groups help to: 

  1. Evaluate where there may be gaps in your current cybersecurity approach

  2. Define the minimum standards and cybersecurity regulations that each company should follow

  3. Outline a phased roadmap for implementation of the CIS controls

Assessing which CIS implementation group is right for you, and how it fits into your organization’s vulnerability assessment framework, can feel daunting and time-consuming, usually because it is not clear where to start.

Through this guided blog, we walk you through the steps to get started with CIS implementation groups (IGs). By gaining a greater understanding of CIS IGs, you will become more informed about cybersecurity and your own company’s cybersecurity initiatives. Let’s get started.

What Are CIS Controls?

Originally developed by the Center for Internet Security (CIS), the CIS controls are designed to help organizations of many industries and sizes drive enterprise IT and cybersecurity decisions, and to help them better understand their cybersecurity needs as information security threats become more prevalent. If CIS implementation groups are the roadmap toward regulatory cybersecurity compliance, the CIS controls are the well-organized boxes that each organization can check off in order to get there.

The controls set forth by CIS identify the baseline requirements for any vulnerability assessment framework, and each control contains a number of safeguards; the safeguards an organization must satisfy within each control depend on its implementation group. Similar to food groups, the CIS controls are grouped logically in a way that allows initiatives to be prioritized and phased over time. They are designed to map directly to actual products and solutions that fulfill your IG’s safeguards within all of the controls. With a total of eighteen, the CIS controls cover all essential areas of cybersecurity, including: 

  1. Inventory & Control of Enterprise Assets: Actively manage all enterprise assets connected to the infrastructure to accurately understand the totality of assets that need to be monitored and protected.

  2. Inventory & Control of Software Assets: Actively manage all software on the network so that only authorized software is installed, and that unauthorized software is identified and prevented from installation.

  3. Data Protection: Develop processes and technical controls to identify, classify, securely handle, retain and dispose of data.

  4. Secure Configuration of Enterprise Assets & Software: Establish and maintain the secure configuration of enterprise assets.

  5. Account Management: Use processes and tools to assign and manage authorization to credentials for user accounts.

  6. Access Control Management: Use processes and tools to create, assign, manage and revoke access credentials and privileges for enterprise assets and software.

  7. Continuous Vulnerability Management: Develop a plan to continuously assess and track vulnerabilities and monitor industry sources for new threat and vulnerability information.

  8. Audit Log Management: Collect, alert, review and retain audit logs of events that could help detect, understand or recover from an attack.

  9. Email & Web Browser Protections: Improve protections and detections of threats from email and web vectors.

  10. Malware Defenses: Prevent or control the installation, spread and execution of malicious applications, code or scripts on enterprise assets.

  11. Data Recovery: Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets.

  12. Network Infrastructure Management: Establish, implement and actively manage network devices to prevent attackers from exploiting vulnerable network services and access points.

  13. Network Monitoring & Defense: Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats.

  14. Security Awareness & Skills Training: Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and skilled.

  15. Service Provider Management: Develop a process to evaluate service providers who hold sensitive data to ensure they are protecting the data appropriately.

  16. Application Software Security: Manage the security life cycle of in-house developed, hosted or acquired software to prevent, detect and remediate security weaknesses.

  17. Incident Response Management: Establish a program to develop and maintain an incident response capability.

  18. Penetration Testing: Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls.

Why CIS Implementation Groups Matter

According to the Center for Internet Security, implementation groups “are the recommended guidance to prioritize implementation of the CIS Controls. They are based on the risk profile and resources an enterprise has available to them to implement the CIS Controls.”

Why does this matter? CIS IGs are your checklist for developing and fulfilling vulnerability assessment framework methodology. In order to successfully implement cybersecurity solutions that protect your organization, clients, regulatory compliance and budget, you’ll need to follow the roadmap your implementation group illustrates.

By understanding CIS implementation groups, you will be in a greater position to assess if your organization’s current cyber capabilities and resource allocation are sufficient and to make actionable decisions to quickly address any gaps.

Define standards

CIS implementation groups work within the specifics of your organization to define the minimum cybersecurity standards your company needs to meet. The groups take into account different factors that would impact the safeguards you would need to satisfy, including industry, size, clientele, and more. For example, if your organization serves clientele or has supply chain partners in the EU, it may need to meet specific cybersecurity standards to be in compliance with GDPR regulations. Your company would fall into a specific CIS implementation group that accounts for these additional and specific needs.

Identify gaps

CIS IGs are also designed to consider your company’s current cybersecurity initiatives, resources and budget. Different CIS IGs evaluate your existing approach to cybersecurity and identify potential gaps in your approach or how resources and budget are allocated toward cybersecurity. Perhaps your company exceeds the safeguards it needs to satisfy the “Malware Defenses” CIS control but is significantly underperforming for the “Incident Response Management” control. Following the guidance of your CIS implementation group will offer solutions for reallocating budget and resources to achieve more balanced cybersecurity initiatives.

Outline phased implementation

As every organization’s size, budget and compliance looks different, every organization’s approach to achieving complete cybersecurity implementation looks different, too. By utilizing the three CIS implementation groups, your cybersecurity efforts will grow as your enterprise grows, whether that growth is in size, markets and/or geography. Rather than trying to achieve everything at once when your company has not budgeted or resourced for a full-throttle cybersecurity execution, IGs create an organized outline for an iterative implementation of cybersecurity protocols that allow your company to meet all the necessary standards in a phased approach.

CIS Implementation Groups

CIS implementation groups are broken down into three categories: IG1, IG2, and IG3. Each of these three groups touches on every, or almost every, one of the eighteen CIS controls outlined above, but they address each control with varying levels of rigor, reflected in the number of safeguards that must be implemented.

Implementation Group 1

Implementation Group 1 (IG1) is the baseline implementation group. The set of safeguards required in IG1 must be completed by every organization in order to achieve a defensible approach to cybersecurity. Not implementing the safeguards laid out in IG1 may even be grounds for cyber insurance companies to deny your organization coverage.

Typically, companies that fall into IG1 are small- and medium-sized and often have limited access to IT and cybersecurity resources. Within this group, a business’s primary objective will be to utilize what cybersecurity knowledge is available to maintain general business operations while protecting from non-targeted attacks. The CIS controls in this implementation group are designed to work with small or home office software and hardware and still achieve cybersecurity compliance for the business and its clients.

IG1 Safeguard Scenario

The CIS control “Inventory and Control of Software Assets” has a total of five possible safeguards. In IG1, the organization is required to implement two of the five safeguards. IG2 would implement four of the safeguards, and IG3 would implement all five.

Implementation Group 2

Since every organization is likely unable to implement too many cybersecurity solutions at once, the safeguards in Implementation Group 2 (IG2) represent a second phase toward having a complete cybersecurity program and one that, if implemented well, will help protect against most threats. From a budget standpoint, a defensible cyber program includes budget coverage for solutions that are needed to implement IGs one and two.

IG2 Safeguard Scenario

The CIS control “Data Protection” includes a total of fourteen safeguards. In IG2, the organization is required to implement twelve of the fourteen safeguards. IG1 would only need to implement six of the fourteen safeguards, while IG3 would implement all fourteen.

Implementation Group 3

Implementation Group 3 (IG3) allows for flexibility, since an organization selects whichever safeguards of the group are relevant to its cybersecurity risk profile. After the safeguards in implementation groups one and two have been completed, a company can evaluate which methods in IG3 will be most beneficial for its vulnerability assessment framework. IG3 comprises all the safeguards in every CIS control; it essentially “maxes out” all safeguards that can be implemented.

IG3 Safeguard Scenario

The CIS control “Network Infrastructure Management” includes a total of eight safeguards. At IG3, an organization would implement all eight of those safeguards. At IG1, however, the company would only implement one, and IG2 would implement seven of the eight safeguards.
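The three safeguard scenarios above, combined with the gap analysis described under “Identify gaps”, as an added Python example (not code from the original post, Defensible, or CIS). Safeguard IDs such as SW-1 and DP-7 are constructed placeholders, and only the per-IG counts follow the scenarios in the post; the sample organization at the end is constructed as well.

```python
"""Gap analysis across CIS Implementation Groups (added example, not CIS or Defensible
code). Safeguard IDs like SW-1 are constructed placeholders; only the counts are the post's."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Safeguard:
    control: str  # CIS control name
    sid: str      # constructed placeholder id, not a real CIS safeguard number
    min_ig: int   # lowest implementation group that requires this safeguard

def _build(control, prefix, cumulative):
    """cumulative = (count at IG1, IG2, IG3); each IG adds safeguards on top of the previous."""
    sgs, n = [], 0
    for ig, total in enumerate(cumulative, start=1):
        while n < total:
            n += 1
            sgs.append(Safeguard(control, f"{prefix}-{n}", ig))
    return sgs

CATALOG = (
    _build("Inventory and Control of Software Assets", "SW", (2, 4, 5))
    + _build("Data Protection", "DP", (6, 12, 14))
    + _build("Network Infrastructure Management", "NI", (1, 7, 8))
)

def required_for(ig):
    """Safeguard ids an organization at group `ig` must satisfy (IGs are cumulative)."""
    return {s.sid for s in CATALOG if s.min_ig <= ig}

def gap_report(ig, implemented):
    """Per control: safeguards required at `ig`, how many are done, which are missing."""
    report = {}
    for s in CATALOG:
        if s.min_ig > ig:
            continue
        e = report.setdefault(s.control, {"required": 0, "done": 0, "missing": []})
        e["required"] += 1
        if s.sid in implemented:
            e["done"] += 1
        else:
            e["missing"].append(s.sid)
    return report

if __name__ == "__main__":
    # Constructed sample: an IG2 organization that has fully covered software
    # inventory but only the IG1 data-protection and network safeguards so far.
    done = {f"SW-{i}" for i in range(1, 6)} | {f"DP-{i}" for i in range(1, 7)} | {"NI-1"}
    for control, e in gap_report(2, done).items():
        print(f"{control}: {e['done']}/{e['required']} done, missing {e['missing']}")
```

Running it shows the imbalance the post describes: one control fully covered while another lags, with the exact safeguards to budget for next listed per control.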

Cybersecurity Compliance with CIS Implementation Groups

Rather than responding to a direct cybersecurity threat, many organizations may find themselves exploring vulnerability assessment framework methodology and CIS implementation groups as they navigate cybersecurity compliance regulations. It is much better to be proactive and stay on top of cybersecurity compliance laws than for a governing body to find your company out of compliance and be fined, or worse yet, to suffer a data breach that puts your and your clients’ data at risk. CIS implementation groups are a great place to start.

CIS IGs are particularly beneficial in helping determine which cybersecurity compliance regulations your enterprise is required to meet and, as a result, which safeguards and solutions should be implemented to remain in compliance. Your implementation group will outline a comprehensive cybersecurity integration strategy for all kinds of compliance requirements, including:

  • PCI DSS: Most prevalent in the retail and ecommerce industries, the Payment Card Industry Data Security Standard (PCI DSS) is designed to ensure all companies that accept, process, store or transmit credit card information maintain a secure environment. Your implementation group will outline the steps your organization can take to securely perform credit card transactions as defined by PCI DSS.

  • GDPR and CCPA: Protecting personal and household data for residents of the EU (GDPR) and California (CCPA), organizations with clients in these locations must stay in compliance for the collection, processing and sharing of this data. Your CIS IG will create the roadmap your company can follow to be properly transparent about data collection as outlined by GDPR and CCPA.

  • FERPA/HIPAA/NIST: These federal regulatory standards cover the protection of data and records in education (FERPA), healthcare (HIPAA) and the federal supply chain (NIST). The cybersecurity compliance standards vary considerably between these areas, and your implementation group will provide the checklist to ensure your company meets them.

Defend Your Enterprise. Partner With Defensible.

Choosing a CIS Implementation Group and determining which fits into the puzzle of your vulnerability assessment framework can be challenging. With the right experts involved, however, you can get started with a strategy suited to your company and your budget.

During one or two scoping calls with the team at Defensible, we can quickly gauge where your organization stands with its required CIS controls, which CIS implementation group is right for you, and provide a view of the maturity of your cybersecurity program without a formal or costly risk assessment. Contact us today to get started.