As a security professional, you may be tasked with achieving SOC2 compliance for your organization, adopting a NIST framework, or complying with new security laws. These are just a few examples; you likely face many requirements!
Compliance with multiple policy, regulatory, and legal security frameworks and standards is challenging and time consuming. Most tell you what’s required, but don’t clearly explain how to do it or where to begin. So, where should you start? With proven, prioritized security best practices that map to or are referenced by other frameworks and standards.
Security best practices for regulatory compliance
Although frameworks vary, there is often overlap in the facets of security they’re focusing on. These are generally accepted security best practices that you can use as a starting point in your plan.
For example, you can use the CIS Critical Security Controls (CIS Controls) as a starting point. the CIS Controls are a prioritized set of actions to protect your organization and data from known cyber-attack vectors. They’re developed through a unique community consensus process; they not only tell you how to be more secure, they also prioritize the actions you should take to get there. This prioritization helps your organization work toward achieving effective cyber hygiene, rather than working through a list in order and hoping to recognize some benefits along the way.
Another reason to start with the CIS Controls? They work. Findings of the CIS Community Defense Model (CDM) 2.0, show that they’re effective at mitigating approximately 86% of all MITRE ATT&CK Techniques. More importantly, the Controls are highly effective against the top five attack types found in industry threat data.
For a more granular take on security configuration, the CIS Benchmarks provide consensus-based guidance for specific technologies. Implementing these configuration recommendations helps you meet some of the CIS Controls; each Benchmark maps to the Controls.
Achieving regulatory compliance with CIS Controls
The CIS Controls are mapped to the following frameworks:
- AICPA Trust Services Criteria (SOC2)
- CMMC Cybersecurity Maturity Model Certification v1.0
- CS CCM Cloud Security Alliance Cloud Control Matrix
- HIPAA Health Insurance Portability and Accountability Act of 1996
- ISACA COBIT 19
- NIST CSF
- NIST Special Publication 800-53 Rev.5
- NIST Special Publication 800-171 Rev.2
- PCI Payment Card Industry
- Azure Security Benchmark
- CIS Controls v8 Mapping to GSMA FS.31 Baseline Security Controls
The mappings are available in a variety of formats to assist you on your security journey. The mappings themselves are available in both Microsoft Excel format and in the interactive CIS Controls Navigator. The Navigator offers you the ability to view several mappings at the same time and export them to Excel. Want to track your implementation of the Controls and your compliance with those mapped frameworks? The CIS Controls Self Assessment Tool (CIS CSAT), available exclusively to CIS SecureSuite Members, can help with that.
In addition to mapping the CIS Controls to security frameworks that have been created with the help of our community, there are a number of entities that reference the Controls directly. For example, the National Governors Association, NIST, and legislation from the states of Ohio, California, Nevada, Idaho, and Connecticut all mention the Controls.
How the CIS Benchmarks can help with compliance
The CIS Benchmarks are recognized as industry standards for cyber protection around the world. Some references include:
- PCI’s recommendation of CIS standards for hardening
- The DoD Cloud Computing Security Requirements Guide mentions CIS Benchmarks as an acceptable alternative to the DISA STIGs and SRGs (Section 5.5.1). CIS also offers five Benchmarks built to DISA STIG standards
- FedRAMP’s suggested use of CIS Benchmarks if U.S. government configuration guidelines aren’t available for a specific platform
- Complement to the HIPAA security rule and overlap of the same provisions
It’s an important next step to utilize a configuration assessment tool to help determine if your systems are securely configured. CIS-CAT Pro Assessor, included in CIS SecureSuite Membership, allows you to assess conformance to the CIS Benchmarks, both remotely and at scale. You can also use the Dashboard to track conformance (and thus, compliance) over time.
An on-ramp to compliance: CIS SecureSuite Membership
The CIS Controls and CIS Benchmarks provide an on-ramp toward compliance with a wide range of mappings to and references from regulatory frameworks. To take these resources a step further, more than 3,000 organizations utilize the benefits of CIS SecureSuite Membership, such as:
- Saving time with automated system reviews: CIS-CAT Pro Assessor saves you hours of configuration review by scanning against a target system’s configuration settings and reporting the system’s compliance to the corresponding CIS Benchmark.
- Improving your cyber defense program: CIS CSAT Pro enables security teams to track and prioritize their implementation of the CIS Controls. For each CIS Control and CIS Safeguard, CIS CSAT helps an organization track its documentation, implementation, automation, and reporting.
- Track compliance automatically: CIS-CAT Pro Dashboard consumes assessment reports and shows system(s) compliance to the CIS Benchmarks over a period of time.
- Customize benchmarks to your needs: With CIS Workbench, you can easily tailor Benchmark recommendations to fit organizational or compliance policies. Export selected CIS Benchmarks in various formats (Microsoft Word, Microsoft Excel, XCCDF, OVAL, XML).
A CIS SecureSuite Membership offers the tools and resources to help you implement and track compliance and protection of your organization’s data and assets.