How to Fulfill Multiple Compliance Objectives Using the CIS Controls

4 years ago David Bisson

Earlier this year, I wrote about what’s new in Version 8 of the Center for Internet Security’s Critical Security Controls (CIS Controls). An international consortium of security professionals first created the CIS Controls back in 2008. Since then, the security community has continued to update the CIS Controls to keep pace with the evolution of technology ecosystems and emerging threat vectors—all the way to Version 8 and the 18 Controls contained therein. Those security measures are as follows:

  • CIS Control 1: Inventory and Control of Enterprise Assets
  • CIS Control 2: Inventory and Control of Software Assets
  • CIS Control 3: Data Protection
  • CIS Control 4: Secure Configuration of Enterprise Assets and Software
  • CIS Control 5: Account Management
  • CIS Control 6: Access Control Management
  • CIS Control 7: Continuous Vulnerability Management
  • CIS Control 8: Audit Log Management
  • CIS Control 9: Email and Web Browser Protections
  • CIS Control 10: Malware Defenses
  • CIS Control 11: Data Recovery
  • CIS Control 12: Network Infrastructure Management
  • CIS Control 13: Network Monitoring and Defense
  • CIS Control 14: Security Awareness and Skill Training
  • CIS Control 15: Service Provider Management
  • CIS Control 16: Application Software Security
  • CIS Control 17: Incident Response Management
  • CIS Control 18: Penetration Testing

By implementing those Controls and their associated Safeguards (formerly Sub-Controls), organizations can build a solid foundation onto which they can layer additional security and compliance controls. But this raises an important question. Are organizations under an obligation to comply with the CIS Controls? How do the CIS Controls relate to compliance?

Connecting CIS Controls and Compliance

Not to be confused with regulations such as PCI DSS and HIPAA or frameworks such as the NIST Cybersecurity Framework, compliance with CIS Controls is not enforced within audits. However, the CIS Controls function as the building blocks of nearly all major compliance frameworks, mapping to NIST SP 800-53, the International Organization for Standardization (ISO) 27000 series, and regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA.

Let’s examine a couple of these to see this alignment with the CIS Controls in practice.

PCI DSS

PCI DSS is responsible for protecting the credit card industry from digital fraud. The standard ensures that cardholders’ information remains in the right hands. It also limits the liability of card issuers and banks if a merchant suffers a breach.

The CIS Controls address a variety of aspects of PCI DSS compliance including the following:

Firewall and Router Configurations

  • CIS Control 4.2 – Establish and maintain a secure configuration process for network devices including firewalls. Under this measure, organizations can review and update documentation for that process at least once a year or when any significant changes in their environment might affect the Safeguard.
  • CIS Control 4.4 – Implement and manage a firewall on servers.
  • CIS Control 4.5 – Implement and manage a host-based firewall or port-filtering tool on end-user devices. This requires the use of a default-deny rule for all unspecified traffic.

Patch Management

  • CIS Control 7.3 – Use automated patch management on at least a monthly basis to perform OS updates on enterprise assets.
  • CIS Control 7.4 – Leverage those same automated patch management capabilities to implement application updates on enterprise assets monthly or more frequently.

Access Control

  • CIS Control 6.7 – Use a directory service or SSO provider to centralize access control for all enterprise assets.
  • CIS Control 6.8 – Implement role-based access control by defining the access rights that are necessary for each role in the enterprise and performing access control reviews of enterprise assets at least once a year.

NIST Cybersecurity Framework

NIST’s framework guides federal information systems in the United States. It offers guidance on producing positive cybersecurity outcomes as well as on the protection of privacy and civil liberties in a cybersecurity context.

The CIS Controls address many different portions of NIST compliance including the following:

NIST SP 800-53 R4 – “Low Baseline”

As an example, this Special Publication lists “Access Management,” “Security Awareness Training,” and “Penetration Testing” within Table D-2: Security Control Baselines. Those measures align with CIS Controls 6, 14, and 18, respectively.

NIST SP 800-171 R2

This document mirrors NIST SP 800-53 in that it also lists Access Control, Awareness Training, and Configuration Management, among other best security practices.

So, What Are You Waiting for?

No matter the industry you are in, the framework that you must adhere to, or even the size of your organization, adopting and upholding the CIS Controls is an essential element to any compliance or network hardening program. PCI DSS, NIST’s Cybersecurity Framework, and others all recognize the CIS Controls as foundational to digital hygiene, and they endorse their effectiveness as evidenced in their respective compliance requirements.

These Controls are by and for cybersecurity professionals of all roles and industries, and they constitute one of the most well-rounded paths to defense and compliance imaginable. Organizations might need some help fully embracing the Controls, however. That’s where Tripwire comes in. Indeed, organizations can use its solutions to address the top CIS Controls such as device and software inventory, secure configurations, vulnerability assessment, and log management. They can also leverage Tripwire’s tools to help with nearly all the other Controls.

The post “How to Fulfill Multiple Compliance Objectives Using the CIS Controls” appeared first on TripWire.

Source:TripWire – David Bisson
