Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

The Center for Internet Security Critical Security Controls for Effective Cyber Defense is a publication of best practice guidelines for computer security. The project was initiated early in 2008 as a response to extreme data losses experienced by organizations in the US defense industrial base and recently.[1] The publication was initially developed by the SANS Institute, ownership was transferred to the Council on Cyber Security (CCS) in 2013 and then transferred to Center for Internet Security (CIS) in 2015. It was earlier known as the Consensus Audit Guidelines and it is also known as the CIS CSC, CIS 20, CCS CSC, SANS Top 20 or CAG 20.

The guidelines consist of 20 key actions, called critical security controls (CSC), that organizations should take to block or mitigate known attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them.[2] The security controls give no-nonsense, actionable recommendations for cyber security, written in language that’s easily understood by IT personnel.[3] Goals of the Consensus Audit Guidelines include to:

  • Leverage cyber offense to inform cyber defense, focusing on high payoff areas,
  • Ensure that security investments are focused to counter highest threats,
  • Maximize use of automation to enforce security controls, thereby negating human errors, and
  • Use consensus process to collect best ideas.

The controls defined are

CIS ControlTitle
CSC 1: Inventory of Authorized and Unauthorized Devices          
CSC 2:Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5:Controlled Use of Administrative Privileges
 CSC 6:Maintenance, Monitoring, and Analysis of Audit Logs
 CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12:Boundary Defense
CSC 13:Data Protection
 CSC 14: Controlled Access Based on the Need to Know
CSC 15:Wireless Access Control
 CSC 16: Account Monitoring and Control
CSC 17:Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18:  Application Software Security
CSC 19:  Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

The Security Scanner will allow any organisation to be able to automate the checks and remediation of CIS 3, CIS 4 and CIS 9 as shown above.
  • No labels