
The Center for Internet Security (CIS) is a non-profit organization that develops its own benchmarks and recommendations, which organizations use to improve their security and compliance programs. The initiative aims to define baseline levels of secure system configuration for the systems commonly found in every organization.
The center has published a new version of its information security guide, CIS Controls Version 7, which contains 20 recommendations for protecting IT infrastructure.
Key principles
The recommendations were developed according to 7 key principles, intended to ensure reliable results, drawing on the best practices of the global IT community and on the PCI, NIST, ISO and HIPAA methodologies:
- analysis of current attacks, technology trends and IT requirements;
- focus on authentication, encryption and application whitelisting;
- comparison with other methodologies and guidelines;
- improved wording and simplified concepts for the checks;
- establishing a basis for the development and use of information security products;
- a changed format for more flexible use (suited to different kinds of organizations);
- use of feedback and recommendations from volunteers and supporters.
Description of CIS Controls
The description of the critical security controls covers comprehensive checks of IT infrastructure elements, configurations, access rights, privileges, system logs, incident response measures and tools, and the initiation of checks.
In the 7th edition of the guide, the controls are divided into three categories that take the modern cyber threat landscape into account.

Basic
This category contains recommendations necessary to ensure the information security of the organization. This category includes the following items:
- inventory of authorized and unauthorized devices;
- inventory of authorized and unauthorized software;
- vulnerability management tools;
- use of administrative privileges;
- secure configurations for mobile devices, laptops, workstations and servers;
- maintenance, monitoring and analysis of audit logs.
Fundamental
This category includes recommendations for applying best practices so that the organization benefits from advanced cyber security technologies. This category includes the following items:
- email and web browser protection;
- malware protection;
- restriction and control of network ports;
- data recovery capability;
- secure configurations for network devices;
- perimeter protection;
- data protection;
- access control;
- wireless access control;
- account control.
Organizational
This category includes recommendations focused on organizational processes and administrative measures related to information security, aimed at raising staff awareness and at conducting Red Team / Blue Team exercises. This category includes the following items:
- monitoring staff awareness;
- application software control;
- incident response;
- penetration testing / Red Team.
These recommendations make it possible to create clear, prioritized guidelines for the organization's information security tasks, and they can serve as the basis for information security policies.