How to Build a Cybersecurity Compliance Plan (with Free CIS Resources)
Cybersecurity compliance can seem overwhelming at first. There are a multitude of standards, tools, and resources on the market. We examined some of the top questions people have about building a compliance plan. To discuss, we sat down with Adam Montville, Chief Product Architect of CIS’ Security Best Practices team.
How do I find legitimate vendors?
If any vendor tells you that using their tool guarantees you compliance with a given regime, consider them suspect. When you speak with a vendor, ask them to explain how their products’ capabilities support a larger information security program. For example, a tool might contribute to cybersecurity asset management by integrating with a CMDB (configuration management database). However, it doesn’t provide total compliance unless there is 100% conformance to each sub-control in CIS Control 1 and CIS Control 2. Another tool might automatically assess endpoints against an enterprise-standard configuration. But it’s important to ensure endpoints are being tested against a robust standard, such as a consensus-developed CIS Benchmark.
What are the free CIS resources available to help me build a compliance plan?
CIS offers multiple resources at no cost to help organizations get started with a compliance plan and improve their cybersecurity posture:
- The CIS Controls provide prioritized security guidance to help defend against common cyber threats
- CIS RAM (Risk Assessment Method) helps businesses organize the CIS Controls and sub-controls based on a customized assessment of risk
- The CIS Benchmarks are specific configuration guidelines for securing over 150 technologies including servers, operating systems, and software
Each of these resources is developed through a community-driven, consensus-based process; cybersecurity specialists and subject matter experts volunteer their time to ensure these resources are robust and secure.
How are your resources mapped to each other?
As part of the CIS Benchmark development process, each recommendation is reviewed for applicability to the CIS Controls. CIS Benchmark guidelines may be mapped to one or more:
- Top-level CIS Controls (such as CIS Control 18)
- Specific sub-controls (such as CIS Control 3.3)
The mapping doesn’t guarantee that your security program is compliant with the CIS Controls, but it does supply organizations supporting evidence to bolster their CIS Controls conformance.
CIS RAM maps each question in the Risk Assessment Method to a specific CIS Control or sub-control. It helps organizations put the CIS Controls into action in a customized, risk-informed way.
Our resources are also referenced by PCI, NIST, and other compliance frameworks.
With so many risk management methods out there (Binary Risk Analysis, FAIR, etc.), what makes CIS RAM different?
The three principles and ten practices of CIS RAM lend themselves directly to supporting the legal concept of duty of care. In fact, CIS RAM is the first risk assessment method to provide very specific instructions for analyzing information security risk in a way that regulators define as "reasonable" and judges (in the United States) evaluate as "due care."
By implementing CIS RAM, organizations will follow a method that takes into consideration legal ramifications of risk management, as interpreted by courts of law in the United States. CIS RAM highlights the balance between the harm a security incident might cause and the burden of safeguards – the foundation of "reasonableness."
Is achieving the “spirit of compliance” enough?
It’s hard to say – in our experience, some auditors are more concerned with following the letter of whatever framework they work with (PCI, NIST, HIPAA) than with the spirit of that framework. Our best advice? Document your method. For example, if the CIS Controls are your security roadmap, use CIS RAM as your Risk Assessment Method. CIS RAM will help you determine which controls make business sense and prioritize accordingly. In this example, the CIS Controls plus CIS RAM would help you document (and demonstrate) due care.
Compliance is a journey
Achieving full compliance to any cybersecurity standard is a challenge – but it’s a goal worth striving for. With free, consensus-developed resources, the task gets a little easier. To learn more about cybersecurity compliance, view the recording of our Compliance Week webinar.