26 Year Healthcare Industry Veteran and the CIS Controls

Certified Information Systems Auditor uses the Center for Internet Security’s Controls for Effective Cyber Defense Version 6.0 to audit internal cybersecurity compliance.

We recently spoke with a 26-year healthcare industry veteran of Information Technology with Certified Information Systems Auditor (CISA) and GIAC Critical Security Controls (GCCC) credentials about the CIS Critical Security Controls (CIS Controls). This CISA/GCCC, at the direction of the IT Internal Audit Cybersecurity Group, is formalizing his organization’s cybersecurity program. For security and privacy purposes, his name and company will not be disclosed.

The organization relies on the CIS Controls as the basis of its internal cybersecurity auditing program. Specifically, it adopted and modified the AuditScripts Critical Control Assessment Tool as its guiding framework. The tool allows for assessment maturity ratings across all the Controls. “The process began with sending engagement letters to their stakeholders, socializing the risk assessment within the organization, providing a background document on the Controls, and conducting interviews with 30 organizational representatives to gain insight about the state of cybersecurity in the organization.” The CISA/GCCC leading this project, with whom we spoke, has been with the organization nearly two and a half years. He said, “The CIS Controls are an easy tool to use because they help establish our security priorities.”

Developing a Maturity Rating

“The CIS Controls are the easiest to understand and to map back to other frameworks. You do not have to be a subject matter expert to understand,” he explained. By entering interview feedback into the AuditScripts Assessment Tool, they can quantify and track a maturity rating for the organization. Expanding the spreadsheet was important so that additional areas could be ranked, such as tracking of team ownership, standards, and procedures, and so that a risk ranking could be recorded per control. In this way, they can compare results year over year, which is an advantage for leadership.

“The CIS Controls are the easiest to understand… you do not have to be a subject matter expert to understand.”
– Certified Information Systems Auditor

Awareness and Expectations

Thirty IT staff, including subject matter experts, supervisors, and upper management, have been made aware of the risk assessment and learned about the program. There is strong interest in developing a long-term plan for implementing the CIS Controls. The CISA plans for his organization to audit the top five CIS Controls every six months. Additionally, every eight to twelve months they will review additional controls. Continuing to re-evaluate as part of a holistic approach to cybersecurity, the organization’s leadership expects a multi-year effort to support as many controls as possible and plans to automate as many processes as possible along the way.

Commitment to the Controls

The organization is committed to standing out from its industry peers in cybersecurity by developing a long-term plan. They expect that the results of their assessment will guide and prioritize future audits, and will help them determine the assessment interval for each CIS Control.