Faith-based Nonprofit Uses CIS Controls as the Baseline Framework
A worldwide faith-based, non-profit organization uses the CIS Controls as its basis for enterprise technical security controls.
A security program manager (PM) for the organization noted that the CIS Controls provide basic, effective security safeguards that can be implemented across a variety of business units within the organization.
Adopting the CIS Controls
For the past four years, the organization has been steadily integrating the CIS Controls into its cybersecurity program. According to the PM, the CIS Controls help the organization prevent, detect, and respond to both common and advanced attacks. During 2016, the organization updated to version 6 of the Controls and organized them into three maturity levels:
- minimum security controls that everyone should be expected to meet,
- moderate security controls to protect systems that have confidential information, and
- advanced security controls for the most sensitive systems.
The PM and his team are always mindful of how the CIS Controls affect operations and activities within the organization, and they regularly communicate with a wide variety of stakeholders to discuss security control prioritization and effectiveness. Additionally, they hold an annual review meeting to get direct feedback from service providers and the staff who implement the controls. These practices improve both business and security decisions.
When asked why the organization selected the CIS Controls, the PM stated, “They are practical and effective.” He explained that most security practitioners are aware of the CIS Controls. “When we talk about them, we never receive push back, because they are something that everybody understands we need to do.” The CIS Controls are well known even to upper management.
Fitting the Organization’s Needs
Preparedness is key, according to the PM. While the organization uses ISO and other frameworks in its security program, he noted that, “We focus on practical means that are simple and efficient. That is why our technical controls are based on the CIS Controls and we map those to other regulations such as HIPAA, ISO, and PCI. It suits our needs.”
The organization tracks progress by business unit and reports to management through dashboards and other reports. The PM emphasized that organizations need to dig into each control to understand how its recommendations apply to their own environment; his team tracks more than 500 unique implementations, broken out by technology. Each implementation has a clear owner, a description, and an expected result. Although the controls are self-assessed by their owners, an internal auditing group reviews the outcomes and provides feedback for remediation. This independent assessment is essential to maintaining quality over the long term. The PM expects to keep improving the program over the next five years as a commitment to the organization.
About the Center for Internet Security
CIS is a forward-thinking, nonprofit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. Our CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continually refined and verified by a volunteer, global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for state, local, tribal and territorial government entities.