Large Banking Institution Uses CIS Controls

Major Financial Organization Relies on CIS Controls

We recently spoke with the Vice President and Chief Information Security Officer (CISO) of a large banking institution. Recognized as one of the nation’s most financially secure banking institutions, with a 125-year history of serving the financial needs of generations of families, professionals, and business owners, this organization uses the CIS Controls.

“The CIS Controls are fundamental things that you should be doing. ... starting with the top five, if most organizations worked on those, they would be in a better position with cybersecurity.”
– Vice President and CISO, large banking institution

The bank’s V.P./CISO, who executes the information security strategy and vision, shared with us his opinion of the CIS Controls.

“As a USAF veteran with more than 15 years of experience working in the technology industry, they are ingrained in me, and are what I consider to be industry best practices,” he said. The bank’s V.P./CISO has known about the CIS Controls for a number of years. Asked about this prioritized set of cyber practices, he shared: “The CIS Controls are fundamental things that you should be doing. Some are hard to do, but even starting with the top five, if most organizations worked on those, they would be in a better position with cybersecurity.”

Gap Analysis Visibility

The institution primarily uses the CIS Controls to determine its cybersecurity baseline and conduct a gap analysis. “If we are not quite meeting the intent of a particular CIS Control, we can identify areas to focus on and improve,” said the V.P./CISO.

Because banks manage clients’ valuable and sensitive information, the banking industry has had cybersecurity on its radar for years, and most organizations are aware of the CIS Controls. According to the V.P./CISO we met with, this awareness stems from the industry requirements and guidance that apply to banks, as referenced in the Federal Financial Institutions Examination Council (FFIEC) handbook.

We also discussed other well-known frameworks used by financial institutions, such as PCI, ISO, and NIST. To ensure an efficient and cost-effective cybersecurity strategy, the bank is working to align its CIS Controls implementation with the NIST 800-53 framework.

Tools and Challenges

In order to protect sensitive data, this bank uses several automated tools located both on- and offsite to monitor various systems and processes. Like many organizations, its biggest challenge is to secure the environment while avoiding any adverse impacts on daily operations – to be a guardrail, not a speed bump – supporting the bank’s operational needs and strategic objectives.

Commitment to Cybersecurity

As with any effective cybersecurity strategy, organizational buy-in and a deep understanding of the framework are essential. This major banking institution relies on excellent management and executive support in its plan to implement the CIS Controls. By investing in a stronger security posture, this organization is demonstrating a commitment to achieving cyber maturity.

About the Center for Internet Security

CIS is a forward-thinking, nonprofit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. Our CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continually refined and verified by a volunteer, global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for state, local, tribal and territorial government entities.