Mapping and Compliance

Security and compliance frameworks require a balance: systems must comply with regulations while remaining secure. As businesses grow, they often find that they must implement one or more of these frameworks, which can be daunting. For example, organizations that are federally contracted may need to implement multiple frameworks, such as NIST 800-171, NIST 800-53, or NIST CSF. In the finance sector, organizations are subject to PCI DSS and GLBA. Implementing each of these frameworks individually is inefficient and wastes time and resources. This phenomenon, which CIS Chief Evangelist Tony Sager coined the “Fog of More,” can leave IT and security teams overwhelmed and unsure where to begin.

To avoid the Fog of More and to scale a cybersecurity program efficiently, organizations must plan and prioritize their business objectives so that efforts are not duplicated, compliance is achieved, and, most importantly, systems remain secure.

These objectives are all achievable by using a proven and prioritized set of security best practices that harmonize and bridge the gap between the various security and compliance frameworks.

Organizations often find that controls overlap between different frameworks. Such controls, for example taking an inventory of enterprise assets and software or establishing secure configurations, can be implemented once and still satisfy multiple requirements across the various frameworks. CIS offers two products, the CIS Critical Security Controls (CIS Controls®) and the CIS Benchmarks®, as a starting point for organizations to establish an on-ramp to a robust cybersecurity program that addresses both security and compliance.

“Our security best practices, the CIS Controls and CIS Benchmarks, have continued to evolve with both technology and emerging threats to continue to stay relevant and to provide the best guidance for our users to be able to properly defend against these attacks as well as to show compliance, which is extremely important.” – Charity Otwell, Director of the CIS Controls at the Center for Internet Security®

The CIS Controls are a prioritized set of defensive actions that protect an organization from the most common types of cyber attacks. Developed through a consensus-based process by experts around the world, the Controls not only secure an organization’s systems but also prioritize which actions need to be done first. By prioritizing, an organization can achieve effective cyber hygiene and build its program to scale, instead of working through a long and muddled list of security controls in no particular order.

Many security and compliance frameworks mandate the use and implementation of a set of reputable secure configurations. To help organizations satisfy this requirement, the CIS Benchmarks provide consensus-based recommendations for securely configuring specific technologies. The Benchmarks also facilitate implementation of the CIS Controls, as many Benchmark recommendations map to the CIS Controls. By implementing the CIS Benchmarks, you therefore create an on-ramp to security and compliance with a variety of frameworks, including the CIS Controls.

Learn more about the CIS Controls and CIS Benchmarks and how they can provide a solid foundation for addressing both security and compliance.
