6 New Policy Templates to Help You Enact CIS Controls IG1
Many security frameworks require that enterprises begin with creating a policy. A policy identifies procedures that implementers can use to meet the requirements of a security standard. As such, a policy helps to formalize one or more security controls as ongoing processes instead of ad hoc engagements, which provides better protection to an enterprise and its data.
The Center for Internet Security understands the importance of using policies to implement the CIS Critical Security Controls (CIS Controls). We also know how difficult it is for some to create a policy on their own, especially when they're working to establish essential cyber hygiene as a foundation via Implementation Group 1 (IG1). That's why we're excited to announce several new policy templates to help you enact IG1 in your enterprise!
Jump Off With These New Policy Templates!
The newly released policy templates include the following:
- Software Asset Management Policy Template for CIS Control 2
- Data Management Policy Template for CIS Control 3
- Secure Configuration Management Policy Template for CIS Control 4
- Account and Credential Management Policy Template for CIS Controls 5 and 6
- Vulnerability Management Policy Template for CIS Control 7
- Audit Log Management Policy Template for CIS Control 8
We designed all of our policy templates (including the Enterprise Asset Management Policy Template for CIS Control 1, which we released earlier) to function as a “jumping off point” for enterprises that need help drafting their own policies. IG1 enterprises are typically still working to establish essential cyber hygiene best practices. Using these policy templates, you can work to meet your cybersecurity goals at a faster pace than if you were working alone.
Start using these policy templates to lay a foundation of essential cyber hygiene.
How To Use Each Policy
Let's be clear about how to use the six policy templates discussed above: on their own, they will not be enough to construct a full policy suite. An enterprise will need other policies to address additional technology governance needs. Furthermore, each policy represented in a policy template is not a silo; many of the policies include applicable CIS Safeguards from multiple CIS Controls. For instance, the Secure Configuration Management Policy Template specifically addresses CIS Control 4, but it also helps enterprises accomplish many different Controls at the same time.
The true value of the policy templates is that they're designed to supplement the CIS Controls v8. An enterprise can therefore use them to help fulfill the Safeguards in IG1. Looking ahead, it's possible that future versions of these policy templates will expand their focus to the Safeguards of Implementation Group 2 (IG2) and Implementation Group 3 (IG3).