Security Best Practices: Cybersecurity & Compliance at Scale
Growing the business requires that organizations scale their cybersecurity programs. Along the way, however, organizations may need to comply with multiple policy, regulatory, and legal security frameworks. This creates several obstacles for organizations. Complying with all of these frameworks can be difficult and time consuming to the point of overwhelming, a phenomenon known as the "Fog of More." When coupled with tool sprawl, the Fog of More could leave security teams suffering from alert fatigue and feeling burned out.
To prevent this from happening and to scale your cybersecurity program more efficiently, you want to know how to plan out all of your compliance objectives.
"As an organization, you need to determine what framework is a priority and then map those requirements to the other frameworks to lessen the overlapping requirements," explained Stephanie Gass, Director of Governance, Risk & Compliance at CIS. "You should also understand if your compliance objectives are required through regulations, contracts, or customer preference."
You can do both of these things using proven, prioritized security best practices that map to or are referenced by other frameworks and standards.
Security Best Practices for Security Compliance
Although the specific requirements vary from framework to framework, they tend to focus on the same facets of security (asset inventory, access control, configuration, logging, and so on). The overlap is where security best practices come in: they give you a single starting point from which to scale your cybersecurity program and realize several compliance objectives at once.
For instance, the CIS Critical Security Controls (CIS Controls) are a prioritized set of actions for protecting your organization and data from known cyber attack vectors. They’re developed through a unique community consensus process, and they tell you not only how to be more secure but also how to prioritize the actions you should take to get there. This prioritization helps your organization work toward achieving effective cyber hygiene and scale from there rather than work through a list and hope to recognize some benefits along the way.
For a more granular take on security configuration, the CIS Benchmarks provide consensus-based guidance for specific technologies. Implementing these configuration recommendations helps you meet some of the CIS Controls, as each Benchmark maps to the Controls.
Achieving Compliance with CIS Controls
The CIS Controls map to the following frameworks:
- AICPA Trust Services Criteria (SOC2)
- Cloud Security Alliance Cloud Control Matrix (CSA CCM) v4
- Criminal Justice Information Services (CJIS) Security Policy
- Cybersecurity Maturity Model Certification (CMMC) v1.0
- Cyber Essentials v2.2
- Federal Financial Institutions Examination Council (FFIEC-CAT)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- ISACA Control Objectives for Information Technologies (COBIT) 2019
- MITRE Enterprise ATT&CK v8.2
- National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
- NIST Special Publication 800-53 Rev.5 (Low and Moderate Baseline)
- NIST Special Publication 800-171 Rev.2
- Payment Card Industry (PCI) Data Security Standard v3.2.1
Once you know which frameworks to measure against, the next step is to manage the prioritization and implementation of those frameworks. The CIS Controls Self Assessment Tool (CIS CSAT), particularly the Pro version, enables security teams to prioritize their implementation of the CIS Controls. With that plan, teams can track their efforts and verify whether specific Controls and Safeguards have been assigned, implemented, automated, documented, and reported. They can leverage that insight to comply with other security frameworks and scale their cybersecurity accordingly.
CIS Benchmarks Referenced in Industry Standards
The CIS Benchmarks are recognized as industry standards for cyber protection around the world. Some references include the following:
- PCI DSS cites CIS among the industry-accepted sources of system hardening standards
- The DoD Cloud Computing Security Requirements Guide mentions CIS Benchmarks as an acceptable alternative to the STIGs and SRGs (Section 5.5.1)
- FedRAMP suggests the use of CIS Benchmarks if U.S. government configuration guidelines aren’t available for a specific platform
- The CIS Benchmarks complement the HIPAA Security Rule, with many Benchmark recommendations overlapping the Rule's technical safeguard provisions
A configuration assessment tool helps determine if your systems are securely configured. CIS-CAT Pro allows you to assess for conformance to the CIS Benchmarks, both remotely and at scale. You can also use the Dashboard to track conformance (and thus compliance) over time.
Scaling and Compliance with CIS SecureSuite Membership
Both the CIS Controls and CIS Benchmarks provide an “on-ramp” toward compliance with various frameworks. Indeed, they provide a starting point for securing your assets and scaling your organization's cybersecurity program, all while moving you toward compliance.
Organizations can realize these benefits by implementing the CIS Controls and CIS Benchmarks on their own. Alternatively, they can gain access to additional resources and tools, such as CIS CSAT Pro and CIS-CAT Pro, by purchasing a CIS SecureSuite Membership. It is a cost-effective way to work toward compliance, protect data assets, and scale your cybersecurity efforts.
"SecureSuite helps to create baselines, whether it is benchmarking or hardening systems," noted Gass. "Using the CIS Controls and the CIS Benchmarks, you are able to identify potential gaps within the organization."
For a limited time, you can save up to 20% off a new one-year CIS SecureSuite Membership using code CYBER2022 through October 31.