Cybersecurity Compliance: Start with Proven Best Practices

As a security professional, you may be tasked with achieving SOC2 compliance for your organization, adopting a NIST framework, or complying with new security laws. These are just a few examples; you likely face many requirements!

Compliance with multiple policy, regulatory, and legal security frameworks and standards is challenging and time consuming. Most tell you what’s required, but don’t clearly explain how to do it or where to begin. So where should you start? With proven, prioritized security best practices that map to or are referenced by other frameworks and standards.

Security Best Practices for Security Compliance

Although requirements vary, there is often overlap in the facets of security they’re focusing on. These are generally security best practices you can use as a starting point in your plan.

The CIS Critical Security Controls (CIS Controls) are a prioritized set of actions to protect your organization and data from known cyber-attack vectors. They’re developed through a unique community consensus process and they not only tell you how to be more secure, they also prioritize the actions you should take to get there. This prioritization helps your organization work toward achieving effective cyber hygiene, rather than working through a list in order and hoping to recognize some benefits along the way.

Another reason to start with the CIS Controls? They work. Findings of the CIS Community Defense Model (CDM) 1.0 (v2.0 to be released Fall 2021), show that they’re effective at mitigating approximately 83% of all MITRE ATT&CK Techniques, including 90% of the ransomware ATT&CK Techniques.

For a more granular take on security configuration, the CIS Benchmarks provide consensus-based guidance for specific technologies. Implementing these configuration recommendations helps you meet some of the CIS Controls; each Benchmark maps to the Controls.

Achieving Compliance with CIS Controls

The CIS Controls are mapped to the following frameworks:

  • AICPA Trust Services Criteria (SOC2)
  • Cloud Security Alliance Cloud Control Matrix (CSA CCM)
  • Cybersecurity Maturity Model Certification (CMMC) v1.0
  • Health Insurance Portability and Accountability Act of 1996 (HIPPA)
  • National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
  • NIST Special Publication 800-53 Rev.5
  • NIST Special Publication 800-171 Rev.2Payment Card Industry (PCI) Data Security Standard v3.2.1

The mappings are available in a variety of formats to assist you on your security journey. The mappings themselves are available in both Microsoft Excel format and in the interactive CIS Controls Navigator. The Navigator offers you the ability to view several mappings at the same time and export them to Excel. Want to track your implementation of the Controls and your compliance with those mapped frameworks? The CIS Controls Self Assessment Tool (CIS CSAT) can help with that.

In addition to mapping the CIS Controls to security frameworks that have been created with the help of our community, there are a number of entities that reference the Controls directly. For example, the National Governors Association, NIST, and legislation from the states of Ohio, California, Nevada, Idaho, and Connecticut all mention the Controls.

CIS Benchmarks

The CIS Benchmarks are recognized as industry standards for cyber protection around the world. Some references include:

  • PCI’s recommendation of CIS standards for hardening
  • The DoD Cloud Computing Security Requirements Guide mentions CIS Benchmarks as an acceptable alternative to the STIGs and SRGs (Section 5.5.1)
  • FedRAMP’s suggested use of CIS Benchmarks if U.S. government configuration guidelines aren’t available for a specific platform
  • Complement to the HIPAA security rule and overlap of the same provisions

A configuration assessment tool helps determine if your systems are securely configured. CIS-CAT Pro allows you to assess for conformance to the CIS Benchmarks, both remotely and at scale. You can also use the Dashboard to track conformance (and thus, compliance) over time.

An “On-ramp” to Compliance: CIS SecureSuite Membership

The CIS Controls and CIS Benchmarks provide an “on-ramp” toward compliance with a wide range of security frameworks. That’s because they’re a good starting point for securing your organization while moving you toward compliance. A CIS SecureSuite Membership offers the tools and resources to help you implement and track compliance and protection of your organization’s data and assets.