How Security Controls Can Improve Your Cybersecurity Posture
By Sean Atkinson, Chief Information Security Officer, CIS®
Security is a journey, not a destination. It is important to understand that as security and IT introduce critical configurations and security controls, management will be required over time. A single audit of a configuration in the deployment of a new system is an important check in the beginning phase. It’s equally important to confirm over time that your initial deployment configurations are still accurate and compliant.
CIS offers two helpful resources that organizations can use to improve their cybersecurity posture. CIS Benchmarks™ are secure configuration guidelines and CIS-CAT is a configuration assessment tool. These tools align control with functionality and security with compliance.
The first step for any organization is to establish a baseline of security. This will be the secure image for any system deployed within an IT environment. There can be hundreds of different configuration checks necessary to secure a particular operating system, server, or mobile device – this is where the free CIS Benchmarks recommendations can be extremely helpful. These recommendations are developed through hours of discussion and debate through our global community of volunteers via CIS WorkBench.
Are you a cloud-enabled enterprise? Check out CIS Hardened Images for a secure baseline. They’re available on AWS Marketplace, Google Cloud Platform, and Microsoft Azure.
Once you’ve established a secure baseline for your image, it’s time to see how it stacks up to the CIS Benchmarks. CIS-CAT Lite, our free tool, and CIS-CAT Pro, available through CIS SecureSuite Membership, both allow users to measure their compliance to the CIS Benchmark recommendations.
Once you’ve confirmed compliance to a baseline, there are two continuous monitoring items to consider:
- “Regular cadence” monitoring – This involves rechecking the systems to confirm their deployed compliant status is still in effect. How often this monitoring takes place could be based on criticality of the system, the size of data centers, or other factors. For example, critical systems may require weekly or monthly reviews while a large data operation may only require annual monitoring.
- Change management – This comes into play when a configuration is needed (such as the installation of particular applications or software) that is not aligned to the secure baseline. In these cases, the required change should be documented as part of a change management process. Be sure to document the impact of any configuration change on your system by running another compliance scan after the change has been implemented.
Paying attention to the process
If we maintain a process of control, compliance, and monitoring, it will allow for the creation of a complete asset management process, a configuration profile for deployed systems, and a managed process for incorporating changes into the system. Each part of this process will increase overall cyber hygiene and provide the impetus for maturing an information security program. Tools like CIS-CAT Pro can help organizations along the path to security and compliance.
Share your thoughts
How do you utilize the CIS Benchmarks?
Do you conform to regular CIS-CAT scans or only when the system is initially deployed?
Is change management “as important” or “more important” than initial deployment compliance?
Join the conversation on Twitter: @CISecurity