How to Create an Efficient Governance Control Program

By Sean Atkinson, Chief Information Security Officer at CIS


Your success as an organization, especially in the cyber realm, depends on your security posture. To account for the ongoing evolution of digital threats, you need to implement robust governance control programs that address the current control environment and help you to prepare for the future risk environment.

In this blog post, we’ll discuss what goes into a robust governance control program, the challenges you might face, steps you can use to overcome those challenges, and how a CIS SecureSuite® Membership can help you along the way.

Fundamentals and Challenges of Governance

At its heart, governance should be about security practices and focus on risk mitigation as a security concept rather than as a compliance driver. Compliance will be a by-product of good security practices, and those practices can be guided by security governance frameworks and the regulations and standards that apply to you. These include the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS) v4.0, among others to which the CIS security best practices map.


Figure: Frameworks provided with CIS Controls mapping


But you may face challenges along the way. The most prominent obstacles are time, resources, and engagement. A program is only as good as its weakest link, and things are always changing: the element that is your strongest one day can, with a single newly disclosed vulnerability, become your top priority the next.

It's a similar story with your compliance obligations. Your regulatory landscape is changing constantly, which means you need to take a proactive approach by streamlining your compliance efforts where you can. To do this, you need to look for opportunities to consolidate time and resources around activities that span multiple frameworks and/or regulations.

Fortunately, building a robust governance control program is about agility and adaptation. It’s a journey, not a destination.

A Four-Step Process for Sustainable Governance

Addressing risks is not just about the capabilities of today; it also means taking a forward-looking approach that assesses the business context of strategic decisions and their impact on operational controls. Failing to plan is planning to fail. We've therefore come up with the following four-step process for building a governance program founded on sustainability.


Figure: SecureSuite, How to Build a Governance Program (No-Tools)


Establishing a Foundation

Your journey toward robust governance control begins with establishing a solid foundation. A house built on a shaky foundation will collapse over time. The foundation here is a framework of proven practices plus a cultural shift that treats security as a business concern, not a technology problem. Build those practices incrementally, then use them to gauge your overall maturity and chart a path to continuous improvement. You will need to measure and plan for today while looking ahead to where you want to be, and to get that view you need to stand on solid ground. That starts with your governance program.

While navigating this step, it's important for you to understand your regulatory environment and to build the capabilities that let your internal program demonstrate compliance with the requirements of your sector. Bringing in stakeholder and business context aligns practices with risk management and with the specific regulations that apply to your organization's size, type, and data security activities. Controls put in place this way are informed by the requirement behind them, and they enforce compliance as a by-product. Context and business alignment are key; implementing a control for no reason other than compliance is not.

Standardizing Configurations

Standardizing the configuration of your systems is a foundational step to controlling and managing your applications and data. The house analogy works here, as we need the foundational elements strong enough to support the applications and data being processed on top of them. A baseline Level 1 configuration profile is a good practice for all types of processing. If you have systems that hold patient data, student data, financial data, or other highly sensitive information, or that run tightly controlled application processes, a more resilient and restrictive configuration profile is needed. Not all systems require a foundation fit for a skyscraper. Nor should skyscrapers be built on bare ground.

Consistency and continuous assessment are key for completing this step. Some organizations are inclined to approach system configuration with a "set it and forget it" mentality. In reality, system configuration belongs to change management; any deviation from the approved baseline image must be caught and addressed as part of a process of continuous review and assessment. The plan for the system may have started as a small home, but it can soon turn into a hotel.

Continuous Monitoring and Assessment

As with any program over time, your governance program needs maintenance, as it will face many structural stresses, including organizational growth, shifts in strategic focus, upgrades, and new systems and applications. Treating these as a program of continuous assessment requires care and attention, because the risks, the regulatory requirements and frameworks that apply to your industry, and the technology you use to conduct business operations all change over time. Each change should enter an intake process that assesses the viability and sustainability of the current governance controls program.

During this step, technology is less of an issue. The process here is one of alignment and change management. Upgrades or add-ons may help provide a continuous assessment capability, but the planning and preparation of the program should build in checks and balances for the program itself. Much as you assess controls that change over time, you should assess the overarching governance program in the same way. It may have started as an internal program for performing self-assessments, but over time it will be required to keep pace with privacy regulations, changes in business dynamics, or even new regulation for your sector.

Implementing Controls Using the Assessment of Threat-Based Intelligence

Context is consistently mentioned, and we have a few avenues for applying it. One of the most important is the threat landscape. Why address a specific threat when no cyber threat actor (CTA) is specifically targeting your industry with it? You should focus on the threats that are most likely to target your organization and therefore have the greatest potential impact.

For this step, apply controls with context and do not overvalue a control relative to the asset it protects. The simple example is not to pay $1,000 to control a $1 asset. Distribute resources for controls with the same context in mind: put the most resources where the most relevant threats exist, but don't put all your eggs in one basket.

Building a Governance Program with CIS SecureSuite

The process of establishing a foundation, standardizing configurations, continuous monitoring and assessment, and implementing controls using the assessment of threat-based intelligence can be difficult to do on your own. But you don’t have to do it alone. CIS SecureSuite offers a variety of resources designed to aid you in safeguarding your systems and data. It comprises benefits, tools, and resources that can help you implement adequate security measures and control governance using our consensus-driven security best practices.


Let’s now take a look at how you can use a CIS SecureSuite Membership to navigate the four-step process we discussed above.

1. Establish a Foundation with CIS Controls

The CIS Critical Security Controls® (CIS Controls®) consist of 18 prioritized best practices that you can use to improve your cybersecurity defenses, with the order of implementation tailored to your risk profile and available resources. They encompass areas such as inventory and control of enterprise assets, continuous vulnerability management, secure configuration of enterprise assets and software, incident response management, and more.

Each CIS Control breaks down into individual Safeguards, sub-steps that help you work your way through implementing a Control in a way that supports your unique goals, regulatory compliance efforts, and cybersecurity maturity. For ease of use, we've also organized the CIS Controls and Safeguards into Implementation Groups (IGs). We recommend that you start with Implementation Group 1 (IG1), a subset of Controls and Safeguards that delivers essential cyber hygiene against today's most common threats. As your cybersecurity posture matures, you can then move on to Implementation Group 2 (IG2) and Implementation Group 3 (IG3), the latter of which encompasses all 18 Controls and 153 Safeguards.

Applying these Controls ensures that you’re addressing the most significant threats first and doing so in a controlled, measured manner. As a governance tool, the Controls also establish consistent rules for security measures across your organization.

2. Standardize Configurations with CIS Benchmarks

Employing CIS Benchmarks™ ensures that your systems are configured securely. These guidelines help you configure various aspects of your IT infrastructure — from operating systems and software applications to network devices. What’s more, the Benchmarks map to the Controls, which means you can extend the fundamentals of a cyber defense program and concerted compliance effort across individual operating systems that you’ve deployed in your environments.

The CIS Benchmarks are consensus-based and developed with input from a vast community of security professionals. This means your configuration standards will be current and align with industry best practices. Standardization is a crucial governance principle; CIS Benchmarks help you to achieve this by providing clear configuration guidelines for your organization based upon the level of protection you need. Most Benchmarks contain multiple configuration profiles, with the Level 1 profile providing base-level recommendations. For added security, you can implement the Level 2 profile or the STIG profile that contains all recommendations specific to the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG).

CIS Benchmarks are available for free to everyone, but in this form, they require you to manually implement each of their hardening recommendations. This changes when you become a CIS SecureSuite Member and receive access to the CIS Build Kits. Available as Group Policy Objects (GPOs) on Windows devices and Bash shell scripts on Linux machines, CIS Build Kits automate the remediation section of the CIS Benchmarks, thus saving you time and money in applying secure configurations on your systems.

3. Continuous Monitoring and Assessment with CIS-CAT Pro

As we discussed above, monitoring and assessment form the core of a robust governance control program. The pro version of the CIS Configuration Assessment Tool (CIS-CAT® Pro) compares your system configurations and settings against the secure recommendations of the CIS Benchmarks. It provides real-time and continuous assessment, enabling you to understand your security posture accurately and make necessary adjustments promptly. CIS-CAT Pro also includes a Dashboard that tracks your compliance over a recent period so that you can measure progress and plan ahead. This shows not only that you implemented your security measures but also that they are still being followed. As a governance tool, this provides transparency, accuracy, and accountability in your security management.
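The standardization step above (a Level 1 baseline for every system, a stricter Level 2 profile for sensitive ones, and continuous review of drift from the approved image) and the assessment step here both come down to the same mechanics: parse the live configuration, check it against the recommendations that the chosen profile includes, and flag anything that has moved away from the baseline. The following Python is an added illustration of that mechanic and is not CIS-CAT or Build Kit code; the two sshd_config-style snapshots and the four recommendations are constructed for the example and are not taken from any CIS Benchmark.

```python
"""Profile-based configuration assessment with drift detection.

Added example; the snapshots and recommendations below are constructed
and do not reproduce real CIS Benchmark content.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed "approved image" (what change management signed off on).
BASELINE_CONFIG = """\
# sshd_config snapshot taken at image build time
Protocol 2
PermitRootLogin no
MaxAuthTries 4
PasswordAuthentication yes
X11Forwarding no
"""

# Constructed live snapshot: someone re-enabled root login after the fact.
CURRENT_CONFIG = """\
Protocol 2
PermitRootLogin yes
MaxAuthTries 4
PasswordAuthentication yes
X11Forwarding no
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines, ignoring blanks and # comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


@dataclass(frozen=True)
class Recommendation:
    ident: str
    title: str
    profile: int                      # 1 = Level 1, 2 = Level 2 (superset of Level 1)
    key: str
    check: Callable[[str], bool]      # returns True when the value is compliant


# Constructed recommendation set, modelled on the shape of a benchmark, not its content.
RECOMMENDATIONS: List[Recommendation] = [
    Recommendation("ssh-1", "Ensure root login over SSH is disabled", 1,
                   "PermitRootLogin", lambda v: v == "no"),
    Recommendation("ssh-2", "Ensure MaxAuthTries is 4 or less", 1,
                   "MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4),
    Recommendation("ssh-3", "Ensure X11 forwarding is disabled", 1,
                   "X11Forwarding", lambda v: v == "no"),
    Recommendation("ssh-4", "Ensure password authentication is disabled", 2,
                   "PasswordAuthentication", lambda v: v == "no"),
]


def assess(settings: Dict[str, str], profile: int) -> Dict[str, bool]:
    """Evaluate every recommendation the profile includes.

    A missing key fails closed: absence of a setting is never treated as compliant,
    because the daemon default may be weaker than the recommendation.
    """
    results: Dict[str, bool] = {}
    for rec in RECOMMENDATIONS:
        if rec.profile > profile:
            continue
        value: Optional[str] = settings.get(rec.key)
        results[rec.ident] = value is not None and rec.check(value)
    return results


def score(results: Dict[str, bool]) -> float:
    """Fraction of evaluated recommendations that pass (0.0 when nothing was evaluated)."""
    if not results:
        return 0.0
    return sum(1 for ok in results.values() if ok) / len(results)


def drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Settings whose value differs from the approved image: (baseline, current) per key."""
    keys = set(baseline) | set(current)
    return {k: (baseline.get(k), current.get(k)) for k in sorted(keys)
            if baseline.get(k) != current.get(k)}


if __name__ == "__main__":
    base, live = parse_kv(BASELINE_CONFIG), parse_kv(CURRENT_CONFIG)
    for profile in (1, 2):
        print(f"Level {profile} on live config:", assess(live, profile), f"score={score(assess(live, profile)):.2f}")
    print("Drift from approved image:", drift(base, live))
```

Two design points carry over to real tooling: a setting that is absent is a failure, not a pass, and drift is reported against the approved baseline rather than only against the benchmark, so a change that is still "compliant" but was never approved through change management still surfaces.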

CIS SecureSuite’s impact on monitoring and assessment doesn’t end there. As a Member, you also receive access to the pro version of the CIS Controls Self Assessment Tool (CIS CSAT Pro). You can use this resource to track and prioritize your implementation of the Controls over time, including by identifying gaps and planning out tasks for the future. As a result, you can take a strategic approach to strengthening your cyber defenses and complying with industry regulations/frameworks in a way that works for your organization.

4. Utilizing the Community Defense Model

Lastly, the CIS Community Defense Model (CDM) v2.0 emphasizes the value of implementing Controls using threat-based intelligence together with attack tactics and techniques. When paired with CIS CSAT Pro, CDM v2.0 gives you a plan for defending against today's most common cyber threats. It shows that by implementing the IG1 Safeguards you can defend against at least three-quarters of the MITRE ATT&CK (sub-)techniques associated with malware, ransomware, phishing, and other top cyber attacks.


Figure 1: CDM v2.0 attack pattern analysis


By incorporating this model into your governance control program, you gain a way to assess controls against the threats your organization actually faces and to keep control selection continuously aligned with the attack techniques you are trying to prevent.
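The "three-quarters of techniques" figure is the output of a coverage calculation: take the ATT&CK techniques observed in an attack pattern, take the techniques that the Safeguards you have implemented mitigate, and intersect the two. The same data also answers the prioritization question from the threat-based step above, namely which unimplemented Safeguard closes the most uncovered techniques. The Python below is an added illustration of that calculation, not CDM's own data or method; the technique sets per attack pattern and the Safeguard-to-technique mapping are constructed for the example (the Safeguard numbers echo CIS Controls v8 identifiers, but the mitigations assigned to them here are illustrative, not CDM's).

```python
"""Coverage and prioritization over a Safeguard-to-ATT&CK mapping.

Added example with constructed data; the mapping below is illustrative
and is not the Community Defense Model's actual analysis.
"""
from typing import Dict, List, Set, Tuple

# Constructed: techniques observed in each attack pattern.
ATTACK_PATTERNS: Dict[str, Set[str]] = {
    "ransomware": {"T1566", "T1078", "T1059", "T1021", "T1486", "T1490"},
    "phishing":   {"T1566", "T1204", "T1078"},
}

# Constructed: which techniques each Safeguard is assumed to mitigate.
SAFEGUARD_MITIGATES: Dict[str, Set[str]] = {
    "5.2":  {"T1078"},            # unique passwords
    "6.3":  {"T1078"},            # MFA for externally exposed applications
    "10.1": {"T1059"},            # anti-malware
    "11.2": {"T1486", "T1490"},   # automated backups
    "14.1": {"T1566", "T1204"},   # security awareness program
    "13.3": {"T1021"},            # network intrusion detection (assumed IG2 here)
}

IMPLEMENTED_IG1: Set[str] = {"5.2", "6.3", "10.1", "11.2", "14.1"}


def mitigated_by(safeguards: Set[str]) -> Set[str]:
    """Union of techniques mitigated by a set of Safeguards."""
    out: Set[str] = set()
    for sg in safeguards:
        out |= SAFEGUARD_MITIGATES.get(sg, set())
    return out


def coverage(pattern: str, implemented: Set[str]) -> Tuple[float, Set[str]]:
    """Return (fraction of the pattern's techniques covered, techniques still uncovered)."""
    techniques = ATTACK_PATTERNS[pattern]
    covered = techniques & mitigated_by(implemented)
    return len(covered) / len(techniques), techniques - covered


def prioritize(implemented: Set[str], patterns: List[str]) -> List[Tuple[str, int]]:
    """Rank unimplemented Safeguards by how many currently uncovered techniques they close.

    Ties are broken by Safeguard identifier so the output is stable.
    """
    uncovered: Set[str] = set()
    for p in patterns:
        uncovered |= coverage(p, implemented)[1]
    candidates = []
    for sg, techs in SAFEGUARD_MITIGATES.items():
        if sg in implemented:
            continue
        gain = len(techs & uncovered)
        if gain:
            candidates.append((sg, gain))
    return sorted(candidates, key=lambda c: (-c[1], c[0]))


if __name__ == "__main__":
    for pattern in ATTACK_PATTERNS:
        frac, gaps = coverage(pattern, IMPLEMENTED_IG1)
        print(f"{pattern}: {frac:.0%} covered, uncovered={sorted(gaps)}")
    print("next Safeguards to implement:", prioritize(IMPLEMENTED_IG1, list(ATTACK_PATTERNS)))
```

With real CDM data the technique sets are far larger, but the governance use is identical: the coverage fraction is the number you report upward, and the prioritized list is what goes into the CSAT Pro task plan.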

Get Your Governance Control Program Going

Leveraging CIS SecureSuite resources helps you to build a comprehensive and efficient governance control program. Its components provide you with a blueprint to design, implement, and monitor cybersecurity controls, aiding you in managing digital risks better, fostering a robust cybersecurity culture, and meeting compliance obligations in your industry. 

Cybersecurity isn't just a technical issue; it's a governance issue. By effectively using CIS SecureSuite’s complement of practical guidance, you can lay the groundwork for a robust governance control program that ensures security measures are in place, adhered to, and continuously improved.

In the next blog post, we’ll discuss how you can shift your focus to risk mitigation as a means of preparing for an audit.

About the Author

Sean Atkinson
Chief Information Security Officer

Sean Atkinson is Chief Information Security Officer of CIS. He uses his broad cybersecurity expertise to direct strategy, operations, and policy to protect CIS’s enterprise of information assets. His job responsibilities include risk management, communications, applications, and infrastructure. Prior to CIS, he served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk and Compliance (GRC) across the globe.

Prior to GLOBALFOUNDRIES, Atkinson led the security implementation for the New York State Statewide Financial System (SFS) implementation from 2007 to 2014, and his last role and responsibility was as the Internal Control, Risk and Information Security Manager.

Atkinson was born in Brooklyn, N.Y. and lived in England for 18 years, graduating from Sheffield Hallam University in 2000. After moving back to the United States, he has pursued multiple degrees and certifications in the IT arena.

In addition to his work with CIS, Atkinson is also an adjunct professor of Computer Science at the College of Saint Rose.