Jumpstart Your Security Program with Essential Cyber Hygiene

New resource, "Establishing Essential Cyber Hygiene," can assist U.S. State, Local, Tribal, and Territorial public organizations apply CIS Safeguards in Implementation Group 1. 

Many cyber attacks can be attributed to a lack of good cyber hygiene. Failing to patch known vulnerabilities, poor configuration management, and inefficient management of administrative privileges are just some ways to invite risks into an enterprise's network that can put day-to-day and long-term operations in jeopardy. These failures primarily trace back to the complexity of modern systems management and "The Fog of More" – an overload of defensive support (i.e., more options, more tools, more knowledge, more advice, and more requirements, but not always more security).

Bringing Essential Cyber Hygiene into Focus

To prevent teams from getting overwhelmed, any large-scale cybersecurity program needs a way to bring focus to the most effective and fundamental things that need to be done. They need to practice essential cyber hygiene. The Center for Internet Security (CIS) defines essential cyber hygiene as Implementation Group 1 (IG1) of the CIS Critical Security Controls (CIS Controls). Essential cyber hygiene is the foundation for any good cybersecurity program and represents a minimum standard of information security for all enterprises.



CIS and its divisions, the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC), have taken the notion of essential cyber hygiene one step further with the release of "Establishing Essential Cyber Hygiene." The guide provides an overview of each Safeguard in IG1 and explains why they are important to implement. Supplementary resources, tools, and policy templates are also included in the guide. Additionally, the guide aligns with the MS-ISAC's Nationwide Cybersecurity Review (NCSR) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to help organizations measure their security improvements against their peers using industry-leading recommendations.

Getting Started with Essential Cyber Hygiene

When tasked with implementing a cybersecurity program, many enterprises ask “How do we get started?” The answer is simple: start with essential cyber hygiene.

IG1 of the CIS Controls consists of a foundational set of 56 Safeguards that defend against the most common cyber attacks. IG2 and IG3 build upon IG1, which is the on-ramp to the CIS Controls and also the definition of essential cyber hygiene. By defining IG1 as essential cyber hygiene, we're able to specify tools that can implement these essential security actions, use measurements to track an enterprise's progress or maturity, and leverage reporting to manage an enterprise improvement program. IG1 is not just another list of good things to do; it is an essential set of steps that provides a viable defense against the top attacks – malware, ransomware, web application hacking, insider and privilege misuse, and targeted intrusions – as outlined in the CIS Community Defense Model (CDM) v2.0. CDM v2.0 data backs the premise that all enterprises should start with essential cyber hygiene, or IG1, as a way to defend against these top five attack types. 

Ready to find out more on how to jumpstart your cybersecurity program? Download our Establishing Essential Cyber Hygiene guide.