A Midwestern State Credit Union uses CIS Controls

A Midwestern State Credit Union Relies on CIS Controls

We recently spoke with the Information Security Manager (ISM) of a large credit union with over 200,000 members who use the Center for Internet Security Critical Security Controls (CIS Controls) as their primary framework.  The credit union is recognized as one of the largest in their home state providing an array of financial services including a wide array of consumer loan products, checking, savings, investment products, credit and debit cards, as well as many electronic services.  The credit union’s ISM with over 25 years of experience stated, “The CIS Controls are the primary tool used to determine what we need to do first and extremely valuable from a strategy standpoint.”

Prioritization and Buy-In

When asked why they selected the CIS Controls, the ISM stated, “I have been aware of the CIS Controls for a long time.  When joining the credit union, it was an opportunity for a fresh build and we had buy-in from the Board on down.  We adopted the CIS Controls from a measurement standpoint and to lay out an overall timeline for projects and prioritizing those projects.  We address all 20 of the CIS Controls to be able to report to leadership actionable things and to show progress as well”.  The credit union also refers to the NIST framework.

Risk Register

The ISM created a risk register spreadsheet as the methodology to establish the risk for an extensive list of IT assets.  The risk register is not limited to vulnerability scans, audit findings, pen test findings, standard questions, etc. but also for risk scoring.  The FFIEC assessment tool is used to measure the maturity of inherent risk to IT risk along with the likelihood and impact.  Overlaps are identified for inherent risk which is compared to the IT risk.  From there, a list to remediate overlaps are noted.  Having an assessment which is point-in-time is beneficial to having an up-to-date scorecard with a risk burn down.

Commitment to Cybersecurity

As with any effective cybersecurity strategy, organizational buy-in and a deep understanding of the framework is essential. This major credit union relies on excellent management and executive support in their plan to implement the CIS Controls. By investing in a stronger security posture and automated tools, this organization is demonstrating a commitment to achieving cyber maturity.