Faith-based Nonprofit Uses CIS Controls as the Baseline Framework

A worldwide faith-based, non-profit organization uses the CIS Controls as its basis for enterprise technical security controls.

A security program manager (PM) for the organization noted that the CIS Controls provide basic, effective security safeguards that can be implemented across a variety of business units within the organization.

Adopting the CIS Controls

For the past four years, the organization has been steadily integrating the CIS Controls into its cybersecurity program. According to the PM, the CIS Controls help the organization detect, prevent, and respond to both common and advanced attacks. During 2016, the organization updated to version 6 of the controls, and organized them into three maturity levels:

  1. minimum security controls that everyone should be expected to meet,
  2. moderate security controls to protect systems that have confidential information, and
  3. advanced security controls for the most sensitive systems.

The PM and his team are always mindful of how CIS Controls impact operations and activities within the organization, and regularly communicate with a wide variety of stakeholders to discuss security control prioritization and effectiveness. Additionally, they hold an annual review meeting to get direct feedback from providers and implementers. These practices improve both business and security decisions.

When asked why the organization selected the CIS Controls, the PM stated, “They are practical and effective.” He explained that most security practitioners are aware of the CIS Controls. “When we talk about them, we never receive pushback, because they are something that everybody understands we need to do.” CIS Controls are well known even to upper management.

Fitting the Organization’s Needs

Preparedness is key, according to the PM. While the organization uses ISO and other frameworks in its security program, he noted, “We focus on practical means that are simple and efficient. That is why our technical controls are based on the CIS Controls and we map those to other regulations such as HIPAA, ISO, and PCI. It suits our needs.”

The organization tracks progress by business unit and communicates to management through dashboards and other reports. The PM emphasized that organizations need to dig into each control to understand how the recommendations could apply to the organization; they track more than 500 unique implementations by technology. Each of these has a clear owner, description, and expected result. Though controls are self-assessed, they are reviewed by an internal auditing group that checks the outcomes and provides feedback for remediation. This independent assessment is essential to maintaining quality over the long term. The PM expects to continue to improve this program over the next five years as a commitment to the organization.