Where Risks Meet Controls
By Sean Atkinson, Chief Information Security Officer, CIS
Using the CIS Controls to define and identify risk
The implementation of the CIS Controls is a best practice standard to help organizations align internal security controls to a consensus-based collection of cyber-risk mitigation strategies. The integration of a risk management program with the CIS Controls can define how a company identifies risk and how it can be treated. Treatment strategies come in the form of remediation steps to lower exposure to risk from vulnerabilities and threats to computer systems and business processes.
How the CIS Controls can help
CIS Controls Version 6.1 contains a total of 20 controls. How each CIS Control is implemented will vary by organization. To define the need for a control, a risk must be present that needs to be treated. Identification of these risks may go undetected by many organizations, and so the CIS Controls can provide a helpful starting point of evaluation.
By turning each of the CIS Controls into a question and analyzing your answers to each, your organization can gain major insights into its risk identification and management. Start by reviewing CIS Control 1 – Inventory of Authorized and Unauthorized Devices – as part of a risk identification exercise:
Question: Can your organization define and detail all its hardware assets? Be sure to include laptops, BYOD (Bring-Your-Own-Device) mobile devices, and printers.
Asking this question can generate additional scenarios to identify risk:
- Are there any connected assets which are not authorized to be on your network?
- Are all assets configured securely?
- What role does each asset play in your organization’s processes?
- What data is stored on each asset?
These are high-level ideas to start the conversation in regards to risk and its identification. The use of the CIS Controls can generate questions that identify gaps and weaknesses to implement a level of risk management and respective control over your organization’s assets, data and systems.