CIS Critical Security Controls

In the earlier post, we discussed CIS Security Benchmarks and how it can be useful to public or private organizations. In this post, we will explore some of the CIS Critical Security Controls.

The CIS Critical Security Controls, also known as CIS Controls, are a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks. The CIS controls are developed, refined and validated by a community of leading experts around the world. Though it’s widely considered that by applying top 5 CIS controls, an organization should be able to reduce 85 percents of risk related to cyberattack, we will review all 20 CIS controls here for clarity sake.

  1. CSC # 1: Inventory of Authorized and Unauthorized Device
  2. CSC # 2: Inventory of Authorized and Unauthorized Software
  3. CSC # 3: Secure Configurations for Hardware and Software
  4. CSC # 4: Continuous Vulnerability Assessment and Remediation
  5. CSC # 5: Controlled Use of Administrative Privileges
  6. CSC # 6: Maintenance, Monitoring, and Analysis of Audit Logs
  7. CSC # 7: Email and Web Browser Protections
  8. CSC # 8: Malware Defenses
  9. CSC # 9: Limitation and Control of Network Ports
  10. CSC # 10: Data Recovery Capability
  11. CSC # 11: Secure Configurations for Network Devices
  12. CSC # 12: Boundary Defense
  13. CSC # 13: Data Protection
  14. CSC # 14: Controlled Access Based on the Need to Know
  15. CSC # 15: Wireless Access Control
  16. CSC # 16: Account Monitoring and Control
  17. CSC # 17: Security Skills Assessment and Appropriate Training to Fill Gaps
  18. CSC # 18: Application Software Security
  19. CSC # 19: Incident Response and Management
  20. CSC # 20: Penetration Tests and Red Team Exercises

Each of these controls has its own sub-control, which has it’s own threshold metrics (from Low Risk, Medium Risk, or High Risk). For example, our first control states that we should have an inventory of authorized and unauthorized devices. First sub-control requires us to deploy an “automated” asset inventory discovery tool and as a part of that our metric should be How many “Unauthorized” Devices present in our network at a given time. If that number is somewhere between 0-1%, that’s considered Low Risk. If that number is between 1-4%, it’s medium risk while anything above 4% is considered High Risk – and appropriate actions should be taken to mitigate such risks!

CIS Security Benchmarks

In the earlier post we talked about CIS (Center for Internet Security) and now we will take a deep dive into one of the area where CIS is focused on – Security Benchmarks.



CIS Security Benchmarks are consensus-based best practices derived from industry and they are completely vendor agnostic – thus no need to worry if today you are working with one vendor and next week you decided to move on to another vendor.

It covers multiple grounds for managing security in private or public organizations but mainly it covers:

  • secure configurations benchmarks
    • These are the recommended technical settings for operating systems, middleware, software applications and network devices. It also includes some of the cloud-related benchmarks, such as AWS Foundation Benchmarks where how to secure your AWS components – such as best practices with IAM, CloudTrail, CloudWatch etc.
  • automated configuration assessment tools and content
    • CIS’s Configuration Assessment Tool (CIS-CAT) is a tool for analyzing and monitoring the security status of information systems and the effectiveness of internal security controls and processes. This tool reports a target system’s conformance with the recommended settings in the Security Benchmarks.
  • security metrics
    • CIS has identified set of security metrics to be watched, create data related to those metrics, identify the results of such metrics and present them in an effective manner to stakeholders. Per CIS, there are twenty metrics to choose from distributed across business functions – such as Incident Management, Vulnerability Management, Patch Management, Configuration Management, Change Management, Application Security and Financial metrics.
  • security software product certifications


CIS: Center for Internet Security

The Center for Internet Security (CIS) is an organization dedicated to enhancing the Cybersecurity readiness and response among public and private sector entities. Utilizing its strong industry and government partnerships, CIS combats evolving Cybersecurity challenges on a global scale and helps organizations adopt key best practices to achieve immediate and effective defenses against cyber attacks. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), CIS Security Benchmarks, and CIS Critical Security Controls.
CIS mission is to:
  • Identify, develop, validate, promote, and sustain best practices in cybersecurity;
  • Deliver world-class security solutions to prevent and rapidly respond to cyber incidents; and
  • Build and lead communities to enable an environment of trust in cyberspace.

CIS live by the values as published:

  • Operate with Integrity
  • Commit to Excellence
  • Embody Collaboration
  • Focus on our Partners
  • Support our Employees
  • Promote Teamwork
  • Remain Agile

There are two resources of CIS which we will take a deep dive on:

  • Secure Configuration Guides (aka “Benchmarks”)
  • “Top 20” Critical Security Controls (CSC)
Benchmarks vs. Critical Security Controls:
  • Benchmarks are technology specific checklists that provide prescriptive guidance for secure configuration
  • CSCs are security program level activities:
    • Inventory your items
    • Securely configure them
    • Patch them
    • Reduce privileges
    • Train the humans
    • Monitor the access
CIS Benchmarks:
  • 140 benchmarks available here
  • AWS CIS Foundations Benchmark here