Reading a list of cybersecurity compliance frameworks is like looking at alphabet soup: NIST CSF, PCI DSS, HIPAA, FISMA, GDPR…the list goes on. It’s easy to be overwhelmed, and not only because of the acronyms. Many frameworks do not tell you where to start or exactly how to become compliant. Cybersecurity best practices from the Center for Internet Security (CIS) provide prioritized, prescriptive guidance for a strong cybersecurity foundation. And, they support your efforts toward compliance with the aforementioned alphabet soup.
When developing your cybersecurity compliance plan, consider the elements below to ensure you have a solid foundation:
- Prioritize your approach. Focus on foundational actions that deliver the greatest security benefit while also moving you toward your compliance goals. Consider how a single security action (such as implementing two-factor authentication) can satisfy requirements in several frameworks at once.
- Keep accurate records. How will you know when you’ve reached compliance? Ensure your organization is on the right path by documenting efforts and measuring compliance activities. Automated tooling can help your organization manage this at scale.
Trusted, no-cost resources from CIS
CIS offers multiple resources to help organizations get started with a compliance plan that also improves cyber defenses. Each of these resources is developed through a community-driven, consensus-based process. Cybersecurity specialists and subject matter experts volunteer their time to ensure these resources are robust and secure.
CIS Controls
What they are: The CIS Controls approach cyber defense with prioritized and prescriptive security guidance. There are 20 top-level CIS Controls and 171 Sub-Controls, prioritized into three Implementation Groups (IGs). The IGs prioritize cybersecurity actions based on an organization's maturity level and available resources. Implementation Group 1 (IG1) is a specific subset of Sub-Controls chosen from the overall CIS Controls: a foundational set of actions for every enterprise, especially those with limited resources or expertise. The safeguards in IG1 can serve as the basis for an action plan for basic cyber hygiene.
Related compliance frameworks: The CIS Controls are mapped to or referenced by several industry and legal frameworks, for example:
- NIST CSF
- ISO 27001:2013
- Ohio Data Protection Act
CIS Benchmarks
What they are: The CIS Benchmarks provide robust, consensus-based guidelines for hardening operating systems, servers, cloud environments, and more. They explain not only what to configure but also why that configuration is recommended. CIS Benchmarks contain annotations explaining how each recommendation relates to the CIS Controls.
Compliance frameworks they support: The CIS Benchmarks are referenced by several industry frameworks and standards, including:
While each of these no-cost options goes a long way toward helping you develop a solid compliance plan, note that these resources must be implemented manually. By investing in the right tools, your organization can speed the path from policy to implementation.
Assessing and remediating at scale
If the first step toward compliance is identifying how you will do it and measure success, the second step is to figure out how to do it at scale so your entire organization is protected.
CIS SecureSuite Membership
Organizations around the world leverage CIS SecureSuite Membership to help them implement cybersecurity best practices and reach compliance. Membership provides security tools and resources to help you speed policy to implementation:
- To assess configuration, CIS SecureSuite Members use CIS-CAT Pro Assessor and its Dashboard component. From the Dashboard, you can conduct remote endpoint assessments to check a target’s conformance to the CIS Benchmark configuration guidelines.
- CIS-CAT Pro Dashboard provides interactive graphs displaying endpoint conformance over time, allowing users to drill down into each assessment to examine noncompliant settings.
- Members receive access to full-format CIS Benchmark files as well as CIS Build Kits for rapid Benchmark application to endpoints.
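To make the assessment step concrete, here is an added illustration (not CIS-CAT Pro, a CIS Build Kit, or any other CIS code) of what a benchmark-style conformance check does: each rule states a setting, the expected value and the rationale, the way a Benchmark recommendation does; an assessor parses the target's configuration and reports pass or fail per rule; and a conformance percentage is computed, the kind of figure a dashboard tracks over time. The four rules are modelled on common sshd_config hardening recommendations, but the rule IDs, the daemon defaults assumed for absent keywords, and the two sample configurations are constructed for this example and are not quotations from a CIS Benchmark.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str                   # hypothetical id for this example, not a CIS number
    keyword: str                   # sshd_config keyword
    expected: str                  # human-readable expected value
    passes: Callable[[str], bool]  # predicate on the observed value
    default: str                   # value sshd uses when the keyword is absent (assumed)
    rationale: str                 # why the setting matters, as a Benchmark would explain


# Rules modelled on typical SSH hardening recommendations (assumptions for this example).
RULES: List[Rule] = [
    Rule("ssh-01", "PermitRootLogin", "no", lambda v: v.lower() == "no", "prohibit-password",
         "Root should log in as an individual user and escalate, for accountability."),
    Rule("ssh-02", "MaxAuthTries", "4 or fewer", lambda v: v.isdigit() and int(v) <= 4, "6",
         "Limits password-guessing attempts per connection."),
    Rule("ssh-03", "PermitEmptyPasswords", "no", lambda v: v.lower() == "no", "no",
         "Accounts with empty passwords must not be reachable over SSH."),
    Rule("ssh-04", "X11Forwarding", "no", lambda v: v.lower() == "no", "no",
         "Reduces exposure of the client display to a compromised server."),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {keyword_lower: value}, keeping the FIRST occurrence of each keyword.

    sshd uses the first obtained value for a keyword, so a later duplicate does not
    override it; a last-wins parser would misreport such a file. Keywords may be
    separated from values by whitespace or by a single '='. Match blocks are not
    modelled here, so every line is treated as a global setting.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2 or not parts[1]:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def assess(config_text: str, rules: List[Rule] = RULES) -> List[Tuple[str, str, str]]:
    """Evaluate each rule against the config; returns (rule_id, observed, 'pass'|'fail')."""
    settings = parse_sshd_config(config_text)
    results = []
    for rule in rules:
        observed = settings.get(rule.keyword.lower(), rule.default)
        results.append((rule.rule_id, observed, "pass" if rule.passes(observed) else "fail"))
    return results


def conformance_score(results: List[Tuple[str, str, str]]) -> float:
    """Percentage of rules passed, rounded to one decimal place."""
    if not results:
        return 0.0
    passed = sum(1 for _, _, status in results if status == "pass")
    return round(100.0 * passed / len(results), 1)


def report(config_text: str, rules: List[Rule] = RULES) -> str:
    """Human-readable findings, one line per rule, plus the overall score."""
    results = assess(config_text, rules)
    lines = [f"{status.upper():4} {rid} {rule.keyword}={observed!r} "
             f"(expected {rule.expected}) -- {rule.rationale}"
             for (rid, observed, status), rule in zip(results, rules)]
    lines.append(f"conformance: {conformance_score(results)}%")
    return "\n".join(lines)


# Constructed sample configurations, not taken from any real host.
BEFORE = """\
Port 22
PermitRootLogin yes
MaxAuthTries 10
X11Forwarding yes
# the later duplicate below does NOT win in sshd, so the rule still fails
PermitRootLogin no
"""

AFTER = """\
Port 22
PermitRootLogin no
MaxAuthTries = 4
PermitEmptyPasswords no
X11Forwarding no
"""

if __name__ == "__main__":
    print(report(BEFORE))
    print()
    print(report(AFTER))
```

Running the block prints one finding per rule for each sample: the constructed BEFORE file scores 25% (only PermitEmptyPasswords passes, via the assumed daemon default), and the hardened AFTER file scores 100%. The first-occurrence handling is the detail worth noticing: a remediation that appends a corrected line to the end of sshd_config leaves the host non-conformant, and an assessor that read the last value would not catch it.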
Compliance is a journey
Achieving full compliance to any cybersecurity standard is a challenge – but it’s a goal worth striving for. With CIS’s consensus-developed resources, the task gets a little easier. Your team can build out a compliance plan, implement best practices, and limit the effectiveness of cybersecurity attacks. To kick-start your compliance journey with automated tools and proven, trusted resources, apply for CIS SecureSuite Membership today.