Reading a list of cybersecurity compliance frameworks is like looking at alphabet soup: NIST CSF, PCI DSS, HIPAA, FISMA, GDPR…the list goes on. It’s easy to be overwhelmed, and not only because of the acronyms. Many frameworks do not tell you where to start or exactly how to become compliant.
Cybersecurity best practices from the Center for Internet Security (CIS) provide prioritized and prescriptive guidance for a strong cybersecurity foundation. Also, they support your organization’s efforts toward compliance with the aforementioned alphabet soup.
When developing your cybersecurity compliance plan, consider these elements to ensure a solid foundation:
- Prioritize your approach. Focus on foundational actions that will help your organization actualize maximum cybersecurity benefits while moving toward compliance goals. Think about the ways one security action (such as implementing two-factor authentication) might work to support multiple frameworks.
- Keep accurate records.How will you know when compliance has been achieved? Ensure your organization is on the right path by documenting efforts and measuring compliance activities. Automated tooling can help your organization manage this at scale.
Trusted, no-cost resources from CIS
CIS offers multiple resources to help organizations get started with a compliance plan that also improves cyber defenses. Each of these resources is developed through a community-driven, consensus-based process. Cybersecurity specialists and subject matter experts volunteer their time to ensure these resources are robust and secure.
What they are: The CIS Controls offer an approach to cyber defense with prioritized and prescriptive security guidance. There are 18 top-level CIS Controls (in v8) and 153 Safeguards (formerly Sub-Controls), prioritized into three Implementation Groups (IGs). The CIS Controls IGs prioritize cybersecurity actions based on organizational maturity level and available resources.
Related compliance frameworks: The CIS Controls are mapped to or referenced by many industry and legal frameworks, including:
- NIST CSF
- Cybersecurity Maturity Model Certification (CMMC)
- Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
What they are: The CIS Benchmarks provide robust consensus-based guidelines for hardening operating systems, servers, cloud environments, and more. They not only explain what to do but also why that configuration is recommended. CIS Benchmarks contain annotations explaining how they relate to the CIS Controls.
Compliance frameworks they support: The CIS Benchmarks are referenced by several industry frameworks and standards, including:
While each of these no-cost options can go a long way towards helping you develop a solid compliance plan, these resources need to be manually implemented. By investing your resources in the right tools, your organization can speed development of policy to implementation.
Assessing and remediating at scale
If the first step toward compliance is identifying how you will do it and measure success, the second step is to figure out how to do it at scale so your entire organization is protected.
CIS SecureSuite Membership
Organizations around the world leverage CIS SecureSuite Membership to help them implement cybersecurity best practices and reach compliance. Membership provides security tools and resources to help you accelerate from policy to implementation:
- To assess configuration, CIS SecureSuite Members use CIS-CAT Pro Assessor and its Dashboard component. From the Dashboard, you can conduct remote endpoint assessments to check a target’s conformance to the CIS Benchmark configuration guidelines.
- CIS-CAT Pro Dashboard provides interactive graphs displaying endpoint conformance over time, allowing users to drill down into each assessment to examine non-compliant settings.
- Members receive access to full-format CIS Benchmark files as well as CIS Build Kits for rapid Benchmark application to endpoints.
Compliance is a journey
Achieving full compliance to any cybersecurity standard is a challenge – but it’s a goal worth striving for. With CIS’s consensus-developed resources, the task gets a little easier. Your team can build out a compliance plan, implement best practices, and limit the effectiveness of cybersecurity attacks.
To kick-start your compliance journey with automated tools and proven, trusted resources, apply for CIS SecureSuite Membership today. Learn more about CIS SecureSuite Membership