For a lot of small businesses, complying with security standards is a hassle. The popular standards are complex and include a large number of controls that scare off SMEs. This is largely due to a lack of funds, which in turn means a lack of experts and of the required technological controls. Since this is very common, a lot of SMEs overlook the need for security and plan to incorporate it at a later stage, when more funds are available to meet the requirements.
This is where the CIS-18 comes in. We could say that this security standard was built with SMEs in mind. It has a list of 18 controls, otherwise known as action points. These controls can be implemented all at once where the resources are available, or in groups to make the effort cost-effective. The CIS-18 (the outcome of CIS Controls v8) consists of the following controls:
1: Inventory and Control of Enterprise Assets
2: Inventory and Control of Software Assets
3: Data Protection
4: Secure Configuration of Enterprise Assets and Software
5: Account Management
6: Access Control Management
7: Continuous Vulnerability Management
8: Audit Log Management
9: Email and Web Browser Protections
10: Malware Defenses
11: Data Recovery
12: Network Infrastructure Management
13: Network Monitoring and Defense
14: Security Awareness and Skills Training
15: Service Provider Management
16: Application Software Security
17: Incident Response Management
18: Penetration Testing
It has a tiered model called Implementation Groups (IGs) that SMEs can use to match the controls to the resources they actually have, which makes it ideal for them. The IGs are based on the risk profile of the organization and the resources available to implement the CIS standard. There are three IGs, explained as follows:
- Implementation Group 1: Organizations in this group have very limited resources and cannot employ security experts to secure their information assets. Their focus is to keep the business running, limit downtime as much as they can and maximise profit. This IG is usually called “cyber hygiene” and represents the minimum standard of information security. It consists of 56 safeguards against the most common attacks. These safeguards are mainly about understanding the people, software and devices that could have access to your company data.
- Implementation Group 2: IG2 builds upon IG1, meaning all the safeguards in IG2 are implemented in addition to those in IG1. Organizations within this IG employ individuals who are responsible for managing the IT infrastructure. It adds 74 safeguards, some of which will require special expertise to install and configure. IG2 enterprises often store and process sensitive client or enterprise information and can withstand short interruptions of service. A major concern is the loss of public confidence if a breach occurs.
- Implementation Group 3: Just like IG2, IG3 builds on IG1 and IG2. It consists of an additional 23 safeguards, bringing the total to 153. Organizations in this group have the resources to employ security experts who specialize in different aspects of security (e.g. application security, risk management, penetration testing). Their information assets contain sensitive information that is subject to regulatory and compliance oversight. An IG3 organization must ensure the confidentiality, integrity and availability of sensitive data. Successful attacks will cause significant harm to the public welfare.
Although the IG model is a guide to applying the CIS controls, organizations should still strive to implement the controls that are relevant to them, based on their available resources, risk appetite and business objectives.
With the current rise in cyber-attacks and their devastating effect on businesses, CyberPlural is here to help provide the continuity and support businesses need to stay resilient and respond in the face of attacks. Our approach to cybersecurity is not one-size-fits-all but multi-faceted, taking into consideration the people, processes and technology in place, to suit each customer’s situation and environment.