Prepare for a Cybersecurity Incident with the Organizational CIS Controls

As cyberattacks continue making headlines, it’s more critical than ever to mitigate risk and enhance your institution’s cybersecurity posture with the proper security controls.

CIS Controls Defined

The Center for Internet Security (CIS) Controls are a prioritized set of cybersecurity safeguards that grew out of a public-private effort involving CIS, the SANS Institute, the Department of Defense and the National Security Agency. They are intended to help organizations of all types and sizes decide which defenses to put in place first.

The CIS list includes 20 controls, divided into three categories: Basic (1-6), Foundational (7-16) and Organizational (17-20). (This numbering follows CIS Controls version 7.1; version 8, published in 2021, consolidates the list into 18 controls and drops the Basic/Foundational/Organizational grouping, but the practices described here carry over.) For a refresher, read CSI's blog on practicing cyber hygiene with the 6 Basic CIS Controls, or build on the basics by referencing the blog on the 10 Foundational Controls.

The first 16 CIS Controls focus on technical measures that keep organizations safe from cyber threats. Technology, its configuration and the associated safeguards are essential, but organizations cannot ignore the role that people and processes play in cyber defense.

The speed with which a possible incident is identified and handled is critical to reducing the impact and severity of a breach. The Organizational CIS Controls (17-20) are meant to help organizations prepare, as an institution rather than as a set of systems, for a potential incident.

Control 17: Implement a Security Awareness and Training Program

Overview: Employees are either an organization's strongest defense or its weakest point when it comes to preventing cyberattacks. Organizations should identify gaps in cybersecurity knowledge and educate employees in all roles about the attack vectors they are most likely to meet, such as phishing, phone scams and other forms of social engineering.

Why It Matters: According to Verizon’s 2021 Data Breach Investigations Report, 85% of breaches involved the human element. Many employees do not understand their role in protecting their organization and tend to choose convenience over security.

How It Works: Organizations should create a culture that emphasizes security awareness and encourages employees to report possible incidents. Effective training and awareness programs should be ongoing, so that employees are consistently aware of new threats and how their actions will directly enhance cyber defenses. Incident reporting should receive positive reinforcement, and employees should not be punished for reporting an incident or making mistakes such as clicking on a malicious link.

Control 18: Application Software Security

Overview: Organizations must consistently review purchased and in-house developed software applications for vulnerabilities. When vulnerabilities are discovered, a remediation policy should be in place to quickly correct them.

Why It Matters: Attackers can use known vulnerabilities in applications to enter an organization's network. Developers are usually measured on features and delivery dates, not on the security of what they ship, so vulnerabilities are introduced unless security review is built into the process. This is especially alarming with the rise of supply chain attacks, in which a bad actor targets a software vendor in order to deliver malicious code through seemingly legitimate products or updates.

How It Works: In a supply chain attack, the attacker compromises a vendor's build or distribution systems so that malware, such as ransomware, ships inside a legitimate-looking product or update, giving the attacker a path into the networks of the vendor's customers. Because the update arrives through the normal distribution channel and carries the vendor's name, customers rarely suspect anything until it is too late.
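One check a customer can perform before installing an update is to compare the delivered file against a digest pinned from a channel the attacker is less likely to control (for example, a sha256sum-style manifest retrieved directly from the vendor at deployment time). The following is an added example, not code from the original article or from CIS; the manifest format, file names and update bytes are all constructed for the illustration.

```python
"""Verify a vendor-delivered update against a pinned SHA-256 manifest.

Added illustration, not code from the original article or from CIS. It assumes a
sha256sum-style manifest ("<hex digest>  <filename>") obtained out of band and
pinned locally; the update bytes and file names below are constructed.
"""
import hashlib
import hmac

HEX = set("0123456789abcdef")


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines into {filename: hex_digest}.

    Blank lines and '#' comments are ignored; anything else that is not a
    64-hex-char digest followed by a name is rejected rather than skipped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0].lower()) <= HEX:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        # sha256sum marks binary-mode entries with a leading '*'
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_update(name: str, data: bytes, manifest: dict[str, str]) -> bool:
    """Return True only if data's SHA-256 matches the pinned digest for name.

    A file that is absent from the manifest is rejected, not trusted by default.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison so a mismatch does not leak how many leading
    # characters matched.
    return hmac.compare_digest(actual, expected)


# --- constructed demo data ---------------------------------------------------
# "Trusted" copy: what the vendor's out-of-band channel says the update is.
TRUSTED_UPDATE = b"AGENT-UPDATE v4.2.1\x00" + bytes(range(256))
PINNED_MANIFEST = (
    "# sha256sum output pinned at deployment time (constructed)\n"
    f"{hashlib.sha256(TRUSTED_UPDATE).hexdigest()}  agent-update-4.2.1.bin\n"
)
# Delivered copies: one genuine, one with a single byte altered in transit.
DELIVERED_OK = bytes(TRUSTED_UPDATE)
DELIVERED_TAMPERED = TRUSTED_UPDATE[:40] + b"\xff" + TRUSTED_UPDATE[41:]


def demo() -> dict[str, bool]:
    """Run the three cases a deployment pipeline should distinguish."""
    manifest = parse_manifest(PINNED_MANIFEST)
    return {
        "genuine": verify_update("agent-update-4.2.1.bin", DELIVERED_OK, manifest),
        "tampered": verify_update("agent-update-4.2.1.bin", DELIVERED_TAMPERED, manifest),
        "unlisted": verify_update("agent-update-4.2.2.bin", DELIVERED_OK, manifest),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ACCEPT' if ok else 'REJECT'}")
```

The check is only as strong as the channel the manifest came from: if an attacker who controls the distribution server can also rewrite the manifest, a matching digest proves nothing. A manifest signed by a vendor key you already hold, verified before the digests are trusted, closes that gap; a plain digest pinned from a second channel is the minimum.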

Organizations must be diligent in defining secure development practices and security reviews for all applications, especially web-facing ones. All in-house code should follow a secure coding standard and be tested against the vulnerability classes that apply to it. Purchased applications should be kept up to date through patching and version upgrades. Organizations should track vendor end-of-support dates and budget the time and resources needed to upgrade or replace software before support ends.
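What "tested against the vulnerability classes that apply" looks like in practice, for one class the article does not name but that is common in web-facing code (SQL injection): the vulnerable query next to its hardened form, plus a regression check that can run in CI against every query path. This is an added example, not code from the original article or from CIS; it uses an in-memory SQLite database, and the table, column and account names are constructed.

```python
"""Vulnerable vs. hardened database lookup, with a regression check.

Added example, not code from the original article or from CIS. The schema,
rows and attack string are constructed; the database is in-memory SQLite.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with a few constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("carol", 300)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """String-built query: the caller's input becomes part of the SQL syntax."""
    query = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


# Constructed attack string: closes the quoted literal and appends a
# tautology, so the WHERE clause matches every row.
INJECTION = "x' OR '1'='1"


def leaks_on_injection(lookup) -> bool:
    """Regression check for a query path.

    A lookup that returns more rows for the injection payload than for a
    user that does not exist is injectable. True means the path is broken.
    """
    conn = make_db()
    return len(lookup(conn, INJECTION)) > len(lookup(conn, "no-such-user"))


def demo() -> dict[str, list[tuple]]:
    """Run both lookups with a normal name and with the payload."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_injected": lookup_vulnerable(conn, INJECTION),
        "hard_normal": lookup_hardened(conn, "alice"),
        "hard_injected": lookup_hardened(conn, INJECTION),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
    print("vulnerable path injectable:", leaks_on_injection(lookup_vulnerable))
    print("hardened path injectable:  ", leaks_on_injection(lookup_hardened))
```

The vulnerable lookup returns all three accounts for the payload; the hardened one returns nothing, because the whole string is compared as a username. Note that `sqlite3`'s `execute()` refuses to run more than one statement, so this payload demonstrates data exposure rather than stacked statements such as an appended `DROP TABLE`; the fix is the same in either case, and the regression check is cheap enough to keep alongside the query it guards.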

Control 19: Incident Response and Management

Overview: All organizations should assume that they will eventually face a cyber incident and have an incident response plan in place before it happens. Response time and response management are critical to limiting the damage of an incident, so organizations must identify the necessary processes and personnel ahead of time.

Why It Matters: Organizations that wait for an incident to create a plan will find themselves forced to make decisions quickly and without the proper due diligence. This can lead to that organization facing significantly higher monetary and reputational damage.

How It Works: Create a playbook that clearly defines what must be done in the event of a cyber incident. The playbook should cover phases such as incident identification, containment, system remediation, system/data restores, a communication plan and a post-incident review. It should define roles and responsibilities for internal staff and third-party vendors across a variety of possible incident types.

Maintain a list of names and emergency contact information for every party that may play a part in an incident response, and keep a copy that is reachable when email and internal systems are down. Set expectations with third parties and confirm they understand their role in your plan. Rehearse the plan through tabletop exercises and tests that involve all necessary parties.

Control 20: Penetration Tests and Red Team Exercises

Overview: Penetration tests and red team exercises identify an organization's possible points of exploitation from an attacker's perspective. A form of ethical hacking, a penetration test is scoped to selected systems and uses the actual tools and tactics of cybercriminals to bypass your network security and gain control of systems and data. A red team exercise is broader: it pursues a defined objective across people, process and technology, typically without warning defenders, and so tests detection and response as well as prevention.

Why It Matters: These tests mimic how a bad actor might attempt to access a network from various attack vectors and identify the extent of possible risks. Internal, external and wireless penetration testing empowers your institution with a holistic picture of your cybersecurity posture while fulfilling compliance requirements.

How It Works: Organizations should engage a firm that will try to exploit and enter the network from every relevant angle. This should include internal penetration testing, external penetration testing and social engineering tests. Agree on scope and rules of engagement in writing, and evaluate the firm performing the test so you understand its methods and the attack vectors it will use. The findings help organizations identify gaps and refine the use of the other 19 CIS Controls.

How to Implement the CIS Controls to Bolster Security

As you work to implement the CIS Controls, keep in mind that you may not be able to immediately implement every component. Implementing and maintaining a framework is an ongoing task and requires an organizational commitment to cyber hygiene. However, each step taken to address gaps in the controls will help your organization reduce attack opportunities and add layers to your protections.

Want more information about effectively implementing the CIS Controls? Watch this on-demand webinar to learn how to maximize utility from the CIS Controls.


Sean Martin is director of Product Strategy, CSI Business Solutions Group for Managed Services. He has worked to establish cybersecurity programs for financial institutions for over 15 years. Previously, Sean has served as Network and Security Operations Manager, Product Manager, and various engineering roles since 2001. In his role, Sean identifies and implements solutions designed to maximize security and profitability for financial institutions. Sean speaks regularly on a variety of financial technology issues, ranging from managed services to IT security best practices.


