Meeting Your Compliance Needs with Security Best Practices

As a security professional, you may be tasked with achieving SOC2 compliance for your organization, adopting a NIST framework, or complying with new security laws. These are just a few examples: you likely face many requirements!

Compliance with multiple policy, regulatory, and legal security frameworks and standards is challenging and time-consuming. Most tell you what’s required but don’t clearly explain how to do it or where to begin. So where should you start? With proven, prioritized security best practices that map to or are referenced by other frameworks and standards.

Best practices for security compliance

As a starting point, there are security best practices that can be used.  The CIS Critical Security Controls (CIS Controls) are a prioritized set of actions for protecting your organization and data from known cyber attack vectors. They’re developed through a unique community consensus process, and they tell you not only how to be more secure but also how to prioritize the actions you need to get there. This prioritization helps your organization work toward achieving effective cyber hygiene rather than working through a list and hoping to recognize some benefits along the way.

Another reason to start with the CIS Controls? They work. Findings of the CIS Community Defense Model (CDM) v2.0 show they’re effective at mitigating approximately 86% of (sub)techniques found in MITRE ATT&CK Framework, including 92% of ransomware ATT&CK (sub-)techniques.

For a more granular take on security configuration, the CIS Benchmarks provide consensus-based guidance for specific technologies. Implementing these configuration recommendations helps you meet some of the CIS Controls, as each Benchmark maps to the Controls.

Achieving compliance with CIS Controls

The CIS Controls map to the following frameworks: 

• AICPA Trust Services Criteria (SOC2)
• Cloud Security Alliance Cloud Control Matrix (CSA CCM) v4
• Criminal Justice Information Services (CJIS) Security Policy
• Cybersecurity Maturity Model Certification (CMMC) v1.0
• Cyber Essentials v2.2
• Federal Financial Institutions Examination Council (FFIEC-CAT)
• Health Insurance Portability and Accountability Act of 1996 (HIPPA)
• ISACA Control Objectives for Information Technologies (COBIT) 19
• MITRE Enterprise ATT&CK v8.2
• National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
• NIST Special Publication 800-53 Rev.5 (Low and Moderate Baseline)
• NIST Special Publication 800-171 Rev.2
• Payment Card Industry (PCI) Data Security Standard v3.2.1

The mappings are available in a variety of formats to assist you on your security journey. These include Microsoft Excel format and the interactive CIS Controls Navigator, with the latter offering you the ability to view several mappings at the same time and export them to Excel. Want to track your implementation of the Controls and your compliance with those mapped frameworks? The CIS Controls Self Assessment Tool (CIS CSAT) can help with that.

In addition to mapping the CIS Controls to security frameworks that have been created with the help of our community, there are a number of entities that reference the Controls directly. For example, the National Governors Association, NIST, and legislation from the states of Ohio, California, Nevada, Idaho, and Connecticut all mention the Controls.

CIS Benchmarks

The CIS Benchmarks are recognized as industry standards for cyber protection around the world. Some references include the following: 

• PCI recommends CIS standards for hardening.
• The DoD Cloud Computing Security Requirements Guide mentions CIS Benchmarks as an acceptable alternative to the STIGs and SRGs (Section 5.5.1).
• FedRAMP’s suggests the use of CIS Benchmarks if US government configuration guidelines aren’t available for a specific platform.
• The CIS Benchmarks function as a complement to the HIPAA security rule, with overlap of the same provisions.

A configuration assessment tool helps determine if your systems are securely configured. CIS-CAT Pro allows you to assess for conformance to the CIS Benchmarks, both remotely and at scale. You can also use the Dashboard to track conformance (and thus compliance) over time.

An “on-ramp” to compliance: CIS SecureSuite membership

The CIS Controls and CIS Benchmarks provide an “on-ramp” toward compliance with a wide range of security frameworks. That’s because they’re a good starting point for securing your organization while moving you toward compliance. A CIS SecureSuite Membership offers the tools and resources to help you implement and track compliance and protection of your organization’s data and assets.

Click here to apply for CIS SecureSuite Membership