The Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) is a prioritized set of best practices created to stop the most pervasive and dangerous threats of today.

The controls were originally developed after the US government experienced a major data loss in 2008. In the current version of the CIS 20, three tiers have been established: tier 1 covers the basic controls, while tier 3 organizations are expected to implement all of the controls.

The 20 controls are broken down into:
  1. Basic (6 controls): the “must do” controls for every organization, covering about 85% of risk.
  2. Foundational (10 controls): added protection against more sophisticated attacks, covering roughly another 10% of risk.
  3. Organizational (4 controls): going beyond tools and tactics to make sure users are trained, controls are tested, and incident response is in place to address the remaining risk, since no one can eliminate 100% of their risk.

Each control is rated with a maturity level of 1-5 as follows:

  • Level 1: Initial – Processes are ad hoc
  • Level 2: Repeatable – Processes are planned and repeatable
  • Level 3: Defined – Processes are defined and understood and are part of standard procedures
  • Level 4: Quantitatively Managed – Processes are audited and deficiencies are corrected
  • Level 5: Optimized – Processes are constantly evaluated and improved

We will do a deeper dive into each group of controls in upcoming posts.