Learning the Control Groups
The first six controls make up the Basic category and are commonly referred to as the “cyber hygiene” controls. The basic controls focus on security guidelines like monitoring, vulnerability assessment, and configuration management.
The Foundation Controls group empowers companies to lay the framework of a good security program. This group is defined by controls 7 through 16 and covers various defense tactics, data loss, data recovery, and access controls.
The final category is the Organizational Controls group which are also known as the final four controls. These controls are primarily targeted at defining guidelines that are aimed at the people and processes within the organization.
Basic Controls
The first six controls are the cyber hygiene controls, but what are they?
- Inventory and Control of Hardware Assets
- This step consists of making sure that only authorized physical devices are given access to the system. During this process, unmanaged devices are identified and prevented from gaining access.
- Inventory and Control of Software Assets
- Similar to control #1, this control looks at software that is installed on authorized devices within the organization. Making sure authorized software is the only software active on a network enables an organization to quickly identify rogue platforms.
- Continuous Vulnerability Management
- Control #3 is designed to incorporate a vulnerability management program that will perform comprehensive and credentialed scans regularly across the organization.
- Controlled Use of Administrative Privileges
- Any administrator on a network should have at minimum two accounts. The first account should be for their day-to-day activities and other accounts can be elevated depending on their need. Administrator accounts should not be used for daily user activities like web browsing or email.
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Control #5 encompasses establishing a baseline security configuration for all hardware within an organization. This configuration should have a documented implementation and change control process. It should also be visible through reporting on every endpoint device.
- Maintenance, Monitoring, and Analysis of Audit Logs
- Detecting, understanding, and recovering from a cybersecurity attack is all in the logs. This control is meant to establish the collection, management, and analysis of audit logs.
The basic control group aims to identify all the pieces of a network, their legitimacy on the network, and their ability to communicate.
Foundation Control Group
The foundation control group contains 10 controls (7-16) that lay the groundwork for a great cybersecurity posture.
- Email and Web Browser Protections
- Bad actors are looking to gain access to your systems through the people in your organization. This control looks to minimize their interaction with your users in web browsers and email.
- Malware Defenses
- Catching malware at the time of installation can prevent the spread and execution of malicious code throughout the enterprise. Ensuring your malware defense is continuously updated and somewhat restricting can prevent a widespread event.
- Limitation and Control of Network Ports, Protocols, and Services
- Electronic communication is transported via protocols, and services and happens through often specific network ports. Instilling limitations on the who, what, and where electronic communication happens, minimizes vulnerabilities and makes it harder for bad actors to operate in your network.
- Data Recovery Capabilities
- In the event of an event, retrieving data is the number one priority. Proper backup, documentation, and a plan need to be in place.
- Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- To prevent bad actors from exploiting services and settings, this control is meant to establish, implement, and actively track the security configuration of network devices to track reports, and correct gaps.
- Boundary Defense
- When all your systems were in-house or pointed to one single location, boundary defense was a slightly easier topic. Today, information and entry points can be pinpointed in several ways. These entry points require a perimeter of defense.
- Data Protection
- Creating a classification scheme for data within an organization is key when ensuring the information needed to perform a job duty is accessible only to those it should be accessible to. This classification scheme should be documented and distributed to ensure organizational buy-in.
- Controlled Access Based on the Need to Know
- Control #14 echoes the principle of least privilege described in Control #13. Users should only have access to information that is needed to perform their job duties.
- Wireless Access Control
- Wireless access points should be configured to track and control access while simultaneously preventing unauthorized access. Wireless access has the potential to expose a network to problems if not controlled properly.
- Account Monitoring and Control
- All accounts within the organization should be managed in a way that promotes clean account hygiene.
The foundation control group is meant to keep data and access out of the hands of those that do not need it. This control group lives in what we like to refer to as the Principle of Least Privilege. Limiting access to places and devices within the organization is the first step in keeping data out of the hands of those who don’t need it.
Organizational Controls
The final control group revolves around providing the organization with ways to complete their security journey.
- Implement a Security Awareness and Training Program
- Teaching users to be aware of ways in which bad actors currently try to infiltrate organizations is the first line of defense.
- Application Software Security
- This control looks at keeping applications and stored customer data from being exposed.
- Incident Response and Management
- Incident response plans (IRPs) have been a steadily growing topic between IT professionals and business owners. Being prepared in the event of a breach can help maintain relationships between businesses and their clients as well as reducing productivity losses.
- Penetration Tests and Red Team Exercises
- Penetration tests are used to test the security controls put in place by an organization.
The organizational control group trains, responds to and assesses the security posture of an organization.
The Center for Internet Security and Tenable have configured a comprehensive guide that reviews all of the controls in-depth. Understanding, implementing, and reviewing these controls can become a task not all companies are equipped to take on. ERGOS assists clients by reviewing current controls, assessing the needs of the organization, and putting controls and monitoring systems in place. Contact our offices today to learn more about having a better cybersecurity posture for your business.