The Center for Internet Security (CIS) is a nonprofit organization that seeks to “identify, develop, validate, promote and sustain best practice solutions for cyber defense.” But what exactly is this organization? How does it work? And how does it relate to third-party security?
The CIS Model
CIS uses a closed crowdsourcing model to suggest ingenious new security measures and perfect existing ones. Professionals within the network introduce new ideas to the community, and a consensus-based decision-making process ensures that only the best ideas move forward in the process. CIS is important for helping global organizations form new security policies and make important security-based decisions.
Within CIS there are many different program areas operating simultaneously. These include the multi-state information sharing and analysis center (MS-ISAC), CIS controls, CIS benchmarks, CIS communities and the CIS CyberMarket. The CIS works with the government, academia, the private sector and even the general public to improve security and effectiveness.
Below we delve into each program individually.
The Multi-State Information Sharing and Analysis Center (MS-ISAC)
The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a partnership between the CIS and the Office of Cybersecurity and Communications in the United States Department of Homeland Security (DHS). Together, these organizations provide ongoing, 24/7 monitoring for state and local governments, looking for potential threats and responding to them to mitigate the threats if necessary.
Originally established in 2002, the MS-ISAC now includes all 50 states, the District of Columbia, and all U.S. territorial, tribal and local governments. Working closely with federal law enforcement, government agencies are equipped with the best resources and support for mitigating state- and local-level cyberthreats. At MS-ISAC, the cybersecurity operations center provides ongoing network monitoring, issues important advisories and warnings, and has an incident response plan just in case things go south.
Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)
The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), established by the Election Infrastructure Subsector Government Coordinating Council (GCC), is designed to improve the cybersecurity of state, local, territorial and tribal (SLTT) election offices through the collaboration, sharing and mutual work of its members. With federal partners like the Department of Homeland Security (DHS) and private sector partners, this branch of CIS can effectively identify potential weaknesses, monitor and respond to threats and mitigate risks related to elections.
CIS Controls and CIS Benchmarks
CIS Controls and CIS Benchmarks are designed to provide global-level standards for internet security, ultimately protecting IT systems and data from external and internal attacks.
“The CIS Controls” is an especially popular and well-known set of security controls to map compliance standards – they’re even useful in relation to the Internet of Things.
- CSC 1: Inventory and Control of Hardware Assets
- CSC 2: Inventory and Control of Software Assets
- CSC 3: Continuous Vulnerability Assessment and Remediation
- CSC 4: Controlled Use of Administrative Privileges
- CSC 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CSC 7: Email and Web Browser Protections
- CSC 8: Malware Defenses
- CSC 9: Limitation and Control of Network Ports, Protocols, and Services
- CSC 10: Data Recovery Capabilities
- CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- CSC 12: Boundary Defense
- CSC 13: Data Protection
- CSC 14: Controlled Access Based on the Need to Know
- CSC 15: Wireless Access Control
- CSC 16: Account Monitoring and Control
- CSC 17: Implement a Security Awareness and Training Program
- CSC 18: Application Software Security
- CSC 19: Incident Response and Management
- CSC 20: Penetration Tests and Red Team Exercises
Together, these CIS controls help organizations establish an in-depth, comprehensive system they can use to prevent, detect and possibly respond to malware.
Despite these protocols being largely free and accessible, the majority of organizations in the United States fail to comply with these security measures, leaving them with massive vulnerabilities. This is an especially prominent security concern among organizations that work closely with a number of third parties; each third party in your network is going to introduce new security vulnerabilities and new types of threats to monitor. If you don’t take third-party security seriously, it could cost your organization dearly.
Additionally, CIS benchmarks are a combined effort by the Consensus Community and CIS SecureSuite members. These benchmarks provide more than 100 different configuration guidelines for more than 25 vendor product families, such as Microsoft Azure, Google Cloud and Kubernetes. These are especially important for determining third-party security vulnerabilities and ensuring your organization is following best practices for third-party security.
The CIS CyberMarket
The CIS CyberMarket is: “CIS’s collaborative purchasing program that serves U.S. State, Local, Tribal and Territorial (SLTT) government organizations, nonprofit entities and public health and educational institutions to improve cybersecurity through cost-effective group procurement.” In other words, it is designed to help all partner organizations gain access to group purchasing opportunities to save money and address their cybersecurity needs.
Additionally, CIS Communities are a collection of volunteer IT professionals who write, evaluate and refine CIS best practices. It’s the engine responsible for CIS being up-to-date about, and prepared for, the latest security threats.
Why CIS Is Important for Third-Party Security
As you’re well aware, third-party security is vital for any organization to minimize vulnerabilities, maintain compliance and improve overall security. Even a single vulnerability in one of your third-party partners could jeopardize the security of your entire operation. Fortunately, CIS helps provide information and refine process approaches for third-party security. This helps ensure that your organization is effectively managing third-party risk.
If you’re looking for an automated solution to provide comprehensive, in-depth visibility into your third-party security risk, request a demo today!