June 14, 2023

How Covalence simplifies compliance: CIS Critical Security Controls


This blog is part of a series of posts to highlight how Field Effect’s flagship product, Covalence, can help our customers attain their compliance goals. Whether it’s to mitigate risks, maintain a cyber insurance policy, fulfill a contractual requirement, or ensure the protection of employee and customer data, Field Effect knows how important it is for businesses to adhere to industry-standard compliance frameworks.

The right cybersecurity solutions can empower organizations to achieve and maintain compliance with numerous frameworks, including the CIS Controls.

What are the CIS Controls?

The CIS Controls are a set of best practice guidelines for computer security that are published by the Center for Internet Security. Currently in its 8th version, the project to develop the controls began in 2008 in response to high-profile security incidents targeting the US defense industrial base.

According to the Center, the 18 critical security controls (CSC) and 153 sub-controls (known as safeguards) in the current version of the standard are designed to be a prescriptive, prioritized, and simplified set of best practices that can be used to help defend against today's top threats.

The CIS Controls are designed to provide value to organizations of all sizes by organizing the safeguards into three Implementation Groups:

  • IG1 (contains 56 essential cyber hygiene safeguards)
  • IG2 (includes all of IG1 plus 74 additional safeguards)
  • IG3 (includes all of IG1 and all 153 CIS safeguards)

This gradual approach makes it easier for organizations of any size or maturity level to improve their cybersecurity in a structured, systematic way.

How can Covalence help?

Covalence, our holistic cybersecurity solution, empowers organizations to confidently implement many of the safeguards outlined in the CIS Controls. Let’s take a look at a few examples:

CIS safeguard 13.2

This safeguard instructs organizations to “Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported”. The Covalence endpoint agent achieves this by providing a world-class anti-malware solution for servers and workstations running Windows, macOS, and supported versions of Linux. It easily deploys to enterprise assets and provides a combination of signature-based and heuristic-based analytics to detect both known and emerging threats.

CIS safeguard 13.3

This safeguard calls for organizations to “Deploy a network intrusion detection solution on enterprise assets, where appropriate”. Covalence network sensors fulfill this requirement through their ability to conduct full packet capture and deep inspection of all network traffic transiting them, providing Field Effect with another method of detecting risks and threats to the networks we defend.

CIS safeguard 13.7

Safeguard 13.7 instructs organizations to “Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported” and provides the examples of endpoint detection and response (EDR) software or a host-based intrusion prevention system (IPS) agent. Covalence can quickly respond when a threat is detected, taking on-host actions such as blocking malware installations and isolating hosts by restricting communications to the Internet and other devices. These measures can help any malware infections on your network remain minor events with limited impact on your data.

CIS safeguard 9.2

Safeguard 9.2 advises organizations to “Use DNS filtering services on all enterprise assets to block access to known malicious domains.” As a holistic solution, Covalence includes a configurable DNS firewall which provides real-time filtering for all enterprise assets and is continuously updated with new threat intelligence. This DNS filtering service prevents access to known malware sites and other Internet content which can increase risks to your organization, and protects your devices no matter where they are.
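To make the mechanism behind safeguard 9.2 concrete, here is a small blocklist-based DNS filter. It is an added illustration written for this page, not Covalence or Field Effect code; the indicator list, the queried names and the `DnsFilter`, `Decision` and `filter_queries` names are all constructed for the example. The point it shows that the paragraph does not is the matching rule a DNS filter needs: a blocked indicator must also cover every name beneath it, while a lookalike that merely ends with the same characters must not match, and the blocklist must accept feed updates at runtime.

```python
"""Blocklist-based DNS filtering, in the spirit of CIS safeguard 9.2.

Added example, not Field Effect/Covalence code. All indicators and query
names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


def normalize(name: str) -> str:
    """Canonicalize a DNS name: lower-case and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


@dataclass
class Decision:
    qname: str               # the name as it was queried
    action: str              # "block" or "allow"
    matched: Optional[str]   # the blocklist entry that fired, if any


class DnsFilter:
    """Filter that blocks each indicator and every name beneath it."""

    def __init__(self, indicators: Iterable[str]):
        self.blocked = {normalize(d) for d in indicators}

    def update(self, new_indicators: Iterable[str]) -> int:
        """Apply a threat-intelligence feed update; returns how many were new."""
        before = len(self.blocked)
        self.blocked.update(normalize(d) for d in new_indicators)
        return len(self.blocked) - before

    def match(self, qname: str) -> Optional[str]:
        """Return the blocklist entry covering qname, or None.

        Matching walks label-wise suffixes, so 'cdn.malware-c2.example' is
        covered by 'malware-c2.example', while 'notmalware-c2.example' is
        not: a plain string endswith() check would wrongly block it.
        """
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return None

    def decide(self, qname: str) -> Decision:
        hit = self.match(qname)
        return Decision(qname, "block" if hit else "allow", hit)


def filter_queries(dns_filter: DnsFilter, qnames: Iterable[str]) -> List[Decision]:
    """Run a batch of queried names through the filter; blocked results are
    exactly the events a SOC would want logged and alerted on."""
    return [dns_filter.decide(q) for q in qnames]


# Constructed sample indicators, standing in for a curated intelligence feed.
SAMPLE_INDICATORS = [
    "malware-c2.example",
    "phish-login.example.net",
]

# Constructed sample of names queried by enterprise endpoints.
SAMPLE_QUERIES = [
    "update.windows-sample.example",   # benign
    "cdn.malware-c2.example",          # subdomain of an indicator
    "phish-login.example.net",         # exact indicator
    "notmalware-c2.example",           # lookalike suffix, must stay allowed
]

if __name__ == "__main__":
    dns_filter = DnsFilter(SAMPLE_INDICATORS)
    for d in filter_queries(dns_filter, SAMPLE_QUERIES):
        print(f"{d.action:5} {d.qname:32} {d.matched or ''}")
```

The suffix walk in `match` is the part worth copying: it treats the blocklist entry as a zone cut rather than a substring, so a feed entry for a domain protects against every host under it without producing false positives on unrelated names that happen to share a tail.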

Are the controls mandated?

For most organizations implementing the CIS Controls, the effort will be self-assessed and voluntary. However, they are widely recognized across many jurisdictions and business sectors, and even referenced in the legislation of some states. Here are a couple of examples:

  1. In 2021, Connecticut passed Public Act No. 21-119, which listed the CIS Controls as one of the recognized cybersecurity frameworks businesses could implement to protect themselves against lawsuits and punitive damages for data breaches concerning personal information.
  2. The Ohio Data Protection Act similarly lists the CIS Controls as one of the cybersecurity frameworks it encourages all businesses to adopt to protect against data breaches and secure the personal information they handle.

Beyond these two examples, the CIS Controls can also help an organization obtain agreeable insurance terms for their cyber policies. Underwriters can consider an organization's adherence to recognized frameworks like the controls as proof that they’re taking a proactive approach to risk management.

Learn more about Covalence & the CIS Controls

We've created an easy-to-read mapping guide for the CIS Controls Version 8, which shows how Covalence aligns to specific sections of the standard.

This document is a great starting point to help you better understand the regulatory compliance landscape but, because every organization is different, we still recommend consulting with a regulatory auditor for your specific requirements.

Reach out to our team to get a copy of the CIS Compliance Mapping Guide today.