Implementing
the CIS Controls
Developed by the Center for Internet Security (CIS), the CIS Critical Security Controls are a prescriptive, prioritized set of cybersecurity best practices and defensive actions that can help prevent the most pervasive and dangerous attacks and support compliance in a multi-framework era.
These actionable best practices for cyberdefense are formulated by a group of IT experts using the information gathered from actual attacks and their effective defenses. The CIS Controls provide specific guidance and a clear path for organizations to take to achieve the goals and objectives described by multiple legal, regulatory, and policy frameworks.
Learn what’s new in the
latest version of the CIS Controls®
Watch now
Implementing the CIS Critical Security Controls in your organization can effectively help you:
Develop a foundational structure for your information security program and a framework for your entire security strategy.
Follow a proven risk management approach for cybersecurity based on real-world effectiveness.
Focus on the most effective and specific set of technical measures available to improve your organization's defense posture.
Conform easily to other frameworks and regulations including the NIST Cybersecurity Framework, NIST 800-53, NIST 800-171, ISO 27000 series, PCI DSS, HIPAA, NERC CIP, and FISMA.
The latest version of the CIS Controls, version 8, is comprised of a set of 18 cyberdefense recommendations, or Controls. Version 8, an extension of version 7, consists of Implementation Groups (IGs). IGs are the new recommended guidance for prioritizing the implementation of the Controls.
In an effort to assist enterprises of every size, IGs are divided into three groups. They are based on the risk profile of an enterprise and the resources available to the organization to implement the CIS Controls.
Each IG identifies a set of Safeguards (previously referred to as CIS Sub-Controls) that the enterprise needs to implement to mitigate the most prevalent cyberattacks against systems and networks. There are a total of 153 Safeguards in CIS Controls Version 8. Every enterprise should start with IG1. IG2 builds upon IG1, and IG3 is comprised of all the Controls and Safeguards.
The CIS Controls are not a one-size-fits-all solution; based on your organization’s cybersecurity maturity, you can plan and prioritize the implementation of various Controls.
ManageEngine's suite of IT management solutions can help you meet the discrete CIS Control requirements and, in turn, help your organization in carefully planning and developing a best-in-class security program to achieve better cyberhygiene.
Actively manage all enterprise assets connected to your infrastructure physically, virtually, or remotely, or those within cloud environments, to accurately determine the totality of assets that need to be monitored and protected. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Monitor and manage assets throughout their life cycles.
Manage incidents and inventory from a single dashboard.
Ensure patch management along with asset management.
Discover and manage the devices connected to your network.
Actively manage all software in your network to ensure that only authorized software is installed and executed and that unauthorized and unmanaged software is found and prevented from being installed or executed.
Track and manage assets with an integrated configuration management database (CMDB).
Monitor and manage assets from a single console.
Allowlist applications and remove unauthorized software.
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Audit files, identity at-risk data, and prevent data leaks.
Prevent data loss through peripheral devices.
Control, manage, and audit the entire life cycle of privileged accounts and their access.
Establish and maintain the secure configuration of enterprise assets and software.
Implement configurations to harden the security of your endpoints.
Apply security polices to protect data on mobile devices.
Implement and manage configurations to ensure network security.
Schedule device configuration backups, track user activity, and spot changes by comparing configuration versions.
Ensure complete privileged access security.
Use processes and tools to assign and manage authorization to handle the credentials of user accounts, including administrator accounts and service accounts associated with enterprise assets and software.
Control, manage, and audit the entire life cycle of privileged accounts and their access.
Manage and clean up inactive or unused users in AD.
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Ensure complete privileged access security.
Implement endpoint MFA, conditional access, and enterprise SSO.
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within your enterprise’s infrastructure to remediate flaws and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Implement prioritization-focused enterprise vulnerability management.
Automate multi-OS patch management.
Identify vulnerabilities and remediate them by applying patches.
Collect, alert on, review, and retain audit logs of events that could help you detect, understand, or recover from an attack.
Implement integrated SIEM with advanced threat analytics and ML-driven user and entity behavior analytics.
Perform real-time Active Directory, file, and Windows Server change auditing.
Ensure firewall rule, configuration, and log management.
Monitor server logs for errors defined by the admin.
Improve protection and detection of threats from email and web vectors, because these are opportunities for attackers to manipulate human behavior through direct engagement.
Ensure browser security and management.
Manage browsers, add-ons, extensions, and plug-ins.
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Implement risk-based scoring for users to modify anti-malware software to meet specific needs.
Disable auto-run, auto-play, and auto-execute for removable media.
Establish and maintain data recovery practices sufficient for restoring in-scope enterprise assets to a trusted, pre-incident state.
Ensure Active Directory, Microsoft 365, and Exchange backup and recovery.
Establish, implement, and actively manage network devices to prevent attackers from exploiting vulnerable network services and access points.
Ensure network infrastructure is kept up to date.
Establish and maintain a secure network architecture.
Ensure least privilege permission management.
Monitor and manage assets in your network with the help of the CMDB.
Map asset dependencies with the help of an integrated CMDB.
Create processes and select appropriate tools to establish and maintain comprehensive network monitoring and defense against security threats across your enterprise’s network infrastructure and user base.
Centralize security event alerting across enterprise assets for log correlation and analysis.
Monitor the logs from your IDS or IPS and extract the required information to ensure network security.
Make sure operating system versions and applications in the enterprise endpoints are up to date.
Prevent unauthorized removable devices from connecting to your network.
Detect and prevent data leaks through USBs and email.
Provide the minimum access permissions for assets remotely connected to enterprise resources.
Block unauthorized devices from connecting to your network.
Detect network intrusions using a continuous stream mining engine.
Collect network traffic flow logs from network devices to carry out review and raise alerts on network bottlenecks.
Establish and maintain a security awareness program to make employees more security-conscious and ensure they have the proper skills to reduce cybersecurity risks to your enterprise.
Establish MFA for Windows, macOS, and Linux systems.
Ensures no privileged access pathway to mission-critical assets is left unmanaged, unknown, or unmonitored.
Report on the creation, deletion, overwriting, and renaming of files and folders.
Manage and optimize the power consumption of computer hardware to save money and energy.
Manage OS updates for iOS, Android, and Chrome OS devices.
Develop a process to evaluate service providers who hold sensitive data or are responsible for your enterprise’s critical IT platforms or processes to ensure these providers are protecting those platforms and data appropriately.
Securely decommission service providers, users, and file servers without the hassle of dealing with complex custom scripts.
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact your enterprise.
Implement prioritization-focused enterprise vulnerability management.
Identify vulnerabilities and remediate them by applying patches.
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare for, detect, and quickly respond to an attack.
Create a portal for the IT security team to handle incidents with unique notifications, SLAs, and escalation procedures.
Periodically assess your organization’s readiness to defend against attacks by conducting penetration tests. Simulate the objectives and actions of an attacker with the help of red teams to inspect your current security posture and get valuable insights about the efficacy of your defenses.
Download this guide to take a closer look at how ManageEngine products will help you with the CIS Controls implementation process.
Disclaimer: The complete implementation of the CIS Controls® (developed by the Center of Internet Security) requires a variety of solutions, processes, people, and technologies. The solutions mentioned above are some of the ways in which IT management tools can help with the CIS Control requirements. Coupled with other appropriate solutions, processes, and people, ManageEngine's solutions help implement the CIS Controls. This material is provided for informational purposes only, and should not be considered as legal advice for the CIS Controls implementation. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.
