Security Best Practices: Cybersecurity & Compliance at Scale
Growing the business requires that your organization scale its cybersecurity program. Along the way, however, you will need to comply with multiple policy, regulatory, and legal security frameworks, and this creates several obstacles. Take financial institutions as an example. They are subject to a complex and ever-changing regulatory landscape that includes PCI DSS, GLBA, and FFIEC CAT. Complying with each of these frameworks separately can be difficult, costly, and time consuming to the point of being overwhelming, a phenomenon known as the "Fog of More." When coupled with tool sprawl, the Fog of More can leave your security teams suffering from alert fatigue and feeling burned out.
To prevent this from happening and to scale your cybersecurity program more efficiently, you want to know how to plan out all of your compliance objectives so that you don't duplicate efforts.
"As an organization, you need to determine what framework is a priority and then map those requirements to the other frameworks to lessen the overlapping requirements," explained Stephanie Gass, Director of Governance, Risk, and Compliance at the Center for Internet Security® (CIS®). "You should also understand if your compliance objectives are required through regulations, contracts, or customer preference."
You can do both of these things using proven, prioritized security best practices that map to or are referenced by other frameworks and standards. Check out our video below to learn more.
Security Best Practices for Security Compliance
Although requirements vary, there is often overlap in the facets of security on which they focus. These are generally security best practices you can use as a starting point to scale your cybersecurity program and realize your compliance objectives.
For instance, the CIS Critical Security Controls® (CIS Controls®) are a prioritized set of actions for protecting your organization and data from known cyber attack vectors. They’re developed through a unique community consensus process, and they tell you not only how to be more secure but also how to prioritize the actions you should take to get there. This prioritization helps your organization work toward achieving effective cyber hygiene and scale from there rather than work through a list and hope to recognize some benefits along the way.
For a more granular take on security configuration, the CIS Benchmarks™ provide consensus-based guidance for specific technologies. Implementing these configuration recommendations helps you meet some of the CIS Controls, as each Benchmark maps to the Controls.
The CIS Controls map to the following frameworks:
- AICPA Trust Services Criteria (SOC2)
- Cloud Security Alliance Cloud Control Matrix (CSA CCM) v4
- Criminal Justice Information Services (CJIS) Security Policy
- Cybersecurity Maturity Model Certification (CMMC) v2.0
- Cyber Essentials v2.2
- Federal Financial Institutions Examination Council (FFIEC-CAT)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- ISACA Control Objectives for Information Technologies (COBIT) 19
- MITRE Enterprise ATT&CK v8.2
- National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) v2.0
- NIST Special Publication 800-53 Rev.5 (Low and Moderate Baseline)
- NIST Special Publication 800-171 Rev.2
- Payment Card Industry (PCI) Data Security Standard v4.0
Once you know which frameworks to measure against, the next step is to manage your prioritization and implementation of those frameworks. The CIS Controls Self Assessment Tool (CIS CSAT), particularly the Pro version, enables your security teams to prioritize their implementation of the CIS Controls. With that plan, your teams can track their efforts and verify whether specific CIS Controls and CIS Safeguards have been assigned, implemented, automated, documented, and reported. They can then leverage that insight to comply with other security frameworks and scale your organization's cybersecurity accordingly.
CIS Benchmarks Referenced in Industry Standards
The CIS Benchmarks are recognized as industry standards for cyber protection around the world, particularly as they relate to different types of information. Some references include the following:
- Financial data — PCI DSS recommends CIS standards for hardening.
- Government information — The DoD Cloud Computing Security Requirements Guide mentions CIS Benchmarks as an acceptable alternative to the STIGs and SRGs (Section 5.5.1).
- Products and services in the cloud — FedRAMP suggests the use of CIS Benchmarks if U.S. government configuration guidelines aren’t available for a specific platform.
- Medical details — The CIS Benchmarks function as a complement to the HIPAA security rule, with overlap of the same provisions.
A configuration assessment tool helps determine whether your systems are securely configured. CIS-CAT® Pro allows you to assess conformance to the CIS Benchmarks using its Assessor component, both remotely and at scale. You can also use CIS-CAT Pro's Dashboard component to track conformance (and thus compliance) over time.
Scaling and Compliance with CIS SecureSuite Membership
Both the CIS Controls and CIS Benchmarks provide an “on-ramp” toward compliance with various frameworks. Indeed, they provide a starting point for securing your assets and scaling your organization's cybersecurity program, all while moving you toward compliance objectives.
Your organization can enjoy these benefits by implementing the CIS Controls and CIS Benchmarks on your own. Alternatively, you can gain access to additional resources and tools, such as CIS CSAT Pro and CIS-CAT Pro, by purchasing a CIS SecureSuite® Membership. It is a cost-effective way to achieve compliance, ensure the protection of data assets, and scale your cybersecurity efforts.
"SecureSuite helps to create baselines, whether it is benchmarking or hardening systems," noted Gass. "Using the CIS Controls and the CIS Benchmarks, you are able to identify potential gaps within the organization."