General security

The Center for Internet Security (CIS): Top 20 Critical Security Controls

Ravi Das
October 30, 2018 by
Ravi Das


The cyber-threat landscape is constantly changing on a daily basis. Each cyberattack seems to get worse, more sophisticated and even more covert, making them that much more difficult to detect.

Each organization has its own unique security requirements. Therefore, what may work for one entity may not necessarily work for another. In other words, security models simply cannot be just replicated and expected to work the same each and every time. What is needed is a coherent and unified set of guiding principles and best practices.

One such example of principle is what is known as the “Center for Internet Security Critical Security Controls for Effective Cyber Defense.” This is the focus of this article.

The Goals of the Project

The primary thrust of this document is to give organizations a techno jargon free approach in order to fortify their lines of defenses, so that they do not become the next victim of a large-scale cyberattack, with a strong emphasis on using automated security technologies. The other four, overarching goals can be described as follows:

  1. Make sure there is a strong balance between both cyber-offense and cyber-defense
  2. Make sure that only the right security technologies are deployed, so that businesses and corporations can yield a very quick return on investment (ROI)
  3. Implement security automation to the greatest extent possible
  4. Utilize a team framework and unanimous consensus approach in order to keep the best Security interests of the organization in mind

The Top 20 Controls

This section will provide an overview into all 20 controls:

1-2. The Inventory and the Control of Hardware Assets & The Inventory and the Control of Software Assets

Although these are two independent controls, they are very often grouped together, because in many instances, the same concepts apply to both. In this set of controls, you are tasked with inventorying, tracking all of the hardware devices and software applications that reside on your network infrastructure so that only authorized hardware/software applications are given the appropriate permissions to help the employee do the tasks that they need to do.

3. The Secure Configurations for Hardware and Software That Reside on Mobile Devices, Laptops, Workstations and Servers

This control mitigates the risks that are posed by exposure to any misconfiguration to any of these items, whether it is intentional or just done by sheer mistake. Corrections here involve resetting default passwords, sealing off network ports that were left open, re-evaluating the use of administrative privileges, reconfiguring digital certificates and so forth.

4. The Continuous Vulnerability Management

This control mandates that your IT staff on a regular basis (frequency will be determined by your security policy) scan your entire IT infrastructure in order to unearth any unknown security flaws or vulnerabilities before they are exposed and used by a cyberattacker against your organization. This particular involves the use of automated scans.

5. The Controlled Use of Administrative Privileges

To the cyberattacker, gaining access to an administrative privilege is like getting a coveted trophy. When they get access to your key critical IT assets with this, your organization is at grave risk. Therefore, this control calls for the tracking down and inventorying of all administrative privileges, so that they are appropriately assigned to your IT staff.

6. The Maintenance, Monitoring and Analysis of Audit Logs

The audit log is a key element in your Security arsenal – because it offers the most unbiased and clearest evidence of any cyberattack that occurs, whether it is from the inside or outside of the organization. Therefore, this control mandates that the logging functionalities are turned on for all of your networking devices, and that they are carefully studied (when they are needed) and securely stored for subsequent access.

7. Email and Web Browser Protections

The cyberattacker of today still uses these tools to launch their threat vectors. Examples of this include Business Email Compromise, phishing and SQL injection/cross-site scripting attacks. As a result of this control, you are trying to minimize the attack surface primarily by examining how your employees interact with their email and web browsing applications, and enforcing the “right kind” of behavior, so that they do not leave themselves open to a social engineering attack.

8. Malware Defenses

Malware is still yet another favored tool of attack, and this can come in many varieties, such as malicious email attachments, links to phony and fraudulent websites, using infected media (such as USB or flash drives) and so forth. Therefore, this control calls for the use of automated tools in order to stop the spread and execution of malware at all points in any business or corporation.

9. The Limitation and Control of Network Ports, Protocols and Services

The cyberattacker is constantly on the lookout for remote network services that are left open to be exploited. Some examples of this include misconfigured web, email and print servers. This control mandates that such devices be routinely scanned for any vulnerabilities that might exist and limiting usage that is absolutely needed.

10. Data Recovery Capabilities

After you have been hit by a cyberattack, the ability to restore business operations within hours is a must. They key here is to make use of the backups you have created of your information and data. Therefore, this control mandates that all organizations must back up their datasets on a regular basis and use a proven a backup and restore methodology.

11. The Secure Configuration for Network Devices, Which Includes Firewalls, Routers and Switches

When your business or corporation gets new hardware from a particular vendor, they are only configured at the default security settings, not set to your unique requirements. You need to change these right away. If this condition is not met, you will fall victim to a cyberattack very quickly.

Because of this, this control calls for the proper configuration of these devices, regular audits on them and implementing the proper change management process in order to prevent the cyberattacker from discovering any settings and further exploiting them.

12. The Boundary Defense

In any modern IT Infrastructure, there are obviously both many wired and wireless communications, especially when your employees log in remotely. The cyberattacker is always on the prowl for any holes and vulnerabilities that might exist in these lines of communications and using that to hijack confidential information and data. Because of this, this control requires that organizations continuously monitor the flow of such network communications, by using such automated tools as network intrusion devices and other types of intrusion prevention systems. Special attention must be given to the origination and termination points as well.

13. Data Protection

Although this task may sound easy, it is in fact one of the most difficult ones for an organization to accomplish. This control mandates for businesses entities to deploy and implement all sorts of encryption that are possible so that any data leakage can be mitigated. Also, it calls for a constant investigation into the robustness of the algorithms and their respective key sizes.

14. Controlled Access Based on the Need to Know

It can be a common routine to assign an employee more privileges than they really need, especially as their job responsibilities expand. This control makes it compulsory for businesses and corporations to constantly evaluate the permissions that their employees are assigned. In other words, they should be given just the minimum access that is needed in order to conduct their daily tasks.

15. Wireless Access Control

In today’s workforce, many employees work remotely, using all sorts of wireless devices. Improper usage of these devices (such as that of BYOD) and not following the required security protocols can leave an organization open to all types of cyberattacks. Because of this, this control mandates that organizations the monitoring of Local Area Networks (LANs) on a continual basis, as well as auditing the usage of wireless devices. As a result, this should mitigate the deployment of rogue wireless access points.

16. Account Monitoring and Control

This control makes it a requirement for businesses and corporations to proactively manage the account creation, usage, dormancy, and deletion lifecycle from the very beginning to the very end. This holds especially true when you hire contractors or outside third-party vendors.

17. Implementing a Security Awareness and Training Program

Many organizations today still lack an effective security training program for their employees to make sure that they maintain good levels of cyber-hygiene. Therefore, this control requires that your business entity develop and maintain a Security Awareness Training program that keeps your employees motivated and proactive in upholding the Security Policies and Procedures which have been set forth.

18. Application Software Security

This control mandates that business entities should proactively and effectively manage the entire Software Development Life Cycle, again, from the very beginning to the very end. This is an effort to an ensure that only “clean source code” is ultimately used in the end for all software applications that are used.

19. Incident Response and Management

As previously described, the ability for your business or corporation to literally “come back to life” within hours after it has been hit by a cyberattack is a huge must. After all, your brand, your hard-earned reputation and most importantly, your customers are all at stake here. The only way that you can bounce back quickly is by having the appropriate incident response and management plan in place, and that it has been well-rehearsed. Not only does this control require these steps to be successfully met, but it also mandates that the following items must be included as well in your plan:

  • Risk mitigation procedures
  • The appropriate mechanism for reporting anything out of the ordinary
  • How data and forensics should be collected
  • The responsibilities of upper management;
  • Any legal protocols that needs to be undertaken;
  • The communications strategy

20. Penetration Tests and Red Team Exercises:

Probably the only way to discover all of the security vulnerabilities which could exist in your organization is to conduct penetration testing. Therefore, this control calls on the organization to routinely conduct these kinds of tests, especially when it comes to using the Red Team. They essentially get into the mindset and tactics of the cyberattacker, by conducting deep dive, real world cyberattacks against your lines of defense. From here, they report back any weaknesses that have been found, and how they should be corrected.


We’ve taken a look at the CIS Top 20 Controls List, the history behind it and its goals. These controls provide a standardized set of best security practices to follow, and if they are implemented correctly, it is quite likely that you will not become a victim of a cyberattack.

In fact, it has been estimated that if your business or corporation would just implement five of these controls, you could potentially eliminate 85% of cyberthreats; if you were to implement all of them, your probability of avoiding a cyberattack can be as high as 97%. Although it may take time and a lot of hard work to implement each and every one of them, the rewards will be tremendous in the end.



Make the Most of the New CIS Controls, The State of Security

CIS Top 20 Critical Security Controls Solutions, Rapid 7

Implementing the CIS 20 Critical Security Controls: Slash Risk of Cyber Attacks by 85%, Qualys Blog

Introduction to the Center for Internet Security (CIS) 20 Critical Security Controls, Hartnell College

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Guide to Automating CIS 20 Critical Security Controls, Qualys

Ravi Das
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at (or; and contact Ravi at