Configuration Management

Securing an environment can be a challenging task. Which framework should you select: the NIST Cybersecurity Framework, ISO 27000, or another? The Center for Internet Security's CIS Controls provide an approachable answer to that challenge.

Following on from his 'Use Security Principles to Guide Security Strategy' advisory paper, IBRS advisor Peter Sandilands conducted a webinar in which he shares a simpler starting point for building a security strategy:

CIS Controls are a pragmatic, measurable and scalable path to better security. This session will walk through the controls and show how an organisation can use them as a tactical pathway. Built around real-world experience in deploying the controls, the session will demonstrate usable approaches to prioritise control selection, leverage staffing and measure the impact.

Conclusion: There are many frameworks available that can guide an organisation's efforts to enhance its security capability. However, most are abstract and carry very little practical detail, so it can be difficult to establish how to implement the aims of a framework. This is a challenge for any organisation working towards minimising risk.

The Center for Internet Security (CIS) has been evolving the CIS Controls for a decade or more. They are formulated in a way that makes them a superb tactical approach to cyber security. They do not replace the available frameworks. Rather, they supplement most frameworks by filling in the details of what to do and how to do it.

Any organisation would do well to use the CIS Controls as a measure of its current security stance.

Conclusion:

Complexity is the enemy of good security. Complex strategies and complex roadmaps can be contributing factors in unsuccessful security implementations.

A better practice, and a simpler starting point, is to create a set of security principles as the first step in the evolution of a security strategy. Carefully crafted security principles can be a bridge to business understanding of, and buy-in to, a successful security strategy.