CIS Critical Controls
Made by Group 4
What are the CIS Critical Security Controls?
• The Center for Internet Security (CIS) publishes the CIS Critical Security Controls (CSC) to help organizations better defend against known attacks by distilling key security concepts into actionable controls to achieve greater overall cybersecurity defense.
Who Do the CIS Critical Security Controls Apply To?
Whereas many standards and compliance regulations aimed at improving overall security can be narrow in focus by being industry-specific, the CIS CSC (currently on its seventh iteration at version 7) was created by experts across numerous government agencies and industry leaders to be industry-agnostic and universally applicable.
CIS CSC apply generally to businesses and corporations, government agencies, educational institutions, non-profit organizations and healthcare organizations.
Main Aspects and Controls
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
Objective of the Framework
Primary Goal
• Cyber Attack Mitigation
• Risk-Based Approach
Strategic Focus
• Prioritization
• Proactive Defense
Scalability and Adaptability
• Flexible Application
• Industry Agnostic
Objective of the Framework
Comprehensive Coverage
• Holistic Security
• Alignment with Other Standards
Education and Awareness
• Guidance and Best Practices
• Community-Driven Updates
Risk Management Enhancement
• Actionable Controls
• Measurable Outcomes
Scope
• Versatility: The controls are designed to be applicable across various types of organizations, regardless of their size or the nature of their business.
• Integration: They can be integrated into existing security frameworks or used as a standalone guide for organizations starting their cybersecurity journey.
Involved Security Domains (Themes)
• Asset Management
• Access Control
• Vulnerability Management
• Incident Response
• Security Training and Awareness
• Data Security
Control Groups
• The CIS Controls implementation groups (IGs), defined as "basic cyber hygiene", are self-assessed categories for enterprises. Each IG identifies a subset of the CIS Controls that the community has broadly assessed to be applicable for an enterprise with a similar risk profile and resources to strive to implement. Each IG builds upon the previous one: IG2 includes IG1, and IG3 includes all CIS Safeguards in IG1 and IG2.
1. IG1
2. IG2
3. IG3
Control Groups
• Basic Controls
• Foundational Controls
• Organizational Controls
Data Protection Aspects
Data Encryption
• Encryption at Rest and in Transit
• Key Management
Access Restrictions
• Least Privilege Principle
• Role-Based Access Control (RBAC)
Data Loss Prevention (DLP)
• DLP Tools and Techniques
• Policy Enforcement
Data Protection Aspects
Backup and Recovery
• Regular Backups
• Tested Recovery Processes
Data Classification
• Identifying Sensitive Data
• Handling and Storage Protocols
Secure Data Disposal
• Proper Disposal Protocols
Why is Data Protection critical?
• Although many data leaks are the result of deliberate theft, data loss and damage can also occur because of human error or poor security practices. Solutions that detect data exfiltration can minimize these risks and mitigate the effects of data compromise.
Certification Process
• Self-Assessment
• Third-Party Assessment
• Continuous Improvement
Thank you for your attention