As organizations expand their digital footprints, the attack surface grows and more tools are needed to address evolving threats. Consistently evaluating security controls has become critical to maintaining even a basic security posture. The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the Cybersecurity Framework, and the Center for Internet Security (CIS) Controls, formerly known as the SANS Top 20 Critical Security Controls, have evolved into best-practice frameworks that organizations in any industry can use.
Together, the Cybersecurity Framework and the CIS Controls help security teams assess their current controls and maturity, and set goals for improving the procedures they use to protect sensitive data, manage change, and grant access to critical assets.
Cybersecurity Framework
The Cybersecurity Framework was developed beginning in 2013, in response to an executive order calling for a voluntary, risk-based cybersecurity framework, and the first version was published in February 2014. It assembles existing standards, guidelines and practices to help the organizations that run America's financial, energy, healthcare and other critical systems better protect their information and physical assets from cyberattacks.
The framework documents a set of control objectives that can be read as a working definition of cybersecurity, a term that has always been somewhat vague, and it started a national conversation about cybersecurity and the control measures necessary to improve it.
The framework's Core details activities, organized into the five Functions Identify, Protect, Detect, Respond and Recover, that can be incorporated into a cybersecurity program and tailored to the organization's needs. The framework is designed to augment, not replace, existing cybersecurity programs and risk management processes.
CIS Controls
The CIS Controls are a more concise, prioritized set of practices that outline what organizations should do first. CIS has estimated that implementing the first five controls alone mitigates roughly 85 percent of the most common attacks.
The controls, which map to NIST guidance, have been developed by practitioners based on first-hand experience in the field, and are updated regularly to keep pace with the threat landscape.
Many organizations don't know where to start with security control self-assessments. Learn how you can start leveraging the Cybersecurity Framework and the CIS Controls, and advance your overall security posture, in our new eBook, Transforming Enterprise Cybersecurity.