Who is CIS For?

CIS resources are designed for a wide range of organizations, including:

• Public Sector: Government agencies at the federal, state, and local levels looking to standardize and improve their cybersecurity practices.
• Private Sector: Businesses of all sizes and industries seeking to protect their information assets and reduce the risk of cyber incidents.
• Healthcare: Organizations needing to secure sensitive patient data and comply with regulations such as HIPAA.
• Education: Schools and universities aiming to safeguard student and staff information.
• Nonprofits: Mission-driven organizations requiring cost-effective cybersecurity solutions.
• Critical Infrastructure: Sectors like energy, finance, and transportation needing to protect essential services and assets.

CIS Control Families

The CIS Controls are grouped into 18 control families, each addressing a specific area of cybersecurity. These controls are prioritized to provide a clear starting point for improving cybersecurity defenses.

The control families are:

1. Inventory and Control of Enterprise Assets
   Actively manage all hardware devices on the network.
2. Inventory and Control of Software Assets
   Actively manage all software on the network.
3. Data Protection
   Ensure sensitive data is protected at rest and in transit.
4. Secure Configuration of Enterprise Assets and Software
   Establish security configurations for hardware and software.
5. Account Management
   Control access to assets through management of user accounts.
6. Access Control Management
   Limit and manage access to sensitive information.
7. Continuous Vulnerability Management
   Continuously acquire, assess, and act on information about vulnerabilities.
8. Audit Log Management
   Collect, manage, and analyze audit logs to detect and understand security incidents.
9. Email and Web Browser Protections
   Secure email and web browser use to reduce exposure to malicious content.
10. Malware Defenses
    Control the installation, spread, and execution of malicious code.
11. Data Recovery
    Ensure the integrity and availability of data by implementing appropriate data backup processes.
12. Network Infrastructure Management
    Manage and secure network devices to prevent unauthorized access.
13. Security Awareness and Skills Training
    Educate users on security policies and best practices.
14. Service Provider Management
    Secure outsourced IT services and ensure service providers meet security requirements.
15. Application Software Security
    Manage security of software development lifecycle and applications.
16. Incident Response Management
    Develop and implement incident response capabilities.
17. Penetration Testing
    Test and verify the effectiveness of security controls through simulated attacks.
18. Security Incident Management
    Ensure timely detection and response to security incidents.

CIS Implementation Groups

CIS Controls are organized into three Implementation Groups (IGs), which help organizations prioritize controls based on their resources and risk exposure:

• Implementation Group 1 (IG1)
  Focuses on essential cyber hygiene and is intended for small to medium-sized enterprises (SMEs) with limited IT and cybersecurity resources. These controls are foundational and offer the highest return on investment.
• Implementation Group 2 (IG2)
  Designed for organizations with moderate resources and higher sensitivity to risk. This group builds on IG1 and includes additional controls that address more sophisticated threats and compliance requirements.
• Implementation Group 3 (IG3)
  Aimed at larger organizations with substantial resources and a higher risk profile. IG3 encompasses all the controls from IG1 and IG2, adding more advanced security measures and practices to counter targeted and persistent threats.