Understand the Building Blocks

Understanding the Building Blocks: Cybersecurity Frameworks

All cybersecurity programs start at the same point – with a framework that helps to drive the policies and procedures in your organization. 

To keep your policies and procedures consistent, choose a single framework and use it to measure both your current state and the state you are working toward. 

If you are a state or local agency, you are likely already required to comply with one or more specific sets of requirements (NIST publications, ISO 27001, PCI DSS, HIPAA, FINRA rules, GDPR, etc.). Some departments within your organization may already be held to such a standard while others are not. Choose a framework that maps to those existing requirements and that gives you a view across your entire organization, not just the regulated parts of it. 

The CIS Controls and the NIST CSF cover much of the same ground but frame it differently: the CIS Controls are a prioritized list of concrete safeguards, while the NIST CSF describes desired outcomes grouped by function. Whichever you choose, the important step is to measure yourself against a baseline and track progress against it over time. 

To help provide more context for each of the security controls outlined under the CIS framework (and how they map to the NIST framework), check out our short, pre-recorded overviews at the bottom of the page. 

CIS Controls

CIS publishes its own set of 18 Controls, ordered so that the most foundational controls come first. The Controls are divided into three Implementation Groups (IG1, IG2, IG3); CIS describes IG1 as basic cyber hygiene, and the groups nest, so an organization targeting IG2 implements every IG1 and IG2 safeguard. Tackle the IG1 safeguards before moving on to IG2 and IG3. Each of the 18 Controls is broken into Safeguards (called sub-controls in earlier versions), and each Safeguard is assigned to one of the three IGs. CIS also offers a web-based assessment tool that lets an organization track its progress, view its strengths and weaknesses, and assign program initiatives to coworkers. The CIS Controls Self-Assessment Tool (CSAT) is available for free on the CIS website. 
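As an added illustration of the two ideas above (IG1 before IG2 and IG3, and measuring against a baseline over time), the following Python script is a toy version of what a self-assessment tracker does. It is not CIS CSAT and not code from this page. The safeguard IDs, titles and IG assignments are a small subset transcribed from memory of CIS Controls v8, and the two assessment snapshots are constructed sample data; verify the safeguard list against the published CIS document before relying on it.

```python
"""Toy CIS Controls self-assessment tracker (added example, not CIS CSAT).

Safeguard IDs, titles and IG assignments are an illustrative subset of
CIS Controls v8, reproduced from memory; check them against the published
document. The assessment snapshots are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    sid: str      # safeguard id, e.g. "1.1"
    control: int  # parent CIS Control number
    ig: int       # lowest Implementation Group that must implement it (1, 2 or 3)
    title: str


# Illustrative subset of Controls 1 and 2 (enterprise and software asset inventory).
SAFEGUARDS = [
    Safeguard("1.1", 1, 1, "Establish and Maintain Detailed Enterprise Asset Inventory"),
    Safeguard("1.2", 1, 1, "Address Unauthorized Assets"),
    Safeguard("1.3", 1, 2, "Utilize an Active Discovery Tool"),
    Safeguard("1.4", 1, 2, "Use DHCP Logging to Update Enterprise Asset Inventory"),
    Safeguard("1.5", 1, 3, "Use a Passive Asset Discovery Tool"),
    Safeguard("2.1", 2, 1, "Establish and Maintain a Software Inventory"),
    Safeguard("2.2", 2, 1, "Ensure Authorized Software is Currently Supported"),
    Safeguard("2.3", 2, 1, "Address Unauthorized Software"),
    Safeguard("2.4", 2, 2, "Utilize Automated Software Inventory Tools"),
    Safeguard("2.5", 2, 2, "Allowlist Authorized Software"),
    Safeguard("2.6", 2, 2, "Allowlist Authorized Libraries"),
    Safeguard("2.7", 2, 3, "Allowlist Authorized Scripts"),
]

# Constructed assessment snapshots (safeguard id -> implemented?) for two quarters.
Q1 = {"1.1": True, "1.2": False, "1.3": True, "2.1": True, "2.2": False, "2.3": False, "2.5": True}
Q2 = {"1.1": True, "1.2": True, "1.3": True, "2.1": True, "2.2": True, "2.3": False, "2.4": True, "2.5": True}


def _sid_key(s):
    # Sort numerically so "1.10" does not land between "1.1" and "1.2".
    major, minor = s.sid.split(".")
    return (s.ig, int(major), int(minor))


def in_scope(target_ig):
    """Safeguards an enterprise targeting target_ig must implement (IGs nest)."""
    return [s for s in SAFEGUARDS if s.ig <= target_ig]


def coverage(snapshot, target_ig):
    """(implemented, required) for the target IG; safeguards above it are not credited."""
    scope = in_scope(target_ig)
    done = sum(1 for s in scope if snapshot.get(s.sid, False))
    return done, len(scope)


def gaps(snapshot, target_ig):
    """Unimplemented in-scope safeguard ids, lowest IG first: the order to tackle them."""
    missing = [s for s in in_scope(target_ig) if not snapshot.get(s.sid, False)]
    return [s.sid for s in sorted(missing, key=_sid_key)]


def ahead_of_scope(snapshot, target_ig):
    """Implemented safeguards above the target IG while lower-IG gaps remain (effort out of order)."""
    if not gaps(snapshot, target_ig):
        return []
    ahead = [s for s in SAFEGUARDS if s.ig > target_ig and snapshot.get(s.sid, False)]
    return [s.sid for s in sorted(ahead, key=_sid_key)]


def progress(before, after, target_ig):
    """Change in implemented count between two snapshots, and the required total."""
    b, n = coverage(before, target_ig)
    a, _ = coverage(after, target_ig)
    return a - b, n


if __name__ == "__main__":
    for ig in (1, 2):
        done, total = coverage(Q2, ig)
        delta, _ = progress(Q1, Q2, ig)
        print(f"IG{ig}: {done}/{total} implemented ({delta:+d} since last assessment)")
        print(f"  next to tackle: {gaps(Q2, ig)}")
        print(f"  done out of order: {ahead_of_scope(Q2, ig)}")
```

The scoring credits only safeguards at or below the target IG, so an organization that has deployed an IG2 discovery tool but still has no process for unauthorized assets (IG1) sees that reflected as an IG1 gap rather than as progress; the `ahead_of_scope` list makes that mis-ordering visible.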


NIST Framework

The National Institute of Standards and Technology (NIST) first published the Cybersecurity Framework in 2014 and released the revised version 1.1 in 2018. Version 1.1 organizes 23 Categories under 5 Functions: Identify, Protect, Detect, Respond, Recover. Before you measure your progress against this framework, it helps to read NIST's own description of it here.

The Center for Internet Security (CIS) created the Nationwide Cybersecurity Review (NCSR) to help State, Local, Tribal, and Territorial jurisdictions across the country gain visibility into their cybersecurity posture. The NCSR is an annual self-assessment that maps to the NIST CSF and gives jurisdictions a way to track their cyber maturity over time. 

Whole of State guidance

The Whole of State has also provided guidance on why identifying a framework is important, and on which framework is likely to be more accessible for local jurisdictions. 

CIS Controls 1 & 2 – Inventory & Control of Enterprise and Software Assets

Walk through why these controls are important, and how to set them up in your organization. 

CIS Controls 3 & 11 – Data Protection and Data Recovery

Walk through why these controls are important, and how to set them up in your organization. 

CIS Control 4 – Secure Configuration of Enterprise Assets and Software

Walk through why this control is important, and how to set it up in your organization. 

CIS Controls 5 & 6 – Account Management and Access Control Management 

Walk through why these controls are important, and how to set them up in your organization.

CIS Control 7 – Continuous Vulnerability Management

Walk through why this control is important, and how to set it up in your organization.

CIS Control 8 – Audit Log Management

Walk through why this control is important, and how to set it up in your organization.

CIS Control 9 – Email and Web Browser Protections

Walk through why this control is important, and how to set it up in your organization. 

CIS Control 10 – Malware Defenses

Walk through why this control is important, and how to set it up in your organization. 

CIS Control 12 – Network Infrastructure Management

Walk through why this control is important, and how to set it up in your organization. 

CIS Control 13 – Network Monitoring & Defense

Walk through why this control is important, and how to set it up in your organization. 

CIS Control 14 – Security Awareness and Skills Training

Walk through why this control is important, and how to set it up in your organization. 

CIS Control 15 – Service Provider Management

Walk through why this control is important, and how to set it up for your organization. 

CIS Control 16 – Application Software Security

Walk through why this control is important, and how to set it up for your organization. 

CIS Control 17 – Incident Response Management

Walk through why this control is important, and how to set it up for your organization. 

CIS Control 18 – Penetration Testing

Walk through why this control is important, and how to set it up for your organization.