Data protection and regulatory compliance go hand in hand. Ensuring your business maintains a robust cybersecurity posture supports compliance exercises, while compliance frameworks help you identify gaps and improvements across your data protection measures.
Data privacy and compliance exercises are an ongoing and sometimes grueling process, especially at smaller companies who have limited resources available to juggle the various regulations and requirements that impact the business. Few professionals responsible for compliance exercises are aware of the downstream system configuration best practices that underpin global, regional and industry requirements.
What are the CIS benchmarks and how do they fit into larger compliance requirements?
The CIS (Center for Internet Security) benchmarks are un-biased and consensus-based best practices that were developed by a group of global cybersecurity professionals and subject matter experts. The benchmarks focus on the secure configuration of multiple systems commonly used in business environments. More than 100 CIS benchmarks cover 25 product families and today, the CIS benchmarks remain the only globally accepted secure configuration best practice guide by government, academia, industries and businesses.
Why the benchmarks matter
A large number of reported breaches note misconfigurations as root cause. It’s a trend that’s not going away; misconfigurations are often caused by unintentional mistakes or oversights. Unfortunately, these mistakes can expose highly sensitive personal data. The 2021 Verizon Data Breach Investigations Report logged 919 incidents last year, with 99% of those incidents linked to internal actors (human error). Of those incidents, compromised data included personal data (79%), medical information (17%), banking information (13%) and credentials (13%).
Compliance frameworks are designed to protect sensitive data. They focus on ensuring that businesses have the ability to know what sensitive data they have, how it’s being used and what measures are in place to protect it. Ensuring basic controls are in place mitigate the risk of misconfigurations not only protect data, but help achieve compliance, too.
The CIS benchmarks are a guide that IT teams can use to institute controls and safeguards to protect against cyber-attacks and protect business networks and systems. The controls are broken down into three categories:
- Level 1 – the simplest to implement in organizations of all sizes
- Level 2 – controls considered for defense-in-depth (for more mature organizations)
- STIG Profile (formerly level 3) – overlapping recommendations from both Level 1 and Level 2 for more comprehensive benchmarks coverage
CIS Benchmarks and data discovery
The best security defense starts with industry accepted and battle-tested best practices, and an accurate inventory of all of your data and assets. The inventory is essential when it comes to classifying data types to determine individual level of risk and which controls apply.
The Cavelo platform supports CIS Controls V8, a list of prioritized safeguards that are mapped to and referenced by compliance frameworks and guides like NIST CSF, NIST Special Publication 800-Rev.5, NIST Special Publication 800-171-Rev.2, the Cybersecurity Maturity Model Certification (CMMC), Cloud Security Alliance Cloud Control Matrix (CSA CCM), AICPA Trust Services Criteria (SOC2), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI).
The platform provides a single pane of glass, continuous data and vulnerability discovery, and configurable policies that support 14 of the 18 CIS Controls including:
✔️Control 01: Inventory and control of enterprise assets
✔️Control 02: Inventory and control of software assets
✔️Control 03: Data protection
✔️Control 04: Secure configuration of enterprise assets and software
✔️Control 05: Account Management
✔️Control 06: Access Control Management
✔️Control 07: Continuous vulnerability management
✔️Control 08: Audit log management
✔️Control 09: Network infrastructure management
✔️Control 10: Malware Defenses
✔️Control 11: Data Recovery
✔️Control 12: Network Infrastructure Management
✔️Control 13: Network Monitoring and Defense
Control 14: Security Awareness and Skills Training
Control 15: Security Provider Management
✔️Control 16: Application Software Security
Control 17: Incident Response Management
Control 18: Penetration Testing
Source: cisecurity.org/controls/v8/
Regulatory compliance is a team sport. IT teams that consider and regularly revisit how networks and systems controls map to CIS benchmarks ultimately support a stronger overall security posture and equally, a lighter compliance lift.
Wondering which compliance requirements and frameworks apply to your business?
