The CIS Top 20, also known as the Critical Security Controls (CSCs), is a comprehensive set of prioritized cybersecurity practices developed by the Center for Internet Security (CIS). These controls provide organizations with a clear and actionable framework to safeguard their information systems and assets against prevalent cyber threats. Organized into three categories—Basic, Foundational, and Organizational—the controls address key areas such as asset management, vulnerability management, secure configurations, incident response, and employee training.
The CIS Top 20 Controls are widely regarded as a gold standard for cybersecurity programs. By implementing these controls, organizations can strengthen their security defenses, reduce the risk of cyber-attacks, ensure compliance with regulatory frameworks, and enhance operational resilience.
These are fundamental actions every organization should implement to establish a secure foundation-
Maintain an accurate inventory of all devices connected to the network to identify unauthorized hardware.
Track and manage software to prevent the use of unauthorized or outdated applications.
Identify and remediate vulnerabilities through regular scanning and patch management.
Restrict and monitor the use of admin privileges to reduce the risk of insider threats and unauthorized changes.
Apply and maintain secure settings for all devices and systems.
Regularly review audit logs to detect and respond to unusual activity.
These controls build on the basics and provide a deeper level of protection:
Secure email systems and browsers to reduce the risk of phishing and malware attacks.
Deploy tools to detect, block, and remediate malicious software.
Reduce vulnerabilities by disabling unused ports and services.
Implement reliable backup and recovery processes to ensure business continuity.
Maintain strong security settings for firewalls, routers, and switches.
Monitor and defend network perimeters to prevent unauthorized access.
Encrypt sensitive data at rest and in transit to prevent unauthorized access.
Restrict access to sensitive information based on user roles.
Implement secure wireless protocols to protect against unauthorized network access.
Track and manage accounts to prevent misuse.
These controls focus on processes and procedures to ensure comprehensive security:
Educate employees on cybersecurity risks and safe practices.
Secure software development and deployment processes to minimize vulnerabilities.
Develop and test a plan to respond to and recover from cybersecurity incidents effectively.
Simulate attacks to identify weaknesses and improve defenses.
Discover the immediate impact VComply can bring to your compliance program. Move beyond the limits of spreadsheets with a system of record designed for complete compliance management.
