How do I find legitimate vendors?
If any vendor tells you that using their tool guarantees compliance with a given regime, consider them suspect. When you speak with a vendor, ask them to explain how their products’ capabilities support a larger information security program. For example, a tool might contribute to cybersecurity asset management by integrating with a CMDB (configuration management database). However, it doesn’t provide total compliance unless there is 100% conformance to each sub-control in CIS Control 1 and CIS Control 2. Another tool might automatically assess endpoints against an enterprise-standard configuration. But it’s important to ensure endpoints are being tested against a robust standard, such as a consensus-developed CIS Benchmark™.
What resources are available to help me build a compliance plan?
CIS® offers multiple resources at no cost to help organizations get started with a compliance plan and improve their cybersecurity posture:
- The CIS Controls™ provide prioritized security guidance to help defend against common cyber threats
- CIS RAM (Risk Assessment Method) helps businesses organize the CIS Controls and sub-controls based on a customized assessment of risk
- The CIS Benchmarks are specific configuration guidelines for securing over 140 technologies including servers, operating systems, and software
How are these resources mapped to each other?
As part of the CIS Benchmark development process, each recommendation is reviewed for applicability to the CIS Controls. CIS Benchmark guidelines may be mapped to one or more:
- Top-level CIS Controls (such as CIS Control 18)
- Specific sub-controls (such as CIS Control 3.3)
CIS RAM maps each question in the Risk Assessment Method to a specific CIS Control or sub-control. It helps organizations put the CIS Controls into action in a customized, risk-informed way.
With so many risk management methods out there (Binary Risk Analysis, FAIR, etc.), what makes CIS RAM different?
The three principles and ten practices of CIS RAM lend themselves directly to supporting the legal concept of duty of care. In fact, CIS RAM is the first risk assessment method to provide very specific instructions for analyzing information security risk in a way that regulators define as "reasonable" and judges (in the United States) evaluate as "due care."
By implementing CIS RAM, organizations will follow a method that takes into consideration legal ramifications of risk management, as interpreted by courts of law in the United States. CIS RAM highlights the balance between the harm a security incident might cause and the burden of safeguards – the foundation of "reasonableness."