CHAPTER 15 CISv7 Controls and Best Practices
WHAT YOU WILL LEARN IN THIS CHAPTER:
- CIS Basic Controls—The Top Six
As an educator, I firmly believe that humans have to know the “why” to accept change. Most of us are curious creatures of habit and do not change unless sufficiently motivated. Most of us are motivated by either the love of something or the fear of it. In our cyber society, people need to know why certain controls are important, and they have to understand why they are important on a personal level. Knowing something and understanding it are very different. As a cybersecurity trainer, it is my personal mission to educate the public and bring understanding to cyber threats in a personal way. I believe we have to hope for the best but prepare for the worst.
When you are evaluating and auditing how your environment manages its processes and systems, you should determine whether the options you are following are best practices for conducting inventories, adopting computer policy, and communicating with the people using those systems. You also have to evaluate whether the people in management roles have the practical and technical expertise to assess these options and can provide support and training for users.
The Center for Internet Security (CIS) is a self‐described forward‐thinking, nonprofit entity dedicated to protecting private domains and public society against cyber threats. The controls they publish are the global standard and are the recognized best practices for security. As our cyber worries evolve, so do these best practices. As a cybersecurity professional, I refer to these CIS top 20 controls fairly often as a reminder to secure the world to the best of my ability.
The CIS top 20 controls are broken into three sections. The first six controls are the basic ones. These six controls are essential in any organization for cyber defense. The rest of the controls are divided into foundational and organizational, which focus on technical best practices and processes.