Wednesday 14 June 2023

CIS controls

Introduction

GAISP and GASSP

"The CIS Critical Security Controls® (CIS Controls®) started as a simple grassroots activity to identify the most common and important real-world cyber-attacks that affect enterprises every day, translate that knowledge and experience into positive, constructive action for defenders, and then share that information with a wider audience. The original goals were modest—to help people and enterprises focus their attention and get started on the most important steps to defend themselves from the attacks that really mattered."

[CIS Critical Security Controls v8]   

The CIS controls

  1. Inventory and control of enterprise assets: 

  2. Inventory and control of software assets:
     
  3. Data protection:

  4. Secure configuration of enterprise assets and software:

  5. Account management:

  6. Access control management:

  7. Continuous vulnerability management:

  8. Audit log management:

  9. Email and web browser protections:

  10. Malware defenses:

  11. Data recovery:

  12. Network infrastructure management:

  13. Network monitoring and defense:

  14. Security awareness and skills training:

  15. Service provider management:

  16. Application software security:

  17. Incident response management:

  18. Penetration testing:

Controls vs countermeasures

The document does not define the terms 'control' and 'countermeasure', although a footnote tells us that countermeasures were known as sub-controls in the previous version. By analogy with chemistry, controls are molecular and countermeasures atomic: each countermeasure is itself composed of more detailed sub-atomic steps, and controls combine into higher-level control compounds.

Important controls apparently missing from the CIS list 


Checklist security

"Whether you use the CIS Controls, and/or another way to guide your security improvement program, you should recognize that “it’s not about the list.” You can get a credible list of security recommendations from many sources—it is best to think of the list as a starting point. It is important to look for the ecosystem that grows up around the list. Where can I get training, complementary information, explanations; how have others implemented and used these recommendations; is there a marketplace of vendor tools and services to choose from; how will I measure progress or maturity; how does this align with the myriad regulatory and compliance frameworks that apply to me? The true power of the CIS Controls is not about creating the best list, it is about harnessing the experience of a community of individuals and enterprises to actually make security improvements through the sharing of ideas, tools, lessons, and collective action."

[CIS Critical Security Controls v8]  


 
