Key Takeaways for Control 4

Most fresh installs of operating systems and applications ship with default settings chosen for ease of use rather than security, so they are often insecure or not configured with security in mind. Use frameworks such as the CIS Benchmarks or the NIST National Checklist Program (NCP) to determine whether your organization needs to augment or adjust its baselines to better align with the policies it is trying to adhere to.

Throughout the CIS Controls, many Controls build on one another, and some need data from earlier Controls to establish what is secure and what is not. Control 4 is an example: it deals with the secure configuration of the enterprise assets and software identified by Controls 1 and 2.

Remember to take a layered approach to cybersecurity. Implementing and managing firewalls is a cornerstone of cybersecurity, but putting all your eggs in one basket and hoping one layer catches or stops every threat is not realistic. Multiple layers of security improve your effectiveness at slowing, delaying, or hindering a threat until it can be completely neutralized.

Safeguards for Control 4

4.1) Establish and Maintain a Secure Configuration Process

Description: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this safeguard is Protect. This safeguard can be implemented by leveraging other benchmarks and checklists such as the CIS Benchmarks or the NIST NCP (National Checklist Program). Starting from the CIS Benchmarks and NIST NCP, you can augment or adjust the baselines so that they satisfy your enterprise security policy.
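One concrete output of a secure configuration process like the one Safeguard 4.1 describes is a repeatable check of an asset's configuration against the documented baseline. The following Python script is an added example, not code from the article and not a CIS Benchmark or NIST NCP checklist itself: it parses a constructed sshd_config-style file, compares it against a hypothetical baseline of hardening settings, reports drift and missing settings, and flags when the baseline documentation is overdue for its annual review. The names BASELINE, SAMPLE_SSHD_CONFIG, parse_keyword_config, check_baseline, drift and review_overdue are all assumptions made for illustration.

```python
"""Configuration-baseline drift check (added example; not the article's code).

The baseline below is a constructed, hypothetical set of hardening settings in
the style a benchmark would express them. In practice the baseline is derived
from the CIS Benchmarks or NIST NCP and adjusted to enterprise policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str
    observed: Optional[str]  # None means the setting is absent (daemon default applies)
    status: str              # "pass", "fail", or "missing"


# Constructed baseline (hypothetical): keyword -> required value, lower-cased.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "loglevel": "verbose",
}

# Constructed sample sshd_config for the example. The duplicated PermitRootLogin
# line illustrates that sshd honours the first occurrence of a keyword.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config (example input, not a real host)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
PermitRootLogin no
"""


def parse_keyword_config(text: str) -> dict:
    """Parse 'Keyword value' lines (sshd_config style).

    Keywords are case-insensitive; blank lines and lines starting with '#'
    are ignored; the first occurrence of a keyword wins, as in sshd.
    """
    observed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value; nothing to compare
        key, value = parts[0].lower(), parts[1].strip().lower()
        observed.setdefault(key, value)
    return observed


def check_baseline(observed: dict, baseline: dict) -> list:
    """Compare observed settings with the baseline; one Finding per baseline key."""
    findings = []
    for key, expected in baseline.items():
        actual = observed.get(key)
        if actual is None:
            status = "missing"
        elif actual == expected:
            status = "pass"
        else:
            status = "fail"
        findings.append(Finding(key, expected, actual, status))
    return findings


def drift(findings: list) -> list:
    """Everything that needs remediation or an explicit, documented exception."""
    return [f for f in findings if f.status != "pass"]


def review_overdue(last_reviewed: date, today: date, max_age_days: int = 365) -> bool:
    """Safeguard 4.1 requires the documentation to be reviewed at least annually."""
    return (today - last_reviewed).days > max_age_days


if __name__ == "__main__":
    obs = parse_keyword_config(SAMPLE_SSHD_CONFIG)
    for f in check_baseline(obs, BASELINE):
        print(f"{f.status:8} {f.key}: expected={f.expected!r} observed={f.observed!r}")
    # Hypothetical review date for the baseline document.
    print("baseline review overdue:", review_overdue(date(2023, 1, 1), date.today()))
```

Running it against the sample reports PermitRootLogin and MaxAuthTries as failing, LogLevel as missing, and the other two settings as passing. In a real process the baseline file, the per-asset results and any approved exceptions are what you keep under version control and revisit at the annual review.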

4.2) Establish and Maintain a Secure Configuration