There are mobile and IoT companion documents for the CIS (Top 20) Critical Security Controls

Security practitioners are familiar with the Center for Internet Security (CIS) Critical Security Controls. Did you know there are versions of these controls tailored to mobile and Internet of Things?

This column is available in a weekly newsletter called IT Best Practices.  Click here to subscribe.  

Most people who have anything to do with cybersecurity are familiar with the Center for Internet Security (CIS) Critical Security Controls, also commonly known as the SANS Top 20, or more simply the Controls. This list consists of a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks.

Implementing the Controls is no guarantee an organization will have a bullet-proof defensive posture, but it significantly reduces both the risk that a breach will happen and the impact to the organization if such an event were to occur. What's more, theControls constitute a minimum level of security that any organization that collects or maintains personal or sensitive information should meet.

According to SANS Institute, which for years has been a leading proponent of the Controls, a principle benefit is that they prioritize and focus a smaller number of actions with high pay-off results. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They were created by the people who know how attacks work—NSA Red and Blue teams, the US Department of Energy nuclear energy labs, law enforcement organizations and some of the nation's top forensics and incident response organizations.

This group of experts attempted to answer the question, "What do we need to do to stop known attacks?" and reached consensus on the most current Controls.

The key to the continued value is that the Controls are updated based on new attacks that are identified and analyzed by expert security groups so the Controls can stop or mitigate those attacks. We are now on version 6 of the Controls:

CSC 1      Inventory of Authorized and Unauthorized Devices

CSC 2      Inventory of Authorized and Unauthorized Software

CSC 3      Secure Configurations for Hardware and Software on Mobile Device Laptops, Workstations, and Servers

CSC 4      Continuous Vulnerability Assessment and Remediation

CSC 5      Controlled Use of Administrative Privileges

CSC 6      Maintenance, Monitoring, and Analysis of Audit Logs

CSC 7      Email and Web Browser Protections

CSC 8      Malware Defenses

CSC 9      Limitation and Control of Network Ports, Protocols, and Services

CSC 10   Data Recovery Capability

CSC 11   Secure Configurations for Network Devices such as Firewall Routers, and Switches

CSC 12   Boundary Defense

CSC 13   Data Protection

CSC 14   Controlled Access Based on the Need to Know

CSC 15   Wireless Access Control

CSC 16   Account Monitoring and Control

CSC 17   Security Skills Assessment and Appropriate Training to Fill Gaps

CSC 18   Application Software Security

CSC 19   Incident Response and Management

CSC 20   Penetration Tests and Red Team Exercises

(To learn more about the CIS Critical Security Controls and download a free detailed version please visit:

Did you know that the Center for Internet Security also has companion lists of controls for mobile devices and the Internet of Things? As you can imagine, there are slight differences in how you would secure, say, an iPhone compared to a Windows-based laptop computer. For example, Critical Security Control 8 covers malware defenses. On a laptop or server, you can implement anti-virus/anti-malware software, but these traditional techniques don't apply to a device running the iOS operating system. Thus the mobile device version of the Top 20 Controls offers suggestions of how to implement malware controls that are appropriate for the mobile platform.

Likewise there are subtle differences in how some of the Controls must be implemented for the IoT. CIS points out, for example, that SCADA systems can be considered to be IoT devices. While CSC 1 indicates the need to inventory authorized and unauthorized devices, using traditional network scanning techniques can actually be dangerous to some industrial control systems, putting them into error states. Thus the Controls document prescribes other ways to achieve the same goal.

The companion documents for mobile and IoT controls can both be accessed via  You will need to register to get a token to access the documents, but it's free to do so.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10