CIS Critical Security Controls (CSC) Policies, Standards & Procedures
ComplianceForge currently offers one (1) product that offers comprehensive-enough coverage to address the controls found in the Center for Internet Security (CIS) v7.1 & 8.0 Critical Security Controls (CSC). This product is the Digital Security Program (DSP). The DSP is the most comprehensive document we’ve made and it is targeted for enterprise-class organizations that have a need to align to the following frameworks. It is “best in class” hybrid that leverages numerous leading frameworks to create a comprehensive security program for your organization! Our products offer coverage to over 100 laws, regulations and industry standards, including the CIS CSC:
American Institute of CPAs (AICPA) Service Organization Control (SOC2)
The CIS CSC is in the "moderate coverage" of the cybersecurity frameworks spectrum. The Digital Security Program (DSP) uses the Secure Controls Framework (SCF) as its control set that has mappings to all CIS CSC controls.
Safety Component – Taking Industrial Control Systems (ICS), Operational Technology & The Internet Of Things (IOT) Into Account
For years, the “CIA Triad” stood as the foundation for what a security program was designed to address – the Confidentiality, Integrity and Availability of both systems and data. That has now changed, since there are real-world safety considerations from Operational Technology (OT) and the Internet of Things (IoT). This has caused the evolution of the CIA Triad into the Confidentiality, Integrity, Availability and Safety (CIAS) model.
The DSP is designed around the CIAS model by adopting the best of leading security frameworks.
Important-Ready For GRC Tools - The DSP Comes In Both Microsoft Word & Excel Formats
The DSP is ready to import into your Governance, Risk & Compliance (GRC) solution, since it comes in both Microsoft Word and Excel formats. This makes the import from Excel easy. For many GRC tools, this provides you the ability to perform your customization and collaboration directly from your GRC portal.
If you do not currently have a GRC tool, but want to deploy the DSP from a user-friendly internal website, we can help with that. We offer a fixed-cost service to convert the DSP into an internal website using GRAV, a Content Management System (CMS). If that interests you, please contact us at email@example.com and we can provide you with more details on that option.
The Excel version of the DSP comes with the following content so it is easy to import into a GRC solution (e.g., ZenGRC, MetricStream, Ostendio, Archer, RSAM, MetricStream, etc.):
- Policy statements
- Policy intent
- Control objectives
- Metrics - including suggested Key Performance Indicators (KPIs) &
- Key Risk Indicators (KRIs)
- Indicators of Compromise (IoC)
- Indicators of Exposure (IoC)
- Target Audience Applicability
- Scoping - Basic or Enhanced Requirement
- Recommended roles / teams with responsibility for each standard (basically a RACI for key stakeholders)
[click to see an example of the Excel content]
Comprehensive Documentation – Coverage For Your Security Program's Needs
The DSP consists of thirty-two (32) policies. Nested within these policies are the control objectives, standards and guidelines that make your security program run.
The structure of the DSP makes is easy to add or remove policy sections, as your business needs change. The same concept applies to standards – you can simply add/remove content to meet your specific needs.
|1||Digital Security Governance||GOV||
|3||Business Continuity & Disaster Recovery||BCD||19||Mobile Device Management||MDM|
|4||Capacity & Performance Planning||CAP||20||Network Security||NET|
|5||Change Management||CHG||21||Physical & Environmental Security||PES|
|7||Compliance||CPL||23||Project & Resource Management||PRM|
|8||Configuration Management||CFG||24||Risk Management||RSK|
|9||Continuous Monitoring||MON||25||Secure Engineering & Architecture||SEA|
|10||Cryptographic Protections||CRY||26||Security Operations||OPS|
|11||Data Classification & Handling||DCH||27||Security Awareness & Training||SAT|
|12||Embedded Technology||EMB||28||Technology Development & Acquisition||TDA|
|13||Endpoint Security||END||29||Threat Management||THR|
|14||Human Resources Security||HRS||30||Third-Party Management||TPM|
|15||Identification & Authentication||IAC||31||Vulnerability & Patch Management||VPM|
|16||Incident Response||IRO||32||Web Security||WEB|