The CISA (Cybersecurity & Infrastructure Security Agency) Critical Product Guidance (CPG) provides specific advice on securing various critical infrastructure products, while the CIS (Center for Internet Security) Controls V8 is a set of best practices designed to help organizations protect themselves from security threats.
The CISA CPG's mapping to the CIS V8 framework is not a one-to-one correlation because the two are designed with different purposes in mind. However, the CISA CPG's recommendations can often be seen as supporting the implementation of certain CIS Controls. Here's how we map it in our MeasureRISK service offering:
Inventory and Control of Enterprise Assets and Software Assets (CIS Controls 1 & 2):
Data Protection (CIS Control 3):
Secure Configuration of Enterprise Assets and Software (CIS Control 4):
Account Management (CIS Control 5):
Access Control Management (CIS Control 6):
Continuous Vulnerability Management (CIS Control 7):
Audit Log Management (CIS Control 8):
Email and Web Browser Protections (CIS Control 9):
Malware Defenses (CIS Control 10):
Data Recovery (CIS Control 11):
Network Infrastructure Management (CIS Control 12):
Security Awareness and Skills Training (CIS Control 13):
Service Provider Management (CIS Control 14):
Application Software Security (CIS Control 15):
Incident Response and Management (CIS Control 16):
Penetration Testing (CIS Control 17):
Control Systems (CIS Control 18):
The mapping can be more specific and nuanced based on the detailed recommendations in CISA's CPGs and the specific sub-controls and implementation groups within CIS Controls V8. Organizations looking to align these two sets of guidance should review the specific recommendations and controls in detail and consider how the advice in CPGs supports the implementation of CIS Controls in their specific environment. CISA has many resources available to help you be proactive about risk
Tom Brennan
This is my blog, there are many like it but this one is mine. Enjoy.