18. Center for Internet Security Controls Exercise
The CIS Controls are a great resource you can use to secure your business. You will perform a similar analysis in the final project.
ND545 C1 L2 11 Center For Internet Security Controls Walkthrough
Jill & Roy's Accounting - Case Study
Jill and Roy provide accounting services throughout their area. They employ 7 full-time workers: 4 accountants, 1 office administrator, and themselves. They also have about a dozen seasonal workers during tax season.
They use Microsoft 365 (aka Office 365) for all of their office applications (email, word processing, spreadsheets, etc.). For their accounting, they use the online versions of Intuit's QuickBooks and ProConnect. They have a single office with a network router to their ISP, a Linksys LGS116P Ethernet switch and a Linksys AC1900 WiFi router.
The full-time accountants each have a Lenovo ThinkPad T490 and the office administrator has a Lenovo desktop. All company workstation computers use Windows 10 and all users have administrator access on their PC. They also have one internal Windows 10 Lenovo desktop that they use as a centralized print and file server that sits in the main office area. Only Roy, Jill and the office admin have an account on it. The temporary workers use their own laptops, which are a mixture of Windows and Macs.
The office has a Bring Your Own Device (BYOD) Policy for all cell phones. They have a contract with a local IT company to provide services, which includes a weekly backup of the file/print server, monthly updating of all computers, and maintenance of the network equipment.
For each of the CIS Controls below, provide your interpretation of how they may apply to Jill & Roy's Accounting. You may use the CIS CSC website https://www.cisecurity.org/controls/cis-controls-list/ to help you answer these questions.
Hardware and Software Inventory
QUESTION:
CIS Control #1 is Inventory and Control of Hardware Assets and #2 is Inventory and Control of Software Assets.
- How do these controls apply to the company?
- What can they do to make sure they meet them?
ANSWER:
Having a good software and hardware inventory is the starting point for any security program.
Sample Answer:
Jill & Roy should have a written inventory of all major hardware devices and computers. This includes all company-owned laptops, desktops, printers, networking equipment, and devices. They should also have an inventory of all software in use by the company, including anything installed on company PCs and cloud services. This inventory should be reviewed at least monthly and updated as needed.
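One way to turn that written inventory into something checkable is to reconcile it against what is actually on the network and installed on company PCs. The script below is an added example for this case study, not part of the course material or of CIS's own tooling: it parses a constructed DHCP lease export in a simple "hostname MAC IP" layout (real router exports differ, so the parser would need adapting), flags devices that are not in the inventory and inventory entries that were not seen, and reports software on company-owned assets that is not on an allowlist. All asset records, MAC addresses, lease lines and the allowlist are constructed sample data.

```python
"""Reconcile an authorized asset inventory against devices seen on the
network, in the spirit of CIS Control 1 (hardware inventory) and Control 2
(software inventory). Added example for the Jill & Roy's Accounting case
study; every asset record, MAC address and lease line below is constructed
sample data, not taken from the case study or from CIS."""

from dataclasses import dataclass, field
import re


@dataclass
class Asset:
    """One entry in the written hardware inventory."""
    name: str
    mac: str            # compared after normalization, see norm_mac()
    owner: str
    company_owned: bool
    software: set = field(default_factory=set)


def norm_mac(mac: str) -> str:
    """Normalize 'AA-BB-CC-DD-EE-FF' / 'aa:bb:...' to 'aa:bb:cc:dd:ee:ff'."""
    return mac.lower().replace("-", ":")


# Constructed authorized inventory (placeholder MACs, not real devices).
AUTHORIZED = [
    Asset("roy-t490", "02:00:00:00:00:01", "Roy", True, {"Microsoft 365", "QuickBooks Online"}),
    Asset("jill-t490", "02:00:00:00:00:02", "Jill", True, {"Microsoft 365", "ProConnect"}),
    Asset("admin-desktop", "02:00:00:00:00:03", "Office admin", True, {"Microsoft 365", "FreeScreenRecorder"}),
    Asset("fileprint-srv", "02:00:00:00:00:04", "Roy", True, {"Windows 10"}),
    Asset("printer-lobby", "02:00:00:00:00:05", "Office", True, set()),
]

# Constructed software allowlist for company PCs.
APPROVED_SOFTWARE = {"Microsoft 365", "QuickBooks Online", "ProConnect", "Windows 10"}

# Constructed DHCP lease export in a simple "<hostname> <mac> <ip>" layout.
# Real router exports differ; adapt LEASE_RE / parse_leases() to the actual format.
DHCP_LEASES = """\
roy-t490      02:00:00:00:00:01  192.168.1.20
jill-t490     02-00-00-00-00-02  192.168.1.21
admin-desktop 02:00:00:00:00:03  192.168.1.22
fileprint-srv 02:00:00:00:00:04  192.168.1.10
MacBook-Pro   02:00:00:00:00:99  192.168.1.57
"""

LEASE_RE = re.compile(r"^(\S+)\s+([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\s+(\S+)")


def parse_leases(text: str) -> dict:
    """Return {normalized_mac: hostname} for every parsable lease line."""
    seen = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            seen[norm_mac(m.group(2))] = m.group(1)
    return seen


def reconcile_hardware(authorized, observed):
    """Return (devices seen but not in inventory, inventory entries not seen).

    A missing entry is not necessarily a problem (a laptop may be off), but it
    is exactly what the monthly inventory review should chase down."""
    known = {norm_mac(a.mac): a for a in authorized}
    unauthorized = {mac: host for mac, host in observed.items() if mac not in known}
    missing = [a.name for mac, a in known.items() if mac not in observed]
    return unauthorized, missing


def reconcile_software(authorized, approved):
    """Return {asset_name: software on company-owned assets not on the allowlist}."""
    findings = {}
    for a in authorized:
        if not a.company_owned:
            continue
        extra = a.software - approved
        if extra:
            findings[a.name] = extra
    return findings


if __name__ == "__main__":
    observed = parse_leases(DHCP_LEASES)
    unauth, missing = reconcile_hardware(AUTHORIZED, observed)
    print("Devices on the network but not in inventory:", unauth)
    print("Inventory entries not seen on the network:", missing)
    print("Unapproved software on company PCs:", reconcile_software(AUTHORIZED, APPROVED_SOFTWARE))
```

With the constructed data, the unknown "MacBook-Pro" lease stands out as the kind of device a seasonal worker's personal laptop would produce, the lobby printer shows up as not seen (worth confirming it is just powered off), and the office administrator's desktop carries one program the business never approved. Running a check like this before each monthly review gives the inventory something concrete to be reconciled against.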
CIS Controls
SOLUTION:
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Continuous Vulnerability Management
- Malware Defenses
- Email and Browser Protections
Reflect on Using the CIS Controls
QUESTION:
In the box below, provide additional observations on how Jill and Roy's Accounting can use the CIS Controls to improve the security in their business.
ANSWER:
Your answers may vary. The CIS Controls help businesses of all sizes mature their security programs by taking them through a step-by-step process for securing their infrastructure.