Getting Back to the Basics: Policy, Policy, and More Policy, topped with Mind Map Planning

Part 2 of 3 in a series on the CIS Critical Security Controls


Policy, Policy, and some Policy... topped with mind map planning! Critical Controls – Part 2
A while back I discussed the critical control basics, mentioning policy and planning as the necessary foundation before implementing any type of security methodology, specifically the Center for Internet Security (CIS) Critical Controls. This post focuses on the first five controls, using CIS Critical Security Controls version 6.0:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Controlled Use of Administrative Privileges

Not every one of these controls needs its own dedicated policy; there are many more controls beyond the first five, and a single policy will often cover several of them.  Remember that these are basic controls to build a foundation upon, not an end-all magical solution.  Most people in the industry have their own way of creating, combining, and integrating policies. The most important part is actually having the policy!

I recommend starting with a simple mind map. From there you can begin to map out how your existing or planned policies relate to your desired controls, systems, processes, and so on.

Here is an example (the data is fabricated and does not represent any actual client):

This looks somewhat confusing, but remember that it is just a planning exercise to begin identifying gaps and to have effective conversations among multiple teams.

The above example shows the following:

  • The current employee-signed policies and general policies, and how they relate to the controls.
  • Based on those relationships, each control is labeled with a color: green for acceptable coverage, orange for partially deficient, and red for fully deficient (no policy addresses the control at all).
  • Once the deficiencies are identified, you can begin brainstorming which policies or processes could be created to close the gaps.

Also be aware of how the newly created policies relate to current ones.  If you find many arrows from a proposed policy pointing to an existing policy, you most likely need to merge the two or add the new material to the original policy rather than write a separate one.  Knowing how your policies, processes, and controls integrate and relate is key to building a roadmap for implementing a strong foundation of the CIS critical controls.
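Once the mind map exists, the same gap analysis can be codified so it survives the whiteboard session. The script below is an added example, not part of the original post: it holds the policy-to-control mapping as data, color-codes each of the five controls exactly as the mind map does (green, orange, red), and flags proposed policies that point at two or more existing policies as merge candidates. The policy names, the coverage levels, and the merge threshold of two arrows are all constructed assumptions for illustration.

```python
"""Codified version of the mind-map gap analysis (added example).

Policies, controls, and the mapping between them are constructed sample
data for illustration; they do not represent any real client.
"""
from collections import defaultdict

# The first five CIS Critical Security Controls, version 6.0.
CONTROLS = {
    1: "Inventory of Authorized and Unauthorized Devices",
    2: "Inventory of Authorized and Unauthorized Software",
    3: "Secure Configurations for Hardware and Software",
    4: "Continuous Vulnerability Assessment and Remediation",
    5: "Controlled Use of Administrative Privileges",
}

# Constructed sample data: existing policies and the controls each one
# addresses.  "full" means the policy covers the control as written;
# "partial" means it touches the control but leaves gaps.
EXISTING_POLICIES = {
    "Acceptable Use Policy (employee-signed)": {5: "partial"},
    "Asset Management Policy": {1: "full", 2: "partial"},
    "Patch Management Standard": {4: "partial"},
}

# Constructed sample data: proposed policies from the brainstorming step,
# each listing the existing policies it would draw arrows to.
PROPOSED_POLICIES = {
    "Privileged Access Policy": ["Acceptable Use Policy (employee-signed)"],
    "Software Whitelisting Standard": [
        "Asset Management Policy",
        "Patch Management Standard",
        "Acceptable Use Policy (employee-signed)",
    ],
}


def control_status(policies, controls=CONTROLS):
    """Color-code each control the way the mind map does.

    green  - at least one policy fully covers the control
    orange - only partial coverage exists
    red    - no policy addresses the control at all
    """
    coverage = defaultdict(set)
    for mapping in policies.values():
        for control_id, level in mapping.items():
            coverage[control_id].add(level)

    status = {}
    for control_id in controls:
        levels = coverage.get(control_id, set())
        if "full" in levels:
            status[control_id] = "green"
        elif "partial" in levels:
            status[control_id] = "orange"
        else:
            status[control_id] = "red"
    return status


def covering_policies(policies, control_id):
    """Names of the policies that address a control (empty list if none)."""
    return sorted(name for name, mapping in policies.items() if control_id in mapping)


def merge_candidates(proposed, threshold=2):
    """Proposed policies whose arrows into existing policies reach the threshold.

    Those are better merged into, or appended to, an existing policy than
    written as a new stand-alone document.  The threshold is an assumption.
    """
    return {name: targets for name, targets in proposed.items() if len(targets) >= threshold}


if __name__ == "__main__":
    for cid, colour in control_status(EXISTING_POLICIES).items():
        covered_by = covering_policies(EXISTING_POLICIES, cid) or "no policy"
        print(f"CSC {cid} [{colour}] {CONTROLS[cid]}: {covered_by}")
    for name, targets in merge_candidates(PROPOSED_POLICIES).items():
        print(f"Consider merging '{name}' into: {', '.join(targets)}")
```

With the sample data, control 1 comes out green, controls 2, 4 and 5 orange, and control 3 red, and the proposed "Software Whitelisting Standard" is flagged for merging because it points at three existing policies. Swapping in your own policies and coverage levels turns the script into a repeatable check as policies are added or merged.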

In part 3 we will bring this all home with a basic primer on how to plan and document the implementation roadmap for the CIS Critical Controls. If you have not already, take a look at the Critical Security Controls guidelines: https://www.sans.org/critical-security-controls/guidelines.