BizCare's THRIVE-SECURE Center
BizCare is committed to ensuring peace of mind, trust, security, and support while we guide you on your cybersecurity compliance journey.
Monitoring
Continuously monitored by Secureframe
Subprocessors
AT&T
Voice, video, data, and Internet telecommunications and professional services
Cisco Duo
User identities, device trust, and secure connections to networks and applications
Cisco Meraki
Manage, configure, and deploy network devices, protocols, programs, etc.
Cisco Umbrella
Secure web gateway, firewall, DNS-layer security, data loss prevention, and cloud access security broker (CASB)
Comcast
Internet, phone, and cable television
Freshworks
IT Service Management and Ticketing
GoDaddy
Website building, hosting, email, and marketing
Intermedia
Consolidates phone, video conferencing, chat, file sharing, customer care, and more applications on one platform
Keeper Security
Password Manager
FAQs
What are the key CIS Controls required for IG1 compliance?
CIS has 18 controls, but the most important controls for achieving the introductory IG1 standard are the first two. These are documenting physical assets and digital assets. This is because it's difficult to reach any other compliance objectives without knowing what you're protecting.
How does IG1 compliance benefit my MSP and my clients?
Think of this as an introductory credit card to building your credit score. IG1 is a benefit because not only does it prevent more than 75 percent of attacks, it also sets the foundation for other standards you plan to comply with (like SOC 2, NIST, ISO 27001, etc.). Overall, this "cyber credit score" gives the organization an optimal reputation with other entities you want to do business with, including cyber insurance providers.
What specific security policies do we need to implement for IG1?
Usually it's best to start with introductory policies to understand how to sign off on these documents and properly store them. We recommend starting with an Acceptable Use Policy because you get all of the above while not changing the operations too much. Then we recommend moving to the high impact policies, like Business Continuity & Disaster Recovery (BCDR) and Vulnerability & Patch Management policies.
What tools and solutions are recommended to meet IG1 requirements?
There are thousands of solutions, but they can be boiled down to one of three classifications: Technical Controls, Administrative Controls, and Physical Controls. When considering proactive and reactive defenses, meaning before and after an attack starts, different classifications of controls will be recommended. For example, automated Technical Controls can handle a lot of the proactive side, such as Microsoft's and Cisco's suites of products. However, on the reactive side, it's mostly going to be human based. This is why Administrative Controls really shine when the attacks inevitably happen, because they determine whether a playbook is effective or not.
How do we implement asset and software inventory management under IG1?
This is the hardest thing to achieve under IG1 because it's difficult to automate. The key is to build a system where you can seamlessly add to the inventory, but also have a hierarchy that you can sort through to find even the most specific items (such as IP addresses). Software tools can help, but these controls are mostly human based. Hire someone who is systems-oriented. Signs of these skills are finding optimal credit card strategies, staying fit and healthy, etc.
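The hardware (Control 1) and software (Control 2) inventory described above can be kept in a structure that supports both seamless adds and a hierarchy you can drill into. The following is an added example, not BizCare's or Secureframe's tooling; the sites, VLAN names, hosts and IP addresses are constructed. It indexes assets by ID, by IP and by site/segment, rejects a second device claiming an IP that is already recorded, lists software not on an approved list, and flags devices that have no owner or have not reported recently so that a human can review them.

```python
"""Minimal hardware/software asset inventory in the spirit of CIS Controls 1 and 2.

Added example with constructed data; not BizCare's or Secureframe's tooling.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Asset:
    asset_id: str
    hostname: str
    ip: str
    site: str                 # level 1 of the hierarchy (constructed site names)
    segment: str              # level 2 of the hierarchy (constructed VLAN names)
    owner: Optional[str]      # None means nobody has signed off on this device
    last_seen: date           # last time a scan or agent reported the device
    software: List[str] = field(default_factory=list)


class Inventory:
    """Assets indexed by ID, by IP and by site -> segment for hierarchical lookups."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Asset] = {}
        self._by_ip: Dict[str, str] = {}
        self._tree: Dict[str, Dict[str, List[str]]] = {}

    def add(self, asset: Asset) -> None:
        # A second device claiming an IP already in the inventory is either a
        # data-entry error or an unknown device; both need a person to look.
        existing = self._by_ip.get(asset.ip)
        if existing is not None and existing != asset.asset_id:
            raise ValueError(f"{asset.ip} is already recorded for {existing}")
        self._by_id[asset.asset_id] = asset
        self._by_ip[asset.ip] = asset.asset_id
        self._tree.setdefault(asset.site, {}).setdefault(asset.segment, []).append(asset.asset_id)

    def find_by_ip(self, ip: str) -> Optional[Asset]:
        asset_id = self._by_ip.get(ip)
        return self._by_id.get(asset_id) if asset_id else None

    def list_segment(self, site: str, segment: str) -> List[str]:
        return sorted(self._tree.get(site, {}).get(segment, []))

    def unapproved_software(self, approved: Set[str]) -> Dict[str, List[str]]:
        # Control 2: anything installed that is not on the approved list.
        out: Dict[str, List[str]] = {}
        for a in self._by_id.values():
            extra = sorted(s for s in a.software if s not in approved)
            if extra:
                out[a.asset_id] = extra
        return out

    def needs_review(self, today: date, max_age_days: int = 30) -> List[str]:
        # Control 1: devices nobody owns, or that have gone quiet, need follow-up.
        cutoff = today - timedelta(days=max_age_days)
        return sorted(a.asset_id for a in self._by_id.values()
                      if a.owner is None or a.last_seen < cutoff)


SAMPLE_TODAY = date(2024, 6, 1)  # constructed reference date for the sample data


def build_sample_inventory() -> Inventory:
    """Constructed sample: three workstations/servers and one firewall."""
    inv = Inventory()
    inv.add(Asset("HW-001", "fw-edge-01", "10.0.0.1", "hq", "vlan-mgmt", "netops",
                  SAMPLE_TODAY, ["ios-xe"]))
    inv.add(Asset("HW-002", "ws-alice", "10.0.10.15", "hq", "vlan-users", "alice",
                  SAMPLE_TODAY, ["chrome", "office"]))
    inv.add(Asset("HW-003", "ws-unknown", "10.0.10.99", "hq", "vlan-users", None,
                  SAMPLE_TODAY, ["chrome", "torrent-client"]))
    inv.add(Asset("HW-004", "srv-files", "10.0.20.5", "dc", "vlan-servers", "itops",
                  SAMPLE_TODAY - timedelta(days=45), ["smb-server"]))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("10.0.10.99 is", inv.find_by_ip("10.0.10.99").hostname)
    print("hq/vlan-users:", inv.list_segment("hq", "vlan-users"))
    print("needs review:", inv.needs_review(SAMPLE_TODAY))
    print("unapproved:", inv.unapproved_software({"ios-xe", "chrome", "office", "smb-server"}))
```

The review list is the human-facing part of the control: the code only surfaces the unowned and stale devices, and someone systems-oriented still has to decide whether each one is a forgotten asset or something that should not be on the network.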
What are the minimum access control requirements for IG1?
You must have an Access Control and Termination policy, which defines requirements for access and removal of access to the organization's data, systems, facilities, and networks.
What training and awareness programs are required for IG1 compliance?
IG1 Control 14 is an entire control that documents these requirements. The program must influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise. Luckily, there are providers that can satisfy this requirement in a turn-key fashion, such as Proofpoint, Huntress, and Microsoft.
How can we simplify log management and security monitoring to meet IG1?
Update your cybersecurity playbook to continuously ensure that monitoring is actually being done on the technical side (sometimes this is turned off by default). Then, there are tools that can streamline the log management side for humans, such as Security Information and Event Management (SIEM) platforms. These take in logs from many different types of sources and display them in one dashboard. Splunk is a great provider.
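The two points above, checking that monitoring is actually switched on and pulling logs from different sources into one view, can be shown in a few lines of Python. This is an added example, not a SIEM product's code and not BizCare's playbook; the firewall text lines and identity-provider JSON events are constructed, as are the host names and addresses. It normalizes both formats into one schema, reports any expected source that has gone silent (the "turned off by default" case), and runs one simple detection over the merged stream.

```python
"""Normalize logs from two constructed sources into one schema and check source health.

Added example; not Splunk's or any vendor's code. All log lines are constructed.
"""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a firewall that logs syslog-style text and an
# identity provider that logs JSON. Not real product output.
FIREWALL_LINES = [
    "2024-06-01T12:00:05Z fw-edge-01 DENY src=203.0.113.7 dst=10.0.20.5 dport=445",
    "2024-06-01T12:00:09Z fw-edge-01 ALLOW src=10.0.10.15 dst=10.0.20.5 dport=443",
]
IDP_LINES = [
    '{"ts": "2024-06-01T12:01:00Z", "user": "alice", "result": "failure", "src": "198.51.100.9"}',
    '{"ts": "2024-06-01T12:01:20Z", "user": "alice", "result": "failure", "src": "198.51.100.9"}',
    '{"ts": "2024-06-01T12:01:40Z", "user": "alice", "result": "failure", "src": "198.51.100.9"}',
    '{"ts": "2024-06-01T12:02:00Z", "user": "alice", "result": "success", "src": "198.51.100.9"}',
]
# Sources the playbook says must be reporting. "endpoint" never sends anything
# in the sample, which is exactly the gap the health check is meant to expose.
EXPECTED_SOURCES = ("firewall", "idp", "endpoint")
DEFAULT_GAP = timedelta(minutes=10)

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_firewall(line: str) -> Optional[dict]:
    m = FW_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped rather than guessed at
    return {"ts": parse_ts(m["ts"]), "source": "firewall", "host": m["host"],
            "src_ip": m["src"], "action": m["action"].lower(), "user": None}


def normalize_idp(line: str) -> Optional[dict]:
    try:
        d = json.loads(line)
    except json.JSONDecodeError:
        return None
    return {"ts": parse_ts(d["ts"]), "source": "idp", "host": None,
            "src_ip": d["src"], "action": "login_" + d["result"], "user": d["user"]}


def collect() -> List[dict]:
    """Merge both sources into one time-ordered stream (the 'single dashboard' view)."""
    events = [e for e in map(normalize_firewall, FIREWALL_LINES) if e]
    events += [e for e in map(normalize_idp, IDP_LINES) if e]
    return sorted(events, key=lambda e: e["ts"])


def silent_sources(events: List[dict], now: datetime, max_gap: timedelta = DEFAULT_GAP) -> List[str]:
    """Expected sources that have not logged anything within max_gap of now."""
    last_seen: Dict[str, datetime] = {}
    for e in events:
        last_seen[e["source"]] = max(last_seen.get(e["source"], e["ts"]), e["ts"])
    return sorted(s for s in EXPECTED_SOURCES
                  if s not in last_seen or now - last_seen[s] > max_gap)


def failed_login_bursts(events: List[dict], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str]]:
    """(user, src_ip) pairs with `threshold` or more failures inside `window`."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e["action"] == "login_failure":
            failures[(e["user"], e["src_ip"])].append(e["ts"])
    hits = []
    for key, times in failures.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            hits.append(key)
    return sorted(hits)


def summarize(events: List[dict]) -> Counter:
    """Counts per (source, action): the kind of tile a dashboard would show."""
    return Counter((e["source"], e["action"]) for e in events)


if __name__ == "__main__":
    evs = collect()
    now = parse_ts("2024-06-01T12:05:00Z")  # constructed 'current' time
    print("silent sources:", silent_sources(evs, now))
    print("failed-login bursts:", failed_login_bursts(evs))
    print("summary:", dict(summarize(evs)))
```

The silent-source check is the part most often missing from a first SIEM rollout: a dashboard with no events from a source looks identical whether the source is quiet or was never turned on, so the playbook should treat a missing feed as a finding in its own right.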
What patch management processes must be in place for IG1 compliance?
For IG1 compliance, Bizcare Inc follows a comprehensive patch management process. This includes protection from known vulnerabilities by installing applicable vendor-supplied security patches, and other patches not identified as critical are applied on a regular maintenance schedule defined by system maintenance and support procedures. Bizcare Inc applications are patched in accordance with the Change Management Policy. For high-risk or critical patches, the rollout may follow a compressed schedule. The patch management process is part of a broader vulnerability management process that includes third-party security tests and
How do we document and demonstrate IG1 compliance to clients or auditors?
We document our IG1 compliance through annual reviews of our vendors, which are retained for audit purposes. These reviews may include the gathering of applicable compliance audits such as SOC 1, SOC 2, PCI DSS, HITRUST, ISO 27001, among others. We also review our in-place security controls as part of this process.
