We provide tailored CIS Controls assessments that evaluate your security posture against industry best practices, delivering actionable recommendations prioritized for your specific business needs.
The Center for Internet Security (CIS) Controls are a prioritized set of actions that collectively form a defense-in-depth approach to cybersecurity. We help you implement these controls in a way that makes sense for your organization.
The CIS Controls are developed by a community of IT experts who continuously evolve these best practices to address the changing threat landscape. They provide:
Our audits evaluate your environment against these controls, identifying gaps and providing specific recommendations tailored to your organization's unique context.
We understand that organizations have different resource constraints and risk profiles. Our CIS Controls assessment approach is tailored to match your specific needs through Implementation Groups.
Essential cyber hygiene - the foundation for any organization regardless of size or complexity.
Intermediate cyber hygiene - for organizations with moderate resources and more complex environments.
Advanced cyber hygiene - for organizations with significant resources and complex security requirements.
Our thorough assessment methodology ensures we provide a complete picture of your security posture with actionable recommendations tailored to your environment.
We begin by understanding your organization's environment, risk profile, and specific requirements.
We systematically evaluate each applicable CIS Control against your environment using a combination of interviews, documentation review, and technical testing.
We analyze the findings to identify security gaps and prioritize them based on risk, implementation effort, and your specific business context.
We develop a detailed remediation plan with specific, actionable recommendations tailored to your environment and constraints.
We deliver comprehensive reporting that communicates findings clearly to both technical teams and executive stakeholders.
Here are some of the key CIS Controls we assess in your environment, with the expected security measure and how we evaluate compliance for each.
Expected Security Control: Maintain an accurate inventory of all enterprise assets with the potential to store or process data.
Our Assessment Approach: We validate your asset inventory processes, verify completeness through network scanning, and check automation of discovery and monitoring.
Expected Security Control: Establish and maintain secure configuration practices for infrastructure and software.
Our Assessment Approach: We compare configurations against CIS Benchmarks, evaluate change control processes, and assess configuration drift monitoring.
Expected Security Control: Create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts.
Our Assessment Approach: We review access provisioning processes, privileged account controls, and account lifecycle management practices.
Expected Security Control: Create, assign, and manage authorization processes to allow or deny access to assets and resources.
Our Assessment Approach: We evaluate least privilege implementation, role-based access controls, and separation of duties enforcement.
Expected Security Control: Prevent or control the installation, spread, and execution of malicious applications, code, or scripts.
Our Assessment Approach: We assess anti-malware coverage, scanning frequency, and detection/response capabilities for various threat types.
Expected Security Control: Establish, implement, and actively manage network infrastructure devices.
Our Assessment Approach: We review network architecture, device configurations, segmentation implementation, and management processes.
We prioritize findings to help you focus on what matters most for your specific environment, ensuring you get the highest security return on your investment.
Security gaps that present an immediate, severe risk to your organization and should be addressed as soon as possible.
Security improvements that significantly reduce risk and should be included in near-term planning.
Important security enhancements that should be implemented as part of your security roadmap.
Security improvements that enhance your overall posture but present lower risk if not immediately addressed.
Here's how we present our findings to make them clear, actionable, and valuable for your specific environment.
Finding: The current asset inventory system is manually maintained and does not include all enterprise assets. Network scans identified 37 devices that are not in the current inventory, including 12 servers hosting sensitive applications.
Risk: Without a complete inventory, the organization cannot effectively secure all assets, potentially leaving systems unpatched, unmonitored, or misconfigured.
Finding: 27 user accounts have administrative privileges on domain controllers without business justification. Many of these accounts are used for daily activities, increasing the risk of privilege escalation attacks.
Risk: Administrative accounts used for routine tasks are more susceptible to compromise, potentially giving attackers elevated privileges to critical infrastructure.
Contact us today to schedule a CIS Controls assessment tailored to your organization's unique environment and needs.