
Don’t Be Spooked by Reasonable Cybersecurity: Get the Map to CIS Controls
Boo! It’s not ghosts or goblins, but the Center for Internet Security (CIS), whose Controls are increasingly the yardstick for the “reasonable” cybersecurity that MSPs are expected to deliver. New requirements in the channel can be scary: MSPs have to navigate jargon-filled, hard-to-understand policies and then map them to what their tools actually do. Luckily, Axcient is here to help!
As your cybersecurity guide, Axcient walks you through the scares and startles of aligning CIS Controls to solution capabilities. Keep reading to see how Axcient’s products – x360Recover, x360Cloud, and x360Sync – align with the business continuity and disaster recovery (BCDR) Safeguards under three CIS Controls. Or download Axcient’s CIS Reasonable Cybersecurity Guide below:
Meet the Center for Internet Security
The CIS is a nonprofit organization that develops best practices, tools, and resources to enhance cybersecurity readiness and response. Its flagship framework, the CIS Controls, prioritizes actions to help businesses protect themselves against the most prevalent cyber threats. The controls are designed based on real-world data and global input from cybersecurity experts, making them practical and effective for various industries.
For MSPs, aligning with the CIS Controls is becoming increasingly important. Because MSPs manage critical infrastructure and security for many businesses at once, they are prime cyberattack targets, and a single compromised MSP can expose every client it serves. The CIS Controls help close the gaps that could expose both MSPs and their clients to risk. Adopting them gives MSPs a consistent, well-documented security baseline that helps protect clients and meet growing regulatory and compliance demands. In a time when cyber threats are continually escalating, these controls are not only about compliance but also about safeguarding business continuity and trust.
Why MSPs Shouldn’t Fear CIS Controls
Many U.S. states now require government agencies and organizations working with them to adopt cybersecurity best practices. Several states specifically refer to the CIS Controls as an ideal framework to demonstrate a “reasonable” approach to security. For MSPs, determining what qualifies as reasonable can be challenging due to the complexity of cybersecurity.
By using CIS resources and Axcient products, MSPs can provide clients with standardized, top-tier security services, reduce exposure, and meet regulatory requirements. Aligning with CIS strengthens your security offerings and fosters client trust by implementing industry-leading cybersecurity standards. With the CIS Controls, MSPs can…
- Streamline threat protection with clear Safeguards, each asking for one specific action.
- Support compliance with regulations like HIPAA and GDPR, which the CIS Controls map to but do not replace.
- Enhance cyber resilience with fundamental security measures targeting common threats like unpatched software, poor configurations, and outdated systems.
- Demonstrate a “reasonable” level of security, the standard several states now require businesses to meet.
- Highlight your dedication to cybersecurity, building client trust, and attracting security-first prospects.
Satisfying BCDR CIS Controls and Safeguards with Axcient
Don’t get scared again – but 18 Controls and 153 corresponding Safeguards make up the CIS Controls (version 8). That sounds like a lot, and it is, but with Axcient, MSPs can address 12 of those Safeguards, spread across three Controls – all having to do with BCDR. The remaining Safeguards in those three Controls still need to be covered elsewhere in your stack.
- Control 3: Data Protection | Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
- Control 11: Data Recovery | Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
- Control 17: Incident Response Management | Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Keep reading or download the guide below to see how each Axcient product meets the CIS Controls and Safeguard requirements outlined for BCDR.
Control 3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
3.4 Enforce Data Retention
Objective: Retain data according to the enterprise’s documented data management process. Data retention must include both minimum and maximum timelines.
x360Recover
- Features and Functionalities: Managed backup data retention policies and tiered retention.
- How It Satisfies the Control: Keeps backups for as long as organizational policy requires and no longer, provided the retention tiers are configured to match the documented minimum and maximum timelines rather than left at defaults.
x360Cloud
- Features and Functionalities: Long-term data retention for cloud backups.
- How It Satisfies the Control: Cloud-stored data is retained according to the enterprise’s documented retention policy, facilitating regulatory compliance.
x360Sync
- Features and Functionalities: Automated, user-configurable retention policies.
- How It Satisfies the Control: By setting specific retention periods for different organizations, x360Sync ensures compliance with enterprise data retention requirements, allowing for both minimum and maximum retention periods.
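Safeguard 3.4 is easy to state and easy to get wrong in practice: a tiered schedule (keep everything for two weeks, one per week for two months, one per month for a year) says nothing by itself about the minimum or maximum timelines the documented policy requires. The evaluator below, an added example that is not Axcient code and uses hypothetical policy values and constructed snapshot dates, applies a daily/weekly/monthly tiering scheme and then checks the result against a separate floor (nothing younger than the minimum may be disposed of) and ceiling (nothing older than the maximum may remain), reporting where the two disagree.

```python
"""Retention-policy evaluator for CIS Safeguard 3.4.

Classifies backup snapshots into keep/dispose using a tiered (daily/weekly/monthly)
scheme and enforces the documented minimum and maximum timelines on top of it.
Policy values and snapshot dates below are hypothetical, not Axcient product settings.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionPolicy:
    min_days: int        # 3.4 minimum timeline: nothing younger may be disposed of
    max_days: int        # 3.4 maximum timeline: nothing older may remain
    daily_days: int      # tier 1: keep every snapshot taken within this many days
    weekly_weeks: int    # tier 2: keep the newest snapshot of each ISO week this far back
    monthly_months: int  # tier 3: keep the newest snapshot of each month this far back


def _months_back(d: date, today: date) -> int:
    return (today.year - d.year) * 12 + (today.month - d.month)


def evaluate(snapshots, policy: RetentionPolicy, today: date):
    """Return (keep, dispose, violations).

    keep/dispose are sorted lists of snapshot dates; violations lists where the
    stored set or the tiering conflicts with the documented min/max timelines."""
    snaps = sorted(set(snapshots))
    keep, violations = set(), []
    daily_cutoff = today - timedelta(days=policy.daily_days)
    weekly_cutoff = today - timedelta(weeks=policy.weekly_weeks)
    newest_in_week, newest_in_month = {}, {}

    for s in snaps:
        age = (today - s).days
        if age < 0:
            # Clock skew or a bad timestamp: keep it and surface it rather than guess.
            violations.append(f"{s}: snapshot is dated in the future; kept for review")
            keep.add(s)
            continue
        if age > policy.max_days:
            # Past the maximum timeline: should already be gone, never a keep candidate.
            violations.append(f"{s}: exceeds maximum retention of {policy.max_days} days")
            continue
        if s >= daily_cutoff:
            keep.add(s)
        if s >= weekly_cutoff:
            iso = s.isocalendar()
            wk = (iso[0], iso[1])  # (ISO year, ISO week)
            newest_in_week[wk] = max(newest_in_week.get(wk, s), s)
        if _months_back(s, today) < policy.monthly_months:
            mo = (s.year, s.month)
            newest_in_month[mo] = max(newest_in_month.get(mo, s), s)
    keep.update(newest_in_week.values())
    keep.update(newest_in_month.values())

    dispose = []
    for s in snaps:
        if s in keep:
            continue
        age = (today - s).days
        if age < policy.min_days:
            # Tiering would drop it, but the documented minimum forbids disposal this early.
            violations.append(f"{s}: tiering would dispose of it before the {policy.min_days}-day minimum; kept")
            keep.add(s)
        else:
            dispose.append(s)
    return sorted(keep), dispose, violations


TODAY = date(2024, 10, 31)
# Hypothetical policy: 30-day floor, 7-year ceiling, 14 daily / 8 weekly / 12 monthly tiers.
POLICY = RetentionPolicy(min_days=30, max_days=365 * 7, daily_days=14,
                         weekly_weeks=8, monthly_months=12)
# Constructed snapshot set: the last 16 nightly backups plus a few older points.
SAMPLE_SNAPSHOTS = [TODAY - timedelta(days=i) for i in range(16)] + [
    date(2024, 8, 1), date(2024, 6, 15), date(2023, 12, 31),
    date(2023, 10, 15), date(2017, 1, 1)]


def run_example():
    return evaluate(SAMPLE_SNAPSHOTS, POLICY, TODAY)


if __name__ == "__main__":
    keep, dispose, violations = run_example()
    print("keep:", [str(d) for d in keep])
    print("dispose:", [str(d) for d in dispose])
    print("violations:", *violations, sep="\n  ")
```

On the constructed set, the 2017 snapshot is flagged because it exceeds the ceiling, and the 16th nightly snapshot falls outside every tier but is still kept because the 30-day floor forbids disposing of it; both are exactly the kind of discrepancy an auditor asks about when a policy document and a retention configuration are written by different people.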
3.5 Securely Dispose of Data
Objective: Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity.
x360Recover
- Features and Functionalities: Options for secure data destruction of backup data.
- How It Satisfies the Control: Ensures data no longer needed is securely disposed of, preventing unauthorized access post-deletion.
x360Cloud
- Features and Functionalities: Secure deletion tools for cloud-based data.
- How It Satisfies the Control: Allows for secure and permanent removal of cloud-stored data, adhering to security and compliance requirements.
x360Sync
- Features and Functionalities: Secure deletion features to remove data permanently.
- How It Satisfies the Control: Provides mechanisms to securely and automatically delete sensitive data, ensuring compliance with organizational data disposal policies.
3.10 Encrypt Sensitive Data in Transit
Objective: Encrypt sensitive data in transit to protect it from unauthorized access during transfer.
x360Recover
- Features and Functionalities: Encrypted data transfer protocols using TLS/SSL and SSH.
- How It Satisfies the Control: Protects backup data during transfer, ensuring its confidentiality and integrity.
x360Cloud
- Features and Functionalities: TLS/SSL transport encryption for cloud data transfers.
- How It Satisfies the Control: Protects sensitive data during upload and download processes, ensuring it remains secure during transit.
x360Sync
- Features and Functionalities: TLS/SSL encryption for data transfer.
- How It Satisfies the Control: Ensures that all data transferred between endpoints and the server is encrypted, protecting it from interception and unauthorized access during transit.
3.11 Encrypt Sensitive Data at Rest
Objective: Encrypt sensitive data at rest on servers, applications, and databases to protect it from unauthorized access.
x360Recover
- Features and Functionalities: Encrypted backups are stored using the industry-standard encryption method of AES-256.
- How It Satisfies the Control: Protects backup data at rest, keeping it confidential even if the storage media or physical site is compromised.
x360Cloud
- Features and Functionalities: Cloud storage encryption using 256-bit AES (see 11.3 below).
- How It Satisfies the Control: Secures sensitive data stored in the cloud, protecting it from unauthorized access and breaches.
x360Sync
- Features and Functionalities: AES-256 encryption for data stored on servers.
- How It Satisfies the Control: Ensures that all stored data is encrypted, providing robust protection against unauthorized access and breaches.
3.12 Segment Data Processing and Storage Based on Sensitivity
Objective: Segment data processing and storage based on the sensitivity of the data to prevent unauthorized access.
x360Recover
- Features and Functionalities: Logical segmentation of backup data.
- How It Satisfies the Control: Allows sensitive backup data to be stored separately from less sensitive data, reducing the risk of unauthorized access.
x360Cloud
- Features and Functionalities: Logical segmentation of backup data.
- How It Satisfies the Control: Ensures that sensitive data is stored and processed in isolated environments, protecting it from unauthorized access and breaches.
x360Sync
- Features and Functionalities: Role-based access control and data segmentation.
- How It Satisfies the Control: Allows for the separation of data based on sensitivity levels, ensuring that only authorized users can access sensitive information.
3.14 Log Sensitive Data Access
Objective: Log sensitive data access, including modification and disposal, to maintain an audit trail.
x360Recover
- Features and Functionalities: Logging and monitoring of backup access and modifications.
- How It Satisfies the Control: Ensures all interactions with backup data are recorded, providing an audit trail for security and compliance purposes.
x360Cloud
- Features and Functionalities: Cloud-based logging and monitoring of backup access and modifications.
- How It Satisfies the Control: Captures and stores logs of all access and changes to cloud-stored data, providing an audit trail for compliance and security.
x360Sync
- Features and Functionalities: Detailed logging of all access and modifications to data.
- How It Satisfies the Control: Provides comprehensive audit trails that capture all access, changes, and deletions of sensitive data, ensuring accountability and traceability.
Control 11: Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
11.1 Establish and Maintain a Data Recovery Process
Objective: Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur, that could impact this Safeguard.
x360Recover
- Features and Functionalities: Provides a comprehensive disaster recovery process, including complete system recovery, virtualization, and individual file restoration. The Recovery Center guides users through various recovery scenarios and offers detailed documentation on recovery procedures. The AirGap feature protects backup data from deletion so that a recoverable copy remains available.
- How It Satisfies the Control: Provides the tooling and procedural documentation behind a data recovery process covering complete system failures, individual file losses, and virtualized recovery scenarios. The MSP still owns the written process, its recovery prioritization, and the annual review that 11.1 requires.
x360Cloud
- Features and Functionalities: Offers detailed recovery options for Microsoft 365 and Google Workspace, including item-level recovery for emails, documents, and other data. Supports tracking and managing recovery operations through the user dashboard.
- How It Satisfies the Control: Establishes a documented recovery process tailored to cloud applications, ensuring detailed and manageable recovery steps for various data types.
x360Sync
- Features and Functionalities: Provides file synchronization and sharing with version history and the ability to revert to previous versions of files. Ensures that users can recover deleted or previous file versions.
- How It Satisfies the Control: Maintains a process for file-level data recovery through synchronization and version control, supporting quick recovery from data loss incidents.
11.2 Perform Automated Backups
Objective: Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.
x360Recover
- Features and Functionalities: Supports automated backups for servers and workstations with configurable schedules and offers image-based backups.
- How It Satisfies the Control: Ensures that automated backups are regularly performed without user intervention, meeting requirements for consistent data protection.
x360Cloud
- Features and Functionalities: Automates backups for cloud applications like Microsoft 365 and Google Workspace, capturing data at least once a day.
- How It Satisfies the Control: Provides regular, automated backups of cloud data, ensuring continuous protection and compliance with backup policies.
x360Sync
- Features and Functionalities: Continuously synchronizes files across devices, so the latest version of each file is captured as it changes.
- How It Satisfies the Control: Provides automated, continuous capture of files as changes occur. Because sync propagates deletions and bad edits just as faithfully, point-in-time recovery depends on the version history described under 11.1.
11.3 Protect Recovery Data
Objective: Protect recovery data with equivalent controls to the original data. Reference encryption or data separation based on requirements.
x360Recover
- Features and Functionalities: Employs TLS/SSL for data in transit and 256-bit AES for data at rest.
- How It Satisfies the Control: Protects recovery data with encryption standards equivalent to those used for the original data, meeting requirements for secure data protection.
x360Cloud
- Features and Functionalities: Employs TLS/SSL for data in transit and 256-bit AES for data at rest.
- How It Satisfies the Control: Ensures that recovery data is protected with strong encryption, maintaining the same security level as the original data.
x360Sync
- Features and Functionalities: Employs TLS/SSL for data in transit and 256-bit AES for data at rest.
- How It Satisfies the Control: Provides secure protection of synchronized and backed-up files through encryption, supporting secure data recovery.
11.4 Establish and Maintain an Isolated Instance of Recovery Data
Objective: Establish and maintain an isolated instance of recovery data. Example implementations include version-controlling backup destinations through offline, cloud, or offsite systems or services.
x360Recover
- Features and Functionalities: Keeps backup data in a storage instance separate from the protected production systems.
- How It Satisfies the Control: Keeps recovery data isolated from the systems it protects, so an incident on the production side does not contaminate the backup copy.
x360Cloud
- Features and Functionalities: Backup copies of Microsoft 365 and Google Workspace data are held outside the source tenant and can be restored to a different user account, keeping restored data separate from the original.
- How It Satisfies the Control: The backup copy is an isolated instance of the SaaS data rather than a reliance on the tenant’s own recycle bin, and restoring into a separate account keeps recovery operations from overwriting live data.
x360Sync
- Features and Functionalities: Version history and file recovery, allowing restoration from earlier versions of a file.
- How It Satisfies the Control: Earlier versions are retained separately from the current copy, supporting recovery after an unwanted change or deletion. Version history is a recovery aid rather than an offline or offsite copy, so treat it as supplementing, not replacing, the isolated instances held by x360Recover and x360Cloud.
11.5 Test Data Recovery
Objective: Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
x360Recover
- Features and Functionalities: A Recovery Center that allows data recovery testing through virtualization and file restoration. The AutoVerify feature automatically boot-tests backup images to confirm that the virtual machine starts.
- How It Satisfies the Control: Supports regular testing of data recovery capabilities, ensuring that recovery processes are effective and meet organizational requirements.
x360Cloud
- Features and Functionalities: Enables administrators to perform restore tests by recovering data to different user accounts and tracking the restoration process.
- How It Satisfies the Control: Supports the quarterly (or more frequent) restore tests 11.5 requires, with each test tracked through the dashboard so its outcome can be recorded.
x360Sync
- Features and Functionalities: Provides version history and restore options that can be used to test data recovery processes regularly.
- How It Satisfies the Control: Supports regular testing and validation of file-level restore capabilities; the test schedule itself is something the MSP must set and document.
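Safeguards 11.2 and 11.5 are both frequency requirements (a backup at least weekly, a restore test at least quarterly), and the product features above only count as evidence if someone checks that they actually ran. The script below is an added example, not Axcient code or output: it reads a constructed newline-delimited JSON event log (the field names, asset names and timestamps are made up for the example) and reports, per in-scope asset, whether the most recent successful backup and the most recent successful restore test fall inside the required windows. Failed runs are deliberately ignored as evidence, and an asset with no events at all is reported rather than silently skipped.

```python
"""Evidence check for CIS Safeguards 11.2 and 11.5 over a backup platform's event log.

11.2 wants an automated backup at least weekly; 11.5 wants a restore test at least
quarterly for a sample of in-scope assets. Only successful events count as evidence.
The log format, asset names and timestamps are constructed for this example.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one JSON event per line, as a reporting or SIEM export might provide.
SAMPLE_LOG = """\
{"ts": "2024-10-30T02:00:00Z", "asset": "fs01", "event": "backup", "result": "success"}
{"ts": "2024-10-31T02:00:00Z", "asset": "fs01", "event": "backup", "result": "success"}
{"ts": "2024-09-12T14:30:00Z", "asset": "fs01", "event": "restore_test", "result": "success"}
{"ts": "2024-10-20T02:00:00Z", "asset": "db01", "event": "backup", "result": "success"}
{"ts": "2024-10-27T02:00:00Z", "asset": "db01", "event": "backup", "result": "failed"}
{"ts": "2024-06-01T09:00:00Z", "asset": "db01", "event": "restore_test", "result": "success"}
{"ts": "2024-10-31T02:00:00Z", "asset": "web01", "event": "backup", "result": "success"}
{"ts": "2024-10-29T11:00:00Z", "asset": "web01", "event": "restore_test", "result": "failed"}
"""
# Hypothetical in-scope asset inventory; hr-laptop-07 has no events in the log at all.
IN_SCOPE = ["fs01", "db01", "web01", "hr-laptop-07"]
NOW = datetime(2024, 10, 31, 12, 0, tzinfo=timezone.utc)


def parse_events(log_text: str):
    """Parse newline-delimited JSON events; timestamps become timezone-aware datetimes."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def last_success(events, asset: str, event_type: str):
    """Newest successful event of the given type for the asset, or None if there is none."""
    times = [e["ts"] for e in events
             if e["asset"] == asset and e["event"] == event_type and e["result"] == "success"]
    return max(times) if times else None


def check(events, in_scope, now,
          backup_max_age=timedelta(days=7), restore_max_age=timedelta(days=90)):
    """Map each in-scope asset to a list of findings; an empty list means compliant."""
    rules = (("backup", backup_max_age, "11.2"), ("restore_test", restore_max_age, "11.5"))
    findings = {}
    for asset in in_scope:
        issues = []
        for event_type, max_age, safeguard in rules:
            last = last_success(events, asset, event_type)
            if last is None:
                issues.append(f"{safeguard}: no successful {event_type} on record")
            elif now - last > max_age:
                issues.append(f"{safeguard}: last successful {event_type} was "
                              f"{(now - last).days} days ago, limit is {max_age.days}")
        findings[asset] = issues
    return findings


def run_example():
    return check(parse_events(SAMPLE_LOG), IN_SCOPE, NOW)


if __name__ == "__main__":
    for asset, issues in run_example().items():
        print(asset, "OK" if not issues else "; ".join(issues))
```

Run against the sample, fs01 passes both checks, db01 fails both (its only recent backup failed, and its last restore test is five months old), web01 fails 11.5 because its only restore test did not succeed, and hr-laptop-07 fails both because nothing was ever logged for it. The same loop extends naturally to the 11.5 sampling requirement by iterating over a random subset of the inventory rather than all of it.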
Control 17: Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
17.7 Conduct Routine Incident Response Exercises
Objective: Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum.
x360Recover
- Features and Functionalities: Regular testing of recovery plans through appliance-free and virtualized recovery. Reports on backup statuses and health checks.
- How It Satisfies the Control: Enables simulation of disaster recovery scenarios as the technical component of an exercise; the communication channels, decision-making, and workflows 17.7 calls for are exercised by the response team around that restore.
x360Cloud
- Features and Functionalities: Efficient cloud data backup and recovery. Logs all backup and recovery activities.
- How It Satisfies the Control: Facilitates testing of data recovery during incident response exercises, and its activity logs give reviewers a timeline of what was restored, by whom, and when.
x360Sync
- Features and Functionalities: Real-time synchronization and sharing of files. Logs user activities and file changes.
- How It Satisfies the Control: Its activity and file-change logs give exercise participants realistic evidence to work from, supporting assessment of decision-making and identification of areas for improvement.
From Fright Night to Smooth Sailing: A Roadmap to Reasonable Cybersecurity
The CIS Reasonable Cybersecurity Guide is an excellent resource for MSPs and their clients, helping build a solid foundation for cybersecurity. Defining what “reasonable security” means for your MSP can help shape your network design, reference architecture, routine risk assessments, and disaster recovery planning and testing schedule. By embracing the guide’s principles and using its resources, you can effectively lower your risk profile and create a more secure digital environment for your clients.
