The Top 7 CIS Controls

Here are the top seven controls adopted by the FFIEC for InTREx Exams:

1. INVENTORY & CONTROL OF ENTERPRISE ASSETS

Your bank needs to keep track of your assets and where they are located. This is important because it helps you to know what needs to be protected and how best to protect it. It's important to regularly review your assets or use tools that generate alerts on any asset changes.

Be especially aware of the "internet of things" (IoT). This is the growing trend of interconnected devices, such as security cameras, thermostats, IP phones, HVAC systems, and even coffee makers. These devices are often unsecured and can provide a way for attackers to gain access to your network. It is very easy to plug a device into your network that can act as an entry point.

2. INVENTORY & CONTROL OF SOFTWARE ASSETS

This control helps your bank ensure that your assets are properly configured and secure. This includes ensuring that only authorized users have access to sensitive data and that all data is properly backed up.

In many cases, software vulnerabilities are the root cause of attacks. Attackers will exploit these vulnerabilities to gain access to your network. You can help mitigate these risks by keeping your software up to date, regularly reviewing and removing unauthorized software, and preventing the installation of unauthorized software (e.g., limiting local permissions, blocking internet download capabilities, etc.).

3. DATA PROTECTION

This control helps you protect your data from unauthorized access and loss. It includes ensuring that sensitive data is encrypted at rest and in transit. It also includes understanding where data is stored and how it travels.

Data breaches are becoming more common and more costly. One way to help mitigate the risk of a data breach is by using Data Leak Protection. This makes it hard to copy and move sensitive data and will make it much more difficult for attackers to access your data if they are able to breach your network.

4. SECURE CONFIGURATION OF ENTERPRISE ASSETS & SOFTWARE

It is crucial to implement a solid program for software and operating system patching, establish written policies for

CONTINUED ON PAGE 28

NICBONLINE.COM 27