Information and Cyber Security Management

CIS 18 Control Assessment

Service

Organizations (private and public sector) that manage or process electronic information and personal data should implement appropriate organizational measures and technical means, both to protect that information and data and to comply with the General Data Protection Regulation (GDPR) and the laws of the Republic of Lithuania regulating the security of electronic information, cyber security and personal data protection.

The CIS Critical Security Controls Version 8 methodology prepared by the SANS Institute makes it possible to properly assess the state of an organization's information security, cyber security and personal data protection management, as well as the sufficiency of its technical and organizational measures and their compliance with global best practices.

The SANS methodology helps to evaluate eighteen areas of cyber security management (hereinafter "CIS control measures") and to determine the maturity level and the sufficiency of the measures used to manage information security, cyber security and personal data protection risks and to properly ensure compliance with the established requirements. The following CIS control measures are evaluated: Inventory and Control of Enterprise Assets; Inventory and Control of Software Assets; Data Protection; Secure Configuration of Enterprise Assets and Software; Account Management; Access Control Management; Continuous Vulnerability Management; Audit Log Management; Email and Web Browser Protections; Malware Defenses; Data Recovery; Network Infrastructure Management; Network Monitoring and Defense; Security Awareness and Skills Training; Service Provider Management; Application Software Security; Incident Response Management; Penetration Testing.

Timely evaluation of organizational and technical security measures makes it possible to determine their level and possible security gaps, and to select directions for improving their effectiveness and the resources needed.

Progress

  • We organize interviews with persons responsible for processes (process owners)
  • We assess the level and maturity of information and cyber security and personal data protection management processes
  • We evaluate the control measures
  • We prepare and provide recommendations for making processes more efficient
  • We prepare and provide recommendations on the effectiveness of organizational and technical measures (the control measures)
  • We prepare and submit an evaluation report as needed

The result

  • Information and cyber security and personal data protection management processes and their maturity are evaluated. During the maturity assessment, one of five levels is assigned: Initial, Repeatable, Defined, Managed, Optimizing
  • Organizational and technical control measures are evaluated
  • A report is prepared as required
  • Recommendations are given on the efficiency of processes and measures

Benefit

  • The level and maturity of the organization’s information and cyber security and personal data protection management processes are assessed
  • Organizational and technical control measures and their sufficiency are evaluated
  • Compliance with the requirements of the GDPR and the legal acts of the Republic of Lithuania regulating electronic information and cyber security and personal data protection is ensured

Contact person

Ernestas Lipnickas
Mobile: +370 (605) 44 444
Email: ernestas.lipnickas@adwisery.eu