Published: August 7, 2020
The Center for Internet Security (CIS) is known for developing an array of cybersecurity controls and leading practices that can help organizations of all sizes protect their IT systems and data. In June, CIS recognized our cybersecurity auditors for their work applying the CIS Controls system to help Washington’s state and local governments.
A June post on the CIS website featured interviews with members of SAO’s IT audit team. CIS was particularly interested in our innovative use of the CIS Controls as an audit tool. Our auditors had long sought a set of IT security best practices that they could use as both audit criteria and the foundations of audit recommendations. In the CIS Controls, they found both.
The CIS Controls are close to unique in the cybersecurity realm. As the article notes, the Controls:
“are prioritized and prescriptive, and provide a clear path for organizations to achieve the goals and objectives described by legal, regulatory, and policy frameworks. They also emphasize automation. The CIS Controls are continuously updated, ensuring audits coming out of the State Auditor’s Office are relevant.”
When SAO begins a cybersecurity audit with a state agency or local government, our auditors explain the purpose of each Control and its associated action-item subcontrols, and describe how they will use them as audit criteria. Auditees are quick to see the connection between the control and increased IT security, and understand how the Controls easily align with state or other IT security frameworks.
During the audit, the team asks specific questions about the Controls the auditee has put in place. Auditors pay particular attention to four areas that underpin implementing a control. This includes asking whether the local government has:
- Established necessary policies
- Written down its procedures
- Automated the control using technology
- Ensured issues are tracked and reported to management
Many governments are relieved to see recommendations that are within their capabilities – and budgets. The article quotes Erin Laska, manager of the IT Security Audit team, as she stressed this point.
“Our state and local governments don’t have an unlimited budget. This helps us say, here are the top Controls and here is where to start.”
To date, SAO has conducted 28 cybersecurity audits of state agencies and local governments, has 11 in process, and has many more on a waiting list. Additionally, SAO created the #BeCyberSmart resource initiative to help local governments of all sizes incorporate cybersecurity best practices into their work.
To learn more about the CIS Controls, visit the Center’s website.