How to Develop and Maintain

an Ironclad Security Framework

Maximizing the CIS Controls with Pax8

pax8.com | ©2022 Pax8 Inc. All rights reserved.

Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
What are the CIS Critical Security Controls & Why Are They Important to MSPs . . . . . . . . . . . . . . .2

CIS Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-20

1. Inventory and Control of Enterprise Assets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Inventory and Control of Software Assets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
3. Data Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Secure Configuration of Enterprise Assets and Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
5. Account Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
6. Access Control Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
7. Continuous Vulnerability Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
8. Audit Log Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
9. Email and Web Browser Protections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
10. Malware Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
11. Data Recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
12. Network Infrastructure Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
13. Network Monitoring and Defense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
14. Security Awareness and Skills Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
15. Service Provider Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
16. Application Software Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
17. Incident Response Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
18. Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Pax8 and CIS Controls

Introduction

The threat of cyberattack should not be taken lightly. That’s why there will be increased pressure on
Every year, more and more businesses experience businesses to implement an effective security
cyberattacks, with estimates suggesting cybercrime framework, as regulation and compliance becomes
will cost the world $10.5 trillion in damages by 2025. a major focus of the IT world.

Pax8 is working hard to make the digital world a safer place.

The security software tools offered in the Pax8 Marketplace are an investment in the future of your cybersecurity
effort. With over 23,000 managed service providers (MSPs) operating in more than 25 countries, Pax8 is the
fastest growing IT supply chain worldwide. We’re helping MSPs prepare for the future by mitigating risks,
maturing their business, and bringing more value to their customers.

[email protected] | +1 (855) 884-7298 | pax8.com

1
Pax8 and CIS Controls

What are CIS Critical Security Controls

and Why Are They Important?

The Center for Internet Security (CIS) Critical Security Controls

(referred to as CIS Controls) are a recommended set of actions
for cyber defense, providing specific and actionable ways to
thwart cyberattacks.

There are 18 high-priority actions – and 153 specific safeguards – that

18 153
High-priority actions Specific safeguards
present a strong starting point for any organization looking to
enhance their security framework.

A security framework is a combination of tools, policies, people and documentation – defining policies and
procedures for establishing and maintaining a set of security controls. Implementing CIS Controls endorsed by
PCI, HIPAA, NIST, and cyber insurance agencies, can keep your organization compliant and insulated from cyber
threats. This will also set you up for future success as compliance measures continue to expand. Between supply
chain attacks, compliance and regulatory concerns, and subrogation from insurers, it is vital that you create a
defensibility posture for your business.

The most popular of all security and compliance frameworks, having been implemented by 18% of top MSPs,
the CIS Controls framework is built to protect any business.

This document presents a high-level overview of all 18 controls, tips on how to implement them within your
business, and what Pax8 software solutions will help you with implementation. It’s a useful reference guide in
your journey toward a strong security framework. And as always, you can reach out to your channel account
manager or sales rep for more details.

Security Framework is a Combination of

Tools Policies People Documentation

[email protected] | +1 (855) 884-7298 | pax8.com

2
CIS Control 1

Inventory and Control

of Enterprise Assets

Control Overview
Control 1 keeps track of your assets so you can
manage them properly. Inventory should be reviewed
and updated on a regular basis, with counts compared
against one another to establish a “true” count.
It’s important to identify all organizational assets
connected to your infrastructure physically, virtually,
and remotely. That way, you’ll understand the scope
of what needs to be monitored and protected. Without
keeping a proper record, you’re vulnerable to insider
threats, loss risk, and external attackers scanning for
unprotected assets.

How To Implement It
Implementing this CIS Control requires both technical of using both active and passive asset discovery tools to
and procedural actions to create a process that search for and address unauthorized assets.
accounts for and manages the inventory of all
Unauthorized assets should be removed from the
company assets and critical data. Maintaining an
network, denied from connecting remotely, or
accurate view of organizational assets can be a
quarantined. The active tool should be executed daily
challenging process because rarely there is a single
(or more frequently), and the passive tool should be used
definable answer – to have a high-confidence asset
to update the asset inventory at least weekly.
count, assets should be scanned and assessed using
a variety of safeguards, with counts compared You can also use Dynamic Host Configuration Protocol
against one another to establish a “true” count. (DHCP) logging or IP address management tools as
additional resources to update the asset inventory.
Implementing this CIS Control requires both technical
and procedural actions. You should implement a process

The Pax8 Marketplace offers solutions

to help you manage your critical assets, including

[email protected] | +1 (855) 884-7298 | pax8.com

3
CIS Control 2

Inventory and Control

of Software Assets

Control Overview
Control 2 involves the active management (inventory,
track, and correct) of all software assets on the network,
so only authorized software can be executed. It’s critical
to understand what’s running on your systems, with
unauthorized and unmanaged software identified and
prevented installation on the network.
As attackers continually scan organizations for
software vulnerabilities, one of the key defenses is
ensuring that all software assets are up to date and
patched. By establishing an inventory of software
assets, you can determine if vulnerable or outdated
software is connected to your network.

How To Implement It
Begin by establishing and maintaining a detailed
inventory of all licensed software installed on your
systems. The inventory should document the title,
publisher, initial install/use date, and the business
purpose of that software, logging additional
categories such as URL and version as needed.
Now ensure that only currently supported software,
designated as authorized, is installed on organizational
assets. Implement a process for documenting software
exceptions if the software is unsupported yet necessary
for the fulfillment of the organization’s mission. This
exception process should include detailing mitigating
controls and residual risk acceptance. If unauthorized
software is identified, and does not have a documented
exception, that software should be removed from
organizational assets.
And automate the discovery and documentation
of installed software with technical controls such as
application allow listing. Technical controls can also be
used to ensure that only authorized software libraries
are allowed to load into a system process and to ensure
that only authorized scripts are allowed to execute.

The Pax8 Marketplace offers solutions to help you

monitor and manage your software assets, including

[email protected] | +1 (855) 884-7298 | pax8.com

4
CIS Control 3
The Power of
Data Protection
Control Overview
Control 3 will help you develop processes and technical
controls to identify, classify, securely handle, retain,
and dispose of data. When an attacker infiltrates an
organization’s infrastructure, one of the first things they
How To Implement It
Implement a process that includes a data management
framework, data classification guidelines, and
requirements for handling, retention, and disposal of
data. There should also be an incident response plan
developed in the event of a data breach, including a
compliance and communication plan.
Data should be organized according to sensitivity
level – key types of data need to be cataloged
according to the overall criticality to the organization
using labels such as “Sensitive,” “Confidential,” and
“Public” to classify the data.
Once the sensitivity of company data has been outlined,
a data inventory (or mapping) should be implemented
that identifies the software accessing sensitive data
along with the hardware being used.
The Pax8 Marketplace offers solutions to help you implement data
protection, encryption, and management for your organization, including
[email protected] | +1 (855) 884-7298 | pax8.com
will do is find and download company data. If the
company does not monitor data outflows, they are at
risk of losing and exposing their sensitive data.
Encryption is the most obvious solution to implement
data protection. Data should be encrypted on end-user
devices, removable media, services, applications, and
databases containing sensitive data.
Data retention should be enforced accordingly and
must include minimum and maximum retention timelines,
and when those timelines expire data must be securely
disposed. Additionally, a data loss prevention tool can
be implemented to identify all sensitive data stored,
processed, or transmitted through company assets.
The Pax8 Security Solution Consultant team can
also evaluate your existing tech stack to make
recommendations on what you can implement to better
protect company data, as well as best practices to
enhance your data protection process.
5
CIS Control 4

Secure Configuration of
Enterprise Assets and Software

Control Overview
Control 4 establishes and maintains a secure
configuration of assets and software to prevent
exploitation from attackers. When a company orders
new computers for their business, this is when the
hardware is at its most vulnerable due to the lack of
any security configuration on the devices. The preset
configuration can be exploitable in its default state as it
uses basic controls, default accounts/passwords, and
comes installed with unwanted software.

How To Implement It
You can utilize many different existing security baseline
resources that are publicly developed and vetted, such
as the CIS Benchmarks Program and the NIST National
Checklist Program Repository.
software on all assets, configuring trusted DNS services,
managing default accounts, and configuring devices t
o automatically lock after a defined period of inactivity
or after several failed authentication requests.

These baselines should be reviewed and adjusted
as needed to satisfy internal security policies and
industry/government regulatory requirements. Any
changes made to the baselines should be documented
to facilitate future reviews. A good security process
includes implementing and managing a firewall for
services and end-user devices, uninstalling unnecessary
Once a security configuration is established, it is
important that the configuration is managed and
maintained. The process should be reviewed and
updated as needed annually. Additionally, implementing
capabilities such as the ability to enforce remote
wipes on portable end-user devices is important for
maintenance in the event of lost or stolen devices.

The Pax8 Marketplace offers solutions to ensure all hardware and

software is configured and maintained properly and securely, including

[email protected] | +1 (855) 884-7298 | pax8.com

6
CIS Control 5

Account Management

Control Overview
Control 5 establishes a process to assign and manage
authorization to credentials for user accounts. This
is critical to preventing unwanted attackers from
accessing your system. Controlling administrative
access and enforcing strong passwords can mitigate
potential phishing attacks and prevent unauthorized
access to your network.
Administrative accounts are a primary target, allowing
attackers to add other accounts to the network, or alter
the organization’s security framework to make it more
vulnerable. Controlling and monitoring administrative
accounts, ensuring that they have strong credentials,
is important in preventing unwanted attackers from
accessing and modifying your systems.

How To Implement It
From an action perspective, first start by establishing
and maintaining an inventory of all accounts managed
by the organization, including user and administrator
accounts. Enforce unique passwords on all assets and
encourage users to use a longer “passphrase” for added
security, as well as enabling multi-factor authentication.
Disable dormant accounts after a defined period of
inactivity. Restrict administrator privileges to dedicated
administrator accounts and centralize account
management through a directory or identify service.
While this control is easy to implement from a software
perspective, there may be some pushback from
employees/end users as they believe that they will need
administrative access to install software or perform
other parts of their job. Work with admin user staff
to determine what tasks truly require administrative
access and establish a process or redelegate tasks to
minimize the number of active administrator accounts
in the system.

The Pax8 Marketplace offers solutions to

ensure your accounts and credentials are secure, including

[email protected] | +1 (855) 884-7298 | pax8.com

7
CIS Control 6

Access Control Management

Control Overview
Control 6 focuses on managing the access privileges what access and developing a process to enforce and
of each specific account depending on the user’s role monitor these accesses is a good step to take to make
within the organization. your system more secure.
Accounts should only have the minimal authorization
needed for the role. Determining what roles need

How To Implement It
As a baseline, a process should be established to be able
to grant and revoke user privileges as needed. Role-based
access is used to manage access requirements for each
account based on need to know, least privilege, privacy
requirements, and separation of duties.
Next, require all third-party applications to enforce MFA
through a directory service or SSO provider. MFA should
be enabled for all users accessing the system from any
organization asset. This approach is more secure than
a one-time code via SMS. However, administrator
users should utilize privileged access management
(PAM) tools for enhanced security.
High-privileged accounts should not be used for
day-to-day use such as web surfing. Administrators
should have separate accounts for daily office users,
only logging into administrator accounts when
performing tasks that require that level of authorization.
A system should also be put into place to monitor what
administrator users are doing, making sure that they
are logging into an administrator account only to
complete required tasks.

The Pax8 Marketplace has solutions to help you

monitor accounts and grant or revoke access, including

[email protected] | +1 (855) 884-7298 | pax8.com

8
CIS Control 7

Continuous Vulnerability Management

Control Overview
Control 7 helps you continuously assess and track increase as the number of software assets increase
vulnerabilities so you can minimize opportunities for to account for the different patch cycles of each
attackers. Scanning should occur frequently and new asset.

How To Implement It
There are many vulnerability scanning tools at your
disposal to evaluate your security framework and
monitor for new vulnerabilities. Scanning should occur
frequently and increase as the number of software
assets increase to account for the different patch cycles
of each new asset.
Advanced vulnerability scanning tools can be
implemented for administrator users to scan
organization assets more comprehensively, known as
“authenticated scans.” Many businesses will link their
vulnerability scanning tools with ticketing systems
that can track the status of any issues, helping to
ensure that critical vulnerabilities are tracked and
resolved, not overlooked.
In addition to identifying, tracking, and resolving
vulnerabilities, organizations should use NIST’s
Common Vulnerability Scoring System to determine
the potential impact of an exploit and prioritize their
response accordingly. The release of a new exploit,
or new information related to a known vulnerability,
should alter the priority in which the exploits are
considered for patching.

The Pax8 Marketplace offers solutions to

scan for vulnerabilities within your systems, including

[email protected] | +1 (855) 884-7298 | pax8.com

9
CIS Control 8

Audit Log Management

Control Overview
Control 8 helps you keep track of anything happening system-level events such as process start/end times and
within your systems so you can better understand crashes, while audit logs record user-level events such
an attack and recover from it. System logs record as when a user logs in and accesses a file.

How To Implement It
If an organization has a poor log analysis process, it is
possible for an attacker to infiltrate the system and control
assets for months or years without anyone noticing.
An audit log would show that an unknown user is
utilizing assets and accessing software/data that
should not be accessed. That log could then be
used to further analyze the attack, showing when
the attack occurred and what information was
accessed, which is helpful to identify the weaknesses
in your security framework and conduct follow-up
investigations into the attack.
Audit logging should be configured for any assets
containing sensitive data. Most assets and
software have native logging capabilities, making
implementation of this control much easier. All logging
features should be activated, and the logs should be
sent to centralized logging servers.
To ensure that all assets are logging data as desired,
compare the log records to the asset inventory established
in Control 1. Firewalls, proxies, and remote access
systems should all be configured for detailed logging.
To best use logs as a defense strategy, your team
should define what constitutes a critical alert, and
regularly review logs to watch for these alerts (ideally
on a weekly basis.) Audit logs should be retained
for a minimum of 90 days, but critical logs should be
retained indefinitely to aid in future investigations.

The Pax8 Marketplace offers solutions to

capture, centralize, and retain audit logs, including

[email protected] | +1 (855) 884-7298 | pax8.com

10
CIS Control 9

Email and Web Browser Protections

Control Overview
Control 9 helps you implement tools for a secure web to entice users into disclosing credentials, providing
browser and email. It is very easy for an attacker to craft sensitive information, or exposing a vulnerability that
an innocent looking email or web page that is designed allows hackers to gain access to the system.

How To Implement It
To prevent web browser attacks, browsers should be
configured to not allow plug-ins from untrusted sources,
and a firewall should be enabled to block untrusted or
fraudulent sites asking for sensitive data. Most browsers
today automatically utilize a database of phishing and
malware sites and filter them out – these filters should
be enabled, as well as pop-up blockers.
For email attacks, there are some basic safeguards
that can be utilized to reduce the risk of attack, like
using spam-filtering and malware screening tools to
stop malicious emails and attachments from reaching
their targets. Installing an encryption tool to secure
email and communications adds another layer of
security. It can also be beneficial to only allow users to
access certain file types that they need for their role
to minimize the risk of a malicious attachment.
Along with the implementation of software tools, it’s
also important to train employees to spot suspicious
red flags in an email or web browser. A process
should also be implemented for employees to report
suspicious emails to IT security.

To The Pax8 Marketplace offers solutions to

install web-browser and email-based security tools, including

[email protected] | +1 (855) 884-7298 | pax8.com

11
CIS Control 10

Malware Defenses

Control Overview
Control 10 helps you address attacks by malicious
software (one of the most common threats to an
organization’s systems.) With modern malware being
developed with the assistance of machine learning
and artificial intelligence, it is more critical than ever
to implement a secure process of detecting and
eliminating malware before it poses a risk.
Malware can be introduced in many ways – with new
and creative methods being invented regularly. So IT
security and all company employees should not click
on anything suspicious or use any untrusted hardware/
software assets on company devices.

How To Implement It
Malware protection includes the typical endpoint
malware prevention tools, and these should be
managed centrally to provide consistency across
the system. These tools function by scanning for,
identifying, and blocking malware before it has the
chance to damage the system. Automatic updates
should be enabled to ensure that the software is
always up-to-date and providing the best protection.
In the last decade there has been an increase in
“living-off-the-land” attacks where malicious code
is embedded within trusted software to minimize the
risk of being detected by anti-malware tools. Keeping
careful logs will make it easier to track where the
malware came from, why it happened, and what
was compromised.

You should also collect logs to ensure all threat records

are recorded and retained for audit purposes and
future investigations.

The Pax8 Marketplace offers solutions to

implement anti-malware software, including

[email protected] | +1 (855) 884-7298 | pax8.com

12
CIS Control 11

Data Recovery

Control Overview
Control 11 ensures that a system is in place to secure and making changes to key configurations, adding accounts,
recover data. It is important to have recent backups or or adding software or scripts. Ransomware attackers
mirrors of data to restore assets back to a trusted state will even try to encrypt an organization’s data and
in the event of an attack. demand money for its restoration.
Attackers can take advantage of an organization’s
neglect to backup data by infiltrating the systems and

How To Implement It
Expand on data security safeguards including backup
procedures based on data value and sensitivity. Full
backups should be conducted once a week, and
incremental backups with highly valuable/sensitive
data should be conducted more frequently.
Once per quarter, or whenever a new backup process
or technology is introduced, a testing team should
evaluate a random sampling of backup data and
attempt to restore them in a testing environment. The
backups should be evaluated to ensure that all data
from the backup is intact and functional. Backups
should be properly protected via security or encryption,
ensuring key systems have at least one backup that
is not continuously addressable through operating
system calls.

Pax8 Marketplace offers solutions to implement

data backup and recovery tools, including

[email protected] | +1 (855) 884-7298 | pax8.com

13
CIS Control 12

Network Infrastructure Management

Control Overview
Control 12 helps you create a secure network infrastructure
by managing devices such as physical and virtual
gateways, firewalls, wireless access points, routers, and
switches. Default configurations for network devices
are often geared for ease-of-use, not security. Attackers
search for vulnerable default settings or gaps in a
firewall ruleset to infiltrate the system.

How To Implement It
Network security is an ever-evolving issue that requires
regular re-evaluation of configurations and access
controls. Potential default vulnerabilities include open
services and ports, default accounts and passwords,
out-of-date versions, and pre-installation of unnecessary
software. Establish a process to ensure that all assets
have been securely configured before deploying.
Network configurations tend to become less secure
over time when firewall exceptions are granted to
fulfill a business need but then are never removed
from the exception list. When enhancing network
infrastructure management, a process for evaluating
firewall exception risk should be defined.
The exception list should also be regularly evaluated
to determine if the exception is still necessary (with as
few exceptions granted as possible).
Organizations should ensure that network infrastructure
is fully documented, and architecture diagrams are
established, maintained, and reviewed regularly.
Remote devices should be monitored and fitted with an
organization-managed VPN and authentication service
which must be utilized before accessing company
resources. All assets should always be kept up to date
with the latest secure and stable version.

The Pax8 Marketplace offers solutions to help with

network infrastructure management, including

Firewall

[email protected] | +1 (855) 884-7298 | pax8.com

14
CIS Control 13

Network Monitoring and Defense

Control Overview
Control 13 continually monitors your network for threats
so your security team can be alerted and respond in a
timely manner. Every moment counts when malware
is discovered, credentials are stolen, or sensitive data
is compromised, so having a plan in place is critical.
Organizations should use software tools in conjunction
with establishing security team process used to
prevent, detect, and quickly respond to cyber threats.

How To Implement It
Start by developing a process to understand critical
business functions, network and server architectures,
data and data flows, vendor service and business
partner connections, and end-user devices and accounts.
At the core of this process should be a trained and
organized team that can use this understanding to develop
processes for incident detection, analysis, and mitigation.
Next, the team should utilize technology to collect and
analyze logs on network and data access, as well as
generally monitor networks and assets for unrecognized
activity. Tech solutions to analyze logs, such as security
information and event management software, should be
complemented by weekly log reviews by your security
team. As this process develops, the organization
should create and maintain a knowledge base to
better document and understand the business risks.
As the security team becomes more comfortable with
the organization’s threat intelligence capabilities,
they will be able to understand which alerts are false
positives and which are relevant threats. And they
can use this knowledge to become proactive instead
of reactive, stopping attackers before they have a
chance to infiltrate.

The Pax8 Marketplace offers solutions to implement

network monitoring tools, including

[email protected] | +1 (855) 884-7298 | pax8.com

15
CIS Control 14

Security Awareness and Skills Training

Control Overview
Control 14 ensures every employee has the training to Human vulnerability is one of the biggest risks for any
identify and report suspicious behavior. No security security framework.
solution alone can effectively address cyber risk.

How To Implement It
A security training program should be implemented to
help employees understand the risks, how to avoid them,
and how to report potential and actualized threats to the
security team. This training should be updated regularly
to comply with the latest security standards.
There should also be more frequent, topical messages
about security. When an incident does occur internally,
or there is a media story about a severe security
incident at another company, timely messages should
be sent out to remind staff about best practices like
strong passwords and tips to avoid phishing.
Additionally, your security team can implement social
engineering training, such as phishing tests, as a more
frequent reminder of the security threat any organization
faces. These are used so that the employee can become
familiar with what suspicious emails may look like and
how to report them. It should also identify which users
passed or failed the test so that training can be assigned
as needed to those who pose more of a security risk.
A combination of an annual training program,
social engineering training, and timely newsletters/
reminders of security best practices should be
implemented to create a strong framework for
security awareness and skills training.

The Pax8 Marketplace has solutions available to help you

implement security training, including

[email protected] | +1 (855) 884-7298 | pax8.com

16
CIS Control 15

Service Provider Management

Control Overview
Control 15 ensures vendors, partners, and third parties where many companies’ sensitive data is threatened
are properly vetted so they handle your sensitive unless a hefty payment is made. The most difficult part is
information properly. there’s nothing your team can do in this situation – they
just have to wait and see what happens. That’s why it’s
Why? There are many cases where third party servicers
important to only work with trusted vendors who care
were breached, sensitive data was exposed, and there
just as much about security as you do.
was a significant impact to all companies relying on that
servicer. A ransomware attack is a good example of this,

How To Implement It
Establish and define a policy for reviewing third party of information to make an informed risk decision. Look
service providers and taking inventory of vendors to see if the company has a managed security service
under review, while associating a risk rating to vendors contract and holds cyber security insurance.
based on potential impact to the business if there
Even if a vendor is deemed trustworthy, review
were an incident. Make sure that contracts with a
them every quarter to ensure that their risk level
vendor include language holding them accountable if
has not increased. When contracts are completed
an incident occurs.
or terminated, ensure the account is properly
There are many online platforms that can be utilized to deactivated (with data flow terminated, and any
determine which third-party vendors are trustworthy data held by the third party disposed securely.)
and right for your business. These platforms have an
inventory of thousands of businesses, providing a lot

Pax8 is proud to work with reputable companies who are serious

about data security. You can find them in the Pax8 Marketplace.

[email protected] | +1 (855) 884-7298 | pax8.com

17
CIS Control 16

Application Software Security

Control Overview
Control 16 helps you monitor software to prevent,
detect, and remediate security weaknesses before
they can make an impact. This includes in-house
developed or third-party software deployed in any
type of organization.
Unfortunately, many applications are developed with
short development cycles, and assembled using a
complex mix of development frameworks, existing code,
and new code. This makes security control a lot more
challenging as it’s difficult to test every aspect of the
application for vulnerabilities before releasing it.
Software-as-a-service (SaaS) platforms are no
different. Application vulnerabilities can be present
for many reasons, such as insecure design and/or
infrastructure, coding mistakes, weak authentication,
and a failure to test for unexpected conditions. These
are the types of vulnerabilities that attackers exploit.

How To Implement It
Application security is an important topic, and there
are different ways to implement it depending on the
scale of your organization.
• Smaller organizations that do not require
custom-built applications rely heavily on
off-the-shelf software packages. This helps
the organization apply basic operational and
procedural best practices to manage their
vendor-supplied software.
• Medium-sized businesses may rely on some
in-house code applications in conjunction with
third-party components, applying software
development best practices to their original
code and basic operational best practices to
vendor-supplied software.
• Large organizations make a major investment
in custom software to run the business, hosting
software on their own infrastructure. This work
should be completed by expert software developers,
applying security and software best practices to
the code, while incorporating trusted third-party
open-source software components as needed.

The Pax8 Marketplace has solutions for

application software security, including

[email protected] | +1 (855) 884-7298 | pax8.com

18
CIS Control 17

Incident Response Management

Control Overview
Control 17 helps you put a documented plan in
place before an incident occurs. Knowing the right
investigative procedures, legal protocols, and
communications strategy will help you manage the
incident and recover.
If there are no plans in place for how to respond and
recover from an incident, the system is severely at risk.
Without fully understanding what happened and
what can be done to prevent it from happening again,
nothing will be gained to prevent future incidents.

How To Implement It
All organizations should implement a plan that
includes the sources for protection and detections,
whom to call when an incident arises, and
communication plans for conveying information to
leadership, employees, regulators, and customers.
It’s ideal to establish an incident response team and
assign key roles and responsibilities to each member
so they’re prepared to act when an incident arises.
Action plans should be put into effect for each team
member, including staff from legal, IT, public relations,
human resources, and incident responders.
The incident response team should practice their
procedures with scenario-based training, working
through different types of attack scenarios. Technical
team members need to be prepared to handle high-stress
incidents, and practicing will make the team better
prepared to respond quickly and effectively.

The Pax8 Marketplace has solutions to help implement an

incident response plan, including

[email protected] | +1 (855) 884-7298 | pax8.com

19
CIS Control 18

Penetration Testing

Control Overview
Control 18 helps you periodically perform tests to identify and may include social engineering of users to test
security gaps. Penetration testing seeks to exploit known human vulnerabilities.
weaknesses to see how far an attacker could get, and
Penetration tests are expensive and complex. But they
the level of negative impact that could be created.
can provide valuable insights into vulnerabilities and
The test may be from an external or internal network, the efficacy of defenses.
originating from an application or a specific device,

How To Implement It
Any tests which expose known vulnerabilities are
a potential risk factor for the organization. Despite
these concerns, it’s nothing compared to the impact
an actual breach may have. First, utilize scanning
tools to identify vulnerabilities within the system. Once
identified, create exploits to demonstrate specifically
how an attacker would use it to compromise the
organization’s security systems.
Experienced and trustworthy vendors must conduct
the penetration tests. The organization should define
a clear scope and rules of engagement before
beginning. The scope should include organization
assets with the highest valued information and lower-
value systems that could be leveraged to compromise
high-value systems. The rules of engagement should
describe the times for testing, duration of test(s), and
the overall test approach.
After testing is complete, analyze the results of the
test both from a personal and defensive standpoint.
Identify any human weaknesses in the process and
work on a plan to resolve them. Review the impact of
the vulnerability in order to understand what could
happen in the event of a real attack.

The Pax8 Marketplace offers a solution from Pillr,

a reputable vendor specializing in the service.

[email protected] | +1 (855) 884-7298 | pax8.com

20
Pax8 and CIS Controls

Conclusion

While any partners already have a good number Implementing these controls will help show
of controls implemented, CIS can help you mature customers your unique value as a trusted MSP.
your business by adding valuable documentation
and reporting to the mix. And if anything has been
overlooked, CIS will help identify and secure any
vulnerabilities in your security framework.

To learn more about CIS Controls, reach out to your

channel account manager or sales rep.
You can also enroll in the CIS Preparation Session, take the CIS
Readiness Assessment, and have your tech stack evaluated by the SSC team.

CIS Controls powered by Pax8 can help ensure your organization is

ready to defend against and respond to any cyberthreat.

pax8.com | ©2022 Pax8 Inc. All rights reserved.