This Rules/Policy document is provided to you and your organization as a starting point or maturity checkpoint for existing rules/policies. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides an easy, defendable, highly accountable starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. If you know of peers that you think would find value in these resources, please have them contact us. These will be updated on our website regularly. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful. If you have recommended updates, we are all ears. And if you need Converged Security Consulting and Training, please reach out; we would be honored to serve you and your organization.
Jim McConnell | info@askmcconnell.com | askmcconnell.com
Minimum Cyber Security Policy (CIS 18 Critical Controls)
Updated: 3 April 2025
Protecting human lives is the highest requirement of our entire organization, whether those lives belong to employees, customers, volunteers, visitors, or members of our supply chain while under some nexus to our organization. Many of the things we do online will impact people’s lives physically, financially, and emotionally.
Key Definition — “Manage or support”: Operating the program directly, or supporting others in the organization who operate it — including funding it yearly for people, process, technology, and third-party support.
Baseline: Based on CISecurity.org’s CIS Critical Security Controls v8.1 (18 controls).
General Rule: My management and support of these rules will use the Center for Internet Security (CIS) controls as a baseline, unless a stronger or different set of standards is required elsewhere in my organization.
- I will report security concerns, vulnerabilities, and threats to my supervisor or the organization’s Ethics Hotline as soon as discovered. If they are not available and I feel unsafe, I will contact law enforcement.
- I will manage or support — through manual and automated discovery tools and logs — a proactive inventory of all risk-impacting hardware assets under my management, including classification, criticality, and security management ownership. (CIS Control 1)
- I will manage or support — through manual and automated discovery tools and logs — a proactive inventory of all risk-impacting software assets under my management, including classification, criticality, ownership, and comparison against the organization’s Allow List. (CIS Control 2)
- I will manage or support — through manual and automated methods — a proactive inventory of all risk-impacting data assets under my management, with classification, zero-trust access controls, encryption, access logging, backup and retention processes, and Legal-compliant disposal. (CIS Control 3)
- I will manage or support — through manual and automated methods — the setup and maintenance of secure configurations for all software (operating systems, applications, cloud, databases, middleware, scripts, network devices, etc.) under my management. (CIS Control 4)
- I will manage or support — through manual and automated methods — the setup and maintenance of access accounts for all hardware, software, and data assets under my management, including provisioning, least-privilege access, monitoring, and removal as organizational needs change. (CIS Control 5)
- I will manage or support — through manual and automated methods — the setup and maintenance of access controls (single-factor and multi-factor) for all hardware, software, and data assets under my management, including provisioning, minimizing access, monitoring, and removing access as roles change. (CIS Control 6)
- I will manage or support — through manual and automated methods — the discovery, detection, and remediation of all vulnerabilities across hardware, software, and data assets under my management. (CIS Control 7)
- I will manage or support the enablement, monitoring, and appropriate retention of audit logs across all hardware, software, and data assets under my management — ensuring all logs have time and content integrity controls. (CIS Control 8)
- I will manage or support the enablement, monitoring, and management of internet access controls — including inbound and outbound email and web browsing, filtering, logging, allowlisting, and access control — for all internet access under my management. (CIS Control 9)
- I will manage or support the installation, configuration, monitoring, and updating of anti-virus, anti-malware, and anti-breach software for all devices under my management that support such software. (CIS Control 10)
- I will manage or support backups of critical hardware, software, data, and information — regardless of form or location — and regularly verify these backups are geographically distributed and test-restored on a quarterly basis. (CIS Control 11)
- I will manage or support the implementation, secure configuration, monitoring, maintenance, and upgrade of network devices that impact the security of areas under my management. (CIS Control 12)
- I will manage or support a 24×7 logging and network monitoring capability with a primary focus on internally and externally originating security events. (CIS Control 13)
- I will manage or support a security awareness and training pathway for all personnel under my management — including a baseline for all personnel and specialized training for each unique role. (CIS Control 14)
- I will manage or support the use of any third-party service provider under my management that impacts organizational asset risk — including due diligence, background checks, RFP/RFI/RFQ, contracts, operational requirements, metrics, security verification, formal audits, testing, training, and incident response. (CIS Control 15)
- I will manage or support security controls for requirements, coding, pre-production, protection, and enhancement of internal and third-party application and software development — including secure coding, security testing, configuration management, license management, and open-source software (OSS) controls. (CIS Control 16)
- I will manage or support the development, training, testing, and implementation of security incident response capabilities for all environments under my control, or support those capabilities for external environments, governed by the NIMS Incident Command System (ICS). (CIS Control 17)
- I will manage or support regular security penetration testing across all OSI layers (including Layer 8 — People) for all environments under my control, using both internal and independent third-party resources. (CIS Control 18)
Signature Note: I am a huge fan of wet signatures on these types of documents for accountability and investigation reasons. You can add the signature lines below to each rule/policy document, or have a collective wet signature with references in the Security Commitment Agreement document available on the One-Pager library page. Organizational preference.
________________________
Print Full Legal Name
________________________
(Blue Ink) Full Legal Signature
Style of signature must closely match Driver’s License
________________________
Date
