Cybersecurity Essentials
Week Introduction
💡 Mental Model
"Industry standards as security roadmaps." Security standards and benchmarks
provide battle-tested guidance distilled from thousands of breaches, compliance audits, and expert consensus.
Rather than inventing security from scratch, professionals leverage these frameworks to build mature security programs.
You cannot defend everything equally—resources are finite. Standards help you prioritize high-impact controls
and measure security maturity objectively. This week introduces the frameworks used by governments, Fortune 500
companies, and security professionals worldwide.
Learning Outcomes (Week 14 Focus)
By the end of this week, you should be able to:
LO1 - CIS Controls Mastery: Navigate the CIS Controls v8 framework and understand
Implementation Groups (IG1, IG2, IG3) for organizational sizing
LO2 - NIST 800-53 Literacy: Understand NIST SP 800-53 security control families
and how they map to compliance requirements
LO3 - ISO 27001/27002 Awareness: Recognize international security standards
and certification requirements
LO4 - Automated Assessment: Use tools like CIS-CAT Lite to assess system compliance
against benchmarks
LO5 - Risk-Based Prioritization: Map organizational needs to appropriate standard
controls and implementation levels
Lesson 14.1 · Why Security Standards Matter
The challenge: Every organization faces similar threats (ransomware, phishing, data breaches),
yet security maturity varies wildly. Some build comprehensive programs, others apply random controls hoping
for protection. Standards bridge this gap.
What Security Standards Provide
Proven baseline controls: Instead of guessing what works, standards codify lessons
from thousands of incidents. These controls have demonstrated effectiveness across industries.
Prioritization frameworks: Not all controls are equal. Standards help you focus
limited resources on high-impact defenses first.
Measurement and maturity: Objective assessment of "how secure are we?" Standards
provide scoring and maturity models.
Common language: When auditors, regulators, or customers ask "are you secure?",
standards provide verifiable answers (ISO 27001 certified, CIS IG2 compliant, etc.).
Compliance shortcuts: Many regulations (PCI DSS, HIPAA, GDPR) accept standard
frameworks as evidence of due diligence.
Types of Security Standards
1. Prescriptive Controls (CIS Controls, NIST 800-53)
Tell you WHAT to implement (enable MFA, encrypt data, monitor logs)
Best for: Implementation teams, technical security
2. Management Frameworks (ISO 27001, NIST CSF)
Tell you HOW to organize security programs (governance, risk management, policies)
Best for: Leadership, compliance, maturity assessment
3. Industry-Specific (PCI DSS for payments, HIPAA for healthcare)
Tailored to sector-specific risks and regulations
Best for: Compliance in regulated industries
What are CIS Controls? Created by the Center for Internet Security (CIS), these are
18 prioritized cybersecurity actions proven to block known attack patterns. Unlike frameworks with hundreds
of controls, CIS focuses on high-impact defenses that stop the majority of attacks.
The 18 CIS Controls (Organized by Category)
Basic CIS Controls (Foundation)
1. Inventory and Control of Enterprise Assets: Know what devices exist on your network (you can't protect what you don't know about)
2. Inventory and Control of Software Assets: Track approved software, block unauthorized applications
3. Data Protection: Classify data, encrypt sensitive information, implement data loss prevention
4. Secure Configuration of Enterprise Assets and Software: Harden systems (disable unnecessary services, apply CIS Benchmarks)
5. Account Management: Control user privileges, implement least privilege, disable inactive accounts
6. Access Control Management: Enforce authentication (MFA), manage access to sensitive data
Foundational CIS Controls
7. Continuous Vulnerability Management: Scan for vulnerabilities, prioritize patching based on risk
8. Audit Log Management: Collect logs, monitor for anomalies, retain for forensics
9. Email and Web Browser Protections: Block phishing, filter malicious content, sandbox attachments
10. Malware Defenses: Deploy antivirus, enable automatic updates, use allowlisting
11. Data Recovery: Automated backups, test restoration, protect backup integrity
12. Network Infrastructure Management: Securely configure and maintain network devices (firewalls, switches, routers)
13. Network Monitoring and Defense: Detect and respond to threats on the network (IDS/IPS, traffic analysis)
14. Security Awareness and Skills Training: Train users to recognize phishing and handle data safely
15. Service Provider Management: Assess and monitor third parties that hold your data or run your services
16. Application Software Security: Secure development lifecycle for in-house and acquired software
17. Incident Response Management: IR plan, detection capabilities, forensics, lessons learned
18. Penetration Testing: Regular red team exercises, vulnerability assessments, attack simulation
Implementation Groups (IG1, IG2, IG3)
💡 Key insight
Not every organization needs all 18 controls at maximum maturity.
CIS defines three Implementation Groups based on organization size, risk profile, and resources:
IG1 (Essential Cyber Hygiene): Small organizations with limited IT and security expertise; the 56 foundational safeguards every enterprise should implement
IG2: Organizations with dedicated IT staff that handle more sensitive data; IG1 plus 74 additional safeguards (130 total)
IG3: Organizations with security experts that face targeted attacks or handle highly sensitive or regulated data; IG2 plus 23 additional safeguards (153 total)
What is NIST 800-53? A comprehensive catalog of security and privacy controls
for federal information systems (and widely adopted by commercial organizations). Unlike CIS Controls
(18 high-level actions), NIST 800-53 provides 1,000+ detailed controls organized into 20 families.
The 20 Control Families
Each family addresses a security domain:
AC - Access Control: Who can access what? (RBAC, least privilege, session management)
AU - Audit and Accountability: Logging, monitoring, forensic evidence
AT - Awareness and Training: Security education programs
CM - Configuration Management: Baseline configurations, change control
CP - Contingency Planning: Business continuity, disaster recovery, backups
IA - Identification and Authentication: User identity, MFA, credential management
IR - Incident Response: Detection, response, reporting, recovery
MA - Maintenance: System maintenance, tools, personnel
MP - Media Protection: Protecting physical media, sanitization
PE - Physical and Environmental Protection: Facility security, fire suppression
PL - Planning: Security planning, system security plans
PS - Personnel Security: Background checks, separation of duties
PT - PII Processing and Transparency: Privacy protections (new in Rev 5)
RA - Risk Assessment: Vulnerability scanning, threat analysis
CA - Assessment, Authorization, and Monitoring: Security testing, continuous monitoring
SC - System and Communications Protection: Network security, encryption, segmentation
SI - System and Information Integrity: Malware protection, input validation, error handling
SA - System and Services Acquisition: Secure development, supply chain risk
PM - Program Management: Governance, enterprise architecture
SR - Supply Chain Risk Management: Vendor assessment, component authenticity
Control Baselines (Low, Moderate, High)
Similar to CIS Implementation Groups, NIST defines three impact levels based
on confidentiality, integrity, and availability requirements:
Low Baseline: ~125 controls (minimal impact if breached)
Moderate Baseline: ~325 controls (serious impact, most commercial systems)
High Baseline: ~420+ controls (severe/catastrophic impact, national security)
Example Control - AC-2 (Account Management):
• Identifies authorized users
• Defines access privileges
• Enforces least privilege
• Monitors account usage
• Reviews accounts periodically
• Disables inactive accounts
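To make the AC-2 bullets concrete, here is an added example (not from the course page, and not NIST's text) of what a periodic account review looks like as a script: it identifies accounts with no authorization record, flags privileges beyond what the role defines (least privilege), treats enabled accounts with no recent login as inactive, and disables them. The role-to-privilege mapping, the 90-day inactivity limit and the account records are all constructed or assumed values for the example.

```python
"""Automated account review in the style of NIST SP 800-53 AC-2.

Added example; not from the course page and not NIST's text. The accounts,
roles, privilege names and the 90-day limit are constructed/assumed values.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy: an enabled account with no login inside this window is "inactive".
INACTIVITY_LIMIT_DAYS = 90

# Assumed role-to-privilege mapping (the "defines access privileges" part of AC-2).
ROLE_PRIVILEGES = {
    "developer": {"repo:read", "repo:write"},
    "support": {"tickets:read", "tickets:write"},
    "admin": {"repo:read", "repo:write", "tickets:read", "tickets:write", "iam:manage"},
}


@dataclass
class Account:
    username: str
    role: str
    privileges: set[str]
    enabled: bool
    last_login: Optional[date]   # None means the account has never been used
    authorized: bool             # still listed in the HR / authorization source of truth


def review_accounts(accounts: list[Account], today: date,
                    limit_days: int = INACTIVITY_LIMIT_DAYS) -> dict:
    """Periodic review: return findings grouped by the AC-2 objective they violate."""
    findings = {"unauthorized": [], "excess_privilege": [], "inactive": []}
    cutoff = today - timedelta(days=limit_days)
    for acct in accounts:
        # Identifies authorized users: an account not backed by the source of truth is a finding.
        if not acct.authorized:
            findings["unauthorized"].append(acct.username)
        # Enforces least privilege: privileges beyond the role's definition are a finding.
        extra = acct.privileges - ROLE_PRIVILEGES.get(acct.role, set())
        if extra:
            findings["excess_privilege"].append((acct.username, sorted(extra)))
        # Monitors account usage: enabled accounts with no login inside the window are inactive.
        if acct.enabled and (acct.last_login is None or acct.last_login < cutoff):
            findings["inactive"].append(acct.username)
    return findings


def disable_inactive(accounts: list[Account], findings: dict) -> list[str]:
    """Disables the inactive accounts flagged by the review; returns the usernames disabled."""
    disabled = []
    for acct in accounts:
        if acct.username in findings["inactive"] and acct.enabled:
            acct.enabled = False
            disabled.append(acct.username)
    return disabled


# Constructed sample directory export, reviewed as of REVIEW_DATE.
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", "developer", {"repo:read", "repo:write"}, True, date(2024, 6, 28), True),
    Account("bob", "support", {"tickets:read", "tickets:write", "iam:manage"}, True, date(2024, 6, 1), True),
    Account("carol", "developer", {"repo:read"}, True, date(2024, 1, 15), True),
    Account("dave", "admin", set(ROLE_PRIVILEGES["admin"]), True, date(2024, 6, 29), False),
    Account("erin", "developer", {"repo:read"}, True, None, True),
    Account("frank", "support", {"tickets:read"}, False, date(2023, 11, 2), True),
]

if __name__ == "__main__":
    findings = review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for objective, items in findings.items():
        print(f"{objective}: {items}")
    print("disabled:", disable_inactive(SAMPLE_ACCOUNTS, findings))
```

On the sample data the review reports dave as unauthorized (gone from the source of truth but still an enabled admin), bob as holding iam:manage beyond the support role, and carol and erin as inactive; the disable step then turns those two off, and a second review is clean for inactivity. In a real deployment the source of truth and the directory export would come from HR and IdP APIs, and the findings would feed a ticket for the account owner rather than being printed.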
Lesson 14.4 · ISO 27001/27002 - International Security Standard
What is ISO 27001? An international standard for Information Security Management
Systems (ISMS). Unlike technical controls (CIS, NIST 800-53), ISO 27001 focuses on establishing
a management system—policies, processes, risk management, continuous improvement.
The scaling problem: Manually checking hundreds of controls across dozens of systems
is impractical. Automated tools assess compliance, generate reports, and track remediation.
CIS-CAT (Configuration Assessment Tool)
What it does: Scans systems against CIS Benchmarks (secure configuration guides)
and scores compliance.
CIS-CAT Lite (free): Assess individual systems, manual execution
CIS-CAT Pro (paid): Centralized dashboard, automated scanning, multiple OSes
Lesson 14.6 · Mapping Standards to Organizational Needs
Real-world challenge: Your CISO asks, "Which standard should we adopt?"
The answer: It depends on industry, size, compliance requirements, and maturity.
Decision Framework
Organization Type | Recommended Standard | Why
--- | --- | ---
Small business, startup | CIS Controls IG1 | 56 essential safeguards, no certification cost
Enterprise (non-regulated) | CIS IG2 + ISO 27001 | Technical controls + certified ISMS for customers
US Federal / Government | NIST 800-53 | Mandated by FISMA, FedRAMP
Healthcare (US) | HIPAA + NIST 800-53 | Regulatory requirement + proven controls
Payment processing | PCI DSS | Mandatory for card data handling
International B2B SaaS | ISO 27001 + SOC 2 | Global recognition + US customer trust
Critical infrastructure | NIST 800-53 High + CIS IG3 | Maximum controls for severe impact
Pro tip: Most organizations use multiple standards:
• CIS Controls for technical implementation
• ISO 27001 for ISMS certification
• Industry-specific for compliance (PCI DSS, HIPAA, etc.)
🎯 Hands-On Labs (Free & Essential)
Apply security standards through practical assessment and implementation exercises.
🔬 Lab 1: CIS-CAT Lite - Assess System Against CIS Benchmarks
What you'll do: Download CIS-CAT Lite, run a compliance assessment against CIS
Benchmark for your OS (Windows/Linux/macOS), analyze the report, and identify top 5 misconfigurations.
Why it matters: Automated compliance tools are industry standard. Learning to
interpret compliance reports is essential for security engineers and auditors.
Prerequisites: Windows, Linux, or macOS system; CIS account (free)
Time estimate: 2-3 hours
Steps:
1. Create free account at CIS WorkBench (cisecurity.org)
2. Download CIS-CAT Lite (automated assessment tool)
3. Select appropriate benchmark for your OS
4. Run assessment (may take 10-30 minutes)
5. Review HTML report: overall score, failed rules, remediation guidance
6. Document top 5 failures and their security impact
Deliverable: Screenshot of report + summary of 5 critical misconfigurations with remediation plan
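The CIS-CAT section above and Lab 1 both rest on one idea: a benchmark is a list of rules with expected values, the tool checks each rule against the system, and the report is a score plus the failed rules. The following added example (not CIS-CAT's code, not a real CIS Benchmark, and not from the course page) does the same thing offline against constructed configuration text, so the scoring and the "top 5 failures" step can be seen end to end before running the real tool. The rule IDs (X.n.n), titles, thresholds and weights are constructed in the style of a CIS Linux benchmark and are this example's own assumptions; the two sample files stand in for /etc/ssh/sshd_config and /etc/login.defs.

```python
"""Benchmark-style configuration assessment, modelled on what CIS-CAT does.

Added example; not CIS-CAT's code, not a real CIS Benchmark, not from the
course page. Rule IDs, thresholds, weights and file contents are constructed.
"""

# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/login.defs.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding no
""",
    "/etc/login.defs": """\
# constructed sample login.defs
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 7
PASS_WARN_AGE 7
""",
}


def is_int_at_most(limit):
    return lambda v: v is not None and v.isdigit() and int(v) <= limit


def is_int_at_least(limit):
    return lambda v: v is not None and v.isdigit() and int(v) >= limit


def equals_ci(expected):
    return lambda v: v is not None and v.lower() == expected


# (rule id, title, file, setting, predicate on the observed value, weight).
# An absent setting reaches the predicate as None, so "unset" fails unless a rule accepts it.
RULES = [
    ("X.1.1", "Ensure SSH root login is disabled", "/etc/ssh/sshd_config", "PermitRootLogin", equals_ci("no"), 3),
    ("X.1.2", "Ensure SSH MaxAuthTries is 4 or less", "/etc/ssh/sshd_config", "MaxAuthTries", is_int_at_most(4), 2),
    ("X.1.3", "Ensure SSH X11 forwarding is disabled", "/etc/ssh/sshd_config", "X11Forwarding", equals_ci("no"), 1),
    ("X.2.1", "Ensure password expiration is 365 days or less", "/etc/login.defs", "PASS_MAX_DAYS", is_int_at_most(365), 2),
    ("X.2.2", "Ensure minimum days between password changes is 1 or more", "/etc/login.defs", "PASS_MIN_DAYS", is_int_at_least(1), 1),
]


def get_setting(text, key):
    """Value of the first non-comment 'key value' line, matched case-insensitively
    (first match wins, as in sshd_config), or None when the key is not set."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip()
    return None


def assess(files, rules):
    """Evaluate every rule; each result records the observed value and pass/fail."""
    results = []
    for rule_id, title, path, key, check, weight in rules:
        value = get_setting(files.get(path, ""), key)
        results.append({"id": rule_id, "title": title, "setting": key, "observed": value,
                        "passed": bool(check(value)), "weight": weight})
    return results


def score(results):
    """Weighted pass percentage, rounded to one decimal (the weighting is this example's assumption)."""
    earned = sum(r["weight"] for r in results if r["passed"])
    total = sum(r["weight"] for r in results)
    return round(100.0 * earned / total, 1)


def top_failures(results, n=5):
    """Failed rules ranked by weight, the list a Lab 1 write-up would start from."""
    failed = [r for r in results if not r["passed"]]
    return sorted(failed, key=lambda r: (-r["weight"], r["id"]))[:n]


if __name__ == "__main__":
    results = assess(SAMPLE_FILES, RULES)
    print(f"score: {score(results)}%")
    for r in top_failures(results):
        print(f"FAIL {r['id']} {r['title']} (observed {r['setting']}={r['observed']!r})")
```

Run against the sample files the script scores 22.2% and ranks root SSH login, the MaxAuthTries value and the 99999-day password lifetime as the failures to write up first. The real CIS-CAT report carries the same three pieces of information per rule (what was expected, what was observed, pass/fail) plus remediation text, which is what step 5 of the lab asks you to read.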
🔬 Lab 2: Map Organization to CIS Implementation Group
What you'll do: Choose a real or hypothetical organization (your university, a startup,
a hospital, etc.), assess its risk profile, and determine the appropriate CIS Implementation Group (IG1, IG2, or IG3).
Then select 10 priority controls from that IG and justify your choices.
Why it matters: Risk-based prioritization is core to security. Not every organization
needs maximum controls—matching controls to risk/resources is professional judgment.
Time estimate: 1.5-2 hours
Factors to consider:
• Organization size (employees, IT staff)
• Data sensitivity (PII, health records, financial data)
• Regulatory requirements (HIPAA, PCI DSS, GDPR)
• Threat landscape (targeted attacks, opportunistic malware)
• Resources (budget, security team expertise)
Deliverable: 1-page assessment with IG selection justification + 10 prioritized controls with rationale
🔬 Lab 3: NIST 800-53 Control Selection Exercise
What you'll do: Given a scenario (web application processing customer PII), select
appropriate NIST 800-53 controls from at least 5 different control families. Document WHY each control
is necessary and HOW it would be implemented.
Why it matters: Control selection is a core skill for GRC analysts, security architects,
and compliance teams. You'll use this in CSY303 (GRC) and CSY399 (Capstone).
Time estimate: 1.5-2 hours
Scenario: E-commerce platform with customer accounts, payment processing, order database
Required control families: Select controls from AC, AU, IA, SC, SI (minimum 2 controls per family)
Resources: Use NIST 800-53 Rev 5 Control Catalog (free PDF)
Deliverable: Table with control ID, family, description, implementation details, and rationale
💡 Lab Strategy: Start with CIS-CAT Lite for hands-on tool experience. Labs 2 and 3 build
critical thinking around control selection—these skills directly apply to real security programs.
Resources
📚 Building on Prior Knowledge
This week connects to concepts you've already learned:
CSY101 Week 1 (NIST CSF): Standards like CIS and NIST 800-53 provide the "Protect" function.
They tell you WHAT controls to implement after you've "Identified" risks.
CSY101 Week 13 (Threat Modeling): After STRIDE identifies threats, standards help you
select appropriate countermeasures. Example: Information Disclosure threat → Apply CIS Control 3 (Data Protection)
or NIST 800-53 SC family (System and Communications Protection).
Looking ahead:
CSY203 (Web Security): CIS Control 16 (Application Software Security) + NIST SI family
CSY302 (Cloud Security): CIS Benchmarks for AWS/Azure/GCP, cloud-specific controls
CSY303 (GRC): Deep dive into compliance frameworks, ISO 27001 certification, audit preparation
CSY399 (Capstone): Map findings to NIST 800-53 controls, recommend control implementation
💡 Reflection Prompt: If you were a CISO at a 50-person startup handling customer payment data,
which standard(s) would you adopt and why? Consider compliance requirements, resources, and customer expectations.
Weekly Reflection Prompt
Write 200-300 words answering this prompt:
You are advising two different organizations on security standards adoption:
Organization A: 20-person SaaS startup, handles customer business data (not regulated),
limited security budget, no dedicated security team
Organization B: 500-employee healthcare provider, handles patient health records (HIPAA-regulated),
has 5-person security team, moderate budget
For EACH organization, recommend:
Which standard(s) to adopt (CIS Controls, NIST 800-53, ISO 27001, or combination)
Which implementation level (CIS IG1/2/3, NIST Low/Moderate/High)
Top 3 priority controls to implement first
Justification for your choices (consider: compliance, resources, risk, customer expectations)
What good looks like: You demonstrate understanding that standards selection is context-dependent.
You balance ideal security with practical constraints (budget, staffing). You show awareness of compliance drivers
and customer requirements.