Pub. 12 2023 Issue 1

What Banks Need to Know About CIS Controls

This story appears in he
The Kansas Banker Pub 12 2023 Issue 1

In the past few years, a record number of ransomware attacks have hit the banking industry. Banks, both large and small, continue to be prime targets for cybercriminals due to the large amounts of sensitive customer data they hold.

To protect this data, as well as maintain compliance with strict regulations, banks must have a strong cybersecurity strategy. There must be stronger controls, better knowledge of banking networks, better reaction time to threats, and a better ability to recover from incidents. A great way to achieve these goals is by implementing the CIS Critical Security Controls (CSC).

What Is CIS?

The Center for Internet Security (CIS) is a nonprofit organization that provides guidance and best practices for improving financial services cybersecurity. CIS is a parent of MS-ISAC, which serves as the information sharing and analysis center for state, local, tribal, and territorial governments. They offer a framework of critical security controls that are effective in protecting against the most common attacks.

Why Should Banks Use CIS Controls?

These controls are put in place to manage identified risks. They can be physical barriers like locks and walls, electronic barriers like firewalls, or software like antivirus, as well as policies, procedures, and training. Abiding by these controls helps examiners know that you’ve identified your risk for IT incidents and placed appropriate controls in place to manage them.

For a better financial services cybersecurity strategy, you need to know how your network works and be aware of any changes that might invalidate the controls you have put in place.

The Top 7 CIS Controls

Here are the top seven controls adopted by the FFIEC for
InTREx Exams:

  1. Inventory & Control of Enterprise Assets
    Your bank needs to keep track of what assets you have and where they are located. This is important because it helps you to know what needs to be protected and how best to protect it. It’s important to regularly review or use tools to generate alerts to any asset changes.
    Be especially aware of the “internet of things” (IoT). Security cameras, thermostats, IP phones, HVAC systems, etc., are often unsecured and can provide a way for attackers to gain access to your network.

  2. Inventory & Control of Software Assets
    This control helps your bank ensure that your assets are properly configured and secure. In many cases, software vulnerabilities are the root cause of attacks because attackers will exploit them to gain access to your network. You can help mitigate these risks by keeping your software up to date, regularly reviewing and removing unauthorized software, and preventing the installation of unauthorized software.

  3. Data Leak Protection
    This control helps you protect your data from unauthorized access and loss. This includes ensuring that sensitive data is encrypted, both at rest and in transit. It is also learning where data is stored and how it travels.

  4. Secure Configuration of Enterprise Assets & Software
    It is crucial to implement a solid program for software and operating system patching, to establish written policies for “hardening” new servers, workstations, and network devices, and to regularly review policies to ensure they are enabled on all devices.

  5. Account Management
    For added cybersecurity, ensure that only authorized users have access to your data and systems. This is not just for Windows login — it includes logins to core systems, email, and any hosted or internet-based accounts that potentially house confidential data.
    It’s also good to establish separate admin accounts for admin tasks. This way, if an attacker does gain access to an admin account, they will not have direct access to data.

  6. Access Control Management
    This control helps your bank manage and monitor user access to data and systems. This includes ensuring only authorized users have access to sensitive data, all access is logged, and privileged users are properly supervised.

  7. Continuous Vulnerability Management
    This control helps you identify and remediate vulnerabilities in your systems and software. This includes patching software and operating systems, using security scanning tools, and conducting regular penetration tests.

How to Incorporate CIS Controls

To help your bank incorporate these controls, look for an IT company that specializes in IT security and compliance for banks and who is also able to manage and automate many of the tasks associated with each of the CIS controls. More information about the Center for Internet Security can be found at

Mike Gilmore ( is the Chief Compliance Officer and a Certified Information Systems Auditor (CISA) with more than 30 years experience in the banking industry. In his role as COO, Mike provides compliance and risk assessments, audit, and exam support and policy documentation.