Welcome to the CIS 18 Control Framework
Episode 82 — Safeguard 18.2 – Internal and red team exercises
Safeguard 18.2 extends penetration testing to include internal assessments and red team exercises that emulate an attacker with initial access. Internal testing evaluates how far a threat could move…
Episode 81 — Safeguard 18.1 – External testing programs
Safeguard 18.1 requires organizations to establish and maintain a formal penetration testing program that includes recurring external assessments. External tests simulate real-world attackers…
Episode 80 — Overview – Why penetration testing validates defenses
Control 18—Penetration Testing—closes the CIS framework by validating how well all other controls perform under real-world conditions. While vulnerability scanning identifies potential weaknesses,…
Episode 79 — Remaining safeguards summary (Control 17)
The remaining safeguards in Control 17 reinforce the full lifecycle of incident response—spanning preparation, communication, testing, and continuous improvement. These include assigning key response…
Episode 78 — Safeguard 17.2 – Tabletop exercises
Safeguard 17.2 emphasizes the importance of testing the incident response plan through structured tabletop exercises. These simulations bring together key personnel—from technical teams to…
Episode 77 — Safeguard 17.1 – IR plan and playbooks
Safeguard 17.1 requires organizations to establish and maintain a comprehensive incident response process that defines scope, roles, responsibilities, and communication procedures. This process must…
Episode 76 — Overview – Incident response principles
Control 17—Incident Response Management—defines how an organization prepares for, detects, responds to, and learns from security incidents. Even the most robust defenses can be breached, and when…
Episode 75 — Remaining safeguards summary (Control 16)
The remaining safeguards under this control expand beyond coding and testing to address the full ecosystem in which applications live. They include maintaining an inventory of third-party components…
Episode 74 — Safeguard 16.2 – Static and dynamic testing
This safeguard advances assurance by requiring a structured process to accept and address reported vulnerabilities and by embedding testing that sees both code and behavior. Static analysis inspects…
Episode 73 — Safeguard 16.1 – Secure coding practices
This safeguard directs organizations to formalize a secure application development process and set explicit standards for how code is designed, written, reviewed, and released. Secure coding…
Episode 72 — Overview – Secure software lifecycle
A secure software lifecycle integrates security activities into every stage of building and operating applications—planning, design, development, testing, deployment, and maintenance—so that…
Episode 71 — Remaining safeguards summary (Control 15)
The remaining safeguards in Control 15 round out a complete third-party risk program by adding structured assessment, continuous monitoring, and secure decommissioning. After building the inventory…
Episode 70 — Safeguard 15.2 – Security requirements in contracts
Safeguard 15.2 ensures that contracts with service providers explicitly define security expectations and obligations, creating enforceable accountability. Every vendor relationship introduces risk,…
Episode 69 — Safeguard 15.1 – Inventory of service providers
Safeguard 15.1 requires organizations to establish and maintain a complete inventory of all service providers that store, process, or access enterprise data. This inventory must include vendor…
Episode 68 — Overview – Third-party and vendor risks
Control 15—Service Provider Management—addresses the growing reliance on third-party vendors and the risks that accompany it. In today’s interconnected ecosystems, external partners often handle…
Episode 67 — Remaining safeguards summary (Control 14)
The remaining safeguards under Control 14 extend awareness beyond general staff by emphasizing continuous reinforcement, contextual learning, and cultural integration. They include training employees…
Episode 66 — Safeguard 14.3 – Role-based training for admins and developers
Safeguard 14.3 focuses on providing targeted, role-based training to employees whose responsibilities involve elevated privileges or specialized technical duties—such as system administrators,…
Episode 65 — Safeguard 14.2 – Phishing simulations
Safeguard 14.2 emphasizes the use of phishing simulations to test, measure, and improve employee awareness of social engineering attacks. Phishing remains the most prevalent method for initial…
Episode 64 — Safeguard 14.1 – Security awareness program
Safeguard 14.1 requires organizations to establish and maintain a formal security awareness program that educates the workforce on secure behaviors and threat recognition. The program should define…
Frequently Asked Questions
Framework: The Center for Internet Security (CIS) Top 18 Controls has published 83 episodes since October 2025, covering topics in Courses, Education.
Framework: The Center for Internet Security (CIS) Top 18 Controls is currently dormant with new episodes hourly. Average episode length is 10m.