The Center for Internet Security (CIS) risk assessment method is closely tied to the CIS Critical Security Controls, which are structured in Implementation Groups (IGs). These groups provide a hierarchical approach to security, starting with basic, foundational controls in IG1, which are essential for all organizations, especially small to medium-sized ones. Organizations can then progress to more advanced controls in IG2 and IG3, as their resources and maturity grow.
CIS offers practical, prescriptive, technical controls and benchmarks for immediate implementation of cybersecurity best practices, while NIST (National Institute of Standards and Technology) provides broader, more flexible frameworks, standards, and guidelines covering a wider range of cybersecurity and related areas. Essentially, CIS gives the "how-to" with specific actions, while NIST offers the overarching "what" for developing comprehensive cybersecurity strategies. The two are often used together, because CIS controls can support the implementation of NIST frameworks.
A) The CIS framework values both technical and administrative controls but does not explicitly prioritize technical controls over administrative ones based on weighted values.
B) The CIS framework does not require dual-validation of quantitative and qualitative metrics for control implementation.
C) While threat intelligence is vital in cybersecurity, the CIS framework does not use an adaptive scoring mechanism for adjusting priorities dynamically. Instead, the Implementation Groups serve as a fixed guide.