by Heath Gieson This final article in the MFA mini‑series focuses on the accounts that hold the highest level of trust within an environment. The previous safeguards address where and how access occurs. This safeguard focuses on who holds the keys....
Trending at Forthright.
CIS IG1 Control 6.2 – Establish an Access Revoking Process
by Heath Gieson If access granting is where intent is established, access revoking is where discipline is revealed. Most organizations do not struggle with revoking access because they disagree with the idea. They struggle because no one clearly owns the moment...
Access Control Management: Access Should Be Granted Intentionally
Access Should Be Granted Intentionally By Tim Marley As we move into CIS Control 6, Access Control Management, we're going to spend the next several weeks discussing how organizations determine who gets access to what. We begin with Safeguard 6.1: Establish an Access...
CIS IG1 5.4: How Everyday Admin Access Turned a Phish Into a Crisis
by Heath Gieson CIS IG1 Safeguard 5.4 states that administrator privileges should be restricted to dedicated administrator accounts, and that general computing activities such as email, internet browsing, and productivity work should be performed from a user’s...
CIS IG1 5.3 Dormant Accounts Are a Process Failure
by Heath Gieson Years ago, I worked with a client to implement multi‑factor authentication across their organization. As part of the project, they gave us a list of users who required MFA and explained that this represented all the active users in the business....
CIS IG1 Control 4.6: Securely Managing Network Gear
When the Management Plane Becomes the Attack Plane by Heath Gieson A few years ago, I was sitting in a conference room with an executive team after...
Why “Default Closed” Is a Business Advantage: CIS IG1 Controls 4.4 and 4.5
by Heath Gieson Some attacks are sophisticated. Weeks of reconnaissance, carefully crafted messages, and quiet exploitation in the...
The Unlocked Screen in the Corner Office: What CIS Control 4.3 Requires and Why Biometrics Make It Easier Than You Think
by Heath Gieson Some attacks are sophisticated. Weeks of reconnaissance, carefully crafted phishing emails, vulnerabilities quietly exploited in the...
Secure by Design, Not by Accident: CIS Controls 4.1 & 4.2
by Heath Gieson Every device you deploy and every application you install arrives configured for ease of use, not security. When was the last time...
CIS IG1 Control 3.6: Encrypt Data on End User Devices—Because Lost Doesn’t Have to Mean Exposed
by Heath Gieson As we continue our weekly journey through the CIS IG1 controls, each safeguard builds on the operational foundations we’ve been...
Global Conflicts Escalate: 4 Critical Cybersecurity Changes For Businesses
When geopolitical tensions rise, widespread cyber activity follows. Recent attacks connected to events involving Israel, the Gulf States, and India...
When It’s Time to Let Data Go
by Tim Marley Over the last few weeks, we have been building the foundation of a responsible data management program. In CIS Control 3.1, we talked...
Just Because You Can Keep It Doesn’t Mean You Should
by Tim Marley Over the last few weeks, we have talked about knowing what data you have and who has access to it. CIS Control 3.1 – We discussed the...
Not Everyone Needs the Keys to Every Room
by Tim Marley We have spent the last two weeks in the CIS Controls series talking about data management and data inventory. Knowing what you are...









