The Center for Internet Security (CIS) has officially launched version 8 of the CIS Controls. This release represents a comprehensive revision of the CIS Controls (v7) and contains updated and simplified guidelines to streamline and maximize security. Changes in many of the supporting documents and guidelines surrounding CIS Controls will follow the release.
Background of CIS Controls
The SANS Institute and the FBI started the CIS Controls as the Top 20 Critical Controls in 2001. Over the years it evolved to the popular SANS Top 20. In 2015, the effort of maintaining and improving the guidelines was transferred to the Center for Internet Security. The name changed to the CIS Critical Security Controls and was eventually shortened to “CIS Controls.” During this time, the controls identified 20 major areas to focus on in data security. Since complexity often obstructs security, the v8 revisions of CIS Controls reduced the top 20 to the top 18.
What is new in CIS Controls v8?
The folks at CIS chose to make major revisions to v8 that emphasize the basics and focus on what really makes a difference. To accomplish this, they redesigned the CIS controls from scratch so that the controls are better defined and the guidelines are simplified. The new v8 guidelines reordered the v7 CIS Controls based on activities to help organizations better apply the principles of the security controls. This way, the standard itself does not dictate the application of security controls, but rather provides a flexible framework that can be applied to many environments.
The CIS team also considered the new ways systems are being designed today to include service provider management and cloud solution guidance. They have partnered with SafeCode to help provide more meaningful guidelines for developing secure applications and software.
A benefit of the CIS Controls is that the 18 controls and their safeguards can be filtered by Implementation Groups (IG) that are correlated by priority. In other words, you should implement all the controls and safeguards in IG1 if you are interested in minimum basic cyber hygiene and then you can build on IG1 and get to IG2 and IG3 to develop a more comprehensive security posture. This system really helps you know where to start instead of working from the top of the list down.
Summary of CIS Controls v8
If you are familiar with previous versions of CIS Controls, you will easily recognize the detailed safeguards (used to be called sub-controls), but they may have been reordered and grouped by different cyber security activities. So, there will not be “surprises” of radically new or different requirements in the CSI Controls v8. To see the details of the changes made between v7.1 and v8, visit the CIS Controls site.
Below is a summary of the 18 controls. Implementing all the controls would require meeting a total of 153 safeguards. If you meet all 153 safeguards, you will complete the highest level IG3 requirements.
CIS Control 1 - Inventory and Control of Enterprise Assets
Actively manage all enterprise hard assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately account for, monitor, and protect assets within the enterprise.
CIS Control 2 - Inventory and Control of Software Assets
Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
CIS Control 3 - Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
CIS Control 4 - Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise hard assets and software.
CIS Control 5 - Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts and service accounts, to enterprise assets and software.
CIS Control 6 - Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
CIS Control 7 - Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
CIS Control 8 - Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
CIS Control 9 - Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
CIS Control 10 - Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
CIS Control 11 - Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
CIS Control 12 - Network Infrastructure Management
Establish, implement, and actively manage (e.g., track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
CIS Control 13 - Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
CIS Control 14 - Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
CIS Control 15 - Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
CIS Control 16 - Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
CIS Control 17 - Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, communications) to prepare, detect, and quickly respond to an attack.
CIS Control 18 - Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (e.g., people, processes, technology), and simulating the objectives and actions of an attacker.
Who uses the CIS Controls?
The CIS Controls have been adopted by thousands of global enterprises–large and small–and are supported by numerous security solution vendors, integrators, and consultants.
Some users of the CIS Controls include: the Federal Reserve Bank of Richmond, Corden Pharma, Boeing, Citizens Property Insurance, Butler Health System, University of Massachusetts, the states of Idaho, Colorado, and Arizona; the cities of Portland, and San Diego, and many others. As of May 1, 2017, the CIS Controls have been downloaded more than 70,000 times.
Are the CIS Controls free to use?
Yes, the CIS Controls are free to use by anyone to improve their own cybersecurity, but working with a Security Assessment team will help ensure proper implementation.
There is no general mandate or a central organization that requires compliance to the CIS Controls, but there are many individual companies, states, and local governments that have adopted CIS Control compliance at various levels and track that compliance regularly. The CIS controls are a great way to adopt the industry best practices for data security and a great way to begin to prepare for other compliance efforts that may be on the horizon for your organization, such as PCI DSS, HITRUST, and FedRAMP.
SecurityMetrics consultants have been conducting CIS assessments for many years as well as other security frameworks. We have the experience to help guide you through this process. Let us know how we can help!