What are CIS Controls?
They are a set of recommended actions for cyber defense that provide 'specific' and 'actionable' ways to stop today's most pervasive and dangerous attacks.
They were previously known as 'Critical Security Controls,' but have since been renamed simply to CIS Controls. Formerly, SANS had its own set of Top 20 Controls and the Center for Internet Security (CIS) had its own set of 20 CIS Controls. That has now changed, and there is no longer a clash between the two sets of recommended controls. The reason is simple: CIS has published a new set of controls, CIS Controls Version 8, and SANS was a key member of the editorial team responsible for developing version 8. Hence, no clash.
On May 18, 2021, CIS launched version 8 of these controls at the global RSA Conference 2021.
In the previous version there were 20 controls; now there are 18 CIS Controls, as some of the old controls have been merged or consolidated and a few new controls have been added.
-
What was the need for CIS Controls v8?
The first thing you need to know is that the CIS Controls are not static; they are dynamic. There is an informal community of people from industry, government, and academia who review the CIS Controls. Their agenda is simply to issue updates based on their observations about how the networking environments of organisations are changing and how the threat landscape is evolving. That's why the new CIS Controls are a good response to the constant change happening in and around IT.
You have witnessed, in the last 2-3 years, a great movement to cloud-based services, virtualization, mobility, outsourcing, and work-from-home, and a sea change in the TTPs deployed by threat actors. The new CIS Controls (v8) are enhanced controls that can help you greatly.
They are meant to serve as a STARTING-POINT for your organisation, as they use prioritization to help you figure out WHERE your digital defenses should begin. They can help you focus your resources on ACTIONS that provide protection for high-risk items and assets.
This updated version of the security measures now includes requirements pertaining to cloud and mobile technologies. For example, an entirely new control was created to help you manage your cloud service providers.
Since networks are now basically borderless, meaning there is no longer an enclosed, centralized network where all the endpoints reside, the Controls are now organized by ACTIVITY, not by how things are MANAGED.
-
Three Implementation Groups
They have also reduced the number of 'Safeguards' (sub-controls), but these are still grouped into three Implementation Groups (IGs).
The idea is the same: the first destination for organisations is to reach IG1, then IG2, then IG3. This is where PRIORITIZATION comes into effect.
To illustrate, the first implementation group (IG1) consists of basic hygiene that all organizations can use to lay the groundwork for defending themselves against digital threats. IG2 builds upon the practices of IG1, while IG3 encapsulates all the Controls and Safeguards.
1. Minimum implementation (IG 1)
This is the level of basic information security hygiene for any business. The initial list includes 56 practices to protect against mass (non-targeted) attacks. These measures will be sufficient for small companies with limited expertise in the field of cybersecurity.
2. Extended implementation (IG 2)
In addition to the 56 practices on the minimum list, there are 74 additional practices on the expanded list, for businesses with a more complex organizational structure and several security profiles.
For example, some of your departments may work with confidential customer data and need additional protection, including from targeted attacks. As a rule, such companies already have dedicated information security specialists, and you are no exception.
3. Maximum implementation (IG 3)
Here, 23 more actions are added to the 130 practices of the expanded list. The complete list should protect against sophisticated targeted attacks and reduce the risk of zero-day vulnerabilities being exploited. This option is for large and socially significant companies that need to protect the data of a large number of users and customers. As a rule, such companies have a mature information security function with different specialists: pentesters, risk managers, etc.
In total, there are now 153 Safeguards.
Each Safeguard asks you for “one thing,” wherever possible, in a way that is clear and requires minimal interpretation. Each Safeguard is focused on 'measurable actions,' and defines the measurement as part of the process. The language is simplified to avoid duplication.
-
Version 8 combines and consolidates the CIS Controls by ACTIVITY rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important. You need to remember this, because it is a big conceptual change.
Another strength of the new CIS Controls is that they seek to align and cooperate with existing independent standards and security recommendations that you may have already implemented.
My last point is this:
You should recognize that it is not about the list. You can get a credible list of security recommendations from many sources; think of the list as a STARTING-POINT. It is important for you to focus on the ECOSYSTEM that grows up around this list. Take it as a catalyst and clearinghouse to help you learn openly from each other.
-
Kindly comment on the posts or topics, because when you do, you help me greatly in designing new quality articles and posts on cybersecurity.
You can also share with all of us whether the information shared here has helped you in some manner.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.
30,000+ professionals follow her on Facebook and are impressed by the quality of the content of her posts.
If you haven't yet come across her enthusiastic work of sharing quality information about cybersecurity, you can follow her on Facebook: Cybersecurity PRISM.