
Recently, the Center for Internet Security (CIS) released its next revision of the Top 20 Security Controls.

Initially developed by the SANS Institute, these controls have been used by organizations both large and small. By adopting these sets of controls, organizations can prevent the majority of attacks.

A study of the previous release found that adopting just the first five controls prevents about 85 percent of attacks, and that adopting all 20 prevents upwards of 97 percent. Figures like these depend on which attacks the study sampled, so they are best read as a ranking of priority rather than a guarantee.

With this release, one of the main goals was to give every control the same workflow. Even controls whose content changed little saw their requirements reordered to fit it. Each control is now presented as an abstract sequence of assess, baseline, remediate, and automate: discover what is actually deployed, define the approved state, correct deviations from it, and then make that cycle run continuously rather than as a one-off audit.

Additionally, the language has been cleaned up considerably from previous revisions. The wording is now very concise and sits at a higher level of abstraction than earlier releases. This is welcome in that it lets the controls apply to a wider range of platforms and attacks.

However, it leaves the question of how to actually implement each control to the organization and the tools at its disposal. This may be challenging for organizations going at it alone, so enterprises should work with their security vendors, who can provide guidance on the "in the weeds" details of the various controls.
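To make the assess, baseline, remediate, automate workflow concrete, here is an added example (not code from the original post, from CIS, or from any vendor) that walks one control through the four steps: Control 9, limitation of network ports. The host names, the baseline allow-list, and the listening-socket lines are all constructed for the example; the remediation commands are generated as strings and are not executed, so the script runs offline.

```python
"""Hypothetical assess -> baseline -> remediate -> automate cycle for one control.

Illustrates the per-control workflow using Control 9 (limitation and control of
network ports). All hosts, ports and socket lines below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# ASSESS input: constructed lines in the shape of `ss -ltn` output (header removed),
# keyed by host name as an inventory collector might return them.
SAMPLE_SS_OUTPUT = {
    "web01": (
        "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n"
        "LISTEN 0 511 0.0.0.0:443 0.0.0.0:*\n"
        "LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*\n"   # database exposed on a web host
    ),
    "db01": (
        "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n"
        "LISTEN 0 128 10.0.0.5:3306 0.0.0.0:*\n"
        "LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*\n"   # redis nobody approved
    ),
}

# BASELINE: the approved listening ports per host (constructed allow-list).
BASELINE: dict[str, set[int]] = {
    "web01": {22, 443},
    "db01": {22, 3306},
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    kind: str  # "unexpected" (listening but not approved) or "missing" (approved but not listening)


def parse_listening_ports(ss_output: str) -> set[int]:
    """ASSESS: extract TCP ports in LISTEN state from ss-style lines."""
    ports: set[int] = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local_addr = fields[3]                      # e.g. 0.0.0.0:443 or [::]:443
        ports.add(int(local_addr.rsplit(":", 1)[1]))
    return ports


def assess(inventory: dict[str, str]) -> dict[str, set[int]]:
    """ASSESS: observed listening ports for every host in the inventory."""
    return {host: parse_listening_ports(output) for host, output in inventory.items()}


def compare_to_baseline(observed: dict[str, set[int]],
                        baseline: dict[str, set[int]]) -> list[Finding]:
    """BASELINE: diff observed state against the approved allow-list."""
    findings: list[Finding] = []
    for host in sorted(set(observed) | set(baseline)):
        have = observed.get(host, set())
        want = baseline.get(host, set())
        findings.extend(Finding(host, p, "unexpected") for p in sorted(have - want))
        findings.extend(Finding(host, p, "missing") for p in sorted(want - have))
    return findings


def remediate(findings: list[Finding]) -> list[str]:
    """REMEDIATE: turn findings into actions. Commands are illustrative strings only."""
    actions: list[str] = []
    for f in findings:
        if f.kind == "unexpected":
            actions.append(f"{f.host}: iptables -A INPUT -p tcp --dport {f.port} -j DROP")
        else:
            actions.append(f"{f.host}: ALERT approved service on port {f.port} is not listening")
    return actions


def run_cycle(inventory: dict[str, str],
              baseline: dict[str, set[int]]) -> tuple[list[Finding], list[str]]:
    """AUTOMATE: one full pass; schedule this (cron, CI, agent) to make it continuous."""
    findings = compare_to_baseline(assess(inventory), baseline)
    return findings, remediate(findings)


if __name__ == "__main__":
    found, actions = run_cycle(SAMPLE_SS_OUTPUT, BASELINE)
    for f, a in zip(found, actions):
        print(f"{f.kind:10} {a}")
```

The four functions map one-to-one onto the workflow, which is the point: once `assess` is fed by a real collector and `remediate` executes rather than prints, `run_cycle` is what gets scheduled, and the same skeleton serves the other controls by swapping the parser and the allow-list.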

Many of the existing controls have stayed the same, albeit with some consolidation to remove duplicate requirements or simplify some wording.

The top five basic controls remain the same (with some ordering changes), which makes sense since they can block the majority of the attacks.

Over the next few weeks, I will be providing a review of each individual control to offer my thoughts on each individual requirement.

Read more about the 20 CIS Controls here:

Control 20 – Penetration Tests and Red Team Exercises

Control 19 – Incident Response and Management

Control 18 – Application Software Security

Control 17 – Implement a Security Awareness and Training Program

Control 16 – Account Monitoring and Control

Control 15 – Wireless Access Control

Control 14 – Controlled Access Based on the Need to Know

Control 13 – Data Protection

Control 12 – Boundary Defense

Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Control 10 – Data Recovery Capabilities

Control 9 – Limitation and Control of Network Ports, Protocols, and Services

Control 8 – Malware Defenses

Control 7 – Email and Web Browser Protections

Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs

Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Control 4 – Controlled Use of Administrative Privileges

Control 3 – Continuous Vulnerability Management

Control 2 – Inventory and Control of Software Assets

Control 1 – Inventory and Control of Hardware Assets
