Back in 2018, the State of Security spent a lot of time going over v7 of the Center for Internet Security’s Critical Security Controls (CIS Controls). We noted at the time how the Center for Internet Security shuffled the order of requirements for many of the existing controls in that version. It also cleaned up the language of the CIS Controls, simplified some working, removed duplicate requirements, and created an abstract for each of the security measures.
Wait, What Are the CIS Controls Again?
Just as a reminder, the CIS Controls are a set of recommended actions that organizations can use to defend themselves against some of the most pervasive attacks in the threat landscape today. They serve as a starting point for organizations in that effort. As noted on the Center for Internet Security’s website, the Critical Security Controls use prioritization to help organizations to figure out where their digital defenses begin, focus their resources on actions that can provide protection against high-risk items, and then invest their remaining time and energy in tackling additional sources of digital risk for the business.
The Constant Flow of Change
The CIS Controls are not a static entity. On the contrary, they regularly undergo an informal community process in which industry, government, and academic actors review the CIS Controls. Those individuals can then issue updates based upon organizations’ changing network environments and on the evolving digital threat landscape.
Those factors help to explain the release of CIS Controls v8. This updated version of the security measures now includes requirements pertaining to cloud and mobile technologies. (Regarding the former, the Center for Internet Security even created an entirely new control designed to help organizations manage their cloud service providers.)
These changes reflect just how organizations altered the way they do business as part of the shift to remote work. The Center for Internet Security expanded upon that reality in a blog post:
Since networks are basically borderless — meaning there is no longer an enclosed, centralized network where all the endpoints reside — the Controls are now organized by activity vs. how things are managed.
As part of this transition, the internal community process reduced the number of CIS Controls from 20 to 18. These Controls are as follows:
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skill Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing
The Center for Internet Security also grouped the Controls and a fewer number of corresponding Safeguards (formerly known as “Sub-Controls”) into three Implementation Groups (IGs). These designations help organizations to prioritize their implementation of the CIS Controls. To illustrate, the first implementation group (IG1) consists of basic hygiene that all organizations can use to lay the groundwork for defending themselves against digital threats. IG2 builds upon the practices of IG1, while IG3 encapsulates all the Controls and Safeguards.
Examining CIS Controls v8 in Detail
Researchers at Tripwire are working on a new blog series that examines each of the 18 security measures contained within CIS Controls v8. Stay tuned for the first few installments of this series over the coming weeks.
In the meantime, readers can learn more about how Tripwire’s solutions align with version 7 of the CIS Controls by clicking here.