The CIS controls are a body of best practice for information security, curated by the Center for Internet Security, regarding how organizations can most effectively bolster their cybersecurity programs and take the proper strides to avert attacks from malicious actors. These standards are developed by security experts from around the world and periodically updated to reflect the current landscape of cybersecurity threats.
In March , 2018, the latest major version of the CIS Controls, CIS Controls v7, was introduced, and this new iteration has had a major impact on the nature and operation of organizational security programs.
Just over a year later, a minor update was released as 7.1 to add guidance that prioritizes controls utilization. These Implementation Groups (IGs) are intended to be a simple and accessible way to help organizations classify themselves and focus their security resources and expertise while leveraging the value of the CIS Controls.
There are twenty individual controls, separated into three categories: basic, foundational, and organizational:
- Basic controls (1-6) encompass the strides that should be taken by all organizations for essential cyber defense preparation.
- The foundational category (7-16) is comprised of technical cybersecurity practices that any organization with a vested interest in the strength of its security program should consider implementing.
- Finally, organizational controls (17-20) address the more human element of cybersecurity, considering the people and processes involved in the viability of an organization’s security program.
The v7 controls are organized as follows:
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privilege
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation of Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Server Configuration for Network Devices, such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
Though version 7 still maintains the same top-level controls as version 6.1, there are some crucial distinctions between the two iterations. First, the ordering of the controls in version 7 has been updated to reflect a more relevant picture of the current cybersecurity threat landscape. Second, the language of several of the controls has been amended to sound clearer, more precise, and more immediately actionable.
You may be wondering, “What does this mean for my organization?” More specifically, “What do I need to do about all this?” Well, simply put, there are certain strides your organization needs to take in order to remain up to date on and compliant with these new stipulations. Here are some important, actionable strategies and steps that your organization can take:
- Conduct a gap analysis to compare your security program against the recommendations outlined in the latest iteration of the Critical Controls and identify your "Implementation Group" (IG).
- No matter your chosen IG, focus first on the controls in IG1. Taking these steps will help defend against the most prevalent cyber-attacks. These controls are considered "Basic Cyber Hygiene"
- Find and assign security personnel to analyze exactly how the critical controls beyond IG1 can be implemented within your organization.
Obviously, this can be a lot of work and can benefit from experience and domain expertise. Truvantis is a leading provider of CIS Controls based services. So reach out to us to talk about how they might map to your specific environment.