What’s New in CIS Controls v8?


The Center for Internet Security (CIS), a non-profit organization with a mission to develop and disseminate cyber defense best practices to organizations around the world, has developed a set of safeguards with the assistance of a talented group of global IT leaders. The top security safeguards, more commonly known as controls, are called CIS controls. Version 8 was officially launched at the RSA Conference in 2021. The goal of these critical security controls is to promote more secure IT systems while minimizing and mitigating cyber risks.

The CIS emphasizes that its flagship CIS controls and benchmarks are more than a checkbox list of “good things to do”, or “things that could help” in the realm of cybersecurity. They are a definitive, prioritized, and actionable set of prescriptive guidelines that have a solid support foundation to make them usable, scalable, and mappable to all industry and government standards.

Who uses CIS Controls?

The CIS Controls have been implemented by thousands of businesses and agencies across the globe. From international enterprises to SMBs, they are widely embraced and supported by security teams and risk managers.

Among the CIS Controls’ well-known users you’ll find the Federal Reserve Bank of Richmond, Corden Pharma, Boeing, Citizens Property Insurance, Butler Health System, the University of Massachusetts, the states of Idaho, Colorado, and Arizona, the cities of Portland and San Diego, and many others.


What is new in CIS Controls v8?

Version 8 has been redesigned to keep pace with today’s hybrid systems, cloud computing environments, mobile and remote workplaces, and increasingly evasive attack vectors. These 2020-era factors prompted the much-needed update and moved some controls that sat near the bottom of the top 20 in v7 to the top of the list in v8.

Let’s dive in and take a look at some new features of CIS controls Version 8.

The CIS controls have been reduced from 20 to 18.

After re-assessing the controls and aligning them with today’s threat landscape, the CIS reduced the top security controls from 20 to 18 and adopted a “task-based grouping by activity” approach, developed for version 8.

In contrast, version 7 was people-focused, and the controls were categorized according to which group in an organization managed the processes and devices relevant to each control. 

Three Outdated Controls Were Removed: (9, 12, and 15)

Rick Doten, CIS editorial panel member, says, “We had three controls that were outdated in version 7: the limitation of ports and protocols (9), boundary defense (12), and then the wireless access control (15). It was confusing. And so, we got rid of those and we split up the safeguards that were in it into more relevant things.” 

Some Juggling Of Positions Occurred 

The list is still ordered by priority and importance, but the order has changed substantially. Notably, Data Protection was moved up to near the top of the list, reflecting an environment in which data loss and data protection are central to information security. Giving Data Protection such a prominent place is a clear response to a modern threat landscape dominated by data breaches. Data is the most valuable asset in an IT system, hence its high placing on the list.

Revised Terminology

Some concepts and safeguards have been absorbed, grouped, or worded differently in this version to more naturally reflect the current cyber realities and the state of digital technology.

In addition, version 8 includes a new glossary that clarifies terminology and removes ambiguity, geared toward novice users.

In line with the CIS’s actionable approach to security, emphasis was put on the 153 safeguards to ensure that each safeguard “asks for only one thing” in a clear way that requires minimal interpretation and focuses on simplified language and measurable actions.


The Addition Of An Entirely New Control: Service Provider Management 

The controls now include a focus on vendors and third-party services. Control 15 addresses the highly prevalent cloud-based SaaS platforms and the sensitive data they often access, store, and process. The new control requires assessments, contracting policies, and ongoing monitoring of service providers.

Recent attacks like the AWS Confused-Deputy attack and a similar attack on Alibaba Cloud highlight the importance of this control. 

Implementation Groups

Arguably, the most notable change in this new version is the new approach to implementation groups.

What are Implementation Groups?

In fact, implementation groups 1, 2, and 3 were introduced in version 7. The three groups build on each other, with IG1 (implementation group 1) defined as the minimum foundational pillar of basic cyber hygiene. IG2 and IG3 respectively require greater resources and expertise to implement and are geared toward larger, better-funded enterprises that are more likely to be subject to complex regulatory requirements.

The problem with version 7’s implementation groups was that they were developed far too simplistically, and quite honestly, dysfunctionally. In version 7, the top 6 controls and all their sub-controls were grouped as minimum requirements for IG1. The problem with this logic was that some of these sub-controls required significant investment, resources, and expertise, which was completely out of reach for modest businesses that wanted to achieve minimum basic cyber hygiene. Most small enterprises with modest cyber goals got stuck in a rut along the path to implementation group 1, and never fully implemented the total IG1 requirements.

It was only further down the line that the CIS took note that this approach to implementation groups was far too simplistic and needed some revamping.

Version 8 instead takes a horizontal approach: the editorial board handpicked the most foundational safeguards from across all 18 controls. IG1 requires the implementation of 56 safeguards spread across every control. With this approach, the easiest tasks in each control family can be accomplished first, building a broad foundation across all security domains rather than getting stuck on a few very complex internal issues before moving on to an equally important domain.

IG2 includes all of IG1 plus an additional 74 specific safeguards, and IG3 is a complete adherence to all of the safeguards in the full CIS controls. 

How to Implement CIS Controls

The CIS controls are a great way to adopt the industry’s best practices for data security. Whether you adopt CIS controls or another framework, it’s important to remember that security is not about controls or rules. These are just starting points in developing an ecosystem that thrives around safeguards and controls. 

Centraleyes consultants have been helping organizations achieve compliance and enterprise risk management for years. Our innovative platform provides complete visibility into your cyber risk level, saving you time and resources while gaining accurate data and streamlined risk and compliance. Reach out to us to see how Centraleyes can help your organization.
