Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

The Center for Internet Security Publishes CIS Controls Version 7

March 22, 2018

This week the Center for Internet Security (CIS) released CIS Controls Version 7, the newest (and free) iteration of 20 very important cybersecurity recommendations that we recommend whenever we lecture. The CIS Controls are a prioritized set of actions any organization can follow to improve their cybersecurity posture.

The new controls were developed to align with current cyber threats. CIS collaborated with a global community of cybersecurity experts – leaders in academia, industry, and government – to secure input from volunteers at every level.

The development of CIS Controls V7 was guided by 7 key principles to help ensure a more robust end result:

  1. Address current attacks, emerging technology, and changing mission/business requirements for IT: As part of our fundamental promise, the CIS Controls have been updated and re-ordered to reflect both the availability of new cybersecurity tools and changes in the current threat landscape that all organizations are facing.
  2. Bring more focus to key topics like authentication, encryption, and application whitelisting: Guidance for each of these major security topics is covered in detail by CIS Controls V7 in a clearer, stronger, and more consistent fashion across the entire CIS Controls.
  3. Better align with other frameworks: With mapping to NIST Cybersecurity Framework, it's never been easier to function in a multi-framework world.
  4. Improve the consistency and simplify the wording of each sub-control – one "ask" per sub-control: The community worked tirelessly to clarify and simplify each CIS Control, making it easier for users to follow along. By eliminating multiple tasks within a single sub-control, the CIS Controls are easier to measure, monitor, and implement.
  5. Set the foundation for a rapidly growing "ecosystem" of related products and services from both CIS and the marketplace: We have much more documented experience with adopters and vendors since Version 6; for V7 we make it easier for everyone to understand, track, import, and integrate the CIS Controls into products, services, and corporate decision-making.
  6. Make some structural changes in layout and format: To help keep the Controls relevant and adaptive to different organizations, we've restructured our content to be more flexible than before.
  7. Reflect the feedback of a world-wide community of volunteers, adopters, and supporters: We are only as strong as the amazing volunteers who support us, and we hope to continue to provide a means of gathering and harnessing the global cybersecurity community for the benefit of everyone.

CIS Controls V7 separates the controls into three distinct categories: basic, foundational, and organizational.

Basic (CIS Controls 1-6): Key controls which should be implemented in every organization for essential cyber defense readiness.

Foundational (CIS Controls 7-16): The next step up from basic – these technical best practices provide clear security benefits and are a smart move for any organization to implement.

Organizational (CIS Controls 17-20): These controls are different in character from 1-16; while they have many technical elements, CIS Controls 17-20 are more focused on people and processes involved in cybersecurity.

The new CIS Controls align better with the NIST Cybersecurity Framework. John likes to refer to the NIST Framework as the "what" and to the CIS Controls as the "how." Together, these resources are concise and pretty readable. Both are terrific free resources.

Hat tip to Dave Ries for catching this first.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson