The CIS Critical Security Controls are a collection of cybersecurity practices, principles, and defensive actions. They’re provided by the CIS or Center for Internet Security, a collective organization that provides frameworks and standards for organizations to understand and meet modern cybersecurity needs.
In a nutshell, the CIS Controls are recommendations that organizations can use in order to identify, anticipate, and respond to modern digital threats. That’s especially important in this day and age, as malware, ransomware, and other cybersecurity problems have only become more dangerous and more varied over time.
The CIS Controls are continually updated using an informal community process. In this way, the Controls stay relevant and usable to modern organizations, ranging from businesses to government agencies to academic institutions and more. When leveraged properly, the CIS Controls can provide benefits such as:
· Helping organizations discover their cybersecurity weak points
· Assisting with tracking cyber risks
· Providing effective defensive steps to maximize security
· And more
With the CIS Controls, businesses can assign implementation groups to enact each cyber defense strategy and reduce cyberattack likelihood and effectiveness. They’re key elements of modern information security and cyber hygiene approaches, especially for small businesses. However, it’s best to think of the CIS benchmarks as starting points for risk management, not an end-all, be-all guide to indefinite internet security.
What is the Latest Version of CIS Controls?
As of May 18, 2021, CIS launched the most recent version of the CIS Controls: Version 8 or “v8”. This version of the CIS Controls was released to the world at the global RSA Conference of 2021.
The purpose of the update was to keep the Controls relevant in the ever-changing, evolving cyber landscape. It has also been simplified where possible – now, each Control safeguard or guideline asks for just one action or approach whenever possible. This is clear and doesn’t require a lot of interpretation. As a result, v8 of the CIS Controls is more approachable and understandable than ever before.
Furthermore, Version 8 is task-based no matter who executes the Control. It combines and consolidates CIS Controls by activities instead of who manages different devices. All in all, it’s a significant improvement that has already seen widespread adoption amongst cybersecurity professionals.
What is the Difference Between CIS Controls v8 and v7?
The big difference between CIS Controls v8 and v7 is that v8 has fewer Controls overall. This is the result of consolidating some previous Controls.
For example, CIS Control 4 was previously called, “Control of Admin Privileges.” Alongside Control 14, “Controlled Access Based on Need to Know,” both Control 4 and Control 14 were consolidated into a new version of Control 6: Access Control Management.
This happened again with Controls 5 and 11, “Secure Configuration” and “Secure Configuration of Network of devices, respectively. These two Controls were consolidated into the new Control 4, “Secure Configuration of Enterprise Assets and Software.
The last two changes see some Controls repositioned in the Controls list prioritization. Control 13, “Data Protection,” is now Control 3. Meanwhile, Control 16, “Account Monitoring and Control,” is now Control 5, “Access Control Management.”
In essence, v8 of the CIS Controls List has 18 Controls instead of 20. It’s streamlined, easier to use and understand, maps more accurately to other cybersecurity frameworks like the NIST CSF, and overall better for cybersecurity professionals seeking to protect their organizations.
CIS Controls List
Here’s a detailed breakdown of the new and refined CIS Controls v8 list, which includes 18 distinct principles, practices, and recommendations.
Control 1 – Inventory and Control of Enterprise Assets
The first Control is all about actively managing enterprise assets. The purpose is to ensure that cybersecurity teams have an accurate picture of all the assets in a given business so they can monitor and protect those assets accordingly. “Asset management” is defined in this Control as inventorying, tracking, and then correcting all enterprise assets as they are discovered. This can include user devices, Internet of Things (IoT) devices, servers, and more, as well as hardware assets that are connected to enterprise infrastructure.
Control 2 – Inventory and Control of Software Assets
Control 2 focuses on protecting and inventorying (i.e., cataloging and organizing) software assets. That’s because digital attackers frequently attack outdated and/or unpatched software to access enterprise systems remotely. This Control often involves updating and patching vulnerable software, particularly antivirus software. But it may also include going through each software asset an organization has and checking for updates or digital security breaches one by one, often through removing unauthorized software and maintaining a new, comprehensive inventory of software assets.
Control 3 – Data Protection
The Data Protection Control is vital because modern enterprises access and store data in many different locations, such as on the cloud, within the enterprise itself, and on end-user devices. Control 3 calls for focusing on 5 “Ws,” including:
· What kind of data the enterprise handles and stores
· Who gets access to the data
· Where the data is both stored and accessed
· When the data needs to be deleted
· Why the data needs protection
Following this Control ensures that enterprises adhere to modern data privacy laws and regulations, like the GDPR in Europe. The Control includes many suggested action steps, such as maintaining current data inventory, documenting data flows, securely disposing of data when it is no longer needed, and encrypting sensitive data both whenever it is in transit and while it is “at rest” or stored within an organization.
Control 4 – Secure Configuration of Enterprise Assets and Software
Control 4 focuses on securely configuring all enterprise software and hardware assets. While most assets are preconfigured, some may not be, or they may be configured for poor enterprise security. This CIS Control advises configuring enterprise assets and software individually to ensure that they adhere to organizational security policies. Sometimes, this can involve installing firewalls on end-user devices. In other cases, it can involve applying device lockouts on end-user devices under certain circumstances. Regardless, this Control emphasizes using multiple security layers at every stage.
Control 5 – Account Management
The Account Management Control is all about preventing unauthorized hacker access via valid, stolen user credentials. This is especially important when considering administrator accounts, which often have important privileges but which are also often vulnerable to malware and ransomware attacks. Control 5 requires visibility of user accounts in the enterprise environment and advises businesses to always know who owns what credentials and where different credentials are assigned. Some account management practices recommended by this CIS Control include using unique passwords, disabling dormant accounts, and maintaining an inventory of all service accounts currently in use.
Control 6 – Access Control Management
The Access Control Management Control focuses on the type of access the different accounts should have within an organization. Under this Control, all businesses should follow the principle of least privilege; all users are given the lowest level of access needed for their job responsibilities. This Control frequently recommends responses like centralizing access control, using role-based access control, and requiring multi-factor authentication or MFA for administrative access (e.g., requiring a password and fingerprint for administrator privileges).
Control 7 – Continuous Vulnerability Management
Control 7 is a series of guidelines to help establish a vulnerability management program, which is important for cybersecurity best practices. Under this Control, organizations will create a plan for assessing and tracking digital threats to their enterprise assets ahead of time. Control 7 includes recommendations such as designing and implementing remediation processes, automating patch management for applications and operating systems, and creating and implementing a comprehensive vulnerability management process.
Control 8 – Audit Log Management
The Audit Log Management Control is one of the most important CIS Controls, as it’s included in regulatory compliance guidelines like HIPPA. Organizations need to collect, manage, monitor, and analyze audit logs. The Control recommends collecting and reviewing audit logs regularly, as well as establishing a standardized audit log management process. Standardizing time synchronization is also helpful so that cybersecurity teams can identify and respond to digital threats and attacks promptly and immediately when they are first detected.
Control 9 – Email and Web Browser Protections
Email and web protection are vitally important, so Control 9 includes recommendations and steps to help organizations protect their organizations from attacks that come from these vectors. Its suggested safeguards include blocking unnecessary file types and recommending using supported email clients and web browsers. It also recommends that enterprises should use anti-malware protections for all email servers, plus enforce DNS filters for external web traffic (as well as network-based URL filters when needed).
Control 10 – Malware Defenses
Since malware is one of the oldest and most common cybersecurity threats, Control 10 focuses exclusively on stopping it. Malware can be used for many different activities and objectives, so the CIS Control for it covers basic yet effective malware defenses. These include automating anti-malware scans across your organization, using updated anti-malware solutions, and disabling autoplay and autorun functionalities for any removable media. These might seem rudimentary, especially to cybersecurity experts, but they’re good steps for those new to IT security. More importantly, they’re easy ways to bolster organizational security overall.
Control 11 – Data Recovery
Control 11 focuses on data recovery since organizations can lose data from malware attacks, natural disasters, and even accidental deletion. Therefore, those organizations need plans to recover that vital data. This CIS Control offers guidelines for data recovery, most notably creating and maintaining an automatic data backup process. After ensuring an enterprise has a data backup process, further recommendations include isolating recovery data, creating a data recovery process, and testing recovery data regularly so that no critical data is ever permanently lost. This Control is an easy one to implement, even for small businesses, so it’s one of the first to be utilized.
Control 12 – Network Infrastructure Management
Network Infrastructure Management recognizes that most network infrastructure offers a broad, vast attack surface for potential hackers. Control 12 tries to remediate inherent security flaws in software assets and new hardware, such as newly installed software programs or a weak default password for a new piece of hardware. Recommend security approaches include updating one’s network infrastructure, centralizing the network authentication, authorization, and auditing (AAA) practices, and using a VPN for remote devices. The last tip is particularly relevant for organizations that send their employees away from the office frequently, as those employees may need to regularly connect to vulnerable Wi-Fi networks.
Control 13 – Network Monitoring and Defense
Control 13 approaches network monitoring and defense in a holistic way, asking organizations to use different processes and tools to monitor and defend against all types of attacks. The biggest recommendations in this Control include centralizing security event alerts and using network intrusion detection systems. After implementing those approaches, organizations should manage access control for remote access and always capture network traffic flow logs (which can help cybersecurity personnel identify a threat after the fact). The Control further notes how important humans are in monitoring, detecting, and preventing malware attacks of all types, essentially telling businesses not to rely too much on automated detection programs or firewalls.
Control 14 – Security Awareness and Skills Training
Control 14 is a human-focused CIS Control, as it emphasizes just how much risky or lazy user behavior can cause enterprise data breaches. This Control recommends both creating and continually maintaining a security awareness program, helping employees to recognize social engineering attacks and prevent themselves from inadvertently making their employer vulnerable. Its other recommendations include teaching employees to use authentication best practices, create strong passwords, and recognize and report security incidents or breaches.
Control 15 – Service Provider Management
Control 15 is important because many modern businesses work with third parties like vendors, freelancers, and service providers, all of which can introduce new security threats into an organization’s network. Service Provider Management focuses on auditing and securing any external partners with access to an enterprise’s IT systems. Its security recommendations include classifying security providers, including security requirements in service provider contracts, and assessing and monitoring service provider access to crucial systems. In this way, companies can prevent third-party vendors and other organizations from compromising their hard-won IT security.
Control 16 – Application Software Security
CIS Control 16 is all about securing application software, which can sometimes come with major security vulnerabilities like weak authentication, coding mistakes, or otherwise insecure software designs. This Control offers a clear and actionable framework to secure vital applications, such as making an inventory of third-party software apps and implementing code-level security checks (e.g., reading through a program’s code line by line to identify potential flaws). It also includes training developers to make apps securely, plus performing root cause analysis security checks.
Control 17 – Incident Response Management
The 17th Control in the CIS list focuses on responding to digital threats and other security incidents – after all, security breaches are inevitable. This Control is about limiting hacker access after a breach has already occurred and minimizing damage in the moment. It emphasizes documenting a comprehensive yet understandable incident response plan, plus performing actions like defining thresholds for security incidents, conducting incident response exercises, and assigning incident response roles and responsibilities. That last tip is especially important, as security personnel need to know where to go and what they are supposed to do in order to behave effectively and promptly in the midst of a security breach.
Control 18 – Penetration Testing
Control 18, the final CIS Control, concerns itself with identifying vulnerabilities before cyber criminals can through penetration testing. Penetration tests help organizations identify their weak spots and take steps to correct those issues before they are exploited. The Control specifically recommends making and maintaining a penetration testing program, as well as performing external penetration tests regularly. After each test, it’s important for enterprises to remediate or fix identified vulnerabilities and develop ways to prevent those flaws from cropping up again and again.
As you can see, the CIS Critical Security Controls is an important group of frameworks and cybersecurity practices that all organizations can leverage. With the CIS Controls, businesses can keep their digital infrastructure and customer data safe against modern, evolving cyber threats.