The cybersecurity ecosystem is a constantly changing landscape of threats, controls, and protections. Keeping your organization’s security controls up to date is a constant challenge. Fortunately, there are guidelines the IT community has built in order to help organizations protect their data.

The CIS Critical Security Controls, also known as CIS Controls, are a set of safeguards developed by the global IT community. CIS Controls Version 8 updates the previous version to account for the changes happening in the cybersecurity realm. CIS Controls are in use by thousands of global enterprises of all sizes, and they are supported by many of the top cybersecurity vendors and consultants. Regular updates keep the CIS Controls among the most widely adopted uniform standards in the cybersecurity industry. This article will aim to outline the CIS Controls and the revisions made from CIS Version 7 to CIS Version 8.

Overview of CIS Controls

CIS Controls were started as a joint effort by the FBI and the SANS Institute in 2001. After years of evolution, the task of maintaining and revising the controls was passed on to the Center for Internet Security (CIS), prompting a change in the name from the SANS Top 20 to CIS Critical Security Controls, eventually shortened to CIS Controls. Traditionally, there were 20 controls for companies to prioritize, but Version 8 condensed the list to 18.

CIS Version 8 revised the previous Version 7 to keep up with the current cyber attack trends. The team in charge of the revisions decided to focus Version 8 on maximizing the basics. They emphasize this with a simplified set of guidelines that are very similar to the previous Version 7 controls with just a few organizational changes.

CIS Version 8 Controls

The CIS Version 8 controls are a reworked and simplified version of the previous iteration. The goal was to encourage organizations to focus on the basics to bolster the rest of their controls. The controls below are listed in the priority order set by CIS. Applying all 18 controls means meeting all 153 safeguards, which corresponds to completing the highest implementation tier, IG3 (Implementation Group 3).

CIS Control 1 - Inventory and Control of Enterprise Assets

Actively manage all hard assets within the organization related to the physical, virtual, and remote infrastructure, as well as assets within cloud environments, to accurately account for, monitor, and protect assets within the enterprise.

CIS Control 2 - Inventory and Control of Software Assets

Actively manage all software on the network to ensure only authorized software is installed and can operate, and that unauthorized and unmanaged software is identified and prevented from installation or execution.

CIS Control 3 - Data Protection

Develop procedures and controls to identify, classify, securely handle, retain, and properly dispose of data.

CIS Control 4 - Secure Configuration of Enterprise Assets and Software

Configure enterprise hard assets and software to establish and maintain security.

CIS Control 5 - Account Management

Use processes and tools to assign and manage authorized credentials for users on enterprise assets and software, including administrator accounts and service accounts.

CIS Control 6 - Access Control Management

Use tools and processes to create, assign, manage, and revoke access credentials and privileges for all accounts of every level for assets and software within the organization.

CIS Control 7 - Continuous Vulnerability Management

Develop plans to continuously monitor and assess vulnerabilities on all assets within the enterprise's infrastructure in order to remediate and minimize opportunities for attackers. Monitor public and private industry sources for new threat and vulnerability data.

CIS Control 8 - Audit Log Management

Collect, alert, review, and retain any audit logs of events that could help detect, understand, or recover from an attack.

CIS Control 9 - Email and Web Browser Protections

Improve protections for and detections of threats from email and web vectors, as these are opportunities for attackers to implement social engineering tactics through direct engagement.

CIS Control 10 - Malware Defenses

Control or prevent the installation, spread, and execution of malware or malicious applications, code, or scripts on enterprise assets.

CIS Control 11 - Data Recovery

Establish and maintain data recovery methods that are adequate in restoring in-scope organization assets to a trustworthy pre-incident state.

CIS Control 12 - Network Infrastructure Management

Build, apply, manage, and actively maintain network devices to prevent attackers from exploiting vulnerable access points and network services.

CIS Control 13 - Network Monitoring and Defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.

CIS Control 14 - Security Awareness and Skills Training

Build, implement, and maintain security awareness programs that promote positive security behaviors among the workforce, so that employees are security-conscious and properly skilled in security protocols, minimizing cybersecurity risks to the enterprise.

CIS Control 15 - Service Provider Management

Develop an evaluation process for third-party service providers that hold sensitive data or are responsible for an organization's critical IT platforms or processes. This ensures these providers are sufficiently protecting those platforms and data.

CIS Control 16 - Application Software Security

Manage the security life cycle of software in use by the enterprise in order to prevent, detect, and remediate weaknesses before they can impact the enterprise.

CIS Control 17 - Incident Response Management

Build and implement a program to develop and maintain incident response capabilities such as policies, plans, procedures, defined roles, training, and communications to prepare, detect, and quickly respond to any potential cyberattack.

CIS Control 18 - Penetration Testing

Test the effectiveness of enterprise assets by simulating the objectives and actions of an attacker to identify and exploit weaknesses in controls.

Who Can Use CIS Controls?

Since CIS Controls are free to use, anyone can implement CIS v8 in their enterprise cybersecurity program. Doing so will not only provide more robust security for your enterprise, but also let your customers know that you are actively working towards keeping their data protected in a very hostile cybersecurity landscape. However, even after reading through the CIS Version 8 guidelines, one can have trouble implementing all of the controls in compliance with the regulations. This is why working with security assessment professionals is a great decision.

Trava has a full catalog of assessment tools and professional consultants, all well versed in CIS Controls, including the CIS Version 8 Controls. Tools like the Trava risk assessment tool and vulnerability scanner are designed to inform organizations of their weaknesses and vulnerabilities in the context of the CIS guidelines. We also provide vCISO (virtual Chief Information Security Officer) consultation services to keep any enterprise up to date on current attack methods and up-and-coming threats in the cybersecurity ecosystem.

If your organization is looking to implement CIS Controls Version 8, contact Trava to learn just how much your business can benefit from having industry-leading cybersecurity professionals in your corner. To book your Trava demo, click the link below and fill out the form to get started.