The world has changed, and the CIS Controls have evolved to reflect those changes. The increased use of cloud computing, remote working, virtualisation, and outsourcing have all redefined and blurred the edges of the corporate network. The latest version 8 of the CIS Controls provides a practical framework for organisations of all sizes to identify the right security controls for their situation.
The 18 Controls published by the Centre for Internet Security have been updated to reflect the types of attacks and attackers organisations of all sizes face in 2021 and they propose a guided set of steps organisations can follow based on their risk profile. The latest version continues with the use of three Implementation Groups first introduced in version 7.1. Simply put, the three groups correspond to lower, medium and higher risk organisations and make it easier for security managers to focus on the controls most relevant to their organisation’s risk profile.
The CIS produces a library of resources and publications that are well respected by the global cyber security community. SecureTeam uses the CIS security baselines as the foundation for our own Configuration Reviews for example.
CIS Implementation Groups
The CIS Controls contain 153 safeguards which are organised into three implementation groups.
Basic Cyber Hygiene – IG1
Implementation Group 1 defines a set of controls and safeguards that provide a basic level of Cyber Hygiene for small to medium sized organisations. Similar in scope to the Cyber Essentials scheme, the 56 safeguards in IG 1 provide a foundational set of controls that every organisation should implement to defend against the most common attacks, yet should be achievable with limited IT and cyber security expertise.
Enterprise level protection for regulated businesses – IG2
Implementation Group 2 adds 74 additional safeguards on top of those included in IG1. Specialised expertise will be needed to implement and configure some of the technologies and systems required with some individuals dedicated to managing and protecting the IT infrastructure. Organisations with a regulatory or compliance burden will likely fall into this group as they process sensitive information.
Protection against targeted and zero-day attacks – IG3
23 additional safeguards come in Implementation Group 3 for organisations that process the most sensitive data or face the highest risk. Likely requiring security experts with specialised knowledge of different aspects of cyber security, organisations choosing IG3 will be responsible for critical national infrastructure, health care, large volumes of sensitive personal information or operate systems where a breach or outage would cause significant public harm.
As an example of the progression of safeguard complexity across the implementation groups, Control 18 – Penetration testing, only applies to IG 2 and IG 3. For IG 1, there is no requirement for a penetration testing program. In IG 2 external penetration testing is needed, and for IG 3 internal penetration testing is added in addition to the external testing.
CIS Controls Overview
Version 8 of the CIS Controls has rationalised the number of Controls down to 18 (previously there were 20). Each Control is made up from a number of Safeguards – the number of Safeguards per control growing as you move from IG 1 up to IG 3.
The controls are now organised by activity (previously they were organised based on how things are managed) as follows:
1: Inventory and Control of Enterprise Assets
You can’t protect what you don’t know about. This control focuses on identifying all the assets (devices) that form part of your organisation, regardless of where they live.
2: Inventory and Control of Software Assets
This control provides safeguards to ensure you know what software is present in your network and unauthorised software is identified
3: Data Protection
Identify, locate, and categorise the sensitivity of data and manage it through the collection>protect & use>disposal life cycle.
4: Secure Configuration of Enterprise Assets and Software
Escape the tyranny of the default by actively choosing how to configure firewalls, servers and other devices against secure baselines.
5: Account Management
Actively manage how, when, and why user accounts are issued and ensure they are disabled and revoked when no longer needed.
6: Access Control Management
Ensure user accounts have the least privilege access required and are protected by strong passwords and multi-factor authentication.
7: Continuous Vulnerability Management
Keep your patching up to date, and ensure you take steps to mitigate known vulnerabilities where patches are not yet available.
8: Audit Log Management
The answers and evidence is always in the logs, so make sure the logs are collected, protected and looked at.
9: Email and Web Browser Protections
Deploy anti-malware to scan incoming email and protect your users from visiting website that are high risk.
10: Malware Defenses
Deploy anti-malware protections and ensure the protections are active and update themselves automatically to the latest signatures.
11: Data Recovery
Make sure your backups are running, test them to ensure they work and confirm the backups are isolated from your network and protected against any ransomware attack.
12: Network and Infrastructure Management
Don’t forget to patch the firmware on firewalls, routers and other infrastructure devices. Their admin accounts need multi-factor protection just as much as your database servers. Keep the network diagram up to date.
13: Network Monitoring and Defense
Monitor your network and gather logs into a centralised location for real time monitoring and alerting. Host and Network based intrusion detection and prevention systems help identify unauthorised activity. Segment the network to hinder lateral movement. Only allow remote access via a VPN with multi-factor authentication.
14: Security Awareness and Skills Training
Activate your human firewall through an ongoing culture of security awareness and education.
15: Service Provider Management
Protect your network and data against supply chain attacks. Ensure the people you trust to process your data or support your infrastructure take at least as much care as you do.
16: Application Software Security
Ensure the software you write, or commission, is security tested and vulnerabilities that are discovered in the future will be fixed. Make sure third party libraries are also checked and updated.
17: Incident Response Management
When disaster strikes it is too late to prepare, so work out today how you will manage a security breach and test the plan you come up with – regularly.
18: Penetration Testing
You will never know if your safeguards are working unless you test them, so commission a penetration test from a security testing firm to validate your safeguards, and how your team identifies and responds to the breach.
Resources and further reading
For organisations that are not subject to another regime (such as PCI-DSS), the CIS Controls provide an comprehensive starting point for designing an information security architecture or assessing what your organisation has already got in place.
You can download a copy of the CIS Controls here.