The CIS Critical Security Controls (CIS Controls) are a set of best practices guidelines, created by the Center for Internet Security (CIS), designed to help organizations protect themselves against cyber threats. CIS Controls have been in existence since 2008, and with each new version, they have become increasingly comprehensive and effective. The latest version of the CIS Controls, Version 8, was released in 2021, including updates and changes from the previous Version 7.
Importance of CIS Controls
CIS Controls are important for organizations of any size and from any sector, as they provide a simple, yet effective way to implement a range of cybersecurity protocols that can significantly reduce the chances of a successful cyberattack. This article provides an overview of CIS Controls, discusses what is new in Version 8, explains how to implement CIS Controls, and how Kiteworks can help organizations meet CIS Controls guidelines.
Overview of CIS Critical Controls
CIS Controls are designed to help organizations protect themselves against the most common and successful cyberattacks. They are a set of best practices and recommendations, developed over many years and based on the experiences of cybersecurity experts around the world. Organizations should integrate them into their broader cybersecurity risk management strategy.
CIS Controls provide organizations with a cybersecurity framework that reduces the likelihood a cyberattack will compromise their systems. CIS Controls are divided into three categories: Fundamental Security Controls, Advanced Security Controls, and Organizational Security Controls.
Fundamental Security Controls
Fundamental Security Controls are the most important controls for organizations to implement, as they are designed to protect against the most common and successful cyberattacks. The controls focus on proactive and preventive measures, such as patch management, user access control, and secure configuration.
Advanced Security Controls
Advanced Security Controls are designed to provide additional protection to organizations and are usually more complex to implement. These controls focus on protecting against more advanced cybersecurity threats and include topics such as defending against malware and malware-based attacks, implementing an enterprise security architecture, and instituting incident response.
Organizational Security Controls
Organizational Security Controls are designed to ensure the effectiveness of the other two categories of control and focus on the development, implementation, and review of security policies, procedures, standards, and guidelines.
What Are the Most Recent CIS Controls v8?
CIS Controls are organized into 18 controls that cover the three categories. The controls are prioritized in order of importance and effectiveness, so that organizations can focus their resources on the most important controls first. These have been reordered and reorganized from the previous sub-controls. They are grouped by different cybersecurity activities and include:
1. Inventory and Control of Hardware Assets
This control involves maintaining an accurate and up-to-date inventory of all hardware assets, including physical and virtual, on the network. This helps organizations understand the entry points for malicious actors.
2. Inventory and Control of Software Assets
This control involves maintaining an accurate and up-to-date inventory of all software assets, including both open source and commercial, on the network. This helps organizations identify known vulnerable software components.
3. Continuous Vulnerability Management
This control involves monitoring system configurations and patching vulnerable software and firmware components.
4. Controlled Use of Administrative Privileges
This control involves restricting administrative access to privileged accounts to only those with a legitimate need for access. Concepts such as zero trust are very important in this control.
5. Secure Configuration for Network Devices
This control involves configuring network devices, including routers, switches, and firewalls, according to industry standards and best practices.
6. Boundary Defense
This control involves establishing a defense-in-depth strategy for protecting the network by implementing multiple layers of protection.
7. Maintenance, Monitoring, and Analysis of Audit Logs
This control involves capturing and analyzing system and user activity logs to detect malicious activities and potential threats.
8. Email and Web Browser Protection
This control involves using anti-malware and web filtering solutions to protect the organization from malicious emails and websites.
9. Malware Defenses
This control involves using anti-malware solutions to detect, prevent, and remove malicious code from the network.
10. Limitation and Control of Network Ports, Protocols, and Services
This control involves limiting network communication to only the ports, protocols, and services that are necessary for the operation of the organization.
11. Data Protection
This control involves implementing solutions to protect sensitive data from unauthorized access, modification, or disclosure.
12. Wireless Access Control
This control involves implementing solutions to secure the organization’s wireless network from unauthorized access.
13. Account Monitoring and Control
This control involves monitoring user accounts for suspicious activity and implementing account lockout policies.
14. Implementation of a Security Awareness and Training Program
This control involves implementing a security awareness program to educate users on security best practices.
15. Application Software Security
This control involves securing applications from known and emerging threats by implementing secure coding practices, static and dynamic code analysis tools, and application whitelisting.
16. Incident Response and Management
This control involves having a plan for responding to and managing security incidents.
17. Penetration Tests and Red Team Exercises
This control involves conducting periodic penetration tests and red team exercises to identify weaknesses in the organization’s security controls.
18. Data Recovery Capability
This control involves implementing solutions to ensure that information can be recovered in the event of a disaster.
Why Were the Updates of the CIS Controls Necessary?
The updates and changes in Version 8 of the CIS Controls were necessary to help organizations address the latest cyber threats and advances in technologies used by bad actors. With the increasing use of mobile devices, cloud computing, and the Internet of Things (IoT), organizations need to ensure they have the right policies and controls in place to protect their systems and data.
New CIS Controls Version 8 help organizations ensure that they are properly protecting their systems and data. For example, Control 14 helps organizations control the kind of information that is shared, while Control 15 helps them to secure and protect their wireless networks. Control 16 helps organizations monitor and control user accounts, and Control 17 helps them ensure they have the right level of security expertise and knowledge.
How to Implement CIS Controls Version 8
Implementing CIS Controls is a process that should be planned and managed carefully. The process involves the following steps:
Start by assessing the existing security posture and identifying gaps.
Prioritize the implementation of CIS Controls based on the organization’s risk profile.
Develop a detailed implementation plan for CIS Controls.
Test the implementation of CIS Controls in a controlled environment.
Regularly monitor the effectiveness of CIS Controls and update as needed.
What Tools and Resources Are Needed to Implement CIS Controls?
There are numerous tools and resources available to help organizations implement CIS Controls. These include:
1. CIS Controls Evaluation Tool
The CIS Controls Evaluation Tool helps organizations assess their existing security posture and identify gaps.
2. CIS Benchmark Security Validation Tool
The CIS Benchmark Security Validation Tool is designed to help organizations ensure their systems comply with CIS Controls.
3. CIS Critical Security Controls Implementation Toolkit
The CIS Critical Security Controls Implementation Toolkit provides organizations with a step-by-step guide to implementing CIS Controls.
4. CIS Controls Database
The CIS Controls Database provides organizations with detailed information on each of the controls, including detailed steps, best practices, and resources.
Kiteworks Private Content Network and CIS Controls
CIS Controls are an important and effective set of best practices and guidelines for organizations looking to protect themselves from cyber threats. The latest version, Version 8, includes updates that help organizations address the latest cyber threats and new technologies.
CIS Controls are free for any organization seeking to improve their own cybersecurity. The Kiteworks Private Content Network unifies, tracks, controls, and secures file and email data communications in one platform, enabling organizations to govern who accesses sensitive content, who can edit it, to whom it can be sent, and where it can be sent. Kiteworks embodies cybersecurity best practices and frameworks such as CIS Controls, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), NIST Privacy Framework, ISO 27001, and SOC 2.
Schedule a custom demo of Kiteworks to see how it aligns with global cybersecurity standards like CIS Controls and to learn more about how it provides the framework for organizations to protect their data in transit and at rest.
Get email updates with our latest blogs news