Everything you need to know about CIS Critical Security Controls v8

CIS Critical Security Controls (CIS Controls) are a set of best practices and guidelines developed by the Center for Internet Security (CIS) to help organizations enhance their cybersecurity posture. These controls are designed to mitigate the most prevalent and dangerous cyber threats. The primary purpose of CIS Controls is to provide a prioritized, highly focused set of actions that organizations can follow to improve their cyber defenses. 

The evolution of CIS Controls  

  • Initial development and early versions 
    The first version of the controls, then known as the Consensus Audit Guidelines, was introduced in 2008. They were designed to provide clear and actionable guidance for organizations to protect their information systems. Renamed as the Critical Security Controls, the guidelines went through several iterations in 2009-2011 to refine and expand the list of recommended practices. In 2013-2015, the controls gained widespread recognition and adoption across various industries and government agencies.
  • Version 6 and 7
    Version 6 of the Controls was released in 2015 and introduced more detailed implementation steps and enhanced the prioritization of controls. Version 7, released in 2018, further refined the controls, focusing on making them more actionable and measurable.
  • Version 8
    The latest version, Version 8, was released in 2021 and represents a significant evolution. It consolidated and restructured the controls to align with current technologies, practices, and security environments. It also reinforced the importance of cloud security and remote work considerations, reflecting the changes in the modern IT landscape.

Why CIS Controls are increasingly adopted worldwide

CIS Controls are being increasingly adopted due to their practicality, effectiveness, and comprehensive nature in addressing contemporary cybersecurity threats. Developed through a collaborative, community-driven process involving experts from various sectors, these controls provide prioritized, actionable steps that are both practical and scalable, making them accessible to organizations of all sizes and resource levels.

The benefits of adopting CIS Controls

Adopting CIS Controls offers several significant benefits for organizations seeking to enhance their cybersecurity posture.

  • Prioritized and actionable guidance

    The CIS Controls provide clear, prioritized steps that organizations can follow to improve their cybersecurity defenses. This helps in focusing efforts on the most critical areas, ensuring efficient use of resources.
  • Resource optimization

    By providing a clear framework and prioritization, CIS Controls help organizations allocate their cybersecurity resources more effectively, ensuring that critical areas receive the necessary attention and investment.
  • Scalability

    The Implementation Groups (IGs) within the CIS Controls allow organizations of different sizes and maturity levels to adopt the controls incrementally. This scalability makes it feasible for both small businesses and large enterprises to implement effective cybersecurity measures.
  • Comprehensive coverage

    The controls cover a wide range of cybersecurity domains, including asset management, vulnerability management, access control, and incident response. This comprehensive approach ensures that all critical aspects of cybersecurity are addressed.
  • Alignment with industry standards

    CIS Controls are aligned with various industry standards and regulatory frameworks, such as NIST, ISO, and GDPR. This alignment helps organizations achieve compliance more easily and ensures that they meet industry best practices. 

The 3 key elements of CIS Controls

CIS Controls Version 8 follows a structured approach organized around three "Implementation Groups" (IGs) and eighteen "Controls", with each Control broken down into specific "Safeguards". Every Safeguard has a targeted "Asset Type" and a particular "Security Function", and every Safeguard is also categorised by the three IGs.

The 3 Implementation Groups (IGs) 

Implementation Groups (IGs) are intended to prioritize cybersecurity efforts based on the organization's size, resources, and risk profile. These groups help organizations of different sizes and capabilities to implement the CIS Controls more effectively and efficiently. Organizations can benchmark their security posture and track progress as they implement controls within their assigned IG.

  • Implementation Group 1 

    IG1 is designed for small to medium-sized enterprises with limited IT and cybersecurity expertise. This group focuses on basic cyber hygiene, providing essential protections that defend against the most common attacks.
  • Implementation Group 2 (Includes IG1)

    IG2 targets organizations with more resources and a more complex IT environment. It includes all IG1 safeguards plus additional measures to address more sophisticated threats. IG2 requires more advanced cybersecurity measures and expertise. 
  • Implementation Group 3 (Includes IG1 and IG2)

    IG3 is aimed at organizations that handle sensitive or regulated data, or that face significant cybersecurity risks. IG3 encompasses all IG1 and IG2 safeguards, plus additional controls to protect against the most advanced threats. It involves comprehensive and rigorous cybersecurity practices.

Tip: How to decide which IG your organization should be in

To determine which IG your organization falls into, consider the following factors:

  • Size and complexity: Small organizations with limited IT infrastructure and staff generally fit into IG1. Mid-sized organizations with more complex IT environments fit into IG2. Large organizations with complex, distributed environments and dedicated security teams fit into IG3.

  • Resources: Assess the availability of financial and human resources dedicated to cybersecurity. IG1 is suitable for organizations with limited resources. IG2 and IG3 require progressively more resources.
  • Regulatory and compliance requirements: Organizations with minimal regulatory requirements may settle for IG1. Those with moderate to high compliance demands should choose IG2 or IG3.
  • Risk profile: Consider the organization's industry, threat landscape, and potential impact of a security breach. Higher-risk organizations, such as those in critical infrastructure or financial services, may belong to IG2 or IG3.

The 18 Controls

The Controls in Version 8 provide a comprehensive framework for enhancing an organization's cybersecurity posture. Here is an overview of all the 18 Controls.

[Figure: overview of the 18 CIS Controls]

These Controls cover a wide range of security practices. Together, they provide a robust approach to securing an organization's digital environment. We'll dive into these Controls in greater detail in a minute. 


The 153 Safeguards

The Safeguards are a set of specific, actionable measures designed to mitigate the most common and impactful cyber threats. Each Safeguard has a targeted "Asset Type" with a specific "Security Function". Also, they are categorised into the three IGs. 
  • Asset Types

"Asset Type" refers to the specific category of assets that the Safeguard is meant to protect and manage.

The six primary asset types within the Safeguards are: 

    • Devices: These include physical devices and systems such as servers, workstations, laptops, and other hardware components.
    • Applications: This category encompasses all software applications, including operating systems, business applications, and custom-developed software.
    • Network: This includes all network infrastructure components like routers, switches, firewalls, and other network-related devices.
    • Data: Refers to all forms of organizational data, including sensitive information that requires protection from unauthorized access and breaches.
    • Users: This includes users, employees, and other individuals who interact with and use the organization's IT resources.
    • N/A: Refers to controls that are not specific to any particular type of asset but rather apply broadly across multiple or all asset categories.
  • Security Function 

"Security Function" refers to the primary purpose or role each Safeguard plays within an organization's cybersecurity strategy. It helps organizations understand the objective of the Safeguard and how it contributes to overall security. 

The five key Security Functions within the Safeguards are: 

    • Identify: Understanding the business context, resources, and cybersecurity risks to prioritize efforts.
    • Protect: Safeguarding critical infrastructure services and information from cyber threats.
    • Detect: Implementing activities to quickly discover cybersecurity events.
    • Respond: Taking action regarding a detected cybersecurity incident.
    • Recover: Restoring capabilities or services impaired due to a cybersecurity incident.

 

  • Safeguards categorized by IGs

Safeguards in CIS Controls Version 8 are categorized by Implementation Groups to help organizations decide which safeguards to implement first based on their size and resources.

Organizations can allocate their cybersecurity budgets and efforts more effectively by ensuring that essential protections are implemented even with limited resources, and more advanced protections are pursued as resources and capabilities grow. 


Deep dive into the 18 CIS Controls and 153 Safeguards

The 18 controls are a comprehensive set of security measures designed to safeguard organizations against cyber threats and vulnerabilities. Each control provides corresponding Safeguards for organizations to maintain the integrity and availability of their information systems and data.

  • Control 1 

    Control 1, known as “Inventory and Control of Enterprise Assets”, focuses on hardware assets. It aims to establish an accurate inventory of authorized and unauthorized devices within an organization's network and ensure that only approved devices are allowed access. Control 1 is crucial because it forms the foundation of an organization's cybersecurity strategy.

    • Control 1 Safeguards
      There are five Safeguards in Control 1. They involve creating and maintaining a detailed inventory of all hardware devices connected to the network.
      Effective implementation of these Safeguards ensures that all hardware assets are accounted for, properly configured, and updated. These Safeguards are crucial for establishing a secure and controlled IT environment, laying the groundwork for more advanced security measures. 
  • Control 2 

    Control 2, known as "Inventory and Control of Software Assets," focuses on maintaining an accurate and current inventory of all software applications within the network. By doing so, organizations can ensure that only authorized and necessary software is installed, reducing the risk of vulnerabilities associated with unapproved or outdated applications. 

    • Control 2 Safeguards
      Control 2 has seven Safeguards. They are aimed at identifying and managing software-related risks, ensuring compliance with licensing requirements, and enhancing the overall security posture by preventing the execution of malicious or unauthorized software.

      Implementing these safeguards enables organizations to have a clear understanding of their software landscape, facilitating better management and protection of their digital assets.
  • Control 3

    Control 3, known as "Data Protection," focuses on implementing measures to safeguard organizational data from unauthorized access and potential breaches. This control emphasizes the importance of securing sensitive information through encryption, data masking, and other protective techniques both in transit and at rest.

    • Control 3 Safeguards 
      The fourteen Safeguards within Control 3 aim at ensuring that data is properly protected, so that organizations can mitigate the risk of data breaches and maintain the confidentiality, integrity, and availability of their critical information.
      Implementing these Safeguards is essential for defending against data-centric threats and ensuring compliance with regulatory requirements, thereby strengthening the overall cybersecurity posture. 
  • Control 4

    Control 4, "Secure Configuration of Enterprise Assets and Software," emphasizes the importance of establishing and maintaining secure settings for all hardware and software within an organization. Adhering to Control 4 is crucial for mitigating risks associated with default settings and misconfigurations.

    • Control 4 Safeguards

      Control 4 has twelve Safeguards. They involve configuring systems to reduce vulnerabilities, removing unnecessary functions, and ensuring security settings are consistently applied across all devices and applications. 

      By implementing secure configurations, organizations can minimize the attack surface, prevent unauthorized access, and enhance overall security. 

  • Control 5  

    Control 5, "Account Management," is vital for ensuring the security and integrity of user accounts within an organization. This control focuses on establishing and maintaining processes for managing the lifecycle of user accounts, including their creation, use, and deletion.

    • Control 5 Safeguards

      Control 5 has six Safeguards. They emphasize the importance of enforcing strong authentication mechanisms, regularly reviewing account privileges, and promptly revoking access for inactive or unauthorized accounts.

      By implementing account management practices, organizations can prevent unauthorized access, reduce the risk of insider threats, and maintain control over who has access to critical systems and data. 

  • Control 6

    Control 6, "Access Control Management," focuses on managing what access the Control 5 accounts have, ensuring users only have access to the data or enterprise assets appropriate for their role, and ensuring that there is strong authentication for critical or sensitive enterprise data or functions. 
    • Control 6 Safeguards

      Control 6 has eight Safeguards. They suggest implementing policies and mechanisms to manage user permissions effectively, ensuring that access is granted based on the principle of least privilege. They also suggest regularly reviewing and adjusting access rights to reduce potential internal and external threats and protect sensitive data from compromise.

      Effective access control management is a cornerstone of cybersecurity defense, helping to maintain the confidentiality, integrity, and availability of an organization's assets. 
  • Control 7

    Control 7, “Continuous Vulnerability Management”, aims at proactively identifying and addressing security weaknesses within an organization's IT environment. This control emphasizes the importance of conducting regular vulnerability scans, monitoring systems for new threats, and applying timely updates and patches.
    • Control 7 Safeguards
      Control 7 has seven Safeguards. They recommend developing processes to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure.
      Monitoring public and private industry sources for new threat and vulnerability information is important because it helps to minimize the window of opportunity for attackers.
  • Control 8 

    Control 8, "Audit Log Management," promotes the importance of implementing effective audit log management, so that organizations can detect and investigate suspicious activities and ensure accountability.

    • Control 8 Safeguards 
      There are twelve Safeguards under Control 8. They involve audit log management, log collection, log storage, and analysis of audit logs to monitor and document system activities.

      Consistently reviewing and securing audit logs helps in identifying potential security incidents early, enabling a swift response to mitigate risks. 
  • Control 9

    Control 9, "Email and Web Browser Protections," focuses on securing email and internet access within organizations. This control involves implementing measures to safeguard email and web browsers from cyber threats, such as phishing attacks, malware, and other malicious activities.

    • Control 9 Safeguards
      The seven Safeguards of Control 9 suggest utilizing filtering technologies and regularly updating and patching email clients and web browsers, so that organizations can reduce the risk of infections and breaches originating from these vectors.
      These Safeguards are crucial for protecting users and maintaining the integrity of the organization’s network.
  • Control 10
    Control 10, "Malware Defenses," is dedicated to protecting an organization's systems and data from malicious software. It emphasizes the importance of deploying and maintaining anti-malware solutions across all devices, ensuring regular updates and real-time scanning to detect and prevent malware infections. 
    • Control 10 Safeguards
      The seven Safeguards of Control 10 provide a robust malware defense approach for organizations to protect against a wide range of threats, including viruses, worms, ransomware, and spyware.

      Effective malware defense mechanisms are critical for preventing unauthorized access, data breaches, and system disruptions.
  • Control 11

    Control 11, "Data Recovery," focuses on ensuring the availability and integrity of an organization's data by implementing data backup and recovery solutions. It suggests setting up reliable data recovery mechanisms, so that organizations can quickly restore operations and minimize downtime in the event of data loss due to cyberattacks, hardware failures, or other disasters. 

    • Control 11 Safeguards
      The five Safeguards in Control 11 involve regularly backing up critical data, verifying the integrity of backups, and ensuring that data recovery procedures are tested and documented. 
      These actions are essential for maintaining business continuity and protecting valuable information assets against unforeseen events. 
  • Control 12

    Control 12, "Network Infrastructure Management," focuses on securing and managing the organization's network infrastructure. Network infrastructure includes devices such as physical and virtualized gateways, firewalls, wireless access points, routers, and switches. This Control suggests an appropriate security architecture, addressing vulnerabilities that are introduced with default settings, monitoring for changes, and reassessment of current configurations. 

    • Control 12 Safeguards
      The eight Safeguards of Control 12 include implementing measures such as network segmentation, secure configuration of network devices, and continuous monitoring for suspicious activity.
      Effective network infrastructure management is crucial for maintaining a secure and reliable communication environment within the organization.
  • Control 13

    Control 13, "Network Monitoring and Defense," focuses on the continuous surveillance and protection of an organization’s network to detect and respond to potential threats in real time. 

    • Control 13 Safeguards
      The eleven Safeguards of Control 13 include implementing tools and processes for monitoring network traffic, identifying suspicious activities, and promptly addressing anomalies. 
      Effective implementation of these Safeguards is critical for organizations to swiftly detect and mitigate cyber threats, prevent unauthorized access, and ensure the integrity and availability of their network services. 
  • Control 14
    Control 14, "Security Awareness and Skills Training," emphasizes the importance of educating employees about cybersecurity risks and best practices. This control leads organizations to build a culture of security awareness, in order to significantly reduce human error, one of the most common causes of security incidents. 
    • Control 14 Safeguards
      The nine Safeguards of this Control involve implementing ongoing training programs to educate employees about current cyber threats, safe computing practices, and the importance of their role in maintaining security. 
      Continuous education and training are vital for keeping employees informed about the latest threats and empowering them to contribute to the organization's overall cybersecurity posture.
  • Control 15

    Control 15, "Service Provider Management," focuses on ensuring that third-party service providers and vendors adhere to the organization's security policies and practices. By implementing Control 15, organizations can mitigate risks associated with outsourcing and third-party services, ensuring that external partners do not become weak links in their security chain. 

    • Control 15 Safeguards
      The seven Safeguards of Control 15 involve assessing the security posture of service providers, establishing clear security requirements, and regularly monitoring and managing their compliance.
      Effective oversight and management of service providers are crucial for maintaining the integrity and security of the organization's data and operations.
  • Control 16

    Control 16, "Application Software Security," emphasizes the importance of securing applications throughout their development and deployment lifecycle. This control suggests ensuring that applications are designed, developed, and maintained with security in mind, so that organizations can prevent the exploitation of software vulnerabilities and protect sensitive data from unauthorized access.

    • Control 16 Safeguards

      The fourteen Safeguards of Control 16 involve incorporating security best practices into the software development process, conducting regular security testing, and addressing vulnerabilities promptly.
      Implementing application software security measures is critical for reducing the risk of cyberattacks and ensuring the reliability and integrity of software applications.

  • Control 17

    Control 17, "Incident Response Management," is focused on preparing organizations to effectively handle and mitigate the impact of cybersecurity incidents. 

    • Control 17 Safeguards
      There are nine Safeguards under Control 17. They guide organizations to establish a structured incident response framework. They involve developing, implementing, and regularly updating an incident response plan that includes procedures for detecting, responding to, and recovering from security breaches. 
      By following the Safeguards, organizations can minimize damage, restore operations quickly, and learn from incidents to improve future defenses. 
  • Control 18

    Control 18, "Penetration Testing," emphasizes the importance of regularly testing an organization's defenses through simulated cyberattacks. Implementing penetration testing as part of a comprehensive security strategy helps organizations proactively address potential threats, enhance their resilience, and ensure continuous improvement of their cybersecurity defenses.

    • Control 18 Safeguards
      There are five Safeguards in Control 18. They involve conducting controlled and authorized penetration tests to identify vulnerabilities and weaknesses in systems, networks, and applications that could be exploited by attackers.
      By performing these tests, organizations can gain valuable insights into their security posture, validate the effectiveness of existing controls, and prioritize remediation efforts. 

Strengthen your cybersecurity defense with CIS Controls today

CIS Controls are invaluable for your cybersecurity defense if you want to reduce the complexity of security management.

They not only provide you with a prioritized and effective framework for your organization to prevent the most significant cyber threats, but they also aid you in meeting regulatory and compliance requirements, as they align with various legal and industry standards.
