The Center for Internet Security® (CIS) was established in 2013 by a team of experts from various backgrounds and positions to create, adopt, and support the CIS Controls. These experts not only discuss what to add to and exclude from the previous version but also use data to substantiate their claims via a platform called the Community Defense Model (CDM). However, before this data was available, they initially used a standard list of publicly known attacks as a simple and informal test to evaluate the usefulness of specific recommendations.
When creating this version of the framework, the team of experts wanted to establish a strong foundation based on a set of design principles. These principles give the experts a unified focus so that they deliver the best possible framework for us to put into practice in our own security programs. The principles used by the team are as follows:
- Offense Informs Defense: This principle leads the team to prioritize controls based on the data showing how attackers are currently behaving.
- Focus: The team focuses on identifying critical attacks and helps us avoid unnecessary tasks.
- Feasible: The team ensures that the safeguards suggested are specific and practical to implement.
- Measurable: This principle ensures that the safeguards are clearly defined and easy to understand.
- Align: The controls and safeguards suggested align with other governance, regulatory, and process management schemes, frameworks, and structures.
These principles are very useful for anyone who wants to start implementing security measures. Other frameworks may be more flexible in accommodating different company needs, but they lack the focus that these principles provide. Once you have established this focus and put measurable defenses in place, you can move on to other frameworks such as NIST, CSA, SAFECode, OWASP, HIPAA, SOC, PCI-DSS, and GDPR to further enhance your security.
The CIS Critical Security Controls v8 framework comprises 18 controls with 153 sub-controls. Additionally, the safeguards are organized into three Implementation Groups that help an organization prioritize how it protects its digital landscape.
Implementation Group 1 (IG1)
IG1 is designed for small to medium-sized companies, including those that use commercial off-the-shelf (COTS) hardware and software. It has only 56 sub-controls and is suitable for companies that lack technical personnel. IG1 is an ideal starting point for building a strong security foundation. It can also be useful for companies that do not hold critical data whose exposure in a breach would lead to a loss of trust.
Implementation Group 2 (IG2)
IG2 uses all 56 sub-controls from IG1 and adds 74 more. Companies that have already implemented all of IG1’s controls, or that hold sensitive client or enterprise information but can still withstand short interruptions of service, should start with IG2. Additionally, companies that have a major concern about losing public confidence due to a breach should also consider IG2. Certain safeguards in IG2 may require enterprise-grade technology and specialized expertise to configure and install.
Implementation Group 3 (IG3)
IG3 is for companies that have outgrown IG2. These companies may have assets and data containing sensitive information or functions that are subject to regulatory and compliance oversight, and they must address the availability of services as well as the confidentiality and integrity of sensitive data. Successful attacks on such companies can cause significant harm to the public welfare. IG3 includes all the sub-controls of IG1 and IG2, along with 23 additional controls.
The CIS Critical Security Controls v8 framework is not a definitive endpoint but a strategic launchpad that helps fortify digital landscapes. It emphasizes the importance of understanding, prioritizing, and implementing security measures that align with evolving threat landscapes. Security is not merely a checklist; it requires an ongoing commitment to protecting the integrity and confidentiality of data and assets. As we navigate the complexities of the digital realm, the CIS Controls will guide us in establishing a resilient defense that adapts and grows alongside dynamic cybersecurity challenges.