Subscribe to our blog

Articles published weekly by IT security and compliance professionals with decades of experience

  

Subscribe to our blog

Articles published weekly by IT security and compliance professionals with decades of experience

  

Subscribe to our blog

Articles published weekly by IT security and compliance professionals with decades of experience

New Version of the Critical Security Controls Released

Geoff Yeagley
Apr 25, 2018 10:00:00 AM

Last month, the Center for Internet Security (CIS) released version 7.0 of the Top 20 Critical Security Controls. This represents a significant revision from the previous version (6.1) and introduces some interesting changes. Before we dig into the changes to the controls, if you are not familiar with what they are, let’s run through a brief overview.

The CIS Top 20 Critical Security Controls (formerly known as the SANS Top 20) are a set of prioritized, specific security controls that an organization can implement to assess and improve their information security program. While all the controls are important, the first 5 controls are deemed to be the most critical and the ones that can have an immediate, positive impact on your information security posture. In addition, as with this revision, the controls are assessed and evaluated against the current threat landscape to determine the correct ordering, changes to controls, and deletion/addition of controls. The controls are developed by the CIS with input from professionals and experts from all parts of the information security ecosystem, including companies, governments, and professionals across all vertical markets and educational institutions.

Changes from Version 6.1 to Version 7.0:

There were several significant changes to this version of the Critical Security Controls, including some changes in the top 5 controls and the naming convention of several of the controls. While there were no additions or deletions to the controls, the change in order indicates that the threat landscape has changed a bit, thus the increased priority of some of the controls. In the table below, we will outline only the changed controls order. In the left column will be what the control name and number was in Version 6.1 and in the right column what the new name and number is in Version 7.0:

Control Number

Version 6.1

Version 7.0

Changes

1

Inventory of Authorized and Unauthorized Devices

Inventory and Control of Hardware Assets

Name of Control

2

Inventory of Authorized and Unauthorized Software

Inventory and Control of Software Assets

Name of Control

3

Secure Configurations for Hardware and Software

Continuous Vulnerability Management

Order of Controls

4

Continuous Vulnerability Assessment and Remediation

Controlled Use of Administrative Privileges

Order of Controls

5

Controlled Use of Administrative Privileges

Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Order of Controls

6

Maintenance, Monitoring, and Analysis of Audit Logs

Maintenance, Monitoring, and Analysis of Audit Logs

None

7

Email and Web Browser Protections

Email and Web Browser Protections

None

8

Malware Defenses

Malware Defenses

None

9

Limitation and Control of Network Ports

Limitation and Control of Network Ports, Protocols, and Services

Name of Control to Include Protocols and Services in 7.0

10

Data Recovery Capability

Data Recovery Capabilities

Name of Control to Indicate Multiple Ways to Recover Data

11

Secure Configurations for Network Devices

Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Name of Control to be More Specific

12

Boundary Defense

Boundary Defense

None

13

Data Protection

Data Protection

None

14

Controlled Access Based on the Need to Know

Controlled Access Based on the Need to Know

None

15

Wireless Access Control

Wireless Access Control

None

16

Account Monitoring and Control

Account Monitoring and Control

None

17

Security Skills Assessment and Appropriate Training to Fill Gaps

Implement a Security Awareness and Training Program

Name (See Note Below)

18

Application Software Security

Application Software Security

None (See Note Below)

19

Incident Response and Management

Incident Response and Management

None (See Note Below)

20

Penetration Tests and Red Team Exercises

Penetration Tests and Red Team Exercises

None (See Note Below)

 

The other significant change that was made to this version is controls 17 – 20 are deemed to be “less technical” and are more focused on people and processes. This underscores the point that while technology continues to be essential in your information security program, your people are just as important, if not more important, in mitigating your overall risk of a security incident.

By the Numbers

I wanted to include a quick overview, by the numbers, of the changes to this latest version of the Top 20 Critical Security Controls as I think it underscores how significant of a revision this is:

Order of Controls: 3

Name of Controls: 6

“People and Process Focused Controls: 4

When all accounted for, 13 of the 20 controls had some form of a change to them in the release of version 7.0. When broken down, 65% of the controls were changed.

There you have it, the high-level overview of the changes to the Center for Internet Security Top 20 Critical Security Controls for revision 7.0. For more detailed information and explanation, we are hosting our April webinar tomorrow on these changes. Click on the link to register below and we hope to see you there! As always, feel free to contact us to discuss your specific situation!

Changes to Top 20 Critical Security Controls Webinar

CIS Controls

 

You May Also Like

These Stories on Cybersecurity

Subscribe by Email

No Comments Yet

Let us know what you think