CIS Controls Version 8: Learn what changes with Engine Advancements
This May, the Center for Internet Security (CIS) has launched version 8 of the security control tool for critical systems, especially marked by structural progress aimed at cloud and mobile environments. The concentration of online tasks and the remote work model are becoming increasingly popular due to mobility restrictions caused by the pandemic, which generates, proportionally and positively, technological evolution to ensure the execution of work, social and entertainment activities.
What Is Different?
CIS Controls v8 is based on the activities performed, not on the user who controls the devices or on the devices themselves. Whereas previous versions focused on a centralized network that grouped all coordination and security endpoints, version 8 tracks virtual changes and assimilates new cyberattack modalities based on real threats cited in Verizon’s 2021 Data Breach Investigations Report.
Until the previous version (7.1), the set consisted of 20 main controls and 171 sub controls, but the modernization of the system condensed the total to 18 controls and 153 safeguards (yes, the term has also changed!) divided into 3 Implementation Groups (IGs), which work as a practical guide to help organizations of all sizes with their particular needs and to adapt them to current regulations.
As IG1 is the primary Implementation Group, every company needs to start with it, as it is considered the set of “basic cyber hygiene” and serves to preserve the information system from the most recurrent attacks. In the current version, it supports 56 safeguards in total, while IG2 has 74 and IG3 has 23 safeguards, making up the complete package.
To ensure essential protection, the following controls must be adopted:
4: Secure configuration of company assets and software
5: Account management
6: Access control management
14: Security awareness and skills training
v8 Extra Points:
CIS CSAT Pro self-assessment capabilities, with location tracking, optional data sharing, separation of roles and user behavior;
Community Defense Model (CDM) v2.0, with safeguards mapping and consultation of reports released by the industry, which indicate the main threats and frequent attacks;
CIS Controls Mobile Companion Guide and CIS Controls Cloud Companion Guide, which are guides for implementing CIS security best practices for mobile devices such as mobile phones and tablets; and for cloud environments, respectively.
What Does the Launch of Controls v8 Mean? That CIS understood the defense priorities of the critical data environment and streamlined the cybersecurity process. For businesses, the result is the quality of critical system security options and the practicality of complying with regulatory data protection requirements (PCI-DSS, SOx, HIPAA, and others).
Text: Priscilla Silva