
São Paulo/SP – March 24, 2023 – The CIS Controls are a publication that presents good practices and recommendations for Information Security. The purpose of this article is to give a brief summary of what CIS Controls V8 is and of its main aspects. The full document is available at: https://www.cisecurity.org/controls/v8

By Dylan Ribeiro

Overview

The CIS Controls are a publication that presents good practices and recommendations for Information Security. The initiative began in the 2000s with American business and government leaders and is today maintained by the non-governmental organization Center for Internet Security (CIS).

CIS Controls V8 has 18 Controls, each of which has a table with the following columns: "Security Measure", giving the sequential number of each measure; "Security Measure Title", describing the suggested security control; "Asset Type", indicating whether the measure applies to Devices, Applications, Data, Network or Users; "Security Function", indicating whether the measure serves to Identify, Respond, Detect or Protect; and the last three columns indicating the IGs to which the measure applies.

There are three Implementation Groups (IGs). IG1 refers to small or medium-sized companies with a limited IT infrastructure, often focused only on sustaining the business. IG2 encompasses IG1 and is aimed at companies that already have a larger IT infrastructure, with dedicated managers, and that already perform some data processing. IG3, which encompasses the other two levels, is aimed at companies that already have a specialized IT infrastructure, carry out various actions to mitigate risk, and whose focus is on the availability, integrity and confidentiality of their services.

Regardless of the IG for which a given measure is recommended, with small adaptations most of them can be applied in any organization.

CIS Controls V8

Below we will briefly address what these controls are and their main aspects.

Control 01 - Inventory and Control of Corporate Assets

This control reinforces the importance of keeping an inventory of every asset connected to the organization's environment, whether mobile or handheld devices, servers or non-computing devices. The idea is to know exactly which devices need to be monitored and protected, and to identify unknown or non-standard elements so that they can be removed or corrected more easily.

Control 02 - Inventory and Control of Software Assets

Like the previous one, this control recommends that all of the organization's software be inventoried, whether operating systems or applications, so that only authorized and approved software is installed, and unauthorized or unmanaged software is located and prevented from being installed.

Control 03 - Data Protection

The main idea of this control is that processes and technical controls are established to protect data at every stage: identification, classification, secure handling, retention, storage and, finally, disposal.

Control 04 - Secure Configuration of Corporate Assets and Software

This control recommends that processes and procedures be created to maintain the secure configuration of corporate assets, such as network devices and end-user devices, in addition to the secure configuration of software.

Control 05 - Account Management

This control addresses the importance of using processes and tools to manage credentials for all accounts, whether user, administrator, service or even corporate assets and software.

Control 06 - Access Management

This control works together with the previous one, reinforcing the importance of processes and tools to create, assign, manage and revoke access credentials regardless of the level of access.

Control 07 - Continuous Vulnerability Management

The idea of this control is that the organization develops a plan to continuously assess and track all possible vulnerabilities in its assets, that this monitoring is actually carried out, and that the organization relies on trustworthy sources of vulnerability information.

Control 08 - Audit Log Management

This control reinforces the importance of the organization collecting, alerting, analyzing and retaining audit logs of events that can help detect, understand and recover from an attack.

Control 09 - Email and Web Browser Protections

This control reinforces the importance of protective measures and the detection of possible threats arriving via email and the web, since these are entry points strongly influenced by user behavior.

Control 10 - Malware Defenses

The idea of this control is that the organization has tools capable of preventing or controlling the installation, spread and execution of any malicious code or script.

Control 11 - Data Recovery

This control recommends that the organization have data recovery practices sufficient to restore its assets to the state they were in before a given incident.

Control 12 - Network Infrastructure Management

Here we see the importance of establishing, deploying and actively managing all network devices to avoid any vulnerable access points.

Control 13 - Network Monitoring and Protection

In this control, it is recommended that the organization have processes and tools to monitor and defend the network against threats throughout its infrastructure and user base.

Control 14 - Security Awareness and Competency Training

This control recommends that the company establish and maintain awareness and training programs that influence user behavior, so that users are aware of the risks and can act to reduce them.

Control 15 - Management of Service Providers

The idea of this control is to help the organization manage its service providers by creating processes to evaluate them, ensuring the protection of the sensitive data they hold and the continuity of the critical IT processes they support.

Control 16 - Application Security

This control concerns the management of the security lifecycle of the organization's software, whether developed in-house, hosted or acquired, with the aim of preventing, detecting and correcting weaknesses before they can affect the organization.

Control 17 - Incident Response Management

The main idea of this control is that the organization develops a program and processes to maintain an incident response capability, including plans, policies, training and other elements, all aimed at better preparation for, detection of and response to an incident.

Control 18 - Penetration Testing

This control recommends that the organization perform periodic penetration tests, so that the effectiveness and resilience of its assets are tested by identifying and exploiting weaknesses in the controls, including a simulation of the objectives and actions of a possible attacker.

Importance

There are many reasons to use the CIS Controls in an organization; in this article we chose to summarize them in just two. The first is conformity with other frameworks and certifications, and the second is compliance with the requirements of the LGPD.

CIS itself publishes mappings to certifications and regulations such as PCI DSS, GDPR and ISO 27001. This way, when we implement a CIS control, we can check which measure of those other frameworks it satisfies, and the reverse is also true: given the need to implement a PCI DSS measure, it is possible to find its equivalent in CIS Controls V8 and act more directly to meet it. This mapping is available at: https://www.cisecurity.org/cybersecurity-tools/mapping-compliance

The Brazilian federal government, through its portals, makes available a series of materials containing good practices in Information Security, with the main objective of helping private organizations and public institutions comply with Chapter VII, "On security and good practices", of the General Personal Data Protection Law (LGPD). One of these many materials is the "Security Framework Guide", published in January 2022 and available in full at: https://www.gov.br/governodigital/pt-br/seguranca-e-protecao-de-data/guides/guide_framework_security.pdf

The material makes it clear that "adopting this guide does not necessarily mean complying with Brazilian legislation on security, privacy and protection of personal data", but it goes on to stress the importance of adopting the good practices it contains, and that implementing these recommendations may help organizations move toward that goal.

Final considerations

This article briefly introduced all 18 controls present in the latest version, CIS Controls V8, as a first step toward understanding the material and demonstrating its importance. Each of the controls, and indeed each of the measures, demands effort to implement, but as they are implemented one by one the organization's maturity level will gradually increase.

Because it is one of the Information Security frameworks most widely adopted by companies, thanks to how easy its controls are to understand, it is important to understand CIS Controls V8. It is worth noting, however, that it is more than just a list of recommendations. It should be thought of as the beginning of something bigger, a starting point, and for that reason it is necessary to understand very well where we are starting from.

— Dylan Ribeiro is a GRC Consultant at [SAFEWAY]

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high added-value solutions through projects that fully meet the needs of the business. In 15 years of experience, we have accumulated many successful projects that have earned us credibility and prominence among our clients, many of which are among the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop for the best technology, process and people solutions. We have both the technical skill and the experience necessary to assist your company in assessing the maturity level of its Information Security controls and processes against the CIS recommendations, as well as in implementing all applicable measures to increase that maturity level. If you want more information, contact one of our specialists!