Center for Internet Security (CIS) Controls V8 – What's New?

With the advent of the novel Coronavirus and the subsequent lockdowns, companies were forced to innovate on how and where they did work. The workforce shifted from the familiar physical and logical boundaries of corporate offices to home offices that provided greater flexibility but also introduced new threats to the cyber environment. In turn, cybersecurity teams have had to attempt the difficult balancing act of allowing enough functionality so their users can work, while simultaneously restricting functionality to reduce their threat landscape. A challenging task to say the least!

The Center for Internet Security (CIS), a non-profit information technology entity, has been on the vanguard for years in helping organizations develop effective information security programs. Their latest framework, the CIS Controls Version 8 was particularly developed to help organizations that have moved to a remote work environment.

What Are CIS Controls?

The CIS Controls are defined by CIS as, “A prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. They are developed by a community of information technology (IT) experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices”. The controls are an ever-evolving set of actions that provide ways to stop today's most common and dangerous attacks.

Changes in Version 8

Some of the changes from the previous version (CIS Controls Version 7.1) to the current version (CIS Controls Version 8) include:

• The controls are now task-focused and are combined by activity as opposed to being grouped by who manages them. This allows the controls to be reduced from 20 to 18. CIS can now group the controls in a way that more naturally reflects the evolution of technology. The graphic below shows which controls have been combined
  
  
• Along with the reduction of controls, the safeguards that fall underneath each control have been reduced to 153 in total. They also have been simplified so that each safeguard asks for one thing whenever feasible and requires as little interpretation as possible
• The CIS Controls Version 8 has been crafted to keep up with modern systems and how we use them. This means putting more of an emphasis on cloud-based computing, virtualization mobility, outsourcing, and work-from-home environments

The new CIS Controls Version 8 provides a great framework for organizations to base their cybersecurity practices on; particularly those who are moving to a remote-work environment or are already working remotely. Compass IT Compliance’s team of cybersecurity and risk management experts are extremely well-versed on the CIS Controls, having spent the past decade conducting IT risk assessments and audits based on the framework. Contact us today to learn more about the changes that come with the CIS Controls Version 8 and how well your organization is adhering to these practices!