New Version of the Critical Security Controls Released
Last month, the Center for Internet Security (CIS) released version 7.0 of the Top 20 Critical Security Controls. This is a significant revision from the previous version (6.1) and introduces some interesting changes. Before we dig into the changes, here is a brief overview for anyone not familiar with the controls.
The CIS Top 20 Critical Security Controls (formerly known as the SANS Top 20) are a prioritized set of specific security controls that an organization can implement to assess and improve its information security program. All of the controls matter, but the first few are deemed the most critical: they are the ones that have an immediate, positive impact on your security posture, and they are the ones to implement first. With each revision, including this one, the controls are re-evaluated against the current threat landscape to determine the correct ordering, changes to individual controls, and any additions or deletions. The controls are developed by CIS with input from practitioners and experts across the information security ecosystem, including companies, governments, and educational institutions across all vertical markets.
Changes from Version 6.1 to Version 7.0:
There were several significant changes in this version of the Critical Security Controls, including reordering within the top 5 and renaming of several controls. No controls were added or deleted, but the change in order indicates that the threat landscape has shifted and that some controls now carry a higher priority. The table below lists every control, with its name and number in Version 6.1 in the left column and its name and number in Version 7.0 in the right column, followed by a summary of what changed:
| Control Number | Version 6.1 | Version 7.0 | Changes |
|---|---|---|---|
| 1 | Inventory of Authorized and Unauthorized Devices | Inventory and Control of Hardware Assets | Name of Control |
| 2 | Inventory of Authorized and Unauthorized Software | Inventory and Control of Software Assets | Name of Control |
| 3 | Secure Configurations for Hardware and Software | Continuous Vulnerability Management | Order of Controls |
| 4 | Continuous Vulnerability Assessment and Remediation | Controlled Use of Administrative Privileges | Order of Controls |
| 5 | Controlled Use of Administrative Privileges | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | Order of Controls |
| 6 | Maintenance, Monitoring, and Analysis of Audit Logs | Maintenance, Monitoring, and Analysis of Audit Logs | None |
| 7 | Email and Web Browser Protections | Email and Web Browser Protections | None |
| 8 | Malware Defenses | Malware Defenses | None |
| 9 | Limitation and Control of Network Ports | Limitation and Control of Network Ports, Protocols, and Services | Name of Control to Include Protocols and Services in 7.0 |
| 10 | Data Recovery Capability | Data Recovery Capabilities | Name of Control to Indicate Multiple Ways to Recover Data |
| 11 | Secure Configurations for Network Devices | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | Name of Control to be More Specific |
| 12 | Boundary Defense | Boundary Defense | None |
| 13 | Data Protection | Data Protection | None |
| 14 | Controlled Access Based on the Need to Know | Controlled Access Based on the Need to Know | None |
| 15 | Wireless Access Control | Wireless Access Control | None |
| 16 | Account Monitoring and Control | Account Monitoring and Control | None |
| 17 | Security Skills Assessment and Appropriate Training to Fill Gaps | Implement a Security Awareness and Training Program | Name (See Note Below) |
| 18 | Application Software Security | Application Software Security | None (See Note Below) |
| 19 | Incident Response and Management | Incident Response and Management | None (See Note Below) |
| 20 | Penetration Tests and Red Team Exercises | Penetration Tests and Red Team Exercises | None (See Note Below) |
The other significant change in this version is that controls 17 through 20 are now grouped separately as "less technical" controls (CIS calls this group the Organizational controls) that focus on people and processes rather than on specific technology. This underscores the point that while technology remains essential to an information security program, your people and processes are just as important, if not more so, in reducing the overall risk of a security incident.
By the Numbers
Here is a quick overview, by the numbers, of the changes in this latest version of the Top 20 Critical Security Controls; it underscores how significant a revision this is:
Order of Controls: 3
Name of Controls: 6
People and Process Focused Controls: 4
Summing those categories gives 13 changes, but control 17 appears in both the "Name" and the "People and Process" categories, so 12 of the 20 controls (60%) changed in some way in version 7.0, whether by renaming, reordering, or regrouping.
There you have it: a high-level overview of the changes in revision 7.0 of the Center for Internet Security Top 20 Critical Security Controls. For more detailed information and explanation, we are hosting our April webinar tomorrow on these changes. Click on the link below to register; we hope to see you there. As always, feel free to contact us to discuss your specific situation.
Changes to Top 20 Critical Security Controls Webinar
Contact Us