Cybersecurity Quarterly (Spring 2018)


precise, implementing a single “ask” per sub-control. CIS Controls V7 splits the controls into three distinct categories: basic, foundational, and organizational.

Basic (CIS Controls 1-6): Key controls which should be implemented in every organization for essential cyber defense.

Foundational (CIS Controls 7-16): The next step up from basic – these technical best practices provide clear security benefits and are a great idea for any organization to implement.

Organizational (CIS Controls 17-20): These controls are different in character from 1-16; while they have many technical elements, CIS Controls 17-20 are more focused on people and processes.

Key Principles

The development of CIS Controls V7 was guided by 7 key principles which helped ensure a more robust end result.

1. Address current attacks, emerging technology, and changing mission/business requirements for IT: As part of our fundamental promise, the CIS Controls have been updated and reordered to reflect both the availability of new cybersecurity tools and changes in the current threat landscape that all organizations are facing.

2. Bring more focus to key topics like authentication, encryptions, and application whitelisting: Guidance for each of these major security topics is covered in detail by CIS Controls V7 in a clearer, stronger, and more consistent fashion.

3. Better align with other frameworks: With mapping to NIST Cybersecurity Framework, it’s never been easier to function in a multi-framework world.

4. Improve the consistency and simplify the wording of each sub-control – one “ask” per sub-control: The community worked tirelessly to clarify and simplify each CIS Control, making it easier for users to follow along. By eliminating multiple tasks within a single sub-control, the CIS Controls are easier to measure, monitor, and implement.

5. Set the foundation for a rapidly growing “ecosystem” of related products and services from both CIS and the marketplace: We have much more experience with adopters and vendors since V6; for V7, we make it easier for everyone to understand, track, import, and integrate the CIS Controls into products, services, and corporate decision-making.

6. Make some structural changes in layout and format: To help keep the CIS Controls relevant and adaptive, we’ve restructured our content to be more flexible than before.

7. Reflect the feedback of a world-wide community of volunteers, adopters, and supporters: We are only as strong as the amazing volunteers that support us and hope to continue to provide a means of gathering and harnessing the global cybersecurity community for the benefit of everyone.

By following these 7 key principles, the CIS Controls have become a more flexible, measurable, and useful resource for any business or organization looking to secure its systems.

A Resource for All

The CIS Controls provide clear, prioritized guidance to help organizations tackle the most pervasive cybersecurity threats. They are a free cybersecurity best practices resource for any organization to download and implement. To get started, visit https://learn.cisecurity.org/20-controls-download.

Philippe Langlois is a Technical Product Manager for the CIS Controls. Langlois leads a community of cybersecurity experts who develop the CIS Controls, as well as manages the production, writing, and publication of a range of cybersecurity resources. Langlois holds an MS in Infrastructure Protection and International Security, and a BA in Criminology.

Shannon Heesacker McClain (GISF) is a Marketing Specialist at CIS, helping organizations learn how to improve their cybersecurity posture and respond to pervasive cyber threats. She holds a master’s degree in Political Science and Foreign Languages from the University of Nebraska at Omaha, with a special focus on intelligence analysis and conflict resolution.
