Today, the Center for Internet Security (CIS) is releasing its next revision of the top 20 Critical Security Controls.

Initially developed by the SANS Institute, these controls have been used by organizations both large and small. By adopting these sets of controls, organizations can prevent the majority of attacks. A study of the previous release found that by adopting just the first five controls, 85% of attacks can be prevented. Adopting all 20 controls will prevent upwards of 97% of attacks.

With this release, one of the main goals was a consistent workflow across every control. Even controls whose content changed little saw their requirements reordered. For each control, we now see an abstract version of the same four-step cycle: assess, baseline, remediate, and automate.

Additionally, the language has been cleaned up considerably from previous revisions. The wording is now very concise and sits at a higher level of abstraction than previous releases. This is great in that it allows the set of controls to fit a wider range of platforms and attacks. However, it leaves it up to each organization, and the tools at its disposal, to decide how to actually implement the controls. This may be challenging for organizations going it alone, so enterprises should work with their security vendors, who can provide guidance on the “in the weeds” details of the various controls.

Many of the existing controls have stayed the same, albeit with some consolidation to remove duplicate requirements or simplify some wording.

The top five foundational controls remain the same (with some ordering changes), which makes sense since they can block the majority of the attacks.

Over the next few weeks, I will be providing a review of each individual control to offer my thoughts on