NZ Incident Response Bulletin – July 2024

New Centre for Internet Security (CIS) Control Version 8.1

CIS has just released an iterative update to the CIS Security Controls version 8.0. The CIS Controls version 8.1 is guided by the design principles of context, clarity, and consistency. The CIS Controls aim to simplify the design, implementation, measurement, and management of enterprise security, which involves:

  • Simplifying language to reduce duplication.
  • Focusing on measurable actions with defined metrics.
  • Ensuring each safeguard is clear and concise.

What has changed?

Specific Updates in CIS Controls v8.1 include:

  • Realigned NIST CSF Security Function Mappings: Adjustments have been made to match NIST CSF 2.0.
  • Expanded Glossary Definitions: New and expanded definitions for terms such as “plan,” “process,” and “sensitive data” have been included.
  • Revised Asset Classes and Mappings: Asset classes have been revised, and new mappings to safeguards have been introduced.
  • Typographical Corrections: Minor typos in safeguard descriptions have been fixed.
  • Clarified Safeguard Descriptions: Clarifications have been added to several safeguard descriptions to ensure they are clear and actionable.

We have reviewed the specific changes to the safeguard descriptions in IG1 and outline below what you need to know about these.

For each of the IG1 controls listed below, the safeguard descriptions have been updated to prescribe and emphasise the need for “documented” processes. CIS 8.0 safeguard descriptions highlighted the need for a process in each area; CIS 8.1, however, clarifies that each of these should be a “documented” process.

  • CIS 2.1 Establish and Maintain a Software Inventory
  • CIS 3.1 Establish and Maintain a Data Management Process
  • CIS 4.1 Establish and Maintain a Secure Configuration Process
  • CIS 5.1 Establish and Maintain an Inventory of Accounts
  • CIS 6.1 Establish an Access Granting Process
  • CIS 8.1 Establish and Maintain an Audit Log Management Process
  • CIS 11.1 Establish and Maintain a Data Recovery Process

For some safeguards CIS 8.1 clarifies scope or adds additional detail to the safeguard as follows:

  • CIS 12.2 Establish and Maintain a Secure Network Architecture (adds a requirement for policy and design components to be reflected in the implementation).
  • CIS 14.2 Train Workforce Members to Recognise Social Engineering Attacks (adds a specific requirement for Business Email Compromise training).

A further addition in v8.1 is the inclusion of the “Governance” security function. Effective governance is crucial for steering a cybersecurity program towards achieving enterprise goals. The Controls now specifically identify governance topics as recommendations, helping users implement these to enhance their cybersecurity governance.

A full log of all changes made in this version is available here.

Next Steps

The CIS Controls strive to balance addressing current cybersecurity challenges with maintaining a stable, foundational cyber defence strategy. Rapid developments in technology, including artificial intelligence, augmented reality, and ambient computing, are constantly under review, and CIS note that they are already working on ideas for version 9 of the CIS Controls to stay ahead of these advancements.

However, this latest update ensures minimal disruption for existing users by not modifying any Implementation Groups and by maintaining the core intent of each safeguard. As such, we believe it is perfectly reasonable to continue scoring against CIS version 8.0 if this is your current practice, and to update to CIS v8.1 when next practical.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.