Our Views:
This month’s theme is “Implementing Cyber Controls”.
In previous bulletins we have discussed the importance of adopting a mature and trusted cybersecurity framework for guiding your cybersecurity improvement programme. We recommend the NIST cybersecurity framework for this purpose.
Additionally, we believe organisations will benefit from using an appropriate set of Cyber Controls that align with the cybersecurity framework to support their journey to cybersecurity maturity. The CIS controls provide clear, actionable items for immediate gains in cybersecurity posture.
The controls originated in 2008, when an alarming number of US defence industrial base organisations had suffered significant data losses. They were developed by a consortium of US government agencies and private-sector security experts coordinated by the SANS Institute, and were intended to act as best-practice guidelines for computer security. They have since evolved into a prioritised set of specific actions a business can implement for protection from known cyber-attack vectors, and are now maintained by the Center for Internet Security (CIS).
The Controls at a glance
CIS controls version 8 were released in May 2021 consisting of 18 top-level controls and 153 safeguards (sub controls) that can guide you through the process of creating a layered or defence-in-depth cybersecurity strategy. This latest version focuses more heavily on cloud-based computing (full and hybrid environments), virtualisation, outsourcing, work-from-home and mobility. It also recognises changing attacker tactics. The list of top-level controls below displays the scope of the framework:
| Controls 1-6 | Controls 7-12 | Controls 13-18 |
| --- | --- | --- |
| 1: Inventory and Control of Enterprise Assets | 7: Continuous Vulnerability Management | 13: Network Monitoring and Defense |
| 2: Inventory and Control of Software Assets | 8: Audit Log Management | 14: Security Awareness and Skills Training |
| 3: Data Protection | 9: Email and Web Browser Protections | 15: Service Provider Management |
| 4: Secure Configuration of Enterprise Assets and Software | 10: Malware Defenses | 16: Application Software Security |
| 5: Account Management | 11: Data Recovery | 17: Incident Response Management |
| 6: Access Control Management | 12: Network Infrastructure Management | 18: Penetration Testing |
Each of the 18 controls has multiple safeguards (formerly called sub-controls). We will be undertaking a deep dive of these over the coming months to describe what each one means practically and how it can be assessed and implemented.
Benefits of Implementation
The CIS Controls recognise that most organisations have limited resources which must be prioritised. The safeguards are therefore tiered into three cumulative Implementation Groups (IGs); an organisation starts with the group that matches its size and risk profile and can reassess its resources over time to decide whether it can move to the next group.
- IG1 is for small businesses and start-ups with limited resources. It consists of 56 safeguards and is described by CIS as “essential cyber hygiene”, the minimum every organisation should implement.
- IG2 is for medium enterprises with moderate resources. It adds a further 74 safeguards on top of IG1 (130 in total), giving a more extensive control set.
- IG3 is for large organisations with significant resources. It adds the remaining 23 safeguards, so an IG3 organisation implements all 18 controls and all 153 safeguards.
The ability to prioritise and categorise the controls is what makes the CIS control set so effective in practice. It allows you to focus on a small number of actions that can significantly reduce cybersecurity risk and provide the most “bang for your buck”.
The recently released 2021 Verizon Data Breach Investigations Report maps the incidents it analysed to the CIS Controls and identifies a core set of controls that Verizon believes all businesses should implement, regardless of size, to protect against the most common attack vectors seen in the report.
Combining the NIST cybersecurity framework and the CIS Controls
As the CIS controls align to the NIST cybersecurity framework, we recommend these be used together to gain control of your cybersecurity maturity in a methodical, organised way.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
