The Center for Internet Security (CIS), working with the SANS Institute and a consortium of security experts and U.S. agencies such as the NSA, published the CIS Controls Version 8 (formerly known as the "Critical Security Controls" or CSC). The goal is a simplified, prioritized list of the controls that have the greatest impact on an organization's risk posture against cyber threats.
Most of the controls are also mapped back to the NIST SP 800-53 standard (which we'll review later), and the CIS Controls are meant to complement standards already in place rather than replace them.
The 18 CIS Controls v8, in order, are:
1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software*
5. Account Management
6. Access Control Management*
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing
SANS has also published a useful comparison of what changed between versions 7 and 8 of the CIS Controls.
As marked with an asterisk (*) above, Secure Configuration of Enterprise Assets and Software (Control 4) consolidates two CIS version 7 controls, 'Secure Configuration for Hardware and Software' and 'Secure Configuration for Network Devices'. Likewise, Access Control Management (Control 6) consolidates the former CIS version 7 controls 'Controlled Use of Administrative Privileges' and 'Controlled Access Based on the Need to Know'.