Tuesday, March 20, 2018

Critical Security Controls v7 RELEASED

I have previously posted on the Critical Security Controls, which many still incorrectly call the "SANS Top 20" and the like, though SANS hasn't been managing them for some time.  The organization that currently manages them is the Center for Internet Security, which has overseen them since around 2015.  They previously put out v6 and, after about a year of working on them, have released v7.  You can download them from the CIS website, along with other materials.

I haven't had the chance to fully look at v7 and examine the differences from v6.  There are still 20 "controls", but they've done some rearrangement and have made tweaks to the "subcontrols" by adding, splitting, merging, moving (from one control to another), rewording, or deleting some.


The biggest rearrangement is how the 20 controls are organized.  In v6, the first 5 controls were "foundational": basic controls that all orgs should implement immediately.  The remaining 15 were advanced controls.

In v7, the first *6* are basic controls that everyone should implement immediately.   Controls 7-16 are now called "foundational" and are the next set of controls to tackle after taking care of 1-6.  The remaining controls (17-20) are being called "organizational" and are a little different: in addition to technical matters, they also include people and process items.

Some controls were rearranged.  #3 (Secure Configuration) is now #5, and Controls #4 & 5 have moved up to #3 & 4.  Otherwise, the controls remain the same.

The subcontrols have been changed, as I noted (you can download a change file with detailed info on what has been changed).  Now we have:
  • Control #1 has gone from 6 to 8, with deletions, additions, and rewording
  • Control #2 has gone from 4 to 10, with additions and rewording
  • Control #3 (the former #4) has gone from 8 to 7, with deletions and rewording
  • Control #4 (the former #5) is still at 9, but has some subcontrols replaced and others reworded
  • Control #5 (the former #3) has gone from 7 to 5, but has some moved, deleted, and reworded
  • Control #6 has gone from 6 to 8, with mergers and rewording
  • Control #7 has gone from 8 to 10, with deletions, additions, and rewording
  • Control #8 has gone from 6 to 8, with additions and rewording
  • Control #9 has gone from 6 to 5, with deletions, moving, and additions
  • Control #10 has gone from 4 to 5, with splitting and rewording
  • Control #11 is still at 7, but there is rewording
  • Control #12 has gone from 10 to 12, with deletions, additions, and rewording
  • Control #13 is still at 9, but has deletions, additions, moving, splitting, and rewording
  • Control #14 has gone from 7 to 9, with additions, moving, splitting, and rewording
  • Control #15 has gone from 9 to 10, with additions and rewording
  • Control #16 has gone from 14 to 13, with deletions, additions, and rewording
  • Control #17 has gone from 5 to 9, with deletions, additions, splitting, and rewording
  • Control #18 has gone from 9 to 11, with deletions and additions
  • Control #19 has gone from 7 to 8, with one addition (probably the least changed of all)
  • Control #20 is still at 8, with minor work
Version 6 had 139 subcontrols.  Version 7 has 171.  But the overall document went from 96 pages to 73.  Also, in v6, subcontrols were noted as being foundational or advanced.  This has been dropped; instead, subcontrols are marked with a "security function" that matches the 5 core areas of the NIST CSF.

They have already put out some supporting materials, like a measurement & metrics document, with more promised (an SME document, etc.).

I hope to dig into this further and encourage others to check it out.
