Updated critical information security controls: what risk managers need to know

In the face of an evolving cyber risk environment, the Center for Internet Security (CIS) recently issued a significant update to its Critical Security Controls, a prioritized set of safeguards that give organizations a foundation for evaluating and reducing the risks they face.

The CIS Controls, widely regarded as a benchmark for protecting against evolving threats, are revised periodically, but the most recent revision, version 8 (referred to here as CIS 18 because it consolidates the list into 18 controls), is among the most significant. It may require cybersecurity teams to make multiple changes to their policies, operations, and processes to benefit from the updated guidance.

Security teams should take steps to evaluate and align with the new controls, which reflect evolving technologies and persistent threats. But risk managers, even if they are not at the forefront of the implementation strategy, should also understand the enhanced version. Familiarity with the language used in CIS 18, including the renaming of sub-controls to safeguards, is critical and can help improve alignment between risk management and security teams.

New safeguards address service provider and vendor risks

Launched in May 2021, CIS 18 includes new controls and safeguards that organizations should consider implementing. Of particular relevance to risk managers is a new control devoted to service provider management. Control 15 and its seven safeguards underscore the need for organizations to keep an inventory of all their service providers and to have a policy for reviewing them. Organizations are further encouraged to classify each vendor by the risk to the company should that vendor's systems be breached.

The new control positions risk managers more squarely in the third-party risk management process. It identifies best practice for spotting potentially risky partners and the actions that mitigate those risks. Control 15 also notes that third-party vendors that carry cybersecurity insurance can help reduce risk; risk managers can use this point when making the case to senior leaders that all vendors should hold adequate coverage. The control is especially relevant given the increased threat of ransomware, which can lead to loss of data and trigger notification obligations and other costs.

Updated guidance for today’s pressing risks

Controls 9, 10, and 11, which cover email and web browser protections, malware defenses, and data recovery respectively, also help organizations protect themselves from ransomware. Email is the most common initial entry point for ransomware, so robust protections there are crucial. Strong malware defenses help organizations block malware, including ransomware, while isolated or offline backups, which an attacker with access to the production network cannot encrypt or delete, shorten recovery from an incident.

Like previous versions, CIS 18 includes detailed technical guidance to help organizations identify technology risks, implement protections, detect and respond to threats, and recover after cyber incidents. Although it provides granular recommendations, such as specifying the maximum number of failed unlock attempts permitted on a corporate device, the 153 safeguards in CIS 18 also address cybersecurity governance and process controls that help organizations minimize risk.

A long-term implementation process

CIS 18 includes multiple updates intended to keep pace with evolving technology, and CIS has advised that organizations already aligned with the recommendations in versions 7 or 7.1 should consider moving to the newer version, while other organizations should transition to version 8 "as soon as practicable."

The CIS Controls are widely treated as a benchmark for protecting against evolving threats, and many security teams strive to align their processes with them. Risk teams may be eager to ensure their organizations meet the enhanced controls, but doing so will likely require revising documented policies and processes, an effort that can take several months even for the most advanced organizations.
