Center For Internet Security Updates CIS Controls With Focus On Cloud, Mobile, And Remote Work – Technology – United States – Mondaq News Alerts

Now is a great time to review your security posture, as you have a new tool to help you. On May 18, 2021, the Center for Internet Security (CIS) released Version 8 of its CIS Controls, formerly known as the CIS Critical Security Controls (and often called the "CIS Top 20").

CIS intends the new version to better address some of the major developments in IT and cybersecurity over the past several years, including the movement to cloud solutions, increased mobility, and the normalization of remote work. CIS is also updating the ecosystem of tools that support the Controls, including self-assessment tools and a method for risk assessments that helps to justify security investments.

The Version 8 update is likely to garner a lot of attention from companies looking to address the "reasonable security" requirements referenced in California law (see Cal. Civ. Code 1798.81.5(b), 1798.150(a)(1)), including in the forthcoming California Privacy Rights Act (CPRA), as well as numerous other state laws.

Then-California Attorney General (now Vice President) Kamala Harris concluded in her 2016 data breach report that an organization's failure to implement all applicable CIS Controls "constitutes a lack of reasonable security." Since that report, many companies have used the CIS Controls as a primary means of evaluating their compliance with reasonable security provisions.

At their core, the CIS Controls are a prioritized list of security best practices, comparable to frameworks such as NIST SP 800-53 and the ISO/IEC 27000 series. Prior to Version 8, the CIS Controls were organized into 20 top-level controls that addressed, for example, access control, vulnerability assessment, audit log maintenance, and other foundational measures that mitigate security risk. Each top-level control includes specific "safeguards" (previously called "sub-controls"), which are the concrete actions, tools, or other resources that implement the top-level control.

The key difference between the CIS Controls and other frameworks is their organization of the safeguards into "Implementation Groups" (IGs), which define a set of recommended safeguards based on risk profile and available resources. The groups are cumulative: IG1 is CIS's definition of essential cyber hygiene, IG2 adds safeguards on top of IG1, and IG3 adds further safeguards on top of IG2. Organizations may choose the IG appropriate to their risk and budget, then implement the safeguards listed for that IG.

This grouping makes the CIS Controls an attractive option for businesses of varying sizes and risk profiles, including small- and medium-sized businesses focused on basic cyber hygiene and defense.

In addition to retaining the IGs (which CIS introduced in Version 7.1), Version 8 consolidates several top-level controls, thereby reducing the total number from 20 to 18, renames many of the controls, and reorganizes the relationship between the controls and many of their underlying safeguards. The Version 8 safeguards place much more emphasis on mobile and cloud security than prior versions' sub-controls.

In large part, these changes reflect CIS's goal of focusing more holistically on system and asset security, regardless of where those systems or assets reside (within the corporate network, in the cloud, at an employee's home, etc.) and which IT teams might be responsible for them. For example, Version 7.1 has a control specifically for "Wireless Access Control," which includes a sub-control to "Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data" (among others).

In Version 8, there is no control singularly focused on wireless security. Instead, wireless safeguards are dispersed throughout, and encryption of wireless traffic is rolled into a more general safeguard to "Encrypt Sensitive Data in Transit" under the "Data Protection" control. Version 8 notes that "[p]hysical devices, fixed boundaries, and discrete islands of security implementation are less important" in computing now than they were when prior versions were adopted.

New data privacy and security laws are increasing pressure on organizations to adopt "reasonable" security controls for personal data. For instance, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, whose data security provisions went into effect in March 2020, requires businesses to "implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information."

On the other side of the country, the CPRA will update California law as of January 1, 2023, to require "[a] business that collects a consumer's personal information [to] implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5."

Likewise, the Virginia Consumer Data Protection Act, which also becomes operative on January 1, 2023, requires businesses to "[e]stablish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data."

The White House, too, has joined the fray with its recent Executive Order on Improving the Nation's Cybersecurity (which we previously covered here). Intentionally or not, Version 8's more holistic approach to security and increased emphasis on cloud and mobile technologies echoes many provisions of the Executive Order.

Among other things, the Executive Order directs the government to accelerate its movement to cloud systems and to adopt "zero-trust architecture" (ZTA), a security model that challenges the traditional notion of a security "perimeter" and focuses on the defense of computing assets wherever they reside.[1] Government contractors and suppliers who may need to shift towards cloud-based systems and ZTA-based security might consult the new CIS Controls to evaluate and develop their security programs.

Organizations of all sizes face some degree of information security risk to confidential or personal data. CIS Controls Version 8 makes mitigating those risks even more accessible and provides a great excuse to take account of your security posture.

Footnote

[1] The National Institute of Standards and Technology (NIST) states that ZTA's "focus on protecting resources rather than network segments is a response to enterprise trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary."

Originally published 05.24.21

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
