The Inner Circle


Center for Internet Security (CIS) Controls and CSA CCM

  • 1.  Center for Internet Security (CIS) Controls and CSA CCM

    Posted 11 days ago
    Hi All,

    I wanted to get some expert opinions on possible collaboration we should do with Center for Internet Security, particularly with their CIS controls as they are updating from ver 7 to 8 and we are updating CCM. I will be talking to CIS leadership soon and was curious what the community thought the synergy might be (beyond mapping).

    https://www.cisecurity.org/controls/cis-controls-list/

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------


  • 2.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted 10 days ago
    Their current set of 20 controls is all useful and important, but their formulation currently seems to be very "on prem" focused. If they're truly interested in expanding their scope to explicitly include cloud, then there's probably a lot that the CSA could bring to the table. For example:
    1. They'd need to understand, embrace and incorporate shared security responsibility model concepts (e.g. when it comes to config and vulnerability management, logging, etc.)
    2. What it means to have and manage an inventory is different in the cloud. Different attributes are relevant and the "hardware" and "software" distinctions are less relevant.
    3. Secure network and boundary configuration in the cloud is based on software defined networking and software defined perimeter concepts, including zero trust and conditional access controls.

    Similarly, the CIS defines and manages CIS secure configuration benchmarks. As cloud customers, we'd like to see them define and manage secure configs for common cloud services (e.g. specific AWS, Azure and Google services). That might be another value-added area of collaboration.

    ------------------------------
    Erik Johnson CISSP, CCSK, CCSP, PMP
    Federal Reserve
    ------------------------------



  • 3.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted 8 days ago
    Dear Jim,
    I think it would be best to create a dedicated set of CIS-CSA controls to be governed and updated regularly under a "shared governance" model. So, definitely, it's crucial to link CSA and CIS.

    ------------------------------
    Becca Danilo
    Manager
    Cornèr Banca SA
    ------------------------------



  • 4.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted 8 days ago
    Hi Becca,
    I completely agree with you. Creating a dedicated set of CIS-CSA controls would be best, similar to what was done with ISO/IEC 27017:2015.

    ------------------------------
    Michael Bayere
    Principal Officer
    CAS Assurance, LLC (CPA)
    Miramar FL
    ------------------------------



  • 5.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted 19 hours ago
    Becca, I could not find you on LinkedIn. If you can connect with me here, I would very much appreciate it.
    https://www.linkedin.com/in/craigunger/
    Thanks,

    ------------------------------
    Craig Unger
    CEO
    Hyperproof
    ------------------------------



  • 6.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted 7 days ago
    Thanks for the feedback, I think the suggestions are great. I am going to suggest that we get a couple of volunteers to represent CSA at some of the CIS V8 status update calls to get a direct dialogue with CIS to help us refine the collaboration; they are definitely open to constructive input. If you are interested, let me know. I will also be tracking respondents down individually.

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------



  • 7.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted 7 days ago
    Hi!
    I am one of the contributors to the CIS cloud companion guide.
    We have looked at and made adjustments for IaaS, PaaS, SaaS and FaaS.
    This guide is out, but it is for version 7.
    Best regards,
    Staffan

    ------------------------------
    Staffan Huslid
    private
    private
    ------------------------------



  • 8.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted 5 days ago
    Hi! I am interested in being in a group like that.
    Best regards,
    Staffan

    ------------------------------
    Staffan Huslid
    private
    private
    ------------------------------



  • 9.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted 4 days ago
    Hi Jim, I think it's a good idea and could be a nice initiative to see how we can liaise with them to bring the best from the security controls perspective, aligned with standards and providers' services. I have been a contributor to their benchmarks, but I think, given the way public cloud vendors are offering new services almost every month, we are quite behind in terms of security benchmarks for those; I mean it's evolving, but it still needs to match up with what the industry currently needs. It might also be good to have something from CSA's perspective on these controls.

    ------------------------------
    Rakesh Sharma
    Singapore
    ------------------------------



  • 10.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted 4 days ago
    Dear Jim,

    Since you are liaising with CIS, it would be nice to also address (or at least start discussing) aspects which are becoming more and more crucial. When we take into consideration today's digital transformation journey happening at all levels and sectors, it becomes, in my opinion, important to add environmental and temporal variables to the framework, not to mention the changing regulations and the compliance obligations and recommendations, which become an ongoing process; these are aspects which might have a huge impact on the severity and applicability of the controls. So when inspecting a XaaS provider, I would add:
    - Readiness of the provider on changing regulations (adaptability to evolving regulation, nationally and internationally)
    - SLA elasticity (options available to clients to adapt upon ad-hoc requirements)
    - A chapter with questions to understand, at least basically, the readiness level against topics such as digital transformation & technology innovation (where aspects such as environmental and temporal adaptability could be reviewed).

    The inputs made by Erik Johnson are also crucial to be taken into the discussion, and highlight "ZTA" and "shared responsibility", which are key topics. And yes, working with major providers to define secure config baselines would not only be helpful, but highly recommended.

    ------------------------------
    Becca Danilo
    Manager
    Cornèr Banca SA
    ------------------------------