The Inner Circle


Center for Internet Security (CIS) Controls and CSA CCM

  • 1.  Center for Internet Security (CIS) Controls and CSA CCM

    Posted Sep 10, 2020 08:18:00 AM
    Hi All,

    I wanted to get some expert opinions on possible collaboration we should do with Center for Internet Security, particularly with their CIS controls as they are updating from ver 7 to 8 and we are updating CCM. I will be talking to CIS leadership soon and was curious what the community thought the synergy might be (beyond mapping).

    https://www.cisecurity.org/controls/cis-controls-list/

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------


  • 2.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted Sep 11, 2020 09:29:00 AM
    Their current set of 20 controls are all useful and important, but their formulation seems to currently be very "on prem" focused. If they're truly interested in expanding their scope to explicitly include cloud then there's probably a lot that the CSA could bring to the table. For example:
    1. They'd need to understand, embrace and incorporate shared security responsibility model concepts (e.g. when it comes to config and vulnerability management, logging, etc.)
    2. What it means to have and manage an inventory is different in the cloud. Different attributes are relevant and the "hardware" and "software" distinctions are less relevant.
    3. Secure network and boundary configuration in the cloud is based on software defined networking and software defined perimeter concepts, including zero trust and conditional access controls.

    Similarly, the CIS defines and manages CIS secure configuration benchmarks. As cloud customers, we'd like to see them define and manage secure configs for common cloud services (e.g. specific AWS, Azure and Google services). That might be another value-added area of collaboration.

    ------------------------------
    Erik Johnson CISSP, CCSK, CCSP, PMP
    Federal Reserve
    ------------------------------



  • 3.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted Sep 14, 2020 12:23:00 AM
    Dear Jim,
    I think it would be best to create a dedicated set of CIS-CSA controls to be governed and updated regularly under a "shared governance" model. So it is definitely crucial to link CSA and CIS.

    ------------------------------
    Becca Danilo
    Manager
    Cornèr Banca SA
    ------------------------------



  • 4.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted Sep 14, 2020 07:28:00 AM
    Hi Becca,
    I completely agree with you. Creating a dedicated set of CIS-CSA controls would be best, similar to what was done with ISO/IEC 27017:2015.

    ------------------------------
    Michael Bayere
    Principal Officer
    CAS Assurance, LLC (CPA)
    Miramar FL
    ------------------------------



  • 5.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted Sep 21, 2020 01:00:00 PM
    Becca, I could not find you on LinkedIn. If you can connect with me here, I would very much appreciate it.
    https://www.linkedin.com/in/craigunger/
    Thanks,

    ------------------------------
    Craig Unger
    CEO
    Hyperproof
    ------------------------------



  • 6.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted Sep 14, 2020 07:36:00 PM
    Thanks for the feedback, I think the suggestions are great. I am going to suggest that we get a couple of volunteers to represent CSA at some of the CIS V8 status update calls to get a direct dialogue with CIS to help us refine the collaboration, they are definitely open to constructive input. If you are interested, let me know, I will also be tracking respondents down individually.

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------



  • 7.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted Sep 15, 2020 08:04:00 AM
    Hi!
    I am one of the contributors to the CIS cloud companion guide.
    We have looked at and made adjustments for IaaS, PaaS, SaaS and FaaS.
    This guide is out, but it is for version 7.
    Best regards,
    Staffan

    ------------------------------
    Staffan Huslid
    private
    private
    ------------------------------



  • 8.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted Sep 17, 2020 03:13:00 AM
    Hi! I am interested in being in a group like that.
    Best regards,
    Staffan

    ------------------------------
    Staffan Huslid
    private
    private
    ------------------------------



  • 9.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted Sep 18, 2020 01:05:00 AM
    Hi Jim, I think it's a good idea and could be a nice initiative to see how we can liaise with them to bring the best from the security controls perspective, aligned with standards and providers' services. I have been a contributor to their benchmarks, but I think, given the way public cloud vendors are offering new services almost every month, we are quite behind in terms of security benchmarks for those. I mean it's evolving, but it still needs to match up with what the industry currently needs. It might also be good to have something from CSA's perspective on these controls.

    ------------------------------
    Rakesh Sharma
    Singapore
    ------------------------------



  • 10.  RE: Center for Internet Security (CIS) Controls and CSA CCM

    Posted Sep 18, 2020 02:06:00 AM
    Dear Jim,

    Since you are liaising with CIS, it would be nice to address (or at least start discussing) aspects which are becoming more and more crucial. When we take into consideration today's digital transformation journey happening at all levels and sectors, it becomes, in my opinion, important to add environmental and temporal variables to the framework, not to mention the changing regulation and the compliance obligations and recommendations, which become an ongoing process; these aspects might have a huge impact on the severity and applicability of the controls. So when inspecting an XaaS provider, I would add:
    - Readiness of the provider on changing regulations (adaptability to evolving regulation, nationally and internationally)
    - SLA elasticity (options available to clients to adapt upon ad-hoc requirements)
    - A chapter with questions to understand, at least basically, the readiness level against topics such as digital transformation & technology innovation (where aspects such as environmental and temporal adaptability could be reviewed).

    The inputs made by Erik Johnson are also crucial to be taken into the discussion, and highlight "ZTA" and "shared responsibility", which are key topics. And yes, working with major providers to define secure config baselines would not only be helpful, but highly recommended.

    ------------------------------
    Becca Danilo
    Manager
    Cornèr Banca SA
    ------------------------------