3 ways we’ve made the CIS Controls more automation-friendly
Compliance obligations that support data privacy and cyber risk are nearly ubiquitous. Not only that, but they’re expanding. According to Gartner, government regulations covering these areas of emphasis will apply to five billion citizens and more than 70% of global GDP through 2023.
Like all organizations, you need to make sure you get the most out of your compliance actions. You want every step to work toward fulfilling multiple compliance obligations, not just one. That way, you save time and effort by removing duplicate work.
The Center for Internet Security wants to help you streamline your compliance efforts. Toward that end, the CIS Critical Security Controls (CIS Controls) team spoke with our users and volunteers and reviewed our goals for the future of the CIS Controls. We took that information back and used it to update our CIS Controls mappings to over 20 security frameworks.
In this article, we identify the changes that we made and explain how they support an automated future for the CIS Controls.
What to watch for in CIS Controls mappings going forward
We implemented three changes in total.
1. The “intersects with” relationship is removed
Over time, it became clear the “intersects with” information was only adding greater ambiguity to a system that’s aiming for objectivity. It was convenient for mappings that made sense to a human reader because the topics were related. Even so, it’s not valuable from a compliance standpoint.
As an example, “intersects with” was used for written policies that revolved around a similar topic but weren’t the same. Incident response, disaster recovery, data backup, and restoration all fall into this category. If you’re writing one of those policies, you probably have the others at hand because they often reference each other. But writing one of them still does not contribute to being compliant with a requirement to have another.
With this change, it’s easier for a machine to understand what you’re doing so that you can reduce manual work in your compliance program.
2. Emphasize shared effort
For the same reason we removed the “intersects with” relationship, we wanted to be sure that implementing one control actually contributes to implementing a mapped control, rather than the two merely sharing a topic. This is why our mappings now emphasize shared effort.
3. Added a page of unmapped CIS safeguards
Previously, we included a page of unmapped CIS Controls from the mapping target. We then began receiving requests for the inverse from volunteers who worked in auditing or compliance efforts. Like the other changes discussed above, adding the unmapped CIS Safeguards sheet is about making it easier for a machine to read the data.
This change helps from a data input and analysis standpoint. First, a user who is already compliant with the CIS Controls but aiming for a second framework can start with the mapped CIS Controls, since they are not starting from scratch on those efforts. Second, the unmapped information provides a quick way to see which sections a framework includes or leaves out.
For instance, the CIS Controls include CIS Control 16 – Application Software Security. Not all frameworks cover software development, and seeing all of those CIS Safeguards left unmapped shows that the mapping target does not. On the other side, the CIS Controls do not cover physical security, only cybersecurity. This means that you can find entire sections on topics like data center security in the unmapped sections of some frameworks.
The future of compliance is automated
In a nutshell, 10 years ago, this work of mapping one framework to another consisted of a person scrolling through both frameworks and looking for similarities. That’s largely the same way it’s done today. Five years from now, however, it will be different. This is one of several things we’re doing to move security frameworks and the CIS Controls into the future.
Here’s more information on how you can meet your compliance requirements with CIS’s security best practices, including the CIS Controls.