Podcast Beta
Questions and Answers
What was the Nevada legislature's action regarding Senate Bill 302 in 2019?
What does NRS 603.2.10 require government entities to do?
What is the main purpose of the CIS Controls?
What was the initial reaction to implementing CIS Controls in the state of Nevada?
Signup and view all the answers
What is the purpose of Implementation Group 1 in CIS Controls?
Signup and view all the answers
What is the focus of Critical Security Control 3?
Signup and view all the answers
What are the added safeguards for Implementation Group 1 in Critical Security Controls Version 8?
Signup and view all the answers
What does the term 'offense informing defense' refer to in CIS Controls?
Signup and view all the answers
What does Critical Security Control 4 focus on?
Signup and view all the answers
What is the primary focus of CIS Controls Version 8?
Signup and view all the answers
What does Implementation Group 2 in CIS Controls focus on?
Signup and view all the answers
What is the role of the Multi-State Information Sharing and Analysis Center (MS-ISAC) within CIS?
Signup and view all the answers
What is the main benefit of the CIS Controls implementation according to the text?
Signup and view all the answers
What is the purpose of the implementation groups introduced in CIS Controls version 7.1?
Signup and view all the answers
Study Notes
- Welcome to the call, agenda includes an introduction to Office of Cyber Defense Coordination (OCDC), updates to NRS 603, state of Nevada's critical security control utilization, and introduction to Eats, as well as resources and alignment through Palo Alto Networks.
- Cynthia introduces panelists: Sean Romeier (OCDC administrator), Bob Denhart (State CISO), Phyllis Lee (Senior Director for Controls, Center for Internet Security), and Shane Markley (Cybersecurity professional).
- Shane Markley: 20 years in technology and cybersecurity across various verticals, worked on implementing critical security controls for industrial control systems, offers free guide for implementation from Center for Internet Security.
- Sean Romeier: Administrator for OCDC since its inception, served in the U.S. Air Force before, Nevada legislature passed Senate Bill 302 in 2019 with language changes to NRS 603.2.10, requiring government entities to make every effort to implement most current version of CIS or NIST cybersecurity standards and make a list of controls publicly available.
- Bob Denhart: State CISO for the past four years, initially had concerns about adopting CIS controls due to previous NIST focus but found benefits in having fewer controls to implement and focused approach, currently working on mapping NIST controls to CIS controls.- The text discusses the adoption of Critical Security Controls (CIS Controls) as the baseline for cybersecurity governance in the state of Nevada.
- The process began around January 2020 and involved remapping all existing governance, standards, and policies to the CIS Controls.
- The implementation was initially met with reluctance but has proven to be beneficial, allowing for identification and filling of gaps in cybersecurity coverage.
- CIS is a non-profit organization with two main sides: the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the part that creates content for security benchmarks and critical security controls.
- The CIS Controls provide prioritized activities for organizations to improve their cybersecurity, consisting of procedural and technical safeguards.
- The controls are based on data and principles such as offense informing defense, providing specific and practical steps, and complying with existing governance.
- Implementation groups were introduced in CIS Controls version 7.1 to help organizations prioritize and implement controls based on their resources and evolving threats.
- Implementation Group 1 consists of 43 safeguards and is geared towards small to medium enterprises.
- The CIS community has developed tools, guides, and assessments to help organizations implement the controls and assess their progress.
- CIS Controls Version 8 is soon to be released, incorporating cloud and mobile technologies and updating the community defense model.- Speaker discusses changes in Implementation Group 1 (IG-1) of Critical Security Controls Version 8.
- Added safeguards for IG-1 organizations, including Multi-Factor Authentication (MFA) for sysadmins and account inventory management.
- Requirement for default deny policy in firewalls.
- New control around service provider management.
- PDF download available for details on all 20 controls in Version 7.1.
- Controls version 8 focuses on implementation groups instead of basic, foundational, and organizational categories.
- Control 1 (Inventory of Hardware and Software Assets) and Control 2 (Inventory of Software Assets) go hand in hand.
- Maintaining a detailed asset inventory, including unauthorized assets and outdated versions.
- Leveraging software inventory tools and automating documentation processes.
- Maintaining an inventory of authorized software and ensuring they are supported by vendors.
- Addressing unauthorized software through removal or updating.
- System Entity Relationship Diagrams available for visual learners.
- Critical Security Control 3 focuses on Continuous Vulnerability Management and Patch Management.
- Utilizing SCAP-compliant vulnerability scanning tools and software update tools.
- Removing unsupported software or updating in a timely manner.
- Control 4 focuses on Controlled Use of Administrative Privileges.
- Processes and tools to track, prevent, and correct use of administrative privileges.
- Ensuring users use dedicated accounts for elevated activities.
- Configuring systems to issue log entry alerts when administrative privileges are added or removed.
- Changing default passwords as a standard process.
- Importance of finding default passwords through simple Google searches.
- Overview of IG-1, IG-2, and IG-3 implementation groups.
- Varying sub-controls for each critical security control depending on the implementation group.
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Description
Learn about Nevada's adoption of Critical Security Controls (CIS Controls) as the baseline for cybersecurity governance, including the state's alignment with CIS standards, the implementation process, benefits, and changes in Implementation Group 1 (IG-1) of CIS Controls Version 8.