Podcast
Questions and Answers
What was the Nevada legislature's action regarding Senate Bill 302 in 2019?
What does NRS 603.2.10 require government entities to do?
What is the main purpose of the CIS Controls?
What was the initial reaction to implementing CIS Controls in the state of Nevada?
What is the purpose of Implementation Group 1 in CIS Controls?
What is the focus of Critical Security Control 3?
What are the added safeguards for Implementation Group 1 in Critical Security Controls Version 8?
What does the term 'offense informing defense' refer to in CIS Controls?
What does Critical Security Control 4 focus on?
What is the primary focus of CIS Controls Version 8?
What does Implementation Group 2 in CIS Controls focus on?
What is the role of the Multi-State Information Sharing and Analysis Center (MS-ISAC) within CIS?
What is the main benefit of the CIS Controls implementation according to the text?
What is the purpose of the implementation groups introduced in CIS Controls version 7.1?
Study Notes
- Welcome to the call; the agenda includes an introduction to the Office of Cyber Defense Coordination (OCDC), updates to NRS 603, the state of Nevada's use of the Critical Security Controls, an introduction to Eats, and resources and alignment through Palo Alto Networks.
- Cynthia introduces the panelists: Sean Romeier (OCDC administrator), Bob Denhart (State CISO), Phyllis Lee (Senior Director for Controls, Center for Internet Security), and Shane Markley (cybersecurity professional).
- Shane Markley: 20 years in technology and cybersecurity across various verticals; worked on implementing the Critical Security Controls for industrial control systems; points to a free implementation guide from the Center for Internet Security.
- Sean Romeier: Administrator of OCDC since its inception; previously served in the U.S. Air Force. The Nevada legislature passed Senate Bill 302 in 2019, changing the language of NRS 603.2.10 to require government entities to make every effort to implement the most current version of the CIS or NIST cybersecurity standards and to make a list of their controls publicly available.
- Bob Denhart: State CISO for the past four years; initially had concerns about adopting the CIS Controls because of the state's previous NIST focus, but found benefits in having fewer controls to implement and a more focused approach; currently working on mapping NIST controls to CIS Controls.
- The discussion covers the adoption of the Critical Security Controls (CIS Controls) as the baseline for cybersecurity governance in the state of Nevada.
- The process began around January 2020 and involved remapping all existing governance, standards, and policies to the CIS Controls.
- The implementation was initially met with reluctance but has proven to be beneficial, allowing for identification and filling of gaps in cybersecurity coverage.
- CIS is a non-profit organization with two main sides: the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the part that creates content for security benchmarks and critical security controls.
- The CIS Controls provide prioritized activities for organizations to improve their cybersecurity, consisting of procedural and technical safeguards.
- The controls are based on data and principles such as offense informing defense, providing specific and practical steps, and complying with existing governance.
- Implementation groups were introduced in CIS Controls version 7.1 to help organizations prioritize and implement controls based on their resources and evolving threats.
- Implementation Group 1 consists of 43 safeguards and is geared towards small to medium enterprises.
- The CIS community has developed tools, guides, and assessments to help organizations implement the controls and assess their progress.
- CIS Controls Version 8 is soon to be released, incorporating cloud and mobile technologies and updating the community defense model.
- The speaker discusses changes to Implementation Group 1 (IG-1) in Critical Security Controls Version 8.
- Added safeguards for IG-1 organizations, including Multi-Factor Authentication (MFA) for sysadmins and account inventory management.
- Requirement for default deny policy in firewalls.
- New control around service provider management.
- PDF download available for details on all 20 controls in Version 7.1.
- Controls version 8 focuses on implementation groups instead of basic, foundational, and organizational categories.
- Control 1 (Inventory of Hardware and Software Assets) and Control 2 (Inventory of Software Assets) go hand in hand.
- Maintaining a detailed asset inventory, including unauthorized assets and outdated versions.
- Leveraging software inventory tools and automating documentation processes.
- Maintaining an inventory of authorized software and ensuring they are supported by vendors.
- Addressing unauthorized software through removal or updating.
- System Entity Relationship Diagrams available for visual learners.
- Critical Security Control 3 focuses on Continuous Vulnerability Management and Patch Management.
- Utilizing SCAP-compliant vulnerability scanning tools and software update tools.
- Removing unsupported software or updating in a timely manner.
- Control 4 focuses on Controlled Use of Administrative Privileges.
- Processes and tools to track, prevent, and correct use of administrative privileges.
- Ensuring users use dedicated accounts for elevated activities.
- Configuring systems to issue log entry alerts when administrative privileges are added or removed.
- Changing default passwords as a standard process.
- Default passwords are easy to find through simple Google searches, which is why changing them matters.
- Overview of IG-1, IG-2, and IG-3 implementation groups.
- Varying sub-controls for each critical security control depending on the implementation group.
Description
Learn about Nevada's adoption of Critical Security Controls (CIS Controls) as the baseline for cybersecurity governance, including the state's alignment with CIS standards, the implementation process, benefits, and changes in Implementation Group 1 (IG-1) of CIS Controls Version 8.