Nevada's Cybersecurity Governance and CIS Controls


14 Questions

What was the Nevada legislature's action regarding Senate Bill 302 in 2019?

Passed with language changes to NRS 603.2.10

What does NRS 603.2.10 require government entities to do?

Implement the most current version of CIS or NIST cybersecurity standards

What is the main purpose of the CIS Controls?

To prioritize activities for organizations to enhance their cybersecurity

What was the initial reaction to implementing CIS Controls in the state of Nevada?

Reluctance

What is the purpose of Implementation Group 1 in CIS Controls?

Consists of 43 safeguards and is geared towards small to medium enterprises

What is the focus of Critical Security Control 3?

Continuous Vulnerability Management and Patch Management

What are the added safeguards for Implementation Group 1 in Critical Security Controls Version 8?

Requirement for default deny policy in firewalls

What does the term 'offense informing defense' refer to in CIS Controls?

Providing specific and practical steps to enhance cybersecurity

What does Critical Security Control 4 focus on?

Controlled Use of Administrative Privileges

What is the primary focus of CIS Controls Version 8?

Incorporating cloud and mobile technologies

What does Implementation Group 2 in CIS Controls focus on?

Varying sub-controls for each critical security control depending on the implementation group.

What is the role of the Multi-State Information Sharing and Analysis Center (MS-ISAC) within CIS?

Assisting with information sharing and analysis related to cybersecurity

What is the main benefit of the CIS Controls implementation according to the text?

Identifying and filling gaps in cybersecurity coverage

What is the purpose of the implementation groups introduced in CIS Controls version 7.1?

To help organizations prioritize and implement controls based on their resources and evolving threats

Study Notes

  • Welcome to the call, agenda includes an introduction to Office of Cyber Defense Coordination (OCDC), updates to NRS 603, state of Nevada's critical security control utilization, and introduction to Eats, as well as resources and alignment through Palo Alto Networks.
  • Cynthia introduces panelists: Sean Romeier (OCDC administrator), Bob Denhart (State CISO), Phyllis Lee (Senior Director for Controls, Center for Internet Security), and Shane Markley (Cybersecurity professional).
  • Shane Markley: 20 years in technology and cybersecurity across various verticals, worked on implementing critical security controls for industrial control systems, offers free guide for implementation from Center for Internet Security.
  • Sean Romeier: Administrator for OCDC since its inception, served in the U.S. Air Force before, Nevada legislature passed Senate Bill 302 in 2019 with language changes to NRS 603.2.10, requiring government entities to make every effort to implement most current version of CIS or NIST cybersecurity standards and make a list of controls publicly available.
  • Bob Denhart: State CISO for the past four years, initially had concerns about adopting CIS controls due to previous NIST focus but found benefits in having fewer controls to implement and a focused approach, currently working on mapping NIST controls to CIS controls.
  • The text discusses the adoption of Critical Security Controls (CIS Controls) as the baseline for cybersecurity governance in the state of Nevada.
  • The process began around January 2020 and involved remapping all existing governance, standards, and policies to the CIS Controls.
  • The implementation was initially met with reluctance but has proven to be beneficial, allowing for identification and filling of gaps in cybersecurity coverage.
  • CIS is a non-profit organization with two main sides: the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the part that creates content for security benchmarks and critical security controls.
  • The CIS Controls provide prioritized activities for organizations to improve their cybersecurity, consisting of procedural and technical safeguards.
  • The controls are based on data and principles such as offense informing defense, providing specific and practical steps, and complying with existing governance.
  • Implementation groups were introduced in CIS Controls version 7.1 to help organizations prioritize and implement controls based on their resources and evolving threats.
  • Implementation Group 1 consists of 43 safeguards and is geared towards small to medium enterprises.
  • The CIS community has developed tools, guides, and assessments to help organizations implement the controls and assess their progress.
  • CIS Controls Version 8 is soon to be released, incorporating cloud and mobile technologies and updating the community defense model.
  • Speaker discusses changes in Implementation Group 1 (IG-1) of Critical Security Controls Version 8.
  • Added safeguards for IG-1 organizations, including Multi-Factor Authentication (MFA) for sysadmins and account inventory management.
  • Requirement for default deny policy in firewalls.
  • New control around service provider management.
  • PDF download available for details on all 20 controls in Version 7.1.
  • Controls version 8 focuses on implementation groups instead of basic, foundational, and organizational categories.
  • Control 1 (Inventory of Hardware and Software Assets) and Control 2 (Inventory of Software Assets) go hand in hand.
  • Maintaining a detailed asset inventory, including unauthorized assets and outdated versions.
  • Leveraging software inventory tools and automating documentation processes.
  • Maintaining an inventory of authorized software and ensuring they are supported by vendors.
  • Addressing unauthorized software through removal or updating.
  • System Entity Relationship Diagrams available for visual learners.
  • Critical Security Control 3 focuses on Continuous Vulnerability Management and Patch Management.
  • Utilizing SCAP-compliant vulnerability scanning tools and software update tools.
  • Removing unsupported software or updating in a timely manner.
  • Control 4 focuses on Controlled Use of Administrative Privileges.
  • Processes and tools to track, prevent, and correct use of administrative privileges.
  • Ensuring users use dedicated accounts for elevated activities.
  • Configuring systems to issue log entry alerts when administrative privileges are added or removed.
  • Changing default passwords as a standard process.
  • Default passwords are easily found through simple Google searches, which is why changing them matters.
  • Overview of IG-1, IG-2, and IG-3 implementation groups.
  • Varying sub-controls for each critical security control depending on the implementation group.

Learn about Nevada's adoption of Critical Security Controls (CIS Controls) as the baseline for cybersecurity governance, including the state's alignment with CIS standards, the implementation process, benefits, and changes in Implementation Group 1 (IG-1) of CIS Controls Version 8.
