Importance of the CIS 18 V8 & Reasonable Security Measures i.t.o POPIA
Credits: Centre for Internet Security (CIS) #confidenceintheconnectedworld

The CIS 18 Controls are important because they minimize the risk of data breaches, data leaks, theft of intellectual property, corporate espionage, identity theft, privacy loss, denial of service, distributed denial of service and other cyber threats. The list can be regarded as your business's set of best practices for achieving POPIA-compliant, reasonable security.

The CIS 18 Control List is as follows:

CIS Control 1: Inventory and Control of Enterprise Assets

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

CIS Control 2: Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

CIS Control 3: Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

CIS Control 4: Secure Configuration of Enterprise Assets and Software

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

CIS Control 5: Account Management

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts and service accounts, to enterprise assets and software.

CIS Control 6: Access Control Management

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for a user, administrator, and service accounts for enterprise assets and software.

CIS Control 7: Continuous Vulnerability Management

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

CIS Control 8: Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

CIS Control 9: Email and Web Browser Protections

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behaviour through direct engagement.

CIS Control 10: Malware Defenses

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

CIS Control 11: Data Recovery

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

CIS Control 12: Network Infrastructure Management

Establish, implement, and actively manage (track, report, correct) network devices, to prevent attackers from exploiting vulnerable network services and access points.

CIS Control 13: Network Monitoring and Defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and defence against security threats across the enterprise’s network infrastructure and user base.

CIS Control 14: Security Awareness and Skills Training

Establish and maintain a security awareness program to influence behaviour among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

CIS Control 15: Service Provider Management

Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

CIS Control 16: Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

CIS Control 17: Incident Response Management

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

CIS Control 18: Penetration Testing

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

Looking at our country's data exfiltration incidents, based on research by IBM and the Ponemon Institute, the following is evident:

  1. The cost of an average breach is R 40 200 000;
  2. It takes companies on average 177 days to identify data exfiltration incidents;
  3. It takes companies on average 51 days to contain a data exfiltration incident;

At a glance, the approach companies take when responding to an attack is based on the NIST framework.

It is imperative to note the following statistics from SentinelOne, the most technologically advanced company we represent in the industry, with 100% true visibility to secure every edge:

Must-know ransomware statistics for 2021, even though we are almost midway through the year:

  • The use of ransomware increased by 239% from 2018 to 2019.
  • The cost to recover from a ransomware attack increased by 228% from 2018 to 2019.
  • From Q1 to Q2 in 2020, ransomware attacks that involved a data breach increased by 22%. This is a major jump from the 8.77% increase during the previous quarter.
  • In just one quarter, the average payout per ransomware attack went up by 31% from Q2 to Q3 in 2020.
  • The payments due to ransomware attacks tripled from 2018 to 2019.

All we can say from these statistics is that ransomware is comparable in scope to the infamous coronavirus and its impact on nations. Remember that should an incident occur, you have 72 hours to report it to your clients and to our Information Regulator.

This is why the CIS 18 Controls become so relevant to your business amidst the commencement of enforcement by our renowned Information Regulator's office.

Remember that the 1st of July 2021 is not your death sentence; it is about playing our part in what matters, which is ensuring:

  1. Respect for our customers and their privacy;
  2. Provision of transparency (openness) on information processing;
  3. Provision of reasonable security (not free security) as it relates to cybersecurity and identity theft

The CIS 18 Controls are of paramount importance because they aid the Information Regulator's investigation: you can demonstrate, with proof, that you have reasonable security in place. This may, at the discretion of the Regulator, provide some relief, because meeting the CIS 18 Controls is the benchmark or standard that shows the Regulator you have taken reasonable steps to provide good safeguards in your business's modus operandi.

So it is imperative that you take action to achieve the following goals:

  1. Legal avoidance of enforcement by way of demonstrating compliance;
  2. Fiercely protecting your reputation from risk;
  3. Prevention of data exfiltration and security incidents;
  4. Within a reasonable spend plan;
  5. Registration is open on the InfoReg portal, so don't end up trying to comply when it is too late; rather become compliant by no later than the 15th of June 2021.

What is regarded as reasonable security under POPIA?

  1. Data Loss Prevention (DLP) Solutions;
  2. Encryption of the devices you use to generate, store and share personal information (PI) and personally identifiable information (PII), covering data in motion, data at rest and data in use (#datainmotion #dataatrest #datainuse);
  3. Next-generation malware protection solutions, rather than free antivirus, anti-malware or anti-ransomware solutions, as free solutions fall short in their line of defence;
  4. An Acceptable Usage Policy (AUP)
  5. Incident response procedure
  6. Security Awareness Training
  7. Vulnerability assessments
  8. Data Anonymisation

Referring to Control #3 (Data Protection) of the CIS 18 Controls V8, deploying a DLP solution in conjunction with an encryption solution is, in essence, the most suitable way of ensuring data protection.

At Effectualness we value and respect your privacy and we embrace your data subject access rights. That is why we lead with cybersecurity awareness: when more people are in the know, cyber risks are reduced, business productivity improves, and your digital transformation is enhanced by challenging the status quo, leading to fierce protection of your reputation from data exfiltration alongside the prevention of security incidents.

Disclaimer: This initiative is purely for educational purposes and does not constitute express advice in the cyber solution landscape and I personally disclaim myself from liability based on any reliance on the information in this article and its contents, irrespective of the merit it carries.

Avishkar Singh (2021) | Director | Effectualness (Pty) Ltd
