Hello Folks,

It’s update time. The biggest update, and perhaps the one we are most excited about, is the update for the Center for Internet Security’s (CIS) Critical Security Controls Version 7. As many of you know, James and I, along with Philippe Langlois at CIS, served as technical editors of the Controls, and we reviewed terrific feedback from students at the SANS Institute, community forums at CIS, and the RSA Conference. Version 7 of the Controls was released this past spring, and this policy update, version 2.4, mirrors the new technical controls and simplified language introduced in Version 7. To help subscribers visualize what was changed in this policy update, we have provided an Excel spreadsheet that highlights the changes to policy statements and highlights in pink those statements that were removed. This can be found in the zip file for Complete AuditScripts Policies v2.4.

Other major highlights:

  • We have also updated the policy library to reflect the update of the NIST Cybersecurity Framework from 1.0 to 1.1.
  • We have updated our policy language to emphasize the ever-growing importance of multi-factor authentication and we have references to using passwords.
  • The policies have been updated to reflect NERC CIP Version 7 updates.

We will be releasing the updates for the AuditScripts questionnaires and checklists in the upcoming week.

Thank you for the great feedback on the documents so far, and we hope you find this policy update helpful.