ETSI publishes critical security controls for effective cyber defence as technical reports
Oct 3, 2018
Sophia Antipolis, 3 October 2018: The ETSI technical committee CYBER has updated its five-part international compendium of Technical Reports to protect networks from cyber-attacks: the “Critical Security Controls for Effective Cyber Defence” are based on the CIS Controls® and related materials.
The Reports use the CIS Controls v7 recommendations to describe the prioritized set of actions that collectively form a defence-in-depth set of best practices that mitigate the most common attacks against systems and networks.
“Building a strong cyber defence for an enterprise is increasingly challenging. Access exists to an extraordinary array of security tools and technology, security standards, and countless other guidance and recommendations. But all of this technology, information, and oversight has become a veritable "Fog of More": competing options, priorities, opinions, and claims that can paralyze or distract an enterprise from vital action. Therefore, we are honored that ETSI recognized the importance of the CIS Controls’ prioritized “do first” advice to improve global cyber defence by taking this action,” said Tony Sager, CIS Senior Vice President and Chief Evangelist.
“ETSI’s expertise on security is a well-known asset among cybersecurity stakeholders and TC CYBER recognizes the benefits brought by the Critical Security Controls to enhance the cybersecurity posture of industry, administrations and end users,” says Alex Leadbeater, chairman of the ETSI Technical Committee CYBER, “The ETSI Technical Reports reflect the combined knowledge of actual attacks and effective defences of experts from every part of the cyber security ecosystem.”
This ensures that the CIS Controls are an effective and specific set of technical measures available to detect, prevent, respond to, and mitigate damage from those attacks, from the most common to the most advanced. These ETSI Reports were updated with the recent releases of both CIS Controls v7 and related materials to enable network providers to respond to the latest cyber security threats and meet new requirements such as General Data Protection Regulation (GDPR) compliance and cloud data centre hardening.
TR 103 305-1 addresses “The Critical Security Controls”. It captures and describes the prioritized set of actions that collectively form a defence-in-depth set of best practices that mitigate the most common attacks against systems and networks. TR 103 305-2, on measurement and auditing, is an evolving repository for measurement and effectiveness tests of Critical Security Control implementations. Because of their rapidly scaling importance and need for defensive measures, the mobile device and Internet of Things (IoT) sectors are treated in TR 103 305-3 on Service Sector Implementations. TR 103 305-4 deals with Facilitation Mechanisms and provides a placeholder for reference information for several especially useful mechanisms: Hardened Images, Mappings and Compliance, Guide for Small- and Medium-Sized Enterprises, and Risk Assessment Method. TR 103 305-5, on privacy enhancement, includes a privacy impact assessment and use of the Controls to help meet provisions of the EU General Data Protection Regulation (GDPR).