
Critical Security Control

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

Critical Security Control #4: Controlled Use of Administrative Privileges


Critical Security Control #5: Secure Configurations for Hardware and Software

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

Critical Security Control #7: Email and Web Browser Protections


Critical Security Control #8: Malware Defenses

Critical Security Control #9: Limitation and Control of Network Ports

Critical Security Control #10: Data Recovery Capabilities

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Critical Security Control #12: Boundary Defense


Critical Security Control #13: Data Protection

Critical Security Control #14: Controlled Access Based on the Need to Know

Critical Security Control #15: Wireless Access Control

Critical Security Control #16: Account Monitoring and Control


Critical Security Control #17: Implement a Security Awareness and Training Program

Critical Security Control #18: Application Software Security

Critical Security Control #19: Incident Response and Management

Critical Security Control #20: Penetration Tests and Red Team Exercises
CIS Controls Master Mappings Tool (v7.1a)

NIST 800-53 rev4 NIST CSF v1.0

CA-7: Continuous Monitoring


CM-8: Information System Component Inventory ID.AM-1
IA-3: Device Identification and Authentication ID.AM-3
SA-4: Acquisition Process
SC-17: Public Key Infrastructure Certificates ID.AM-4
SI-4: Information System Monitoring PR.DS-3
PM-5: Information System Inventory

CA-7: Continuous Monitoring


CM-2: Baseline Configuration
CM-8: Information System Component Inventory
CM-10: Software Usage Restrictions
CM-11: User-Installed Software ID.AM-2
SA-4: Acquisition Process PR.DS-6
SC-18: Mobile Code
SC-34: Non-Modifiable Executable Programs
SI-4: Information System Monitoring
PM-5: Information System Inventory

CA-2: Security Assessments ID.RA-1


CA-7: Continuous Monitoring ID.RA-2
RA-5: Vulnerability Scanning
SC-34: Non-Modifiable Executable Programs PR.IP-12
SI-4: Information System Monitoring DE.CM-8
SI-7: Software, Firmware, and Information Integrity RS.MI-3

AC-2: Account Management


AC-6: Least Privilege
AC-17: Remote Access PR.AC-4
AC-19: Access Control for Mobile Devices PR.AT-2
CA-7: Continuous Monitoring
IA-2: Identification and Authentication (Organizational Users) PR.MA-2
IA-4: Identifier Management PR.PT-3
IA-5: Authenticator Management
SI-4: Information System Monitoring
CA-7: Continuous Monitoring
CM-2: Baseline Configuration
CM-3: Configuration Change Control
CM-5: Access Restrictions for Change
CM-6: Configuration Settings
CM-7: Least Functionality
CM-8: Information System Component Inventory
CM-9: Configuration Management Plan
CM-11: User-Installed Software PR.IP-1
MA-4: Nonlocal Maintenance
RA-5: Vulnerability Scanning
SA-4: Acquisition Process
SC-15: Collaborative Computing Devices
SC-34: Non-Modifiable Executable Programs
SI-2: Flaw Remediation
SI-4: Information System Monitoring

AC-23: Data Mining Protection


AU-2: Audit Events
AU-3: Content of Audit Records
AU-4: Audit Storage Capacity
AU-5: Response to Audit Processing Failures
AU-6: Audit Review, Analysis, and Reporting PR.PT-1
AU-7: Audit Reduction and Report Generation DE.AE-3
AU-8: Time Stamps DE.DP-1
AU-9: Protection of Audit Information DE.DP-2
AU-10: Non-repudiation DE.DP-3
AU-11: Audit Record Retention DE.DP-4
AU-12: Audit Generation DE.DP-5
AU-13: Monitoring for Information Disclosure
AU-14: Session Audit
CA-7: Continuous Monitoring
IA-10: Adaptive Identification and Authentication
SI-4: Information System Monitoring

CA-7: Continuous Monitoring


CM-2: Baseline Configuration
CM-3: Configuration Change Control
CM-5: Access Restrictions for Change
CM-6: Configuration Settings
CM-7: Least Functionality
CM-8: Information System Component Inventory
CM-9: Configuration Management Plan
CM-11: User-Installed Software PR.IP-1
MA-4: Nonlocal Maintenance
RA-5: Vulnerability Scanning
SA-4: Acquisition Process
SC-15: Collaborative Computing Devices
SC-34: Non-Modifiable Executable Programs
SI-2: Flaw Remediation
SI-4: Information System Monitoring
CA-7: Continuous Monitoring
SC-39: Process Isolation PR.PT-2
SC-44: Detonation Chambers
SI-3: Malicious Code Protection DE.CM-4
SI-4: Information System Monitoring DE.CM-5
SI-8: Spam Protection

AC-4: Information Flow Enforcement


CA-7: Continuous Monitoring
CA-9: Internal System Connections
CM-2: Baseline Configuration
CM-6: Configuration Settings
CM-8: Information System Component Inventory
SC-20: Secure Name/Address Resolution Service (Authoritative Source) PR.AC-5
SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver) DE.AE-1
SC-22: Architecture and Provisioning for Name/Address Resolution Service
SC-41: Port and I/O Device Access
SI-4: Information System Monitoring

CP-9: Information System Backup


CP-10: Information System Recovery and Reconstitution PR.IP-4
MP-4: Media Storage

AC-4: Information Flow Enforcement


CA-3: System Interconnections
CA-7: Continuous Monitoring
CA-9: Internal System Connections
CM-2: Baseline Configuration PR.AC-5
CM-3: Configuration Change Control
CM-5: Access Restrictions for Change PR.IP-1
CM-6: Configuration Settings PR.PT-4
CM-8: Information System Component Inventory
MA-4: Nonlocal Maintenance
SC-24: Fail in Known State
SI-4: Information System Monitoring

AC-4: Information Flow Enforcement


AC-17: Remote Access
AC-20: Use of External Information Systems
CA-3: System Interconnections PR.AC-3
CA-7: Continuous Monitoring PR.AC-5
CA-9: Internal System Connections
CM-2: Baseline Configuration PR.MA-2
SA-9: External Information System Services DE.AE-1
SC-7: Boundary Protection
SC-8: Transmission Confidentiality and Integrity
SI-4: Information System Monitoring
AC-3: Access Enforcement
AC-4: Information Flow Enforcement
AC-23: Data Mining Protection
CA-7: Continuous Monitoring
CA-9: Internal System Connections PR.AC-5
IR-9: Information Spillage Response PR.DS-2
MP-5: Media Transport
SA-18: Tamper Resistance and Detection PR.DS-5
SC-8: Transmission Confidentiality and Integrity PR.PT-2
SC-28: Protection of Information at Rest
SC-31: Covert Channel Analysis
SC-41: Port and I/O Device Access
SI-4: Information System Monitoring

AC-1: Access Control Policy and Procedures


AC-2: Account Management
AC-3: Access Enforcement PR.AC-4
AC-6: Least Privilege PR.AC-5
AC-24: Access Control Decisions PR.DS-1
CA-7: Continuous Monitoring PR.DS-2
MP-3: Media Marking PR.PT-2
RA-2: Security Categorization PR.PT-3
SC-16: Transmission of Security Attributes
SI-4: Information System Monitoring

AC-18: Wireless Access


AC-19: Access Control for Mobile Devices
CA-3: System Interconnections
CA-7: Continuous Monitoring
CM-2: Baseline Configuration
IA-3: Device Identification and Authentication
SC-8: Transmission Confidentiality and Integrity
SC-17: Public Key Infrastructure Certificates
SC-40: Wireless Link Protection
SI-4: Information System Monitoring

AC-2: Account Management


AC-3: Access Enforcement
AC-7: Unsuccessful Logon Attempts
AC-11: Session Lock
AC-12: Session Termination PR.AC-1
CA-7: Continuous Monitoring PR.AC-4
IA-5: Authenticator Management PR.PT-3
IA-10: Adaptive Identification and Authentication
SC-17: Public Key Infrastructure Certificates
SC-23: Session Authenticity
SI-4: Information System Monitoring
AT-1: Security Awareness and Training Policy and Procedures
AT-2: Security Awareness Training
AT-3: Role-Based Security Training PR.AT-1
AT-4: Security Training Records PR.AT-2
SA-11: Developer Security Testing and Evaluation PR.AT-3
SA-16: Developer-Provided Training PR.AT-4
PM-13: Information Security Workforce PR.AT-5
PM-14: Testing, Training, & Monitoring
PM-16: Threat Awareness Program

SA-13: Trustworthiness
SA-15: Development Process, Standards, and Tools
SA-16: Developer-Provided Training
SA-17: Developer Security Architecture and Design
SA-20: Customized Development of Critical Components
SA-21: Developer Screening PR.DS-7
SC-39: Process Isolation
SI-10: Information Input Validation
SI-11: Error Handling
SI-15: Information Output Filtering
SI-16: Memory Protection

PR.IP-10
DE.AE-2
IR-1: Incident Response Policy and Procedures DE.AE-4
IR-2: Incident Response Training DE.AE-5
IR-3: Incident Response Testing DE.CM-1-7
IR-4: Incident Handling RS.RP-1
IR-5: Incident Monitoring RS.CO-1-5
IR-6: Incident Reporting RS.AN-1-4
IR-7: Incident Response Assistance RS.MI-1-2
IR-8: Incident Response Plan RS.IM-1-2
IR-10: Integrated Information Security Analysis Team RC.RP-1
RC.IM-1-2
RC.CO-1-3

CA-2: Security Assessments


CA-5: Plan of Action and Milestones
CA-6: Security Authorization
CA-8: Penetration Testing
RA-6: Technical Surveillance Countermeasures Survey
SI-6: Security Function Verification
PM-6: Information Security Measures of Performance
PM-14: Testing, Training, & Monitoring

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.


NIST CSF v1.1 NIST 800-82 rev2

ID.AM-1
ID.AM-3 6.2.16
ID.AM-4 6.2.17
PR.DS-3

ID.AM-2 6.2.16
PR.DS-6 6.2.17

ID.RA-1
ID.RA-2
PR.IP-12 6.2.16
DE.CM-8 6.2.17
RS.AN-5
RS.MI-3

PR.AC-4 5.15
PR.AT-2 6.2.7
PR.MA-2 6.2.16
PR.PT-3 6.2.17
6.2.16
PR.IP-1
6.2.17

PR.PT-1
DE.AE-3
DE.DP-1 5.16
DE.DP-2 6.2.16
DE.DP-3 6.2.17
DE.DP-4
DE.DP-5

6.2.16
PR.IP-1
6.2.17
PR.PT-2
DE.CM-4 6.2.16
6.2.17
DE.CM-5

PR.AC-5 6.2.16
DE.AE-1 6.2.17

6.2.16
PR.IP-4 6.2.17

PR.AC-5
5.15
PR.IP-1
6.2.7
PR.PT-4

PR.AC-3
PR.AC-5
5.1 - 5.11
PR.MA-2
DE.AE-1
PR.AC-5
PR.DS-2
PR.DS-5
PR.PT-2

PR.AC-4
PR.AC-5 5.1
PR.DS-1 5.4
PR.DS-2 5.5
PR.PT-2 6.2.1
PR.PT-3

PR.AC-1
PR.AC-4
5.15
PR.AC-6
PR.AC-7 6.2.7
PR.PT-3
PR.AT-1
PR.AT-2
PR.AT-3 6.2.2
PR.AT-4
PR.AT-5

PR.DS-7

PR.IP-10
DE.AE-2
DE.AE-4
DE.AE-5
DE.CM-1-7
RS.RP-1
5.17
RS.CO-1-5
6.2.8
RS.AN-1-4
RS.MI-1-2
RS.IM-1-2
RC.RP-1
RC.IM-1-2
RC.CO-1-3

6.2.3
6.2.4



NIST SMB Guide DHS CDM Program

4.0d HWAM: Hardware Asset Management

HWAM: Hardware Asset Management


SWAM: Software Asset Management

3.2c VUL: Vulnerability Management


CSM: Configuration Settings Management

3.3b Generic Audit Monitoring

3.2f
4.0b
4.0c
CSM: Configuration Settings Management
4.0e
4.0g
4.0i
3.3a

Boundary Protection

3.5a
3.5b

CSM: Configuration Settings Management


Boundary Protection

3.2d Boundary Protection


TRUST: Access Control Management
3.2g
PRIV: Privileges

3.2e

3.1a
3.1c
3.2a
4.0h
3.2i
CRED: Credentials and Authentication Management
BEHV: Security-Related Behavior Management

VUL: Vulnerability Management

Plan for Events


3.4a
Respond to Events
ISO 27002:2013 ISO 27002:2005 IEC 62443-3-3:2013

A.8.1.1 A.7.1.1 SR 1.2


A.9.1.2 A.10.6.1 - A.10.6.2 SR 2.3
A.13.1.1 A.11.4.6 SR 7.8

A.12.5.1 SR 1.2
A.12.6.2

A.12.6.1 A.12.6.1
A.13.1.2
A.14.2.8
A.15.2.2

A.9.1.1
A.9.2.2 - A.9.2.6
A.11.5.1 - A.11.5.3
A.9.3.1
A.9.4.1 - A.9.4.4
A.14.2.4
A.14.2.8 A.15.2.2
A.18.2.3

SR 1.12
A.12.4.1 - A.12.4.4 A.10.10.1 - A.10.10.6 SR 2.8 - 2.11
A.12.7.1 SR 3.9
SR 6.1 - 6.2

A.13.2.3
A.14.2.4
A.15.2.2
A.14.2.8
A.18.2.3
A.8.3.1
A.12.2.1 A.10.4.1 - A.10.4.2 SR 3.2
A.10.7.1
A.13.2.3

A.9.1.2
A.13.1.1 A.10.6.1 - A.10.6.2
A.13.1.2 A.11.4.4
A.14.1.2

A.10.1.1 A.10.5.1
A.12.3.1 A.10.8.3 SR 7.3 - 7.4

A.10.6.1 - A.10.6.2
A.9.1.2
A.11.4.5
A.13.1.1 SR 7.6
A.11.4.7
A.13.1.3
A.11.5.1 - A.11.5.3

A.10.6.1 - A.10.6.2
A.9.1.2
A.10.10.2
A.12.4.1 SR 1.13
A.11.4.2
A.12.7.1 SR 2.3
A.11.4.5
A.13.1.1 SR 5.2
A.11.4.7
A.13.1.3
A.11.5.1 - A.11.5.3
A.13.2.3
A.11.7.1 - A.11.7.2
A.8.3.1 A.10.7.1
A.10.1.1 - A.10.1.2 A.12.3.1 - A.12.3.2 SR 3.1
A.13.2.3 A.12.5.4 SR 4.3
A.18.1.5 A.15.1.6

A.10.7.1
SR 2.1
A.10.10.1 - A.10.10.3
A.8.3.1 SR 4.1
A.11.4.5
A.9.1.1 SR 5.1
A.11.4.7
A.10.1.1 SR 5.3
A.11.6.1 - A.11.6.2
SR 7.7
A.12.5.4

A.10.1.1 SR 1.6
A.12.4.1
SR 2.2
A.12.7.1

A.9.1.1 A.8.3.3
A.9.2.1 - A.9.2.6 A.11.2.1 SR 1.1 - 1.13
A.9.3.1 A.11.2.3 - A.11.2.4 SR 2.1
A.9.4.1 - A.9.4.3 A.11.3.1 - A.11.3.3 SR 2.5
A.11.2.8 A.11.5.1 - A.11.5.3
A.7.2.2 A.8.2.2

A.10.1.4
A.9.4.5
A.12.2.1
A.12.1.4
A.14.2.1 A.12.2.4 SR 3.3 - 3.8
A.12.5.2
A.14.2.6 - A.14.2.8
A.12.5.5

A.6.1.3 A.6.1.6
A.7.2.1 A.8.2.1
A.16.1.2 A.13.1.1
A.16.1.4 - A.16.1.7 A.13.2.1 - A.13.2.2

A.14.2.8 A.6.1.8
A.18.2.1 A.15.2.2 SR 3.3
A.18.2.3 A.15.3.1
NIST 800-171 NSA MNP

Map Your Network


Baseline Management
Document Your Network
Personal Electronic Device Management
Network Access Control
Log Management

Baseline Management
3.4.8 Executable Content Restrictions
3.4.9 Configuration and Change Management

3.11.2
3.11.3 Patch Management
Log Management
3.12.2
Configuration and Change Management
3.14.1

3.1.5 - 3.1.7
3.4.5 - 3.4.6 User Access
3.7.1 - 3.7.2 Baseline Management
3.7.5 - 3.7.6 Log Management
3.13.3
Patch Management
Baseline Management
3.4.1 - 3.4.3
Data-at-Rest Protection
Configuration and Change Management

3.3.1 - 3.3.9 Log Management


3.14.7

Patch Management
Baseline Management
Data-at-Rest Protection
Configuration and Change Management
Device Accessibility
Virus Scanners and Host Intrusion Prevention
3.7.4 Systems
3.14.2 - 3.14.6 Security Gateways, Proxies, and Firewalls
Network Security Monitoring
Log Management

Baseline Management
3.4.7 Configuration and Change Management

3.8.9 Backup Strategy

Map Your Network


Patch Management
3.4.1 - 3.4.3 Baseline Management
3.7.5 - 3.7.6 Document Your Network
Security Gateways, Proxies, and Firewalls
Configuration and Change Management

3.1.3 Map Your Network


3.1.12 - 3.1.15 Network Architecture
3.1.18 Baseline Management
3.1.20 - 3.1.22 Document Your Network
3.13.1 Personal Electronic Device Management
3.13.6 - 3.13.8 Security Gateways, Proxies, and Firewalls
3.13.12 - 3.13.13 Remote Access Security
3.13.15 Network Security Monitoring
Log Management
3.1.19 Network Architecture
3.1.21 Device Accessibility
3.8.7 - 3.8.8 Security Gateways, Proxies, and Firewalls
3.13.16 Network Security Monitoring

3.1.2
Network Architecture
3.1.3
Device Accessibility
3.1.5
User Access
3.8.2
Data-at-Rest Protection
3.8.5 - 3.8.6
Log Management
3.13.4 - 3.13.6

Map Your Network


Baseline Management
3.1.16 - 3.1.17 Document Your Network
Personal Electronic Device Management
Network Access Control

3.1.8
3.1.10 - 3.1.11 User Access
3.5.1 - 3.5.9 Baseline Management
3.9.2 Log Management
3.13.9
3.2.2 - 3.2.3 Training

Training

3.6.1 - 3.6.3 Incident Response and Disaster Recovery Plans

Audit Strategy
Australian Essential Eight Australian Top 35

1
1 14
17

2
2-3
6

4
5 9
7 11
25
3 2-5
4 21

15-16
35

2
5
17-20
31
7
17
22
26
30

2
3
12
13
27

2
7 3
10

10-11
18-20
7
23
32-34
26

26

7 25
28

24
NSA Top 10 Canadian CSE Top 10

Application Whitelisting 8
10

2
Take Advantage of Software Improvements
8

3
Control Administrative Privileges
8
Set a Secure Baseline Configuration 4
Take Advantage of Software Improvements 8

Set a Secure Baseline Configuration


8
Take Advantage of Software Improvements
Use Anti-Virus File Reputation Services 8
Enable Anti-Exploitation Features

Limit Workstation-to-Workstation Communication 8

Set a Secure Baseline Configuration


Segregate Networks and Functions

1
Segregate Networks and Functions 5
9
5
7
9

5
Segregate Networks and Functions 7
9
6
GCHQ 10 Steps UK Cyber Essentials UK ICO Protecting Data

Inappropriate locations for processing data

Decommissioning of software or services

Patch Management Software Updates

Configuration of SSL and TLS


Monitoring Access Control
Default Credentials
Secure Configuration
Secure Configuration
Patch Management

Monitoring

Secure Configuration
Secure Configuration
Patch Management
Removable Media Controls Malware Protection
Malware Protection

Network Security
Decommissioning of software or services
Unnecessary Services

Secure Configuration
Network Security
Boundary firewalls and internet gateways
Software Updates
Secure Configuration
Patch Management
Inappropriate locations for processing data

Home and Mobile Working
Configuration of SSL and TLS

Monitoring
Network Security
Removable Media Controls
Boundary firewalls and internet gateways
Inappropriate locations for processing data

Managing User Privileges
Network Security
Access Control
Inappropriate locations for processing data

Monitoring
Network Security

Managing User Privileges
Access Control
Configuration of SSL and TLS


User Education & Awareness

SQL Injection

Incident Management
PCI DSS 3.2 PCI DSS 3.1 PCI DSS 3.0

2.4 2.4 2.4

2.4 2.4 2.4

6.1 6.1 6.1


6.2 6.2 6.2
11.2 11.2 11.2

2.1 2.1 2.1


7.1 - 7.3 7.1 - 7.3 7.1 - 7.3
8.1 - 8.3 8.1 - 8.3 8.1 - 8.3
8.7 8.7 8.7
2.2 2.2 2.2
2.3 2.3 2.3
6.2 6.2 6.2
11.5 11.5 11.5

10.1 - 10.9 10.1 - 10.8 10.1 - 10.7

2.2 2.2 2.2


2.3 2.3 2.3
6.2 6.2 6.2
11.5 11.5 11.5
5.1 - 5.4 5.1 - 5.4 5.1 - 5.4

1.4 1.4 1.4

4.3 4.3 4.3


9.5 - 9.7 9.5 - 9.7 9.5 - 9.7

1.1 - 1.2 1.1 - 1.2 1.1 - 1.2


2.2 2.2 2.2
6.2 6.2 6.2

1.1 - 1.3 1.1 - 1.3 1.1 - 1.3


8.3 8.3 8.3
10.9 10.8 10.8
11.4 11.4 11.4
3.6 3.6 3.6
4.1 - 4.3 4.1 - 4.3 4.1 - 4.3

1.3 - 1.4 1.3 - 1.4 1.3 - 1.4


4.3 4.3 4.3
7.1 - 7.3 7.1 - 7.3 7.1 - 7.3
8.7 8.7 8.7

4.3 4.3 4.3


11.1 11.1 11.1

7.1 - 7.3 7.1 - 7.3 7.1 - 7.3


8.7 - 8.8 8.7 - 8.8 8.7 - 8.8
12.6 12.6 12.6

6.3 6.3 6.3


6.5 - 6.7 6.5 - 6.7 6.5 - 6.7

12.10 12.10 12.10

11.3 11.3 11.3


HIPAA

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R
164.310(b): Workstation Use - R
164.310(c): Workstation Security - R

164.308(a)(1): Security Management Process - Information System Activity Review R


164.308(a)(5): Security Awareness and Training - Log-in Monitoring A

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R
164.308(a)(5): Security Awareness and Training - Protection from Malicious Software A
164.310(d)(1): Device and Media Controls - Accountability A
164.310(b): Workstation Use - R
164.310(c): Workstation Security - R

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R

164.308(a)(7): Contingency Plan - Data Backup Plan R


164.308(a)(7): Contingency Plan - Disaster Recovery Plan R
164.308(a)(7): Contingency Plan - Testing and Revision Procedure A
164.310(d)(1): Device and Media Controls - Data Backup and Storage A
164.308(a)(4): Information Access Management - Isolating Health care Clearinghouse Function R
164.310(d)(1): Device and Media Controls - Accountability A
164.312(a)(1): Access Control - Encryption and Decryption A
164.312(e)(1): Transmission Security - Integrity Controls A
164.312(e)(1): Transmission Security - Encryption A

164.308(a)(1): Security Management Process - Information System Activity Review R


164.308(a)(4): Information Access Management - Isolating Health care Clearinghouse Function R
164.308(a)(4): Information Access Management - Access Authorization A
164.312(a)(1): Access Control - Encryption and Decryption A
164.312(c)(1): Integrity - Mechanism to Authenticate Electronic Protected Health Information A
164.312(a)(1): Access Control - Automatic Logoff A
164.312(d): Person or Entity Authentication - R
164.312(e)(1): Transmission Security - Integrity Controls A
164.312(e)(1): Transmission Security - Encryption A

164.308(a)(1): Security Management Process - Information System Activity Review R


164.308(a)(4): Information Access Management - Access Authorization A
164.308(a)(4): Information Access Management - Access Establishment and Modification A
164.308(a)(5): Security Awareness and Training - Password Management A
164.312(a)(1): Access Control - Unique User Identification R
164.312(a)(1): Access Control - Automatic Logoff A
164.312(d): Person or Entity Authentication - R
164.312(e)(1): Transmission Security - Integrity Controls A
164.312(e)(1): Transmission Security - Encryption A
164.308(a)(5): Security Awareness and Training - Security Reminders A
164.308(a)(5): Security Awareness and Training - Protection from Malicious Software A
164.308(a)(5): Security Awareness and Training - Log-in Monitoring A
164.308(a)(5): Security Awareness and Training - Password Management A

164.308(a)(6): Security Incident Procedures - Response and Reporting R


FFIEC Information Security Booklet (2016)

II.C.5
II.C.22
II.C.12

II.C.9

II.C.21

II.C.9

II.C.6
II.C.9
II.C.16
II.C.9

II.C.7
II.C.9
II.C.13
II.C.15
II.C.19

II.C.9

II.C.7
II.C.11
II.C.17
II.C.18
II.C.19
FFIEC Examiners Handbook

Host Security
User Equipment Security (Workstation, Laptop, Handheld)

Host Security
User Equipment Security (Workstation, Laptop, Handheld)

Host Security
User Equipment Security (Workstation, Laptop, Handheld)

Authentication and Access Controls


Host Security
User Equipment Security (Workstation, Laptop, Handheld)

Security Monitoring

Host Security
User Equipment Security (Workstation, Laptop, Handheld)
Host Security
User Equipment Security (Workstation, Laptop, Handheld)

Network Security

Encryption

Network Security

Network Security
Security Monitoring
Encryption
Data Security

Authentication and Access Controls


Encryption
Data Security

Network Security
Encryption
Security Monitoring

Authentication and Access Controls


Personnel Security

Application Security
Software Development & Acquisition
FFIEC Cybersecurity Assessment Tool (CAT) COBIT 5

APO13: Manage Security


Domain 3: Cybersecurity Controls - Preventative Controls DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls
BAI09: Manage Assets

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services
APO13: Manage Security
Domain 3: Cybersecurity Controls - Preventative Controls
DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls
BAI10: Manage Configuration

Domain 2: Threat Intelligence & Collaboration - Monitoring and Analyzing
APO13: Manage Security
DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls

APO13: Manage Security


Domain 3: Cybersecurity Controls - Preventative Controls
DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls
BAI10: Manage Configuration
Domain 2: Threat Intelligence & Collaboration - Monitoring and Analyzing
APO13: Manage Security
Domain 3: Cybersecurity Controls - Preventative Controls DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

APO13: Manage Security


Domain 3: Cybersecurity Controls - Preventative Controls DSS05: Manage Security Services

APO13: Manage Security


Domain 3: Cybersecurity Controls - Preventative Controls
DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls
BAI10: Manage Configuration

Domain 2: Threat Intelligence & Collaboration - Monitoring and Analyzing
APO13: Manage Security
Domain 3: Cybersecurity Controls - Preventative Controls DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls
Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security
Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services
Domain 1: Cyber Risk Management & Oversight - Training and Culture
APO13: Manage Security
DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Preventative Controls

APO13: Manage Security


Domain 3: Cybersecurity Controls - Preventative Controls DSS05: Manage Security Services

Domain 5: Cyber Incident Management and Resilience - Incident Resilience Planning and Strategy
Domain 5: Cyber Incident Management and Resilience - Detection, Response, and Mitigation
Domain 5: Cyber Incident Management and Resilience - Escalation and Reporting
APO13: Manage Security
DSS05: Manage Security Services
DSS02: Manage Service Requests and Incidents

APO13: Manage Security


DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls
MEA02: Monitor, Evaluate and Assess the System of Internal Control
AICPA SOC 2 & SOC3 TSPC AICPA's GAPP IRS Pub1075

7.2.2
8.2.1 9.4.12
8.2.2

7.2.2 9.4.12
8.2.1

7.2.2
CC 6.1 9.3.4
8.2.1

7.2.2
CC 5.1 - CC 5.6 8.2.1 9.3.7
8.2.2
7.2.2
9.3.5
8.2.1

7.2.2 9.3.3
8.2.1

9.3.17
7.2.2 9.4.3
8.2.1 9.4.16
9.4.17
CC 5.8 7.2.2 9.3.17
8.2.1

7.2.2
8.2.1

7.2.2
A 1.2 8.2.1 9.3.6

9.3.5
7.2.2
9.3.7
8.2.1
9.4.10

7.2.2
9.3.16
8.2.1
9.4.10
8.2.2
7.2.2
9.3.10
8.2.1
9.4.10
8.2.2
8.2.6

4.0
7.2.2 5.0
CC 5.7 8.2.1 6.1
C 1.2 - C 1.3 8.2.2 9.3.1
8.2.6 9.3.16
9.4.10

7.2.2
8.2.1 9.4.18
8.2.2

9.3.7
7.2.2
CC 5.1 - CC 5.6 9.3.13
8.2.1
1.2.9
1.2.10 6.1
CC 2.1 - CC 2.6
7.2.2 9.3.2
8.2.1

7.2.2
8.2.1

7.2.2
CC 6.2 9.3.8
8.2.1

7.2.2
8.2.1 9.3.3
8.2.7
SWIFT SG MAS TRM Saudi AMA

6 - Acquisition and Development of Information Systems 3.3.3

1.1-opt
6 - Acquisition and Development of Information Systems 3.3.3

2.2 9 - Operational Infrastructure


3.3.17
2.7a Security Management

1.2
11 - Access Controls 3.3.5
2.6a
9 - Operational Infrastructure
2.3 3.3.6
Security Management

6.4 9 - Operational Infrastructure 3.3.14


Security Management

3.3.6
3.3.8
6.1 9 - Operational Infrastructure 3.3.8
Security Management 3.3.16

8 - Systems Reliability, Availability, and Recoverability 3.3.6
3.3.8

3.3.8

1.1 9 - Operational Infrastructure


3.3.10
6.5a Security Management
9 - Operational Infrastructure
3.3.8
Security Management

1.1
9 - Operational Infrastructure
2.1
Security Management
2.4a 3.3.5
11 - Access Controls
2.5a
12 - Online Financial Services
5.1

9 - Operational Infrastructure
Security Management

4.1
4.2 11 - Access Controls
3.3.5
5.2 12 - Online Financial Services
5.4a
3.1.6
7.2
3.1.7

6.2
6.3
6 - Acquisition and Development of Information Systems 3.3.6
7 - IT Service Management

7.1
7 - IT Service Management 3.3.15
7.4a

9 - Operational Infrastructure 3.2.4


7.3a
Security Management 3.2.5
NERC CIP v7 NERC CIP v6 NERC CIP v5

CIP-002-5.1 R1 CIP-002-5.1 R1 CIP-002-5.1 R1


CIP-002-5.1 R2 CIP-002-5.1 R2 CIP-002-5.1 R2

CIP-010-3 R1 CIP-010-2 R1 CIP-010-1 R1

CIP-007-6 R2 CIP-007-6 R2 CIP-007-5 R2


CIP-010-3 R3 CIP-010-2 R3 CIP-010-1 R3

CIP-004-6 R4 CIP-004-6 R4 CIP-004-5 R4


CIP-004-6 R5 CIP-004-6 R5 CIP-004-5 R5
CIP-007-6 R5 CIP-007-6 R5 CIP-007-5 R5
CIP-007-6 R2 CIP-007-6 R2 CIP-007-5 R2
CIP-010-3 R2 CIP-010-2 R2 CIP-010-1 R2

CIP-007-6 R4 CIP-007-6 R4 CIP-007-5 R4

CIP-007-6 R2 CIP-007-6 R2 CIP-007-5 R2


CIP-010-3 R2 CIP-010-2 R2 CIP-010-1 R2
CIP-007-6 R3 CIP-007-6 R3 CIP-007-5 R3

CIP-007-6 R1 CIP-007-6 R1 CIP-007-5 R1


CIP-010-3 R2 CIP-010-2 R2 CIP-010-1 R2

CIP-009-6 R1 CIP-009-6 R1 CIP-009-5 R1

CIP-005-5 R1 CIP-005-5 R1 CIP-005-5 R1


CIP-007-6 R2 CIP-007-6 R2 CIP-007-5 R2
CIP-010-3 R1 CIP-010-2 R1 CIP-010-1 R1

CIP-005-5 R1 CIP-005-5 R1 CIP-005-5 R1


CIP-005-5 R2 CIP-005-5 R2 CIP-005-5 R2
CIP-007-6 R4 CIP-007-6 R4 CIP-007-5 R4
CIP-011-2 R1 CIP-011-2 R1 CIP-011-1 R1

CIP-005-5 R1 CIP-005-5 R1 CIP-005-5 R1


CIP-005-5 R2 CIP-005-5 R2 CIP-005-5 R2
CIP-007-6 R4 CIP-007-6 R4 CIP-007-5 R4
CIP-011-2 R1 CIP-011-2 R1 CIP-011-1 R1

CIP-007-6 R4 CIP-007-6 R4 CIP-007-5 R4

CIP-005-5 R1 CIP-005-5 R1 CIP-005-5 R1


CIP-005-5 R2 CIP-005-5 R2 CIP-005-5 R2
CIP-007-6 R4 CIP-007-6 R4 CIP-007-5 R4
CIP-004-6 R1 CIP-004-6 R1 CIP-004-5 R1
CIP-004-6 R2 CIP-004-6 R2 CIP-004-5 R2

CIP-008-5 R1 CIP-008-5 R1 CIP-008-5 R1


CIP-008-5 R2 CIP-008-5 R2 CIP-008-5 R2
CIP-008-5 R3 CIP-008-5 R3 CIP-008-5 R3
NERC CIP v4 NERC CIP v3 Cloud Security Alliance

CIP-002-3 R1
CIP-002-4 R1
CIP-002-4 R2 CIP-002-3 R2
CIP-002-3 R3
CIP-002-4 R3 DCS-01
CIP-003-4 R5 CIP-002-3 R4 MOS-09
CIP-003-3 R5
CIP-004-4 R4 CIP-004-3 R4 MOS-15
CIP-005-4 R2
CIP-005-3 R2
CIP-006-4 R3 CIP-006-3 R3

CCC-04
MOS-03
MOS-04
MOS-15

IVS-05
CIP-005-4 R4 CIP-005-3 R4 MOS-15
CIP-007-4 R3 CIP-007-3 R3
MOS-19
CIP-007-4 R8 CIP-007-3 R8
TVM-02

CIP-003-4 R5 CIP-003-3 R5
CIP-004-4 R4 CIP-004-3 R4
IAM-09 - IAM-13
CIP-005-4 R2 CIP-005-3 R2
MOS-16
CIP-005-4 R3 CIP-005-3 R3
MOS-20
CIP-006-4 R3 CIP-006-3 R3
CIP-007-4 R3 CIP-007-3 R3
IVS-07
CIP-003-4 R6 CIP-003-3 R6 MOS-15
CIP-007-4 R3 CIP-007-3 R3 MOS-19
TVM-02

CIP-005-4 R3 CIP-005-3 R3 IVS-01


CIP-007-4 R6 CIP-007-3 R6 IVS-03

IVS-07
CIP-003-4 R6 CIP-003-3 R6 MOS-15
CIP-007-4 R3 CIP-007-3 R3 MOS-19
TVM-02
MOS-01
CIP-007-4 R4 CIP-007-3 R4 MOS-15
TVM-01
TVM-03

DSI-02
CIP-007-4 R2 CIP-007-3 R2 IVS-06
IPY-04

CIP-009-4 R4 CIP-009-3 R4
CIP-009-4 R5 CIP-009-3 R5 MOS-11

DSI-02
CIP-003-4 R6 CIP-003-3 R6 IAM-03
CIP-004-4 R4 CIP-004-3 R4
IVS-06
CIP-005-4 R2 CIP-005-3 R2
IVS-09
CIP-006-4 R3 CIP-006-3 R3
MOS-19
CIP-007-4 R3 CIP-007-3 R3
TVM-02

DSI-02
IVS-01
CIP-005-4 R3 CIP-005-3 R3
IVS-06
CIP-007-4 R6 CIP-007-3 R6
IVS-09
MOS-16
DSI-02
DSI-05
EKM-01 - EKM-04
MOS-11

CIP-003-4 R5 CIP-003-3 R5
DSI-02
CIP-004-4 R4 CIP-004-3 R4
IVS-09
CIP-005-4 R2 CIP-005-3 R2
MOS-11
CIP-006-4 R3 CIP-006-3 R3

IVS-01
CIP-005-4 R3 CIP-005-3 R3 IVS-06
CIP-007-4 R6 CIP-007-3 R6 IVS-12
MOS-11

IAM-02
CIP-005-4 R3 CIP-005-3 R3 IAM-09 - IAM-12
CIP-007-4 R5 CIP-007-3 R5 MOS-14
CIP-007-4 R6 CIP-007-3 R6 MOS-16
MOS-20
CIP-004-4 R1 CIP-004-3 R1 HRS-10
CIP-004-4 R2 CIP-004-3 R2 MOS-05

AIS-01
AIS-03
AIS-04
CCC-01 - CCC-03
IVS-08

CIP-008-4 R1 CIP-008-3 R1
SEF-01 - SEF-05
CIP-008-4 R2 CIP-008-3 R2
SEC OCIE for AWS FY15 FISMA Metrics ITIL 2011 KPIs

1: System Inventory
2: Continuous Monitoring
Information Security Management

1: System Inventory
2: Continuous Monitoring
Information Security Management

2: Continuous Monitoring
Information Security Management

3: Identity Credential and Access Management
Information Security Management
Asset Configuration and Management
2: Continuous Monitoring
Information Security Management

Security Logging and Monitoring
Information Security Management

2: Continuous Monitoring
Information Security Management
4: Anti Phishing and Malware Defense
Information Security Management

Information Security Management

Disaster Recovery
Information Security Management

Network Configuration and Management
3: Identity Credential and Access Management
Information Security Management

Network Configuration and Management
3: Identity Credential and Access Management
6: Network Defense
7: Boundary Protection
Information Security Management
Data Encryption
5: Data Protection
Information Security Management

Logical Access Control
Information Security Management

Information Security Management

3: Identity Credential and Access Management
Information Security Management
8: Training and Education
Information Security Management

Information Security Management

Security Incident Response
9: Incident Response
Incident Management
Information Security Management

Information Security Management
NV Gaming MICS v7 2015 MA - CoM 201 CMR 17.00 NY - NYCRR 500

VI-02

VI-01 Section 500.05

Section 500.12
System Parameters VI-04 Section 500.06
VI-02

Network Security and Data Protection

Backups

Network Security and Data Protection Section 500.12

VI-01
Network Security and Data Protection Section 500.11
VI-04
Remote Access Section 500.12
VI-05
V-19
Network Security and Data Protection Section 500.15
VI-03

V-04
Section 500.07
V-05
Network Security and Data Protection Section 500.13
V-06
Section 500.15
VI-03

Network Security and Data Protection

V-05
V-06
System Parameters V-08
Section 500.06
User Accounts V-09
Section 500.07
Generic User Accounts V-10 Section 500.12
Service & Default Accounts V-11
V-17
VI-05
IV-b
Section 500.10
IV-f
Section 500.14
V-02

In-House Software Development


Purchased Software Programs Section 500.08

V-13 Section 500.16

Section 500.05
Victorian PDSF v1.0 | ANSSI - 40 Measures

1
34

16
17
18
20
23

2
8-13
28-30

26
Standard 4
27
6
16
17
36

8-13

4
5
24
25
31
15
Standard 4
19

Standard 4 21

22

Standard 4 8-13
Standard 6 39

Standard 7 37
Standard 8 38
CIS Controls

CIS Controls v7.1 mapped to NIST 800-53 (rev4)

ID # | NIST Control Name


Access Control
AC-1 Access Control Policy and Procedures
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-5 Separation of Duties
AC-6 Least Privilege
AC-7 Unsuccessful Logon Attempts
AC-8 System Use Notification
AC-9 Previous Logon (Access) Notification
AC-10 Concurrent Session Control
AC-11 Session Lock
AC-12 Session Termination
AC-13 Withdrawn
AC-14 Permitted Actions without Identification or Authentication
AC-15 Withdrawn
AC-16 Security Attributes
AC-17 Remote Access
AC-18 Wireless Access
AC-19 Access Control for Mobile Devices
AC-20 Use of External Information Systems
AC-21 Information Sharing
AC-22 Publicly Accessible Content
AC-23 Data Mining Protection
AC-24 Access Control Decisions
AC-25 Reference Monitor
Awareness and Training
AT-1 Security Awareness and Training Policy and Procedures
AT-2 Security Awareness Training
AT-3 Role-Based Security Training
AT-4 Security Training Records
AT-5 Withdrawn
Audit & Accountability
AU-1 Audit and Accountability Policy and Procedures
AU-2 Audit Events
AU-3 Content of Audit Records
AU-4 Audit Storage Capacity
AU-5 Response to Audit Processing Failures
AU-6 Audit Review, Analysis, and Reporting
AU-7 Audit Reduction and Report Generation
AU-8 Time Stamps
AU-9 Protection of Audit Information
AU-10 Non-repudiation
AU-11 Audit Record Retention
AU-12 Audit Generation
AU-13 Monitoring for Information Disclosure
AU-14 Session Audit
AU-15 Alternate Audit Capability
AU-16 Cross-Organizational Auditing
Security Assessment and Authorization
CA-1 Security Assessment and Authorization Policies and Procedures
CA-2 Security Assessments
CA-3 System Interconnections
CA-4 Withdrawn
CA-5 Plan of Action and Milestones
CA-6 Security Authorization
CA-7 Continuous Monitoring
CA-8 Penetration Testing
CA-9 Internal System Connections
Configuration Management
CM-1 Configuration Management Policy and Procedures
CM-2 Baseline Configuration
CM-3 Configuration Change Control
CM-4 Security Impact Analysis
CM-5 Access Restrictions for Change
CM-6 Configuration Settings
CM-7 Least Functionality
CM-8 Information System Component Inventory
CM-9 Configuration Management Plan
CM-10 Software Usage Restrictions
CM-11 User-Installed Software
Contingency Planning
CP-1 Contingency Planning Policy and Procedures
CP-2 Contingency Plan
CP-3 Contingency Training
CP-4 Contingency Plan Testing
CP-5 Withdrawn
CP-6 Alternate Storage Site
CP-7 Alternate Processing Site
CP-8 Telecommunications Services
CP-9 Information System Backup
CP-10 Information System Recovery and Reconstitution
CP-11 Alternate Communications Protocols
CP-12 Safe Mode
CP-13 Alternative Security Mechanisms
Identification and Authentication
IA-1 Identification and Authentication Policy and Procedures
IA-2 Identification and Authentication (Organizational Users)
IA-3 Device Identification and Authentication
IA-4 Identifier Management
IA-5 Authenticator Management
IA-6 Authenticator Feedback
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (Non-Organizational Users)
IA-9 Service Identification and Authentication
IA-10 Adaptive Identification and Authentication
IA-11 Re-authentication
Incident Response
IR-1 Incident Response Policy and Procedures
IR-2 Incident Response Training
IR-3 Incident Response Testing
IR-4 Incident Handling
IR-5 Incident Monitoring
IR-6 Incident Reporting
IR-7 Incident Response Assistance
IR-8 Incident Response Plan
IR-9 Information Spillage Response
IR-10 Integrated Information Security Analysis Team
Maintenance
MA-1 System Maintenance Policy and Procedures
MA-2 Controlled Maintenance
MA-3 Maintenance Tools
MA-4 Nonlocal Maintenance
MA-5 Maintenance Personnel
MA-6 Timely Maintenance
Media Protection
MP-1 Media Protection Policy and Procedures
MP-2 Media Access
MP-3 Media Marking
MP-4 Media Storage
MP-5 Media Transport
MP-6 Media Sanitization
MP-7 Media Use
MP-8 Media Downgrading
Physical and Environmental Protection
PE-1 Physical and Environmental Protection Policy and Procedures
PE-2 Physical Access Authorizations
PE-3 Physical Access Control
PE-4 Access Control for Transmission Medium
PE-5 Access Control for Output Devices
PE-6 Monitoring Physical Access
PE-7 Withdrawn
PE-8 Visitor Access Records
PE-9 Power Equipment and Cabling
PE-10 Emergency Shutoff
PE-11 Emergency Power
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-14 Temperature and Humidity Controls
PE-15 Water Damage Protection
PE-16 Delivery and Removal
PE-17 Alternate Work Site
PE-18 Location of Information System Components
PE-19 Information Leakage
PE-20 Asset Monitoring and Tracking
Planning
PL-1 Security Planning Policy and Procedures
PL-2 System Security Plan
PL-3 Withdrawn
PL-4 Rules of Behavior
PL-5 Withdrawn
PL-6 Withdrawn
PL-7 Security Concept of Operations
PL-8 Information Security Architecture
PL-9 Central Management
Personnel Security
PS-1 Personnel Security Policy and Procedures
PS-2 Position Risk Designation
PS-3 Personnel Screening
PS-4 Personnel Termination
PS-5 Personnel Transfer
PS-6 Access Agreements
PS-7 Third-Party Personnel Security
PS-8 Personnel Sanctions
Risk Assessment
RA-1 Risk Assessment Policy and Procedures
RA-2 Security Categorization
RA-3 Risk Assessment
RA-4 Withdrawn
RA-5 Vulnerability Scanning
RA-6 Technical Surveillance Countermeasures Survey
System and Services Acquisition
SA-1 System and Services Acquisition Policy and Procedures
SA-2 Allocation of Resources
SA-3 System Development Life Cycle
SA-4 Acquisition Process
SA-5 Information System Documentation
SA-6 Withdrawn
SA-7 Withdrawn
SA-8 Security Engineering Principles
SA-9 External Information System Services
SA-10 Developer Configuration Management
SA-11 Developer Security Testing and Evaluation
SA-12 Supply Chain Protection
SA-13 Trustworthiness
SA-14 Criticality Analysis
SA-15 Development Process, Standards, and Tools
SA-16 Developer-Provided Training
SA-17 Developer Security Architecture and Design
SA-18 Tamper Resistance and Detection
SA-19 Component Authenticity
SA-20 Customized Development of Critical Components
SA-21 Developer Screening
SA-22 Unsupported System Components
System and Communications Protection
SC-1 System and Communications Protection Policy and Procedures
SC-2 Application Partitioning
SC-3 Security Function Isolation
SC-4 Information in Shared Resources
SC-5 Denial of Service Protection
SC-6 Resource Availability
SC-7 Boundary Protection
SC-8 Transmission Confidentiality and Integrity
SC-9 Withdrawn
SC-10 Network Disconnect
SC-11 Trusted Path
SC-12 Cryptographic Key Establishment and Management
SC-13 Cryptographic Protection
SC-14 Withdrawn
SC-15 Collaborative Computing Devices
SC-16 Transmission of Security Attributes
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-19 Voice Over Internet Protocol
SC-20 Secure Name /Address Resolution Service (Authoritative Source)
SC-21 Secure Name /Address Resolution Service (Recursive or Caching Resolver)
SC-22 Architecture and Provisioning for Name/Address Resolution Service
SC-23 Session Authenticity
SC-24 Fail in Known State
SC-25 Thin Nodes
SC-26 Honeypots
SC-27 Platform-Independent Applications
SC-28 Protection of Information at Rest
SC-29 Heterogeneity
SC-30 Concealment and Misdirection
SC-31 Covert Channel Analysis
SC-32 Information System Partitioning
SC-33 Withdrawn
SC-34 Non-Modifiable Executable Programs
SC-35 Honeyclients
SC-36 Distributed Processing and Storage
SC-37 Out-of-Band Channels
SC-38 Operations Security
SC-39 Process Isolation
SC-40 Wireless Link Protection
SC-41 Port and I/O Device Access
SC-42 Sensor Capability and Data
SC-43 Usage Restrictions
SC-44 Detonation Chambers
System and Information Integrity
SI-1 System and Information Integrity Policy and Procedures
SI-2 Flaw Remediation
SI-3 Malicious Code Protection
SI-4 Information System Monitoring
SI-5 Security Alerts, Advisories, and Directives
SI-6 Security Function Verification
SI-7 Software, Firmware, and Information Integrity
SI-8 Spam Protection
SI-9 Withdrawn
SI-10 Information Input Validation
SI-11 Error Handling
SI-12 Information Handling and Retention
SI-13 Predictable Failure Prevention
SI-14 Non-Persistence
SI-15 Information Output Filtering
SI-16 Memory Protection
SI-17 Fail-Safe Procedures
Program Management
PM-1 Information Security Program Plan
PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action and Milestones Process
PM-5 Information System Inventory
PM-6 Information Security Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition
PM-12 Insider Threat Program
PM-13 Information Security Workforce
PM-14 Testing, Training, & Monitoring
PM-15 Contacts with Security Groups and Associations
PM-16 Threat Awareness Program
CIS Controls Master Mappings Tool (v7.1a)

Priority (rev4) | CSC #1 Inventory of Authorized & Unauthorized Devices | CSC #2 Inventory of Authorized and Unauthorized Software | CSC #3 Continuous Vulnerability Assessment and Remediation

P1
P1
P1
P1
P1
P1
P2
P1
P0
P2
P3
P2
---
P1
---
P0
P1
P1
P1
P1
P2
P2
P0
P0
P0

P1
P1
P1
P3
---

P1
P1
P1
P1
P1
P1
P2
P1
P1
P1
P3
P1
P0
P0
P0
P0

P1
P2 X
P1
---
P3
P3
P3 X X X
P1
P2

P1
P1 X
P1
P2
P1
P1
P1
P1 X X
P1
P2 X
P1 X

P1
P1
P2
P2
---
P1
P1
P1
P1
P1
P0
P0
P0

P1
P1
P1 X
P1
P1
P1
P1
P1
P0
P0
P0

P1
P2
P2
P1
P1
P1
P3
P1
P0
P0

P1
P2
P2
P1
P1
P2

P1
P1
P2
P1
P1
P1
P1
P0

P1
P1
P1
P1
P2
P1
---
P3
P1
P1
P1
P1
P1
P1
P1
P2
P2
P3
P0
P0

P1
P1
---
P2
---
---
P0
P1
P0

P1
P1
P1
P1
P2
P3
P1
P3
P1
P1
P1
---
P1 X
P0

P1
P1
P1
P1 X X
P2
---
---
P1
P1
P1
P1
P1
P0
P0
P2
P2
P1
P0
P0
P0
P0
P0

P1
P1
P1
P1
P1
P0
P1
P1
---
P2
P0
P1
P1
---
P1
P0
P1 X
P2 X
P1
P1
P1
P1
P1
P1
P0
P0
P0
P1
P0
P0
P0
P0
---
P0 X X
P0
P0
P0
P0
P1
P0
P0
P0
P0
P0

P1
P1
P1
P1 X X X
P1
P1
P1 X
P2
---
P1
P2
P2
P0
P0
P0
P1
P0

P1
P1
P1
P1
P1 X X
P1
P1
P1
P1
P1
P1
P1
P1
P1
P1
P1
CSC #4 Controlled Use of Administrative Privileges | CSC #5 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | CSC #6 Maintenance, Monitoring, and Analysis of Audit Logs

X
X
X
X
X
X
X
X
X
X
X
X
X
X

X X X

X
X

X
X
X
X
X

X
X

X
X

X
X

X
X

X X X
CSC #7 Email and Web Browser Protections | CSC #8 Malware Defenses | CSC #9 Limitation and Control of Network Ports, Protocols, and Services

X
X X

X X
X

X
X X
X
X X
X

X
X
X

X
X
X

X
X

X
X
X

X X
CSC #10 Data Recovery Capabilities | CSC #11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | CSC #12 Boundary Defense

X X

X
X X

X X

X X

X X
X

X
X

X
X
X

X
X
X

X
X
X

X X
CSC #13 Data Protection | CSC #14 Controlled Access Based on the Need to Know | CSC #15 Wireless Device Control

X
X
X X
X

X
X

X
X
X

X X X

X
X

X
X
X

X X
X
X

X
X

X X X
CSC #16 Account Monitoring and Control | CSC #17 Implement a Security Awareness and Training Program | CSC #18 Application Software Security

X
X

X
X

X
X
X
X
X
X

X
X

X
X X

X
X X
X

X
X
X

X
X
X
X

X
X

X
CSC #19 Incident Response and Management | CSC #20 Penetration Tests and Red Team Exercises


X

X
X

X
X
X
X
X
X
X
X
X

X
X
X
X

X
CIS Controls v7.1 mapped to the NIST Cyber Security Framework (v1.1)

Sub-controls listed by asset type (System, Network, Application):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System: 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

1.1 (System): Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2 (System): Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3 (System): Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4 (System): Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 (System): Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 (System): Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.
1.7 (System): Utilize port level access control, following 802.1X standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 (System): Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
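Sub-controls 1.3 to 1.6 describe one workflow: feed DHCP lease events into the hardware inventory, refresh the fields 1.5 requires, and surface anything that is not approved. The script below is an added example that is not part of the CIS mapping workbook; it assumes the ISC dhcpd syslog line format ("DHCPACK on <ip> to <mac> (<hostname>) via <iface>") and uses a constructed inventory and log.

```python
"""Reconcile DHCP lease events against the hardware asset inventory (CIS 1.3 to 1.6).

Added example, not from the CIS workbook. The inventory and DHCP log lines are
constructed; the log syntax assumes an ISC dhcpd server writing to syslog.
"""
import copy
import re
from dataclasses import dataclass, field

# ISC dhcpd lease acknowledgement line (assumed format for this example)
DHCPACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


@dataclass
class Asset:
    """One inventory row; the fields are the ones CIS 1.5 asks for."""
    mac: str
    hostname: str = ""
    ip: str = ""
    owner: str = ""
    department: str = ""
    approved: bool = False                     # approved to connect to the network?
    seen: list = field(default_factory=list)   # DHCPACK timestamps observed


def parse_dhcpack(line):
    """Return the fields of a DHCPACK line, or None for any other log line."""
    m = DHCPACK_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["mac"] = ev["mac"].lower()   # MACs are compared case-insensitively
    ev["host"] = ev["host"] or ""
    return ev


def reconcile(inventory, log_lines):
    """Apply lease events to a copy of the inventory.

    Returns (updated_inventory, unauthorized_macs). Approved assets get their
    current address and name refreshed (1.5); MACs that are absent from the
    inventory, or present but not approved, are listed for quarantine or an
    inventory decision (1.6). Unknown MACs are added as unapproved rows.
    """
    by_mac = {a.mac.lower(): copy.deepcopy(a) for a in inventory}
    unauthorized = []
    for line in log_lines:
        ev = parse_dhcpack(line)
        if ev is None:
            continue
        asset = by_mac.get(ev["mac"])
        if asset is None:
            asset = Asset(mac=ev["mac"], hostname=ev["host"], ip=ev["ip"])
            by_mac[ev["mac"]] = asset
        else:
            asset.ip = ev["ip"]
            if ev["host"]:
                asset.hostname = ev["host"]
        asset.seen.append(ev["ts"])
        if not asset.approved and asset.mac not in unauthorized:
            unauthorized.append(asset.mac)
    return list(by_mac.values()), unauthorized


# Constructed inventory and DHCP server log for the example
INVENTORY = [
    Asset("00:11:22:33:44:55", "fileserver01", owner="J. Doe", department="IT", approved=True),
    Asset("aa:bb:cc:dd:ee:01", "laptop-sales-07", owner="A. Smith", department="Sales", approved=True),
    Asset("aa:bb:cc:dd:ee:02", "old-printer", department="Ops", approved=False),
]
DHCP_LOG = [
    "Mar  3 09:14:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (fileserver01) via eth0",
    "Mar  3 09:14:09 dhcp1 dhcpd[812]: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0",
    "Mar  3 09:14:10 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.77 to de:ad:be:ef:00:01 (rogue-ap) via eth0",
    "Mar  3 09:15:30 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.30 to AA:BB:CC:DD:EE:01 (laptop-sales-07) via eth0",
    "Mar  3 09:16:00 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.31 to aa:bb:cc:dd:ee:02 via eth0",
]

if __name__ == "__main__":
    updated, bad = reconcile(INVENTORY, DHCP_LOG)
    for a in updated:
        print(f"{a.mac}  {a.ip:<12} {a.hostname:<16} approved={a.approved} seen={len(a.seen)}")
    print("quarantine / review:", bad)
```

The output list is what 1.6 acts on: the rogue access point is unknown and gets quarantined, the printer is known but unapproved, so either the inventory record or the network port changes. Tying the same approval flag into the 802.1X backend (1.7) is what turns this from a report into enforcement.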
Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1 (System): Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 (System): Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 (System): Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 (System): The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 (System): The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 (System): Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 (System): Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 (System): The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 (System): The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 (System): Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

3.1 (System): Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 (System): Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 (System): Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 (System): Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 (System): Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 (System): Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 (System): Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
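Sub-controls 3.6 and 3.7 together ask for two computations: a diff between consecutive scan runs (what was fixed, what is new, what persists) and a risk ranking of whatever remains. The script below is an added example, not code from the CIS workbook; the scan records, the remediation SLA table and the asset-criticality weights are constructed assumptions, and a real SCAP result file would first be parsed into the same (host, id, cvss, first_seen) shape.

```python
"""Diff consecutive vulnerability scans and rank the open findings (CIS 3.6, 3.7).

Added example, not from the CIS workbook. Scan records, SLA days and asset
criticality weights are constructed for illustration.
"""
from datetime import date

# CVSS v3 qualitative bands (FIRST): Critical 9.0+, High 7.0+, Medium 4.0+, Low below
SEVERITY_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]
# Assumed remediation policy: days allowed before a finding is overdue
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed weights from the asset inventory (a database server outranks a kiosk)
ASSET_CRITICALITY = {"db01": 3.0, "web01": 2.0, "kiosk03": 1.0}


def severity(cvss):
    for floor, name in SEVERITY_BANDS:
        if cvss >= floor:
            return name
    return "low"


def diff_scans(previous, current):
    """Compare two scan runs keyed on (host, vulnerability id) (CIS 3.6)."""
    prev = {(f["host"], f["id"]) for f in previous}
    cur = {(f["host"], f["id"]) for f in current}
    return {"remediated": prev - cur, "new": cur - prev, "persisting": prev & cur}


def prioritize(findings, today):
    """Rank open findings: SLA breaches first, then CVSS x asset criticality (CIS 3.7)."""
    ranked = []
    for f in findings:
        sev = severity(f["cvss"])
        age = (today - f["first_seen"]).days
        ranked.append({
            "host": f["host"],
            "id": f["id"],
            "severity": sev,
            "risk": round(f["cvss"] * ASSET_CRITICALITY.get(f["host"], 1.0), 1),
            "age_days": age,
            "sla_breached": age > SLA_DAYS[sev],
        })
    ranked.sort(key=lambda r: (not r["sla_breached"], -r["risk"]))
    return ranked


# Constructed scan exports; vulnerability ids are placeholders, not real CVEs
PREVIOUS_SCAN = [
    {"host": "db01", "id": "VULN-1001", "cvss": 9.8, "first_seen": date(2024, 1, 10)},
    {"host": "web01", "id": "VULN-2002", "cvss": 7.5, "first_seen": date(2024, 2, 1)},
    {"host": "kiosk03", "id": "VULN-3003", "cvss": 5.3, "first_seen": date(2024, 2, 20)},
]
CURRENT_SCAN = [
    {"host": "db01", "id": "VULN-1001", "cvss": 9.8, "first_seen": date(2024, 1, 10)},
    {"host": "kiosk03", "id": "VULN-3003", "cvss": 5.3, "first_seen": date(2024, 2, 20)},
    {"host": "web01", "id": "VULN-4004", "cvss": 8.1, "first_seen": date(2024, 3, 1)},
]
TODAY = date(2024, 3, 4)

if __name__ == "__main__":
    delta = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for k, v in delta.items():
        print(f"{k:<11}", sorted(v))
    for row in prioritize(CURRENT_SCAN, TODAY):
        flag = "OVERDUE" if row["sla_breached"] else ""
        print(f'{row["host"]:<8}{row["id"]:<11}{row["severity"]:<9}risk={row["risk"]:<5} age={row["age_days"]}d {flag}')
```

Keying the diff on (host, id) rather than id alone matters: the same plugin firing on a new host is a new finding, not a persisting one, and a critical that has outlived its SLA sorts above a fresher high even when the newer one carries a larger raw score.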

Critical Security Control #4: Controlled Use of Administrative Privileges

4.1 (System): Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 (System): Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 (System): Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
4.4 (System): Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 (System): Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 (System): Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
4.7 (System): Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 (System): Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 (System): Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
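Sub-controls 4.8 and 4.9 are detection rules. The script below is an added example, not from the CIS workbook, showing the logic a log pipeline would run once Windows Security events have been parsed into records. The event IDs are the real Windows ones (4728/4732/4756 member added to a security-enabled global/local/universal group, 4729/4733/4757 member removed, 4625 failed logon); the events, group names and the admin account list are constructed, and the "short-lived elevation" correlation goes one step beyond the control text by flagging a grant that is revoked within minutes, a pattern worth a second look.

```python
"""Alert on admin-group membership changes and failed admin logons (CIS 4.8, 4.9).

Added example, not from the CIS workbook. Event records are constructed in the
shape a parser would produce from the Windows Security log.
"""
from datetime import datetime, timedelta

ADD_EVENTS = {4728, 4732, 4756}      # member added to a security-enabled global/local/universal group
REMOVE_EVENTS = {4729, 4733, 4757}   # member removed from such a group
FAILED_LOGON = 4625                  # an account failed to log on

# Groups that confer administrative rights (assumed list; take it from the 4.1 inventory)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
SHORT_LIVED = timedelta(minutes=15)  # grant-then-revoke inside this window is flagged


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, admin_accounts):
    """Return alerts for privileged-group changes (4.8) and failed admin logons (4.9)."""
    admin_accounts = {a.lower() for a in admin_accounts}
    alerts = []
    pending_grants = {}   # (member, group) -> time the membership was added
    for e in sorted(events, key=lambda e: e["time"]):
        eid = e["event_id"]
        if eid in ADD_EVENTS or eid in REMOVE_EVENTS:
            if e["group"] not in PRIVILEGED_GROUPS:
                continue   # ordinary group change, not administrative
            key = (e["member"], e["group"])
            if eid in ADD_EVENTS:
                pending_grants[key] = e["time"]
                alerts.append({"rule": "CIS-4.8", "time": e["time"],
                               "msg": f"{e['member']} added to {e['group']} by {e['subject']}"})
            else:
                alerts.append({"rule": "CIS-4.8", "time": e["time"],
                               "msg": f"{e['member']} removed from {e['group']} by {e['subject']}"})
                added = pending_grants.pop(key, None)
                if added and _ts(e["time"]) - _ts(added) <= SHORT_LIVED:
                    held = _ts(e["time"]) - _ts(added)
                    alerts.append({"rule": "CIS-4.8", "time": e["time"],
                                   "msg": f"short-lived elevation: {e['member']} held {e['group']} for {held}"})
        elif eid == FAILED_LOGON and e["target"].lower() in admin_accounts:
            alerts.append({"rule": "CIS-4.9", "time": e["time"],
                           "msg": f"failed logon to admin account {e['target']} from {e['source_ip']} "
                                  f"(status {e['status']})"})
    return alerts


# Constructed events; 0xC000006A is the Windows status for a wrong password
EVENTS = [
    {"time": "2024-03-04T08:01:10Z", "event_id": 4732, "group": "Remote Desktop Users",
     "member": "CORP\\bob", "subject": "CORP\\helpdesk1"},
    {"time": "2024-03-04T08:02:33Z", "event_id": 4728, "group": "Domain Admins",
     "member": "CORP\\svc-backup", "subject": "CORP\\alice-adm"},
    {"time": "2024-03-04T08:05:00Z", "event_id": 4625, "target": "alice-adm",
     "source_ip": "10.0.9.14", "status": "0xC000006A"},
    {"time": "2024-03-04T08:05:02Z", "event_id": 4625, "target": "bob",
     "source_ip": "10.0.9.14", "status": "0xC000006A"},
    {"time": "2024-03-04T08:06:40Z", "event_id": 4729, "group": "Domain Admins",
     "member": "CORP\\svc-backup", "subject": "CORP\\alice-adm"},
]
ADMIN_ACCOUNTS = {"alice-adm", "root-adm"}

if __name__ == "__main__":
    for a in detect(EVENTS, ADMIN_ACCOUNTS):
        print(a["time"], a["rule"], a["msg"])
```

The failed logon for "bob" is not alerted because he is not an administrative account; 4.9 is deliberately scoped so that the alert volume stays small enough to be actioned, which is also why 4.1's inventory of admin accounts is the input here rather than a guess from naming conventions.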
Critical Security Control #5: Secure Configurations for Hardware and Software

5.1 (System): Maintain documented security configuration standards for all authorized operating systems and software.
5.2 (System): Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 (System): Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 (System): Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 (System): Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

6.1 (System): Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2 (System): Ensure that local logging has been enabled on all systems and networking devices.
6.3 (System): Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 (System): Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 (System): Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6 (System): Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7 (System): On a regular basis, review logs to identify anomalies or abnormal events.
6.8 (System): On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections

7.1 (System): Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2 (System): Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3 (System): Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4 (System): Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5 (System): Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6 (System): Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7 (System): Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8 (System): To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9 (System): Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 (System): Use sandboxing to analyze and block inbound email attachments with malicious behavior.
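Sub-control 7.8 is frequently "implemented" with records that do nothing: a DMARC record with p=none, an SPF record ending in ~all or ?all, or no reporting address so that nobody ever sees a failure. The checker below is an added example, not from the CIS workbook; it evaluates SPF and DMARC TXT records offline (the strings are constructed, with placeholder domains) and is the kind of check to run against the live records of every domain the organization sends from. DKIM is not assessed here because verifying it needs the selector's public key record and a signed message, not just a policy string.

```python
"""Check SPF and DMARC records for the weak settings that undercut CIS 7.8.

Added example, not from the CIS workbook. The TXT records are constructed;
in use, fetch the domain's "v=spf1" TXT record and the _dmarc.<domain> TXT
record from DNS and pass them to these functions.
"""


def parse_dmarc(txt):
    """Split an RFC 7489 record ('tag=value; tag=value') into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return a list of findings; an empty list means the record enforces and reports."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    issues = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= policy")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy in ("quarantine", "reject"):
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= aggregate reporting address; failures go unseen")
    if policy != "none" and tags.get("sp", policy) == "none":
        issues.append("sp=none leaves subdomains unprotected")
    return issues


def assess_spf(txt):
    """Return a list of findings for an SPF record (RFC 7208)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    mechanisms = [t.lower() for t in terms[1:]]
    issues = []
    last = mechanisms[-1] if mechanisms else ""
    if last in ("+all", "all"):
        issues.append("'+all' authorizes every sender on the Internet")
    elif last == "?all":
        issues.append("'?all' is neutral; receivers treat it much like no SPF at all")
    elif last == "~all":
        issues.append("'~all' softfail; acceptable only with DMARC p=quarantine/reject")
    elif last != "-all":
        issues.append("record does not end in an 'all' mechanism")
    # RFC 7208 4.6.4: at most 10 terms that cause DNS lookups, else permerror
    lookup_terms = ("include", "a", "mx", "ptr", "exists")
    lookups = sum(1 for m in mechanisms
                  if m.lstrip("+-~?").split(":")[0].split("/")[0] in lookup_terms
                  or m.startswith("redirect="))
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if any(m.lstrip("+-~?").startswith("ptr") for m in mechanisms):
        issues.append("ptr mechanism is deprecated and slow to evaluate")
    return issues


# Constructed records with placeholder domains and the RFC 5737 address range
WEAK_DMARC = "v=DMARC1; p=none"
STRICT_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; "
                "ruf=mailto:dmarc@example.com; adkim=s; aspf=s")
WEAK_SPF = "v=spf1 include:_spf.example.net ptr ~all"
STRICT_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, record, fn in [("weak DMARC", WEAK_DMARC, assess_dmarc),
                              ("strict DMARC", STRICT_DMARC, assess_dmarc),
                              ("weak SPF", WEAK_SPF, assess_spf),
                              ("strict SPF", STRICT_SPF, assess_spf)]:
        print(label, "->", fn(record) or "OK")
```

Rolling out in the order the control gives (SPF and DKIM first, then DMARC at p=none with rua= set, then quarantine, then reject) is the safe path; the checker's job is to make sure the rollout does not stall at the monitoring stage.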
Critical Security Control #8: Malware Defenses

8.1 (System): Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
8.2 (System): Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
8.3 (System): Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
8.4 (System): Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
8.5 (System): Configure devices to not auto-run content from removable media.
8.6 (System): Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
8.7 (System): Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
8.8 (System): Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports

9.1 (System): Associate active ports, services, and protocols to the hardware assets in the asset inventory.
9.2 (System): Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3 (System): Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4 (System): Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5 (System): Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities

10.1 (System): Ensure that all system data is automatically backed up on a regular basis.
10.2 (System): Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick rec of an entire system.
10.3 (System): Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4 (System): Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 (System): Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
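Sub-control 10.3 says "test by restoring", which is stronger than checking that a backup job reported success. The script below is an added example, not from the CIS workbook: it builds a small constructed backup set in a temporary directory, writes a tar archive and a SHA-256 manifest, then restores into a scratch directory and compares every file's hash with the manifest. It also shows the two ways the test should fail, a changed file (simulated by altering the manifest) and a truncated archive, since a restore test that cannot fail proves nothing.

```python
"""Restore-and-verify test for a backup set (CIS 10.3).

Added example, not from the CIS workbook. All paths are temporary and the
sample files are constructed; run it against a real archive by calling
restore_test(archive, manifest) with the paths your backup job produced.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive source_dir and write a {relative path: sha256} manifest beside it."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    manifest_path = Path(str(archive_path) + ".sha256.json")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest_path


def restore_test(archive_path, manifest_path):
    """Restore into a scratch directory and verify every file; returns (ok, problems)."""
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    # 'data' filter (Python 3.12, backported to patch releases) refuses
                    # absolute paths and '..' members, so a tampered archive cannot
                    # write outside the scratch directory
                    tar.extractall(scratch, filter="data")
                except TypeError:
                    tar.extractall(scratch)   # older interpreter without filter=
        except Exception as exc:   # any read failure (truncation, CRC error) fails the test
            return False, [f"archive unreadable: {exc}"]
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"hash mismatch: {rel}")
    return not problems, problems


def run_demo():
    """Build a constructed backup set and exercise the clean, tampered and truncated cases."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "source"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=127.0.0.1:8443\n")
        (src / "data.db").write_bytes(os.urandom(4096))
        archive = work / "backup.tar.gz"
        manifest = make_backup(src, archive)
        results["clean"] = restore_test(archive, manifest)
        # silent corruption of one file: the stored hash no longer matches the content
        m = json.loads(manifest.read_text())
        m["data.db"] = "0" * 64
        bad_manifest = work / "tampered.json"
        bad_manifest.write_text(json.dumps(m))
        results["tampered"] = restore_test(archive, bad_manifest)
        # damaged medium: the archive is cut in half
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        results["truncated"] = restore_test(archive, manifest)
    return results


if __name__ == "__main__":
    for case, (ok, problems) in run_demo().items():
        print(f"{case:<10} ok={ok} {problems}")
```

Keep the manifest with the offline copy (10.5) and not only with the live backup server: if an attacker who has encrypted the primary data can also rewrite the manifest, the verification becomes theatre.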
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

11.1 (Network): Maintain documented security configuration standards for all authorized network devices.
11.2 (Network): All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 (Network): Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 (Network): Install the latest stable version of any security-related updates on all network devices.
11.5 (Network): Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 (Network): Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 (Network): Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
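Sub-control 11.3 is a diff with some normalization: banner lines and timestamps change on every pull and must not count as deviations, while a line that appears only in the running configuration must. The script below is an added example, not from the CIS workbook; the baseline and running configurations are constructed in Cisco IOS-style syntax (the commands used are real IOS commands, the device is not), and the list of high-risk settings is one an editor would start with, not a complete standard.

```python
"""Compare a running network-device configuration with its approved baseline (CIS 11.3).

Added example, not from the CIS workbook. Both configurations are constructed
IOS-style text; the high-risk patterns are a starting list, not a standard.
"""
import re
from collections import Counter

# Settings that should never appear on an approved device (IOS syntax)
HIGH_RISK = [
    (re.compile(r"^ip http server$"), "clear-text HTTP management enabled"),
    (re.compile(r"^snmp-server community (public|private)\b"), "default SNMP community string"),
    (re.compile(r"^transport input .*\btelnet\b"), "telnet allowed for device management"),
    (re.compile(r"^enable password "), "'enable password' used instead of 'enable secret'"),
    (re.compile(r"^no service password-encryption$"), "password encryption disabled"),
]


def normalize(config_text):
    """Drop comments, banners and blank lines; keep indentation, which carries context."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(("Building configuration", "Current configuration")):
            continue
        lines.append(line)
    return lines


def _diff(a, b):
    """Lines of a with no equal line in b, respecting multiplicity and order."""
    remaining = Counter(b)
    out = []
    for line in a:
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            out.append(line)
    return out


def compare(baseline_text, running_text):
    """Return missing baseline lines, unexpected running lines, and high-risk hits."""
    base, run = normalize(baseline_text), normalize(running_text)
    unexpected = _diff(run, base)
    high_risk = []
    for line in unexpected:
        for pattern, why in HIGH_RISK:
            if pattern.search(line.strip()):
                high_risk.append((line.strip(), why))
    return {"missing": _diff(base, run), "unexpected": unexpected, "high_risk": high_risk}


# Constructed approved baseline and a drifted running configuration
BASELINE = """!
hostname edge-rtr-01
!
no ip http server
service password-encryption
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
!
snmp-server community N0tPublic RO
!
line vty 0 4
 transport input ssh
 login local
!
end
"""

RUNNING = """Building configuration...

Current configuration : 1402 bytes
!
! Last configuration change at 09:12:03 UTC Mon Mar 4 2024
!
hostname edge-rtr-01
!
ip http server
service password-encryption
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
!
snmp-server community N0tPublic RO
snmp-server community public RW
!
line vty 0 4
 transport input telnet ssh
 login local
!
end
"""

if __name__ == "__main__":
    result = compare(BASELINE, RUNNING)
    for key in ("missing", "unexpected"):
        for line in result[key]:
            print(f"{key:<10} {line}")
    for line, why in result["high_risk"]:
        print(f"HIGH RISK  {line!r}: {why}")
```

Indentation is kept on purpose: "transport input ssh" under "line vty 0 4" and the same text under a console line are different facts. Each deviation should be raised as an alert with the device name and the 11.2 rule owner, and "missing" lines deserve the same attention as "unexpected" ones, since removing "no ip http server" is how the HTTP server came back.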
curity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
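As an added illustration of the boundary rules above (example code, not part of the CIS document), the Python check below evaluates constructed NetFlow-style records against a per-boundary policy of trusted destination ranges, denied ranges and authorized ports. The boundary name, address ranges and flow records are assumptions built from documentation address space.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BoundaryPolicy:
    """Egress policy for one network boundary (constructed structure, not CIS's)."""
    name: str
    trusted_dst_ranges: tuple   # ipaddress networks that may be reached from inside
    denied_ranges: tuple        # known malicious or unused ranges, always blocked
    allowed_ports: frozenset    # (proto, port) pairs authorized to cross the boundary


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def evaluate_flow(policy, flow):
    """Return (verdict, reason) for one outbound flow record.

    flow keys: src, dst, proto ('tcp' or 'udp'), dport, bytes.
    Deny rules run before allow rules, so a denied range is never reachable
    merely because the port happens to be on the authorized list.
    """
    if _in_any(flow["dst"], policy.denied_ranges):
        return "deny", "destination in denied range"
    if (flow["proto"], flow["dport"]) not in policy.allowed_ports:
        return "deny", f"unauthorized {flow['proto']}/{flow['dport']}"
    if not _in_any(flow["dst"], policy.trusted_dst_ranges):
        return "deny", "destination outside trusted ranges"
    return "allow", "matches policy"


def audit_flows(policy, flows):
    """Apply the policy to a batch of flow records and return the denied ones."""
    findings = []
    for f in flows:
        verdict, reason = evaluate_flow(policy, f)
        if verdict == "deny":
            findings.append({**f, "boundary": policy.name, "reason": reason})
    return findings


# Constructed sample policy and flows; 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges, not real hosts.
INTERNET_EDGE = BoundaryPolicy(
    name="internet-edge",
    trusted_dst_ranges=(ipaddress.ip_network("203.0.113.0/24"),),
    denied_ranges=(ipaddress.ip_network("198.51.100.0/24"),),
    allowed_ports=frozenset({("tcp", 443), ("udp", 53)}),
)
SAMPLE_FLOWS = [
    {"src": "10.0.1.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443, "bytes": 8200},
    {"src": "10.0.1.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 22, "bytes": 300},
    {"src": "10.0.2.9", "dst": "198.51.100.7", "proto": "tcp", "dport": 443, "bytes": 51000},
    {"src": "10.0.2.9", "dst": "192.0.2.44", "proto": "udp", "dport": 53, "bytes": 120},
]

if __name__ == "__main__":
    for finding in audit_flows(INTERNET_EDGE, SAMPLE_FLOWS):
        print(f"[{finding['boundary']}] {finding['src']} -> {finding['dst']} "
              f"{finding['proto']}/{finding['dport']}: {finding['reason']}")
```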
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt, or hash with a salt, all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
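Added example, not from the CIS text: a Python review that applies the account rules above to a constructed account inventory and constructed login audit records, flagging accounts with no business owner, expired or dormant accounts, attempts to use deactivated accounts, and logins that deviate from a per-user baseline of hours, workstation and session length. All account names, baselines, timestamps and events are assumptions.

```python
from datetime import datetime, timedelta

# Constructed account inventory keyed by username. The fields are the ones the
# sub-controls above ask to track: business owner, enabled flag, expiry date and
# last successful login (ISO 8601 timestamps).
ACCOUNTS = {
    "alice":   {"owner": "payroll", "enabled": True,  "expires": "2030-01-01", "last_login": "2024-05-20T09:12:00"},
    "bob":     {"owner": None,      "enabled": True,  "expires": "2030-01-01", "last_login": "2024-05-19T08:40:00"},
    "carol":   {"owner": "ops",     "enabled": True,  "expires": "2030-01-01", "last_login": "2024-01-03T17:05:00"},
    "dave":    {"owner": "ops",     "enabled": False, "expires": "2030-01-01", "last_login": "2024-02-01T10:00:00"},
    "svc-old": {"owner": "legacy",  "enabled": True,  "expires": "2024-03-31", "last_login": "2024-05-18T02:00:00"},
}

# Constructed per-user baseline of normal login behaviour: working hours,
# usual workstations and the longest session considered normal.
BASELINES = {
    "alice": {"hours": range(7, 19), "hosts": {"WS-PAY-01"}, "max_session_min": 600},
    "carol": {"hours": range(7, 19), "hosts": {"WS-OPS-03"}, "max_session_min": 600},
}

# Constructed login events, already parsed from an authentication system's audit log.
EVENTS = [
    {"user": "alice", "host": "WS-PAY-01", "time": "2024-05-21T08:30:00", "result": "success", "duration_min": 480},
    {"user": "alice", "host": "WS-OPS-03", "time": "2024-05-21T23:45:00", "result": "success", "duration_min": 30},
    {"user": "dave",  "host": "WS-OPS-07", "time": "2024-05-21T11:00:00", "result": "failure", "duration_min": 0},
    {"user": "carol", "host": "WS-OPS-03", "time": "2024-05-21T10:00:00", "result": "success", "duration_min": 900},
]


def review_inventory(accounts, as_of, dormant_days=90):
    """Flag accounts that break the inventory rules: no owner, expired, dormant.

    as_of is an ISO 8601 timestamp so the review is reproducible.
    """
    now = datetime.fromisoformat(as_of)
    findings = []
    for name, a in accounts.items():
        if a["owner"] is None:
            findings.append((name, "no business owner: disable"))
        if datetime.fromisoformat(a["expires"]) < now:
            findings.append((name, "expired: disable"))
        idle = now - datetime.fromisoformat(a["last_login"])
        # Already-disabled accounts are not re-flagged as dormant.
        if a["enabled"] and idle > timedelta(days=dormant_days):
            findings.append((name, f"dormant for {idle.days} days: disable"))
    return findings


def review_logins(accounts, baselines, events):
    """Flag use of deactivated accounts and deviations from each user's baseline."""
    alerts = []
    for e in events:
        acct = accounts.get(e["user"])
        # Any attempt (success or failure) against a deactivated account is reportable.
        if acct is not None and not acct["enabled"]:
            alerts.append((e["user"], "attempt to use deactivated account"))
            continue
        base = baselines.get(e["user"])
        if base is None or e["result"] != "success":
            continue
        t = datetime.fromisoformat(e["time"])
        if t.hour not in base["hours"]:
            alerts.append((e["user"], f"login outside normal hours ({t.hour:02d}:00)"))
        if e["host"] not in base["hosts"]:
            alerts.append((e["user"], f"login from unusual workstation {e['host']}"))
        if e["duration_min"] > base["max_session_min"]:
            alerts.append((e["user"], f"session length {e['duration_min']} min exceeds baseline"))
    return alerts


if __name__ == "__main__":
    for user, msg in review_inventory(ACCOUNTS, "2024-05-22T00:00:00") + review_logins(ACCOUNTS, BASELINES, EVENTS):
        print(f"{user}: {msg}")
```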
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors that workforce members are not
demonstrating, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping matrix of CIS Controls v7.1 sub-controls (rows) to NIST Cybersecurity Framework subcategories (columns); the cell marks are not recoverable from this extraction. Column headings present: ID.AM-1 to ID.AM-6; ID.BE-1 to ID.BE-5; ID.GV-1 to ID.GV-4; ID.RA-1 to ID.RA-6; ID.RM-1 to ID.RM-3; ID.SC-1 to ID.SC-5; PR.AC-1 to PR.AC-7; PR.AT-1 to PR.AT-5; PR.DS-1 to PR.DS-8; PR.IP-1 to PR.IP-12; PR.MA-1 and PR.MA-2; PR.PT-1 to PR.PT-5; DE.AE-1 to DE.AE-5; DE.CM-1 to DE.CM-8; DE.DP-1 to DE.DP-5; RS.RP-1; RS.CO-1 to RS.CO-5; RS.AN-1 to RS.AN-5; RS.MI-1 to RS.MI-3; RS.IM-1 and RS.IM-2; RC.RP-1; RC.IM-1 and RC.IM-2; RC.CO-1 to RC.CO-3.]
CIS Controls v7.1 mapped to the NIST Cyber Security Framework (v1.0)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1 through System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1 through System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1 through System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1 through System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1 through System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1 through System 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1 through System 7.10

Critical Security Control #8: Malware Defenses
System 8.1 through System 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1 through System 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1 through System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1 through Network 11.7

Critical Security Control #12: Boundary Defense
Network 12.1 through Network 12.12

Critical Security Control #13: Data Protection
Network 13.1 through Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1 through Application 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1 through Network 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1 through Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1 through Application 17.9

Critical Security Control #18: Application Software Security
Application 18.1 through Application 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1 through Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1 through Application 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
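Added example, not from the CIS document: a Python routine that parses constructed ISC dhcpd DHCPACK log lines, reconciles the leases with a hardware asset inventory keyed by hardware address, and reports unknown devices, inventoried-but-unapproved devices, and address or name changes the inventory should absorb. The inventory contents, MAC addresses, hostnames and log lines are assumptions.

```python
import re

# ISC dhcpd syslog line shape (the constructed sample lines below follow it):
#   <timestamp> <host> dhcpd[<pid>]: DHCPACK on <ip> to <mac> (<hostname>) via <iface>
# The "(<hostname>)" part is absent when the client sent no host name.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_leases(lines):
    """Return {mac: {"ip", "name"}} from DHCPACK lines; other log lines are ignored."""
    leases = {}
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = {"ip": m["ip"], "name": m["name"] or ""}
    return leases


def reconcile(inventory, leases):
    """Compare observed leases with the hardware asset inventory (keyed by MAC).

    Returns three lists:
      unknown    - hardware addresses seen on the network but absent from the inventory
      unapproved - inventoried assets not approved to connect that nevertheless got a lease
      updates    - inventoried assets whose recorded address or name differs from the lease
    """
    report = {"unknown": [], "unapproved": [], "updates": []}
    for mac, lease in leases.items():
        asset = inventory.get(mac)
        if asset is None:
            report["unknown"].append({"mac": mac, **lease})
            continue
        if not asset["approved"]:
            report["unapproved"].append({"mac": mac, "owner": asset["owner"], **lease})
        if asset["ip"] != lease["ip"] or asset["name"] != lease["name"]:
            report["updates"].append(
                {"mac": mac, "old": (asset["ip"], asset["name"]), "new": (lease["ip"], lease["name"])}
            )
    return report


# Constructed inventory with the fields the sub-controls above call for.
INVENTORY = {
    "00:11:22:33:44:55": {"ip": "10.0.1.23", "name": "ws-fin-01", "owner": "finance",
                          "department": "Finance", "approved": True},
    "00:11:22:33:44:66": {"ip": "10.0.1.40", "name": "ws-ops-02", "owner": "ops",
                          "department": "Operations", "approved": True},
    "00:11:22:33:44:77": {"ip": "", "name": "vendor-lt", "owner": "facilities",
                          "department": "Facilities", "approved": False},
}

# Constructed DHCP server log lines.
LOG_LINES = [
    "May 21 09:14:02 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
    "May 21 09:14:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.23 to 00:11:22:33:44:55 (ws-fin-01) via eth0",
    "May 21 09:20:11 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.41 to 00:11:22:33:44:66 (ws-ops-02) via eth0",
    "May 21 09:31:45 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.88 to 00:11:22:33:44:77 (vendor-lt) via eth0",
    "May 21 09:33:09 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.91 to aa:bb:cc:dd:ee:ff via eth0",
]

if __name__ == "__main__":
    report = reconcile(INVENTORY, parse_leases(LOG_LINES))
    for category, items in report.items():
        for item in items:
            print(f"{category}: {item}")
```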
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
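The two sub-controls above (compare consecutive scan results; prioritize by risk rating) can be checked mechanically. The following is an added example, not part of the CIS document or any scanner product: it diffs two scan result sets to separate remediated, new and persisting findings, then flags any persisting finding older than a severity-based remediation window. The scan records, hostnames, finding identifiers, dates and the SLA_DAYS windows are all constructed for the example.

```python
"""Compare consecutive vulnerability scan results and flag overdue remediation.

Added example; the scan records below are constructed, not taken from any
scanner. Field names (host, finding id, severity) are assumptions.
"""
from datetime import date

# Remediation windows by severity (days): an assumed risk-rating policy,
# not a value the CIS control itself prescribes.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed findings: (host, finding id, severity). Each scan is a set of
# these tuples; the same tuple in both scans means the finding persisted.
PREVIOUS_SCAN = {
    ("web01", "VULN-A", "critical"),
    ("web01", "VULN-B", "medium"),
    ("db01", "VULN-C", "high"),
    ("db01", "VULN-D", "low"),
}
CURRENT_SCAN = {
    ("web01", "VULN-B", "medium"),   # persisted
    ("db01", "VULN-C", "high"),      # persisted
    ("db01", "VULN-E", "critical"),  # new this scan
}
# When each open finding was first observed (constructed dates).
FIRST_SEEN = {
    ("web01", "VULN-B"): date(2019, 1, 1),
    ("db01", "VULN-C"): date(2019, 1, 20),
    ("db01", "VULN-E"): date(2019, 2, 1),
}
TODAY = date(2019, 2, 10)  # constructed "current scan" date


def diff_scans(previous, current):
    """Return (remediated, new, persisting) sets between two scans."""
    return previous - current, current - previous, previous & current


def overdue(findings, first_seen, today, sla_days=SLA_DAYS):
    """Findings whose age exceeds the remediation window for their severity,
    sorted so the most severe and then the oldest come first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    late = []
    for host, fid, sev in findings:
        age = (today - first_seen[(host, fid)]).days
        if age > sla_days[sev]:
            late.append((host, fid, sev, age))
    return sorted(late, key=lambda f: (order[f[2]], -f[3]))


def remediation_report(previous, current, first_seen, today):
    """Bundle the scan diff and the overdue list into one report dict."""
    remediated, new, persisting = diff_scans(previous, current)
    return {
        "remediated": sorted(remediated),
        "new": sorted(new),
        "persisting": sorted(persisting),
        "overdue": overdue(current, first_seen, today),
    }


if __name__ == "__main__":
    report = remediation_report(PREVIOUS_SCAN, CURRENT_SCAN, FIRST_SEEN, TODAY)
    for key, rows in report.items():
        print(key)
        for row in rows:
            print("  ", row)
```

The "overdue" list is what a remediation owner would be paged on; the "remediated" list is the evidence that fixes actually landed, which is the point of comparing consecutive scans rather than reading each one in isolation.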
Critical Security Control #4: Controlled Use of Administrative Privileges
Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
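The two alerting sub-controls above can be expressed as simple detection rules over security event records. The following is an added example, not part of the CIS document: it runs over a handful of constructed events shaped like Windows Security log entries and raises an alert for every membership change on an administrative group and for every failed logon against a designated admin account, counted per source. The event IDs are the real Windows IDs for those events (4728/4732/4756 member added to a security-enabled global/local/universal group, 4729/4733/4757 member removed, 4625 logon failure); the group names, account names, hostnames and addresses are invented.

```python
"""Detection logic for two CIS sub-controls: alert when an account is added
to or removed from an administrative group, and alert on failed logons to an
administrative account.

Added example, not part of the CIS document. The events below are
constructed in the shape of Windows Security log fields.
"""
GROUP_ADD = {4728, 4732, 4756}      # member added to a security-enabled group
GROUP_REMOVE = {4729, 4733, 4757}   # member removed from a security-enabled group
LOGON_FAILURE = 4625                # an account failed to log on

# Groups that confer administrative privilege and accounts designated as
# admin accounts; in practice both come from the admin-account inventory.
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-svc-backup"}

# Constructed sample events (invented names and addresses).
EVENTS = [
    {"id": 4732, "group": "Administrators", "member": "jdoe", "actor": "adm-jdoe", "host": "ws17"},
    {"id": 4732, "group": "Remote Desktop Users", "member": "asmith", "actor": "adm-jdoe", "host": "ws17"},
    {"id": 4729, "group": "Domain Admins", "member": "olduser", "actor": "adm-svc-backup", "host": "dc01"},
    {"id": 4625, "account": "adm-jdoe", "host": "dc01", "src": "10.0.5.23"},
    {"id": 4625, "account": "jdoe", "host": "ws17", "src": "10.0.5.23"},
    {"id": 4625, "account": "adm-jdoe", "host": "dc01", "src": "10.0.5.23"},
]


def admin_group_changes(events, admin_groups=ADMIN_GROUPS):
    """Every add/remove on an administrative group, as alert strings.
    Changes to non-administrative groups are deliberately ignored."""
    alerts = []
    for e in events:
        if e["id"] in GROUP_ADD | GROUP_REMOVE and e["group"] in admin_groups:
            action = "added to" if e["id"] in GROUP_ADD else "removed from"
            alerts.append(f"{e['member']} {action} {e['group']} by {e['actor']} on {e['host']}")
    return alerts


def failed_admin_logons(events, admin_accounts=ADMIN_ACCOUNTS):
    """Failed logons against admin accounts, counted per (account, source).
    Failures against ordinary accounts fall under a different rule."""
    counts = {}
    for e in events:
        if e["id"] == LOGON_FAILURE and e["account"] in admin_accounts:
            key = (e["account"], e["src"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for a in admin_group_changes(EVENTS):
        print("ALERT group change:", a)
    for (acct, src), n in failed_admin_logons(EVENTS).items():
        print(f"ALERT {n} failed logon(s) to {acct} from {src}")
```

The control asks for an alert on every administrative group change, so there is no threshold on the first rule; the second rule counts per source so that a single misconfigured service account and a password-guessing attempt look different to the analyst.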
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
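A first step toward the SPF and DMARC part of this sub-control is to read the records a domain publishes and judge how strong they are. The following is an added example, not part of the CIS document: it parses SPF and DMARC TXT records and reports weak settings (an SPF record ending in "+all" or with no default mechanism, a softfail-only "~all", a DMARC policy of p=none, or no aggregate reporting address). The TXT records and the domains example.test, weak.test and strict.test are constructed; a real check would fetch the SPF record at the domain apex and the DMARC record at _dmarc.<domain> over DNS. DKIM is not assessed here because verifying it needs a signed message and its selector, not just a domain.

```python
"""Evaluate published SPF and DMARC records for policy strength.

Added example, not part of the CIS document. The TXT records below are
constructed; real checks would resolve them over DNS.
"""
import re

# Constructed records, keyed the way a resolver would return them.
TXT_RECORDS = {
    "example.test": ["v=spf1 ip4:203.0.113.0/24 include:mail.example.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 +all"],
    "strict.test": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.strict.test": ["v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@strict.test"],
}

SPF_TERM = re.compile(
    r"([+\-~?]?)(all|ip4:.+|ip6:.+|include:.+|a(?::.+)?|mx(?::.+)?|exists:.+|redirect=.+)",
    re.I,
)


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism) pairs and record the
    qualifier on the trailing 'all'. Returns None if it is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    qualifier, mechanisms = None, []
    for term in terms[1:]:
        m = SPF_TERM.fullmatch(term)
        if not m:
            continue
        qual, mech = m.group(1) or "+", m.group(2)  # no qualifier means pass
        if mech.lower() == "all":
            qualifier = qual
        mechanisms.append((qual, mech))
    return {"mechanisms": mechanisms, "all": qualifier}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' DMARC syntax; None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def first_parsed(records, parser):
    """Return the first record that parses, or None."""
    for rec in records:
        parsed = parser(rec)
        if parsed:
            return parsed
    return None


def assess(domain, txt=TXT_RECORDS):
    """Findings for a domain's SPF/DMARC posture; empty list means no concern."""
    findings = []
    spf = first_parsed(txt.get(domain, []), parse_spf)
    if spf is None:
        findings.append("no SPF record")
    elif spf["all"] == "+":
        findings.append("SPF '+all' permits any sender")
    elif spf["all"] in (None, "?"):
        findings.append("SPF lacks a '-all' or '~all' default")
    elif spf["all"] == "~":
        findings.append("SPF softfail '~all'; consider '-all' once DMARC reporting confirms all senders")

    dmarc = first_parsed(txt.get(f"_dmarc.{domain}", []), parse_dmarc)
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        if dmarc.get("p") == "none":
            findings.append("DMARC p=none only monitors; move to quarantine or reject")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= aggregate reporting address")
    return findings


if __name__ == "__main__":
    for d in ("example.test", "weak.test", "strict.test"):
        print(d, assess(d) or ["ok"])
```

The staged rollout the control describes (SPF and DKIM first, then DMARC) shows up in the findings: a domain at p=none with a rua= address is collecting the reports it needs before it can safely move to quarantine or reject.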
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locating all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.
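For stored passwords the hashing half of this sub-control means a per-credential random salt and a deliberately slow hash, verified in constant time. The following is an added example, not part of the CIS document: weak_store shows the anti-pattern (a fast, unsalted digest, under which two users with the same password get the same stored value), and hash_credential/verify_credential show the hardened form using scrypt from the Python standard library. The scrypt cost parameters and the "scrypt$salt$hash" storage format are assumptions for the example.

```python
"""Store authentication credentials as salted, slow hashes and verify them
in constant time.

Added example, not from the CIS document. weak_store exists only to contrast
with the hardened functions; never use it for real credentials.
"""
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: assumed values, tune to the hardware budget.
# Memory use is 128 * r * N bytes (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def weak_store(password: str) -> str:
    """Anti-pattern: unsalted fast hash. Identical passwords hash identically,
    so one precomputed table cracks every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, memory-hard derivation shared by hashing and verification."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )


def hash_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<hash hex>'. A fresh random salt is drawn
    unless one is supplied (supplying one is only for reproducible tests)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return f"scrypt${salt.hex()}${_derive(password, salt).hex()}"


def verify_credential(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so a
    mismatch in the first byte takes as long as a mismatch in the last."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    print("weak, two users same password:", weak_store("Winter2019") == weak_store("Winter2019"))
    stored = hash_credential("Winter2019")
    print("stored:", stored)
    print("verify correct:", verify_credential("Winter2019", stored))
    print("verify wrong:", verify_credential("winter2019", stored))
```

The salt is stored beside the hash on purpose; it is not a secret. Its job is to make each stored value unique so that an attacker who obtains the table has to attack every entry separately, and the scrypt cost makes each of those attempts expensive.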


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
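One way to make the input checking this sub-control asks for both explicit and documented is to keep the acceptable size, type and range or format of every field in one schema and validate each record against it before any business logic sees it. The following is an added example, not part of the CIS document: the record layout (username, age, email, start_date), the limits and the patterns are invented for illustration. It rejects unexpected fields, reports every failed check rather than stopping at the first, and shows a value that passes the format check but fails parsing (a date that does not exist).

```python
"""Explicit, documented input checking: size, type, and acceptable range or
format for every field before it reaches business logic.

Added example, not from the CIS document; the record schema is invented.
"""
import re
from datetime import date

# One rule per field documents what is acceptable: expected type, a size
# bound, and either a numeric range or a format pattern (plus an optional
# parser for values whose format alone does not guarantee validity).
SCHEMA = {
    "username": {"type": str, "max_len": 32,
                 "pattern": re.compile(r"^[a-z][a-z0-9_.-]{2,31}$")},
    "age": {"type": int, "min": 0, "max": 150},
    "email": {"type": str, "max_len": 254,
              "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")},
    "start_date": {"type": str, "max_len": 10,
                   "pattern": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
                   "parse": date.fromisoformat},
}


class ValidationError(ValueError):
    """Raised with every failed check joined into one message."""


def validate(record, schema=SCHEMA):
    """Return a cleaned copy of record or raise ValidationError listing every
    failed check. Unknown fields are rejected rather than passed through."""
    errors, cleaned = [], {}
    for field in record:
        if field not in schema:
            errors.append(f"{field}: unexpected field")
    for field, rule in schema.items():
        if field not in record:
            errors.append(f"{field}: missing")
            continue
        value = record[field]
        # Exact type check: bool is an int subclass and must not pass as int.
        if type(value) is not rule["type"]:
            errors.append(f"{field}: expected {rule['type'].__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{field}: longer than {rule['max_len']}")
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append(f"{field}: bad format")
            continue
        if ("min" in rule and value < rule["min"]) or ("max" in rule and value > rule["max"]):
            errors.append(f"{field}: out of range {rule.get('min')}..{rule.get('max')}")
            continue
        if "parse" in rule:
            try:
                value = rule["parse"](value)
            except ValueError:
                errors.append(f"{field}: not a valid value")
                continue
        cleaned[field] = value
    if errors:
        raise ValidationError("; ".join(errors))
    return cleaned


def check(record):
    """Return (ok, cleaned_or_error_message) so callers can log the outcome."""
    try:
        return True, validate(record)
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    good = {"username": "jdoe", "age": 42, "email": "jdoe@example.test", "start_date": "2019-02-10"}
    bad = {"username": "JDoe", "age": "42", "email": "x", "start_date": "2019-02-30", "extra": 1}
    print(check(good))
    print(check(bad))
```

Returning every error at once is deliberate: a log line that records all failed checks for a rejected record is far more useful to both developers and incident handlers than one that records only the first.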

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
NIST CSF v1.0 subcategories used as column headings in the Master Mappings Tool (v7.1a)

ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
ID.BE-1: The organization's role in the supply chain is identified and communicated
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established
ID.GV-1: Organizational information security policy is established
ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
PR.AC-1: Identities and credentials are managed for authorized devices and users
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand roles & responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
PR.AT-4: Senior executives understand roles & responsibilities
PR.AT-5: Physical and information security personnel understand roles & responsibilities
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are continuously improved
PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented
PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
PR.PT-4: Communications and control networks are protected
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated to appropriate parties
DE.DP-5: Detection processes are continuously improved
RS.RP-1: Response plan is executed during or after an event
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Events are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated
RC.RP-1: Recovery plan is executed during or after an event
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
RC.CO-1: Public relations are managed
RC.CO-2: Reputation after an event is repaired
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
CIS Controls v7.1 mapped to NIST 800-82 rev2

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1 to 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1 to 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1 to 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1 to 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1 to 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1 to 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1 to 7.10

Critical Security Control #8: Malware Defenses
System 8.1 to 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1 to 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1 to 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1 to 11.7

Critical Security Control #12: Boundary Defense
Network 12.1 to 12.12

Critical Security Control #13: Data Protection
Network 13.1 to 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1 to 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1 to 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1 to 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1 to 17.9

Critical Security Control #18: Application Software Security
Application 18.1 to 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1 to 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1 to 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

1.1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
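
The DHCP-logging, inventory-field and unauthorized-asset sub-controls above (1.3, 1.5 and 1.6) fit together as one reconciliation loop. The following is an added example written for this page, not code from CIS or from any inventory product: it parses constructed DHCP server log lines in ISC dhcpd syslog style (the log text, MAC addresses, hostnames and the inventory records are all made up for the example), updates a copy of the inventory, and reports devices that obtained a lease without being an approved asset.

```python
import re

# Constructed DHCP server log lines in ISC dhcpd syslog style (sample data for this
# example, not real logs). Only DHCPACK lines record a lease actually handed out.
SAMPLE_DHCP_LOG = """\
Mar 10 08:01:12 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
Mar 10 08:03:40 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.42 to 00:1a:2b:3c:4d:9f (printer-2f) via eth0
Mar 10 08:05:02 dhcp1 dhcpd[812]: DHCPREQUEST for 10.20.1.77 from de:ad:be:ef:00:01 via eth0
Mar 10 08:05:02 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.77 to de:ad:be:ef:00:01 (android-7c1) via eth0
Mar 10 08:09:55 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
"""

# Constructed hardware asset inventory keyed by hardware (MAC) address, carrying the
# fields sub-control 1.5 asks for: network address, machine name, owner, department,
# and whether the asset is approved to connect.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"ip": "10.20.1.15", "name": "ws-finance-07", "owner": "j.doe",
                          "dept": "Finance", "approved": True},
    "00:1a:2b:3c:4d:9f": {"ip": "10.20.1.40", "name": "printer-2f", "owner": "facilities",
                          "dept": "Facilities", "approved": True},
}

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_dhcp_acks(log_text):
    """Return one (mac, ip, hostname) tuple per DHCPACK line; other message types are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases.append((m.group("mac").lower(), m.group("ip"), m.group("host") or ""))
    return leases


def reconcile(leases, inventory):
    """Apply observed leases to a copy of the inventory.

    Returns (updated_inventory, macs_whose_ip_changed, unauthorized_devices). Devices
    not in the inventory are added with approved=False so sub-control 1.6 (remove,
    quarantine, or update the record) can be actioned from the report.
    """
    inv = {mac: dict(record) for mac, record in inventory.items()}
    ip_changed, unauthorized, seen = [], [], set()
    for mac, ip, host in leases:
        if mac in seen:            # one report per device per log window
            continue
        seen.add(mac)
        if mac in inv:
            if inv[mac]["ip"] != ip:
                inv[mac]["ip"] = ip
                ip_changed.append(mac)
        else:
            inv[mac] = {"ip": ip, "name": host, "owner": None, "dept": None, "approved": False}
            unauthorized.append((mac, ip, host))
    return inv, ip_changed, unauthorized


if __name__ == "__main__":
    inv, changed, unknown = reconcile(parse_dhcp_acks(SAMPLE_DHCP_LOG), INVENTORY)
    for mac, ip, host in unknown:
        print(f"UNAUTHORIZED {mac} {ip} {host!r}: not in inventory, quarantine or record it")
    for mac in changed:
        print(f"UPDATED {mac}: address now {inv[mac]['ip']}")
```

Keying on the hardware address rather than the IP is what lets the same record survive a lease change, and it is also the field that an 802.1x authentication system (sub-control 1.7) would look up in the inventory.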
Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
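
Sub-controls 3.6 and 3.7 are usually implemented together: the diff between two scan runs tells you what was fixed, what is new and what persists, and the risk rating decides which persistent findings are now overdue. The block below is an added example, not code from CIS or from any scanner vendor; the two scan result sets, the first-seen dates, the check identifiers and the per-severity remediation deadlines are all constructed values standing in for a scanner export and the organization's own policy.

```python
from datetime import date

# Constructed findings from two consecutive scans, as (host, check id, severity).
# A real implementation would load these from the scanner's export format.
SCAN_PREVIOUS = {
    ("10.20.1.15", "CHECK-0001", "critical"),
    ("10.20.1.15", "CHECK-0002", "medium"),
    ("10.20.1.42", "CHECK-0003", "high"),
    ("10.20.1.42", "CHECK-0004", "low"),
}
SCAN_CURRENT = {
    ("10.20.1.15", "CHECK-0002", "medium"),
    ("10.20.1.42", "CHECK-0003", "high"),
    ("10.20.1.77", "CHECK-0005", "critical"),
}

# Constructed date (ISO format) each finding was first reported.
FIRST_SEEN = {
    ("10.20.1.15", "CHECK-0002"): "2019-01-01",
    ("10.20.1.42", "CHECK-0003"): "2019-03-01",
}

# Constructed policy: days allowed to remediate, by severity (the risk rating of 3.7).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def compare_scans(previous, current):
    """Split findings into remediated, new, and persistent between two scan runs (3.6)."""
    return {
        "remediated": sorted(previous - current),
        "new": sorted(current - previous),
        "persistent": sorted(previous & current),
    }


def overdue(persistent, first_seen, today_iso, sla=SLA_DAYS):
    """Return [(finding, age_in_days)] for persistent findings older than their SLA,
    highest severity first, then oldest first. Unknown first-seen dates count as age 0."""
    today = date.fromisoformat(today_iso)
    late = []
    for finding in persistent:
        host, check, severity = finding
        seen = first_seen.get((host, check))
        age = (today - date.fromisoformat(seen)).days if seen else 0
        if age > sla[severity]:
            late.append((finding, age))
    return sorted(late, key=lambda item: (SEVERITY_RANK[item[0][2]], -item[1]))


def remediation_report(previous, current, first_seen, today_iso):
    """Combine the diff and the SLA check into one report for the review meeting."""
    report = compare_scans(previous, current)
    report["overdue"] = overdue(report["persistent"], first_seen, today_iso)
    return report


if __name__ == "__main__":
    for section, items in remediation_report(SCAN_PREVIOUS, SCAN_CURRENT, FIRST_SEEN, "2019-04-15").items():
        print(section, items)
```

Treating a finding as a (host, check) pair rather than a free-text title keeps the diff stable across scanner output changes, and tracking the first-seen date separately from the scan results is what makes the SLA check possible at all.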

Critical Security Control #4: Controlled Use of Administrative Privileges

4.1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
4.4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software

5.1 Maintain documented security configuration standards for all authorized operating systems and software.
5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2 Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7 On a regular basis, review logs to identify anomalies or abnormal events.
6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections

7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.
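
Sub-control 7.8 names SPF and DMARC, and the most common way an organization falls short of it is a record that exists but does not enforce anything (p=none, ~all, pct below 100, no reporting address). The following is an added example, not code from CIS or from any mail security product: it parses the DNS TXT record syntax for both and reports weaknesses a defender would want flagged before trusting the domain's policy. The records it runs on are constructed sample strings; a real audit would fetch them from DNS for the organization's own domains.

```python
def parse_tag_value(record):
    """Parse a DMARC-style 'tag=value; tag=value' TXT record into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record; an empty list means it enforces."""
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; unauthenticated mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine; move to p=reject once aggregate reports are clean")
    elif policy != "reject":
        findings.append(f"unknown policy value p={policy}")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not be received")
    return findings


def _is_dns_lookup_term(term):
    """Mechanisms/modifiers that each consume one of the 10 DNS lookups SPF allows (RFC 7208 4.6.4)."""
    t = term.lower().lstrip("+-~?")
    return t in ("a", "mx", "ptr") or t.startswith(
        ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:", "redirect="))


def assess_spf(record):
    """Return a list of weaknesses in an SPF record; an empty list means it ends in a hard fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("'+all' authorizes every host on the Internet to send as this domain")
    elif last == "?all":
        findings.append("'?all' is neutral and gives receivers no signal")
    elif last == "~all":
        findings.append("'~all' is a softfail; pair it with DMARC p=reject or use '-all'")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms[1:] if _is_dns_lookup_term(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def assess_domain_records(spf_record, dmarc_record):
    """One report per domain, as an audit script over the organization's zones would produce."""
    return {"spf": assess_spf(spf_record), "dmarc": assess_dmarc(dmarc_record)}


if __name__ == "__main__":
    # Constructed sample records for example.com (not real DNS data).
    print(assess_domain_records("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
                                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
    print(assess_domain_records("v=spf1 a mx ~all", "v=DMARC1; p=none; pct=50"))
```

The lookup count matters because an SPF record that exceeds ten DNS-querying terms evaluates to a permanent error at the receiver, which silently removes the protection the record was meant to provide.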
Critical Security Control #8: Malware Defenses

8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
8.5 Configure devices to not auto-run content from removable media.
8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports

9.1 Associate active ports, services, and protocols to the hardware assets in the asset inventory.
9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities

10.1 Ensure that all system data is automatically backed up on a regular basis.
10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

14.1 Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control

15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control

16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
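
Sub-control 16.4 says "hash with a salt", and the point of the salt is easy to lose in a one-line summary: without it, two accounts with the same password store the same value and a single precomputed table cracks every record at once. The block below is an added example written for this page, not code from CIS; it stores credentials with a per-record random salt and a memory-hard key derivation (scrypt from the Python standard library), keeps the parameters inside the stored record so they can be raised later, and verifies in constant time. The work-factor values and the plain-SHA-256 contrast function are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# scrypt work factors; constructed defaults for this example (16 MiB of memory per hash).
# Raise N on faster hardware; the stored record carries the parameters, so old records
# keep verifying while new ones are written with the higher cost.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_digest(password):
    """What NOT to store: the same password always yields the same digest, so equal
    passwords are visible across accounts and one precomputed table covers them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_credential(password, salt=None):
    """Return 'scrypt$N$r$p$salt_hex$hash_hex', generating a fresh random salt unless given one."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_credential(password, record):
    """Recompute the hash with the salt and parameters stored in the record; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=KEY_BYTES)
    except ValueError:          # malformed record: wrong field count, bad hex, bad integers
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    stored = hash_credential("correct horse battery staple")
    print(stored)
    print(verify_credential("correct horse battery staple", stored),
          verify_credential("wrong password", stored))
```

The constant-time comparison is not about the salt; it closes a separate timing side channel in the final equality check, and it is cheap enough that there is no reason to leave it out.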
Critical Security Control #17: Implement a Security Awareness and Training Program

17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security

18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
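
Sub-control 18.2 lists the three things explicit input checking has to cover: size, data type, and acceptable range or format. The block below is an added example, not code from CIS; it validates a constructed "transfer request" object (the field names, limits and username format are assumptions made up for the example) and shows the shape such checking usually takes in practice: bound the size before inspecting content, check the type before the value, reject unknown fields, and collect every problem so the caller gets one documented error rather than the first one found.

```python
import re


class ValidationError(ValueError):
    """Raised with the list of 'field: reason' strings when any check fails."""

    def __init__(self, problems):
        super().__init__("; ".join(problems))
        self.problems = problems


# Constructed policy values for this example.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_.-]{2,31}")
ALLOWED_FIELDS = {"username", "amount", "memo"}
MAX_FIELDS = 10
MAX_MEMO_CHARS = 140
MAX_AMOUNT_CENTS = 100_000_000   # i.e. 1,000,000.00 in the request's currency


def parse_transfer_request(raw):
    """Validate size, type, and range/format of every field; return a clean dict or raise."""
    problems = []
    # Size first: refuse to inspect an oversized or wrongly shaped payload at all.
    if not isinstance(raw, dict):
        raise ValidationError(["request: must be a JSON object"])
    if len(raw) > MAX_FIELDS:
        raise ValidationError(["request: too many fields"])
    unknown = set(raw) - ALLOWED_FIELDS
    if unknown:
        problems.append(f"request: unexpected fields {sorted(unknown)}")

    # username: type, then format (which also bounds its length).
    username = raw.get("username")
    if not isinstance(username, str):
        problems.append("username: must be a string")
    elif not USERNAME_RE.fullmatch(username):
        problems.append("username: 3-32 chars, lowercase letter first, then letters, digits, '_', '.', '-'")

    # amount: type (bool is an int subclass in Python, so exclude it explicitly), then range.
    amount = raw.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, int):
        problems.append("amount: must be an integer number of cents")
    elif not 1 <= amount <= MAX_AMOUNT_CENTS:
        problems.append(f"amount: must be between 1 and {MAX_AMOUNT_CENTS}")

    # memo: optional, bounded size, printable characters only (no control bytes into logs).
    memo = raw.get("memo", "")
    if not isinstance(memo, str):
        problems.append("memo: must be a string")
    elif len(memo) > MAX_MEMO_CHARS or not memo.isprintable():
        problems.append(f"memo: at most {MAX_MEMO_CHARS} printable characters")

    if problems:
        raise ValidationError(problems)
    return {"username": username, "amount": amount, "memo": memo}


def validate(raw):
    """Wrapper returning (True, parsed) or (False, [problems]) for callers that prefer no exceptions."""
    try:
        return True, parse_transfer_request(raw)
    except ValidationError as exc:
        return False, exc.problems


if __name__ == "__main__":
    print(validate({"username": "alice", "amount": 1250, "memo": "rent"}))
    print(validate({"username": "Alice!", "amount": True, "memo": "x\x00"}))
```

Returning the parsed, typed copy rather than the raw input is deliberate: downstream code then only ever sees values that passed the checks, which is what makes the validation "documented" in the sense 18.2 asks for.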
curity Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain third-party contact information to be used to report a security incident, such
as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis
Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a): ICS security mapping sheet

Only the column headings of this sheet survived extraction; the per-sub-control mapping marks cannot
be recovered from this page. The headings correspond to the section titles of NIST SP 800-82 rev. 2
(section numbers as given in the sheet):

3.1 Risk Management
4.1 Business Case for Security
4.2 Build and Train a Cross-Functional Team
4.3 Define Charter and Scope
4.4 Define ICS-Specific Security Policies and Procedures
4.5 Implement an ICS Security Risk Management Framework
5.1 Network Segmentation and Segregation
5.2 Boundary Protection
5.3 Firewalls
5.4 Logically Separated Control Network
5.5 Network Segregation
5.6 Recommended Defense-in-Depth Architecture
5.7 General Firewall Policies for ICS
5.8 Recommended Firewall Rules for Specific Services
5.9 Network Address Translation (NAT)
5.10 Specific ICS Firewall Issues
5.11 Unidirectional Gateways
5.12 Single Points of Failure
5.13 Redundancy and Fault Tolerance
5.14 Preventing Man-in-the-Middle Attacks
5.15 Authentication and Authorization
5.16 Monitoring, Logging, and Auditing
5.17 Incident Detection, Response, and System Recovery
6.2.1 Access Control
6.2.2 Awareness and Training
6.2.3 Audit and Accountability
6.2.4 Security Assessment and Authorization
6.2.5 Configuration Management
6.2.6 Contingency Planning
6.2.7 Identification and Authentication
6.2.8 Incident Response
6.2.9 Maintenance
6.2.10 Media Protection
6.2.11 Physical and Environmental Protection
6.2.12 Planning
6.2.13 Personnel Security
6.2.14 Risk Assessment
6.2.15 System and Services Acquisition
6.2.16 System and Communications Protection
6.2.17 System and Information Integrity
6.2.18 Program Management
6.2.19 Privacy Controls
CIS Controls v7.1 mapped to NISTIR 7621 (rev 1): Small Business Information Security

Sub-control identifiers per control (asset category as given in the sheet):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices (System): 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
Critical Security Control #2: Inventory of Authorized and Unauthorized Software (System): 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation (System): 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
Critical Security Control #4: Controlled Use of Administrative Privileges (System): 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software (System): 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs (System): 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
Critical Security Control #7: Email and Web Browser Protections (System): 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
Critical Security Control #8: Malware Defenses (System): 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
Critical Security Control #9: Limitation and Control of Network Ports (System): 9.1, 9.2, 9.3, 9.4, 9.5
Critical Security Control #10: Data Recovery Capabilities (System): 10.1, 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches (Network): 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Critical Security Control #12: Boundary Defense (Network): 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Critical Security Control #13: Data Protection (Network): 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know (Application): 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Critical Security Control #15: Wireless Access Control (Network): 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Critical Security Control #16: Account Monitoring and Control (Application): 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program (Application): 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Critical Security Control #18: Application Software Security (Application): 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Critical Security Control #19: Incident Response and Management (Application): 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises (Application): 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
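Sub-controls 1.3 to 1.6 describe one feedback loop: a discovery source (here, DHCP lease logs) updates the hardware inventory, every record must carry the fields listed in 1.5, and anything seen on the wire that is not approved is flagged for removal or quarantine. The following Python is an added worked example, not part of the CIS workbook; the dhcpd-style log line format, the inventory schema and all sample data are assumptions made for the illustration.

```python
"""Reconcile DHCP lease records against the hardware asset inventory.

Added example for CIS sub-controls 1.3 to 1.6; it is not part of the CIS
workbook. The dhcpd-style log format, the inventory schema and all sample
data below are assumptions made for the illustration.
"""
import copy
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed syslog line shape: "... dhcpd: DHCPACK on <ip> to <mac> (<hostname>) via <iface>".
# The hostname is optional on the wire, so its group is optional here too.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]+)\))?"
)

# The fields sub-control 1.5 says every inventory record must carry.
REQUIRED_FIELDS = ("ip", "mac", "hostname", "owner", "department", "approved")


@dataclass
class Asset:
    mac: str
    ip: Optional[str] = None
    hostname: Optional[str] = None
    owner: Optional[str] = None
    department: Optional[str] = None
    approved: Optional[bool] = None   # None = never reviewed, which is not the same as False


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated, so 0A-BB-.. from one tool equals 0a:bb:.. from another."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(lines):
    """Yield (mac, ip, hostname) for each DHCPACK; DISCOVER/REQUEST/NAK lines are ignored."""
    for line in lines:
        m = LEASE_RE.search(line)
        if m:
            yield normalize_mac(m["mac"]), m["ip"], m["host"]


def reconcile(lease_lines, inventory: Dict[str, Asset]):
    """Three buckets an asset owner needs to act on:
    unauthorized  seen on the network but absent from the inventory or not approved (1.6)
    updated       approved assets whose address or name changed; inventory refreshed in place (1.3)
    incomplete    inventory records missing a field required by 1.5
    """
    report = {"unauthorized": [], "updated": [], "incomplete": []}
    for mac, ip, host in parse_leases(lease_lines):
        asset = inventory.get(mac)
        if asset is None or asset.approved is not True:
            report["unauthorized"].append({"mac": mac, "ip": ip, "hostname": host})
            continue
        if asset.ip != ip or (host and asset.hostname != host):
            asset.ip, asset.hostname = ip, host or asset.hostname
            report["updated"].append(mac)
    for mac, asset in inventory.items():
        missing = [f for f in REQUIRED_FIELDS if getattr(asset, f) is None]
        if missing:
            report["incomplete"].append((mac, missing))
    return report


# Constructed sample input: four syslog lines and a two-record inventory.
SAMPLE_LEASES = [
    "Jun  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.20.15 to 00:11:22:33:44:55 (eng-ws-07) via eth1",
    "Jun  3 09:12:03 dhcp1 dhcpd: DHCPDISCOVER from 0a:bb:cc:dd:ee:ff via eth1",
    "Jun  3 09:12:04 dhcp1 dhcpd: DHCPACK on 10.0.20.77 to 0A:BB:CC:DD:EE:FF via eth1",
    "Jun  3 09:12:09 dhcp1 dhcpd: DHCPACK on 10.0.20.40 to 66:77:88:99:aa:bb (printer-2) via eth1",
]
SAMPLE_INVENTORY = {
    "00:11:22:33:44:55": Asset("00:11:22:33:44:55", "10.0.20.14", "eng-ws-07", "a.lee", "Engineering", True),
    "66:77:88:99:aa:bb": Asset("66:77:88:99:aa:bb", "10.0.20.40", "printer-2", None, "Facilities", False),
}


def demo():
    """Run the reconciliation on a copy so repeated calls see the same starting inventory."""
    return reconcile(SAMPLE_LEASES, copy.deepcopy(SAMPLE_INVENTORY))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Two design points worth copying: the MAC address is normalized before it is used as a key, because DHCP servers, switches and inventory tools disagree on case and separators, and `approved is not True` treats a record that was never reviewed the same as one that was rejected, so a half-filled inventory entry cannot quietly whitelist a device.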
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
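Sub-controls 3.6 and 3.7 are usually implemented together: diff consecutive scans so that "remediated" is only claimed when the host was actually rescanned, then rank what is still open by a risk rating that weights the CVSS score by asset criticality and derives a remediation deadline from it. The Python below is an added example, not part of the CIS workbook; the scan record layout, the per-host criticality weights, the risk bands and the SLA days are assumptions chosen for the illustration, and the sample scans are constructed.

```python
"""Diff consecutive vulnerability scans and rank what remains open.

Added example for CIS sub-controls 3.6 and 3.7; it is not part of the CIS
workbook. The scan record layout (host, vulnerability id, CVSS base score),
the per-host criticality weights, the risk bands and the SLA days are all
assumptions chosen for the illustration; the sample scans are constructed.
"""
from datetime import date
from typing import Dict, Iterable, Tuple

Finding = Tuple[str, str, float]          # (host, vuln_id, cvss_base)
Key = Tuple[str, str]                      # (host, vuln_id)

CRITICALITY = {"db01": 3, "web01": 2, "kiosk07": 1}   # 1 = low, 3 = business critical
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def diff_scans(previous: Iterable[Finding], current: Iterable[Finding]):
    """Set arithmetic on (host, vuln_id). A finding is 'remediated' only if the
    same host was present in the later scan; a host that vanished from the scan
    is reported separately so a scanner outage is never booked as a fix."""
    prev = {(h, v): s for h, v, s in previous}
    curr = {(h, v): s for h, v, s in current}
    scanned_now = {h for h, _ in curr}
    remediated, vanished = [], []
    for key in prev.keys() - curr.keys():
        (remediated if key[0] in scanned_now else vanished).append(key)
    return {
        "new": sorted(curr.keys() - prev.keys()),
        "remediated": sorted(remediated),
        "persistent": sorted(prev.keys() & curr.keys()),
        "host_not_scanned": sorted(vanished),
    }


def risk_score(cvss: float, host: str) -> float:
    """CVSS weighted by how much the business depends on the host (3.7)."""
    return round(cvss * CRITICALITY.get(host, 1), 1)


def risk_band(score: float) -> str:
    # Bands on the 0-30 weighted scale; a perfect-10 CVSS on a low-value host lands in 'medium'.
    if score >= 27:
        return "critical"
    if score >= 18:
        return "high"
    if score >= 9:
        return "medium"
    return "low"


def prioritize(current: Iterable[Finding], first_seen: Dict[Key, date], today: date):
    """Open findings sorted by weighted risk, each with the days left before its SLA expires
    (negative means already overdue). Findings first seen today start a fresh clock."""
    rows = []
    for host, vuln, cvss in current:
        score = risk_score(cvss, host)
        band = risk_band(score)
        age = (today - first_seen.get((host, vuln), today)).days
        rows.append({"host": host, "vuln": vuln, "score": score, "band": band,
                     "days_left": SLA_DAYS[band] - age})
    return sorted(rows, key=lambda r: (-r["score"], r["days_left"]))


# Constructed sample: two scans a week apart.
PREVIOUS_SCAN = [("db01", "CVE-2021-44228", 10.0), ("web01", "CVE-2019-0211", 7.8),
                 ("kiosk07", "CVE-2017-0144", 8.1)]
CURRENT_SCAN = [("db01", "CVE-2021-44228", 10.0), ("web01", "CVE-2022-22965", 9.8),
                ("kiosk07", "CVE-2017-0144", 8.1)]
FIRST_SEEN = {("db01", "CVE-2021-44228"): date(2023, 5, 1),
              ("kiosk07", "CVE-2017-0144"): date(2023, 1, 10)}
TODAY = date(2023, 5, 8)


def demo():
    return diff_scans(PREVIOUS_SCAN, CURRENT_SCAN), prioritize(CURRENT_SCAN, FIRST_SEEN, TODAY)


if __name__ == "__main__":
    changes, queue = demo()
    print(changes)
    for row in queue:
        print(row)
```

The `host_not_scanned` bucket is the caveat that matters in practice: a host that was offline, or that a new host-based firewall rule now hides from the scanner, disappears from the results and will look like a remediation unless the comparison checks that the host was seen at all.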

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
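Sub-controls 4.8 and 4.9 are detection rules over the security event log. The Python below is an added example, not part of the CIS workbook, showing both rules over a handful of Windows Security events: membership changes to groups the organization treats as administrative, and a sliding-window count of failed logons against inventoried administrative accounts. The input is assumed to be events already exported as JSON-like dictionaries whose keys follow the Windows event schema; the list of administrative groups and accounts, the threshold, and the sample events are constructed for the illustration.

```python
"""Alert on administrative group changes and failed administrative logons.

Added example for CIS sub-controls 4.8 and 4.9; not part of the CIS workbook.
Input records are assumed to be Windows Security events already exported as
dictionaries whose keys follow the Windows event schema; the admin group list,
the admin account inventory, the threshold and the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs: member added to / removed from a security-enabled
# global (4728/4729), local (4732/4733) or universal (4756/4757) group; 4625 = failed logon.
GROUP_ADD = {4728, 4732, 4756}
GROUP_REMOVE = {4729, 4733, 4757}
FAILED_LOGON = 4625

ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}  # assumed
ADMIN_ACCOUNTS = {"adm-jsmith", "adm-backup"}   # assumed: the inventory kept under sub-control 4.1
FAILED_LOGON_THRESHOLD = 3
WINDOW = timedelta(minutes=10)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def group_change_alerts(events):
    """One alert per add/remove that touches an administrative group, whoever performed it (4.8)."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid in GROUP_ADD or eid in GROUP_REMOVE:
            # In the 47xx group events TargetUserName is the group; MemberName is the account moved.
            if ev["TargetUserName"].lower() in ADMIN_GROUPS:
                alerts.append({
                    "time": ev["TimeCreated"],
                    "action": "added" if eid in GROUP_ADD else "removed",
                    "group": ev["TargetUserName"],
                    "member": ev["MemberName"],
                    "by": ev["SubjectUserName"],
                })
    return alerts


def failed_admin_logon_alerts(events, threshold=FAILED_LOGON_THRESHOLD, window=WINDOW):
    """Sliding window per administrative account (4.9): fire when the number of 4625
    events inside `window` lands exactly on `threshold`, so a burst produces one alert
    rather than one per extra failure. Non-administrative accounts are ignored here."""
    per_account = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] != FAILED_LOGON:
            continue
        acct = ev["TargetUserName"].lower()
        if acct not in ADMIN_ACCOUNTS:
            continue
        ts = parse_ts(ev["TimeCreated"])
        recent = [t for t in per_account[acct] if ts - t <= window] + [ts]
        per_account[acct] = recent
        if len(recent) == threshold:
            alerts.append({"account": acct, "count": threshold,
                           "from": ev.get("IpAddress"), "at": ev["TimeCreated"]})
    return alerts


# Constructed sample events.
SAMPLE_EVENTS = [
    {"EventID": 4732, "TimeCreated": "2023-06-03T09:15:00", "SubjectUserName": "adm-jsmith",
     "TargetUserName": "Administrators", "MemberName": "CORP\\svc-deploy"},
    {"EventID": 4732, "TimeCreated": "2023-06-03T09:16:00", "SubjectUserName": "adm-jsmith",
     "TargetUserName": "Remote Desktop Users", "MemberName": "CORP\\hr-temp"},
    {"EventID": 4625, "TimeCreated": "2023-06-03T09:20:01", "TargetUserName": "adm-backup", "IpAddress": "10.0.5.9"},
    {"EventID": 4625, "TimeCreated": "2023-06-03T09:20:07", "TargetUserName": "adm-backup", "IpAddress": "10.0.5.9"},
    {"EventID": 4625, "TimeCreated": "2023-06-03T09:20:12", "TargetUserName": "adm-backup", "IpAddress": "10.0.5.9"},
    {"EventID": 4625, "TimeCreated": "2023-06-03T09:21:00", "TargetUserName": "jdoe", "IpAddress": "10.0.5.20"},
    {"EventID": 4625, "TimeCreated": "2023-06-03T09:21:30", "TargetUserName": "jdoe", "IpAddress": "10.0.5.20"},
    {"EventID": 4625, "TimeCreated": "2023-06-03T09:21:45", "TargetUserName": "jdoe", "IpAddress": "10.0.5.20"},
    {"EventID": 4729, "TimeCreated": "2023-06-03T10:02:00", "SubjectUserName": "adm-jsmith",
     "TargetUserName": "Domain Admins", "MemberName": "CORP\\adm-old"},
]


def demo():
    return group_change_alerts(SAMPLE_EVENTS), failed_admin_logon_alerts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo()[0] + demo()[1]:
        print(alert)
```

Note that the group-change rule does not whitelist the actor: a legitimate administrator adding a service account to Administrators is exactly the event 4.8 wants a ticket for, and filtering on who made the change would also hide an attacker using a stolen administrative account.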
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
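Sub-control 7.8 chains three mechanisms: SPF says which addresses may send for a domain, DKIM signs the message with a key published under the signing domain, and DMARC decides what happens when neither result aligns with the From: domain the recipient actually sees. The Python below is an added example, not part of the CIS workbook, that walks through that decision offline: it evaluates an SPF record against a sender address, parses a DMARC record, and applies the policy for three senders. The records and addresses are constructed, the DNS records are passed in as strings rather than looked up, and only the ip4/ip6/all SPF mechanisms are evaluated (include, a, mx and exists need DNS); those simplifications are assumptions made so the example runs without network access.

```python
"""Evaluate SPF and apply a DMARC policy, offline.

Added example for CIS sub-control 7.8; not part of the CIS workbook. The DNS
records are passed in as strings rather than looked up, and only the ip4/ip6/all
SPF mechanisms are evaluated (include, a, mx and exists need DNS); both are
assumptions so the example runs without network access. Records and addresses
below are constructed.
"""
import ipaddress
from typing import Dict

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """First matching mechanism wins (RFC 7208); a record that matches nothing is 'neutral'."""
    if not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6") and value:
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        # include:, a, mx, exists: would need DNS; treated as non-matching here (assumption).
    return "neutral"


def parse_dmarc(record: str) -> Dict[str, str]:
    """tag=value pairs separated by ';'. Returns {} unless v=DMARC1. Alignment modes
    default to relaxed ('r') and the policy to 'none', as the RFC specifies."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Approximates the organisational domain as the last two labels. Production code
    consults the Public Suffix List; this shortcut is an assumption for the example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, authenticated: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organisational domain."""
    a, b = header_from.lower().rstrip("."), authenticated.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(dmarc, header_from, spf_result, spf_domain, dkim_pass, dkim_domain):
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with the
    RFC5322.From domain; otherwise the p= policy (none/quarantine/reject) applies."""
    if not dmarc:
        return "no-policy"
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, dmarc["aspf"])
    dkim_ok = bool(dkim_pass and dkim_domain) and aligned(header_from, dkim_domain, dmarc["adkim"])
    return "pass" if (spf_ok or dkim_ok) else dmarc["p"]


# Constructed records for a fictitious domain.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; aspf=s"


def demo():
    dmarc = parse_dmarc(DMARC_RECORD)
    # Own mail server: SPF passes and the MAIL FROM domain equals the From: domain.
    legit = dmarc_disposition(dmarc, "example.com", evaluate_spf(SPF_RECORD, "203.0.113.25"),
                              "example.com", False, None)
    # Spoofer on an unlisted address, no DKIM: SPF fails, the p= policy applies.
    spoof = dmarc_disposition(dmarc, "example.com", evaluate_spf(SPF_RECORD, "198.51.100.7"),
                              "example.com", False, None)
    # Bulk sender using mail.example.com as MAIL FROM: SPF passes for that subdomain but
    # strict aspf breaks alignment; a DKIM signature with d=example.com rescues the message.
    bulk = dmarc_disposition(dmarc, "example.com",
                             evaluate_spf("v=spf1 ip4:192.0.2.0/24 ~all", "192.0.2.9"),
                             "mail.example.com", True, "example.com")
    return legit, spoof, bulk


if __name__ == "__main__":
    print(demo())
```

The third case is the one that catches teams moving from p=none to p=quarantine: a third-party sender can pass SPF for its own return-path domain and still fail DMARC, because what DMARC checks is alignment with the visible From: domain, which is why 7.8 says to get SPF and DKIM right first and then tighten the DMARC policy.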
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
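Sub-control 8.7 (and 7.7 before it) depends on matching query names against a list of known malicious domains, and the common mistake is a substring match that either misses subdomains or flags unrelated names sharing a suffix. The Python below is an added example, not part of the CIS workbook, that scans BIND-style query log lines with label-boundary matching. The log line format, the blocklist and the sample lines are constructed for the illustration.

```python
"""Flag DNS queries for known-malicious domains in a query log.

Added example for CIS sub-controls 7.7 and 8.7; not part of the CIS workbook.
The log line shape (BIND query log) and the blocklist are constructed for
the illustration.
"""
import re
from collections import Counter

# Assumed BIND query log line:
# "<date> <time> queries: info: client @0x.. <ip>#<port> (<qname>): query: <qname> IN <type> + (<server>)"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; compare them canonically."""
    return name.rstrip(".").lower()


class DomainBlocklist:
    """Matches a name if it equals a listed domain or is a subdomain of one.
    Matching walks label boundaries, so 'notevil.example' is NOT caught by a
    listing for 'evil.example', while 'cdn.evil.example' is."""

    def __init__(self, domains):
        self.domains = {normalize(d) for d in domains}

    def match(self, qname: str):
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


def scan_query_log(lines, blocklist: DomainBlocklist):
    """One hit per matching query, carrying the client address so the host can be triaged."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        listed = blocklist.match(m["qname"])
        if listed:
            hits.append({"client": m["client"], "qname": normalize(m["qname"]),
                         "listed": listed, "qtype": m["qtype"]})
    return hits


def clients_by_hit_count(hits):
    """Which internal hosts talk to listed domains most; the incident handler's starting list."""
    return Counter(h["client"] for h in hits).most_common()


# Constructed sample log lines.
SAMPLE_LOG = [
    "03-Jun-2023 09:31:02.113 queries: info: client @0x7f3a 10.0.20.15#50233 (www.evil.example): query: www.evil.example IN A + (10.0.0.53)",
    "03-Jun-2023 09:31:02.411 queries: info: client @0x7f3a 10.0.20.15#50234 (notevil.example): query: notevil.example IN A + (10.0.0.53)",
    "03-Jun-2023 09:31:05.002 queries: info: client @0x7f3b 10.0.20.40#41001 (cdn.evil.example.): query: cdn.evil.example IN AAAA + (10.0.0.53)",
    "03-Jun-2023 09:31:07.760 queries: info: client @0x7f3c 10.0.20.15#50235 (www.example.org): query: www.example.org IN A + (10.0.0.53)",
    "03-Jun-2023 09:31:09.000 queries: info: client @0x7f3d 10.0.20.77#60000 (C2-BEACON.badhost.example): query: c2-beacon.badhost.example IN TXT + (10.0.0.53)",
]
BLOCKLIST = DomainBlocklist(["evil.example", "badhost.example"])


def demo():
    return scan_query_log(SAMPLE_LOG, BLOCKLIST)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
    print(clients_by_hit_count(demo()))
```

The TXT query in the last sample line is deliberate: resolvers that only alert on A/AAAA lookups miss command-and-control traffic tunnelled over other record types, so the rule matches on the name regardless of query type and records the type for the analyst.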
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
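Sub-controls 9.1 and 9.3 only work as a pair: the scan result has to be compared against the ports recorded for each asset, not against a global allow list, and the comparison should also notice when an expected service is no longer seen. The Python below is an added example, not part of the CIS workbook, that parses nmap's greppable output (-oG) and reports the differences per host. The sample scan and the authorized-port inventory are constructed for the illustration.

```python
"""Compare an nmap scan against the authorized ports recorded per asset.

Added example for CIS sub-controls 9.1 and 9.3; not part of the CIS workbook.
Input is nmap's greppable output (-oG); the sample scan and the authorized
port inventory are constructed for the illustration.
"""
import re
from typing import Dict, Set, Tuple

Port = Tuple[str, int]   # (protocol, port)

# -oG host line: "Host: <ip> (<name>)\tPorts: <entry>, <entry>...\tIgnored State: ..."
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>.+?)(?:\t|$)")


def parse_grepable(lines) -> Dict[str, Set[Port]]:
    """Return {ip: {(proto, port), ...}} for ports nmap reports as open.
    Each -oG port entry is port/state/protocol/owner/service/rpcinfo/version/."""
    open_ports: Dict[str, Set[Port]] = {}
    for line in lines:
        m = HOST_RE.match(line)
        if not m:
            continue   # comment lines and "Status: Up" lines carry no port data
        found: Set[Port] = set()
        for entry in m["ports"].split(", "):
            fields = entry.split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":
                found.add((proto, int(port)))
        open_ports[m["ip"]] = found
    return open_ports


def compare(observed: Dict[str, Set[Port]], authorized: Dict[str, Set[Port]]):
    """Three findings a 9.3 alert should carry:
    unauthorized  open and not in the inventory for that host
    missing       authorized but not observed (service down, or a host firewall now blocks the scanner)
    unknown_host  scanned address with no inventory record at all (feed this back into Control 1)
    """
    report = {"unauthorized": {}, "missing": {}, "unknown_host": []}
    for ip, ports in observed.items():
        if ip not in authorized:
            report["unknown_host"].append(ip)
            continue
        extra = ports - authorized[ip]
        gone = authorized[ip] - ports
        if extra:
            report["unauthorized"][ip] = sorted(extra)
        if gone:
            report["missing"][ip] = sorted(gone)
    return report


# Constructed sample scan output and inventory.
SAMPLE_SCAN = [
    "# Nmap 7.93 scan initiated Sat Jun  3 09:00:00 2023 as: nmap -sS -oG - 10.0.20.0/24",
    "Host: 10.0.20.15 (eng-ws-07)\tStatus: Up",
    "Host: 10.0.20.15 (eng-ws-07)\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)",
    "Host: 10.0.20.40 (printer-2)\tPorts: 80/filtered/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)",
    "Host: 10.0.20.77 ()\tPorts: 4444/open/tcp//krb524///\tIgnored State: closed (999)",
]
AUTHORIZED: Dict[str, Set[Port]] = {
    "10.0.20.15": {("tcp", 22)},
    "10.0.20.40": {("tcp", 80), ("tcp", 9100)},
}


def demo():
    return compare(parse_grepable(SAMPLE_SCAN), AUTHORIZED)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2, default=list))
```

Only the `open` state is treated as a listening service; `filtered` means the scanner got no answer, which is reported under `missing` so someone checks whether the printer's web interface went away or a firewall rule from sub-control 9.4 is now in front of it.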
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Management).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
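Sub-control 16.4 is short, but "hash with a salt" hides three details that decide whether a stolen credential store is recoverable: a random salt per credential, a deliberately slow key-derivation function rather than a plain hash, and a constant-time comparison at verification. The Python below is an added example, not part of the CIS workbook, using the standard library's PBKDF2-HMAC so it runs anywhere; the iteration count, the record format and the rehash policy are this example's own choices.

```python
"""Store and verify credentials as salted, iterated hashes (CIS sub-control 16.4).

Added example; not part of the CIS workbook. Uses hashlib.pbkdf2_hmac from the
standard library so it runs anywhere; the iteration count, the record format and
the rehash rule below are this example's own choices.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 600_000   # assumption: tune so one verification costs roughly 100 ms on your hardware
SALT_BYTES = 16


def hash_credential(secret: str, *, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.
    A fresh random salt per credential means two users with the same password get
    different records and a precomputed table is useless against the store."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, secret.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_" + ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_credential(secret: str, record: str) -> bool:
    """Recompute with the stored salt and parameters and compare in constant time.
    Any malformed record verifies as False rather than raising."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        algorithm = scheme.split("_", 1)[1]
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac(algorithm, secret.encode("utf-8"), salt, int(iterations))
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record was made with weaker parameters than current policy;
    rehash it the next time the user authenticates successfully, since the plaintext
    is only available at that moment."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_" + ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")
    print(record)
    print(verify_credential("correct horse battery staple", record),
          verify_credential("wrong", record), needs_rehash(record))
```

Storing the algorithm and iteration count inside the record is what makes the parameters upgradable: `needs_rehash` lets the iteration count be raised in one place and the store migrate itself as users log in, with no forced password reset.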
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
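Sub-control 18.2 calls for explicit, documented error checking of every input for size, data type and acceptable range or format. The following is an added example in Python, not CIS code; the schema, field names and sample payloads are constructed for illustration. It is allow-list style: fields not in the schema are rejected, types are compared exactly (no coercion, and `bool` is not accepted where `int` is expected), and every violation is collected rather than stopping at the first one.

```python
"""Explicit input checking for size, type, range and format (CIS sub-control 18.2).

Added example, not CIS code; schema and payloads are constructed.
"""
import re

# Constructed schema for a hypothetical order form.
SCHEMA = {
    "username": {"type": str, "min_len": 3, "max_len": 32, "pattern": re.compile(r"[a-z0-9_]+")},
    "quantity": {"type": int, "min": 1, "max": 1000},
    "email": {"type": str, "max_len": 254, "pattern": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")},
    "note": {"type": str, "max_len": 200, "optional": True},
}


def validate(payload, schema=SCHEMA) -> list:
    """Return every violation found; an empty list means the payload is accepted."""
    if not isinstance(payload, dict):
        return ["payload: expected an object"]
    errors = []
    for field in payload:                       # unknown fields are rejected, not ignored
        if field not in schema:
            errors.append(f"{field}: unexpected field")
    for field, rule in schema.items():
        if field not in payload:
            if not rule.get("optional"):
                errors.append(f"{field}: missing")
            continue
        value = payload[field]
        if type(value) is not rule["type"]:     # exact type; bool is not an acceptable int
            errors.append(f"{field}: expected {rule['type'].__name__}, got {type(value).__name__}")
            continue
        if isinstance(value, str):
            if len(value) < rule.get("min_len", 0):
                errors.append(f"{field}: shorter than {rule['min_len']} characters")
            if len(value) > rule.get("max_len", float("inf")):
                errors.append(f"{field}: longer than {rule['max_len']} characters")
            pattern = rule.get("pattern")
            if pattern and not pattern.fullmatch(value):   # whole value must match
                errors.append(f"{field}: does not match required format")
        if isinstance(value, int):
            lo, hi = rule.get("min", float("-inf")), rule.get("max", float("inf"))
            if value < lo or value > hi:
                errors.append(f"{field}: outside allowed range {lo}..{hi}")
    return errors
```

`fullmatch` is used instead of `match` with `$` because `$` in Python regular expressions also matches before a trailing newline, which would let `"alice\n"` through a format check.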
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain third-party contact information to be used to report a security incident, such
as Law Enforcement, relevant government departments, vendors, and Information Sharing and
Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)

[Mapping grid: CIS sub-controls (rows) marked with X against the columns listed below. Only the column headings survived extraction; the row labels (apart from a fragment of "Routers and Switches" from Control 11) and the individual X cells could not be reconstructed.]

3.1a Identify and control who has access to your business information
3.1b Conduct Background Checks
3.1c Require individual user accounts for each employee
3.1d Create policies and procedures for information security
3.2a Limit employee access to data and information
3.2b Install Surge Protectors and Uninterruptible Power Supplies (UPS)
3.2c Patch your operating systems and applications
3.2d Install and activate software and hardware firewalls on all your business networks
3.2e Secure your wireless access point and networks
3.2f Set up web and email filters
3.2g Use encryption for sensitive business information
3.2h Dispose of old computers and media safely
3.2i Train your employees
3.3a Install and update anti-virus, -spyware, and other -malware programs
3.3b Maintain and monitor logs
3.4a Develop a plan for disasters and information security incidents
3.5a Make full backups of important business data/information
3.5b Make incremental backups of important business data/information
3.5c Consider cyber insurance
3.5d Make improvements to processes / procedures / technologies
4.0a Pay attention to the people you work with and around
4.0b Be careful of email attachments and web links
4.0c Use separate personal and business computers, mobile devices, and accounts
4.0d Do not connect personal or untrusted storage devices or hardware into your computer, mobile device, or network
4.0e Be careful downloading software
4.0f Do not give out personal or business information
4.0g Watch for harmful pop-ups
4.0h Use strong passwords
4.0i Conduct online business more securely
CIS Controls v7.1 mapped to the DHS CDM Program

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7

System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2
Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1
Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12
Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9
Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4
Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls

CIS Controls v7.1 mapped to the DHS CDM Program

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
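Sub-controls 4.8 and 4.9 require a log entry and an alert whenever an account is added to or removed from an administrative group, and on every unsuccessful login to an administrative account. The following is an added example in Python, not CIS code, showing that detection logic run over a small constructed audit trail. The `timestamp key=value ...` line format, the event names (`group_member_added`, `logon_failed`, and so on) and the group and account names are this example's own; map them onto what your directory, operating system or SIEM actually emits.

```python
"""Alerting on administrative-privilege events (CIS sub-controls 4.8 and 4.9).

Added example, not CIS code. Log format, event names and sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import shlex

# Constructed sample audit trail (not real data).
SAMPLE_LOG = """\
2024-03-01T09:12:03Z host=dc01 event=group_member_added group="Domain Admins" member=jdoe actor=svc_provision
2024-03-01T09:13:10Z host=dc01 event=group_member_added group="Sales" member=asmith actor=hr_sync
2024-03-01T09:15:44Z host=srv07 event=logon_failed user=administrator src=10.0.5.23
2024-03-01T09:15:51Z host=srv07 event=logon_failed user=administrator src=10.0.5.23
2024-03-01T09:16:02Z host=srv07 event=logon_failed user=administrator src=10.0.5.23
2024-03-01T09:20:00Z host=ws12 event=logon_failed user=bwong src=10.0.9.4
2024-03-01T11:40:17Z host=dc01 event=group_member_removed group="Domain Admins" member=jdoe actor=svc_provision
2024-03-01T12:01:09Z host=srv07 event=logon_ok user=administrator src=10.0.5.10
"""

ADMIN_GROUPS = {"Domain Admins", "Administrators"}   # groups that carry administrative privilege
ADMIN_ACCOUNTS = {"administrator", "root"}           # accounts whose failed logons are always alerted


def parse_event(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict; shlex keeps quoted values intact."""
    stamp, *pairs = shlex.split(line)
    event = {"ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def admin_alerts(log: str, burst_threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Return (severity, message) tuples in log order.

    4.8: every add/remove on an administrative group is alerted, whoever performed
         it, because the provisioning account is exactly what gets abused.
    4.9: every failed logon to an administrative account is alerted; a run of
         `burst_threshold` failures for one account inside `window` is raised
         as a separate high-severity alert.
    """
    alerts = []
    recent_failures = defaultdict(list)     # admin account -> timestamps inside the window
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        stamp = ev["ts"].isoformat()
        if ev["event"] in ("group_member_added", "group_member_removed") and ev["group"] in ADMIN_GROUPS:
            verb = "added to" if ev["event"] == "group_member_added" else "removed from"
            alerts.append(("high", f"{stamp} {ev['member']} {verb} {ev['group']} by {ev['actor']} on {ev['host']}"))
        elif ev["event"] == "logon_failed" and ev["user"].lower() in ADMIN_ACCOUNTS:
            alerts.append(("medium", f"{stamp} failed logon to {ev['user']} on {ev['host']} from {ev['src']}"))
            recent = [t for t in recent_failures[ev["user"]] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(recent) >= burst_threshold:
                alerts.append(("high", f"{stamp} {len(recent)} failed admin logons to {ev['user']} within {window}"))
                recent = []                 # start a new window after reporting the burst
            recent_failures[ev["user"]] = recent
    return alerts
```

Run over the sample, the membership change on "Sales" and the failed logon for the ordinary user `bwong` produce nothing, while both changes to "Domain Admins" and each of the three `administrator` failures are alerted, the third also triggering the burst alert.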
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
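Sub-control 7.8 asks for DMARC policy and verification, built on SPF and DKIM. Publishing the records is only half of it: a DMARC record with `p=none` or an SPF record ending in `~all` or `+all` still lets spoofed mail through. The following is an added example in Python, not CIS code, that parses SPF and DMARC TXT records and reports such weak settings. The records are constructed and held in a dictionary; in a real check you would obtain them with a DNS TXT lookup for the domain and for `_dmarc.<domain>` (no network access is used here).

```python
"""Assessing published SPF and DMARC records for weak settings (CIS sub-control 7.8).

Added example, not CIS code. TXT records below are constructed, not real domains' data.
"""

SAMPLE_TXT = {
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; pct=100"],
    "soft.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    "open.example": ["v=spf1 +all", "some unrelated txt record"],
}


def parse_spf(records):
    """Return {'terms': [...], 'all': qualifier} or None if there is not exactly one SPF record."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:            # missing and duplicated SPF records both fail evaluation
        return None
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        qualifier = None
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"   # bare 'all' means '+all'
    return {"terms": terms, "all": qualifier}


def parse_dmarc(records):
    """Return the tag=value pairs of the single DMARC record, or None."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, txt: dict) -> list:
    """Return findings for the domain; an empty list means both policies are enforcing."""
    findings = []
    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append("SPF: no single valid v=spf1 record published")
    elif spf["all"] is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders evaluate as neutral")
    elif spf["all"] == "+":
        findings.append("SPF: '+all' authorises every sender; the record provides no protection")
    elif spf["all"] in "~?":
        findings.append(f"SPF: '{spf['all']}all' is softfail/neutral rather than '-all'")
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append(f"DMARC: no single valid v=DMARC1 record at _dmarc.{domain}")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings
```

The ordering matters when rolling DMARC out: `p=none` with `rua=` is the correct first step for collecting reports, but it is a finding here because the sub-control's goal is to lower the chance of spoofed mail being delivered, which only `quarantine` or `reject` does.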
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)

[Mapping matrix columns: Hardware Asset Management (HWAM), Software Asset Management (SWAM), Configuration Settings Management (CSM), Vulnerability Management (VUL), Access Control Management (TRUST), Security-Related Behavior Management (BEHV), Credentials & Authentication Management (CRED), Privileges (PRIV), Boundary Protection, Generic Audit Monitoring, Plan for Events, Respond to Events, Document Requirements, Quality Management, Risk Management. The per-control X marks are not recoverable from this copy.]
CIS Controls v7.1 mapped to ISO 27002:2013

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, System 1.2, System 1.3, System 1.4, System 1.5, System 1.6, System 1.7, System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, System 2.2, System 2.3, System 2.4, System 2.5, System 2.6, System 2.7, System 2.8, System 2.9, System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, System 3.2, System 3.3, System 3.4, System 3.5, System 3.6, System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, System 4.2, System 4.3, System 4.4, System 4.5, System 4.6, System 4.7, System 4.8, System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, System 5.2, System 5.3, System 5.4, System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, System 6.2, System 6.3, System 6.4, System 6.5, System 6.6, System 6.7, System 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, System 7.2, System 7.3, System 7.4, System 7.5, System 7.6, System 7.7, System 7.8, System 7.9, System 7.10

Critical Security Control #8: Malware Defenses
System 8.1, System 8.2, System 8.3, System 8.4, System 8.5, System 8.6, System 8.7, System 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, System 9.2, System 9.3, System 9.4, System 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, System 10.2, System 10.3, System 10.4, System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, Network 11.2, Network 11.3, Network 11.4, Network 11.5, Network 11.6, Network 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, Network 12.2, Network 12.3, Network 12.4, Network 12.5, Network 12.6, Network 12.7, Network 12.8, Network 12.9, Network 12.10, Network 12.11, Network 12.12

Critical Security Control #13: Data Protection
Network 13.1, Network 13.2, Network 13.3, Network 13.4, Network 13.5, Network 13.6, Network 13.7, Network 13.8, Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, Application 14.2, Application 14.3, Application 14.4, Application 14.5, Application 14.6, Application 14.7, Application 14.8, Application 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, Network 15.2, Network 15.3, Network 15.4, Network 15.5, Network 15.6, Network 15.7, Network 15.8, Network 15.9, Network 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, Application 16.2, Application 16.3, Application 16.4, Application 16.5, Application 16.6, Application 16.7, Application 16.8, Application 16.9, Application 16.10, Application 16.11, Application 16.12, Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, Application 17.2, Application 17.3, Application 17.4, Application 17.5, Application 17.6, Application 17.7, Application 17.8, Application 17.9

Critical Security Control #18: Application Software Security
Application 18.1, Application 18.2, Application 18.3, Application 18.4, Application 18.5, Application 18.6, Application 18.7, Application 18.8, Application 18.9, Application 18.10, Application 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, Application 19.2, Application 19.3, Application 19.4, Application 19.5, Application 19.6, Application 19.7, Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, Application 20.2, Application 20.3, Application 20.4, Application 20.5, Application 20.6, Application 20.7, Application 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
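
The audit-logging and File Integrity Monitoring requirement above is easiest to reason about with a concrete check. The following is an added example, not code from the CIS document or any FIM product: it builds a SHA-256 baseline of a directory tree, then classifies later differences as added, removed or modified files, which is the event a FIM agent forwards to a SIEM. The directory layout and file contents in `demo()` are constructed for the demonstration.

```python
"""Added example: a minimal file-integrity-monitoring (FIM) baseline and compare.

Builds a SHA-256 digest for every file under a root directory, then reports which
files were added, removed or modified relative to an earlier baseline. Paths and
file contents used by demo() are constructed; the layout is an assumption.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            baseline[full.relative_to(root).as_posix()] = sha256_file(full)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Classify differences between two baselines as added, removed or modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: one config edited, one file added, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (root / "etc" / "old.conf").write_text("legacy=true\n")
        before = build_baseline(root)

        # Simulated changes made after the baseline was recorded.
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.7\n")  # modified
        (root / "etc" / "extra.conf").write_text("debug=false\n")        # added
        (root / "etc" / "old.conf").unlink()                              # removed
        after = build_baseline(root)

        return compare_baseline(before, after)


if __name__ == "__main__":
    # Each line is the kind of event a FIM agent would forward for alerting.
    for kind, paths in demo().items():
        for p in paths:
            print(f"FIM {kind}: {p}")
```

In a deployment the baseline dictionary would be stored off-host (or signed), because an attacker who can alter a watched file can usually alter a baseline kept beside it; the compare step is what produces the auditable change record.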
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
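
The account-control items above (dormant accounts, expiration dates, accounts without a business owner, attempts against deactivated accounts, and deviation from normal login behaviour) are all checks that can run over an account inventory and an authentication log. The block below is an added example, not code from the CIS document or from any identity product: it runs those checks over a constructed inventory and log. The record layouts, field names (`status`, `owner`, `expires`, `last_login`) and the per-user baseline hours are assumptions for the demonstration.

```python
"""Added example (not from the CIS document): account monitoring checks run over a
constructed account inventory and authentication log. It flags dormant accounts,
accounts past their expiration date, accounts with no business owner, attempts to
use deactivated accounts, and successful logins outside a user's normal hours.
Record layouts and field names are assumptions for the demo, not a real IdM export.
"""
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 20, 9, 0)  # fixed "current time" so the demo is reproducible

# Constructed account inventory keyed by username.
ACCOUNTS = {
    "alice":   {"status": "enabled",  "owner": "finance", "expires": datetime(2025, 1, 1),
                "last_login": datetime(2024, 5, 19, 8, 30)},
    "bob":     {"status": "enabled",  "owner": "it",      "expires": datetime(2025, 1, 1),
                "last_login": datetime(2024, 1, 10, 17, 5)},
    "svc-etl": {"status": "enabled",  "owner": None,      "expires": datetime(2024, 4, 30),
                "last_login": datetime(2024, 5, 20, 2, 0)},
    "carol":   {"status": "disabled", "owner": "hr",      "expires": datetime(2025, 1, 1),
                "last_login": datetime(2024, 3, 1, 9, 0)},
}

# Constructed authentication log: (timestamp, user, workstation, result).
EVENTS = [
    (datetime(2024, 5, 19, 8, 30),  "alice",   "WS-FIN-01", "success"),
    (datetime(2024, 5, 19, 23, 45), "alice",   "WS-FIN-01", "success"),
    (datetime(2024, 5, 20, 2, 0),   "svc-etl", "ETL-01",    "success"),
    (datetime(2024, 5, 20, 3, 12),  "carol",   "WS-HR-02",  "failure"),
]

# Per-user normal login window on a 24h clock: (start hour inclusive, end hour exclusive).
BASELINE_HOURS = {"alice": (7, 19), "bob": (8, 18), "svc-etl": (0, 24)}


def dormant_accounts(accounts, now=NOW, max_idle_days=90):
    """Enabled accounts with no login for more than max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, a in accounts.items()
                  if a["status"] == "enabled" and a["last_login"] < cutoff)


def expired_accounts(accounts, now=NOW):
    """Enabled accounts whose expiration date has already passed."""
    return sorted(u for u, a in accounts.items()
                  if a["status"] == "enabled" and a["expires"] < now)


def unowned_accounts(accounts):
    """Enabled accounts that cannot be tied to a business owner."""
    return sorted(u for u, a in accounts.items()
                  if a["status"] == "enabled" and not a["owner"])


def deactivated_account_attempts(events, accounts):
    """Any authentication attempt (success or failure) against a disabled account."""
    return [e for e in events if accounts.get(e[1], {}).get("status") == "disabled"]


def off_hours_logins(events, baseline):
    """Successful logins outside the user's baseline window, or with no baseline at all."""
    flagged = []
    for ts, user, workstation, result in events:
        if result != "success":
            continue
        window = baseline.get(user)
        if window is None or not (window[0] <= ts.hour < window[1]):
            flagged.append((ts, user, workstation, result))
    return flagged


def report(accounts=ACCOUNTS, events=EVENTS, baseline=BASELINE_HOURS):
    """Collect every finding into one structure suitable for alerting or ticketing."""
    return {
        "dormant": dormant_accounts(accounts),
        "expired": expired_accounts(accounts),
        "unowned": unowned_accounts(accounts),
        "deactivated_attempts": [e[1] for e in deactivated_account_attempts(events, accounts)],
        "off_hours": [(e[1], e[0].isoformat()) for e in off_hours_logins(events, baseline)],
    }


if __name__ == "__main__":
    for kind, items in report().items():
        print(f"{kind}: {items}")
```

The checks deliberately look only at enabled accounts for dormancy, expiry and ownership, so that accounts already disabled (which the text says should be kept rather than deleted, to preserve audit trails) do not generate repeat findings; the deactivated-account check instead watches the log for anyone still trying to use them.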
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.

ISO 27002 controls used as mapping columns (the per-sub-control "X" marks of the matrix did not survive extraction and are omitted):

A.5.1.1 Policies for information security
A.5.1.2 Review of the policies for information security
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Information security in project management
A.6.2.1 Mobile device policy
A.6.2.2 Teleworking
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment
A.7.2.1 Management responsibilities
A.7.2.2 Information security awareness, education and training
A.7.2.3 Disciplinary process
A.7.3.1 Termination or change of employment responsibilities
A.8.1.1 Inventory of assets
A.8.1.2 Ownership of assets
A.8.1.3 Acceptable use of assets
A.8.1.4 Return of assets
A.8.2.1 Classification of information
A.8.2.2 Labelling of information
A.8.2.3 Handling of assets
A.8.3.1 Management of removable media
A.8.3.2 Disposal of media
A.8.3.3 Physical media transfer
A.9.1.1 Access control policy
A.9.1.2 Access to networks and network services
A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning
A.9.2.3 Privilege management
A.9.2.4 Management of secret authentication information of users
A.9.2.5 Review of user access rights
A.9.2.6 Removal or adjustment of access rights
A.9.3.1 Use of secret authentication information
A.9.4.1 Use of secret authentication information
A.9.4.2 Secure log-on procedures
A.9.4.3 Password management system
A.9.4.4 Use of privileged utility programs
A.9.4.5 Access control to program source code
A.10.1.1 Policy on the use of cryptographic controls
A.10.1.2 Key management
A.11.1.1 Physical security perimeter
A.11.1.2 Physical entry controls
A.11.1.3 Securing office, rooms and facilities
A.11.1.4 Protecting against external and environmental threats
A.11.1.5 Working in secure areas
A.11.1.6 Delivery and loading areas
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
A.11.2.4 Equipment maintenance
A.11.2.5 Removal of assets
A.11.2.6 Security of equipment and assets off-premises
A.11.2.7 Secure disposal or re-use of equipment
A.11.2.8 Unattended user equipment
A.11.2.9 Clear desk and clear screen policy
A.12.1.1 Documented operating procedures
A.12.1.2 Change management
A.12.1.3 Capacity management
A.12.1.4 Separation of development, test and operational environments
A.12.2.1 Controls against malware
A.12.3.1 Information backup
A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
A.12.4.4 Clock synchronisation
A.12.5.1 Installation of software on operational systems
A.12.6.1 Management of technical vulnerabilities
A.12.6.2 Restrictions on software installation
A.12.7.1 Information systems audit controls
A.13.1.1 Network controls
A.13.1.2 Security of network services
A.13.1.3 Segregation in networks
A.13.2.1 Information transfer policies and procedures
A.13.2.2 Agreements on information transfer
A.13.2.3 Electronic messaging
A.13.2.4 Confidentiality or non-disclosure agreements
A.14.1.1 Security requirements analysis and specification
A.14.1.2 Securing application services on public networks
A.14.1.3 Protecting application services transactions
A.14.2.1 Secure development policy
A.14.2.2 System change control procedures
A.14.2.3 Technical review of applications after operating platform changes
A.14.2.4 Restrictions on changes to software packages
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.7 Outsourced development
A.14.2.8 System security testing
A.14.2.9 System acceptance testing
A.14.3.1 Protection of test data
A.15.1.1 Information security policy for supplier relationships
A.15.1.2 Addressing security within supplier agreements
A.15.1.3 Information and communication technology supply chain
A.15.2.1 Monitoring and review of supplier services
A.15.2.2 Managing changes to supplier services
A.16.1.1 Responsibilities and procedures
A.16.1.2 Reporting information security events
A.16.1.3 Reporting information security weaknesses
A.16.1.4 Assessment and decision on information security events
A.16.1.5 Response to information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.7 Collection of evidence
A.17.1.1 Planning information security continuity
A.17.1.2 Implementing information security continuity
A.17.1.3 Verify, review and evaluate information security continuity
A.17.2.1 Availability of information processing facilities
A.18.1.1 Identification of applicable legislation and contractual requirements
A.18.1.2 Intellectual property rights (IPR)
A.18.1.3 Protection of records
A.18.1.4 Privacy and protection of personally identifiable information
A.18.1.5 Regulation of cryptographic controls
A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
A.18.2.3 Technical compliance review

CIS Controls v7.1 mapped to ISO 27002:2005

Asset type and sub-control identifiers per control:

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System: 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
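
The discovery, DHCP-logging and unauthorized-asset items above amount to one loop: observe which devices obtain addresses, look each one up in the hardware asset inventory, and act on the ones that are unknown or not approved. The block below is an added example, not code from the CIS document or from a DHCP server project: it parses DHCPACK lines written in the ISC dhcpd syslog style and reconciles them with a small inventory. The log lines, MAC addresses, hostnames and the inventory layout (`name`, `owner`, `approved`) are constructed for the demonstration.

```python
"""Added example (not from the CIS document): reconcile DHCP server logs with a
hardware asset inventory. DHCPACK lines in the ISC dhcpd syslog style are parsed,
each MAC address is looked up in the inventory, and devices that are unknown, or
known but not approved for the network, are reported. Log lines, MACs and the
inventory layout are constructed for the demo.
"""
import re

# ISC dhcpd-style lease acknowledgement; the hostname in parentheses is optional.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed log excerpt (the DHCPREQUEST line shows that non-ACK lines are skipped).
DHCP_LOG_LINES = [
    "May 20 09:01:02 dhcp1 dhcpd[1234]: DHCPREQUEST for 10.0.10.23 from 00:11:22:33:44:55 (ws-fin-01) via eth0",
    "May 20 09:01:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.10.23 to 00:11:22:33:44:55 (ws-fin-01) via eth0",
    "May 20 09:03:17 dhcp1 dhcpd[1234]: DHCPACK on 10.0.10.41 to 00:11:22:aa:bb:cc (printer-3) via eth0",
    "May 20 09:05:44 dhcp1 dhcpd[1234]: DHCPACK on 10.0.10.77 to f0:de:f1:22:33:44 via eth0",
]

# Constructed hardware asset inventory keyed by lower-case MAC address.
INVENTORY = {
    "00:11:22:33:44:55": {"name": "ws-fin-01", "owner": "finance", "approved": True},
    "00:11:22:aa:bb:cc": {"name": "printer-3", "owner": "facilities", "approved": False},
}


def parse_dhcpack(line):
    """Return a dict for a DHCPACK line, or None for any other log line."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return {
        "timestamp": line[:15],          # syslog "Mon DD HH:MM:SS" prefix
        "ip": m.group("ip"),
        "mac": m.group("mac").lower(),   # normalise so inventory lookups are exact
        "hostname": m.group("host") or "",
        "iface": m.group("iface"),
    }


def reconcile(lines, inventory):
    """Record last-seen data per MAC and flag unknown or unapproved devices."""
    seen, unknown, unapproved = {}, set(), set()
    for line in lines:
        lease = parse_dhcpack(line)
        if lease is None:
            continue
        mac = lease["mac"]
        seen[mac] = {"ip": lease["ip"], "hostname": lease["hostname"],
                     "last_seen": lease["timestamp"]}
        asset = inventory.get(mac)
        if asset is None:
            unknown.add(mac)
        elif not asset["approved"]:
            unapproved.add(mac)
    return {"seen": seen, "unknown": sorted(unknown), "unapproved": sorted(unapproved)}


if __name__ == "__main__":
    result = reconcile(DHCP_LOG_LINES, INVENTORY)
    for mac in result["unknown"]:
        info = result["seen"][mac]
        print(f"UNKNOWN device {mac} got {info['ip']} at {info['last_seen']}: add to inventory or quarantine")
    for mac in result["unapproved"]:
        print(f"UNAPPROVED device {mac} ({INVENTORY[mac]['name']}) obtained a lease")
```

The `seen` map is what keeps the inventory current (network address, last-seen time and self-reported hostname per hardware address); the `unknown` and `unapproved` lists are the inputs to the remove, quarantine or update decision the text calls for.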
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
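
Whether a domain's SPF and DMARC records actually enforce anything is a question of a few tag values, and it is worth checking mechanically. The block below is an added example, not code from the CIS document or from any mail-security product: it parses the text of an SPF record and a DMARC record and classifies how strong each policy is. The record strings are constructed for the demonstration; in practice they come from TXT lookups of the domain and of `_dmarc.<domain>`, which this offline example does not perform.

```python
"""Added example (not from the CIS document): an offline checker for the SPF and
DMARC records a domain publishes. It parses the record text and reports how
strong the policy is. The records below are constructed; in practice the strings
come from TXT lookups of <domain> and _dmarc.<domain>.
"""

# Constructed record strings (assumptions for the demo).
SPF_RECORD = "v=spf1 include:_spf.example.com ip4:203.0.113.0/24 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

SPF_FINDINGS = {
    None: "missing-all",   # no "all" mechanism: unlisted senders get a neutral result
    "-": "fail-all",       # unlisted senders fail: the strongest form
    "~": "softfail",       # unlisted senders soft-fail: usually only marked, not rejected
    "?": "neutral",        # explicitly no policy
    "+": "permissive",     # "+all": every host is an authorised sender
}


def check_spf(record):
    """Return the qualifier on the terminal 'all' mechanism and a finding label."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return {"valid": False, "finding": "not-spf"}
    qualifier = None
    for tok in tokens[1:]:
        q = tok[0] if tok[0] in "+-~?" else "+"     # an absent qualifier means "+"
        if tok.lstrip("+-~?").lower() == "all":
            qualifier = q                             # the last 'all' is the one that counts
    return {"valid": True, "all_qualifier": qualifier, "finding": SPF_FINDINGS[qualifier]}


def check_dmarc(record):
    """Parse tag=value pairs and classify the domain's enforcement level."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "finding": "not-dmarc"}
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100   # pct defaults to 100 when absent
    if policy not in ("none", "quarantine", "reject"):
        finding = "invalid-policy"
    elif policy == "none":
        finding = "monitor-only"          # reports only; spoofed mail is still delivered
    elif pct < 100:
        finding = "partial-enforcement"   # policy applied to only a sample of messages
    else:
        finding = "enforcing"
    return {"valid": True, "policy": policy, "pct": pct,
            "has_reporting": "rua" in tags, "finding": finding}


def assess(spf_record=SPF_RECORD, dmarc_record=DMARC_RECORD):
    """Combine both checks into one summary."""
    return {"spf": check_spf(spf_record), "dmarc": check_dmarc(dmarc_record)}


if __name__ == "__main__":
    for name, result in assess().items():
        print(f"{name}: {result['finding']}")
```

The labels follow the order in which the text says to roll DMARC out: a domain typically starts at `p=none` with `rua` reporting (monitor-only), moves to `quarantine` or `reject` with a partial `pct`, and is only counted as enforcing once the policy is `quarantine` or `reject` at `pct=100`.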
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
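The login-deviation alert described above, as an added example that is not part of the CIS document: it builds a per-user baseline of login hour, workstation and session length from a history of successful logins, then flags new logins that fall outside it (including a user with no history at all). All log records, user names and workstation names are constructed.

```python
"""Flag logins that deviate from a user's normal behaviour.

Added example for this page, not part of the CIS document. Baselines
time-of-day, workstation and session duration per user from a history of
successful logins, then scores new logins against that baseline. All
log lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history of successful interactive logins:
# "<UTC timestamp> <user> <workstation> <session minutes>"
HISTORY = """\
2024-03-04T08:55:10Z alice WS-ALICE-01 470
2024-03-05T09:02:41Z alice WS-ALICE-01 480
2024-03-06T08:48:03Z alice WS-ALICE-01 490
2024-03-07T09:10:22Z alice WS-ALICE-01 480
2024-03-08T08:59:57Z alice WS-ALICE-01 475
2024-03-04T07:05:12Z bob WS-BOB-02 540
2024-03-05T07:12:30Z bob WS-BOB-02 535
2024-03-06T07:01:44Z bob WS-BOB-02 545
2024-03-07T07:08:09Z bob WS-BOB-02 540
""".splitlines()

# Constructed new logins to score against the baseline.
NEW_LOGINS = """\
2024-03-11T03:12:33Z alice WS-ALICE-01 480
2024-03-11T09:00:15Z alice WS-FINANCE-07 470
2024-03-11T07:30:00Z bob WS-BOB-02 1500
2024-03-11T07:45:51Z bob WS-BOB-02 530
2024-03-11T10:15:00Z carol WS-CAROL-03 400
""".splitlines()


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, user, host, minutes = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "host": host, "minutes": int(minutes)}


def build_baseline(lines):
    """Per user: set of login hours, set of workstations, duration threshold."""
    per_user = defaultdict(list)
    for ev in map(parse_line, lines):
        per_user[ev["user"]].append(ev)
    baseline = {}
    for user, evs in per_user.items():
        durations = [e["minutes"] for e in evs]
        avg = mean(durations)
        # Threshold: two standard deviations above the mean, but never less
        # than 1.5x the mean, so a user with very regular sessions still
        # needs a clearly longer session to trip the rule.
        threshold = avg + max(2 * pstdev(durations), 0.5 * avg)
        baseline[user] = {
            "hours": {e["ts"].hour for e in evs},
            "hosts": {e["host"] for e in evs},
            "max_minutes": threshold,
        }
    return baseline


def detect(lines, baseline):
    """Return one alert per login that deviates from the user's baseline."""
    alerts = []
    for ev in map(parse_line, lines):
        profile = baseline.get(ev["user"])
        if profile is None:
            # First login ever seen for this account: review it rather than
            # silently accepting it as the new normal.
            reasons = ["no-baseline"]
        else:
            reasons = []
            if ev["ts"].hour not in profile["hours"]:
                reasons.append("time-of-day")
            if ev["host"] not in profile["hosts"]:
                reasons.append("workstation")
            if ev["minutes"] > profile["max_minutes"]:
                reasons.append("duration")
        if reasons:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "host": ev["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOGINS, build_baseline(HISTORY)):
        print(alert)
```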
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand which skills and behaviors workforce members are not
exhibiting or adhering to, and use this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and the escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a): CIS Controls v7.1 mapped to ISO/IEC 27001:2005 Annex A

[Mapping matrix: the X marks linking individual CIS sub-controls to the Annex A controls are not recoverable from this rendering; only the Annex A column headings survive and are listed below.]

A.5.1.1 Information security policy document
A.5.1.2 Review of the information security policy
A.6.1.1 Management commitment to information security
A.6.1.2 Information security co-ordination
A.6.1.3 Allocation of information security responsibilities
A.6.1.4 Authorization process for information processing facilities
A.6.1.5 Confidentiality agreements
A.6.1.6 Contact with authorities
A.6.1.7 Contact with special interest groups
A.6.1.8 Independent review of information security
A.6.2.1 Identification of risks related to external parties
A.6.2.2 Addressing security when dealing with customers
A.6.2.3 Addressing security in third party agreements
A.7.1.1 Inventory of assets
A.7.1.2 Ownership of assets
A.7.1.3 Acceptable use of assets
A.7.2.1 Classification guidelines
A.7.2.2 Information labelling and handling
A.8.1.1 Roles and responsibilities
A.8.1.2 Screening
A.8.1.3 Terms and conditions of employment
A.8.2.1 Management responsibilities
A.8.2.2 Information security awareness, education and training
A.8.2.3 Disciplinary process
A.8.3.1 Termination responsibilities
A.8.3.2 Return of assets
A.8.3.3 Removal of access rights
A.9.1.1 Physical security perimeter
A.9.1.2 Physical entry controls
A.9.1.3 Securing offices, rooms and facilities
A.9.1.4 Protecting against external and environmental threats
A.9.1.5 Working in secure areas
A.9.1.6 Public access, delivery and loading areas
A.9.2.1 Equipment siting and protection
A.9.2.2 Supporting utilities
A.9.2.3 Cabling security
A.9.2.4 Equipment maintenance
A.9.2.5 Security of equipment off-premises
A.9.2.6 Secure disposal or re-use of equipment
A.9.2.7 Removal of property
A.10.1.1 Documented operating procedures
A.10.1.2 Change management
A.10.1.3 Segregation of duties
A.10.1.4 Separation of development, test and operational facilities
A.10.2.1 Service delivery
A.10.2.2 Monitoring and review of third party services
A.10.2.3 Managing changes to third party services
A.10.3.1 Capacity management
A.10.3.2 System acceptance
A.10.4.1 Controls against malicious code
A.10.4.2 Controls against mobile code
A.10.5.1 Information back-up
A.10.6.1 Network controls
A.10.6.2 Security of network services
A.10.7.1 Management of removable media
A.10.7.2 Disposal of media
A.10.7.3 Information handling procedures
A.10.7.4 Security of system documentation
A.10.8.1 Information exchange policies and procedures
A.10.8.2 Exchange agreements
A.10.8.3 Physical media in transit
A.10.8.4 Electronic messaging
A.10.8.5 Business information systems
A.10.9.1 Electronic commerce
A.10.9.2 On-line transactions
A.10.9.3 Publicly available information
A.10.10.1 Audit logging
A.10.10.2 Monitoring system use
A.10.10.3 Protection of log information
A.10.10.4 Administrator and operator logs
A.10.10.5 Fault logging
A.10.10.6 Clock synchronization
A.11.1.1 Access control policy
A.11.2.1 User registration
A.11.2.2 Privilege management
A.11.2.3 User password management
A.11.2.4 Review of user access rights
A.11.3.1 Password use
A.11.3.2 Unattended user equipment
A.11.3.3 Clear desk and clear screen policy
A.11.4.1 Policy on use of network services
A.11.4.2 User authentication for external connections
A.11.4.3 Equipment identification in networks
A.11.4.4 Remote diagnostic and configuration port protection
A.11.4.5 Segregation in networks
A.11.4.6 Network connection control
A.11.4.7 Network routing control
A.11.5.1 Secure log-on procedures
A.11.5.2 User identification and authentication
A.11.5.3 Password management system
A.11.5.4 Use of system utilities
A.11.5.5 Session time-out
A.11.5.6 Limitation of connection time
A.11.6.1 Information access restriction
A.11.6.2 Sensitive system isolation
A.11.7.1 Mobile computing and communications
A.11.7.2 Teleworking
A.12.1.1 Security requirements analysis and specification
A.12.2.1 Input data validation
A.12.2.2 Control of internal processing
A.12.2.3 Message integrity
A.12.2.4 Output data validation
A.12.3.1 Policy on the use of cryptographic controls
A.12.3.2 Key management
A.12.4.1 Control of operational software
A.12.4.2 Protection of system test data
A.12.4.3 Access control to program source code
A.12.5.1 Change control procedures
A.12.5.2 Technical review of applications after operating system changes
A.12.5.3 Restrictions on changes to software packages
A.12.5.4 Information leakage
A.12.5.5 Outsourced software development
A.12.6.1 Control of technical vulnerabilities
A.13.1.1 Reporting information security events
A.13.1.2 Reporting security weaknesses
A.13.2.1 Responsibilities and procedures
A.13.2.2 Learning from information security incidents
A.13.2.3 Collection of evidence
A.14.1.1 Including information security in the business continuity management process
A.14.1.2 Business continuity and risk assessment
A.14.1.3 Developing and implementing continuity plans including information security
A.14.1.4 Business continuity planning framework
A.14.1.5 Testing, maintaining and re-assessing business continuity plans
A.15.1.1 Identification of applicable legislation
A.15.1.2 Intellectual property rights (IPR)
A.15.1.3 Protection of organizational records
A.15.1.4 Data protection and privacy of personal information
A.15.1.5 Prevention of misuse of information processing facilities
A.15.1.6 Regulation of cryptographic controls
A.15.2.1 Compliance with security policies and standards
A.15.2.2 Technical compliance checking
A.15.3.1 Information systems audit controls
A.15.3.2 Protection of information systems audit tools
CIS Controls v7.1 mapped to IEC 62443-3-3:2013

[Mapping matrix: only the row headings survive in this rendering, giving each sub-control's asset type (System, Network or Application) and number; the mapped IEC 62443-3-3 requirements are not recoverable.]

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices (System): 1.1 to 1.8
Critical Security Control #2: Inventory of Authorized and Unauthorized Software (System): 2.1 to 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation (System): 3.1 to 3.7
Critical Security Control #4: Controlled Use of Administrative Privileges (System): 4.1 to 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software (System): 5.1 to 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs (System): 6.1 to 6.8
Critical Security Control #7: Email and Web Browser Protections (System): 7.1 to 7.10
Critical Security Control #8: Malware Defenses (System): 8.1 to 8.8
Critical Security Control #9: Limitation and Control of Network Ports (System): 9.1 to 9.5
Critical Security Control #10: Data Recovery Capabilities (System): 10.1 to 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches (Network): 11.1 to 11.7
Critical Security Control #12: Boundary Defense (Network): 12.1 to 12.12
Critical Security Control #13: Data Protection (Network): 13.1 to 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know (Application): 14.1 to 14.9
Critical Security Control #15: Wireless Access Control (Network): 15.1 to 15.10
Critical Security Control #16: Account Monitoring and Control (Application): 16.1 to 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program (Application): 17.1 to 17.9
Critical Security Control #18: Application Software Security (Application): 18.1 to 18.11
Critical Security Control #19: Incident Response and Management (Application): 19.1 to 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises (Application): 20.1 to 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
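As an added example (not part of the CIS mapping tool), the consecutive-scan comparison of sub-control 3.6 and the risk-rating prioritization of sub-control 3.7, in Python. The hosts, VULN-nnnn ids, CVSS scores, asset criticality values and SLA days are all constructed placeholders.

```python
"""Compare consecutive vulnerability scans and rank remediation (CSC 3.6 and 3.7).

Added example, not part of the CIS mapping tool. Every record below is
constructed sample data; the VULN-nnnn ids are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # scanner's vulnerability id (placeholder)
    cvss: float       # CVSS base score reported by the scanner
    first_seen: date  # date the finding first appeared in any scan


# Asset criticality as recorded in the hardware asset inventory (CSC 1.5):
# 3 = business critical, 2 = important, 1 = low impact. Constructed values.
ASSET_CRITICALITY = {"db01": 3, "web01": 2, "kiosk07": 1}

# Remediation SLA in days per severity band; an assumed organisational policy.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def severity(cvss: float) -> str:
    """Map a CVSS base score to the usual severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def diff_scans(previous, current):
    """Return (remediated, new, persistent) findings keyed on (host, vuln_id).

    Remediated: in the previous scan but absent now. New: only in the current
    scan. Persistent: reported by both scans, i.e. still awaiting remediation.
    """
    prev = {(f.host, f.vuln_id): f for f in previous}
    curr = {(f.host, f.vuln_id): f for f in current}
    remediated = [prev[k] for k in sorted(prev.keys() - curr.keys())]
    new = [curr[k] for k in sorted(curr.keys() - prev.keys())]
    persistent = [curr[k] for k in sorted(curr.keys() & prev.keys())]
    return remediated, new, persistent


def risk_score(f: Finding) -> float:
    """Risk rating: CVSS weighted by the asset's criticality from the inventory."""
    return f.cvss * ASSET_CRITICALITY.get(f.host, 1)


def overdue(f: Finding, today: date) -> bool:
    """True when a finding has outlived the SLA for its severity band."""
    return (today - f.first_seen).days > SLA_DAYS[severity(f.cvss)]


def prioritize(findings, today: date):
    """Remediation order: overdue findings first, then descending risk score."""
    return sorted(findings, key=lambda f: (not overdue(f, today), -risk_score(f)))


# Constructed results of two consecutive weekly scans.
LAST_WEEK = [
    Finding("web01", "VULN-0001", 9.8, date(2023, 1, 2)),
    Finding("web01", "VULN-0002", 5.3, date(2023, 1, 2)),
    Finding("db01", "VULN-0003", 7.5, date(2022, 12, 5)),
]
THIS_WEEK = [
    Finding("web01", "VULN-0002", 5.3, date(2023, 1, 2)),
    Finding("db01", "VULN-0003", 7.5, date(2022, 12, 5)),
    Finding("kiosk07", "VULN-0004", 9.1, date(2023, 1, 9)),
]


def report(today: date = date(2023, 1, 9)) -> dict:
    """Summarise the week-over-week comparison and the remediation queue."""
    remediated, new, persistent = diff_scans(LAST_WEEK, THIS_WEEK)
    queue = prioritize(new + persistent, today)
    return {
        "remediated": [f.vuln_id for f in remediated],
        "new": [f.vuln_id for f in new],
        "overdue": [f.vuln_id for f in persistent if overdue(f, today)],
        "queue": [(f.host, f.vuln_id) for f in queue],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Note that the medium-severity finding on web01 outranks the critical one on the kiosk because asset criticality from the inventory is part of the rating, which is the point of tying scan results to the asset inventory.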

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
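An added example of the two alert conditions above (not code from the CIS mapping tool), written as detection logic run over constructed log lines. The log line format, the group and account names, and the failure threshold and window are all assumptions.

```python
"""Alert on admin-group membership changes and failed admin logins (CSC 4.8 and 4.9).

Added example, not code from the CIS mapping tool. The log line format, the
lines themselves, the group and account names and the failure policy are all
constructed for illustration; adapt parse_line() to the real log source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Groups the organisation treats as carrying administrative privilege (assumed).
ADMIN_GROUPS = {"Domain Admins", "Administrators"}
# Accounts listed in the administrative account inventory of CSC 4.1 (constructed).
ADMIN_ACCOUNTS = {"adm-jsmith", "adm-backup"}
# Assumed policy: 3 failed logins to one admin account within 10 minutes alerts.
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=10)

# Constructed line format: "<ISO timestamp> <EVENT> key=value key="quoted value" ..."
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str):
    """Parse one log line into (timestamp, event, fields); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return ts, m.group(2), fields


def detect(lines):
    """Return [(timestamp, alert text)] for the CSC 4.8 and 4.9 conditions."""
    alerts = []
    failures = defaultdict(list)  # admin account -> recent failed-login times
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, f = parsed
        if event in ("GROUP_MEMBER_ADDED", "GROUP_MEMBER_REMOVED"):
            # CSC 4.8: any membership change of a privileged group is alerted,
            # whoever made it; the actor is recorded for the investigation.
            if f.get("group") in ADMIN_GROUPS:
                verb = "added to" if event.endswith("ADDED") else "removed from"
                alerts.append((ts, f"{f['member']} {verb} {f['group']} by {f['actor']}"))
        elif event == "LOGIN_FAILED" and f.get("user") in ADMIN_ACCOUNTS:
            # CSC 4.9: count failures per admin account inside a sliding window so
            # slow, spread-out failures do not accumulate into a false alert.
            recent = [t for t in failures[f["user"]] if ts - t <= FAIL_WINDOW]
            recent.append(ts)
            failures[f["user"]] = recent
            if len(recent) == FAIL_THRESHOLD:  # alert once when the threshold is hit
                alerts.append((ts, f"{FAIL_THRESHOLD} failed logins to {f['user']} within {FAIL_WINDOW}"))
    return alerts


# Constructed sample log: the first two adm-backup failures fall outside the
# window of the later three, so only the burst at 08:25-08:28 raises an alert.
SAMPLE_LOG = """\
2023-01-09T08:00:01 LOGIN_OK user=jsmith host=ws12
2023-01-09T08:05:10 GROUP_MEMBER_ADDED group="Domain Admins" member=svc-print actor=adm-jsmith
2023-01-09T08:10:00 LOGIN_FAILED user=adm-backup host=db01
2023-01-09T08:11:30 LOGIN_FAILED user=adm-backup host=db01
2023-01-09T08:25:00 LOGIN_FAILED user=adm-backup host=db01
2023-01-09T08:26:00 LOGIN_FAILED user=adm-backup host=db01
2023-01-09T08:28:00 LOGIN_FAILED user=adm-backup host=db01
2023-01-09T08:29:00 LOGIN_FAILED user=jsmith host=ws12
2023-01-09T09:00:00 GROUP_MEMBER_REMOVED group=Administrators member=svc-print actor=adm-jsmith
""".splitlines()


if __name__ == "__main__":
    for ts, text in detect(SAMPLE_LOG):
        print(ts.isoformat(), text)
```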
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping matrix of the Master Mappings Tool (v7.1a): the sheet marks with an X which CIS Controls map to each system requirement (SR x.y, the IEC 62443-3-3 numbering). The row labels did not survive extraction, so the marks cannot be attributed to controls; only the column headings are recoverable:
SR 1.1 Human user identification and authentication; SR 1.2 Software process and device identification and authentication; SR 1.3 Account management; SR 1.4 Identifier management; SR 1.5 Authenticator management; SR 1.6 Wireless access management; SR 1.7 Strength of password-based authentication; SR 1.8 Public key infrastructure (PKI) certificates; SR 1.9 Strength of public key authentication; SR 1.10 Authenticator feedback; SR 1.11 Unsuccessful login attempts; SR 1.12 System use notification; SR 1.13 Access via untrusted networks; SR 2.1 Authorisation enforcement; SR 2.2 Wireless use control; SR 2.3 Use control for portable and mobile devices; SR 2.4 Mobile code; SR 2.5 Session lock; SR 2.6 Remote session termination; SR 2.7 Concurrent session control; SR 2.8 Auditable events; SR 2.9 Audit storage capacity; SR 2.10 Response to audit processing failures; SR 2.11 Timestamps; SR 2.12 Non-repudiation; SR 3.1 Communication integrity; SR 3.2 Malicious code protection; SR 3.3 Security functionality verification; SR 3.4 Software and information integrity; SR 3.5 Input validation; SR 3.6 Deterministic output; SR 3.7 Error handling; SR 3.8 Session integrity; SR 3.9 Protection of audit information; SR 4.1 Information confidentiality; SR 4.2 Information persistence; SR 4.3 Use of cryptography; SR 5.1 Network segmentation; SR 5.2 Zone boundary protection; SR 5.3 General purpose person-to-person communication restriction; SR 5.4 Application partitioning; SR 6.1 Audit log accessibility; SR 6.2 Continuous monitoring; SR 7.1 Denial of service protection; SR 7.2 Resource management; SR 7.3 Control system backup; SR 7.4 Control system recovery and reconstitution; SR 7.5 Emergency power; SR 7.6 Network and security configuration settings; SR 7.7 Least functionality; SR 7.8 Control system component inventory.]
CIS Controls v7.1 mapped to NIST 800-171

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7
System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5

System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5
System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4

System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections

System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1
System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7

System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8
Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4
Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2
Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5
Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls

CIS Controls v7.1 mapped to NIST 800-171

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

1.1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.
1.7 Utilize port-level access control, following the IEEE 802.1X standard, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
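Sub-controls 1.3, 1.5 and 1.6 describe feeding DHCP lease data into the hardware asset inventory and acting on anything that is not approved. The following is an added example, not part of the CIS document: it parses constructed ISC-dhcpd-style DHCPACK syslog lines (the line format and the inventory fields are assumed), updates a small inventory keyed by hardware address with the network address and hostname last seen, and returns the devices that are unknown or not approved so they can be quarantined.

```python
"""Reconcile DHCP lease log lines against a hardware asset inventory (CIS 1.3-1.6).

Added example, not from the CIS mapping document. The log format, inventory
fields and all addresses below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed ISC-dhcpd-style syslog lines (format assumed; adapt ACK_RE to your server).
DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.5.14 to 3c:52:82:aa:10:01 (ws-finance-07) via eth1
Mar  3 08:02:40 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to b8:27:eb:44:9f:c2 via eth1
Mar  3 08:03:03 dhcp1 dhcpd: DHCPACK on 10.20.5.14 to 3c:52:82:aa:10:01 (ws-finance-07) via eth1
Mar  3 08:05:19 dhcp1 dhcpd: DHCPACK on 10.20.5.91 to 00:1a:2b:3c:4d:5e (printer-2f) via eth1
Mar  3 08:06:00 dhcp1 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth1
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass
class Asset:
    """Fields CIS 1.5 asks the inventory to record, keyed by hardware (MAC) address."""
    mac: str
    name: str = ""
    owner: str = ""
    department: str = ""
    approved: bool = False
    ip: str = ""          # last network address seen for this hardware address


def build_inventory():
    """Constructed inventory: two approved assets."""
    return {
        "3c:52:82:aa:10:01": Asset("3c:52:82:aa:10:01", "ws-finance-07", "j.doe", "Finance", True),
        "00:1a:2b:3c:4d:5e": Asset("00:1a:2b:3c:4d:5e", "printer-2f", "facilities", "Facilities", True),
    }


def parse_leases(log_text):
    """Return {mac: (ip, hostname)} for every DHCPACK line; the last lease wins."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return leases


def reconcile(inventory, leases):
    """Update the inventory from the leases; return sorted MACs that are unknown or not approved."""
    unauthorized = []
    for mac, (ip, host) in leases.items():
        asset = inventory.get(mac)
        if asset is None:
            # Unknown device: record it so it is tracked (CIS 1.6), but leave it unapproved.
            inventory[mac] = Asset(mac, host, ip=ip, approved=False)
            unauthorized.append(mac)
            continue
        asset.ip = ip
        if host and not asset.name:
            asset.name = host
        if not asset.approved:
            unauthorized.append(mac)
    return sorted(unauthorized)


if __name__ == "__main__":
    inv = build_inventory()
    for mac in reconcile(inv, parse_leases(DHCP_LOG)):
        a = inv[mac]
        print(f"UNAUTHORIZED {mac} ip={a.ip} name={a.name or '?'} -> quarantine or update inventory")
```

The unknown device is added to the inventory rather than dropped, because a device that keeps obtaining leases while absent from the inventory is exactly the gap 1.6 is meant to close; the output is the quarantine worklist.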
Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

4.1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 Before deploying any new asset, change all default passwords to have values consistent with administrative-level accounts.
4.3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
4.4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
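Sub-controls 4.8 and 4.9 are detection rules, and the useful part is deciding which events qualify. The following is an added example, not part of the CIS document: it runs both rules over constructed events in the shape a log forwarder might emit from the Windows Security log (the field names are assumed). The event IDs are the standard ones: 4728, 4732 and 4756 for a member added to a security-enabled global, local or universal group; 4729, 4733 and 4757 for a member removed; 4625 for a failed logon. The list of privileged groups and the admin-account list (which 4.1 says you should already hold as an inventory) are assumptions.

```python
"""Alerts for admin-group membership changes and failed admin logons (CIS 4.8, 4.9).

Added example, not from the CIS document. Events are constructed dicts; the
field names are assumed. Event IDs: 4728/4732/4756 member added to a
security-enabled global/local/universal group, 4729/4733/4757 member removed,
4625 failed logon.
"""
from collections import defaultdict

GROUP_ADD = {4728, 4732, 4756}
GROUP_REMOVE = {4729, 4733, 4757}
FAILED_LOGON = 4625

# Assumed: groups that confer administrative privilege, and the admin accounts from the CIS 4.1 inventory.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-svc-backup"}

# Constructed sample events.
EVENTS = [
    {"EventID": 4728, "TargetGroup": "Domain Admins", "MemberName": "CORP\\jdoe",
     "SubjectUser": "adm-jdoe", "Time": "2024-03-03T09:00:01"},
    {"EventID": 4732, "TargetGroup": "Remote Desktop Users", "MemberName": "CORP\\asmith",
     "SubjectUser": "adm-jdoe", "Time": "2024-03-03T09:00:05"},
    {"EventID": 4625, "TargetUser": "adm-svc-backup", "IpAddress": "10.20.7.33", "Time": "2024-03-03T09:01:00"},
    {"EventID": 4625, "TargetUser": "adm-svc-backup", "IpAddress": "10.20.7.33", "Time": "2024-03-03T09:01:02"},
    {"EventID": 4625, "TargetUser": "asmith", "IpAddress": "10.20.7.40", "Time": "2024-03-03T09:01:03"},
    {"EventID": 4625, "TargetUser": "adm-svc-backup", "IpAddress": "10.20.7.33", "Time": "2024-03-03T09:01:04"},
    {"EventID": 4733, "TargetGroup": "Administrators", "MemberName": "CORP\\svc-old",
     "SubjectUser": "adm-jdoe", "Time": "2024-03-03T09:02:00"},
]


def admin_group_alerts(events, admin_groups=ADMIN_GROUPS):
    """CIS 4.8: one alert per add or remove on a group that carries admin privilege."""
    alerts = []
    for e in events:
        if e.get("TargetGroup") not in admin_groups:
            continue
        eid = e.get("EventID")
        if eid in GROUP_ADD:
            alerts.append(f"{e['Time']} ADDED {e['MemberName']} to {e['TargetGroup']} by {e['SubjectUser']}")
        elif eid in GROUP_REMOVE:
            alerts.append(f"{e['Time']} REMOVED {e['MemberName']} from {e['TargetGroup']} by {e['SubjectUser']}")
    return alerts


def failed_admin_logon_alerts(events, admin_accounts=ADMIN_ACCOUNTS):
    """CIS 4.9: one alert per failed logon against an admin account, with a running
    count per (account, source address) so a burst is visible to the analyst."""
    seen = defaultdict(int)
    alerts = []
    for e in events:
        if e.get("EventID") != FAILED_LOGON or e.get("TargetUser") not in admin_accounts:
            continue
        key = (e["TargetUser"], e.get("IpAddress", "?"))
        seen[key] += 1
        alerts.append(f"{e['Time']} FAILED LOGON #{seen[key]} to admin account {key[0]} from {key[1]}")
    return alerts


if __name__ == "__main__":
    for line in admin_group_alerts(EVENTS) + failed_admin_logon_alerts(EVENTS):
        print(line)
```

The membership rule keys on the group, not on who performed the change, so an attacker using a legitimately privileged account still trips it; the failed-logon rule fires on every event, as 4.9 asks, rather than only above a threshold, because a single failure against a service account that never logs on interactively is itself worth a look.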
Critical Security Control #5: Secure Configurations for Hardware and Software

5.1 Maintain documented security configuration standards for all authorized operating systems and software.
5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2 Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7 On a regular basis, review logs to identify anomalies or abnormal events.
6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections

7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.
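Sub-control 7.8 builds DMARC on top of SPF and DKIM, and what DMARC adds is the alignment test: the domain that passed SPF or DKIM must match the RFC5322.From domain, exactly in strict mode or at the organizational-domain level in relaxed mode. The following is an added example, not part of the CIS document, that implements that evaluation for one message. It assumes the MTA has already verified SPF and DKIM and hands over the domain each check passed for (None if it failed); the DMARC records are supplied inline instead of being fetched from the _dmarc TXT record, and the organizational-domain lookup uses a constructed three-entry stand-in for the Public Suffix List.

```python
"""DMARC alignment evaluation for one inbound message (CIS 7.8).

Added example, not from the CIS document. SPF/DKIM verification is assumed to
have been done by the MTA; DMARC records and the public-suffix set are constructed.
"""

PUBLIC_SUFFIXES = {"com", "net", "co.uk"}    # constructed stand-in, not the real Public Suffix List

# Constructed DMARC records keyed by the domain that publishes them (_dmarc.<domain> TXT).
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.co.uk": "v=DMARC1; p=quarantine; sp=none; pct=100",
}


def organizational_domain(domain):
    """Drop leading labels until the remainder is a public suffix; the label just
    before that suffix, plus the suffix, is the organizational domain."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def parse_dmarc(record):
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): identifiers must match exactly.
    Relaxed ('r', the default): the same organizational domain is enough."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def lookup_policy(from_domain):
    """Return (tags, policy) for the From domain. A record found at the organizational
    domain applies its subdomain policy (sp=) to subdomains, falling back to p=."""
    from_domain = from_domain.lower()
    record = DMARC_RECORDS.get(from_domain)
    if record is not None:
        tags = parse_dmarc(record)
        return tags, tags.get("p", "none")
    record = DMARC_RECORDS.get(organizational_domain(from_domain))
    if record is None:
        return None, "none"
    tags = parse_dmarc(record)
    return tags, tags.get("sp", tags.get("p", "none"))


def evaluate_dmarc(from_domain, spf_pass_domain, dkim_pass_domain):
    """Return (verdict, policy). verdict is 'pass', 'fail', or 'none' when no record exists.
    spf_pass_domain / dkim_pass_domain: the domain each check passed for, or None if it failed."""
    tags, policy = lookup_policy(from_domain)
    if tags is None:
        return "none", "none"
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    return ("pass" if (spf_ok or dkim_ok) else "fail"), policy


if __name__ == "__main__":
    # Spoofed From with neither check aligned: the published p=reject applies.
    print(evaluate_dmarc("example.com", "bulk-mailer.example.net", None))   # ('fail', 'reject')
```

Note that a DKIM pass alone is not enough under adkim=s when the signing domain is a subdomain of the From domain; that is the case that catches people who sign with a mail-relay subdomain and then publish a strict record.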
Critical Security Control #8: Malware Defenses

8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system, or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
8.5 Configure devices to not auto-run content from removable media.
8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
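Sub-control 8.7 only pays off if the query log is actually matched against the malicious-domain list, and the match has to walk up the name: a lookup of c2.bad-cdn.example should hit a list entry for bad-cdn.example, while a lookup of the bare parent of a listed subdomain should not. The following is an added example, not part of the CIS document: it parses constructed BIND-style query-log lines (the format is assumed) and reports every lookup whose name equals, or is a subdomain of, an entry in a constructed blocklist.

```python
"""Match DNS query-log lines against a known-malicious domain list (CIS 8.7).

Added example, not from the CIS document. Log lines are constructed in a
BIND-style query-log shape (format assumed); the blocklist is constructed.
"""
import re

# client <ip>#<port> (<name>): query: <qname> IN <qtype> ...
QUERY_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+.*?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

BLOCKLIST = {"bad-cdn.example", "updates.evil-ops.example"}   # constructed

DNS_LOG = """\
03-Mar-2024 09:10:01.120 client 10.20.5.14#53211 (www.example.com): query: www.example.com IN A + (10.20.0.53)
03-Mar-2024 09:10:02.500 client 10.20.5.77#49007 (c2.bad-cdn.example): query: c2.bad-cdn.example IN A + (10.20.0.53)
03-Mar-2024 09:10:03.010 client 10.20.5.77#49008 (updates.evil-ops.example): query: updates.evil-ops.example IN TXT + (10.20.0.53)
03-Mar-2024 09:10:04.300 client 10.20.5.91#53300 (evil-ops.example): query: evil-ops.example IN A + (10.20.0.53)
"""


def blocklisted_parent(qname, blocklist):
    """Return the blocklist entry that qname equals or is a subdomain of, else None.
    Only walks upward: a listed subdomain does not taint its parent."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_malicious_lookups(log_text, blocklist=BLOCKLIST):
    """Return (source_ip, queried_name, matched_entry) for each hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        matched = blocklisted_parent(m["qname"], blocklist)
        if matched:
            hits.append((m["src"], m["qname"], matched))
    return hits


if __name__ == "__main__":
    for src, qname, entry in find_malicious_lookups(DNS_LOG):
        print(f"ALERT {src} looked up {qname} (blocklisted: {entry})")
```

The source address in each hit is the host to hand to the 8.6 workflow; the name is what tells the responder whether it was a beacon, a download or a TXT-record channel.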
Critical Security Control #9: Limitation and Control of Network Ports

9.1 Associate active ports, services, and protocols to the hardware assets in the asset inventory.
9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities

10.1 Ensure that all system data is automatically backed up on a regular basis.
10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system, or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

14.1 Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Management).
Critical Security Control #15: Wireless Access Control

15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which provides mutual, certificate-based authentication.
15.9 Disable wireless peripheral access of devices (such as Bluetooth and Near Field Communication (NFC)), unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control

16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
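Sub-control 16.4 says "hash with a salt", and the two details that make that meaningful are a salt that is unique per record (so identical passwords do not produce identical hashes) and an iterated hash that is deliberately slow. The following is an added example, not part of the CIS document, using only the Python standard library: PBKDF2-HMAC-SHA256 with a random 16-byte salt, a self-describing storage string, a constant-time verification, and a check for records created under an older, weaker iteration count. The storage string format (algorithm$iterations$salt$hash) is this example's own convention.

```python
"""Salted, iterated password hashing for stored credentials (CIS 16.4).

Added example, not from the CIS document; standard library only. The storage
format algorithm$iterations$salt_hex$hash_hex is this example's own convention.
"""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # tune so one hash takes on the order of 100 ms on your hardware
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record. A fresh random salt is drawn unless one is supplied
    (supplying one is only for tests; never reuse a salt across records)."""
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the record's own salt and iteration count and compare in constant
    time. Malformed or foreign records verify as False rather than raising."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), hash_hex)
    except (ValueError, AttributeError):
        return False


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the record predates the current algorithm or iteration policy; call after a
    successful login, while the plaintext is available, to upgrade the record."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Correct horse battery staple", record))   # False
```

Reversible encryption belongs only to credentials the system must present elsewhere (API keys, service passwords); anything the system only ever needs to check should be stored as a salted, iterated hash like this one.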
Critical Security Control #17: Implement a Security Awareness and Training Program

17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security

18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management

19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises

20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)

[Mapping grid: the X marks that link each CIS sub-control row to a NIST SP 800-171 requirement column did not survive extraction and cannot be recovered here. The requirement column headings, as they appear on the page, are listed below.]

3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
3.1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after a period of inactivity.
3.1.11 Terminate (automatically) a user session after a defined condition.
3.1.12 Monitor and control remote access sessions.
3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
3.1.14 Route remote access via managed access control points.
3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
3.1.16 Authorize wireless access prior to allowing such connections.
3.1.17 Protect wireless access using authentication and encryption.
3.1.18 Control connection of mobile devices.
3.1.19 Encrypt CUI on mobile devices.
3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3.1.20 Verify and control/limit connections to and use of external information systems.
3.1.21 Limit use of organizational portable storage devices on external information systems.
3.1.22 Control information posted or processed on publicly accessible information systems.
3.1.3 Control the flow of CUI in accordance with approved authorizations.
3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
3.1.8 Limit unsuccessful logon attempts.
3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
3.10.2 Protect and monitor the physical facility and support infrastructure for those information systems.
3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
3.10.6 Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).
3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
3.11.2 Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
3.11.3 Remediate vulnerabilities in accordance with assessments of risk.
3.12.1 Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
3.12.3 Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
3.13.10 Establish and manage cryptographic keys for cryptography employed in the information system.


X

X
X

X
Prohibit remote
activation of
Employ FIPS-validated collaborative
cryptography when computing devices and Control and monitor
used to protect the the use of mobile code.
confidentiality of CUI. provide indication of
devices in use to users
present at the device.

3.13.11 3.13.12 3.13.13


X X

X X

X X

X X

X X

X X

X X

X X
X X

X X

X X

X X
Control and monitor Protect the authenticity Protect the
the use of Voice over of communications confidentiality of CUI at
Internet Protocol (VoIP)
technologies. sessions. rest.

3.13.14 3.13.15 3.13.16


X

X
X

X
X
X
X

X
X
Employ architectural
designs, software
development Separate user Prevent unauthorized
techniques, and functionality from and unintended
systems engineering information system information transfer via
principles that promote
effective information management shared system
security within functionality. resources.
organizational
information systems.

3.13.2 3.13.3 3.13.4


X
X

X
X
X

X
X
X
X

X
X
X

X
Prevent remote devices
Deny network from simultaneously
Implement
subnetworks for communications traffic establishing non-
publicly accessible by default and allow remote connections
system components network with the information
communications traffic system and
that are physically or by exception (i.e., deny communicating via
logically separated from all, permit by some other connection
internal networks. exception). to resources in external
networks.

3.13.5 3.13.6 3.13.7


X X

X X

X X

X X

X X

X X

X X

X X
X X

X X

X X

X X

X X

X X

X X
X X
X X

X X

X X

X X

X X
Implement
cryptographic Terminate network
mechanisms to prevent connections associated Identify, report, and
unauthorized disclosure with communications correct information and
of CUI during sessions at the end of information system
transmission unless the sessions or after a flaws in a timely
otherwise protected by defined period of manner.
alternative physical inactivity.
safeguards.

3.13.8 3.13.9 3.14.1


X

X
X
X
X
X

X
X

X
X
X
X
X
X
X

X
X
X
X
X
X
Provide protection from Monitor information
malicious code at system security alerts Update malicious code
appropriate locations and advisories and take protection mechanisms
when new releases are
within organizational appropriate actions in available.
information systems. response.

3.14.2 3.14.3 3.14.4


X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
Monitor the
Perform periodic scans
of the information information system
system and real-time including inbound and Identify unauthorized
scans of files from outbound use of the information
communications traffic,
external sources as files to detect attacks and system.
are downloaded, indicators of potential
opened, or executed. attacks.

3.14.5 3.14.6 3.14.7


X
X
X
X
X
X
X
X

X X
X X

X X

X X
X X
X X
X X
X X
Ensure that managers,
systems administrators,
and users of
organizational Ensure that
information systems organizational Provide security
are made aware of the personnel are awareness training on
security risks associated adequately trained to recognizing and
with their activities and carry out their assigned reporting potential
of the applicable information security- indicators of insider
policies, standards, and related duties and threat.
procedures related to responsibilities.
the security of
organizational
information systems.

3.2.1 3.2.2 3.2.3


X X
X X

X X

X X
X X
X X
X X
X X
X X
Create, protect, and
retain information Ensure that the actions
system audit records to
the extent needed to of individual
enable the monitoring, information system
analysis, investigation, users can be uniquely Review and update
traced to those users so audited events.
and reporting of they can be held
unlawful, unauthorized, accountable for their
or inappropriate actions.
information system
activity.

3.3.1 3.3.2 3.3.3


X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
Use automated
mechanisms to
integrate and correlate
audit review, analysis, Provide audit reduction
Alert in the event of an and reporting processes and report generation
audit process failure. for investigation and to support on-demand
response to indications analysis and reporting.
of inappropriate,
suspicious, or unusual
activity.

3.3.4 3.3.5 3.3.6


X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
Provide an information
system capability that Protect audit
compares and information and audit Limit management of
synchronizes internal tools from audit functionality to a
system clocks with an unauthorized access, subset of privileged
authoritative source to modification, and users.
generate time stamps deletion.
for audit records.

3.3.7 3.3.8 3.3.9


X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
Establish and maintain
baseline configurations
and inventories of Establish and enforce
organizational security configuration
information systems settings for information Track, review,
(including hardware, technology products approve/disapprove,
and audit changes to
software, firmware, and employed in information systems.
documentation) organizational
throughout the information systems.
respective system
development life cycles.

3.4.1 3.4.2 3.4.3


X X X

X X X

X X X

X X X

X X X
X X X
X X X

X X X
X X X
X X X

X X X

X X X
Define, document,
approve, and enforce Employ the principle of
Analyze the security physical and logical least functionality by
impact of changes prior access restrictions configuring the
information system to
to implementation. associated with changes provide only essential
to the information capabilities.
system.

3.4.4 3.4.5 3.4.6


X X
X X

X X
X X
X X

X X

X X
X X
X X
Apply deny-by-
exception (blacklist)
Restrict, disable, and policy to prevent the
prevent the use of use of unauthorized
nonessential programs, software or deny-all, Control and monitor
user-installed software.
functions, ports, permit-by-exception
protocols, and services. (whitelisting) policy to
allow the execution of
authorized software.

3.4.7 3.4.8 3.4.9


X X

X X

X X
X X
X X
X X
X X

X X

X X
X X
X
X
X
X
X
Identify information Store and transmit only Obscure feedback of
system users, processes encrypted authentication
acting on behalf of representation of
users, or devices. passwords. information.

3.5.1 3.5.10 3.5.11


X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
Authenticate (or verify) Use multifactor
the identities of those authentication for local Employ replay-resistant
users, processes, or and network access to authentication
devices, as a privileged accounts and mechanisms for
network access to
prerequisite to allowing for network access to privileged and non-
access to organizational non-privileged privileged accounts.
information systems. accounts.

3.5.2 3.5.3 3.5.4


X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
Enforce a minimum
Prevent reuse of Disable identifiers after password complexity
identifiers for a defined a defined period of and change of
period. inactivity. characters when new
passwords are created.

3.5.5 3.5.6 3.5.7


X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
Establish an operational
incident-handling
Allow temporary capability for
Prohibit password password use for organizational
reuse for a specified system logons with an information systems
that includes adequate
number of generations. immediate change to a preparation, detection,
permanent password. analysis, containment,
recovery, and user
response activities.

3.5.8 3.5.9 3.6.1


X X
X X
X X
X X
X X
X X

X X

X X
X X
X X
X X
X X
X X
X

X
X

X
Track, document, and
report incidents to Test the organizational Perform maintenance
appropriate officials incident response on organizational
and/or authorities both
internal and external to capability. information systems.
the organization.

3.6.2 3.6.3 3.7.1


X
X

X
X
X

X
X
X
X X

X X

X X

X X

X X
X X

X X

X X
Provide effective
controls on the tools, Check media containing
techniques, Ensure equipment diagnostic and test
mechanisms, and removed for off-site programs for malicious
maintenance is code before the media
personnel used to sanitized of any CUI. are used in the
conduct information information system.
system maintenance.

3.7.2 3.7.3 3.7.4


X
X

X
X
X

X
X
X
X
X

X
X
X
X
X
Require multifactor
authentication to
establish nonlocal Supervise the Protect (i.e., physically
maintenance sessions maintenance activities control and securely
via external network of maintenance store) information
connections and personnel without system media
terminate such required access containing CUI, both
connections when authorization. paper and digital.
nonlocal maintenance
is complete.

3.7.5 3.7.6 3.8.1


X X
X X

X X
X X
X X

X X

X X
X X
X X
X X
X X

X X
X X
X X

X X

X X
Sanitize or destroy
Limit access to CUI on information system Mark media with
information system media containing CUI necessary CUI markings
media to authorized and distribution
users. before disposal or limitations.
release for reuse.

3.8.2 3.8.3 3.8.4


X

X
X
X

X
Implement
cryptographic
Control access to media mechanisms to protect
containing CUI and the confidentiality of Control the use of
maintain accountability CUI stored on digital removable media on
for media during media during transport information system
transport outside of unless otherwise components.
controlled areas. protected by
alternative physical
safeguards.

3.8.5 3.8.6 3.8.7


X

X
X
X
X

X
X

X X

X X

X X
X X
X X

X X

X X

X X

X X
Prohibit the use of
portable storage Protect the Screen individuals prior
devices when such confidentiality of to authorizing access to
backup CUI at storage information systems
devices have no locations. containing CUI.
identifiable owner.

3.8.8 3.8.9 3.9.1


X
X
X

X
X

X
X
X
X

X
X
Ensure that CUI and
information systems
containing CUI are
protected during and
after personnel actions
such as terminations
and transfers.

3.9.2
X
X
X
X
X
X

X
X
X
X
X
X
CIS Controls v7.1 mapped to the NSA's MNT

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Router
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6
Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2
Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls

CIS Controls v7.1 mapped to the NSA's MNT

urity Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
urity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
urity Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

urity Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
urity Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
urity Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
urity Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
urity Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
urity Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
urity Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
urity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
urity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
urity Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the


organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)

[Mapping grid not recoverable from extraction. The sheet marks each CIS sub-control with an X against the following columns: Milestone 1 (Prepare to Document), Milestone 2 (Map your Network), Milestone 3 (Network Architecture), Milestone 4 (Device Accessibility), Milestone 5 (User Access), Milestone 6 (Patch Management), Milestone 7 (Baseline Management), Milestone 8 (Document your Network), Backup Strategy, Incident Response and Disaster Recovery Plans, Security Policy, Training, Executable Content Restrictions, Virus Scanners and Host Intrusion Prevention Systems, Personal Electronic Device Management, Data-At-Rest Protection, Network Access Control, Security Gateways, Proxies, and Firewalls, Remote Access Security, Network Security Monitoring, Log Management, Configuration and Change Management, Audit Strategy. Only the column headings survived; the row-by-row marks are lost.]
CIS Controls v7.1 mapped to the Australian Essential Eight

[Sub-control index; the Essential Eight mapping columns did not survive extraction.]

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices: System 1.1 through 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software: System 2.1 through 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation: System 3.1 through 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges: System 4.1 through 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software: System 5.1 through 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs: System 6.1 through 6.8

Critical Security Control #7: Email and Web Browser Protections: System 7.1 through 7.10

Critical Security Control #8: Malware Defenses: System 8.1 through 8.8

Critical Security Control #9: Limitation and Control of Network Ports: System 9.1 through 9.5

Critical Security Control #10: Data Recovery Capabilities: System 10.1 through 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches: Network 11.1 through 11.7

Critical Security Control #12: Boundary Defense: Network 12.1 through 12.12

Critical Security Control #13: Data Protection: Network 13.1 through 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know: Application 14.1 through 14.9

Critical Security Control #15: Wireless Access Control: Network 15.1 through 15.10

Critical Security Control #16: Account Monitoring and Control: Application 16.1 through 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program: Application 17.1 through 17.9

Critical Security Control #18: Application Software Security: Application 18.1 through 18.11

Critical Security Control #19: Incident Response and Management: Application 19.1 through 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises: Application 20.1 through 20.8
CIS Controls v7.1 mapped to the Australian Essential Eight

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.

12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.

12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.

12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.

12.8 Enable the collection of NetFlow and logging data on all network boundary devices.

12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.

12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.

12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.

12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.

13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

13.4 Only allow access to authorized cloud storage or email providers.

13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know

14.1 Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).

14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.

14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.

14.4 Encrypt all sensitive information in transit.

14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.

14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.

14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.

14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control

15.1 Maintain an inventory of authorized wireless access points connected to the wired network.

15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.

15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.

15.4 Disable wireless access on devices that do not have a business purpose for wireless access.

15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.

15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.

15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control

16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.

16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.

16.4 Encrypt or hash with a salt all authentication credentials when stored.

16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

16.6 Maintain an inventory of all accounts organized by authentication system.

16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

16.8 Disable any account that cannot be associated with a business process or business owner.

16.9 Automatically disable dormant accounts after a set period of inactivity.

16.10 Ensure that all accounts have an expiration date that is monitored and enforced.

16.11 Automatically lock workstation sessions after a standard period of inactivity.

16.12 Monitor attempts to access deactivated accounts through audit logging.

16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program

17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.

17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.

17.5 Train workforce members on the importance of enabling and utilizing secure authentication.

17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.

17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.

17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security

18.1 Establish secure coding practices appropriate to the programming language and development environment being used.

18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.

18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
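The secure-coding and input-checking items above (18.1, 18.2) are abstract; the following added example, not from the CIS document, makes them concrete for the most common case. The same user lookup is written twice: once with the input spliced into the SQL text, once with explicit validation of size and format followed by a bound parameter. Both run against a constructed in-memory SQLite table so the effect of a classic injection payload can be observed directly. The username policy in the regular expression is an assumption.

```python
"""The same lookup written unsafely and safely, with explicit input validation.
Added example, not from the CIS document; table and rows are constructed in an
in-memory SQLite database."""
import re
import sqlite3

# Assumed username policy: lowercase letter first, then up to 31 of [a-z0-9_.-].
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test"),
    ])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Deliberately unsafe: user input becomes part of the SQL text."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def validate_username(username: str) -> str:
    """Explicit error checking for type, size and format before the value is used."""
    if not isinstance(username, str):
        raise TypeError("username must be a string")
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username has invalid length or characters")
    return username


def lookup_hardened(conn, username: str) -> list:
    """Validate first, then bind the value so it can never be parsed as SQL."""
    username = validate_username(username)
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo() -> dict:
    """Run both versions with a normal value and a tautology payload."""
    conn = make_db()
    payload = "x' OR '1'='1"
    result = {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, payload),  # returns every row
    }
    try:
        lookup_hardened(conn, payload)
        result["hardened_payload"] = "accepted"
    except ValueError as e:
        result["hardened_payload"] = f"rejected: {e}"
    # Even without the validator, a bound parameter is compared as a literal string.
    result["bound_literal"] = conn.execute(
        "SELECT username FROM users WHERE username = ?", (payload,)).fetchall()
    result["hardened_normal"] = lookup_hardened(conn, "alice")
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The validator and the parameter binding are independent defences: binding alone defeats the injection, while the validator additionally rejects over-long or malformed input before it reaches any backend, which is what 18.2 asks for.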
Critical Security Control #19: Incident Response and Management

19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.

19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.

19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.

19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.

19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.

19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.

19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises

20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.

20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.

20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

Mapping grid for the sheet below: one column per Australian DSD mitigation, with an X on each sub-control row that maps to it. Column headings: 1 Application whitelisting; 2 Patch applications; 3 Disable untrusted Microsoft Office macros; 4 User application hardening; 5 Restrict administrative privileges; 6 Patch operating systems; 7 Multi-factor authentication; 8 Daily backup of important data. (The row labels for the X marks are not preserved in this text rendering.)
CIS Controls v7.1 mapped to Australian DSD Top 35: 2014

Sub-control index (family and sub-control IDs as listed on the mapping sheet):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls v7.1 mapped to Australian DSD Top 35: 2014

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

1.1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

1.2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.

1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.

1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Critical Security Control #4: Controlled Use of Administrative Privileges

4.1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

4.2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

4.3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.

4.4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

4.5 Use multi-factor authentication and encrypted channels for all administrative account access.

4.6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.

4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.

4.8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
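The two logging items above (4.8, 4.9) say what to alert on but not how the alert logic looks. The following is an added example, not from the CIS document, of the detection side: it walks a stream of Windows Security events, raises an alert for every membership change in an administrative group, and raises one alert when failed logons to an administrative account from one source exceed a threshold inside a sliding window. The event IDs are the standard Windows ones for group membership changes and failed logons; the events themselves are constructed, and the admin group names, admin account names, threshold and window are assumptions for the example.

```python
"""Alerting on administrative group membership changes and failed admin logons.
Added example, not from the CIS document. Events are constructed dictionaries
shaped like Windows Security log fields; in practice they would come from
Windows event forwarding or a SIEM export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs for membership changes in security-enabled groups.
GROUP_ADD_IDS = {4728, 4732, 4756}      # member added: global, local, universal group
GROUP_REMOVE_IDS = {4729, 4733, 4757}   # member removed: global, local, universal group
FAILED_LOGON_ID = 4625

# Assumed policy values for the example.
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins", "Schema Admins"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-svc-backup", "Administrator"}
FAILED_LOGON_THRESHOLD = 3
FAILED_LOGON_WINDOW = timedelta(minutes=10)

# Constructed sample events (ISO timestamps sort correctly as strings).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:12", "id": 4732, "subject": "adm-jdoe", "member": "bob", "group": "Administrators", "host": "WS01"},
    {"time": "2024-05-01T09:01:40", "id": 4728, "subject": "adm-jdoe", "member": "svc-deploy", "group": "Domain Admins", "host": "DC01"},
    {"time": "2024-05-01T09:02:05", "id": 4728, "subject": "adm-jdoe", "member": "alice", "group": "Finance Users", "host": "DC01"},
    {"time": "2024-05-01T09:10:00", "id": 4625, "account": "adm-svc-backup", "src_ip": "10.0.5.7", "host": "DC01"},
    {"time": "2024-05-01T09:11:00", "id": 4625, "account": "adm-svc-backup", "src_ip": "10.0.5.7", "host": "DC01"},
    {"time": "2024-05-01T09:12:30", "id": 4625, "account": "adm-svc-backup", "src_ip": "10.0.5.7", "host": "DC01"},
    {"time": "2024-05-01T09:13:00", "id": 4625, "account": "carol", "src_ip": "10.0.5.9", "host": "WS02"},
    {"time": "2024-05-01T11:00:00", "id": 4625, "account": "Administrator", "src_ip": "10.0.5.7", "host": "DC01"},
    {"time": "2024-05-01T11:30:00", "id": 4733, "subject": "adm-jdoe", "member": "bob", "group": "Administrators", "host": "WS01"},
]


def alerts_for(events: list) -> list:
    """Return one alert per admin-group change and one per burst of failed
    admin logons (threshold reached within the window, per account and source)."""
    alerts = []
    failures = defaultdict(list)  # (account, src_ip) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        eid = ev["id"]
        if eid in GROUP_ADD_IDS or eid in GROUP_REMOVE_IDS:
            if ev["group"] in ADMIN_GROUPS:
                action = "added to" if eid in GROUP_ADD_IDS else "removed from"
                alerts.append({
                    "type": "admin_group_change",
                    "time": ev["time"],
                    "detail": f"{ev['member']} {action} {ev['group']} by {ev['subject']} on {ev['host']}",
                })
        elif eid == FAILED_LOGON_ID and ev["account"] in ADMIN_ACCOUNTS:
            key = (ev["account"], ev["src_ip"])
            # Keep only attempts inside the sliding window, then count.
            failures[key] = [t for t in failures[key] + [ts] if ts - t <= FAILED_LOGON_WINDOW]
            if len(failures[key]) == FAILED_LOGON_THRESHOLD:
                alerts.append({
                    "type": "admin_logon_failures",
                    "time": ev["time"],
                    "detail": f"{FAILED_LOGON_THRESHOLD} failed logons for {ev['account']} "
                              f"from {ev['src_ip']} within {FAILED_LOGON_WINDOW}",
                })
    return alerts


if __name__ == "__main__":
    for a in alerts_for(SAMPLE_EVENTS):
        print(a["time"], a["type"], a["detail"])
```

Group changes alert on every occurrence rather than on a threshold, because a single addition to Domain Admins is already the event of interest; the failed-logon rule is keyed on account and source so that one attacker spraying several admin accounts still surfaces per account.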
Critical Security Control #5: Secure Configurations for Hardware and Software

5.1 Maintain documented security configuration standards for all authorized operating systems and software.

5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

6.2 Ensure that local logging has been enabled on all systems and networking devices.

6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.

6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.

6.7 On a regular basis, review logs to identify anomalies or abnormal events.

6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections

7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.

7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses

8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.

8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

8.5 Configure devices to not auto-run content from removable media.

8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.

8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports

9.1 Associate active ports, services, and protocols to the hardware assets in the asset inventory.

9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
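The first three items above (9.1 to 9.3) amount to one recurring comparison: what is listening on a host versus what the inventory says should be. The block below is an added example, not from the CIS document, of that comparison done from the host side. It parses the text output of the Linux `ss -tulnp` command (a real iproute2 tool; the output shown is constructed) and checks each listener against an assumed inventory record that names the expected process and whether the service may only bind to loopback, so it catches an unknown listener, a known port served by the wrong process, and a loopback-only service exposed on a routable address.

```python
"""Audit of listening ports against the authorized inventory. Added example,
not from the CIS document. Parses the text format of `ss -tulnp` on Linux; the
sample output and the inventory record are constructed."""
import re

# Constructed `ss -tulnp` output for a hypothetical host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhclient",pid=600,fd=6))
tcp   LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1023,fd=6))
tcp   LISTEN 0      244    0.0.0.0:5432        0.0.0.0:*         users:(("postgres",pid=1300,fd=5))
tcp   LISTEN 0      4096   0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=2211,fd=3))
"""

# Assumed inventory record for this host: (proto, port) -> expected process and
# whether the service is only permitted to bind to loopback.
AUTHORIZED = {
    ("tcp", 22):   {"process": "sshd", "loopback_only": False},
    ("udp", 68):   {"process": "dhclient", "loopback_only": False},
    ("tcp", 6379): {"process": "redis-server", "loopback_only": True},
    ("tcp", 5432): {"process": "postgres", "loopback_only": True},
}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+users:\(\(\"(?P<proc>[^\"]+)\",pid=(?P<pid>\d+)[^)]*\)\))?"
)
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(text: str) -> list:
    """Return one dict per socket line, skipping the header and unparsable lines."""
    sockets = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if not m:
            continue
        sockets.append({
            "proto": m["proto"],
            "addr": m["addr"],
            "port": int(m["port"]),
            "process": m["proc"] or "?",   # process is absent when ss runs unprivileged
            "pid": int(m["pid"]) if m["pid"] else None,
        })
    return sockets


def audit(sockets: list, authorized: dict) -> list:
    """Findings as (kind, description): unauthorized listeners, known ports served by
    an unexpected process, and loopback-only services bound to a routable address."""
    findings = []
    for s in sockets:
        rule = authorized.get((s["proto"], s["port"]))
        where = f"{s['proto']}/{s['port']} ({s['process']}, pid {s['pid']}) on {s['addr']}"
        if rule is None:
            findings.append(("unauthorized_port", where))
        elif rule["process"] != s["process"]:
            findings.append(("process_mismatch", f"{where}: expected {rule['process']}"))
        elif rule["loopback_only"] and s["addr"] not in LOOPBACK:
            findings.append(("exposed_service", where))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(parse_ss(SAMPLE_SS_OUTPUT), AUTHORIZED):
        print(f"{kind}: {detail}")
```

Run under a privileged account, since `ss` only shows the owning process for sockets the caller can inspect; the external port scan in 9.3 remains necessary as the view that does not depend on the host being honest about itself.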
urity Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.

Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.

Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.

Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.

Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.

Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.

Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.

Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.

Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain third-party contact information to be used to report a security incident,
such as law enforcement, relevant government departments, vendors, and Information Sharing and
Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization scheme based on the known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.

Master Mappings Tool (v7.1a)

Column headings of the mapping grid, mitigation strategies 1-35 (the grid's X marks are not recoverable from the extracted text):

1. Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including DLL files, scripts and installers.
2. Patch applications, eg, Java, PDF viewers, Flash, web browsers and Microsoft Office. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest version of applications.
3. Patch operating system vulnerabilities. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP.
4. Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.
5. User application configuration hardening, disabling the running of internet-based Java code, untrusted Microsoft Office macros, and undesired web browser and PDF viewer features.
6. Automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour including network traffic, new or modified files, or configuration changes.
7. Operating system generic exploit mitigation mechanisms, eg, Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).
8. Disable local administrator accounts to prevent network propagation using compromised local administration credentials that are shared by several computers.
9. Host-based Intrusion Detection/Prevention System to identify anomalous behaviour such as process injection, keystroke logging, driver loading and persistence.
10. Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by Microsoft Active Directory.
11. Software-based application firewall, blocking incoming network traffic that is malicious or otherwise unauthorised, and denying network traffic by default.
12. Multi-factor authentication especially implemented for remote access or when the user is about to perform a privileged action or access a sensitive information repository.
13. Software-based application firewall, blocking outgoing network traffic that is not generated by whitelisted applications, and denying network traffic by default.
14. Non-persistent virtualised sandboxed trusted operating environment, hosted outside the organisation's internal network, for risk activities such as web browsing.
15. Centralised and time-synchronised logging of successful and failed computer events with automated immediate log analysis, storing logs for at least 18 months.
16. Centralised and time-synchronised logging of allowed and blocked network events with automated immediate log analysis, storing logs for at least 18 months.
17. Email content filtering allowing only business-related attachment types. Preferably analyse/convert/sanitise links, PDF and Microsoft Office attachments.
18. Web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioural analysis, cloud-based reputation ratings, heuristics and signatures.
19. Block spoofed emails using Sender ID or Sender Policy Framework (SPF) to check incoming emails, and a 'hard fail' SPF record to help prevent spoofing of your organisation's domain.
20. Web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.
21. Workstation and server configuration management based on a hardened Standard Operating Environment with unrequired functionality disabled e.g. IPv6, autorun and LanMan.
22. Antivirus software using heuristics and automated internet-based reputation ratings to check a program's prevalence and its digital signature's trustworthiness prior to execution.
23. Deny direct internet access from workstations by using an IPv6-capable firewall to force traffic through a split DNS server, an email server or an authenticated web proxy server.
24. Server application security configuration hardening e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems.
25. Removable and portable media control as part of a data loss prevention strategy, including storage, handling, whitelisting allowed USB devices, encryption and destruction.
26. Enforce a strong passphrase policy covering complexity, length and expiry, and avoiding both passphrase re-use and the use of a single dictionary word.
27. Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations and on servers where possible.
28. User education, eg, internet threats and spear-phishing socially-engineered emails. Avoid weak passphrases, passphrase re-use, exposing email addresses and unapproved USB devices.
29. Workstation inspection of Microsoft Office files for potentially malicious abnormalities, eg, using the Microsoft Office File Validation or Protected View features.
30. Signature-based antivirus software that primarily relies on up-to-date signatures to identify malware. Use gateway and desktop antivirus software from different vendors.
31. TLS encryption between email servers to help prevent legitimate emails being intercepted and used for social engineering. Perform content scanning after email traffic is decrypted.
32. Block attempts to access web sites by their IP address instead of by their domain name, eg, implemented using a web proxy server, to force cyber adversaries to obtain a domain name.
33. Network-based Intrusion Detection/Prevention System using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.
34. Capture network traffic to/from internal critical-asset workstations and servers, as well as traffic traversing the network perimeter, to perform post-intrusion analysis.
35. Gateway blacklisting to block access to known malicious domains and IP addresses, including dynamic and other domains provided free to anonymous internet users.

CIS Controls v7.1 mapped to the NSA's Top 10 Information Assurance Mitigation Strategies

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8

CIS Controls v7.1 mapped to the NSA's Top 10 Information Assurance Mitigation Strategies


Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
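Comparing consecutive scans and risk-rating the results are two halves of one loop: the diff tells you what was fixed, what is new and what persists, and the rating decides which persisting findings are overdue. The following is an added example of that loop, not code from the CIS document. The two scan result sets, the check IDs and the host names are constructed, and the SLA table is an assumed policy input, not a value the document prescribes.

```python
"""Compare consecutive vulnerability scans and prioritise overdue findings.

Added example for CIS Control 3 (sub-controls 3.6 and 3.7); not code from the
CIS document. Scan results, check IDs and hostnames are constructed, and the
remediation SLA table is an assumed policy, not one the document prescribes.
"""
from datetime import date

# Assumed remediation SLA in days by severity (policy input, not a CIS value).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

SCAN_DATE = date(2024, 5, 8)  # date of the latest (constructed) scan

# A finding is keyed by (host, check_id). first_seen is kept across scans so
# the age used for the SLA is the age of the vulnerability, not of the scan.
PREVIOUS_SCAN = {  # constructed scan of 2024-05-01
    ("db-01", "CHK-1001"):  {"severity": "critical", "first_seen": date(2024, 4, 3)},
    ("db-01", "CHK-1002"):  {"severity": "low",      "first_seen": date(2024, 1, 10)},
    ("web-01", "CHK-2001"): {"severity": "high",     "first_seen": date(2024, 4, 20)},
}
LATEST_SCAN = {  # constructed scan of 2024-05-08
    ("db-01", "CHK-1001"):  {"severity": "critical"},  # still present
    ("web-01", "CHK-2001"): {"severity": "high"},      # still present
    ("web-01", "CHK-2002"): {"severity": "medium"},    # new this week
}


def diff_scans(previous, current, scan_date):
    """Split findings into remediated, new and persisting. Persisting findings
    inherit their original first_seen date; new ones start at scan_date."""
    remediated = sorted(set(previous) - set(current))
    new = {k: {**v, "first_seen": scan_date} for k, v in current.items() if k not in previous}
    persisting = {k: {**current[k], "first_seen": previous[k]["first_seen"]}
                  for k in current if k in previous}
    return remediated, new, persisting


def overdue(findings, today):
    """Findings whose age exceeds the SLA for their severity, worst first:
    ordered by severity, then by how many days past the SLA they are."""
    out = []
    for (host, check), info in findings.items():
        age = (today - info["first_seen"]).days
        limit = SLA_DAYS[info["severity"]]
        if age > limit:
            out.append((host, check, info["severity"], age - limit))
    return sorted(out, key=lambda f: (SEVERITY_RANK[f[2]], -f[3]))


if __name__ == "__main__":
    remediated, new, persisting = diff_scans(PREVIOUS_SCAN, LATEST_SCAN, SCAN_DATE)
    print("remediated:", remediated)
    print("new:", sorted(new))
    for host, check, sev, days_over in overdue({**persisting, **new}, SCAN_DATE):
        print(f"OVERDUE {sev:<8} {host} {check} ({days_over} days past SLA)")
```

Keying findings on (host, check) rather than on the scanner's per-run finding ID is what makes the diff meaningful across runs; if the scanner reissues IDs every run, every finding looks new and nothing ever shows as remediated.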

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
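The last two requirements (alert on membership changes to administrative groups; alert on failed logons to administrative accounts) are detection rules. The following is an added example of both rules run over sample events, not code from the CIS document. The event IDs follow the Windows Security log (4728/4732/4756 for a member added to a security-enabled group, 4729/4733/4757 for a member removed, 4625 for a failed logon), but the flattened record layout, the group and account names and the threshold are assumptions for this example.

```python
"""Alert on administrative group membership changes and on failed logons to
administrative accounts (CIS sub-controls 4.8 and 4.9).

Added example, not code from the CIS document. The records below are
constructed in a simplified form: the event IDs are Windows Security log IDs
(4728/4732/4756 member added, 4729/4733/4757 member removed, 4625 failed
logon), but the field layout is an assumption, not the real event schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADD_EVENTS = {4728, 4732, 4756}
REMOVE_EVENTS = {4729, 4733, 4757}
FAILED_LOGON = 4625

ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"adm-jsmith", "adm-backup"}

# Constructed sample events.
EVENTS = [
    {"time": "2024-05-08T09:01:10", "id": 4732, "actor": "adm-jsmith", "member": "contractor7",
     "group": "Administrators", "host": "ws-114"},
    {"time": "2024-05-08T09:02:30", "id": 4732, "actor": "adm-jsmith", "member": "svc-print",
     "group": "Print Operators", "host": "ws-114"},
    {"time": "2024-05-08T09:05:00", "id": 4729, "actor": "adm-backup", "member": "olduser",
     "group": "Domain Admins", "host": "dc-01"},
    {"time": "2024-05-08T22:10:00", "id": 4625, "account": "adm-backup", "source_ip": "10.9.8.7", "host": "dc-01"},
    {"time": "2024-05-08T22:10:05", "id": 4625, "account": "adm-backup", "source_ip": "10.9.8.7", "host": "dc-01"},
    {"time": "2024-05-08T22:10:09", "id": 4625, "account": "adm-backup", "source_ip": "10.9.8.7", "host": "dc-01"},
    {"time": "2024-05-08T22:11:00", "id": 4625, "account": "jdoe", "source_ip": "10.1.1.5", "host": "fs-02"},
]


def admin_group_change_alerts(events, admin_groups=ADMIN_GROUPS):
    """Every add/remove against an administrative group is an alert (4.8);
    changes to non-administrative groups are ignored."""
    alerts = []
    for e in events:
        if e["id"] in ADD_EVENTS | REMOVE_EVENTS and e["group"] in admin_groups:
            action = "added to" if e["id"] in ADD_EVENTS else "removed from"
            alerts.append(f'{e["time"]} {e["actor"]} {action} {e["group"]}: {e["member"]} on {e["host"]}')
    return alerts


def failed_admin_logon_alerts(events, admin_accounts=ADMIN_ACCOUNTS,
                              threshold=3, window=timedelta(minutes=5)):
    """Alert when an administrative account sees `threshold` failed logons
    from one source inside `window` (4.9). Non-admin accounts are left to
    the general account-monitoring rules under Control 16."""
    buckets = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON and e["account"] in admin_accounts:
            buckets[(e["account"], e["source_ip"])].append(datetime.fromisoformat(e["time"]))
    alerts = []
    for (account, src), times in buckets.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(f"{account}: {threshold} failed logons from {src} within {window}")
                break
    return alerts


if __name__ == "__main__":
    for line in admin_group_change_alerts(EVENTS) + failed_admin_logon_alerts(EVENTS):
        print("ALERT", line)
```

Group-membership changes are alerted on individually, with no threshold: one unexpected addition to Domain Admins is the whole incident. The threshold only applies to failed logons, where a single mistyped password is noise.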
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
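The DMARC requirement above says to start with SPF and DKIM; the practical check is whether the records a domain publishes actually enforce anything. The following is an added example that parses SPF and DMARC TXT records and reports weak settings; it is not code from the CIS document. The record strings are constructed (in practice they come from DNS TXT lookups of the domain and of `_dmarc.<domain>`), the example domains and addresses are reserved documentation values, and DKIM is deliberately not assessed because validating it needs the selector's public key and a signed message, not just a record.

```python
"""Check published SPF and DMARC records for weak settings (CIS sub-control 7.8).

Added example, not code from the CIS document. The record strings are
constructed; in practice they come from a DNS TXT lookup of the domain and of
_dmarc.<domain>. DKIM is not checked here: validating it needs the selector's
public key and a signed message, not just a record.
"""


def parse_spf(txt):
    """Return (mechanisms, all_qualifier) for a v=spf1 record, or None.
    all_qualifier is one of '+', '-', '~', '?' or None when 'all' is absent."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def parse_dmarc(txt):
    """Return the tag=value pairs of a v=DMARC1 record, or None."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_txt, dmarc_txt):
    """Findings a mail administrator should act on; an empty list means the
    domain fails unlisted senders and enforces its DMARC policy."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("SPF: no valid v=spf1 record published")
    else:
        mechanisms, all_q = spf
        if all_q in (None, "+", "?"):
            findings.append("SPF: record does not fail unlisted senders (missing, +all or ?all)")
        elif all_q == "~":
            findings.append("SPF: ~all only soft-fails; move to -all once DMARC reports confirm all senders are listed")
        if not mechanisms:
            findings.append("SPF: no sending sources listed")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("DMARC: no valid v=DMARC1 record at _dmarc.<domain>")
    else:
        if dmarc.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={dmarc.get('p', 'missing')} does not enforce; use quarantine or reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")
        pct = dmarc.get("pct", "100")
        if pct != "100":
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


if __name__ == "__main__":
    for f in assess("v=spf1 include:_spf.example.net +all", "v=DMARC1; p=none"):
        print(f)
```

A p=none policy is the right starting point while the rua= reports are used to discover legitimate senders, but it is a monitoring setting, not a protection; the control is only met once the policy reaches quarantine or reject with pct=100.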
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
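The first three requirements above (tie ports to inventory assets, keep only validated listeners, scan regularly and alert on anything else) come down to diffing scan output against a per-asset baseline. The following is an added example of that diff, not code from the CIS document. The scan lines are constructed in the grepable (-oG) layout that nmap writes, and the approved-port baseline and host addresses are assumptions for the example.

```python
"""Flag listening ports that are not in the approved baseline for a host
(CIS sub-controls 9.1 to 9.3).

Added example, not code from the CIS document. The scan lines are constructed
in the grepable (-oG) layout that nmap writes; the approved-port baseline and
host addresses are assumptions for the example.
"""
import re

# Approved (port, protocol) pairs per asset, joined to the hardware inventory (9.1).
BASELINE = {
    "10.0.0.5": {(22, "tcp"), (443, "tcp")},
    "10.0.0.9": {(22, "tcp"), (53, "udp"), (53, "tcp")},
}

# Constructed scan output in nmap -oG layout (tab-separated fields, one host per line).
SCAN = """\
# Nmap scan initiated as: nmap -sS -sU -oG - 10.0.0.0/29
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///, 53/open/tcp//domain///\tIgnored State: closed (997)
Host: 10.0.0.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
"""

# port/state/protocol/... ; open|filtered is how UDP ports usually show up.
PORT_RE = re.compile(r"(\d+)/(open|open\|filtered)/(tcp|udp)/")


def parse_grepable(text):
    """Map each scanned host to the set of (port, proto) reported open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = set()
        for field in fields[1:]:
            if field.startswith("Ports:"):
                ports = {(int(p), proto) for p, _state, proto in PORT_RE.findall(field)}
        hosts[ip] = ports
    return hosts


def audit(scan_text, baseline):
    """For each scanned host, report listeners outside the baseline and
    baseline services that are no longer listening. A host with no baseline
    entry at all is an asset missing from the inventory (Control 1)."""
    result = {}
    for ip, open_ports in parse_grepable(scan_text).items():
        approved = baseline.get(ip)
        if approved is None:
            result[ip] = {"unknown_asset": True, "open": open_ports}
            continue
        result[ip] = {"unauthorized": open_ports - approved, "missing": approved - open_ports}
    return result


if __name__ == "__main__":
    for ip, r in sorted(audit(SCAN, BASELINE).items()):
        if r.get("unknown_asset"):
            print(f"{ip}: not in inventory, listening on {sorted(r['open'])}")
        elif r["unauthorized"]:
            print(f"{ip}: unauthorized listeners {sorted(r['unauthorized'])}")
```

The "missing" set is worth alerting on too: a baseline service that stopped listening is either an outage or a host that has been re-imaged or replaced, and either way the inventory is now wrong. Hosts in the baseline that did not appear in the scan at all are not covered here and need a separate liveness check.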
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
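Several of the requirements above (disable accounts with no business owner, disable dormant accounts, enforce expiration dates, watch for attempts to use deactivated accounts) are a periodic review over the account inventory plus one rule over the logon records. The following is an added example of both, not code from the CIS document. The account export, the logon records, the review date and the 90-day dormancy period are constructed or assumed for illustration.

```python
"""Flag accounts that need disabling under CIS sub-controls 16.8 to 16.10
(no owner, dormant, expired) and attempts to use deactivated accounts (16.12).

Added example, not code from the CIS document. Account records, the dormancy
period, the review date and the logon events are constructed for illustration.
"""
from datetime import date

DORMANT_DAYS = 90            # assumed policy value
TODAY = date(2024, 5, 8)     # review date for the constructed data

ACCOUNTS = [  # constructed export from the authentication system
    {"user": "jdoe",     "owner": "Sales",   "last_logon": date(2024, 5, 7), "expires": date(2024, 12, 31), "enabled": True},
    {"user": "svc-etl",  "owner": None,      "last_logon": date(2024, 5, 8), "expires": None,               "enabled": True},
    {"user": "intern22", "owner": "Finance", "last_logon": date(2024, 1, 5), "expires": date(2024, 6, 30),  "enabled": True},
    {"user": "ctr-old",  "owner": "IT",      "last_logon": date(2024, 3, 1), "expires": date(2024, 3, 31),  "enabled": True},
    {"user": "leaver",   "owner": "HR",      "last_logon": date(2024, 2, 2), "expires": date(2024, 2, 2),   "enabled": False},
]

LOGONS = [  # constructed logon records; "success" as recorded by the authentication system
    {"time": "2024-05-08T03:12:00", "user": "leaver", "src": "10.2.2.2", "success": False},
    {"time": "2024-05-08T08:00:00", "user": "jdoe",   "src": "10.1.1.1", "success": True},
]


def review_accounts(accounts, today):
    """Return {user: [reasons]} for enabled accounts that should be disabled.
    Disabled accounts are kept (not deleted) so their audit trail survives."""
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue
        reasons = []
        if not a["owner"]:
            reasons.append("no business owner")                      # 16.8
        if (today - a["last_logon"]).days > DORMANT_DAYS:
            reasons.append(f"dormant > {DORMANT_DAYS} days")        # 16.9
        if a["expires"] is None:
            reasons.append("no expiration date")                     # 16.10
        elif a["expires"] < today:
            reasons.append("expired")
        if reasons:
            findings[a["user"]] = reasons
    return findings


def deactivated_account_attempts(logons, accounts):
    """Logon attempts against disabled accounts, successful or not (16.12).
    A successful one means the deactivation did not take and needs escalation."""
    disabled = {a["user"] for a in accounts if not a["enabled"]}
    return [(l["time"], l["user"], l["src"], l["success"]) for l in logons if l["user"] in disabled]


if __name__ == "__main__":
    for user, reasons in review_accounts(ACCOUNTS, TODAY).items():
        print(f"disable {user}: {', '.join(reasons)}")
    for when, user, src, ok in deactivated_account_attempts(LOGONS, ACCOUNTS):
        print(f"{when} attempt on deactivated account {user} from {src} (success={ok})")
```

Service accounts are where this review usually hurts: "svc-etl" has no owner and no expiry, which is exactly the profile the requirement says to disable, yet disabling it may break a production job. The fix is to assign the owner and an expiry, not to exempt the account from the rule.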
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
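The second requirement in this control, explicit error checking of all input for size, data type and acceptable range, is easiest to see as a permissive handler next to its checked form. The following is an added example, not code from the CIS document; the order payload, its field names and the business limits are constructed for illustration.

```python
"""Explicit input checking for size, type and range (CIS sub-control 18.2),
shown as a permissive handler beside its hardened form.

Added example, not code from the CIS document. The order payload, field
names and limits are constructed for illustration.
"""

# Assumed business limits for the example.
MAX_QTY = 500
MAX_NOTE_LEN = 200
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}


def handle_order_permissive(payload):
    """The 'before' form: trusts whatever types and sizes it receives. A
    string quantity, a negative number or a multi-megabyte note all pass
    straight through to whatever consumes the order."""
    return {"sku": payload["sku"], "qty": payload["qty"], "note": payload.get("note", "")}


class ValidationError(ValueError):
    pass


def handle_order_checked(payload):
    """Hardened form: every field is checked for type, size and range, and the
    caller gets one explicit error instead of a half-processed order."""
    errors = []
    sku = payload.get("sku")
    if not isinstance(sku, str) or not sku.isalnum() or not (4 <= len(sku) <= 16):
        errors.append("sku must be 4-16 alphanumeric characters")
    qty = payload.get("qty")
    if isinstance(qty, bool) or not isinstance(qty, int):  # bool is an int subclass
        errors.append("qty must be an integer")
    elif not (1 <= qty <= MAX_QTY):
        errors.append(f"qty must be between 1 and {MAX_QTY}")
    currency = payload.get("currency", "USD")
    if currency not in ALLOWED_CURRENCIES:
        errors.append("currency not supported")
    note = payload.get("note", "")
    if not isinstance(note, str):
        errors.append("note must be a string")
    elif len(note) > MAX_NOTE_LEN or not note.isprintable():
        errors.append(f"note must be printable and at most {MAX_NOTE_LEN} characters")
    if errors:
        raise ValidationError("; ".join(errors))
    return {"sku": sku, "qty": qty, "currency": currency, "note": note}


def validation_errors(payload):
    """Return the error message for a rejected payload, or None when accepted."""
    try:
        handle_order_checked(payload)
    except ValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    bad = {"sku": "AB1234", "qty": "-1", "note": "x" * 5000}
    print("permissive accepted:", handle_order_permissive(bad)["qty"])
    print("checked rejected:", validation_errors(bad))
```

The checks are allow-lists (alphanumeric SKU, a known currency set, a bounded integer), not a search for known-bad input; that is what makes them hold up when the next attack uses a character or value nobody thought to block.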
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

Mapping grid of the CIS sub-controls against ten mitigation columns. The per-row marks (which sub-control maps to which column) did not survive extraction; the column headings were:

1 Application Whitelisting
2 Administrative Privileges
3 Limit Workstation-to-Workstation Communication
4 Use Anti-Virus File Reputation Services
5 Enable Anti-Exploitation Features
6 Implement Host Intrusion Prevention System (HIPS) Rules
7 Set a Secure Baseline Configuration
8 Use Web Domain Name System (DNS) Reputation
9 Take Advantage of Software Improvements
10 Segregate Networks and Functions
CIS Controls v7.1 mapped to Canadian Communications Security
Establishment Top 10 IT Security Actions

Sub-control identifiers on this sheet, with the asset type the sheet assigns to each control (the marks showing which Top 10 action each sub-control maps to did not survive extraction):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices: System 1.1 through 1.8
Critical Security Control #2: Inventory of Authorized and Unauthorized Software: System 2.1 through 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation: System 3.1 through 3.7
Critical Security Control #4: Controlled Use of Administrative Privileges: System 4.1 through 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software: System 5.1 through 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs: System 6.1 through 6.8
Critical Security Control #7: Email and Web Browser Protections: System 7.1 through 7.10
Critical Security Control #8: Malware Defenses: System 8.1 through 8.8
Critical Security Control #9: Limitation and Control of Network Ports: System 9.1 through 9.5
Critical Security Control #10: Data Recovery Capabilities: System 10.1 through 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches: Network 11.1 through 11.7
Critical Security Control #12: Boundary Defense: Network 12.1 through 12.12
Critical Security Control #13: Data Protection: Network 13.1 through 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know: Application 14.1 through 14.9
Critical Security Control #15: Wireless Access Control: Network 15.1 through 15.10
Critical Security Control #16: Account Monitoring and Control: Application 16.1 through 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program: Application 17.1 through 17.9
Critical Security Control #18: Application Software Security: Application 18.1 through 18.11
Critical Security Control #19: Incident Response and Management: Application 19.1 through 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises: Application 20.1 through 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
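The DHCP-logging requirement above is the cheapest of the three discovery sources to put into practice: every lease the server hands out names a hardware address, and any address the inventory does not know is an unauthorized asset until someone says otherwise. The following is an added example of that reconciliation, not code from the CIS document. The log lines are constructed in the syslog layout ISC dhcpd uses for DHCPACK messages, and the inventory rows, owners and departments are assumptions for the example.

```python
"""Update the hardware asset inventory from DHCP server logs (CIS
sub-control 1.3) and flag devices that are not approved to connect (1.5, 1.6).

Added example, not code from the CIS document. The log lines are constructed
in the syslog layout used by ISC dhcpd; the inventory rows are assumptions.
"""
import re

# Constructed dhcpd log lines. Only the DHCPACK part is parsed; the syslog
# prefix (date, host, process) is skipped.
DHCP_LOG = """\
May  8 09:01:02 dhcp-01 dhcpd[812]: DHCPACK on 10.0.1.23 to 00:11:22:33:44:55 (laptop-7) via eth0
May  8 09:03:44 dhcp-01 dhcpd[812]: DHCPACK on 10.0.1.40 to aa:bb:cc:dd:ee:01 via eth0
May  8 09:05:10 dhcp-01 dhcpd[812]: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
May  8 09:05:11 dhcp-01 dhcpd[812]: DHCPACK on 10.0.1.77 to de:ad:be:ef:00:01 (pi-cam) via eth0
"""

# "(hostname)" is only present when the client sent one, hence the optional group.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)"
)

# Inventory keyed by hardware address, with the fields sub-control 1.5 asks for.
ASSETS = {
    "00:11:22:33:44:55": {"ip": None, "name": "laptop-7", "owner": "A. Rahman", "dept": "Sales", "approved": True},
    "aa:bb:cc:dd:ee:01": {"ip": "10.0.1.40", "name": "printer-2", "owner": "Facilities", "dept": "Ops", "approved": True},
}


def parse_acks(log_text):
    """Yield (ip, mac, hostname-or-None, interface) for each DHCPACK line."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("name"), m.group("iface")


def reconcile_leases(log_text, assets):
    """Refresh known assets' network addresses and return the unknown ones so
    they can be quarantined or added to the inventory after review (1.6)."""
    unknown = []
    for ip, mac, name, _iface in parse_acks(log_text):
        asset = assets.get(mac)
        if asset is None:
            unknown.append({"mac": mac, "ip": ip, "name": name, "approved": False})
        else:
            asset["ip"] = ip
            if name and not asset.get("name"):
                asset["name"] = name  # client-supplied, so record it but do not trust it
    return unknown


if __name__ == "__main__":
    for dev in reconcile_leases(DHCP_LOG, ASSETS):
        print(f"unknown device {dev['mac']} got {dev['ip']} (claims to be {dev['name']})")
```

A DHCP lease only proves that a device asked for an address, so this feed catches the ordinary laptop or camera that was plugged in without approval; a device with a static address, or one spoofing a known MAC, never appears here, which is why the document pairs it with active and passive discovery and with 802.1x port authentication.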
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
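The last two safeguards (compare consecutive scans; risk-rate what is found) are usually implemented together. The script below is an added example and is not part of the CIS Controls text or any scanner's output format. It diffs two scan exports into fixed, new and persistent findings, then ranks the open ones by CVSS multiplied by asset criticality, doubling the score once a finding is past its remediation SLA. The scan rows, criticality values and SLA table are constructed; the finding names are descriptive labels, not real advisory identifiers.

```python
"""Added example: diff two consecutive scan exports and risk-rank what remains open.

Not part of the CIS Controls text. Scan rows, asset criticality values and the SLA
table are constructed for illustration; finding names are descriptive labels, not
real advisory identifiers."""
from datetime import date

PREVIOUS_SCAN = [
    {"host": "web-01", "finding": "outdated-tls-library",      "cvss": 9.8, "first_seen": "2024-02-01"},
    {"host": "web-01", "finding": "directory-listing-enabled", "cvss": 5.3, "first_seen": "2024-02-01"},
    {"host": "db-01",  "finding": "default-admin-credentials", "cvss": 9.8, "first_seen": "2024-01-15"},
    {"host": "ws-17",  "finding": "missing-os-patch-rollup",   "cvss": 7.8, "first_seen": "2024-02-20"},
]
CURRENT_SCAN = [
    {"host": "web-01", "finding": "directory-listing-enabled", "cvss": 5.3, "first_seen": "2024-02-01"},
    {"host": "db-01",  "finding": "default-admin-credentials", "cvss": 9.8, "first_seen": "2024-01-15"},
    {"host": "ws-17",  "finding": "missing-os-patch-rollup",   "cvss": 7.8, "first_seen": "2024-02-20"},
    {"host": "ws-17",  "finding": "unsigned-driver-loaded",    "cvss": 6.1, "first_seen": "2024-03-01"},
]
REPORT_DATE = date(2024, 3, 4)

# Assumed: criticality comes from the hardware inventory (Control 1), 1 = low, 3 = high.
ASSET_CRITICALITY = {"web-01": 3, "db-01": 3, "ws-17": 1}
# Assumed remediation policy: (minimum CVSS, days allowed before the finding is overdue).
SLA_DAYS = [(9.0, 7), (7.0, 30), (4.0, 90), (0.0, 180)]


def finding_key(row):
    return (row["host"], row["finding"])


def diff_scans(previous, current):
    """Return (fixed, new, persistent) as sorted lists of (host, finding) keys."""
    prev = {finding_key(r) for r in previous}
    cur = {finding_key(r) for r in current}
    return sorted(prev - cur), sorted(cur - prev), sorted(cur & prev)


def sla_for(cvss):
    for floor, days in SLA_DAYS:
        if cvss >= floor:
            return days
    return SLA_DAYS[-1][1]


def risk_score(row, today):
    """Risk = CVSS x asset criticality, doubled once the finding is past its SLA."""
    age = (today - date.fromisoformat(row["first_seen"])).days
    overdue = age > sla_for(row["cvss"])
    score = row["cvss"] * ASSET_CRITICALITY.get(row["host"], 1)
    return (score * 2 if overdue else score), age, overdue


def prioritize(current, today):
    """Open findings ordered for remediation: highest risk first, then by host name."""
    ranked = []
    for row in current:
        score, age, overdue = risk_score(row, today)
        ranked.append({**row, "risk": round(score, 1), "age_days": age, "overdue": overdue})
    ranked.sort(key=lambda r: (-r["risk"], r["host"]))
    return ranked


def run_report(today=REPORT_DATE):
    fixed, new, persistent = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    return {"fixed": fixed, "new": new, "persistent": persistent,
            "queue": prioritize(CURRENT_SCAN, today)}


if __name__ == "__main__":
    report = run_report()
    print("fixed since last scan:", report["fixed"])
    print("new since last scan:  ", report["new"])
    for item in report["queue"]:
        flag = " OVERDUE" if item["overdue"] else ""
        print(f'{item["risk"]:6.1f}  {item["host"]:7} {item["finding"]} ({item["age_days"]}d){flag}')
```

Keying on (host, finding) rather than on the scanner's own row identifiers is deliberate: scanners re-number plugins and re-detect the same weakness under new names, and the question the safeguard asks is whether a given problem on a given host went away. Hosts missing from the current scan entirely are a separate signal worth raising, since a decommissioned or unreachable host also "fixes" every finding.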

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
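The two alerting safeguards above (membership changes on privileged groups; failed logins to administrative accounts) are the detection side of this control. The script below is an added example of that detection logic and is not part of the CIS Controls text or any vendor's rule set. It runs over events shaped like Windows Security log records exported as JSON, using the documented event IDs for security group membership changes (4728, 4732 and 4756 for additions; 4729, 4733 and 4757 for removals) and for a failed logon (4625). The events themselves, the privileged-group list, the admin-account list and the burst threshold are constructed or assumed.

```python
"""Added example: alerting on privileged-group changes and failed admin logons.

Not part of the CIS Controls text. Events are constructed in the shape of Windows
Security log records exported as JSON, using the documented event IDs for group
membership changes (4728/4732/4756 add, 4729/4733/4757 remove) and failed logon (4625).
The privileged-group list, admin-account list and burst threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

GROUP_CHANGE_EVENTS = {4728: "added", 4732: "added", 4756: "added",
                       4729: "removed", 4733: "removed", 4757: "removed"}
FAILED_LOGON = 4625
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-backup"}   # assumed: fed from the admin-account inventory (4.1)
FAILURE_THRESHOLD = 3                          # assumed burst policy
FAILURE_WINDOW = timedelta(minutes=10)

SAMPLE_EVENTS = [  # constructed
    {"time": "2024-03-04T08:01:10", "id": 4732, "host": "WS-017", "subject": "svc-helpdesk",
     "member": "CORP\\tmp-contractor", "group": "Administrators"},
    {"time": "2024-03-04T08:02:00", "id": 4732, "host": "WS-017", "subject": "adm-jdoe",
     "member": "CORP\\printops", "group": "Print Operators"},
    {"time": "2024-03-04T08:03:00", "id": 4728, "host": "DC-01", "subject": "adm-jdoe",
     "member": "CORP\\newadmin", "group": "Domain Admins"},
    {"time": "2024-03-04T08:10:00", "id": 4625, "host": "DC-01", "target": "adm-backup", "src_ip": "10.20.30.77"},
    {"time": "2024-03-04T08:10:20", "id": 4625, "host": "DC-01", "target": "adm-backup", "src_ip": "10.20.30.77"},
    {"time": "2024-03-04T08:10:40", "id": 4625, "host": "DC-01", "target": "adm-backup", "src_ip": "10.20.30.77"},
    {"time": "2024-03-04T08:30:00", "id": 4625, "host": "WS-003", "target": "jsmith", "src_ip": "10.20.30.41"},
]


def detect(events):
    """Return alerts in time order: one per privileged-group change (4.8), one per
    failed logon to an admin account (4.9), plus a burst alert when the same
    account/source pair fails FAILURE_THRESHOLD times inside FAILURE_WINDOW."""
    alerts = []
    recent_failures = defaultdict(list)   # (account, source ip) -> timestamps inside the window
    for e in sorted(events, key=lambda ev: ev["time"]):
        ts = datetime.fromisoformat(e["time"])
        if e["id"] in GROUP_CHANGE_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append({"rule": "admin-group-change", "time": e["time"], "host": e["host"],
                           "group": e["group"], "member": e["member"],
                           "action": GROUP_CHANGE_EVENTS[e["id"]], "by": e["subject"]})
        elif e["id"] == FAILED_LOGON and e.get("target") in ADMIN_ACCOUNTS:
            alerts.append({"rule": "admin-logon-failure", "time": e["time"], "host": e["host"],
                           "account": e["target"], "src_ip": e["src_ip"]})
            key = (e["target"], e["src_ip"])
            window = [t for t in recent_failures[key] if ts - t <= FAILURE_WINDOW] + [ts]
            recent_failures[key] = window
            if len(window) == FAILURE_THRESHOLD:
                alerts.append({"rule": "admin-logon-failure-burst", "time": e["time"],
                               "host": e["host"], "account": e["target"],
                               "src_ip": e["src_ip"], "count": len(window)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two things matter in practice and are easy to lose: the group-change rule keys on the group, not on the actor, so an addition performed by a legitimate administrator still fires (the control wants a log and an alert for every change, with the review deciding whether it was sanctioned); and the 4625 rule matches on the target account name, which means the admin-account inventory from safeguard 4.1 has to be kept current or new administrative accounts silently fall outside the rule.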
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
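Publishing SPF, DKIM and DMARC is only half of the safeguard; the records have to actually enforce something. The checker below is an added example and is not part of the CIS Controls text or any DNS tool. It takes SPF and DMARC TXT record strings (in practice fetched from the domain and from _dmarc.<domain>) and reports the weaknesses that most often leave a domain spoofable: a permissive or missing all mechanism, the deprecated ptr mechanism, more than ten lookup terms, a p=none policy, a partial pct, an unprotected subdomain policy, and no reporting address. The sample records are constructed and use documentation addresses and domains.

```python
"""Added example: offline weakness checks for SPF and DMARC TXT records.

Not part of the CIS Controls text. It takes record strings as input; in practice you
would fetch the TXT record at the domain (SPF) and at _dmarc.<domain> (DMARC) first.
The sample records are constructed and use documentation addresses and domains."""
import re

SPF_LOOKUP_NAMES = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that cost a DNS lookup
SPF_LOOKUP_LIMIT = 10                                                   # RFC 7208 limit


def check_spf(record):
    """Return a list of findings for an SPF record; an empty list means no weakness found."""
    if not record:
        return ["no SPF record: any host may claim to send for this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1; receivers ignore it"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", mech, maxsplit=1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_NAMES:
            lookups += 1
            if name == "ptr":
                findings.append("ptr mechanism: deprecated, slow and unreliable at receivers")
    if all_qualifier is None:
        findings.append("no 'all' term: unmatched senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: authorizes every host on the Internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral result gives receivers nothing to enforce")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}; "
                        "receivers return permerror, so the record provides no authentication")
    return findings


def parse_tags(record):
    """Split 'k=v; k=v' into a dict with lower-case keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means enforcement is in place."""
    if not record:
        return ["no DMARC record: SPF/DKIM results are never enforced and no reports are sent"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1; receivers ignore it"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; record is not usable")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains are left unprotected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports cannot be collected")
    return findings


SAMPLE_RECORDS = {  # constructed (spf, dmarc) pairs
    "weak": ("v=spf1 include:_spf.example.net ptr +all",
             "v=DMARC1; p=none; pct=50"),
    "hardened": ("v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; adkim=s; aspf=s"),
}


def assess(spf_record, dmarc_record):
    return {"spf": check_spf(spf_record), "dmarc": check_dmarc(dmarc_record)}


if __name__ == "__main__":
    for label, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(label, assess(spf, dmarc))
```

The lookup count here is the static count of terms in one record; the real limit applies after include and redirect are followed recursively, so a record that passes this check can still exceed ten once its includes are expanded. p=none is the right starting point while reports are reviewed, but the control is only met once the policy moves to quarantine or reject at pct=100.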
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
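Safeguards 9.1 and 9.3 together describe a loop: the inventory records which ports each asset is allowed to expose, a regular scan records what is actually listening, and the difference is alerted on. The script below is an added example of that comparison and is not part of the CIS Controls text or of nmap. It parses nmap's grepable (-oG) output, keeps only ports reported as open, and compares them with an authorized-port baseline, alerting on hosts absent from the inventory, on open ports outside the baseline, and on baseline ports that were not found open. The scan output, baseline and addresses are constructed.

```python
"""Added example: compare an nmap grepable (-oG) scan against the authorized-port
baseline kept in the asset inventory, and raise alerts for the differences.

Not part of the CIS Controls text. The scan output below is constructed in nmap's
grepable format; the baseline and addresses are illustrative."""
import re

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \([^)]*\)\tPorts: (?P<ports>[^\t]+)")

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Mar  4 09:00:00 2024 as: nmap -oG - 10.20.30.0/24
Host: 10.20.30.5 (web-01)\tStatus: Up
Host: 10.20.30.5 (web-01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.20.30.9 (db-01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 3389/filtered/tcp//ms-wbt-server///
Host: 10.20.30.77 ()\tPorts: 445/open/tcp//microsoft-ds///
# Nmap done at Mon Mar  4 09:04:12 2024 -- 256 IP addresses (3 hosts up) scanned in 252.10 seconds
"""

# Assumed baseline from the inventory (9.1): host -> set of (protocol, port) with a validated need.
AUTHORIZED = {
    "10.20.30.5": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "10.20.30.9": {("tcp", 22), ("tcp", 5432)},
}


def parse_gnmap(text):
    """Return {ip: {(proto, port), ...}} containing only ports nmap reported as open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = hosts.setdefault(m.group("ip"), set())
        for entry in m.group("ports").split(","):
            fields = entry.strip().split("/")       # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((fields[2], int(fields[0])))
    return hosts


def compare(observed, authorized):
    """Alerts for: hosts not in the inventory, open ports outside the baseline, and
    baseline ports that were not found open (service down or host misidentified)."""
    alerts = []
    for ip in sorted(observed):
        ports = observed[ip]
        if ip not in authorized:
            alerts.append({"host": ip, "type": "unknown-host",
                           "ports": sorted(f"{p}/{proto}" for proto, p in ports)})
            continue
        for proto, port in sorted(ports - authorized[ip]):
            alerts.append({"host": ip, "type": "unauthorized-port", "port": f"{port}/{proto}"})
        for proto, port in sorted(authorized[ip] - ports):
            alerts.append({"host": ip, "type": "expected-port-closed", "port": f"{port}/{proto}"})
    return alerts


def audit(scan_text=SAMPLE_GNMAP, authorized=AUTHORIZED):
    return compare(parse_gnmap(scan_text), authorized)


if __name__ == "__main__":
    for alert in audit():
        print(alert)
```

A filtered port (3389 on db-01 in the sample) is deliberately not treated as open: a host firewall or upstream filter is doing its job, which is the outcome safeguard 9.4 wants. The unknown-host case is reported with its open ports because that is usually the fastest way to tell a forgotten test box from an attacker's foothold, and it feeds straight back into the Control 1 quarantine decision.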
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
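Safeguards 16.7 through 16.13 describe one review that can be automated end to end: walk the account inventory, disable (never delete) what has no owner, has gone dormant, or has expired, then watch the login log for attempts against deactivated accounts and for logins outside an account's normal hours. The script below is an added example of that review and is not part of the CIS Controls text or of any identity product. The inventory rows, login events, dormancy period and working-hours windows are constructed or assumed.

```python
"""Added example: account-lifecycle review and login-anomaly alerting over an
account inventory and a login log (Controls 16.8 to 16.13).

Not part of the CIS Controls text. The inventory rows, login events, dormancy
period and working-hours window are constructed/assumed."""
from datetime import date, datetime

DORMANT_DAYS = 45                             # assumed policy for 16.9
REVIEW_TIME = datetime(2024, 3, 4, 12, 0, 0)  # the moment this review runs

ACCOUNTS = [  # constructed inventory rows (16.6); usual_hours is the normal login window
    {"user": "jsmith", "enabled": True, "owner": "Finance", "expires": "2024-12-31",
     "last_login": "2024-03-01T09:00:00", "usual_hours": (8, 18)},
    {"user": "mlee", "enabled": True, "owner": "Sales", "expires": "2024-12-31",
     "last_login": "2024-01-05T09:00:00", "usual_hours": (8, 18)},
    {"user": "contractor7", "enabled": True, "owner": "Projects", "expires": "2024-02-29",
     "last_login": "2024-02-28T17:20:00", "usual_hours": (8, 18)},
    {"user": "svc-legacy", "enabled": True, "owner": None, "expires": None,
     "last_login": "2024-03-01T02:00:00", "usual_hours": (0, 24)},
    {"user": "old-intern", "enabled": False, "owner": "Finance", "expires": "2023-09-30",
     "last_login": "2023-09-29T16:00:00", "usual_hours": (8, 18)},
]

LOGIN_EVENTS = [  # constructed
    {"time": "2024-03-04T03:12:00", "user": "jsmith", "result": "success", "host": "VPN-GW"},
    {"time": "2024-03-04T10:00:00", "user": "old-intern", "result": "failure", "host": "VPN-GW"},
    {"time": "2024-03-04T11:00:00", "user": "jsmith", "result": "success", "host": "WS-003"},
]


def review_accounts(accounts, now=REVIEW_TIME):
    """Return disable actions for enabled accounts that have no owner (16.8), are
    dormant (16.9), or have no/expired expiration date (16.10). Accounts are
    disabled, not deleted, so their audit trail survives (16.7)."""
    actions = []
    for a in accounts:
        if not a["enabled"]:
            continue
        reasons = []
        if a["owner"] is None:
            reasons.append("no business owner (16.8)")
        idle_days = (now - datetime.fromisoformat(a["last_login"])).days
        if idle_days > DORMANT_DAYS:
            reasons.append(f"dormant for {idle_days} days (16.9)")
        if a["expires"] is None:
            reasons.append("no expiration date (16.10)")
        elif date.fromisoformat(a["expires"]) < now.date():
            reasons.append("expired (16.10)")
        if reasons:
            actions.append({"user": a["user"], "action": "disable", "reasons": reasons})
    return actions


def review_logins(accounts, events):
    """Alert on attempts against deactivated or unknown accounts (16.12) and on
    successful logins outside the account's usual hours (16.13)."""
    by_user = {a["user"]: a for a in accounts}
    alerts = []
    for e in events:
        acct = by_user.get(e["user"])
        if acct is None or not acct["enabled"]:
            alerts.append({"rule": "deactivated-account-access", **e})
            continue
        start, end = acct["usual_hours"]
        hour = datetime.fromisoformat(e["time"]).hour
        if e["result"] == "success" and not (start <= hour < end):
            alerts.append({"rule": "off-hours-login", **e})
    return alerts


if __name__ == "__main__":
    for action in review_accounts(ACCOUNTS):
        print(action)
    for alert in review_logins(ACCOUNTS, LOGIN_EVENTS):
        print(alert)
```

The usual-hours window is the simplest possible behavioural baseline; a real deployment derives it per account from history and adds location and session duration, as the safeguard lists. Note that a failed attempt against a disabled account is alerted on regardless of result: the account cannot be used, but someone trying it is the signal.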
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

Mapping matrix (the row labels and per-cell marks of this sheet did not survive extraction in a usable form; only the ten column headings are recoverable):
1  Consolidate, Monitor and Defend Internet Gateways
2  Patch Operating Systems and Applications
3  Enforce the Management of Administrative Privileges
4  Harden Operating Systems and Applications
5  Segment and Separate Information
6  Provide Tailored Awareness and Training
7  Protect Information at the Enterprise Level
8  Apply Protection at the Host Level
9  Isolate Web-Facing Applications
10 Implement Application Whitelisting
CIS Controls v7.1 mapped to GCHQ's 10 Steps to CyberSecurity

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
    System: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
    System: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
    System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
    System: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
    System: 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
    System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
    System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
    System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
    System: 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
    System: 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
    Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
    Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
    Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
    Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
    Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
    Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
    Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
    Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
    Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
    Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls v7.1 mapped to GCHQ's 10 Steps to CyberSecurity

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS) that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain third-party contact information to be used to report a security incident,
such as Law Enforcement, relevant government departments, vendors, and Information Sharing and
Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping matrix, CIS sub-controls against the GCHQ 10 Steps to Cyber Security columns: 1 Home & Mobile Working, 2 User Education & Awareness, 3 Incident Management, 4 Information Risk Management Regime, 5 Managing User Privileges, 6 Removable Media Controls, 7 Monitoring, 8 Secure Configuration, 9 Malware Protection, 10 Network Security. Only the column headings survive extraction; the X marks linking each sub-control to a step are not recoverable here.]
CIS Controls v7.1 mapped to the UK Government's Cyber Essentials Scheme

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7
Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3
Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls v7.1 mapped to the UK Government's Cyber Essentials Scheme

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.

Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.

Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.

Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.

Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.

Cyber Essentials mapping grid columns: 1 Boundary firewalls and internet gateways, 2 Secure configuration, 3 Access control, 4 Malware protection, 5 Patch management (the per-sub-control X marks of the grid did not survive extraction as rows).
CIS Controls v7.1 mapped to the UK's Information Commissioner's Office (ICO) Protecting Personal Data in Online Services

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7

System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2
Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1
Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12
Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9
Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4
Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls

ntrols v7.1 mapped to the UK's Information Commissioner's Office


(ICO) Protecting Personal Data in Online Services

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

System 1.1: Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
System 1.2: Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
System 1.3: Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
System 1.4: Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
System 1.5: Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
System 1.6: Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
System 1.7: Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
System 1.8: Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
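
Sub-controls 1.3, 1.5 and 1.6 describe one loop: DHCP logs feed the inventory, the inventory records the owner of each hardware address and whether it is approved, and anything that does not match is quarantined or recorded. The Python script below is an added example of that loop and is not part of the CIS mapping tool; the syslog lines (ISC dhcpd DHCPACK format), the inventory rows, the hostnames and the addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass

# ISC dhcpd logs a DHCPACK line to syslog for every lease it confirms, for example:
#   Mar  3 10:15:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.23 to aa:bb:cc:dd:ee:01 (ws-finance-07) via eth0
# The hostname in parentheses is supplied by the client and is optional; it is not trustworthy on its own.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Asset:
    """One row of the hardware asset inventory (the fields sub-control 1.5 asks for)."""
    mac: str
    name: str = ""
    owner: str = ""
    department: str = ""
    approved: bool = False   # approved to connect to the network?
    ip: str = ""             # last network address seen for this hardware address


def parse_dhcpack(line):
    """Return {ip, mac, host, iface} for a DHCPACK line, or None for any other log line."""
    m = DHCPACK_RE.search(line)
    if m is None:
        return None
    return {"ip": m["ip"], "mac": m["mac"].lower(), "host": m["host"] or "", "iface": m["iface"]}


def reconcile(log_lines, inventory):
    """Update the inventory (a dict keyed by MAC) from DHCP log lines.

    Returns (unauthorized, changes): assets that are unknown or not approved, and
    (mac, old_ip, new_ip) tuples for every address change that was recorded.
    """
    flagged = {}
    changes = []
    for line in log_lines:
        rec = parse_dhcpack(line)
        if rec is None:
            continue
        asset = inventory.get(rec["mac"])
        if asset is None:
            # Never-seen hardware address: add it as unapproved so it can be quarantined or reviewed (1.6).
            asset = Asset(mac=rec["mac"], name=rec["host"])
            inventory[rec["mac"]] = asset
        if not asset.approved:
            flagged[asset.mac] = asset
        if asset.ip != rec["ip"]:
            changes.append((asset.mac, asset.ip, rec["ip"]))
            asset.ip = rec["ip"]
    return list(flagged.values()), changes


# Constructed sample data: four syslog lines and a two-row inventory.
SAMPLE_LOG = [
    "Mar  3 10:15:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.23 to aa:bb:cc:dd:ee:01 (ws-finance-07) via eth0",
    "Mar  3 10:15:09 dhcp1 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via eth0",
    "Mar  3 10:15:10 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.77 to aa:bb:cc:dd:ee:02 via eth0",
    "Mar  3 10:16:41 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.24 to aa:bb:cc:dd:ee:03 (printer-3f) via eth0",
]
SAMPLE_INVENTORY = {
    "aa:bb:cc:dd:ee:01": Asset("aa:bb:cc:dd:ee:01", "ws-finance-07", "j.doe", "Finance", True, "10.0.5.23"),
    "aa:bb:cc:dd:ee:03": Asset("aa:bb:cc:dd:ee:03", "printer-3f", "facilities", "Facilities", False, "10.0.5.24"),
}


def run_sample():
    """Reconcile the constructed log against a copy of the constructed inventory."""
    inventory = {mac: Asset(**vars(a)) for mac, a in SAMPLE_INVENTORY.items()}
    return reconcile(SAMPLE_LOG, inventory)


if __name__ == "__main__":
    unauthorized, changes = run_sample()
    for a in unauthorized:
        print(f"UNAUTHORIZED {a.mac} name={a.name!r} ip={a.ip}")
    for mac, old, new in changes:
        print(f"ADDRESS CHANGE {mac}: {old or '(none)'} -> {new}")
```

On the sample, the unknown address ending in ee:02 is added as unapproved and reported with its first-seen IP, and the known but unapproved printer is reported again; in a real deployment the unauthorized list is what drives the 802.1x or switch-port quarantine described in 1.7.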
Critical Security Control #2: Inventory of Authorized and Unauthorized Software

System 2.1: Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
System 2.2: Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
System 2.3: Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
System 2.4: The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
System 2.5: The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
System 2.6: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
System 2.7: Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
System 2.8: The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
System 2.9: The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
System 2.10: Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1: Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
System 3.2: Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
System 3.3: Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
System 3.4: Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
System 3.5: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
System 3.6: Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
System 3.7: Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
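
Sub-controls 3.6 and 3.7 are easiest to apply as a small pipeline: diff consecutive scans, then rank what remains and check it against a remediation deadline. The script below is an added example, not CIS material. The two scan exports, the CVE identifiers (placeholders, not real entries), the list of critical assets and the 7/30/90-day SLA are all constructed; a real scanner would export XCCDF/OVAL results or a vendor CSV/JSON from which only these fields are needed.

```python
from datetime import date, timedelta

# Constructed scan exports; only the fields used here are kept. The CVE IDs are placeholders.
PREVIOUS_SCAN = [  # scanned 2024-02-01
    {"host": "web-01", "cve": "CVE-0000-1001", "cvss": 9.8},
    {"host": "web-01", "cve": "CVE-0000-1002", "cvss": 5.3},
    {"host": "db-01", "cve": "CVE-0000-1003", "cvss": 7.5},
]
CURRENT_SCAN = [  # scanned 2024-02-08
    {"host": "web-01", "cve": "CVE-0000-1002", "cvss": 5.3},
    {"host": "db-01", "cve": "CVE-0000-1003", "cvss": 7.5, "exploit_available": True},
    {"host": "db-01", "cve": "CVE-0000-1004", "cvss": 6.1},
]
# Assets the hardware inventory marks as critical (constructed).
CRITICAL_ASSETS = {"db-01"}


def finding_key(f):
    return (f["host"], f["cve"])


def diff_scans(previous, current):
    """Sub-control 3.6: what was fixed, what is new and what is still open between two scans."""
    prev = {finding_key(f) for f in previous}
    curr = {finding_key(f) for f in current}
    return sorted(prev - curr), sorted(curr - prev), sorted(prev & curr)


def risk_score(finding):
    """Sub-control 3.7: CVSS base score adjusted for exploit availability and asset criticality."""
    score = finding["cvss"]
    if finding.get("exploit_available"):
        score += 2.0
    if finding["host"] in CRITICAL_ASSETS:
        score += 1.0
    return round(score, 1)


def remediation_deadline(score, first_seen):
    """Remediation SLA (constructed policy): 7 days for critical, 30 for high, 90 otherwise."""
    days = 7 if score >= 9.0 else 30 if score >= 7.0 else 90
    return first_seen + timedelta(days=days)


def prioritize(current, first_seen, today):
    """Rank open findings by risk score and flag those past their SLA.

    first_seen maps (host, cve) to the date the finding was first reported; findings
    not in it are treated as first seen today.
    """
    rows = []
    for f in current:
        score = risk_score(f)
        seen = first_seen.get(finding_key(f), today)
        due = remediation_deadline(score, seen)
        rows.append({"host": f["host"], "cve": f["cve"], "score": score,
                     "first_seen": seen, "due": due, "overdue": due < today})
    return sorted(rows, key=lambda r: (-r["score"], r["due"]))


def run_sample(today=date(2024, 2, 9)):
    """Rank the current scan, using the previous scan's date as first-seen for carried-over findings."""
    first_seen = {finding_key(f): date(2024, 2, 1) for f in PREVIOUS_SCAN}
    return prioritize(CURRENT_SCAN, first_seen, today)


if __name__ == "__main__":
    remediated, new, persisting = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print("remediated:", remediated)
    print("new:", new)
    print("still open:", persisting)
    for r in run_sample():
        print(f"{r['score']:>5} {r['host']:<8} {r['cve']} due {r['due']} {'OVERDUE' if r['overdue'] else ''}")
```

The persisting finding on the critical database host, now with a public exploit, scores highest and is already past its seven-day deadline, which is the signal 3.6 is meant to produce; the first-seen date has to be carried across scans, otherwise every rescan resets the clock.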

Critical Security Control #4: Controlled Use of Administrative Privileges

System 4.1: Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
System 4.2: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
System 4.3: Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
System 4.4: Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
System 4.5: Use multi-factor authentication and encrypted channels for all administrative account access.
System 4.6: Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
System 4.7: Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
System 4.8: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
System 4.9: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
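
For 4.8 and 4.9 the alerting logic is the same whether it lives in a SIEM rule or a script: watch group-membership events for the groups that grant administrative rights, and count failed logons to the dedicated admin accounts inside a short window. The Python below is an added example and not from CIS; the Windows Security log event IDs are real, but the group names, account names, hosts and events are constructed in the shape a log forwarder would deliver them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs: 4728/4732/4756 = member added to a security-enabled
# global/local/universal group, 4729/4733/4757 = member removed, 4625 = failed logon.
GROUP_CHANGE = {4728: "added to", 4732: "added to", 4756: "added to",
                4729: "removed from", 4733: "removed from", 4757: "removed from"}
FAILED_LOGON = 4625
# Groups that confer administrative privileges and the dedicated admin accounts (constructed).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-asmith"}


def detect(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return alert strings for admin-group changes (4.8) and bursts of failed admin logons (4.9).

    Each event is a dict with at least 'time' (ISO 8601), 'event_id' and 'host'; group
    events carry 'group', 'member' and 'subject', logon events carry 'target'.
    """
    alerts = []
    recent_failures = defaultdict(list)  # (target account, host) -> timestamps inside the window
    for e in sorted(events, key=lambda ev: ev["time"]):
        ts = datetime.fromisoformat(e["time"])
        eid = e["event_id"]
        if eid in GROUP_CHANGE and e.get("group") in ADMIN_GROUPS:
            alerts.append(f"{e['time']} {e['member']} {GROUP_CHANGE[eid]} {e['group']} "
                          f"by {e['subject']} on {e['host']} (event {eid})")
        elif eid == FAILED_LOGON and e.get("target") in ADMIN_ACCOUNTS:
            bucket = recent_failures[(e["target"], e["host"])]
            bucket.append(ts)
            bucket[:] = [t for t in bucket if ts - t <= window]  # drop failures that aged out
            if len(bucket) == fail_threshold:  # fires once per burst, when the threshold is reached
                alerts.append(f"{e['time']} {fail_threshold} failed logons to admin account "
                              f"{e['target']} on {e['host']} within {window}")
    return alerts


# Constructed events.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "event_id": 4732, "host": "ws-12", "group": "Administrators",
     "member": "svc-backup", "subject": "adm-jdoe"},
    {"time": "2024-03-01T09:01:00", "event_id": 4732, "host": "ws-12", "group": "Remote Desktop Users",
     "member": "j.smith", "subject": "adm-jdoe"},
    {"time": "2024-03-01T09:05:00", "event_id": 4625, "host": "dc-01", "target": "adm-asmith"},
    {"time": "2024-03-01T09:05:30", "event_id": 4625, "host": "dc-01", "target": "adm-asmith"},
    {"time": "2024-03-01T09:05:45", "event_id": 4625, "host": "ws-12", "target": "j.smith"},
    {"time": "2024-03-01T09:06:10", "event_id": 4625, "host": "dc-01", "target": "adm-asmith"},
    {"time": "2024-03-01T09:30:00", "event_id": 4625, "host": "dc-01", "target": "adm-asmith"},
]


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT", line)
```

Two alerts come out of the sample: the service account added to the local Administrators group, and the third failed logon to adm-asmith on the domain controller within five minutes; the later isolated failure at 09:30 falls outside the window and stays quiet. The group rule intentionally has no threshold, because a single addition to an admin group is always worth a ticket.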
Critical Security Control #5: Secure Configurations for Hardware and Software

System 5.1: Maintain documented security configuration standards for all authorized operating systems and software.
System 5.2: Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
System 5.3: Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
System 5.4: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
System 5.5: Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

System 6.1: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
System 6.2: Ensure that local logging has been enabled on all systems and networking devices.
System 6.3: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
System 6.4: Ensure that all systems that store logs have adequate storage space for the logs generated.
System 6.5: Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
System 6.6: Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
System 6.7: On a regular basis, review logs to identify anomalies or abnormal events.
System 6.8: On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections

System 7.1: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
System 7.2: Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
System 7.3: Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
System 7.4: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
System 7.5: Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
System 7.6: Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
System 7.7: Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
System 7.8: To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
System 7.9: Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
System 7.10: Use sandboxing to analyze and block inbound email attachments with malicious behavior.
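
7.8 lists the three records in deployment order, and the common failure is a domain whose records exist but enforce nothing (SPF ending in ~all, DMARC at p=none). Checking for that can be automated; the script below is an added example and not part of the mapping tool. It takes SPF and DMARC TXT records that have already been fetched, so it runs offline; DKIM is not assessed because its record lives under a per-selector name that has to be known in advance; the domains, addresses and the weak/hardened record pairs are constructed placeholders.

```python
# Evaluates SPF and DMARC TXT records already retrieved from DNS (no lookups performed here).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
DMARC_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_tags(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of weaknesses in an SPF record (empty means no finding)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host may claim to send for this domain"]
    terms = record.split()[1:]
    if not terms:
        return ["SPF record has no mechanisms"]
    findings = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("'+all' authorizes every sender; end the record with '-all'")
    elif last == "?all":
        findings.append("'?all' is neutral and enforces nothing; use '-all'")
    elif last == "~all":
        findings.append("'~all' only softfails; use '-all' once all legitimate senders are listed")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("record does not end with an 'all' mechanism; add '-all'")
    lookups = 0
    for term in terms:
        name = term.lower().lstrip("+-~?").split(":")[0].split("/")[0]
        if name in SPF_LOOKUP_MECHANISMS or name.startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty means no finding)."""
    if not record:
        return ["no DMARC record: SPF and DKIM results are neither enforced nor reported"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in DMARC_STRENGTH:
        findings.append("missing or invalid 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; move to p=quarantine and then p=reject")
    elif policy == "quarantine":
        findings.append("p=quarantine; p=reject is the end state")
    sub = tags.get("sp")
    if sub in DMARC_STRENGTH and policy in DMARC_STRENGTH and DMARC_STRENGTH[sub] < DMARC_STRENGTH[policy]:
        findings.append(f"sp={sub} leaves subdomains weaker than the organizational domain")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will be received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    return findings


# Constructed records: a weak pair and the hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_SPF = "v=spf1 include:_spf.example.net -all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, "SPF:", assess_spf(spf) or ["ok"])
        print(label, "DMARC:", assess_dmarc(dmarc) or ["ok"])
```

The ten-lookup check matters in practice: once include: chains push a record past the limit, receivers return permerror and the SPF result is effectively gone even though the record looks complete.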
Critical Security Control #8: Malware Defenses

System 8.1: Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
System 8.2: Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
System 8.3: Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
System 8.4: Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
System 8.5: Configure devices to not auto-run content from removable media.
System 8.6: Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
System 8.7: Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
System 8.8: Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports

System 9.1: Associate active ports, services, and protocols to the hardware assets in the asset inventory.
System 9.2: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
System 9.3: Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
System 9.4: Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
System 9.5: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
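
9.1 and 9.3 combine naturally: the inventory records which ports each asset is allowed to expose, and the scheduled scan is compared against it, so the alert is "port open that nobody approved" rather than "port open". The script below is an added example, not CIS material, that parses nmap's grepable (-oG) output; the scan lines, addresses, hostnames and the authorized-port table are constructed.

```python
import re

# nmap -oG output has one "Host:" line per host carrying its port list, for example:
#   Host: 10.0.5.23 (ws-finance-07)<TAB>Ports: 22/open/tcp//ssh///, 443/open/tcp//https///<TAB>Ignored State: closed (998)
# Each port entry is port/state/protocol/owner/service/rpcinfo/version/.
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*?)(?:\t|$)")
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/[^/]*/(?P<service>[^/]*)/")


def parse_gnmap(lines):
    """Map host IP -> set of (port, proto, service) that nmap reported as open."""
    open_ports = {}
    for line in lines:
        m = HOST_RE.match(line)
        if m is None:
            continue  # comment lines and "Status: Up" lines carry no port data
        found = set()
        for entry in m["ports"].split(","):
            p = PORT_RE.search(entry.strip())
            if p and p["state"] == "open":
                found.add((int(p["port"]), p["proto"], p["service"]))
        open_ports[m["ip"]] = found
    return open_ports


def compare_with_inventory(scanned, authorized):
    """Sub-controls 9.1/9.3: ports open without a recorded need, and recorded ports no longer open.

    authorized maps host IP -> set of (port, proto) with a validated business need.
    Hosts that answered the scan but are absent from the inventory are reported in full.
    """
    report = {}
    for ip, found in scanned.items():
        allowed = authorized.get(ip)
        found_pp = {(port, proto) for port, proto, _ in found}
        if allowed is None:
            report[ip] = {"unknown_host": True, "unexpected": sorted(found_pp), "missing": []}
            continue
        report[ip] = {"unknown_host": False,
                      "unexpected": sorted(found_pp - allowed),
                      "missing": sorted(allowed - found_pp)}
    return report


# Constructed scan output and inventory.
SAMPLE_GNMAP = [
    "# Nmap 7.94 scan initiated Mon Mar  4 02:00:01 2024 as: nmap -sS -oG weekly.gnmap 10.0.5.0/24",
    "Host: 10.0.5.23 (ws-finance-07)\tStatus: Up",
    "Host: 10.0.5.23 (ws-finance-07)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)",
    "Host: 10.0.5.30 (db-01)\tPorts: 22/open/tcp//ssh///, 5432/filtered/tcp//postgresql///\tIgnored State: closed (998)",
    "Host: 10.0.5.99 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)",
    "# Nmap done at Mon Mar  4 02:04:11 2024 -- 256 IP addresses (3 hosts up) scanned in 250.12 seconds",
]
AUTHORIZED_PORTS = {
    "10.0.5.23": {(22, "tcp"), (443, "tcp")},
    "10.0.5.30": {(22, "tcp"), (5432, "tcp")},
}


def run_sample():
    return compare_with_inventory(parse_gnmap(SAMPLE_GNMAP), AUTHORIZED_PORTS)


if __name__ == "__main__":
    for ip, r in run_sample().items():
        tag = "UNKNOWN HOST" if r["unknown_host"] else "ALERT" if r["unexpected"] else "ok"
        print(f"{ip:<12} {tag:<12} unexpected={r['unexpected']} missing={r['missing']}")
```

Three different conditions come out of the sample: an approved workstation exposing RDP that was never recorded, a database host whose approved port now shows as filtered (worth checking against the host firewall change log from 9.4), and a host with telnet open that is not in the inventory at all, which is a Control 1 finding as much as a Control 9 one.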
Critical Security Control #10: Data Recovery Capabilities

System 10.1: Ensure that all system data is automatically backed up on a regular basis.
System 10.2: Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
System 10.3: Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
System 10.4: Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
System 10.5: Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Network 11.1: Maintain documented security configuration standards for all authorized network devices.
Network 11.2: All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Network 11.3: Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Network 11.4: Install the latest stable version of any security-related updates on all network devices.
Network 11.5: Manage all network devices using multi-factor authentication and encrypted sessions.
Network 11.6: Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Network 11.7: Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense

Network 12.1: Maintain an up-to-date inventory of all of the organization's network boundaries.
Network 12.2: Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Network 12.3: Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Network 12.4: Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Network 12.5: Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Network 12.6: Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Network 12.7: Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Network 12.8: Enable the collection of NetFlow and logging data on all network boundary devices.
Network 12.9: Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Network 12.10: Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Network 12.11: Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Network 12.12: Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection

Network 13.1: Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Network 13.2: Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Network 13.3: Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
Network 13.4: Only allow access to authorized cloud storage or email providers.
Network 13.5: Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Network 13.6: Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
Network 13.7: If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Network 13.8: Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
Network 13.9: If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1: Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Application 14.2: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Application 14.3: Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Application 14.4: Encrypt all sensitive information in transit.
Application 14.5: Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Application 14.6: Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Application 14.7: Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Application 14.8: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Application 14.9: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control

Network 15.1: Maintain an inventory of authorized wireless access points connected to the wired network.
Network 15.2: Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Network 15.3: Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Network 15.4: Disable wireless access on devices that do not have a business purpose for wireless access.
Network 15.5: Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
Network 15.6: Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Network 15.7: Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Network 15.8: Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Network 15.9: Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Network 15.10: Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control

Application 16.1: Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Application 16.2: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Application 16.3: Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Application 16.4: Encrypt or hash with a salt all authentication credentials when stored.
Application 16.5: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Application 16.6: Maintain an inventory of all accounts organized by authentication system.
Application 16.7: Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Application 16.8: Disable any account that cannot be associated with a business process or business owner.
Application 16.9: Automatically disable dormant accounts after a set period of inactivity.
Application 16.10: Ensure that all accounts have an expiration date that is monitored and enforced.
Application 16.11: Automatically lock workstation sessions after a standard period of inactivity.
Application 16.12: Monitor attempts to access deactivated accounts through audit logging.
Application 16.13: Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
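
16.4 says "encrypt or hash with a salt", and the ICO report's Password storage area is the same requirement from the regulator's side. The practical form for passwords is a per-user random salt, a deliberately slow hash and a constant-time comparison. The code below is an added example and not CIS material: it shows the unsalted fast hash that the sub-control rules out beside a PBKDF2-HMAC-SHA256 implementation using only the Python standard library. The storage format, the iteration count and the rehash policy are choices made for this example; Argon2id or scrypt are preferable where a library is available.

```python
import base64
import hashlib
import hmac
import os


def weak_hash(password):
    """What 16.4 rules out: an unsalted fast hash. Two users with the same password get the
    same value, and a leaked table can be attacked offline with precomputed tables."""
    return hashlib.sha256(password.encode()).hexdigest()


# Salted, iterated storage. 600,000 iterations of PBKDF2-HMAC-SHA256 is the current OWASP
# recommendation for this construction; raise it over time and rehash on login.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt$hash (salt and hash base64)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: never raise on the login path
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a stored hash is below current policy; rehash on the next successful login."""
    parts = stored.split("$")
    return (len(parts) != 4 or parts[0] != "pbkdf2_sha256"
            or not parts[1].isdigit() or int(parts[1]) < iterations)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("weak, user A:", weak_hash(pw))
    print("weak, user B:", weak_hash(pw), "(identical: the shared password is visible)")
    a, b = hash_password(pw), hash_password(pw)
    print("salted, user A:", a)
    print("salted, user B:", b, "(different salt, different hash)")
    print("verify ok:", verify_password(pw, a), " wrong password:", verify_password("Tr0ub4dor&3", a))
```

Storing the iteration count inside the record is what lets the policy be raised later without forcing a reset: verify with whatever the record says, then rehash at the current cost once the user has proven the password.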
Critical Security Control #17: Implement a Security Awareness and Training Program

Application 17.1: Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Application 17.2: Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Application 17.3: Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Application 17.4: Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Application 17.5: Train workforce members on the importance of enabling and utilizing secure authentication.
Application 17.6: Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Application 17.7: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Application 17.8: Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Application 17.9: Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security

Application 18.1: Establish secure coding practices appropriate to the programming language and development environment being used.
Application 18.2: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Application 18.3: Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Application 18.4: Only use up-to-date and trusted third-party components for the software developed by the organization.
Application 18.5: Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Application 18.6: Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Application 18.7: Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Application 18.8: Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Application 18.9: Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Application 18.10: Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
Application 18.11: For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
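
18.2's explicit input checking and the SQL injection area of the ICO report are two sides of one fix. The Python below is an added example, not from CIS or the ICO; it uses an in-memory SQLite table with constructed rows to show the string-built query being bypassed, the same query with the value bound as a parameter, and the validation layer 18.2 asks for in front of it. The username format rule is an assumption made for the example.

```python
import re
import sqlite3

# Constructed input rule for this example: short lower-case handles only.
USERNAME_RE = re.compile(r"^[a-z0-9._-]{1,32}$")


def open_sample_db():
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """Builds the statement by string formatting: the input becomes part of the SQL grammar."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_bound(conn, username):
    """Parameter binding alone: the input is sent as data and can only ever be compared literally."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


def validate_username(username):
    """Sub-control 18.2: explicit checks on type, size and format before the value is used."""
    if not isinstance(username, str):
        raise TypeError("username must be a string")
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username must be 1-32 characters of [a-z0-9._-]")
    return username


def find_user_safe(conn, username):
    """Validation first (reject what the application never expects), then binding."""
    return find_user_bound(conn, validate_username(username))


INJECTION = "x' OR '1'='1"  # constructed attacker input


if __name__ == "__main__":
    conn = open_sample_db()
    print("vulnerable, normal input :", find_user_vulnerable(conn, "bob"))
    print("vulnerable, injected     :", find_user_vulnerable(conn, INJECTION))
    print("bound only, injected     :", find_user_bound(conn, INJECTION))
    print("safe, normal input       :", find_user_safe(conn, "bob"))
    try:
        find_user_safe(conn, INJECTION)
    except ValueError as exc:
        print("safe, injected           : rejected ->", exc)
```

Binding is the actual fix: the injected string returns nothing even without validation. The validation layer is defense in depth and, just as importantly, the documented error check that 18.2 asks for, so that oversized or malformed input is rejected with a clear error rather than reaching the database at all.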
Critical Security Control #19: Incident Response and Management

Application 19.1: Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Application 19.2: Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Application 19.3: Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Application 19.4: Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Application 19.5: Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Application 19.6: Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Application 19.7: Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Application 19.8: Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises

Application 20.1: Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Application 20.2: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Application 20.3: Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Application 20.4: Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Application 20.5: Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Application 20.6: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Application 20.7: Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Application 20.8: Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
ICO mapping columns (the eight areas of the ICO report): 1 Software updates; 2 SQL injection; 3 Unnecessary services; 4 Decommissioning of software or services; 5 Password storage; 6 Configuration of SSL and TLS; 7 Inappropriate locations for processing data; 8 Default credentials. [The X marks of the mapping matrix could not be recovered against their rows.]

CIS Controls v7.1 mapped to PCI DSS 3.1

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

1.1 (System): Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

1.2 (System): Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

1.3 (System): Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

1.4 (System): Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.

1.5 (System): Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

1.6 (System): Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.

1.7 (System): Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

1.8 (System): Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1 (System): Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

2.2 (System): Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

2.3 (System): Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

2.4 (System): The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

2.5 (System): The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

2.6 (System): Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

2.7 (System): Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

2.8 (System): The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

2.9 (System): The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

2.10 (System): Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

3.1 (System): Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

3.2 (System): Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

3.3 (System): Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

3.4 (System): Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

3.5 (System): Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

3.6 (System): Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

3.7 (System): Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

4.1 (System): Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

4.2 (System): Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

4.3 (System): Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.

4.4 (System): Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

4.5 (System): Use multi-factor authentication and encrypted channels for all administrative account access.

4.6 (System): Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.

4.7 (System): Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.

4.8 (System): Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

4.9 (System): Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Critical Security Control #5: Secure Configurations for Hardware and Software

5.1 (System): Maintain documented security configuration standards for all authorized operating systems and software.

5.2 (System): Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

5.3 (System): Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

5.4 (System): Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

5.5 (System): Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

6.1 (System): Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

6.2 (System): Ensure that local logging has been enabled on all systems and networking devices.

6.3 (System): Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

6.4 (System): Ensure that all systems that store logs have adequate storage space for the logs generated.

6.5 (System): Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

6.6 (System): Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.

6.7 (System): On a regular basis, review logs to identify anomalies or abnormal events.

6.8 (System): On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

Critical Security Control #7: Email and Web Browser Protections

7.1 (System): Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

7.2 (System): Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

7.3 (System): Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

7.4 (System): Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

7.5 (System): Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

7.6 (System): Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

7.7 (System): Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

7.8 (System): To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

7.9 (System): Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.

7.10 (System): Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses

8.1 (System): Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

8.2 (System): Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.

8.3 (System): Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system, or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

8.4 (System): Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

8.5 (System): Configure devices to not auto-run content from removable media.

8.6 (System): Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

8.7 (System): Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.

8.8 (System): Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports

9.1 (System): Associate active ports, services, and protocols to the hardware assets in the asset inventory.

9.2 (System): Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

9.3 (System): Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

9.4 (System): Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

9.5 (System): Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities

10.1 (System): Ensure that all system data is automatically backed up on a regular basis.

10.2 (System): Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.

10.3 (System): Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

10.4 (System): Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

10.5 (System): Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

11.1 (Network): Maintain documented security configuration standards for all authorized network devices.

11.2 (Network): All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.

11.3 (Network): Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.

11.4 (Network): Install the latest stable version of any security-related updates on all network devices.

11.5 (Network): Manage all network devices using multi-factor authentication and encrypted sessions.

11.6 (Network): Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.

11.7 (Network): Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense

12.1 (Network): Maintain an up-to-date inventory of all of the organization's network boundaries.

12.2 (Network): Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

12.3 (Network): Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

12.4 (Network): Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

12.5 (Network): Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.

12.6 (Network): Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.

12.7 (Network): Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.

12.8 (Network): Enable the collection of NetFlow and logging data on all network boundary devices.

12.9 (Network): Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.

12.10 (Network): Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.

12.11 (Network): Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.

12.12 (Network): Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

Critical Security Control #13: Data Protection

13.1 (Network): Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.

13.2 (Network): Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system, or completely virtualized and powered off until needed.

13.3 (Network): Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

13.4 (Network): Only allow access to authorized cloud storage or email providers.

13.5 (Network): Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

13.6 (Network): Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

13.7 (Network): If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

13.8 (Network): Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

13.9 (Network): If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

14.1 (Application): Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).

14.2 (Application): Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.

14.3 (Application): Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.

14.4 (Application): Encrypt all sensitive information in transit.

14.5 (Application): Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.

14.6 (Application): Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

14.7 (Application): Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.

14.8 (Application): Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.

14.9 (Application): Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control

15.1 (Network): Maintain an inventory of authorized wireless access points connected to the wired network.

15.2 (Network): Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.

15.3 (Network): Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.

15.4 (Network): Disable wireless access on devices that do not have a business purpose for wireless access.

15.5 (Network): Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.

15.6 (Network): Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

15.7 (Network): Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

15.8 (Network): Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

15.9 (Network): Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.

15.10 (Network): Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control

16.1 (Application): Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.

16.2 (Application): Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

16.3 (Application): Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.

16.4 (Application): Encrypt or hash with a salt all authentication credentials when stored.

16.5 (Application): Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

16.6 (Application): Maintain an inventory of all accounts organized by authentication system.

16.7 (Application): Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

16.8 (Application): Disable any account that cannot be associated with a business process or business owner.

16.9 (Application): Automatically disable dormant accounts after a set period of inactivity.

16.10 (Application): Ensure that all accounts have an expiration date that is monitored and enforced.

16.11 (Application): Automatically lock workstation sessions after a standard period of inactivity.

16.12 (Application): Monitor attempts to access deactivated accounts through audit logging.

16.13 (Application): Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.

Critical Security Control #17: Implement a Security Awareness and Training Program

17.1 (Application): Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

17.2 (Application): Deliver training to address the skills gap identified to positively impact workforce members' security behavior.

17.3 (Application): Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

17.4 (Application): Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.

17.5 (Application): Train workforce members on the importance of enabling and utilizing secure authentication.

17.6 (Application): Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.

17.7 (Application): Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.

17.8 (Application): Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

17.9 (Application): Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

Critical Security Control #18: Application Software Security

18.1 (Application): Establish secure coding practices appropriate to the programming language and development environment being used.

18.2 (Application): For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

18.3 (Application): Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

18.4 (Application): Only use up-to-date and trusted third-party components for the software developed by the organization.

18.5 (Application): Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

18.6 (Application): Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

18.7 (Application): Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

18.8 (Application): Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

18.9 (Application): Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

18.10 (Application): Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

18.11 (Application): For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management

19.1 (Application): Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

19.2 (Application): Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.

19.3 (Application): Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.

19.4 (Application): Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.

19.5 (Application): Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.

19.6 (Application): Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.

19.7 (Application): Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.

19.8 (Application): Create an incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define the frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises

20.1 (Application): Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.

20.2 (Application): Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

20.3 (Application): Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

20.4 (Application): Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.

20.5 (Application): Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

20.6 (Application): Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

20.7 (Application): Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

20.8 (Application): Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
PCI DSS 3.1 requirements (the column headings of the mapping matrix; the X marks tying each requirement to individual CIS sub-controls did not survive extraction):

1.1 Establish and implement firewall and router configuration standards.
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.
1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
2.4 Maintain an inventory of system components that are in scope for PCI DSS.
2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data.
3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).
3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.2 Ensure that all anti-virus mechanisms are maintained.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.
6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
6.3 Develop internal and external software applications (including web-based administrative access to applications) securely.
6.4 Follow change control processes and procedures for all changes to system components.
6.5a Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
6.5b Develop applications based on secure coding guidelines.
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.2 Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.
8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
8.4 Document and communicate authentication procedures and policies to all users.
8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods.
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned.
8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted.
8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2 Develop procedures to easily distinguish between onsite personnel and visitors.
9.3 Control physical access for onsite personnel to the sensitive areas.
9.4 Implement procedures to identify and authorize visitors.
9.5 Physically secure all media.
9.6 Maintain strict control over the internal or external distribution of any kind of media.
9.7 Maintain strict control over the storage and accessibility of media.
9.8 Destroy media when it is no longer needed for business or legal reasons.
9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
10.1 Implement audit trails to link all access to system components to each individual user.
10.2 Implement automated audit trails for all system components.
10.3 Record at least the following audit trail entries for all system components for each event.
10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
10.5 Secure audit trails so they cannot be altered.
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
10.8 Implement a process for the timely detection and reporting of failures of critical security control systems.
10.9 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
11.3 Implement a methodology for penetration testing.
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
12.1 Establish, publish, maintain, and disseminate a security policy.
12.2 Implement a risk-assessment process.
12.3 Develop usage policies for critical technologies and define proper use of these technologies.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
12.5 Assign to an individual or team the following information security management responsibilities.
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)
12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.
12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.
12.11 Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
CIS Controls v7.1 mapped to PCI DSS 3.1

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2
System 2.3

System 2.4

System 2.5

System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1
System 4.2

System 4.3

System 4.4

System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5
System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections

System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4
System 8.5

System 8.6

System 8.7

System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5
Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12
Critical Security Control #13: Data Protection

Network 13.1

Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7
Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7
Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
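The DHCP logging, inventory-field and unauthorized-asset sub-controls above describe one pipeline: lease events update the hardware inventory, and anything on the wire that the inventory has not approved gets flagged. The following is an added example, not part of the CIS document or any CIS tooling; the lease lines are constructed in the ISC dhcpd syslog style (a format assumption), and the inventory fields follow the sub-control that lists network address, hardware address, machine name, owner, department and approval status.

```python
"""Reconcile DHCP lease events against a hardware asset inventory (CIS sub-controls 1.4 to 1.6).

Added example: parses constructed DHCP lease lines (ISC dhcpd syslog format is assumed),
looks each MAC address up in the inventory, updates what it finds, and reports every device
that is either unknown or not approved to connect.
"""
import re
from dataclasses import dataclass

# Constructed sample syslog lines; the "DHCPACK on <ip> to <mac> (<host>) via <iface>" shape is assumed.
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (ws-finance-07) via eth0
Mar  3 09:12:44 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.22 to aa:bb:cc:dd:ee:01 (printer-2f) via eth0
Mar  3 09:13:10 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.23 to de:ad:be:ef:00:01 via eth0
Mar  3 09:13:11 dhcp1 dhcpd[1234]: DHCPREQUEST for 10.0.5.23 from de:ad:be:ef:00:01 via eth0
Mar  3 09:14:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (ws-finance-07) via eth0
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Asset:
    """One row of the hardware asset inventory, with the fields sub-control 1.5 requires."""
    mac: str
    ip: str
    name: str
    owner: str
    department: str
    approved: bool
    last_seen: str = ""


def parse_acks(log_text):
    """Yield (timestamp, ip, mac, hostname) for each DHCPACK line; other DHCP messages are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        timestamp = line[:15]  # syslog "Mon dd HH:MM:SS" prefix
        yield timestamp, m["ip"], m["mac"].lower(), m["host"] or ""


def reconcile(inventory, log_text):
    """Update the inventory from lease events and return the sorted MACs that are unknown or unapproved."""
    unauthorized = set()
    for ts, ip, mac, host in parse_acks(log_text):
        asset = inventory.get(mac)
        if asset is None:
            # Unknown device: record it as unapproved so it is queued for quarantine or inventory update.
            inventory[mac] = Asset(mac, ip, host or "<unknown>", "<unassigned>", "<unassigned>", False, ts)
            unauthorized.add(mac)
        else:
            asset.ip, asset.last_seen = ip, ts
            if host:
                asset.name = host
            if not asset.approved:
                unauthorized.add(mac)
    return sorted(unauthorized)


def build_sample_inventory():
    """Constructed inventory: one approved workstation and one printer that was never approved."""
    return {
        "00:11:22:33:44:55": Asset("00:11:22:33:44:55", "", "ws-finance-07", "j.doe", "Finance", True),
        "aa:bb:cc:dd:ee:01": Asset("aa:bb:cc:dd:ee:01", "", "printer-2f", "facilities", "Facilities", False),
    }


if __name__ == "__main__":
    inv = build_sample_inventory()
    for mac in reconcile(inv, SAMPLE_DHCP_LOG):
        a = inv[mac]
        print(f"UNAUTHORIZED {mac} ip={a.ip} name={a.name} last_seen={a.last_seen}")
```

Only DHCPACK lines change the inventory, because a lease is not granted until the acknowledgement; DHCPREQUEST lines are deliberately skipped. In production the inventory would be the organization's asset database and the log would stream from every DHCP server, but the reconciliation logic is the same.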
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
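The last two sub-controls above ask for a log entry and an alert on two specific events: membership changes in administrative groups, and failed logins to administrative accounts. Below is an added example of that detection logic, written for this page and not taken from CIS or any SIEM vendor. It runs over constructed Windows Security log records; the event IDs used (4728/4732/4756 for a member added to a security-enabled group, 4729/4733/4757 for a member removed, 4625 for a failed logon) are the real Windows IDs, while the privileged group list, the "adm-" naming convention for dedicated admin accounts and the alert threshold are assumptions made for the example.

```python
"""Alert on admin group membership changes and failed admin logons (CIS sub-controls 4.8 and 4.9).

Added example: detection logic over constructed Windows Security log records held as dicts.
Event IDs are the real Windows Security event IDs; group names, the admin-account prefix and
the failed-logon threshold are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GROUP_ADD_EVENTS = {4728, 4732, 4756}      # member added to global / local / universal security group
GROUP_REMOVE_EVENTS = {4729, 4733, 4757}   # member removed from the same group kinds
FAILED_LOGON_EVENT = 4625                  # an account failed to log on

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}  # assumed
ADMIN_PREFIX = "adm-"                      # assumed naming convention for dedicated admin accounts (4.3)
FAILED_LOGON_THRESHOLD = 3                 # assumed: page when this many failures land in one window
FAILED_LOGON_WINDOW = timedelta(minutes=10)

# Constructed sample events.
SAMPLE_EVENTS = [
    {"time": "2024-03-03T09:00:00", "id": 4732, "subject": "adm-alice", "member": "bob",
     "group": "Administrators", "host": "WS01"},
    {"time": "2024-03-03T09:01:00", "id": 4732, "subject": "adm-alice", "member": "svc-backup",
     "group": "Backup Operators", "host": "WS01"},
    {"time": "2024-03-03T09:05:00", "id": 4625, "target": "adm-carol", "src_ip": "10.0.9.8", "host": "DC01"},
    {"time": "2024-03-03T09:06:00", "id": 4625, "target": "adm-carol", "src_ip": "10.0.9.8", "host": "DC01"},
    {"time": "2024-03-03T09:07:00", "id": 4625, "target": "adm-carol", "src_ip": "10.0.9.8", "host": "DC01"},
    {"time": "2024-03-03T09:30:00", "id": 4625, "target": "dave", "src_ip": "10.0.9.9", "host": "DC01"},
    {"time": "2024-03-03T10:00:00", "id": 4729, "subject": "adm-alice", "member": "bob",
     "group": "Domain Admins", "host": "DC01"},
]


def detect_admin_group_changes(events):
    """Return one alert string per add or remove that touches a privileged group (sub-control 4.8)."""
    alerts = []
    for ev in events:
        if ev["id"] in GROUP_ADD_EVENTS | GROUP_REMOVE_EVENTS and ev.get("group") in PRIVILEGED_GROUPS:
            action = "ADDED TO" if ev["id"] in GROUP_ADD_EVENTS else "REMOVED FROM"
            alerts.append(f"{ev['time']} {ev['member']} {action} {ev['group']} "
                          f"by {ev['subject']} on {ev['host']}")
    return alerts


def detect_failed_admin_logons(events, threshold=FAILED_LOGON_THRESHOLD, window=FAILED_LOGON_WINDOW):
    """Return alerts for admin accounts with at least `threshold` failed logons inside a sliding window
    (sub-control 4.9). Every single failure still deserves a log entry; the threshold decides when to page."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["id"] == FAILED_LOGON_EVENT and ev.get("target", "").startswith(ADMIN_PREFIX):
            per_account[ev["target"]].append(datetime.fromisoformat(ev["time"]))
    alerts = []
    for account, times in per_account.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(f"{account}: {end - start + 1} failed logons within {window} "
                              f"ending {times[end].isoformat()}")
                break  # one alert per account is enough for the example
    return alerts


if __name__ == "__main__":
    for line in detect_admin_group_changes(SAMPLE_EVENTS) + detect_failed_admin_logons(SAMPLE_EVENTS):
        print("ALERT", line)
```

The group-change rule fires on every add and remove, with no threshold, because a single unexpected change to Domain Admins is already worth a human look; the failed-logon rule uses a window so that one mistyped password does not page anyone, while a burst against an admin account does.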
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
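The DMARC sub-control above (7.8) is one a defender can verify from the outside: the SPF and DMARC policies are DNS TXT records, and a weak qualifier or a monitoring-only policy leaves the domain spoofable. The following is an added example, not part of the CIS document; it evaluates constructed TXT records against the record syntax of RFC 7208 (SPF) and RFC 7489 (DMARC). The `CONSTRUCTED_DNS` table and the example domains stand in for a real resolver. DKIM is not checked here because its selector records cannot be enumerated from the domain name alone.

```python
"""Check the SPF and DMARC records a domain publishes (CIS sub-control 7.8).

Added example: parses constructed DNS TXT records offline and reports settings that leave
mail from the domain unauthenticated. CONSTRUCTED_DNS replaces a real DNS lookup.
"""

# Constructed stand-in for DNS: name -> list of TXT strings (domains are made up).
CONSTRUCTED_DNS = {
    "good.example":        ["v=spf1 mx ip4:192.0.2.0/24 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "weak.example":        ["v=spf1 include:_spf.mailer.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "none.example":        [],
}


def lookup_txt(name, dns=CONSTRUCTED_DNS):
    """Return the TXT strings for a name from the constructed table (empty list if none)."""
    return dns.get(name, [])


def parse_spf(txt_records):
    """Return (terms, all_qualifier) from the first v=spf1 record, or (None, None) if absent.
    The qualifier is one of '+', '-', '~', '?'; an 'all' with no prefix means '+'."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            terms = rec.split()[1:]
            all_q = None
            for term in terms:
                if term.lstrip("+-~?").lower() == "all":
                    all_q = term[0] if term[0] in "+-~?" else "+"
            return terms, all_q
    return None, None


def parse_dmarc(txt_records):
    """Return the tag=value dict from the first v=DMARC1 record, or None."""
    for rec in txt_records:
        if rec.replace(" ", "").lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_domain(domain, dns=CONSTRUCTED_DNS):
    """Return a list of findings; an empty list means SPF and DMARC are both present and enforcing."""
    findings = []
    terms, all_q = parse_spf(lookup_txt(domain, dns))
    if terms is None:
        findings.append("SPF: no v=spf1 record")
    elif all_q in (None, "+", "?"):
        # '+all' and '?all' let any sender pass; a missing 'all' defaults to neutral as well.
        findings.append(f"SPF: 'all' qualifier is {all_q or 'missing'}; use -all (or ~all during rollout)")
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", dns))
    if dmarc is None:
        findings.append("DMARC: no record at _dmarc." + domain)
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} only monitors; move to quarantine or reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are not collected")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        print(name, assess_domain(name) or ["ok"])
```

The order of findings mirrors the order in which the sub-control says to roll the controls out: SPF first, then the DMARC policy that depends on SPF (and DKIM) alignment. Running the same checks against the organization's real domains only requires replacing `lookup_txt` with a resolver query.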
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.

Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.
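What "hash with a salt" looks like in practice, as an added example that is not part of the CIS document: credentials are stored as a self-describing record (algorithm, work factor, per-credential random salt, digest) produced with PBKDF2-HMAC-SHA256 from the Python standard library, verified in constant time, and flagged for re-hashing when the stored work factor falls below current policy. The iteration count is an assumed policy value to tune for your hardware.

```python
"""Salted, iterated credential hashing with constant-time verification.
Added example using only the Python standard library; ITERATIONS is an
assumed policy value, not a figure from the CIS document."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_credential(secret: str, *, iterations: int = ITERATIONS,
                    salt: Optional[bytes] = None) -> str:
    """Return a record of the form algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        # Fresh random salt per credential: identical passwords yield different records,
        # which defeats precomputed tables and cross-account comparison.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_credential(secret: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False   # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, *, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor (or format) than current policy."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")
    print(record)
    print("verify ok:", verify_credential("correct horse battery staple", record))
    print("verify wrong:", verify_credential("wrong password", record))
```

Calling `needs_rehash` at each successful login lets the stored work factor be raised over time without a forced password reset: the plaintext is available at that moment, so the record can be rewritten immediately.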


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
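A minimal version of that deviation check, as an added example that is not part of the CIS document: it builds a per-user baseline of login hours and workstations from constructed history lines in a simple "timestamp user workstation" format, then flags new logins outside the observed hour window or from an unseen workstation (session duration is left out here). The one-hour tolerance and the sample users are assumptions.

```python
"""Alert on logins that deviate from a user's established time-of-day and
workstation pattern.  Added example; log lines are constructed samples in
a simplified 'ISO-timestamp user workstation' format, and HOUR_TOLERANCE
is an assumed threshold."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

HOUR_TOLERANCE = 1   # assumed: one hour either side of the observed window is still normal


@dataclass
class Login:
    when: datetime
    user: str
    workstation: str


@dataclass
class Profile:
    hours: Set[int] = field(default_factory=set)
    workstations: Set[str] = field(default_factory=set)


def parse(line: str) -> Login:
    """Parse one constructed log line: '<ISO timestamp> <user> <workstation>'."""
    ts, user, ws = line.split()
    return Login(datetime.fromisoformat(ts), user, ws)


def build_profiles(history: List[str]) -> Dict[str, Profile]:
    """Baseline each user from historical logins: hours seen and workstations used."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for line in history:
        ev = parse(line)
        profiles[ev.user].hours.add(ev.when.hour)
        profiles[ev.user].workstations.add(ev.workstation)
    return profiles


def deviations(ev: Login, profile: Profile) -> List[str]:
    """Reasons this login deviates from the baseline (empty list means normal)."""
    reasons = []
    lo, hi = min(profile.hours), max(profile.hours)
    if not (lo - HOUR_TOLERANCE <= ev.when.hour <= hi + HOUR_TOLERANCE):
        reasons.append("time-of-day")
    if ev.workstation not in profile.workstations:
        reasons.append("workstation")
    return reasons


def alerts(history: List[str], new_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (log line, reasons) for every new login that deserves an alert."""
    profiles = build_profiles(history)
    out = []
    for line in new_lines:
        ev = parse(line)
        profile = profiles.get(ev.user)
        if profile is None:
            out.append((line, ["no baseline"]))   # unknown account: always worth a look
            continue
        reasons = deviations(ev, profile)
        if reasons:
            out.append((line, reasons))
    return out


# Constructed history: ten days of routine logins for two users.
HISTORY = (
    [f"2024-03-{d:02d}T{h:02d}:15:00 alice WS-ALICE" for d in range(1, 11) for h in (8, 9, 10)]
    + [f"2024-03-{d:02d}T{h:02d}:40:00 bob {ws}" for d in range(1, 11)
       for h, ws in ((9, "WS-BOB"), (13, "WS-LAB"), (17, "WS-BOB"))]
)

# Constructed new events to evaluate against that baseline.
NEW_EVENTS = [
    "2024-03-12T03:12:00 alice WS-ALICE",       # 03:12 is far outside alice's 08-10 window
    "2024-03-12T09:05:00 alice WS-FINANCE-07",  # usual hour, never-seen workstation
    "2024-03-12T10:00:00 bob WS-LAB",           # within bob's window, known workstation
    "2024-03-12T22:30:00 bob WS-LAB",           # 22:30 is outside bob's 09-17 window
    "2024-03-12T09:00:00 carol WS-BOB",         # account with no history at all
]

if __name__ == "__main__":
    for line, reasons in alerts(HISTORY, NEW_EVENTS):
        print(f"ALERT {line}  ({', '.join(reasons)})")
```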

Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.

Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
PCI DSS 3.0 requirements forming the columns of the mapping matrix:

PCI DSS 1.1: Establish and implement firewall and router configuration standards.

PCI DSS 1.2: Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

PCI DSS 1.3: Prohibit direct public access between the Internet and any system component in the cardholder data environment.

PCI DSS 1.4: Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.

PCI DSS 1.5: Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.

PCI DSS 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

PCI DSS 2.2: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

PCI DSS 2.3: Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

PCI DSS 2.4: Maintain an inventory of system components that are in scope for PCI DSS.

PCI DSS 2.5: Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.

PCI DSS 2.6: Shared hosting providers must protect each entity's hosted environment and cardholder data.

PCI DSS 3.1: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.

PCI DSS 3.2: Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

PCI DSS 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.

PCI DSS 3.4: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).

PCI DSS 3.5: Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.

PCI DSS 3.6: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.

PCI DSS 3.7: Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.

PCI DSS 4.1: Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.

PCI DSS 4.2: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).

PCI DSS 4.3: Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.

PCI DSS 5.1: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

PCI DSS 5.2: Ensure that all anti-virus mechanisms are maintained.

PCI DSS 5.3: Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

PCI DSS 5.4: Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.

PCI DSS 6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.

PCI DSS 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

PCI DSS 6.3: Develop internal and external software applications (including web-based administrative access to applications) securely.

PCI DSS 6.4: Follow change control processes and procedures for all changes to system components.

PCI DSS 6.5a: Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.

PCI DSS 6.5b: Develop applications based on secure coding guidelines.

PCI DSS 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.

PCI DSS 6.7: Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.

PCI DSS 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.

PCI DSS 7.2: Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

PCI DSS 7.3: Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

PCI DSS 8.1: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.

PCI DSS 8.2: In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.

PCI DSS 8.3: Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).

PCI DSS 8.4: Document and communicate authentication procedures and policies to all users.

PCI DSS 8.5: Do not use group, shared, or generic IDs, passwords, or other authentication methods.

PCI DSS 8.6: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned.

PCI DSS 8.7: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted.

PCI DSS 8.8: Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.

PCI DSS 9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

PCI DSS 9.2: Develop procedures to easily distinguish between onsite personnel and visitors.

PCI DSS 9.3: Control physical access for onsite personnel to the sensitive areas.

PCI DSS 9.4: Implement procedures to identify and authorize visitors.

PCI DSS 9.5: Physically secure all media.

PCI DSS 9.6: Maintain strict control over the internal or external distribution of any kind of media.

PCI DSS 9.7: Maintain strict control over the storage and accessibility of media.

PCI DSS 9.8: Destroy media when it is no longer needed for business or legal reasons.

PCI DSS 9.9: Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

PCI DSS 9.10: Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

PCI DSS 10.1: Implement audit trails to link all access to system components to each individual user.

PCI DSS 10.2: Implement automated audit trails for all system components.

PCI DSS 10.3: Record at least the following audit trail entries for all system components for each event.

PCI DSS 10.4: Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

PCI DSS 10.5: Secure audit trails so they cannot be altered.

PCI DSS 10.6: Review logs and security events for all system components to identify anomalies or suspicious activity.

PCI DSS 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

PCI DSS 10.8: Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.

PCI DSS 11.1: Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

PCI DSS 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

PCI DSS 11.3: Implement a methodology for penetration testing.

PCI DSS 11.4: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

PCI DSS 11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

PCI DSS 11.6: Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.

PCI DSS 12.1: Establish, publish, maintain, and disseminate a security policy.

PCI DSS 12.2: Implement a risk-assessment process.

PCI DSS 12.3: Develop usage policies for critical technologies and define proper use of these technologies.

PCI DSS 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

PCI DSS 12.5: Assign to an individual or team the following information security management responsibilities.

PCI DSS 12.6: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

PCI DSS 12.7: Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)

PCI DSS 12.8: Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.

PCI DSS 12.9: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

PCI DSS 12.10: Implement an incident response plan. Be prepared to respond immediately to a system breach.

[Mapping matrix: the X marks linking individual CIS sub-controls to each PCI DSS requirement did not survive extraction of the flattened table.]
CIS Controls v7.1 mapped to PCI DSS 3.0

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2
System 2.3

System 2.4

System 2.5

System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1
System 4.2

System 4.3

System 4.4

System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5
System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections

System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4
System 8.5

System 8.6

System 8.7

System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5
Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12
Critical Security Control #13: Data Protection

Network 13.1

Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7
Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7
Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
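An added example for sub-controls 4.8 and 4.9 (not from the page or from CIS): detection logic in Python run over a constructed JSON-lines export of Windows Security events. The event IDs are the standard ones for membership changes to security-enabled groups (4728/4732/4756 add, 4729/4733/4757 remove) and for failed logons (4625); the group names, account names, hosts and addresses are assumptions.

```python
import json
from collections import Counter

# Windows Security event IDs for membership changes to security-enabled groups and for failed logons.
GROUP_ADD_IDS = {4728, 4732, 4756}     # member added to a global / local / universal security group
GROUP_REMOVE_IDS = {4729, 4733, 4757}  # member removed from the same kinds of group
FAILED_LOGON_ID = 4625

# Groups that carry administrative privilege in this (hypothetical) environment.
ADMIN_GROUPS = frozenset({"Administrators", "Domain Admins", "Enterprise Admins"})
# Dedicated administrative accounts as in sub-control 4.3 (names are hypothetical).
ADMIN_ACCOUNTS = frozenset({"DA-alice", "DA-carol"})

# Constructed sample events in a JSON-lines export shape (not real log data).
SAMPLE_EVENTS = """\
{"EventID": 4732, "SubjectUserName": "svc-helpdesk", "MemberName": "CN=jsmith,OU=Users,DC=corp,DC=example", "TargetUserName": "Administrators", "Computer": "WS-FIN-07"}
{"EventID": 4728, "SubjectUserName": "DA-alice", "MemberName": "CN=bob,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins", "Computer": "DC01"}
{"EventID": 4732, "SubjectUserName": "svc-helpdesk", "MemberName": "CN=printops,OU=Groups,DC=corp,DC=example", "TargetUserName": "Print Operators", "Computer": "PRN01"}
{"EventID": 4625, "TargetUserName": "DA-alice", "IpAddress": "10.10.20.91", "Computer": "DC01"}
{"EventID": 4625, "TargetUserName": "DA-alice", "IpAddress": "10.10.20.91", "Computer": "DC01"}
{"EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.10.20.15", "Computer": "WS-FIN-07"}
{"EventID": 4624, "TargetUserName": "DA-alice", "IpAddress": "10.10.30.5", "Computer": "DC01"}
"""


def detect(events_jsonl, admin_groups=ADMIN_GROUPS, admin_accounts=ADMIN_ACCOUNTS):
    """Return one alert dict per event that matches sub-control 4.8 or 4.9."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid in GROUP_ADD_IDS or eid in GROUP_REMOVE_IDS:
            group = ev.get("TargetUserName", "")   # for these events the group is the target
            if group in admin_groups:
                alerts.append({
                    "rule": "admin_group_membership_change",
                    "action": "added" if eid in GROUP_ADD_IDS else "removed",
                    "group": group,
                    "member": ev.get("MemberName", ""),
                    "by": ev.get("SubjectUserName", ""),
                    "host": ev.get("Computer", ""),
                })
        elif eid == FAILED_LOGON_ID and ev.get("TargetUserName") in admin_accounts:
            alerts.append({
                "rule": "admin_logon_failure",
                "account": ev["TargetUserName"],
                "source": ev.get("IpAddress", ""),
                "host": ev.get("Computer", ""),
            })
    return alerts


def failures_by_account(alerts):
    """Count failed admin logons per account, the first figure a responder wants."""
    return Counter(a["account"] for a in alerts if a["rule"] == "admin_logon_failure")


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(dict(failures_by_account(found)))
```

The membership rule fires on removals as well as additions, since an attacker cleaning up after themselves produces the same log entry; a SIEM rule built from this would also key the failed-logon alert on a threshold per account and source.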
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.
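Sub-control 16.4 in code, as an added example (not from the page or from CIS): salted password hashing with scrypt from Python's standard hashlib, stored in a self-describing format so the work factor can be raised later without breaking existing records, and verified with a constant-time comparison. The work-factor values and the sample password are assumptions.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factor (RFC 7914): n is the CPU/memory cost, r the block size, p the parallelism.
# n=2**14, r=8 needs about 16 MiB per hash, within hashlib's default memory limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_credential(password, salt=None):
    """Return 'scrypt$n$r$p$salt$hash' for storage in the credential store.

    The salt is 16 random bytes from the OS, so two hashes of the same password differ
    and a precomputed table cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), _b64(salt), _b64(digest)])


def verify_credential(password, stored):
    """Recompute the hash with the parameters stored beside it and compare in constant time.

    Any malformed record (wrong field count, bad base64, unknown algorithm, invalid scrypt
    parameters) verifies as False rather than raising.
    """
    try:
        algo, n, r, p, salt_b64, hash_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")  # sample password, constructed
    print(record)
    print(verify_credential("correct horse battery staple", record))   # True
    print(verify_credential("Correct horse battery staple", record))   # False
```

Hashing is the right half of "encrypt or hash" for passwords, which only ever need to be checked; reversible encryption is reserved for credentials the system must present to something else (service-account secrets, API tokens), where the key then has to be protected with the same care as the credentials themselves.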


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)

Build firewall and router


configurations that restrict Prohibit direct public access
Establish and implement
connections between between the Internet and any
firewall and router
untrusted networks and any system component in the
configuration standards. system components in the cardholder data environment.
cardholder data environment.

1.1 1.2 1.3


, Routers and Switches
X X

X X

X X
X X
X X
X X

X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X
X

X
X

X
X

X
Install personal firewall
software on any mobile
and/or employee-owned Ensure that security policies Always change vendor-
devices that connect to the and operational procedures supplied defaults and remove
Internet when outside the for managing firewalls are or disable unnecessary default
network (for example, laptops documented, in use, and accounts before installing a
used by employees), and known to all affected parties. system on the network.
which are also used to access
the network.

1.4 1.5 2.1


X
X

X
X
X

X
X
X
X
X
X
X
X
X

X
X

X
X

X
Develop configuration
Encrypt all non-console
standards for all system administrative access using
components. Assure that
strong cryptography. Use Maintain an inventory of
these standards address all
technologies such as SSH, system components that are
known security vulnerabilities
and are consistent with VPN, or SSL/TLS for web-based in scope for PCI DSS.
management and other non-
industry-accepted system
hardening standards. console administrative access.

2.2 2.3 2.4


X
X
X

X
X
X
X
X
X

X
X
X X

X X

X X

X X

X X
X X

X X
X X

X X

X X

X X

X X

X X

X X
X X
X

X
X
X
X

X
Ensure that security policies Keep cardholder data storage
and operational procedures Shared hosting providers must
to a minimum by
for managing vendor defaults protect each entity’s hosted
implementing data retention
and other security parameters environment and cardholder
are documented, in use, and data. and disposal policies,
procedures and processes.
known to all affected parties.

2.5 2.6 3.1


Do not store sensitive
Mask PAN when displayed
authentication data after
authorization (even if (the first six and last four Render PAN unreadable
digits are the maximum
encrypted). If sensitive anywhere it is stored
number of digits to be
authentication data is (including on portable digital
displayed), such that only
received, render all data personnel with a legitimate media, backup media, and in
unrecoverable upon logs).
business need can see the full
completion of the PAN.
authorization process.

3.2 3.3 3.4


Document and implement Fully document and Ensure that security policies
implement all key- and operational procedures
procedures to protect keys
management processes and for protecting stored
used to secure stored
procedures for cryptographic cardholder data are
cardholder data against keys used for encryption of documented, in use, and
disclosure and misuse.
cardholder data. known to all affected parties.

3.5 3.6 3.7


X

X
X
X
X

X
X
Use strong cryptography and
security protocols (for Never send unprotected PANs Ensure that security policies
and operational procedures
example, SSL/TLS, IPSEC, SSH, by end-user messaging
for encrypting transmissions
etc.) to safeguard sensitive technologies (for example, e-
of cardholder data are
cardholder data during mail, instant messaging, chat, documented, in use, and
transmission over open, public etc.).
known to all affected parties.
networks.

4.1 4.2 4.3


X
X
X

X
X X X

X X X

X X X
X X X
X X X
X X X

X X X

X X X
X X X

X
X

X
X

X
X
X
X

X
X
X

X
X
Ensure that anti-virus
Deploy anti-virus software on mechanisms are actively
running and cannot be
all systems commonly affected
Ensure that all anti-virus disabled or altered by users,
by malicious software
mechanisms are maintained. unless specifically authorized
(particularly personal by management on a case-by-
computers and servers).
case basis for a limited time
period.

5.1 5.2 5.3


X X X

X X X

X X X

X X X
X X X
X X X
X X X
X X X
PCI DSS 5.4: Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
PCI DSS 6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
PCI DSS 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

PCI DSS 6.3: Develop internal and external software applications (including web-based administrative access to applications) securely.
PCI DSS 6.4: Follow change control processes and procedures for all changes to system components.
PCI DSS 6.5a: Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.

PCI DSS 6.5b: Develop applications based on secure coding guidelines.
PCI DSS 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
PCI DSS 6.7: Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.

PCI DSS 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.
PCI DSS 7.2: Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
PCI DSS 7.3: Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

PCI DSS 8.1: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
PCI DSS 8.2: In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.
PCI DSS 8.3: Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).

PCI DSS 8.4: Document and communicate authentication procedures and policies to all users.
PCI DSS 8.5: Do not use group, shared, or generic IDs, passwords, or other authentication methods.
PCI DSS 8.6: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned.

PCI DSS 8.7: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted.
PCI DSS 8.8: Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
PCI DSS 9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

PCI DSS 9.2: Develop procedures to easily distinguish between onsite personnel and visitors.
PCI DSS 9.3: Control physical access for onsite personnel to the sensitive areas.
PCI DSS 9.4: Implement procedures to identify and authorize visitors.

PCI DSS 9.5: Physically secure all media.
PCI DSS 9.6: Maintain strict control over the internal or external distribution of any kind of media.
PCI DSS 9.7: Maintain strict control over the storage and accessibility of media.

PCI DSS 9.8: Destroy media when it is no longer needed for business or legal reasons.
PCI DSS 9.9: Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
PCI DSS 9.10: Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

PCI DSS 10.1: Implement audit trails to link all access to system components to each individual user.
PCI DSS 10.2: Implement automated audit trails for all system components.
PCI DSS 10.3: Record at least the following audit trail entries for all system components for each event.

PCI DSS 10.4: Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
PCI DSS 10.5: Secure audit trails so they cannot be altered.
PCI DSS 10.6: Review logs and security events for all system components to identify anomalies or suspicious activity.

PCI DSS 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
PCI DSS 10.8: Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
PCI DSS 11.1: Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

PCI DSS 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
PCI DSS 11.3: Implement a methodology for penetration testing.
PCI DSS 11.4: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

PCI DSS 11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
PCI DSS 11.6: Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
PCI DSS 12.1: Establish, publish, maintain, and disseminate a security policy.

PCI DSS 12.2: Implement a risk-assessment process.
PCI DSS 12.3: Develop usage policies for critical technologies and define proper use of these technologies.
PCI DSS 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

PCI DSS 12.5: Assign to an individual or team the following information security management responsibilities.
PCI DSS 12.6: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
PCI DSS 12.7: Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)

PCI DSS 12.8: Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
PCI DSS 12.9: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
PCI DSS 12.10: Implement an incident response plan. Be prepared to respond immediately to a system breach.

CIS Controls v7.1 mapped to HIPAA

Index of controls, with the asset category the mapping assigns to each and the sub-controls it covers:

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices (System; sub-controls 1.1 to 1.8)
Critical Security Control #2: Inventory of Authorized and Unauthorized Software (System; sub-controls 2.1 to 2.10)
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation (System; sub-controls 3.1 to 3.7)
Critical Security Control #4: Controlled Use of Administrative Privileges (System; sub-controls 4.1 to 4.9)
Critical Security Control #5: Secure Configurations for Hardware and Software (System; sub-controls 5.1 to 5.5)
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs (System; sub-controls 6.1 to 6.8)
Critical Security Control #7: Email and Web Browser Protections (System; sub-controls 7.1 to 7.10)
Critical Security Control #8: Malware Defenses (System; sub-controls 8.1 to 8.8)
Critical Security Control #9: Limitation and Control of Network Ports (System; sub-controls 9.1 to 9.5)
Critical Security Control #10: Data Recovery Capabilities (System; sub-controls 10.1 to 10.5)
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches (Network; sub-controls 11.1 to 11.7)
Critical Security Control #12: Boundary Defense (Network; sub-controls 12.1 to 12.12)
Critical Security Control #13: Data Protection (Network; sub-controls 13.1 to 13.9)
Critical Security Control #14: Controlled Access Based on the Need to Know (Application; sub-controls 14.1 to 14.9)
Critical Security Control #15: Wireless Access Control (Network; sub-controls 15.1 to 15.10)
Critical Security Control #16: Account Monitoring and Control (Application; sub-controls 16.1 to 16.13)
Critical Security Control #17: Implement a Security Awareness and Training Program (Application; sub-controls 17.1 to 17.9)
Critical Security Control #18: Application Software Security (Application; sub-controls 18.1 to 18.11)
Critical Security Control #19: Incident Response and Management (Application; sub-controls 19.1 to 19.8)
Critical Security Control #20: Penetration Tests and Red Team Exercises (Application; sub-controls 20.1 to 20.8)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

1.1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
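The DHCP-logging, inventory-fields and unauthorized-asset sub-controls of this control (1.3, 1.5 and 1.6 in CIS v7.1) describe one loop: feed DHCP server logs into the hardware inventory, keep the required fields per asset, and act on anything the inventory does not recognise. The Python below is an added example written for this page, not CIS tooling or code from the page; the ISC-dhcpd-style syslog lines, the inventory records and the regular expression are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: three DHCPACK lines and one DHCPNAK, in ISC dhcpd syslog style (assumed format).
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[2211]: DHCPACK on 10.0.1.23 to aa:bb:cc:dd:ee:01 (ws-finance-07) via eth0
Mar  3 09:12:44 dhcp1 dhcpd[2211]: DHCPACK on 10.0.1.40 to aa:bb:cc:dd:ee:02 (srv-db-02) via eth0
Mar  3 09:13:10 dhcp1 dhcpd[2211]: DHCPACK on 10.0.1.77 to 02:42:ac:11:00:09 via eth0
Mar  3 09:13:55 dhcp1 dhcpd[2211]: DHCPNAK on 10.0.1.90 to aa:bb:cc:dd:ee:03 via eth0
"""

# Only acknowledged leases count as "device is on the network"; the hostname is optional.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: DHCPACK on "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via"
)


@dataclass
class Asset:
    """One hardware-inventory record carrying the fields sub-control 1.5 asks for."""
    mac: str
    hostname: str
    owner: str
    department: str
    approved: bool            # cleared to connect to the network
    ip: Optional[str] = None
    last_seen: Optional[str] = None


# Constructed inventory keyed by hardware address.
INVENTORY: Dict[str, Asset] = {
    "aa:bb:cc:dd:ee:01": Asset("aa:bb:cc:dd:ee:01", "ws-finance-07", "j.doe", "Finance", True),
    "aa:bb:cc:dd:ee:02": Asset("aa:bb:cc:dd:ee:02", "srv-db-02", "dba-team", "IT", False),
}


def parse_dhcp_acks(log_text: str) -> List[dict]:
    """Return one record (ts, ip, mac, host) per DHCPACK line; other message types are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()
            leases.append(rec)
    return leases


def reconcile(inventory: Dict[str, Asset], leases: List[dict]) -> Dict[str, list]:
    """Refresh known assets from the leases and report devices that need a decision (1.6)."""
    report: Dict[str, list] = {"updated": [], "unknown": [], "unapproved": []}
    for lease in leases:
        asset = inventory.get(lease["mac"])
        if asset is None:
            report["unknown"].append(lease)        # no inventory record: quarantine or inventory it
            continue
        asset.ip, asset.last_seen = lease["ip"], lease["ts"]
        report["updated"].append(asset.mac)
        if not asset.approved:
            report["unapproved"].append(asset.mac)  # inventoried but not cleared to connect
    return report


if __name__ == "__main__":
    result = reconcile(INVENTORY, parse_dhcp_acks(SAMPLE_DHCP_LOG))
    for lease in result["unknown"]:
        print("unknown device", lease["mac"], "at", lease["ip"], "hostname", lease["host"])
    for mac in result["unapproved"]:
        print("unapproved device seen:", mac)
```

Anything reported under unknown holds a lease but has no inventory record, so it is exactly the quarantine-or-update decision this control requires; unapproved devices are known but not cleared, which is the state the approval flag exists to catch. A real pipeline would tail the DHCP log or pull from the IPAM tool rather than read a string.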

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
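The last two sub-controls of this control (comparing consecutive scans, and risk-rating findings to drive remediation order; 3.6 and 3.7 in CIS v7.1) are easy to state and easy to get wrong: a finding that disappears between scans must be recorded as remediated rather than silently forgotten, and the rating has to feed a remediation deadline or it changes nothing. The following is an added example, not from the page or CIS; the Finding records, the placeholder finding identifiers (PLUGIN-…), the CVSS thresholds and the SLA days are constructed assumptions that an organisation would replace with its own policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str          # the scanner's own identifier; placeholder values below
    cvss: float
    internet_facing: bool    # exposure, taken from the asset inventory


# Constructed results of two consecutive weekly scans.
SCAN_PREV: List[Finding] = [
    Finding("web-01", "PLUGIN-1042", 9.8, True),
    Finding("web-01", "PLUGIN-2210", 5.3, True),
    Finding("db-02", "PLUGIN-1042", 9.8, False),
    Finding("db-02", "PLUGIN-3301", 7.5, False),
]
SCAN_CURR: List[Finding] = [
    Finding("web-01", "PLUGIN-2210", 5.3, True),    # still present
    Finding("db-02", "PLUGIN-1042", 9.8, False),    # still present
    Finding("db-02", "PLUGIN-4100", 3.1, False),    # new this week
]
# When each open finding was first observed, from the remediation tracker (constructed).
FIRST_SEEN: Dict[Tuple[str, str], date] = {
    ("web-01", "PLUGIN-2210"): date(2024, 1, 8),
    ("db-02", "PLUGIN-1042"): date(2024, 2, 5),
}
SCAN_DATE = date(2024, 2, 19)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # remediation policy, an assumption
ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def key(f: Finding) -> Tuple[str, str]:
    """A finding is identified by host and scanner id, not by the row position in a report."""
    return (f.host, f.finding_id)


def diff_scans(prev: List[Finding], curr: List[Finding]) -> Dict[str, list]:
    """What was fixed, what is new and what is still open between two scans (sub-control 3.6)."""
    p, c = {key(f) for f in prev}, {key(f) for f in curr}
    return {"remediated": sorted(p - c), "new": sorted(c - p), "persisting": sorted(p & c)}


def risk_rating(f: Finding) -> str:
    """Severity adjusted for exposure (sub-control 3.7); the thresholds are an assumption."""
    if f.cvss >= 9.0 or (f.cvss >= 7.0 and f.internet_facing):
        return "critical"
    if f.cvss >= 7.0:
        return "high"
    if f.cvss >= 4.0:
        return "medium"
    return "low"


def prioritize(curr: List[Finding], first_seen: Dict[Tuple[str, str], date], today: date) -> List[dict]:
    """Order open findings by rating, then by age, and mark the ones already past their SLA."""
    rows = []
    for f in curr:
        rating = risk_rating(f)
        age = (today - first_seen.get(key(f), today)).days   # findings seen for the first time have age 0
        rows.append({"host": f.host, "id": f.finding_id, "rating": rating,
                     "age_days": age, "overdue": age > SLA_DAYS[rating]})
    rows.sort(key=lambda r: (ORDER[r["rating"]], -r["age_days"]))
    return rows


if __name__ == "__main__":
    print(diff_scans(SCAN_PREV, SCAN_CURR))
    for row in prioritize(SCAN_CURR, FIRST_SEEN, SCAN_DATE):
        print(row)
```

Keying on (host, finding id) rather than on the report row is what makes the diff trustworthy across scans; the "remediated" list is the evidence that the timely-remediation requirement is being met, and the overdue flag is the list that needs escalation.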


Critical Security Control #4: Controlled Use of Administrative Privileges

4.1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
4.4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
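The last two sub-controls of this control (alert on changes to administrative group membership and on failed logins to administrative accounts; 4.8 and 4.9 in CIS v7.1) are detection controls: they only work if the log pipeline emits the events and something actually raises an alert on them. This added example (not from the page or CIS) shows that matching logic over constructed, normalised JSON-line events; the event schema, the admin group names, the admin-account list and the three-failures-in-ten-minutes alert threshold are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

ADMIN_GROUPS = {"Domain Admins", "Administrators"}   # groups that confer admin privilege (assumed names)
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-svc-backup"}      # from the admin-account inventory (constructed)
FAILED_LOGIN_THRESHOLD = 3                           # alerting threshold, a noise-control assumption
WINDOW = timedelta(minutes=10)

# Constructed, normalised JSON-line events as a hypothetical log pipeline might emit them.
SAMPLE_EVENTS = """\
{"ts": "2024-03-03T09:00:05", "type": "group_member_added", "actor": "adm-jdoe", "target": "svc-web", "group": "Domain Admins"}
{"ts": "2024-03-03T09:01:10", "type": "group_member_added", "actor": "helpdesk1", "target": "jsmith", "group": "Print Operators"}
{"ts": "2024-03-03T09:02:00", "type": "logon_failed", "user": "adm-jdoe", "src_ip": "10.0.5.12"}
{"ts": "2024-03-03T09:03:30", "type": "logon_failed", "user": "adm-jdoe", "src_ip": "10.0.5.12"}
{"ts": "2024-03-03T09:04:15", "type": "logon_failed", "user": "jsmith", "src_ip": "10.0.7.40"}
{"ts": "2024-03-03T09:05:00", "type": "logon_failed", "user": "adm-jdoe", "src_ip": "10.0.5.12"}
{"ts": "2024-03-03T09:40:00", "type": "group_member_removed", "actor": "adm-jdoe", "target": "svc-web", "group": "Domain Admins"}
"""


def detect(events_text: str) -> List[Dict]:
    """One alert per admin-group membership change, and one per burst of failed admin logons.

    Every failed admin logon is still a log entry; the threshold only governs when an
    alert is raised, so a slow single-guess-per-hour attempt still shows up in the log.
    """
    alerts: List[Dict] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in events_text.splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] in ("group_member_added", "group_member_removed"):
            if ev["group"] in ADMIN_GROUPS:
                alerts.append({"rule": "admin_group_change", "ts": ev["ts"], "actor": ev["actor"],
                               "target": ev["target"], "group": ev["group"], "change": ev["type"]})
        elif ev["type"] == "logon_failed" and ev["user"] in ADMIN_ACCOUNTS:
            # sliding window: keep only failures within WINDOW of the current one
            recent = [t for t in failures[ev["user"]] if ts - t <= WINDOW] + [ts]
            failures[ev["user"]] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:   # alert once, when the threshold is first reached
                alerts.append({"rule": "admin_logon_failures", "ts": ev["ts"], "user": ev["user"],
                               "count": len(recent), "src_ip": ev["src_ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both the addition and the later removal of svc-web from Domain Admins produce alerts: a short-lived grant is a common way of hiding privilege use, so removals matter as much as additions. The failed-logon rule consults the admin-account inventory, which is why that inventory has to be automated and current.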

Critical Security Control #5: Secure Configurations for Hardware and Software

5.1 Maintain documented security configuration standards for all authorized operating systems and software.
5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2 Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7 On a regular basis, review logs to identify anomalies or abnormal events.
6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

Critical Security Control #7: Email and Web Browser Protections

7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.
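The DMARC sub-control of this control (7.8 in CIS v7.1) names SPF, DKIM and DMARC but says nothing about the settings that make them worth having: an SPF record that ends in a permissive qualifier, or a DMARC record with p=none, is published but enforces nothing. The added example below (not the page's or CIS's code) evaluates constructed SPF and DMARC TXT records for the hypothetical domain example.test, showing a weak configuration beside its hardened form. The record dictionary stands in for DNS; a real check would resolve the TXT records, which this example does not do, and DKIM cannot be assessed from DNS alone because the selector names are only known to the sending side.

```python
from typing import Dict, List, Optional

# Constructed TXT records for a hypothetical domain, as a resolver would return them.
WEAK_RECORDS: Dict[str, List[str]] = {
    "example.test": ["v=spf1 include:_spf.mailer.test ?all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"],
}
HARDENED_RECORDS: Dict[str, List[str]] = {
    "example.test": ["v=spf1 include:_spf.mailer.test -all"],
    "_dmarc.example.test": [
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.test; adkim=s; aspf=s"
    ],
}


def find_spf(txts: List[str]) -> Optional[str]:
    """Return the single SPF record, or None if it is absent or duplicated (duplicates are invalid)."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def parse_dmarc(txts: List[str]) -> Optional[Dict[str, str]]:
    """Parse the DMARC record's tag=value pairs; None if there is no v=DMARC1 record."""
    for t in txts:
        if t.replace(" ", "").lower().startswith("v=dmarc1"):
            tags: Dict[str, str] = {}
            for part in t.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def assess(domain: str, records: Dict[str, List[str]]) -> List[str]:
    """Return findings for the domain; an empty list means SPF and DMARC are both enforcing."""
    findings: List[str] = []
    spf = find_spf(records.get(domain, []))
    if spf is None:
        findings.append("SPF: no single valid v=spf1 record")
    else:
        last = spf.split()[-1].lower()
        # "+all" (or bare "all") passes everyone, "?all" is neutral; "~all" (softfail) is
        # tolerable once DMARC enforces, and "-all" is the strict form.
        if last in ("+all", "all", "?all"):
            findings.append(f"SPF: ends in {last}, so any sender passes or is neutral")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("DMARC: no record, receivers will not enforce alignment")
    else:
        policy = dmarc.get("p", "").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'}, monitoring only, nothing is rejected")
        elif pct < 100:
            findings.append(f"DMARC: pct={pct}, policy applied to only part of failing mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, so no aggregate reports")
    return findings


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess("example.test", records) or ["no findings"])
```

The usual rollout order is the one the sub-control describes: publish SPF and DKIM, start DMARC at p=none with a rua address to see what legitimate mail would fail, then move to quarantine and finally reject; the check above is what tells you the rollout has actually reached the enforcing end.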

Critical Security Control #8: Malware Defenses

8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
8.5 Configure devices to not auto-run content from removable media.
8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports

9.1 Associate active ports, services, and protocols to the hardware assets in the asset inventory.
9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities

10.1 Ensure that all system data is automatically backed up on a regular basis.
10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

Critical Security Control #13: Data Protection

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

14.1 Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control

15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt, or hash with a salt, all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to identify the skills and behaviors workforce members are not
adhering to, and use this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain third-party contact information to be used to report a security incident,
such as Law Enforcement, relevant government departments, vendors, and Information Sharing and
Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.

[HIPAA Security Rule mapping columns for this sheet. The per-control "X" marks did not survive extraction, so only the column headers are recoverable. R = required, A = addressable.]
164.308(a)(1) Security Management Process: Risk Analysis (R); Risk Management (R); Sanctions Policy (R); Information System Activity Review (R)
164.308(a)(2) Assigned Security Responsibility (R)
164.308(a)(3) Workforce Security: Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
164.308(a)(4) Information Access Management: Isolating Health care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
164.308(a)(5) Security Awareness and Training: Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
164.308(a)(6) Security Incident Procedures: Response and Reporting (R)
164.308(a)(7) Contingency Plan: Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
164.308(a)(8) Evaluation (R)
164.308(b)(1) Business Associate Contracts and Other Arrangement: Written Contract or Other Arrangement (R)
164.310(a)(1) Facility Access Controls: Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
164.310(b) Workstation Use (R)
164.310(c) Workstation Security (R)
164.310(d)(1) Device and Media Controls: Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)
164.312(a)(1) Access Control: Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
164.312(b) Audit Controls (R)
164.312(c)(1) Integrity: Mechanism to Authenticate Electronic Protected Health Information (A)
164.312(d) Person or Entity Authentication (R)
164.312(e)(1) Transmission Security: Integrity Controls (A); Encryption (A)
CIS Controls v7.1 mapped to the FFIEC's Information Security Booklet 2016

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6
Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2
Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network or quarantined, or that the
inventory is updated in a timely manner.

Utilize port-level access control, following the 802.1X standard, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.

Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.

Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.

Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping grid of CIS Controls v7.1 sub-controls to FFIEC Examination Handbook (2006) sections. The per-sub-control "X" marks did not survive extraction; only the column headings are recoverable:]

II.C.1 Policies, Standards, and Procedures; II.C.2 Technology Design; II.C.3 Control Types
II.C.4 Inventory and Classification of Assets; II.C.5 Mitigating Interconnectivity Risk; II.C.6 Control Implementation
II.C.7 User Security Controls; II.C.8 Physical Security; II.C.9 Network Controls
II.C.10 Change Management Within the IT Environment; II.C.11 End-of-Life Management; II.C.12 Malware Mitigation
II.C.13 Control of Information; II.C.14 Supply Chain; II.C.15 Logical Security
II.C.16 Customer Remote Access to Financial Services; II.C.17 Application Security; II.C.18 Database Security
II.C.19 Oversight of Third-Party Service Providers; II.C.20 Encryption; II.C.21 Business Continuity Considerations
II.C.22 Log Management
CIS Controls v7.1 mapped to the FFIEC Examination Handbook (2006)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, System 1.2, System 1.3, System 1.4, System 1.5, System 1.6, System 1.7, System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, System 2.2, System 2.3, System 2.4, System 2.5, System 2.6, System 2.7, System 2.8, System 2.9, System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, System 3.2, System 3.3, System 3.4, System 3.5, System 3.6, System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, System 4.2, System 4.3, System 4.4, System 4.5, System 4.6, System 4.7, System 4.8, System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, System 5.2, System 5.3, System 5.4, System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, System 6.2, System 6.3, System 6.4, System 6.5, System 6.6, System 6.7, System 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, System 7.2, System 7.3, System 7.4, System 7.5, System 7.6, System 7.7, System 7.8, System 7.9, System 7.10

Critical Security Control #8: Malware Defenses
System 8.1, System 8.2, System 8.3, System 8.4, System 8.5, System 8.6, System 8.7, System 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, System 9.2, System 9.3, System 9.4, System 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, System 10.2, System 10.3, System 10.4, System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, Network 11.2, Network 11.3, Network 11.4, Network 11.5, Network 11.6, Network 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, Network 12.2, Network 12.3, Network 12.4, Network 12.5, Network 12.6, Network 12.7, Network 12.8, Network 12.9, Network 12.10, Network 12.11, Network 12.12

Critical Security Control #13: Data Protection
Network 13.1, Network 13.2, Network 13.3, Network 13.4, Network 13.5, Network 13.6, Network 13.7, Network 13.8, Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, Application 14.2, Application 14.3, Application 14.4, Application 14.5, Application 14.6, Application 14.7, Application 14.8, Application 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, Network 15.2, Network 15.3, Network 15.4, Network 15.5, Network 15.6, Network 15.7, Network 15.8, Network 15.9, Network 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, Application 16.2, Application 16.3, Application 16.4, Application 16.5, Application 16.6, Application 16.7, Application 16.8, Application 16.9, Application 16.10, Application 16.11, Application 16.12, Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, Application 17.2, Application 17.3, Application 17.4, Application 17.5, Application 17.6, Application 17.7, Application 17.8, Application 17.9

Critical Security Control #18: Application Software Security
Application 18.1, Application 18.2, Application 18.3, Application 18.4, Application 18.5, Application 18.6, Application 18.7, Application 18.8, Application 18.9, Application 18.10, Application 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, Application 19.2, Application 19.3, Application 19.4, Application 19.5, Application 19.6, Application 19.7, Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, Application 20.2, Application 20.3, Application 20.4, Application 20.5, Application 20.6, Application 20.7, Application 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.

On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.

Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
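Sub-controls 11.2 and 11.3 describe two checks that are easy to automate: every allow rule must carry a business reason, a named owner and an expected duration, and the running configuration must be compared with the approved one. The following is an added example, not part of the CIS text; the rule register, the Cisco-style configuration lines and the firewall name are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class AllowRule:
    rule_id: str
    match: str               # what the rule permits, e.g. "tcp any -> 10.0.5.10:443"
    reason: str              # business reason (11.2)
    owner: str               # named individual responsible (11.2)
    expires: Optional[date]  # expected end of the need (11.2)


# Constructed rule register for a hypothetical edge firewall.
RULES = [
    AllowRule("FW-0001", "tcp any -> 10.0.5.10:443", "public web front end", "j.doe", date(2026, 6, 30)),
    AllowRule("FW-0002", "tcp any -> 10.0.5.11:3389", "", "", None),
    AllowRule("FW-0003", "udp 10.0.0.0/8 -> 10.0.9.9:161", "SNMP polling during migration", "a.roe", date(2024, 1, 31)),
]
TODAY = date(2025, 3, 1)

# Constructed approved baseline and running configuration ("!" starts a comment).
APPROVED_CONFIG = """
! edge-fw-01 approved baseline
hostname edge-fw-01
ip ssh version 2
no ip http server
access-list 110 permit tcp any host 10.0.5.10 eq 443
access-list 110 deny ip any any log
"""
RUNNING_CONFIG = """
hostname edge-fw-01
ip ssh version 2
access-list 110 permit tcp any host 10.0.5.10 eq 443
access-list 110 permit tcp any host 10.0.5.11 eq 3389
access-list 110 deny ip any any log
"""


def audit_allow_rules(rules, today):
    """(rule_id, problem) pairs for rules that lack documentation or have expired."""
    findings = []
    for r in rules:
        if not r.reason.strip():
            findings.append((r.rule_id, "no business reason"))
        if not r.owner.strip():
            findings.append((r.rule_id, "no responsible owner"))
        if r.expires is None:
            findings.append((r.rule_id, "no expected duration"))
        elif r.expires < today:
            findings.append((r.rule_id, "expired on " + r.expires.isoformat()))
    return findings


def significant_lines(config):
    """Configuration lines worth comparing: blanks and comments dropped, order kept."""
    return [l.strip() for l in config.splitlines() if l.strip() and not l.strip().startswith("!")]


def config_drift(approved, running):
    """Lines present only in the running config, lines missing from it, and whether
    the shared lines changed order (order matters for first-match ACLs)."""
    a, r = significant_lines(approved), significant_lines(running)
    added = [l for l in r if l not in a]
    removed = [l for l in a if l not in r]
    common_a = [l for l in a if l in r]
    common_r = [l for l in r if l in a]
    return {"added": added, "removed": removed, "reordered": common_a != common_r}


def run_checks():
    return audit_allow_rules(RULES, TODAY), config_drift(APPROVED_CONFIG, RUNNING_CONFIG)
```

Run against the constructed data, the audit flags FW-0002 as undocumented and FW-0003 as expired, and the drift check reports a new RDP allow rule and a missing `no ip http server`, both of which should raise an alert under 11.3 rather than wait for the next manual review.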
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
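Sub-control 13.3 asks for an automated tool at the perimeter that recognises sensitive information in outbound traffic and blocks it. The following is an added example, not part of the CIS text, of the detection logic such a tool runs: it looks for payment card numbers and validates candidates with the Luhn check so that arbitrary 16-digit strings (order or ticket numbers) are not blocked, and it also honours classification markers. The messages and the marker strings are constructed for the example.

```python
import re

# 13-16 digits, optionally separated by single spaces or hyphens, not part of a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,15}\d(?![\d])")
MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")   # assumed classification labels

# Constructed outbound messages as a DLP gateway would see them.
MESSAGES = [
    {"id": 1, "to": "vendor@example.net", "body": "Please charge card 4111 1111 1111 1111 for the order."},
    {"id": 2, "to": "vendor@example.net", "body": "Ticket 4111-1111-1111-1112 is waiting on parts."},
    {"id": 3, "to": "press@example.net", "body": "Attached: Q3 plan, marked CONFIDENTIAL"},
    {"id": 4, "to": "friend@example.net", "body": "Lunch at noon?"},
]


def luhn_ok(digits):
    """Luhn checksum: from the right, double every second digit and sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_outbound(messages):
    """Decide block/allow per message and record the reasons for the alert."""
    decisions = []
    for msg in messages:
        reasons = []
        cards = find_card_numbers(msg["body"])
        if cards:
            reasons.append("card numbers: " + ", ".join(mask(c) for c in cards))
        upper = msg["body"].upper()
        for marker in MARKERS:
            if marker in upper:
                reasons.append("marker: " + marker)
        decisions.append({"id": msg["id"], "action": "block" if reasons else "allow", "reasons": reasons})
    return decisions


def run_inspection():
    return inspect_outbound(MESSAGES)
```

Message 2 contains a 16-digit string that fails the Luhn check and is allowed through; message 1 is blocked and the alert carries only a masked number, so the alerting channel does not itself become a leak of the data it protects.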

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
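Sub-control 16.4 is often misread as "hash the password". The following is an added example, not part of the CIS text, showing the difference between an unsalted single hash and a salted, iterated password hash (PBKDF2-HMAC-SHA256 from the Python standard library, with constant-time comparison on verification). The storage format and the iteration count are assumptions for the example; the count should be tuned to the hardware that verifies logins.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def weak_store(password):
    """What NOT to do: an unsalted single hash. Equal passwords give equal digests,
    so one cracked entry (or a precomputed table) exposes every account using it."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_credential(password, iterations=ITERATIONS):
    """Per-credential random salt plus an iterated hash, stored in a self-describing
    format so the algorithm and work factor can be raised later without a migration."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_credential(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time.
    Malformed or foreign records fail closed."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False


def demo():
    pw = "correct horse battery staple"
    a, b = store_credential(pw, 10_000), store_credential(pw, 10_000)  # low count only to keep the demo fast
    return {
        "weak_equal": weak_store(pw) == weak_store(pw),   # True: same digest for every user with this password
        "salted_differ": a != b,                           # True: salts make stored values unique
        "verify_ok": verify_credential(pw, a),
        "verify_wrong": verify_credential("wrong", a),
    }
```

Encrypting credentials (the other option the control names) is appropriate for secrets the system must later present in clear, such as stored API keys for an upstream service; for passwords the system only needs to check, a salted slow hash is the right choice because there is no key to steal.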

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
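Sub-controls 16.9, 16.12 and 16.13 all reduce to reviewing authentication events against an account inventory: find dormant accounts, catch attempts against disabled ones, and flag logins outside an account's normal hours or from unfamiliar workstations. The following is an added example, not part of the CIS text, that runs those three checks over a constructed inventory and event list; the 45-day dormancy threshold, the per-account hours and the host names are assumptions.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=45)   # assumed organisational threshold (16.9)
NOW = datetime(2025, 3, 1, 9, 0)

# Constructed account inventory: status, usual workstations and the hours the
# account normally authenticates (start hour inclusive, end hour exclusive).
ACCOUNTS = {
    "alice":      {"status": "enabled",  "usual_hosts": {"WS-ALICE"}, "hours": (7, 19)},
    "bob":        {"status": "enabled",  "usual_hosts": {"WS-BOB"},   "hours": (7, 19)},
    "carol":      {"status": "disabled", "usual_hosts": set(),        "hours": (7, 19)},
    "svc_backup": {"status": "enabled",  "usual_hosts": {"BKP-01"},   "hours": (0, 24)},
}

# Constructed authentication events: (timestamp, account, outcome, source host)
EVENTS = [
    (datetime(2025, 2, 28, 8, 30),  "alice",      "success", "WS-ALICE"),
    (datetime(2025, 2, 28, 2, 10),  "alice",      "success", "WS-FINANCE-07"),
    (datetime(2025, 1, 5, 10, 0),   "bob",        "success", "WS-BOB"),
    (datetime(2025, 2, 27, 23, 45), "carol",      "failure", "VPN-GW"),
    (datetime(2025, 2, 28, 1, 0),   "svc_backup", "success", "BKP-01"),
]


def review_accounts(accounts, events, now):
    dormant, disabled_attempts, anomalies = [], [], []
    last_success = {}
    for ts, user, outcome, host in events:
        acct = accounts.get(user)
        if acct is None:
            anomalies.append((user, ts.isoformat(), ["account not in inventory"]))
            continue
        if acct["status"] != "enabled":
            # 16.12: any attempt against a deactivated account is worth a look.
            disabled_attempts.append((user, ts.isoformat(), host, outcome))
            continue
        if outcome != "success":
            continue
        if user not in last_success or ts > last_success[user]:
            last_success[user] = ts
        # 16.13: deviation from the account's own baseline (time of day, location).
        reasons = []
        start, end = acct["hours"]
        if not (start <= ts.hour < end):
            reasons.append("off-hours login at %02d:%02d" % (ts.hour, ts.minute))
        if host not in acct["usual_hosts"]:
            reasons.append("unfamiliar host " + host)
        if reasons:
            anomalies.append((user, ts.isoformat(), reasons))
    # 16.9: enabled accounts with no successful login inside the window.
    for user, acct in accounts.items():
        if acct["status"] != "enabled":
            continue
        last = last_success.get(user)
        if last is None or now - last > DORMANT_AFTER:
            dormant.append(user)
    return {"dormant": sorted(dormant),
            "disabled_account_attempts": disabled_attempts,
            "anomalous_logins": anomalies}


def run_review():
    return review_accounts(ACCOUNTS, EVENTS, NOW)
```

Giving each account its own baseline (here the `hours` window) is what keeps the nightly service account out of the off-hours alert while still catching the 02:10 login for alice from a finance workstation; a single organisation-wide rule produces either noise or blind spots.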
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

[Mapping grid: one row per CIS sub-control, with an X in each category column the sub-control maps to. The row labels did not survive extraction; only the column headings are recoverable.]

Columns: A Network Security; B Host Security; C Authentication and Access Controls; D User Equipment Security (Workstation, Laptop, Handheld); E Physical Security; F Personnel Security; G Software Development & Acquisition Security; H Business Continuity - (heading truncated in extraction); I Application Security; J Service Provider Oversight - Security; K Encryption; L Data Security; M Security Monitoring
CIS Controls v7.1 mapped to the FFIEC's Cybersecurity Assessment Tool (CAT)

[Sub-control index as extracted: the label column ("System", "Network" or "Application") and the sub-control numbers survived; the CAT statement column did not.]

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
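Sub-controls 3.6 and 3.7 together describe a small piece of logic: diff two consecutive scan results to see what was remediated, what is new and what persists, then judge the persisting findings against a risk-based remediation deadline. The following is an added example, not part of the CIS text; the two scan result sets, the host names and the SLA table are constructed for the example (the vulnerability identifiers are real, well-known CVEs used only as sample data).

```python
from datetime import date

# Remediation deadline in days per severity: assumed values for the example (3.7).
SLA_DAYS = {"critical": 7, "high": 7, "medium": 30, "low": 90}

# Constructed results of two consecutive scans: (scan date, [(host, vulnerability id, severity)]).
SCAN_PREVIOUS = (date(2025, 2, 1), [
    ("web01", "CVE-2021-44228", "critical"),
    ("web01", "CVE-2016-2183", "medium"),
    ("db01", "CVE-2014-0160", "high"),
])
SCAN_CURRENT = (date(2025, 2, 15), [
    ("web01", "CVE-2016-2183", "medium"),
    ("db01", "CVE-2014-0160", "high"),
    ("app02", "CVE-2021-44228", "critical"),
])


def compare_scans(previous, current, first_seen=None):
    """Classify findings as remediated, new or persisting (3.6) and list the persisting
    ones that are older than their severity's deadline (3.7). first_seen carries the
    date each (host, vuln) was first observed across earlier comparisons."""
    prev_date, prev_findings = previous
    cur_date, cur_findings = current
    prev_keys = {(h, v): s for h, v, s in prev_findings}
    cur_keys = {(h, v): s for h, v, s in cur_findings}
    first_seen = dict(first_seen or {})
    for key in prev_keys:
        first_seen.setdefault(key, prev_date)
    for key in cur_keys:
        first_seen.setdefault(key, cur_date)
    remediated = sorted(k for k in prev_keys if k not in cur_keys)
    new = sorted(k for k in cur_keys if k not in prev_keys)
    persisting = sorted(k for k in cur_keys if k in prev_keys)
    overdue = []
    for host, vuln in persisting:
        age = (cur_date - first_seen[(host, vuln)]).days
        if age > SLA_DAYS[cur_keys[(host, vuln)]]:
            overdue.append((host, vuln, age))
    return {"remediated": remediated, "new": new, "persisting": persisting,
            "overdue": overdue, "first_seen": first_seen}


def run_comparison():
    return compare_scans(SCAN_PREVIOUS, SCAN_CURRENT)
```

Note that "remediated" here only means the scanner no longer reports the finding; a host that was offline during the second scan would look the same, so the comparison should be paired with the asset inventory from Control 1 to distinguish a fixed system from a missed one.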

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
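Sub-control 7.8 names SPF, DKIM and DMARC but does not say what a weak deployment looks like. The following is an added example, not part of the CIS text, that parses SPF and DMARC TXT records and reports the settings that leave a domain spoofable: an SPF record ending in `+all` or `?all`, more than the ten DNS lookups RFC 7208 permits, a DMARC policy of `none`, no aggregate reporting address, or a partial `pct`. The records are constructed (example.com is reserved for documentation); DKIM is not checked here because validating it needs the selector and the public key, which this example does not assume.

```python
MAX_SPF_LOOKUPS = 10   # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms


def parse_spf(record):
    """Return the SPF terms after the version tag, or None if this is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def spf_lookup_count(terms):
    """Count mechanisms/modifiers that cost a DNS lookup (include, a, mx, exists, redirect)."""
    n = 0
    for t in terms:
        t = t.lstrip("+-~?").lower()
        if t.startswith(("include:", "exists:", "redirect=")):
            n += 1
        elif t in ("a", "mx") or t.startswith(("a:", "a/", "mx:", "mx/")):
            n += 1
    return n


def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if this is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_domain(spf_record, dmarc_record):
    """List the weaknesses in a domain's SPF and DMARC records (empty list = no findings)."""
    findings = []
    terms = parse_spf(spf_record) if spf_record else None
    if terms is None:
        findings.append("no valid SPF record")
    else:
        final = terms[-1].lower() if terms else ""
        if final in ("+all", "all"):
            findings.append("SPF ends with +all: every sender passes")
        elif final == "?all":
            findings.append("SPF ends with ?all: neutral result gives receivers nothing to act on")
        elif final not in ("-all", "~all"):
            findings.append("SPF has no explicit all mechanism")
        if spf_lookup_count(terms) > MAX_SPF_LOOKUPS:
            findings.append("SPF exceeds the 10 DNS lookup limit; receivers return permerror")
    tags = parse_dmarc(dmarc_record) if dmarc_record else None
    if tags is None:
        findings.append("no valid DMARC record")
    else:
        p = tags.get("p", "").lower()
        if p == "none":
            findings.append("DMARC p=none: failing mail is delivered, only reported")
        elif p not in ("quarantine", "reject"):
            findings.append("DMARC policy missing or invalid")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: no aggregate reports")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append("DMARC pct=%s: policy applied to only part of the mail stream" % pct)
    return findings


# Constructed records for a weak and a hardened deployment of the same domain.
WEAK = {"spf": "v=spf1 include:_spf.example.net +all",
        "dmarc": "v=DMARC1; p=none; pct=100"}
STRONG = {"spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
          "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"}


def run_assessment():
    return assess_domain(WEAK["spf"], WEAK["dmarc"]), assess_domain(STRONG["spf"], STRONG["dmarc"])
```

In practice the two records are fetched as TXT lookups for the domain and for `_dmarc.<domain>`; the control's advice to start with SPF and DKIM and then add DMARC matches the usual rollout of `p=none` with reporting first, moving to `quarantine` and `reject` once the reports show all legitimate senders are covered.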
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.

Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.


Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt, or hash with a salt, all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.

Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.

Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)

[Mapping grid: only the column headings survived extraction; the "X" marks in the grid cannot be re-associated with individual sub-controls and are omitted. Column headings:]
Domain 1: Cyber Risk Management & Oversight - Governance
Domain 1: Cyber Risk Management & Oversight - Risk Management
Domain 1: Cyber Risk Management & Oversight - Resources
Domain 1: Cyber Risk Management & Oversight - Training and Culture
Domain 2: Threat Intelligence & Collaboration - Threat Intelligence
Domain 2: Threat Intelligence & Collaboration - Monitoring and Analyzing
Domain 2: Threat Intelligence & Collaboration - Information Sharing
Domain 3: Cybersecurity Controls - Preventative Controls
Domain 3: Cybersecurity Controls - Detective Controls
Domain 3: Cybersecurity Controls - Corrective Controls
Domain 4: External Dependency Management - Connections
Domain 4: External Dependency Management - Relationship Management
Domain 5: Cyber Incident Management and Resilience - Incident Resilience Planning and Strategy
Domain 5: Cyber Incident Management and Resilience - Detection, Response, and Mitigation
Domain 5: Cyber Incident Management and Resilience - Escalation and Reporting
CIS Controls v7.1 mapped to COBIT 5

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.


Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.

Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
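The DMARC, SPF and DKIM sub-controls above say what to publish but not how to tell whether what is published actually enforces anything. The following added example (not part of the CIS Controls document) parses SPF and DMARC TXT records and reports the settings that still let spoofed mail through: an SPF record that ends in ~all or +all, a DMARC policy of p=none, a pct below 100, or a missing rua address. The records in SAMPLE_RECORDS are constructed sample data standing in for live DNS answers; DKIM is not checked here because its selector records can only be verified against a signed message.

```python
"""Check SPF and DMARC TXT records for the settings that still let spoofed mail through.

Added example, not from the CIS Controls document. The TXT records below are
constructed sample data standing in for live DNS answers.
"""
import re

# Constructed sample TXT records, keyed by the DNS name they would be published at.
SAMPLE_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "example.org": ["v=spf1 mx -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.org"],
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt_records):
    """Return the SPF terms after 'v=spf1', or None if no SPF record is published."""
    for txt in txt_records:
        if txt.lower().startswith("v=spf1"):
            return txt.split()[1:]
    return None


def parse_dmarc(txt_records):
    """Return DMARC tags as a lower-cased dict, or None if no DMARC record is published."""
    for txt in txt_records:
        if txt.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in txt.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def spf_lookup_count(terms):
    """Count the terms that trigger a DNS query during SPF evaluation."""
    count = 0
    for term in terms:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count


def assess_domain(domain, records):
    """Return a list of findings for the domain; an empty list means nothing weak was found."""
    findings = []
    spf = parse_spf(records.get(domain, []))
    if spf is None:
        findings.append("no SPF record")
    else:
        terminal = spf[-1].lower() if spf else ""
        # '+all' authorizes every host; '~all' only softfails, which most receivers still
        # deliver. Only '-all' (or a redirect= to a record that ends in -all) is enforceable.
        if terminal in ("all", "+all"):
            findings.append("SPF ends with +all (any host may send)")
        elif terminal == "~all":
            findings.append("SPF ends with ~all (softfail only)")
        elif terminal != "-all" and not any(t.lower().startswith("redirect=") for t in spf):
            findings.append("SPF has no terminal 'all' mechanism")
        lookups = spf_lookup_count(spf)
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups (limit is 10, record will permerror)")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy is p={policy or '(missing)'} (monitor only, nothing is blocked)")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC applies to only {pct}% of failing mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address, so aggregate reports are never received")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "example.org"):
        print(name, assess_domain(name, SAMPLE_RECORDS) or ["ok"])
```

In a real deployment the records dict would be filled from TXT lookups for each sending domain; the checks are the ones worth running on every domain the organization owns, including parked domains that should publish "v=spf1 -all" and p=reject.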
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
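Control 7 asks for DNS filtering of known malicious domains and Control 8 for DNS query logging that detects lookups of them; the detection half is a simple join between the query log and the blocklist, with one pitfall worth showing. The following added example (not part of the CIS Controls document) runs that join over constructed sample log lines. The line layout mimics a BIND-style query log, but the exact field layout is an assumption, as is the blocklist; subdomains of a listed domain match, while look-alike names such as notevil.example do not, because matching is done on whole labels rather than substrings.

```python
"""Match DNS query logs against a known-malicious domain list.

Added example, not part of the CIS Controls document. The log lines and the
blocklist are constructed sample data; the log format mimics BIND's query log
but the field layout is an assumption.
"""
import re
from collections import defaultdict

# Constructed blocklist. Entries are registrable domains; any subdomain also matches.
BLOCKLIST = {"evil.example", "c2.example.net"}

# Constructed sample lines in a BIND-style query-log layout (assumed format).
SAMPLE_LOG = """\
12-Mar-2024 09:14:02.101 client 10.0.5.23#51234: query: www.example.com IN A + (10.0.0.53)
12-Mar-2024 09:14:05.388 client 10.0.5.23#51240: query: update.evil.example IN A + (10.0.0.53)
12-Mar-2024 09:14:07.002 client 10.0.7.9#40011: query: notevil.example IN A + (10.0.0.53)
12-Mar-2024 09:15:11.900 client 10.0.5.23#51301: query: beacon.c2.example.net IN TXT + (10.0.0.53)
12-Mar-2024 09:16:30.555 client 10.0.9.4#53000: query: EVIL.EXAMPLE. IN AAAA + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Normalise the name: DNS is case-insensitive and a trailing dot is just the root label.
    qname = m.group("qname").rstrip(".").lower()
    return m.group("ts"), m.group("client"), qname, m.group("qtype")


def matches_blocklist(qname, blocklist=BLOCKLIST):
    """True if qname equals a blocklisted domain or is a subdomain of one.

    Substring matching would wrongly flag 'notevil.example', so compare whole-label suffixes.
    """
    labels = qname.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def find_hits(log_text, blocklist=BLOCKLIST):
    """Return {client_ip: [(timestamp, qname), ...]} for every lookup of a blocklisted domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname, _qtype = parsed
        if matches_blocklist(qname, blocklist):
            hits[client].append((ts, qname))
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in find_hits(SAMPLE_LOG).items():
        print(f"{client}: {len(lookups)} blocklisted lookup(s)")
        for ts, name in lookups:
            print(f"    {ts}  {name}")
```

The client IP in a hit is the workstation to pull for incident handling, which is why the output is grouped by client rather than by domain; the same matching routine can be reused on the URL request log that Control 7 asks for.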
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
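The sub-controls above ask for an inventory of authorized ports per asset and for automated scans that alert on anything not in it; the useful output is the diff between the two, in both directions. The following added example (not part of the CIS Controls document) parses scan results, compares them with a per-host authorized set, and reports unauthorized open ports, hosts that are not in the inventory at all, authorized services that did not answer, and inventoried hosts the scan never saw. The inventory and the scan lines are constructed; the scan lines follow the shape of nmap's grepable (-oG) output, which is an assumption about the tool in use.

```python
"""Diff a port-scan result against the authorized-ports inventory and alert on drift.

Added example, not from the CIS Controls document. The inventory and the scan
lines are constructed sample data; the scan lines follow the shape of nmap's
grepable (-oG) output, which is an assumption about the tool in use.
"""
import re

# Constructed inventory: host -> set of (protocol, port) with a validated business need.
AUTHORIZED = {
    "10.0.1.10": {("tcp", 22), ("tcp", 443)},
    "10.0.1.11": {("tcp", 22), ("tcp", 3306)},
    "10.0.1.12": set(),  # inventoried, but nothing should be listening
}

# Constructed scan output, one host per line, in nmap -oG style (assumed layout).
SAMPLE_SCAN = """\
Host: 10.0.1.10 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 10.0.1.11 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.1.12 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
Host: 10.0.1.99 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
"""

HOST_RE = re.compile(r"Host: (\S+) .*?Ports: (.*?)(?:\t|$)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")  # port/state/protocol/


def parse_scan(text):
    """Return {host: {(proto, port), ...}} for ports reported open."""
    seen = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports_field = m.group(1), m.group(2)
        open_ports = set()
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                open_ports.add((proto, int(port)))
        seen[host] = open_ports
    return seen


def compare(scan, authorized):
    """Return alert strings for every difference between the scan and the inventory."""
    alerts = []
    for host, open_ports in sorted(scan.items()):
        if host not in authorized:
            alerts.append(f"{host}: not in asset inventory, open {sorted(open_ports)}")
            continue
        for proto, port in sorted(open_ports - authorized[host]):
            alerts.append(f"{host}: unauthorized {proto}/{port} open")
        for proto, port in sorted(authorized[host] - open_ports):
            alerts.append(f"{host}: expected {proto}/{port} not open (service down or filtered?)")
    for host in sorted(set(authorized) - set(scan)):
        alerts.append(f"{host}: in inventory but did not respond to scan")
    return alerts


if __name__ == "__main__":
    for alert in compare(parse_scan(SAMPLE_SCAN), AUTHORIZED):
        print(alert)
```

The "expected port not open" case is deliberately an alert rather than silence: a service that has disappeared is either an outage or a sign that the host is no longer the one the inventory describes, and both deserve a look.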
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
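Testing data integrity on backup media means more than confirming that a restore job exits successfully; the restored files have to be compared with what was backed up. The following added example (not part of the CIS Controls document) records a SHA-256 manifest at backup time, then checks a restore against it and reports files that are missing, corrupted, or unexpectedly present. The backup set and both restores are constructed in a temporary directory; a real deployment would keep the manifest with the backup job and restore onto a scratch host, which this script only simulates.

```python
"""Verify a restore against the manifest recorded at backup time.

Added example, not from the CIS Controls document. The backup set is constructed
in a temporary directory; real deployments would record the manifest with the
backup job and restore onto a scratch host, which this script only simulates.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest; all three lists empty means the restore is good."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupt": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def demo():
    """Simulate a backup, a clean restore, and a restore with one corrupted and one missing file."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "data.sql"), "wb") as f:
            f.write(b"INSERT INTO t VALUES (1);\n" * 100)
        with open(os.path.join(src, "config.ini"), "wb") as f:
            f.write(b"[main]\nport=8080\n")
        manifest = build_manifest(src)          # recorded at backup time
        good = shutil.copytree(src, os.path.join(work, "restore_good"))
        bad = shutil.copytree(src, os.path.join(work, "restore_bad"))
        # Flip one byte and delete one file in the second restore to simulate bad media.
        with open(os.path.join(bad, "db", "data.sql"), "r+b") as f:
            f.seek(10)
            f.write(b"X")
        os.remove(os.path.join(bad, "config.ini"))
        return verify_restore(good, manifest), verify_restore(bad, manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("clean restore:", good_result)
    print("damaged restore:", bad_result)
```

The manifest should itself be stored with the offline copy the last sub-control asks for, because a manifest that lives only on the system being restored is lost in exactly the scenario that makes the restore necessary.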
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
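Three of the sub-controls above (disabling dormant accounts, logging attempts against deactivated accounts, and alerting on logins outside a user's normal time-of-day and workstation) are the same computation over the login records that Control 6 asks you to review: join the account inventory to the login events and look for the mismatches. The following added example (not part of the CIS Controls document) does that over constructed events. The account inventory, the login events, the 45-day dormancy threshold and the business-hours window are all assumptions, and the "normal" baseline is derived from each user's earlier logins in the same event set, which is an assumption about how a real deployment would build it.

```python
"""Flag dormant accounts, attempts on disabled accounts, and logins that deviate from a user's pattern.

Added example, not from the CIS Controls document. The account inventory, the login
events, the thresholds and the baseline method are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

DORMANT_DAYS = 45                 # assumed policy value
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 local, assumed

# Constructed account inventory: username -> (enabled, owning business unit)
ACCOUNTS = {
    "alice": (True, "finance"),
    "bob": (True, "engineering"),
    "dave": (True, "sales"),          # enabled but has never logged in
    "svc-backup": (True, "it-ops"),
    "carol": (False, "contractor"),   # already disabled
}

# Constructed login events: (timestamp, user, workstation, success)
EVENTS = [
    ("2024-03-01 08:12", "alice", "WS-FIN-01", True),
    ("2024-03-04 09:03", "alice", "WS-FIN-01", True),
    ("2024-03-05 08:55", "alice", "WS-FIN-01", True),
    ("2024-03-06 02:41", "alice", "WS-ENG-07", True),   # odd hour, odd workstation
    ("2024-03-01 10:00", "bob", "WS-ENG-07", True),
    ("2024-03-07 11:20", "bob", "WS-ENG-07", True),
    ("2024-01-02 03:00", "svc-backup", "BACKUP-01", True),
    ("2024-03-08 23:15", "carol", "WS-FIN-02", False),  # attempt on a disabled account
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def dormant_accounts(accounts, events, now, threshold_days=DORMANT_DAYS):
    """Enabled accounts whose last successful login is older than the threshold, or absent."""
    last_seen = {}
    for ts, user, _ws, ok in events:
        if ok:
            t = parse(ts)
            last_seen[user] = max(t, last_seen.get(user, t))
    result = []
    for user, (enabled, _owner) in accounts.items():
        if enabled and (user not in last_seen or (now - last_seen[user]).days > threshold_days):
            result.append(user)
    return sorted(result)


def disabled_account_attempts(accounts, events):
    """Any login attempt, successful or not, against an account the inventory says is disabled."""
    return [(ts, user, ws) for ts, user, ws, _ok in events
            if user in accounts and not accounts[user][0]]


def login_anomalies(events, min_history=2):
    """Successful logins outside business hours or from a workstation the user has not used before.

    The baseline is each user's earlier successful logins; users with fewer than min_history
    prior logins are not judged, so brand-new accounts do not generate noise.
    """
    history = defaultdict(list)   # user -> workstations seen so far, in time order
    alerts = []
    for ts, user, ws, ok in sorted(events, key=lambda e: parse(e[0])):
        if not ok:
            continue
        reasons = []
        t = parse(ts)
        if len(history[user]) >= min_history:
            if t.hour not in BUSINESS_HOURS:
                reasons.append("outside business hours")
            if ws not in history[user]:
                reasons.append(f"new workstation {ws}")
        history[user].append(ws)
        if reasons:
            alerts.append((ts, user, ", ".join(reasons)))
    return alerts


if __name__ == "__main__":
    now = parse("2024-03-10 00:00")
    print("dormant:", dormant_accounts(ACCOUNTS, EVENTS, now))
    print("disabled-account attempts:", disabled_account_attempts(ACCOUNTS, EVENTS))
    print("anomalies:", login_anomalies(EVENTS))
```

Note that svc-backup's 03:00 login is not flagged even though it is outside business hours: with only one prior login it has no baseline yet, and service accounts generally need their own schedule-based baseline rather than the human one used here.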
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
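The second sub-control above, explicit error checking on all input for size, data type and acceptable ranges or formats, is easiest to get right when every field is checked against a declared schema before any code uses it, and every failure is reported rather than silently coerced. The following added example (not part of the CIS Controls document) shows such a validator for a hypothetical request handler: the field names, the schema, the body size limit and the username format are all assumptions. It rejects oversized bodies before parsing, unknown fields, wrong types (including the Python trap that a bool passes an int check), out-of-range integers, and strings that are too long or malformed, and returns every problem found rather than stopping at the first.

```python
"""Explicit input validation for an in-house API handler: size, type, range and format.

Added example, not from the CIS Controls document. The field schema, the limits
and the sample payloads are constructed; the handler and field names are hypothetical.
"""
import re

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")   # assumed username policy
MAX_BODY_BYTES = 4096                                  # assumed request size limit

# Schema: field -> (type, constraints). Every field is checked before anything uses it.
SCHEMA = {
    "username": ("str", {"pattern": USERNAME_RE}),
    "quantity": ("int", {"min": 1, "max": 1000}),
    "note":     ("str", {"max_len": 200}),
}


class ValidationError(ValueError):
    """Raised with a list of every problem found, so the client gets one complete answer."""


def validate(payload, raw_size):
    """Return a cleaned dict containing only schema fields, or raise ValidationError."""
    # Size is checked first, before the body is even parsed in a real handler.
    if raw_size > MAX_BODY_BYTES:
        raise ValidationError([f"body is {raw_size} bytes, limit {MAX_BODY_BYTES}"])
    if not isinstance(payload, dict):
        raise ValidationError(["body is not a JSON object"])
    errors = []
    unexpected = set(payload) - set(SCHEMA)
    if unexpected:
        errors.append(f"unexpected field(s): {sorted(unexpected)}")
    cleaned = {}
    for field, (kind, rules) in SCHEMA.items():
        if field not in payload:
            errors.append(f"{field}: missing")
            continue
        value = payload[field]
        # Type check before anything else. bool is a subclass of int, so exclude it explicitly.
        if kind == "int" and (isinstance(value, bool) or not isinstance(value, int)):
            errors.append(f"{field}: expected integer, got {type(value).__name__}")
            continue
        if kind == "str" and not isinstance(value, str):
            errors.append(f"{field}: expected string, got {type(value).__name__}")
            continue
        if kind == "int":
            if not rules["min"] <= value <= rules["max"]:
                errors.append(f"{field}: {value} outside {rules['min']}..{rules['max']}")
                continue
        else:
            if "max_len" in rules and len(value) > rules["max_len"]:
                errors.append(f"{field}: longer than {rules['max_len']} characters")
                continue
            if "pattern" in rules and not rules["pattern"].match(value):
                errors.append(f"{field}: does not match required format")
                continue
        cleaned[field] = value
    if errors:
        raise ValidationError(errors)
    return cleaned


def validation_errors(payload, raw_size):
    """Return the error list instead of raising, for callers that log and reject."""
    try:
        validate(payload, raw_size)
        return []
    except ValidationError as e:
        return e.args[0]


if __name__ == "__main__":
    print(validate({"username": "alice_01", "quantity": 5, "note": "ok"}, 60))
    print(validation_errors({"username": "Alice", "quantity": "5", "note": "x", "extra": 1}, 80))
```

The string "5" for quantity is rejected rather than converted: accepting it would mean the downstream code's type assumptions depend on the client, which is the gap that range checks written after an implicit cast tend to miss.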
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a): COBIT 5 process mapping

The per-control mapping marks for this sheet did not survive extraction; only the COBIT 5 process columns are recoverable:

EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimisation
EDM04 Ensure Resource Optimisation
EDM05 Ensure Stakeholder Transparency
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security
BAI01 Manage Programmes and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organisational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
CIS Controls v7.1 mapped to the AICPA's Trust Services Principles and
Criteria for SOC2 & SOC3 Assessments

The Trust Services criteria columns for this sheet did not survive extraction; the sub-control identifiers and their asset type are listed by control:

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System: 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
5.1 Maintain documented security configuration standards for all authorized operating systems and software.
5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2 Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7 On a regular basis, review logs to identify anomalies or abnormal events.
6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

Critical Security Control #7: Email and Web Browser Protections
7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses
8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
8.5 Configure devices to not auto-run content from removable media.
8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports
9.1 Associate active ports, services, and protocols to the hardware assets in the asset inventory.
9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities
10.1 Ensure that all system data is automatically backed up on a regular basis.
10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense
12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

Critical Security Control #13: Data Protection
13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know
14.1 Segment the network based on the label or classification level of the information stored on the servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control
15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control
16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.

Critical Security Control #17: Implement a Security Awareness and Training Program
17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

Critical Security Control #18: Application Software Security
18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management
19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises
20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.

CIS Controls Master Mappings Tool (v7.1a)

[Mapping matrix: the sheet marks each sub-control with an "X" against the criteria columns below; the per-row marks did not survive extraction, so only the column headings are kept.]
Common Criteria Related to Organization and Management: CC 1.1, CC 1.2, CC 1.3, CC 1.4
Common Criteria Related to Communications: CC 2.1, CC 2.2, CC 2.3, CC 2.4, CC 2.5, CC 2.6
Common Criteria Related to Risk Management and Design and Implementation of Controls: CC 3.1, CC 3.2, CC 3.3
Common Criteria Related to Monitoring of Controls: CC 4.1
Common Criteria Related to Logical and Physical Access Controls: CC 5.1, CC 5.2, CC 5.3, CC 5.4, CC 5.5, CC 5.6, CC 5.7, CC 5.8
Common Criteria Related to System Operations: CC 6.1, CC 6.2
Common Criteria Related to Change Management: CC 7.1, CC 7.2, CC 7.3, CC 7.4
Additional Criteria for Availability: A 1.1, A 1.2, A 1.3
Additional Criteria for Processing Integrity: PI 1.1, PI 1.2, PI 1.3, PI 1.4, PI 1.5, PI 1.6
Additional Criteria for Confidentiality: C 1.1, C 1.2, C 1.3, C 1.4, C 1.5, C 1.6

CIS Controls v7.1 mapped to the AICPA's Generally Accepted Privacy Policies (GAPP)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, System 1.2, System 1.3, System 1.4, System 1.5, System 1.6, System 1.7, System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, System 2.2, System 2.3, System 2.4, System 2.5, System 2.6, System 2.7, System 2.8, System 2.9, System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, System 3.2, System 3.3, System 3.4, System 3.5, System 3.6, System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, System 4.2, System 4.3, System 4.4, System 4.5, System 4.6, System 4.7, System 4.8, System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, System 5.2, System 5.3, System 5.4, System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, System 6.2, System 6.3, System 6.4, System 6.5, System 6.6, System 6.7, System 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, System 7.2, System 7.3, System 7.4, System 7.5, System 7.6, System 7.7, System 7.8, System 7.9, System 7.10

Critical Security Control #8: Malware Defenses
System 8.1, System 8.2, System 8.3, System 8.4, System 8.5, System 8.6, System 8.7, System 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, System 9.2, System 9.3, System 9.4, System 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, System 10.2, System 10.3, System 10.4, System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, Network 11.2, Network 11.3, Network 11.4, Network 11.5, Network 11.6, Network 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, Network 12.2, Network 12.3, Network 12.4, Network 12.5, Network 12.6, Network 12.7, Network 12.8, Network 12.9, Network 12.10, Network 12.11, Network 12.12

Critical Security Control #13: Data Protection
Network 13.1, Network 13.2, Network 13.3, Network 13.4, Network 13.5, Network 13.6, Network 13.7, Network 13.8, Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, Application 14.2, Application 14.3, Application 14.4, Application 14.5, Application 14.6, Application 14.7, Application 14.8, Application 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, Network 15.2, Network 15.3, Network 15.4, Network 15.5, Network 15.6, Network 15.7, Network 15.8, Network 15.9, Network 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, Application 16.2, Application 16.3, Application 16.4, Application 16.5, Application 16.6, Application 16.7, Application 16.8, Application 16.9, Application 16.10, Application 16.11, Application 16.12, Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, Application 17.2, Application 17.3, Application 17.4, Application 17.5, Application 17.6, Application 17.7, Application 17.8, Application 17.9

Critical Security Control #18: Application Software Security
Application 18.1, Application 18.2, Application 18.3, Application 18.4, Application 18.5, Application 18.6, Application 18.7, Application 18.8, Application 18.9, Application 18.10, Application 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, Application 19.2, Application 19.3, Application 19.4, Application 19.5, Application 19.6, Application 19.7, Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, Application 20.2, Application 20.3, Application 20.4, Application 20.5, Application 20.6, Application 20.7, Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
1.1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
microsegmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping table from the Master Mappings Tool (v7.1a) sheet: CIS Controls v7.1 sub-controls mapped against the privacy criteria listed below. Only the criterion column headers survived extraction; the X marks recording which sub-control maps to which criterion could not be recovered.]

1.1.0 Privacy Policies; 1.1.1 Communication to Internal Personnel; 1.1.2 Responsibility and Accountability for Policies
1.2.1 Review and Approval; 1.2.2 Consistency of Privacy Policies and Procedures With Laws and Regulations; 1.2.3 Personal Information Identification and Classification
1.2.4 Risk Assessment; 1.2.5 Consistency of Commitments With Privacy Policies and Procedures; 1.2.6 Infrastructure and Systems Management
1.2.7 Supporting Resources; 1.2.8 Qualifications of Internal Personnel; 1.2.9 Privacy Incident and Breach Management
1.2.10 Privacy Awareness and Training; 1.2.11 Changes in Regulatory and Business Requirements; 2.1.0 Privacy Policies
2.1.1 Communication to Individuals; 2.2.1 Provision of Notice; 2.2.2 Entities and Activities Covered
2.2.3 Clear and Conspicuous; 3.1.0 Privacy Policies; 3.1.1 Communication to Individuals
3.1.2 Consequences of Denying or Withdrawing Consent; 3.2.1 Implicit or Explicit Consent; 3.2.2 Consent for New Purposes and Uses
3.2.3 Explicit Consent for Sensitive Information; 3.2.4 Consent for Online Data Transfers To or From an Individual's Computer or Other Similar Electronic Devices; 4.1.0 Privacy Policies
4.1.1 Communication to Individuals; 4.1.2 Types of Personal Information Collected and Methods of Collection; 4.1.3 Collection Limited to Identified Purpose
4.1.4 Collection by Fair and Lawful Means; 4.1.5 Collection From Third Parties; 4.1.6 Information Developed about Individuals
5.1.0 Privacy Policies; 5.1.1 Communication to Individuals; 5.2.1 Use of Personal Information
5.2.2 Retention of Personal Information; 5.2.3 Disposal, Destruction and Redaction of Personal Information; 6.1.0 Privacy Policies
6.1.1 Communication to Individuals; 6.2.1 Access by Individuals to Their Personal Information; 6.2.2 Confirmation of an Individual's Identity
6.2.3 Understandable Personal Information, Time Frame, and Cost; 6.2.4 Denial of Access; 6.2.5 Updating or Correcting Personal Information
6.2.6 Statement of Disagreement; 7.1.0 Privacy Policies; 7.1.1 Communication to Individuals
7.1.2 Communication to Third Parties; 7.2.1 Disclosure of Personal Information; 7.2.2 Protection of Personal Information
7.2.3 New Purposes and Uses; 7.2.4 Misuse of Personal Information by a Third Party; 8.1.0 Privacy Policies
8.1.1 Communication to Individuals; 8.2.1 Information Security Program; 8.2.2 Logical Access Controls
8.2.3 Physical Access Controls; 8.2.4 Environmental Safeguards; 8.2.5 Transmitted Personal Information
8.2.6 Personal Information on Portable Media; 8.2.7 Testing Security Safeguards; 9.1.0 Privacy Policies
9.1.1 Communication to Individuals; 9.2.1 Accuracy and Completeness of Personal Information; 9.2.2 Relevance of Personal Information
10.1.0 Privacy Policies; 10.1.1 Communication to Individuals; 10.2.1 Inquiry, Complaint, and Dispute Process
10.2.2 Dispute Resolution and Recourse; 10.2.3 Compliance Review; 10.2.4 Instances of Noncompliance
10.2.5 Ongoing Monitoring
CIS Controls v7.1 mapped to the US Internal Revenue Service (IRS)
Publication 1075

[Row labels of the IRS Publication 1075 mapping sheet: asset type and sub-control number for each CIS Control. The Publication 1075 section references for each row are not present in the extracted text.]

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, System 1.2, System 1.3, System 1.4, System 1.5, System 1.6, System 1.7, System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, System 2.2, System 2.3, System 2.4, System 2.5, System 2.6, System 2.7, System 2.8, System 2.9, System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, System 3.2, System 3.3, System 3.4, System 3.5, System 3.6, System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, System 4.2, System 4.3, System 4.4, System 4.5, System 4.6, System 4.7, System 4.8, System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, System 5.2, System 5.3, System 5.4, System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, System 6.2, System 6.3, System 6.4, System 6.5, System 6.6, System 6.7, System 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, System 7.2, System 7.3, System 7.4, System 7.5, System 7.6, System 7.7, System 7.8, System 7.9, System 7.10

Critical Security Control #8: Malware Defenses
System 8.1, System 8.2, System 8.3, System 8.4, System 8.5, System 8.6, System 8.7, System 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, System 9.2, System 9.3, System 9.4, System 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, System 10.2, System 10.3, System 10.4, System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, Network 11.2, Network 11.3, Network 11.4, Network 11.5, Network 11.6, Network 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, Network 12.2, Network 12.3, Network 12.4, Network 12.5, Network 12.6, Network 12.7, Network 12.8, Network 12.9, Network 12.10, Network 12.11, Network 12.12

Critical Security Control #13: Data Protection
Network 13.1, Network 13.2, Network 13.3, Network 13.4, Network 13.5, Network 13.6, Network 13.7, Network 13.8, Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, Application 14.2, Application 14.3, Application 14.4, Application 14.5, Application 14.6, Application 14.7, Application 14.8, Application 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, Network 15.2, Network 15.3, Network 15.4, Network 15.5, Network 15.6, Network 15.7, Network 15.8, Network 15.9, Network 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, Application 16.2, Application 16.3, Application 16.4, Application 16.5, Application 16.6, Application 16.7, Application 16.8, Application 16.9, Application 16.10, Application 16.11, Application 16.12, Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, Application 17.2, Application 17.3, Application 17.4, Application 17.5, Application 17.6, Application 17.7, Application 17.8, Application 17.9

Critical Security Control #18: Application Software Security
Application 18.1, Application 18.2, Application 18.3, Application 18.4, Application 18.5, Application 18.6, Application 18.7, Application 18.8, Application 18.9, Application 18.10, Application 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, Application 19.2, Application 19.3, Application 19.4, Application 19.5, Application 19.6, Application 19.7, Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, Application 20.2, Application 20.3, Application 20.4, Application 20.5, Application 20.6, Application 20.7, Application 20.8
CIS Controls Master Mappings Tool (v7.1a)

CIS Controls v7.1 mapped to the US Internal Revenue Service (IRS) Publication 1075

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

1.1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

4.1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
4.4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Critical Security Control #5: Secure Configurations for Hardware and Software

5.1 Maintain documented security configuration standards for all authorized operating systems and software.
5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2 Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7 On a regular basis, review logs to identify anomalies or abnormal events.
6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

Critical Security Control #7: Email and Web Browser Protections

7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses

8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
8.5 Configure devices to not auto-run content from removable media.
8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports

9.1 Associate active ports, services, and protocols to the hardware assets in the asset inventory.
9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities

10.1 Ensure that all system data is automatically backed up on a regular basis.
10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

Critical Security Control #13: Data Protection

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

14.1 Segment the network based on the label or classification level of the information stored on the servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control

15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control

16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.

Critical Security Control #17: Implement a Security Awareness and Training Program

17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

Critical Security Control #18: Application Software Security

18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management

19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create an incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define the frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises

20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.

IRS Publication 1075 mapping matrix columns

[Mapping matrix: the per-sub-control marks did not survive extraction; only the Publication 1075 column headings below are recoverable.]

3.0 Record Keeping
4.0 Secure Storage
5.0 Restricting Access
6.1 Other Safeguards
7.0 Reporting Requirements
8.0 Disposing of FTI
9.3.1 Access Control
9.3.2 Awareness and Training
9.3.3 Audit and Accountability
9.3.4 Security Assessment and Authorization
9.3.5 Configuration Management
9.3.6 Contingency Planning
9.3.7 Identification and Authentication
9.3.8 Incident Response
9.3.9 Maintenance
9.3.10 Media Protection
9.3.11 Physical and Environmental Protection
9.3.12 Planning
9.3.13 Personnel Security
9.3.14 Risk Assessment
9.3.15 System and Service Acquisition
9.3.16 System and Communication Protection
9.3.17 System and Information Integrity
9.3.18 Program Management
9.4.1 Cloud Computing Environments
9.4.2 Data Warehouse
9.4.3 Email Communications
9.4.4 Fax Equipment
9.4.5 Integrated Voice Response Systems
9.4.6 Live Data Testing
9.4.7 Media Sanitization
9.4.8 Mobile Devices
9.4.9 Multi-Functional Devices
9.4.10 Network Protections
9.4.11 Storage Area Networks
9.4.12 System Component Inventory
9.4.13 Virtual Desktop Infrastructure
9.4.14 Virtualization Environments
9.4.15 VoIP Systems
9.4.16 Web-Based Systems
9.4.17 Web Browser
9.4.18 Wireless Networks
10.0 Reporting Improper Inspections or Disclosures
11.0 Disclosure to Other Persons
12.0 Return Information in Statistical Reports

CIS Controls v7.1 mapped to SWIFT Customer Security Controls Framework

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

System 1.1: Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
System 1.2: Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
System 1.3: Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
System 1.4: Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
System 1.5: Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
System 1.6: Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
System 1.7: Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
System 1.8: Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

System 2.1: Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
System 2.2: Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
System 2.3: Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
System 2.4: The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
System 2.5: The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
System 2.6: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
System 2.7: Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
System 2.8: The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
System 2.9: The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
System 2.10: Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1: Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
System 3.2: Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
System 3.3: Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
System 3.4: Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
System 3.5: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
System 3.6: Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
System 3.7: Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

System 4.1: Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
System 4.2: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
System 4.3: Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
System 4.4: Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
System 4.5: Use multi-factor authentication and encrypted channels for all administrative account access.
System 4.6: Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
System 4.7: Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
System 4.8: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
System 4.9: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Critical Security Control #5: Secure Configurations for Hardware and Software

System 5.1: Maintain documented security configuration standards for all authorized operating systems and software.
System 5.2: Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
System 5.3: Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
System 5.4: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
System 5.5: Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

System 6.1: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
System 6.2: Ensure that local logging has been enabled on all systems and networking devices.
System 6.3: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
System 6.4: Ensure that all systems that store logs have adequate storage space for the logs generated.
System 6.5: Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
System 6.6: Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
System 6.7: On a regular basis, review logs to identify anomalies or abnormal events.
System 6.8: On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

Critical Security Control #7: Email and Web Browser Protections

System 7.1: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
System 7.2: Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
System 7.3: Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
System 7.4: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
System 7.5: Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
System 7.6: Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
System 7.7: Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
System 7.8: To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
System 7.9: Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
System 7.10: Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses

System 8.1: Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
System 8.2: Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
System 8.3: Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
System 8.4: Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
System 8.5: Configure devices to not auto-run content from removable media.
System 8.6: Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
System 8.7: Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
System 8.8: Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports

System 9.1: Associate active ports, services, and protocols to the hardware assets in the asset inventory.
System 9.2: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
System 9.3: Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
System 9.4: Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
System 9.5: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities

System 10.1: Ensure that all system data is automatically backed up on a regular basis.
System 10.2: Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
System 10.3: Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
System 10.4: Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
System 10.5: Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Network 11.1: Maintain documented security configuration standards for all authorized network devices.
Network 11.2: All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Network 11.3: Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Network 11.4: Install the latest stable version of any security-related updates on all network devices.
Network 11.5: Manage all network devices using multi-factor authentication and encrypted sessions.
Network 11.6: Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Network 11.7: Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense

Network 12.1: Maintain an up-to-date inventory of all of the organization's network boundaries.
Network 12.2: Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Network 12.3: Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Network 12.4: Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Network 12.5: Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Network 12.6: Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Network 12.7: Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Network 12.8: Enable the collection of NetFlow and logging data on all network boundary devices.
Network 12.9: Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Network 12.10: Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Network 12.11: Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Network 12.12: Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

Critical Security Control #13: Data Protection

Network 13.1: Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Network 13.2: Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Network 13.3: Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
Network 13.4: Only allow access to authorized cloud storage or email providers.
Network 13.5: Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Network 13.6: Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
Network 13.7: If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Network 13.8: Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
Network 13.9: If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1: Segment the network based on the label or classification level of the information stored on the servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Application 14.2: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Application 14.3: Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Application 14.4: Encrypt all sensitive information in transit.
Application 14.5: Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Application 14.6: Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Application 14.7: Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Application 14.8: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Application 14.9: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control

Network 15.1: Maintain an inventory of authorized wireless access points connected to the wired network.
Network 15.2: Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Network 15.3: Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Network 15.4: Disable wireless access on devices that do not have a business purpose for wireless access.
Network 15.5: Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
Network 15.6: Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Network 15.7: Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Network 15.8: Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.
Network 15.9: Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Network 15.10: Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control

Application 16.1: Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Application 16.2: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Application 16.3: Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Application 16.4: Encrypt or hash with a salt all authentication credentials when stored.
Application 16.5: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Application 16.6: Maintain an inventory of all accounts organized by authentication system.
Application 16.7: Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Application 16.8: Disable any account that cannot be associated with a business process or business owner.
Application 16.9: Automatically disable dormant accounts after a set period of inactivity.
Application 16.10: Ensure that all accounts have an expiration date that is monitored and enforced.
Application 16.11: Automatically lock workstation sessions after a standard period of inactivity.
Application 16.12: Monitor attempts to access deactivated accounts through audit logging.
Application 16.13: Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.

Critical Security Control #17: Implement a Security Awareness and Training Program

Application 17.1: Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Application 17.2: Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Application 17.3: Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Application 17.4: Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Application 17.5: Train workforce members on the importance of enabling and utilizing secure authentication.
Application 17.6: Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Application 17.7: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Application 17.8: Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Application 17.9: Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

Critical Security Control #18: Application Software Security

Application 18.1: Establish secure coding practices appropriate to the programming language and development environment being used.
Application 18.2: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Application 18.3: Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Application 18.4: Only use up-to-date and trusted third-party components for the software developed by the organization.
Application 18.5: Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Application 18.6: Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Application 18.7: Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Application 18.8: Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Application 18.9: Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Application 18.10: Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
Application 18.11: For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management

Application 19.1: Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Application 19.2: Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Application 19.3: Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Application 19.4: Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Application 19.5: Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Application 19.6: Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Application 19.7: Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Application 19.8: Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises

Application 20.1: Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Application 20.2: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Application 20.3: Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Application 20.4: Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Application 20.5: Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Application 20.6: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Application 20.7: Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Application 20.8: Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

CIS Controls v7.1 mapped to SWIFT controls. Only the column headings of this mapping matrix survived extraction;
the row labels and the X marks pairing each CIS sub-control with a SWIFT control did not, so the matrix is
summarised here by its columns (headings as they appear in the extracted text, three per block):

1.1 Overall design goals for SWIFT Environment Protection; 1.1a implementing environment segregation;
1.1b Scope of the secure zone

1.1c Protection of the secure zone; 1.1c.1 Boundary Protection; 1.1c.2 Communication between components
in the secure zone

1.1d Access to the secure zone systems; 1.1d.1 Local Operator (end user and administrator) access;
1.1d.2 Remote Operator Access (teleworking, "on-call" duties, or remote administration)

1.1e Restriction of Internet access; 1.1f Segregation from General Enterprise IT Services; 1.1g Virtualisation

1.1-opt Systems within the secure zone implement application whitelisting, allowing only trusted
applications to be executed; 1.2 Operating System Privileged Account Control; 2.1 Internal Data Flow Security

2.2 Security Updates; 2.3 System Hardening; 2.4a Back-office Data Flow Security

2.5a External Transmission Data Protection; 2.6a Operator Session Confidentiality and Integrity;
2.7a Vulnerability Scanning

2.8a Critical Activity Outsourcing; 2.9a Transaction Business Controls; 3.1 Physical Security

4.1 Password Policy; 4.2 Multi-factor Authentication; 5.1 Logical Access Control

5.2 Token Management; 5.3a Personnel Vetting Process; 5.4a Physical and Logical Password Storage

6.1 Malware Protection; 6.2 Software Integrity; 6.3 Database Integrity

6.4 Logging and Monitoring; 6.5a Intrusion Detection; 7.1 Cyber Incident Response Planning

7.2 Security Training and Awareness; 7.3a Penetration Testing; 7.4a Scenario Risk Assessment
CIS Controls v7.1 mapped to Monetary Authority of Singapore's (MAS)
Technology Risk Management (TRM) Guidance

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6
Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2
Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls v7.1 mapped to Monetary Authority of Singapore's (MAS)
Technology Risk Management (TRM) Guidance

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.

Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.

Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.

Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

[Mapping matrix (individual cell marks not recoverable): CIS Controls v7.1 mapped against framework domains 3 Oversight of Technology Risks by Board of Directors and Senior Management; 4 Technology Risk Management Framework; 5 Management of IT Outsourcing Risks; 6 Acquisition and Development of Information Systems; 7 IT Service Management; 8 Systems Reliability, Availability, and Recoverability; 9 Operational Infrastructure Security Management; 10 Data Centres Protection and Controls; 11 Access Controls; 12 Online Financial Services; 13 Payment Card Security; 14 IT Audit.]
CIS Controls v7.1 mapped to Saudi Arabian Monetary Authority Cyber Security Framework (v1.0)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, System 1.2, System 1.3, System 1.4, System 1.5, System 1.6, System 1.7, System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, System 2.2, System 2.3, System 2.4, System 2.5, System 2.6, System 2.7, System 2.8, System 2.9, System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, System 3.2, System 3.3, System 3.4, System 3.5, System 3.6, System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, System 4.2, System 4.3, System 4.4, System 4.5, System 4.6, System 4.7, System 4.8, System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, System 5.2, System 5.3, System 5.4, System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, System 6.2, System 6.3, System 6.4, System 6.5, System 6.6, System 6.7, System 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, System 7.2, System 7.3, System 7.4, System 7.5, System 7.6, System 7.7, System 7.8, System 7.9, System 7.10

Critical Security Control #8: Malware Defenses
System 8.1, System 8.2, System 8.3, System 8.4, System 8.5, System 8.6, System 8.7, System 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, System 9.2, System 9.3, System 9.4, System 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, System 10.2, System 10.3, System 10.4, System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, Network 11.2, Network 11.3, Network 11.4, Network 11.5, Network 11.6, Network 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, Network 12.2, Network 12.3, Network 12.4, Network 12.5, Network 12.6, Network 12.7, Network 12.8, Network 12.9, Network 12.10, Network 12.11, Network 12.12

Critical Security Control #13: Data Protection
Network 13.1, Network 13.2, Network 13.3, Network 13.4, Network 13.5, Network 13.6, Network 13.7, Network 13.8, Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, Application 14.2, Application 14.3, Application 14.4, Application 14.5, Application 14.6, Application 14.7, Application 14.8, Application 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, Network 15.2, Network 15.3, Network 15.4, Network 15.5, Network 15.6, Network 15.7, Network 15.8, Network 15.9, Network 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, Application 16.2, Application 16.3, Application 16.4, Application 16.5, Application 16.6, Application 16.7, Application 16.8, Application 16.9, Application 16.10, Application 16.11, Application 16.12, Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, Application 17.2, Application 17.3, Application 17.4, Application 17.5, Application 17.6, Application 17.7, Application 17.8, Application 17.9

Critical Security Control #18: Application Software Security
Application 18.1, Application 18.2, Application 18.3, Application 18.4, Application 18.5, Application 18.6, Application 18.7, Application 18.8, Application 18.9, Application 18.10, Application 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, Application 19.2, Application 19.3, Application 19.4, Application 19.5, Application 19.6, Application 19.7, Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, Application 20.2, Application 20.3, Application 20.4, Application 20.5, Application 20.6, Application 20.7, Application 20.8
CIS Controls v7.1 mapped to Saudi Arabian Monetary Authority Cyber Security Framework (v1.0)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with the other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)

[Mapping table: CIS Controls v7.1 sub-controls marked against the domains of the target framework. The per-sub-control marks ("X") do not survive extraction; the domains and section numbers that head the table columns are:]

3.1.1 Cyber Security Governance; 3.1.2 Cyber Security Strategy; 3.1.3 Cyber Security Policy
3.1.4 Cyber Security Roles and Responsibilities; 3.1.5 Cyber Security in Project Management; 3.1.6 Cyber Security Awareness
3.1.7 Cyber Security Training; 3.2.1 Cyber Security Risk Management; 3.2.2 Regulatory Compliance
3.2.3 Compliance with (inter)national industry standards; 3.2.4 Cyber Security Review; 3.2.5 Cyber Security Audits
3.3.1 Human Resources; 3.3.2 Physical Security; 3.3.3 Asset Management
3.3.4 Cyber Security Architecture; 3.3.5 Application Security; 3.3.6 Identity and Access Management
3.3.7 Change Management; 3.3.8 Infrastructure Security; 3.3.9 Cryptography
3.3.10 Bring Your Own Device (BYOD); 3.3.11 Secure Disposal of Information Assets; 3.3.12 Payment Systems
3.3.13 Electronic Banking Services; 3.3.14 Cyber Security Event Management; 3.3.15 Cyber Security Incident Management
3.3.16 Threat Management; 3.3.17 Vulnerability Management; 3.4.1 Contract and Vendor Management
3.4.2 Outsourcing; 3.4.3 Cloud Computing
CIS Controls v7.1 mapped to NERC CIP v7

[Mapping table: sub-control identifiers per control; the NERC CIP requirement columns do not survive extraction.]

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, System 1.2, System 1.3, System 1.4, System 1.5, System 1.6, System 1.7, System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, System 2.2, System 2.3, System 2.4, System 2.5, System 2.6, System 2.7, System 2.8, System 2.9, System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, System 3.2, System 3.3, System 3.4, System 3.5, System 3.6, System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, System 4.2, System 4.3, System 4.4, System 4.5, System 4.6, System 4.7, System 4.8, System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, System 5.2, System 5.3, System 5.4, System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, System 6.2, System 6.3, System 6.4, System 6.5, System 6.6, System 6.7, System 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, System 7.2, System 7.3, System 7.4, System 7.5, System 7.6, System 7.7, System 7.8, System 7.9, System 7.10

Critical Security Control #8: Malware Defenses
System 8.1, System 8.2, System 8.3, System 8.4, System 8.5, System 8.6, System 8.7, System 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, System 9.2, System 9.3, System 9.4, System 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, System 10.2, System 10.3, System 10.4, System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, Network 11.2, Network 11.3, Network 11.4, Network 11.5, Network 11.6, Network 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, Network 12.2, Network 12.3, Network 12.4, Network 12.5, Network 12.6, Network 12.7, Network 12.8, Network 12.9, Network 12.10, Network 12.11, Network 12.12

Critical Security Control #13: Data Protection
Network 13.1, Network 13.2, Network 13.3, Network 13.4, Network 13.5, Network 13.6, Network 13.7, Network 13.8, Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, Application 14.2, Application 14.3, Application 14.4, Application 14.5, Application 14.6, Application 14.7, Application 14.8, Application 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, Network 15.2, Network 15.3, Network 15.4, Network 15.5, Network 15.6, Network 15.7, Network 15.8, Network 15.9, Network 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, Application 16.2, Application 16.3, Application 16.4, Application 16.5, Application 16.6, Application 16.7, Application 16.8, Application 16.9, Application 16.10, Application 16.11, Application 16.12, Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, Application 17.2, Application 17.3, Application 17.4, Application 17.5, Application 17.6, Application 17.7, Application 17.8, Application 17.9

Critical Security Control #18: Application Software Security
Application 18.1, Application 18.2, Application 18.3, Application 18.4, Application 18.5, Application 18.6, Application 18.7, Application 18.8, Application 18.9, Application 18.10, Application 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, Application 19.2, Application 19.3, Application 19.4, Application 19.5, Application 19.6, Application 19.7, Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, Application 20.2, Application 20.3, Application 20.4, Application 20.5, Application 20.6, Application 20.7, Application 20.8
CIS Controls

CIS Controls v7.1 mapped to NERC CIP v7

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers. Locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Store all authentication credentials encrypted or as salted hashes; for passwords, use a deliberately slow password-hashing function rather than a plain salted hash.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
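The credential-storage sub-control above says "hash with a salt" but not how; a salted SHA-256 satisfies the wording yet falls to offline brute force orders of magnitude faster than a purpose-built password hash. The following is an added example, not code from the CIS Controls, showing the pattern a practitioner would actually deploy: a per-credential random salt, PBKDF2-HMAC-SHA256 with a high iteration count, a self-describing stored record, constant-time comparison on verify, and a rehash check so old records get upgraded when policy tightens. The 600,000 iteration figure is the one OWASP's Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256; the record format `$pbkdf2-sha256$iterations$salt$key` is an assumption of this example.

```python
import base64
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256 (OWASP Password Storage Cheat Sheet
# figure); raise it over time so the cost to an attacker keeps pace with hardware.
PBKDF2_ITERATIONS = 600_000
SCHEME = "pbkdf2-sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: $scheme$iterations$salt$derived-key.

    A fresh 16-byte random salt per credential means two users with the same
    password get different records, and precomputed tables are useless."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"${SCHEME}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    try:
        _, scheme, iterations, salt_b64, dk_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not stop at the first differing byte, so timing does
    # not reveal how much of the derived key matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the record predates current policy; call after a successful
    login and replace the record with hash_password(password)."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != SCHEME or not parts[2].isdigit():
        return True
    return int(parts[2]) < iterations
```

Verification reads the iteration count from the record rather than from the policy constant, which is what lets an organization raise the constant without invalidating every existing credential.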

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
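The last four sub-controls (dormant accounts, monitoring attempts against deactivated accounts, and alerting on deviations from normal login time and location) are detection logic, and the simplest useful form of it is a per-user baseline of login hours and source hosts learned from past successful logins. The code below is an added example and not part of the CIS Controls; the log line format (`<ISO timestamp> LOGIN user=... host=... result=...`), the sample lines, the account names and the 45-day dormancy threshold are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Assumed log format (constructed for this example, not any product's native format):
#   <ISO-8601 timestamp> LOGIN user=<account> host=<workstation> result=<success|failure>
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) LOGIN user=(?P<user>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>success|failure)$"
)

# Constructed history used to learn each user's normal hours and hosts.
BASELINE_LOG = """\
2024-02-26T08:03:11 LOGIN user=alice host=ws-alice result=success
2024-02-27T08:45:02 LOGIN user=alice host=ws-alice result=success
2024-02-28T09:10:40 LOGIN user=alice host=ws-alice result=success
2024-02-29T17:30:05 LOGIN user=alice host=ws-alice result=success
2024-01-10T10:00:00 LOGIN user=bob host=ws-bob result=success
"""

# Constructed batch to evaluate against that baseline.
NEW_LOG = """\
2024-03-14T08:30:00 LOGIN user=alice host=ws-alice result=success
2024-03-15T03:12:44 LOGIN user=alice host=vpn-gw-2 result=success
2024-03-15T03:14:01 LOGIN user=carol host=ws-carol result=failure
2024-03-15T11:00:00 LOGIN user=dave host=ws-dave result=success
"""


def parse_events(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


class Baseline:
    """Per-user hours of day and source hosts seen in successful logins."""

    def __init__(self) -> None:
        self.hours: Dict[str, Set[int]] = defaultdict(set)
        self.hosts: Dict[str, Set[str]] = defaultdict(set)
        self.last_success: Dict[str, datetime] = {}

    def learn(self, events: List[dict]) -> None:
        for e in events:
            if e["result"] != "success":
                continue
            self.hours[e["user"]].add(e["ts"].hour)
            self.hosts[e["user"]].add(e["host"])
            prev = self.last_success.get(e["user"])
            if prev is None or e["ts"] > prev:
                self.last_success[e["user"]] = e["ts"]


def detect_anomalies(events: List[dict], baseline: Baseline,
                     disabled_accounts: Set[str]) -> List[Tuple[str, str]]:
    alerts: List[Tuple[str, str]] = []
    for e in events:
        user, hour = e["user"], e["ts"].hour
        if user in disabled_accounts:
            alerts.append((user, "disabled_account"))  # any attempt, success or not
            continue
        if user not in baseline.hours:
            alerts.append((user, "no_baseline"))  # first login ever seen for this account
            continue
        # Tolerate one hour either side of any usual hour, wrapping around midnight.
        if not any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in baseline.hours[user]):
            alerts.append((user, "off_hours"))
        if e["host"] not in baseline.hosts[user]:
            alerts.append((user, "new_host"))
    return alerts


def dormant_accounts(baseline: Baseline, now: datetime, max_idle_days: int = 45) -> List[str]:
    return sorted(u for u, ts in baseline.last_success.items()
                  if (now - ts).days > max_idle_days)


def run_sample() -> Tuple[List[Tuple[str, str]], List[str]]:
    baseline = Baseline()
    baseline.learn(parse_events(BASELINE_LOG))
    new_events = parse_events(NEW_LOG)
    alerts = detect_anomalies(new_events, baseline, disabled_accounts={"carol"})
    baseline.learn(new_events)  # successes in this batch extend the baseline
    dormant = dormant_accounts(baseline, now=datetime(2024, 3, 15, 12, 0, 0))
    return alerts, dormant
```

The baseline is learned only from successful logins, so an attacker's failed guesses never widen what counts as "normal"; the dormancy check runs over the baseline's last-success timestamps, which is exactly the data the inactivity-disable sub-control needs.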
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
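The second sub-control in this group asks for explicit, documented checks on every input's size, type, range and format. An added example follows (it is not CIS code); it validates a request body against a rule table and shows the three places such validators usually go wrong: accepting the wrong type by coercion, letting `bool` through an `int` check, and anchoring a format regex with `$`, which still matches before a trailing newline. The rule set, the field names and the order-form scenario are constructed for the example.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed rule set for an order-submission request (example only). Each field
# states the type the value must already have, its size limits, its numeric range,
# or the exact format it must match. Nothing is coerced: "10" is rejected where 10 is required.
RULES: Dict[str, Dict[str, Any]] = {
    "username": {"type": str, "min_len": 3, "max_len": 32,
                 "pattern": re.compile(r"[a-z][a-z0-9_]*")},
    "email":    {"type": str, "min_len": 3, "max_len": 254,
                 "pattern": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")},
    "quantity": {"type": int, "min": 1, "max": 1000},
    "notes":    {"type": str, "max_len": 500, "optional": True},
}


def check_field(name: str, value: Any, rule: Dict[str, Any]) -> List[str]:
    expected = rule["type"]
    # bool is a subclass of int in Python, so isinstance(True, int) holds; reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, expected):
        return [f"{name}: expected {expected.__name__}, got {type(value).__name__}"]
    errors: List[str] = []
    if expected is str:
        if len(value) < rule.get("min_len", 0):
            errors.append(f"{name}: shorter than {rule['min_len']} characters")
        if len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']} characters")
        # fullmatch anchors both ends. re.match or a trailing '$' would still accept
        # "alice\n", letting a newline through into logs or downstream parsers.
        # The length check runs first so the regex never sees oversized input.
        elif "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{name}: does not match the required format")
    elif expected is int:
        if not rule["min"] <= value <= rule["max"]:
            errors.append(f"{name}: must be between {rule['min']} and {rule['max']}")
    return errors


def validate(payload: Dict[str, Any],
             rules: Dict[str, Dict[str, Any]] = RULES) -> Tuple[Dict[str, Any], List[str]]:
    """Return (accepted fields, errors). Fields absent from `rules` are errors, not
    silently dropped: unexpected fields are how mass-assignment bugs get in."""
    errors = [f"{name}: unexpected field" for name in sorted(payload.keys() - rules.keys())]
    clean: Dict[str, Any] = {}
    for name, rule in rules.items():
        if name not in payload:
            if not rule.get("optional", False):
                errors.append(f"{name}: required")
            continue
        field_errors = check_field(name, payload[name], rule)
        if field_errors:
            errors.extend(field_errors)
        else:
            clean[name] = payload[name]
    return clean, errors
```

Callers should use only the returned `clean` dictionary; the original payload is never passed on, so a field that failed validation cannot reach the database or a template by accident.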
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain third-party contact information to be used to report a security incident,
such as Law Enforcement, relevant government departments, vendors, and Information Sharing and
Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

CIS Controls v7.1 mapped to NERC CIP v6

[Mapping matrix: each row of the original sheet is a CIS sub-control (listed in the next section) and each column one of the NERC CIP requirements below; the row-by-column marks did not survive extraction.]

NERC CIP requirement columns:

CIP-002-5.1 R1: Attachment 1 "Bright Line Criteria" to classify BES Assets as Low, Medium, or High (called BES Cyber Systems, consolidating CAs and CCAs)
CIP-002-5.1 R2: BES Cyber System Lists must be reviewed and approved every 15 calendar months
CIP-003-7 R1: Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by the CIP Senior Manager every 15 calendar months
CIP-003-7 R2: Cyber Security Policies approved for Low Impact Assets by the CIP Senior Manager every 15 calendar months
CIP-003-7 R3: Identify a CIP Senior Manager and document any change within 30 calendar days of the change
CIP-003-7 R4: CIP Senior Manager must document any delegates
CIP-004-6 R1: Security Awareness Program
CIP-004-6 R2: Training Program
CIP-004-6 R3: Personnel Risk Assessment (PRA) Program
CIP-004-6 R4: Access Management Program
CIP-004-6 R5: Access Revocation Program
CIP-005-5 R1: Electronic Security Perimeters
CIP-005-5 R2: Interactive Remote Access Management
CIP-006-6 R1: Physical Security Plan
CIP-006-6 R2: Visitor Control Plan
CIP-006-6 R3: Maintenance and Testing Program
CIP-007-6 R1: Ports and Services
CIP-007-6 R2: Security Patch Management
CIP-007-6 R3: Malicious Code Prevention
CIP-007-6 R4: Security Event Monitoring
CIP-007-6 R5: System Access Controls
CIP-008-5 R1: Cyber Security Incident Response Plan
CIP-008-5 R2: Implementation and Testing of Cyber Security Incident Response Plans
CIP-008-5 R3: Cyber Security Incident Response Plan Review, Update and Communication
CIP-009-6 R1: Recovery Plan Specifications
CIP-009-6 R2: Recovery Plan Implementation and Testing
CIP-009-6 R3: Recovery Plan Review, Update, and Communication
CIP-010-3 R1: Configuration Change Management Process
CIP-010-3 R2: Configuration Monitoring
CIP-010-3 R3: Vulnerability Assessments
CIP-011-2 R1: Information Protection Process
CIP-011-2 R2: BES Cyber Asset Reuse and Disposal
CIP-013-1 R1: Supply Chain Risk Management Plan
CIP-013-1 R2: Supply Chain Risk Management Plan
CIP-013-1 R3: Approval of Supply Chain Management Plan
CIP-014-2 R1: Physical Security Risk Assessments
CIP-014-2 R2: Third Party Validation of Physical Security Risk Assessment
CIP-014-2 R3: Notification of Control
CIP-014-2 R4: Physical Vulnerability and Threat Assessment
CIP-014-2 R5: Physical Security Plan
CIP-014-2 R6: Third Party Validation of Physical Security Plan

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls v7.1 mapped to NERC CIP v6

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
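Sub-controls 1.3, 1.5 and 1.6 together describe a feedback loop: DHCP lease events update the hardware inventory, the inventory records whether each device is approved, and anything that obtains a lease without approval is flagged for removal or quarantine. The code below is an added example, not part of the CIS Controls, that implements that loop over ISC dhcpd syslog output; the `DHCPACK on <ip> to <mac> (<hostname>) via <iface>` line shape is dhcpd's, while the sample lines, MAC addresses, owners and departments are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lease acknowledgement as ISC dhcpd writes it to syslog; the "(hostname)" part is optional.
DHCPACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)

# Constructed sample (not real logs).
SAMPLE_LOG = """\
Mar  3 08:12:01 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
Mar  3 08:12:44 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.16 to 00:1a:2b:3c:4d:5f (ws-finance-08) via eth0
Mar  3 08:13:09 dhcp1 dhcpd[1234]: DHCPDISCOVER from f0:9f:c2:11:22:33 via eth0
Mar  3 08:13:10 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.77 to f0:9f:c2:11:22:33 via eth0
Mar  3 09:01:02 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
"""


@dataclass
class Asset:
    """One row of the hardware asset inventory (fields from sub-control 1.5)."""
    mac: str
    approved: bool = False      # approved to connect to the network?
    owner: str = ""
    department: str = ""
    ip: Optional[str] = None
    hostname: Optional[str] = None
    first_seen: Optional[str] = None
    last_seen: Optional[str] = None
    lease_count: int = 0


def parse_dhcpack(line: str) -> Optional[dict]:
    m = DHCPACK_RE.match(line)
    return m.groupdict() if m else None


def update_inventory(log_text: str, inventory: Dict[str, Asset]) -> List[str]:
    """Apply DHCPACK events to the inventory; return MACs holding a lease without
    approval. Devices never seen before are recorded as unapproved, not ignored."""
    unauthorized: List[str] = []
    for line in log_text.splitlines():
        rec = parse_dhcpack(line)
        if rec is None:
            continue  # DISCOVER/OFFER/REQUEST lines carry no confirmed lease
        mac = rec["mac"].lower()
        asset = inventory.get(mac)
        if asset is None:
            asset = Asset(mac=mac)
            inventory[mac] = asset
        asset.ip = rec["ip"]
        asset.hostname = rec["host"] or asset.hostname
        asset.first_seen = asset.first_seen or rec["ts"]
        asset.last_seen = rec["ts"]
        asset.lease_count += 1
        if not asset.approved and mac not in unauthorized:
            unauthorized.append(mac)
    return unauthorized


def run_sample() -> Tuple[Dict[str, Asset], List[str]]:
    # Constructed starting inventory: two approved Finance workstations.
    inventory = {
        "00:1a:2b:3c:4d:5e": Asset("00:1a:2b:3c:4d:5e", True, "j.doe", "Finance"),
        "00:1a:2b:3c:4d:5f": Asset("00:1a:2b:3c:4d:5f", True, "a.roe", "Finance"),
    }
    return inventory, update_inventory(SAMPLE_LOG, inventory)
```

Only DHCPACK lines count, because a DISCOVER or REQUEST can be sent by a device that never gets an address; the unauthorized list is what feeds the quarantine step, and the same inventory record is what an 802.1X policy server would consult under sub-control 1.7.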
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
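The last two sub-controls, comparing consecutive scans and risk-rating what remains, are easier to operate when they share one data model. This added example (not CIS code) keys findings on host, port and scanner check ID so the same weakness is recognized across scans, splits the current scan into remediated, new and persisting findings, scores each by CVSS weighted with asset criticality and exploit availability, and flags persisting findings that have outlived their remediation SLA. The findings, placeholder identifiers `VULN-A` to `VULN-D`, dates, criticality values and the SLA bands are all constructed for the example; a real scanner would report CVE IDs and the organization's own risk-rating process sets the real SLAs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin_id: str          # the scanner's own check identifier, stable between scans
    vuln_id: str            # constructed placeholder; a real scanner reports a CVE
    cvss: float
    exploit_available: bool
    asset_criticality: int  # 1 (low) to 3 (high), taken from the hardware asset inventory


Key = Tuple[str, int, str]


def finding_key(f: Finding) -> Key:
    return (f.host, f.port, f.plugin_id)


def diff_scans(previous: List[Finding], current: List[Finding]):
    """Split the current scan into remediated / new / persisting relative to the last one."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    remediated = [prev[k] for k in sorted(prev.keys() - curr.keys())]
    new = [curr[k] for k in sorted(curr.keys() - prev.keys())]
    persisting = [curr[k] for k in sorted(prev.keys() & curr.keys())]
    return remediated, new, persisting


def risk_score(f: Finding) -> float:
    """CVSS weighted by asset criticality, with a premium when a public exploit exists."""
    score = f.cvss * f.asset_criticality
    if f.exploit_available:
        score *= 1.5
    return round(score, 1)


def remediation_sla_days(cvss: float) -> int:
    # Constructed policy for the example; the organization's risk-rating process sets real values.
    if cvss >= 9.0:
        return 7
    if cvss >= 7.0:
        return 30
    return 90


def overdue(persisting: List[Finding], first_seen: Dict[Key, date],
            today: date) -> List[Tuple[str, int]]:
    """Findings still open past their SLA, as (vuln_id, age in days)."""
    out = []
    for f in persisting:
        age = (today - first_seen[finding_key(f)]).days
        if age > remediation_sla_days(f.cvss):
            out.append((f.vuln_id, age))
    return out


def run_sample() -> dict:
    # Two consecutive scans, constructed for the example.
    previous = [
        Finding("web1", 443, "P-1001", "VULN-A", 9.8, True, 3),
        Finding("web1", 22, "P-1002", "VULN-B", 5.3, False, 3),
        Finding("db1", 5432, "P-1003", "VULN-C", 7.5, False, 3),
    ]
    current = [
        Finding("web1", 443, "P-1001", "VULN-A", 9.8, True, 3),
        Finding("db1", 5432, "P-1003", "VULN-C", 7.5, False, 3),
        Finding("app2", 8080, "P-1004", "VULN-D", 8.1, True, 2),
    ]
    first_seen = {("web1", 443, "P-1001"): date(2024, 2, 1),
                  ("db1", 5432, "P-1003"): date(2024, 1, 20)}
    remediated, new, persisting = diff_scans(previous, current)
    open_findings = sorted(new + persisting, key=risk_score, reverse=True)
    return {
        "remediated": [f.vuln_id for f in remediated],
        "new": [f.vuln_id for f in new],
        "prioritized": [(f.vuln_id, risk_score(f)) for f in open_findings],
        "overdue": overdue(persisting, first_seen, today=date(2024, 3, 15)),
    }
```

A finding that disappears from the scan is reported as remediated only because its key vanished; if a host was simply unreachable during the second scan, every finding on it would look remediated, so production use should first confirm the host was scanned (the host appears in the scan's reachable list) before crediting the fix.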

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

NERC CIP v5 requirement columns of the mapping table (the per-sub-control marks of the table did not survive extraction; only the column headers are recoverable):

CIP-002-5.1 R1: CIP-002-5 incorporates the Attachment 1 "Bright Line Criteria" to classify BES Assets as Low, Medium, or High (called BES Cyber Systems, consolidating CAs and CCAs).
CIP-002-5.1 R2: BES Cyber System Lists must be reviewed and approved every 15 calendar months.
CIP-003-6 R1: Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by CIP Senior Manager every 15 calendar months.
CIP-003-6 R2: Cyber Security Policies approved for Low Impact Assets by CIP Senior Manager every 15 calendar months.
CIP-003-6 R3: Identify a CIP Senior Manager and document any change within 30 calendar days of the change.
CIP-003-6 R4: CIP Senior Manager must document any delegates.
CIP-004-6 R1: Security Awareness Program
CIP-004-6 R2: Training Program
CIP-004-6 R3: Personnel Risk Assessment (PRA) Program
CIP-004-6 R4: Access Management Program
CIP-004-6 R5: Access Revocation Program
CIP-005-5 R1: Electronic Security Perimeters
CIP-005-5 R2: Interactive Remote Access Management
CIP-006-6 R1: Physical Security Plan
CIP-006-6 R2: Visitor Control Plan
CIP-006-6 R3: Maintenance and Testing Program
CIP-007-6 R1: Ports and Services
CIP-007-6 R2: Security Patch Management
CIP-007-6 R3: Malicious Code Prevention
CIP-007-6 R4: Security Event Monitoring
CIP-007-6 R5: System Access Controls
CIP-008-5 R1: Cyber Security Incident Response Plan
CIP-008-5 R2: Implementation and Testing of Cyber Security Incident Response Plans
CIP-008-5 R3: Cyber Security Incident Response Plan Review, Update and Communication
CIP-009-6 R1: Recovery Plan Specifications
CIP-009-6 R2: Recovery Plan Implementation and Testing
CIP-009-6 R3: Recovery Plan Review, Update, and Communication
CIP-010-2 R1: Configuration Change Management Process
CIP-010-2 R2: Configuration Monitoring
CIP-010-2 R3: Vulnerability Assessments
CIP-011-2 R1: Information Protection Process
CIP-011-2 R2: BES Cyber Asset Reuse and Disposal

CIS Controls v7.1 mapped to NERC CIP v5

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3
System 2.4

System 2.5

System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2
System 4.3

System 4.4

System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6
System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections

System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5
System 8.6

System 8.7

System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5
Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12
Critical Security Control #13: Data Protection

Network 13.1

Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7
Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7
Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
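The two mechanical checks in sub-controls 11.2 and 11.3, as an added Python example that is not part of the CIS document: a rule register that must name a business reason, a responsible person and an expiry for every permit rule, and a comparison of the running configuration against the approved baseline that reports added, removed and reordered lines. The rule syntax is a simplified vendor-neutral form invented for the example (the comment marker "!" is an assumption), and the register, baseline and running configuration are constructed.

```python
from datetime import date
from typing import Dict, List

# Constructed rule register (CSC 11.2): one entry per permit rule with its business reason,
# responsible person and expected end of need. The empty fields are deliberate, to show the check.
RULE_REGISTER: Dict[str, Dict[str, str]] = {
    "permit tcp 10.0.0.0/8 -> 10.0.1.10 443":   {"reason": "staff to intranet portal", "owner": "j.doe",   "expires": "2030-01-01"},
    "permit tcp 10.0.2.0/24 -> 10.0.1.20 5432": {"reason": "app tier to database",     "owner": "a.smith", "expires": "2024-06-30"},
    "permit tcp 10.0.3.5/32 -> 10.0.1.30 22":   {"reason": "",                         "owner": "",        "expires": ""},
}

# Constructed configurations in a simplified syntax; '!' starts a comment (assumption).
APPROVED_CONFIG = """\
hostname edge-fw-01
! approved baseline, change ticket recorded in the configuration management system
permit tcp 10.0.0.0/8 -> 10.0.1.10 443
permit tcp 10.0.2.0/24 -> 10.0.1.20 5432
permit tcp 10.0.3.5/32 -> 10.0.1.30 22
deny ip any -> any
"""

RUNNING_CONFIG = """\
hostname edge-fw-01
permit tcp 10.0.0.0/8 -> 10.0.1.10 443
permit tcp 10.0.2.0/24 -> 10.0.1.20 5432
permit tcp any -> 10.0.1.30 22
permit tcp 10.0.3.5/32 -> 10.0.1.30 22
deny ip any -> any
"""


def normalize(config: str) -> List[str]:
    """Drop comments and blank lines so cosmetic edits do not raise deviation alerts."""
    lines = []
    for raw in config.splitlines():
        line = raw.split("!", 1)[0].strip()
        if line:
            lines.append(line)
    return lines


def audit_register(register: Dict[str, Dict[str, str]], today: date) -> Dict[str, List[str]]:
    """CSC 11.2: every permit rule needs reason, owner and expiry; rules past expiry are flagged."""
    findings: Dict[str, List[str]] = {"undocumented": [], "expired": []}
    for rule, meta in register.items():
        if not (meta.get("reason") and meta.get("owner") and meta.get("expires")):
            findings["undocumented"].append(rule)
        elif date.fromisoformat(meta["expires"]) < today:
            findings["expired"].append(rule)
    return findings


def config_drift(approved: str, running: str) -> Dict[str, object]:
    """CSC 11.3: lines added to or removed from the running config relative to the baseline.
    Rule order matters on a firewall (first match wins), so a pure reordering is reported too."""
    a, r = normalize(approved), normalize(running)
    return {
        "added": [line for line in r if line not in a],
        "removed": [line for line in a if line not in r],
        "reordered": sorted(a) == sorted(r) and a != r,
    }


def unregistered_permits(running: str, register: Dict[str, Dict[str, str]]) -> List[str]:
    """Permit rules live on the device that have no entry in the rule register."""
    return [line for line in normalize(running) if line.startswith("permit ") and line not in register]


def demo(today: date = date(2025, 3, 3)) -> dict:
    return {
        "register": audit_register(RULE_REGISTER, today),
        "drift": config_drift(APPROVED_CONFIG, RUNNING_CONFIG),
        "unregistered": unregistered_permits(RUNNING_CONFIG, RULE_REGISTER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The added "permit tcp any -> 10.0.1.30 22" line is the case this check exists for: it widens SSH access to the jump host, it is absent from the register, and it sits above the documented rule, so first-match evaluation makes the documented rule dead.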
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
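An added Python example, not part of the CIS document, of the two perimeter detections in sub-controls 13.3 and 13.5: payment card numbers are found by shape and confirmed with the Luhn check, and content the proxy cannot read is flagged by byte entropy. The samples are constructed, including the stand-in for ciphertext (chained SHA-256 digests, which have the byte statistics of random data); the thresholds are assumptions to be tuned per environment.

```python
import hashlib
import math
import re
from collections import Counter
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Candidate digit runs that pass Luhn; the check drops most phone numbers and order ids."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and random data approach 8.0, natural-language text sits around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_outbound(payload: bytes, entropy_threshold: float = 7.5, min_len: int = 256) -> Dict[str, object]:
    """Decide what a perimeter DLP sensor should do with one outbound payload."""
    text = payload.decode("utf-8", errors="replace")
    cards = find_card_numbers(text)
    ent = shannon_entropy(payload)
    if cards:
        verdict = "block"                 # CSC 13.3: sensitive data leaving, block and alert
    elif len(payload) >= min_len and ent > entropy_threshold:
        verdict = "alert-encrypted"       # CSC 13.5: opaque content the proxy cannot inspect
    else:
        verdict = "allow"
    return {"cards": cards, "entropy": round(ent, 2), "verdict": verdict}


# Constructed samples. 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_TEXT = b"Order 1234567890 paid with card 4111 1111 1111 1111, exp 12/27. Ship to dock 7."
SAMPLE_ENCRYPTED = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
SAMPLE_PLAIN = b"Quarterly report attached; numbers are unchanged from the draft we reviewed."

if __name__ == "__main__":
    for name, sample in (("text", SAMPLE_TEXT), ("encrypted", SAMPLE_ENCRYPTED), ("plain", SAMPLE_PLAIN)):
        print(name, classify_outbound(sample))
```

Two caveats a practitioner would add before deploying the entropy rule: compressed archives and images score almost as high as ciphertext, so the verdict is an alert to be correlated with destination and file type rather than an automatic block, and short payloads are excluded because their entropy estimate is meaningless.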

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
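Sub-control 16.4 is often read as "add a salt to the hash"; the practitioner's point is that the hash must also be slow. The following added Python example, not from the CIS document, puts the ruled-out form (a fast unsalted hash) beside a stored-credential format built on a per-user random salt and PBKDF2-HMAC-SHA256 from the standard library, with constant-time verification and a check for hashes that predate the current iteration policy. The iteration count is an assumed policy value.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed policy value; raise it as hardware gets faster


def legacy_unsalted_hash(password: str) -> str:
    """What CSC 16.4 rules out: a fast hash with no salt. Equal passwords give equal digests,
    so one cracked hash or one precomputed table breaks every account sharing that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow key derivation. All parameters are encoded
    in the stored string so the iteration count can be raised later without a flag day."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "$".join((ALGORITHM, str(iterations), base64.b64encode(salt).decode(), base64.b64encode(dk).decode()))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hash format")
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations), dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum: int = ITERATIONS) -> bool:
    """True when a stored hash was made with fewer iterations than policy; rehash at the next successful login."""
    return int(stored.split("$")[1]) < minimum


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored), verify_password("wrong", stored))
```

A dedicated password-hashing function (scrypt, bcrypt or Argon2) is the better choice where a library is available; PBKDF2 is used here because it ships with Python and the storage format is the same idea.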

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
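Sub-controls 16.8 through 16.13 describe checks that run over two inputs an organization already has: the account inventory and the authentication log. The following is an added Python example, not taken from the CIS document, that runs those checks over a constructed inventory and a constructed log; the 90-day dormancy period and the per-user baseline of normal hours and workstations are assumptions.

```python
from datetime import date, datetime
from typing import Dict, List, Tuple

# Constructed account inventory (CSC 16.6), one row per account in one authentication system.
ACCOUNTS = [
    {"user": "alice",      "owner": "alice", "process": "finance", "enabled": True,  "expires": "2030-01-01", "last_login": "2025-03-01"},
    {"user": "svc-backup", "owner": "",      "process": "",        "enabled": True,  "expires": "2030-01-01", "last_login": "2025-03-02"},
    {"user": "bob",        "owner": "bob",   "process": "eng",     "enabled": True,  "expires": "2030-01-01", "last_login": "2024-10-01"},
    {"user": "carol",      "owner": "carol", "process": "eng",     "enabled": True,  "expires": "2025-01-31", "last_login": "2025-03-01"},
    {"user": "dave",       "owner": "dave",  "process": "hr",      "enabled": False, "expires": "2030-01-01", "last_login": "2024-01-01"},
]

# Constructed authentication log: (timestamp, user, workstation, outcome).
LOGIN_EVENTS = [
    ("2025-03-03T09:12:00", "alice", "WS-FIN-07", "success"),
    ("2025-03-03T03:40:00", "alice", "WS-ENG-22", "success"),   # off-hours, from a workstation alice never uses
    ("2025-03-03T10:00:00", "dave",  "WS-HR-01",  "failure"),   # attempt against a disabled account
]

# Per-user baseline of normal behaviour (assumption: learned from 30 days of history).
BASELINE = {"alice": {"hours": range(7, 19), "workstations": {"WS-FIN-07"}}}


def review_accounts(accounts, today: date, dormant_days: int = 90) -> Dict[str, List[str]]:
    """CSC 16.8 (no owner or business process), 16.9 (dormant) and 16.10 (expired), over enabled accounts."""
    findings: Dict[str, List[str]] = {"orphaned": [], "dormant": [], "expired": []}
    for a in accounts:
        if not a["enabled"]:
            continue
        if not (a["owner"] and a["process"]):
            findings["orphaned"].append(a["user"])
        if date.fromisoformat(a["expires"]) < today:
            findings["expired"].append(a["user"])
        if (today - date.fromisoformat(a["last_login"])).days > dormant_days:
            findings["dormant"].append(a["user"])
    return findings


def review_logins(events, accounts, baseline) -> List[Tuple[str, str, str]]:
    """CSC 16.12 (use of deactivated accounts) and 16.13 (deviation from normal login behaviour)."""
    disabled = {a["user"] for a in accounts if not a["enabled"]}
    alerts = []
    for ts, user, workstation, outcome in events:
        when = datetime.fromisoformat(ts)
        if user in disabled:
            alerts.append((user, ts, "access attempt against disabled account"))
            continue
        profile = baseline.get(user)
        if profile is None or outcome != "success":
            continue
        if when.hour not in profile["hours"]:
            alerts.append((user, ts, "login outside normal hours"))
        if workstation not in profile["workstations"]:
            alerts.append((user, ts, "login from unusual workstation " + workstation))
    return alerts


def demo(today: date = date(2025, 3, 3)):
    return review_accounts(ACCOUNTS, today), review_logins(LOGIN_EVENTS, ACCOUNTS, BASELINE)


if __name__ == "__main__":
    findings, alerts = demo()
    print(findings)
    for alert in alerts:
        print("ALERT", *alert)
```

Disabled accounts are skipped by the inventory review but kept in the login review on purpose: sub-control 16.7 keeps them for their audit trail, and an attempt to use one is exactly the event 16.12 wants logged.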
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
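What "explicit error checking for size, data type, and acceptable ranges or formats" looks like in code, as an added Python example that is not part of the CIS document: a validator for a constructed transfer request, next to the one-line parse it replaces. The field rules (IBAN-shaped account ids, a 140-byte memo, two-decimal amounts up to a fixed ceiling) are assumptions standing in for whatever the real application specifies.

```python
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, List

# Assumed application rules: IBAN-shaped account ids, memo up to 140 bytes, amounts with at most two decimals.
ACCOUNT_RE = re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}")
MAX_MEMO_BYTES = 140
MAX_AMOUNT = Decimal("1000000.00")
ALLOWED_FIELDS = {"from", "to", "amount", "memo"}


def naive_parse(raw: dict) -> float:
    """The pattern CSC 18.2 warns against: float() accepts 'nan', 'inf', '1e308' and ' 42 ',
    and nothing checks the range, so the value reaches business logic unchecked."""
    return float(raw["amount"])


def validate_transfer(raw: dict) -> Dict[str, object]:
    """Explicit type, size, format and range checks for every field; unknown fields are rejected too."""
    errors: List[str] = []
    value: Dict[str, object] = {}

    unknown = set(raw) - ALLOWED_FIELDS
    if unknown:
        errors.append("unexpected fields: " + ", ".join(sorted(unknown)))

    for field in ("from", "to"):
        v = raw.get(field)
        if not isinstance(v, str) or not ACCOUNT_RE.fullmatch(v):
            errors.append(f"{field}: must match the account id format")
        else:
            value[field] = v

    amount = raw.get("amount")
    # bool is a subclass of int, and floats cannot represent cents exactly, so both are refused.
    if isinstance(amount, bool) or not isinstance(amount, (str, int)):
        errors.append("amount: must be a decimal string or an integer")
    else:
        try:
            d = Decimal(str(amount).strip())
            if not d.is_finite():        # rejects NaN and Infinity, which Decimal otherwise accepts
                raise InvalidOperation
        except InvalidOperation:
            errors.append("amount: not a valid number")
        else:
            if d <= 0 or d > MAX_AMOUNT:
                errors.append("amount: out of range")
            elif d.as_tuple().exponent < -2:
                errors.append("amount: more than two decimal places")
            else:
                value["amount"] = d

    memo = raw.get("memo", "")
    if not isinstance(memo, str):
        errors.append("memo: must be a string")
    elif len(memo.encode("utf-8")) > MAX_MEMO_BYTES:
        errors.append("memo: too long")
    elif any(ord(ch) < 32 or ord(ch) == 127 for ch in memo):
        errors.append("memo: control characters are not allowed")
    else:
        value["memo"] = memo

    return {"ok": not errors, "errors": errors, "value": value if not errors else {}}


if __name__ == "__main__":
    print(validate_transfer({"from": "DE89370400440532013000", "to": "GB29NWBK60161331926819",
                             "amount": "250.00", "memo": "invoice 42"}))
    print(validate_transfer({"from": "DE89370400440532013000", "to": "x", "amount": "nan",
                             "memo": "a\x00b", "admin": True}))
```

Every error is collected rather than raised on the first one, so the caller can log the full shape of a malformed request; a burst of requests failing the same check is itself a signal worth forwarding under CSC 6.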

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a): NERC CIP requirement columns (the per-sub-control mapping marks of this sheet are not recoverable from this copy; only the column headings are kept)

CIP-002-5.1 R1: Attachment 1 CIP-002-5 "Bright Line Criteria" to classify BES Assets as Low, Medium, or High. Called BES Cyber Systems consolidating CAs and CCAs
CIP-002-5.1 R2: BES Cyber System Lists must be reviewed and approved every 15 calendar months
CIP-003-5 R1: Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by CIP Senior Manager every 15 calendar months
CIP-003-5 R2: Cyber Security Policies approved for Low Impact Assets by CIP Senior Manager every 15 calendar months
CIP-003-5 R3: Identify a CIP Senior Manager and document any change within 30 calendar days of the change
CIP-003-5 R4: CIP Senior Manager must document any delegates
CIP-004-5 R1: Security Awareness Program
CIP-004-5 R2: Training Program
CIP-004-5 R3: Personnel Risk Assessment (PRA) Program
CIP-004-5 R4: Access Management Program
CIP-004-5 R5: Access Revocation Program
CIP-005-5 R1: Electronic Security Perimeters
CIP-005-5 R2: Interactive Remote Access Management
CIP-006-5 R1: Physical Security Plan
CIP-006-5 R2: Visitor Control Plan
CIP-006-5 R3: Maintenance and Testing Program
CIP-007-5 R1: Ports and Services
CIP-007-5 R2: Security Patch Management
CIP-007-5 R3: Malicious Code Prevention
CIP-007-5 R4: Security Event Monitoring
CIP-007-5 R5: System Access Controls
CIP-008-5 R1: Cyber Security Incident Response Plan
CIP-008-5 R2: Implementation and testing of Cyber Security Incident Response Plans
CIP-008-5 R3: Cyber Security Incident Response Plan Review, Update and Communication
CIP-009-5 R1: Recovery Plan Specifications
CIP-009-5 R2: Recovery Plan Implementation and Testing
CIP-009-5 R3: Recovery Plan Review, Update, and Communication
CIP-010-1 R1: Configuration Change Management Process
CIP-010-1 R2: Configuration Monitoring
CIP-010-1 R3: Vulnerability Assessments
CIP-011-1 R1: Information Protection Process
CIP-011-1 R2: BES Cyber Asset Reuse and Disposal
CIS Controls v7.1 mapped to NERC CIP v4

Sub-control identifiers by control, with the asset type each sub-control is classified under (System, Network or Application):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System: 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls v7.1 mapped to NERC CIP v4

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
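Sub-controls 3.6 and 3.7 together describe a small state machine over scan results: each finding is new, persisting or remediated, its age is measured from when it was first seen, and open findings are ranked for remediation. The following is an added Python example, not from the CIS document, running that logic over two constructed scan exports. The finding ids are placeholders rather than CVE numbers, and the SLA days, severity weights and asset criticality scale are assumed policy values.

```python
from datetime import date
from typing import Dict, List, Tuple

Finding = Tuple[str, str]          # (host, finding id)

# Assumed remediation policy: days an open finding of each severity may stay open before breaching SLA.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Constructed scan exports: {(host, finding id): severity}. Ids are placeholders, not CVE numbers.
PREVIOUS_SCAN: Dict[Finding, str] = {
    ("10.0.1.10", "F-101"): "critical",
    ("10.0.1.10", "F-102"): "low",
    ("10.0.1.20", "F-201"): "high",
}
CURRENT_SCAN: Dict[Finding, str] = {
    ("10.0.1.10", "F-101"): "critical",
    ("10.0.1.20", "F-201"): "high",
    ("10.0.1.20", "F-202"): "medium",
}
# State carried between scans: when each finding was first observed.
FIRST_SEEN: Dict[Finding, date] = {
    ("10.0.1.10", "F-101"): date(2025, 2, 1),
    ("10.0.1.10", "F-102"): date(2025, 1, 15),
    ("10.0.1.20", "F-201"): date(2025, 2, 20),
}
ASSET_CRITICALITY = {"10.0.1.10": 3, "10.0.1.20": 2}   # from the asset inventory (assumed scale 1 low to 3 high)


def compare_scans(previous, current, first_seen, today: date) -> Dict[str, list]:
    """CSC 3.6: classify findings as new, persisting or remediated, and flag SLA breaches.
    first_seen is updated in place so that a finding's age survives across scan runs."""
    report: Dict[str, list] = {"new": [], "persisting": [], "remediated": [], "sla_breached": []}
    for key, severity in current.items():
        first_seen.setdefault(key, today)
        report["persisting" if key in previous else "new"].append(key)
        age = (today - first_seen[key]).days
        if age > SLA_DAYS[severity]:
            report["sla_breached"].append((key, severity, age))
    for key in previous:
        if key not in current:
            report["remediated"].append(key)
            first_seen.pop(key, None)
    return report


def prioritize(current, criticality) -> List[Tuple[str, str, str, int]]:
    """CSC 3.7: rank open findings by severity weight times the criticality of the affected asset."""
    scored = [(host, fid, sev, SEVERITY_WEIGHT[sev] * criticality.get(host, 1))
              for (host, fid), sev in current.items()]
    return sorted(scored, key=lambda row: -row[3])


def demo(today: date = date(2025, 3, 3)) -> Tuple[Dict[str, list], list]:
    state = dict(FIRST_SEEN)   # copy so repeated calls start from the same state
    return compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, state, today), prioritize(CURRENT_SCAN, ASSET_CRITICALITY)


if __name__ == "__main__":
    report, ranked = demo()
    print(report)
    for row in ranked:
        print("%-10s %-6s %-8s score=%d" % row)
```

A finding that disappears from a scan is only "remediated" if the scanner could still see the host; a host that was offline during the scan would make every finding on it look fixed, so the comparison should be run only over hosts the scan actually reached.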

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
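An added Python example of the two alerts in sub-controls 4.8 and 4.9, written for this page rather than taken from the CIS document, over constructed Windows Security log records. The event ids (4728, 4732 and 4756 for a member added to a security-enabled group, 4729, 4733 and 4757 for removal, 4625 for a failed logon) and the field names are those of the real events; the privileged-group list, the administrative account inventory and the burst threshold are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Windows Security log event ids: member added to / removed from a security-enabled group, and failed logon.
GROUP_ADD = {4728, 4732, 4756}
GROUP_REMOVE = {4729, 4733, 4757}
FAILED_LOGON = 4625

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}   # extend per environment
ADMIN_ACCOUNTS = {"adm-alice", "adm-bob"}   # from the CSC 4.1 administrative account inventory (constructed)

# Constructed events. Field names follow the EventData of the real events: for group changes
# TargetUserName is the group and MemberName the account changed; for 4625 TargetUserName is the
# account that failed to log on.
EVENTS: List[Dict[str, object]] = [
    {"EventID": 4728, "TimeCreated": "2025-03-03T10:00:00", "SubjectUserName": "adm-alice", "MemberName": "svc-web", "TargetUserName": "Domain Admins"},
    {"EventID": 4732, "TimeCreated": "2025-03-03T10:05:00", "SubjectUserName": "adm-alice", "MemberName": "jdoe", "TargetUserName": "Remote Desktop Users"},
    {"EventID": 4625, "TimeCreated": "2025-03-03T10:01:00", "TargetUserName": "adm-bob", "WorkstationName": "WS-ENG-22"},
    {"EventID": 4625, "TimeCreated": "2025-03-03T10:02:00", "TargetUserName": "adm-bob", "WorkstationName": "WS-ENG-22"},
    {"EventID": 4625, "TimeCreated": "2025-03-03T10:03:00", "TargetUserName": "adm-bob", "WorkstationName": "WS-ENG-22"},
    {"EventID": 4625, "TimeCreated":"2025-03-03T11:00:00", "TargetUserName": "adm-alice", "WorkstationName": "WS-FIN-07"},
    {"EventID": 4625, "TimeCreated": "2025-03-03T11:05:00", "TargetUserName": "alice", "WorkstationName": "WS-FIN-07"},
    {"EventID": 4729, "TimeCreated": "2025-03-03T12:00:00", "SubjectUserName": "adm-alice", "MemberName": "svc-web", "TargetUserName": "Domain Admins"},
]


def group_change_alerts(events) -> List[str]:
    """CSC 4.8: alert on any membership change of a group that confers administrative rights."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if (eid in GROUP_ADD or eid in GROUP_REMOVE) and e["TargetUserName"] in PRIVILEGED_GROUPS:
            action = "added to" if eid in GROUP_ADD else "removed from"
            alerts.append(f'{e["TimeCreated"]} {e["MemberName"]} {action} {e["TargetUserName"]} by {e["SubjectUserName"]}')
    return alerts


def failed_admin_logon_alerts(events, burst: int = 3, window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, str, str]]:
    """CSC 4.9: every failed logon to an administrative account is alerted; `burst` or more failures
    for one account inside `window` are escalated, which is what a password-guessing run looks like."""
    failures = [(datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"], e["WorkstationName"])
                for e in events if e["EventID"] == FAILED_LOGON and e["TargetUserName"] in ADMIN_ACCOUNTS]
    failures.sort()
    alerts = []
    for when, user, workstation in failures:
        recent = [f for f in failures if f[1] == user and when - window <= f[0] <= when]
        level = "burst" if len(recent) >= burst else "single"
        alerts.append((user, when.isoformat(), workstation, level))
    return alerts


if __name__ == "__main__":
    for line in group_change_alerts(EVENTS):
        print("GROUP", line)
    for row in failed_admin_logon_alerts(EVENTS):
        print("LOGON", *row)
```

The removal event is alerted as well as the addition: an attacker who adds an account to Domain Admins, uses it, and removes it again leaves only the pair of events as evidence.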
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses

Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.

Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.

Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.

Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports

Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.

Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.

Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.

Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities

Ensure that all system data is automatically backed up on a regular basis.

Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.

Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual's name responsible for that business need, and an expected duration of the need.

Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense

Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.

Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.

Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.

Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.

Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.

Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.

Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).

Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.

Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control

Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.

Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.

Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control

Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.

Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.

Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.

Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.

Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.

Critical Security Control #17: Implement a Security Awareness and Training Program

Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.

Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.

Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.

Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.

Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.

Critical Security Control #18: Application Software Security

Establish secure coding practices appropriate to the programming language and development
environment being used.

For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.

Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.

Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.

Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management

Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.

Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises

Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.

Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.

Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.

CIS Controls Master Mappings Tool (v7.1a)

[Mapping matrix: the X marks that pair each CIS sub-control row with a NERC CIP requirement column did not survive extraction with their row labels, so only the column headers are kept here.]

NERC CIP requirement columns:

CIP-002-4 R1: Risk-Based Assessment Methodology (RBAM) to ID Critical Assets (CA)
CIP-002-4 R2: Identify Critical Cyber Assets (CCA)
CIP-002-4 R3: Annual Approval of RBAM, CA list, and CCA List
CIP-003-4 R1: Cyber Security Policy
CIP-003-4 R2: CIP Senior Manager Identification
CIP-003-4 R3: Exceptions to the Cyber Security Policy
CIP-003-4 R4: Information Protection Program
CIP-003-4 R5: Access Control
CIP-003-4 R6: Change Control and Configuration Management
CIP-004-4 R1: Awareness: Security Awareness Program
CIP-004-4 R2: Training: Cyber Security Training Program
CIP-004-4 R3: Personnel Risk Assessment
CIP-004-4 R4: Access
CIP-005-4 R1: Electronic Security Perimeters: All CCAs must reside within an ESP
CIP-005-4 R2: Electronic Access Controls
CIP-005-4 R3: Monitoring Electronic Access
CIP-005-4 R4: Cyber Vulnerability Assessment
CIP-005-4 R5: Documentation Review and Maintenance
CIP-006-4 R1: Physical Security Plan
CIP-006-4 R2: Protection of Physical Access Control Systems
CIP-006-4 R3: Protection of Electronic Access Control Systems
CIP-006-4 R4: Physical Access Controls
CIP-006-4 R5: Monitoring Physical Access
CIP-006-4 R6: Logging Physical Access
CIP-006-4 R7: Access Log Retention
CIP-006-4 R8: Maintenance and Testing
CIP-007-4 R1: Test Procedures
CIP-007-4 R2: Ports and Services
CIP-007-4 R3: Security Patch Management
CIP-007-4 R4: Malicious Software Prevention
CIP-007-4 R5: Account Management
CIP-007-4 R6: Security Status Monitoring
CIP-007-4 R7: Disposal or Redeployment
CIP-007-4 R8: Cyber Vulnerability Assessment
CIP-007-4 R9: Documentation Review and Maintenance
CIP-008-4 R1: Cyber Security Incident Response Plan
CIP-008-4 R2: Cyber Security Incident Documentation
CIP-009-4 R1: Recovery Plans
CIP-009-4 R2: Exercises
CIP-009-4 R3: Change Control
CIP-009-4 R4: Backup and Restore
CIP-009-4 R5: Testing Back Up Media

CIS Controls v7.1 mapped to NERC CIP v3

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6
Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2
Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls

CIS Controls v7.1 mapped to NERC CIP v3

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.

Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.

Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.

Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.

Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.

Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.

The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.

The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.

Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.

Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.

Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.

Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.

Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.

Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locating all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt, or hash with a salt, all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

[Mapping matrix: CIS Controls v7.1 sub-controls mapped to NERC CIP version 3 requirements (CIP-002-3 through CIP-009-3). Only the requirement columns survived extraction; the per-sub-control mapping marks are not recoverable and are omitted.]

CIP-002-3 R1: Risk-Based Assessment Methodology (RBAM) to ID Critical Assets (CA)
CIP-002-3 R2: Apply RBAM to ID Critical Assets
CIP-002-3 R3: Identify Critical Cyber Assets (CCA)
CIP-002-3 R4: Annual Approval of RBAM, CA List, and CCA List
CIP-003-3 R1: Cyber Security Policy
CIP-003-3 R2: CIP Senior Manager Identification
CIP-003-3 R3: Exceptions to the Cyber Security Policy
CIP-003-3 R4: Information Protection Program
CIP-003-3 R5: Access Control
CIP-003-3 R6: Change Control and Configuration Management
CIP-004-3 R1: Awareness: Security Awareness Program
CIP-004-3 R2: Training: Cyber Security Training Program
CIP-004-3 R3: Personnel Risk Assessment
CIP-004-3 R4: Access
CIP-005-3 R1: Electronic Security Perimeters: All CCAs must reside within an ESP
CIP-005-3 R2: Electronic Access Controls
CIP-005-3 R3: Monitoring Electronic Access
CIP-005-3 R4: Cyber Vulnerability Assessment
CIP-005-3 R5: Documentation Review and Maintenance
CIP-006-3 R1: Physical Security Plan
CIP-006-3 R2: Protection of Physical Access Control Systems
CIP-006-3 R3: Protection of Electronic Access Control Systems
CIP-006-3 R4: Physical Access Controls
CIP-006-3 R5: Monitoring Physical Access
CIP-006-3 R6: Logging Physical Access
CIP-006-3 R7: Access Log Retention
CIP-006-3 R8: Maintenance and Testing
CIP-007-3 R1: Test Procedures
CIP-007-3 R2: Ports and Services
CIP-007-3 R3: Security Patch Management
CIP-007-3 R4: Malicious Software Prevention
CIP-007-3 R5: Account Management
CIP-007-3 R6: Security Status Monitoring
CIP-007-3 R7: Disposal or Redeployment
CIP-007-3 R8: Cyber Vulnerability Assessment
CIP-007-3 R9: Documentation Review and Maintenance
CIP-008-3 R1: Cyber Security Incident Response Plan
CIP-008-3 R2: Cyber Security Incident Documentation
CIP-009-3 R1: Recovery Plans
CIP-009-3 R2: Exercises
CIP-009-3 R3: Change Control
CIP-009-3 R4: Backup and Restore
CIP-009-3 R5: Testing Back Up Media
CIS Controls v7.1 mapped to the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) ver.3

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1 through System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1 through System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1 through System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1 through System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1 through System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1 through System 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1 through System 7.10

Critical Security Control #8: Malware Defenses
System 8.1 through System 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1 through System 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1 through System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1 through Network 11.7

Critical Security Control #12: Boundary Defense
Network 12.1 through Network 12.12

Critical Security Control #13: Data Protection
Network 13.1 through Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1 through Application 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1 through Network 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1 through Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1 through Application 17.9

Critical Security Control #18: Application Software Security
Application 18.1 through Application 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1 through Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1 through Application 20.8
CIS Controls v7.1 mapped to the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) ver.3

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
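The last two sub-controls above, comparing consecutive scans and risk-rating what remains, are easiest to get right together, because the age used for prioritization has to come from when a finding was first seen, not from the date of the latest scan. The following is an added example, not part of the CIS Controls text; the scan export layout, the placeholder CVE identifiers, the exposure list and the SLA table are constructed assumptions.

```python
"""Scan-to-scan comparison with risk-rated remediation tracking.

Added example, not part of the CIS Controls text. The scan export layout,
the placeholder CVE identifiers, the exposure data and the SLA table are
constructed assumptions.
"""
from datetime import date

# Remediation deadlines in days by severity (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Hosts reachable from the Internet weigh more in the risk rating (constructed).
INTERNET_FACING = {"web-01", "vpn-01"}

# Two consecutive weekly scan exports. "first_seen" is what the scanner
# reported, which on a re-scan is just the scan date. CVE ids are placeholders.
SCAN_PREVIOUS = [
    {"host": "web-01", "id": "CVE-0000-0001", "cvss": 9.8, "first_seen": "2024-02-20"},
    {"host": "web-01", "id": "CVE-0000-0002", "cvss": 5.3, "first_seen": "2024-01-15"},
    {"host": "db-01", "id": "CVE-0000-0003", "cvss": 7.5, "first_seen": "2024-02-25"},
]
SCAN_CURRENT = [
    {"host": "web-01", "id": "CVE-0000-0001", "cvss": 9.8, "first_seen": "2024-03-08"},
    {"host": "db-01", "id": "CVE-0000-0003", "cvss": 7.5, "first_seen": "2024-03-08"},
    {"host": "db-01", "id": "CVE-0000-0004", "cvss": 8.8, "first_seen": "2024-03-08"},
]


def severity(cvss):
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def finding_key(f):
    return (f["host"], f["id"])


def diff_scans(previous, current):
    """Split findings into remediated, newly found and still-open sets."""
    prev = {finding_key(f) for f in previous}
    curr = {finding_key(f) for f in current}
    return {
        "remediated": sorted(prev - curr),
        "new": sorted(curr - prev),
        "persisting": sorted(prev & curr),
    }


def prioritize(current, previous, today_iso):
    """Rank open findings by CVSS, exposure and age, and flag SLA breaches.

    first_seen is carried forward from the previous scan so that age reflects
    how long the vulnerability has been open, not when it was last observed.
    """
    today = date.fromisoformat(today_iso)
    prev = {finding_key(f): f for f in previous}
    ranked = []
    for f in current:
        first_seen = date.fromisoformat(prev.get(finding_key(f), f)["first_seen"])
        age = (today - first_seen).days
        sev = severity(f["cvss"])
        exposure = 2.0 if f["host"] in INTERNET_FACING else 1.0
        score = f["cvss"] * exposure * (1 + age / 30)   # simple, monotone in age
        ranked.append({**f, "first_seen": first_seen.isoformat(), "severity": sev,
                       "age_days": age, "overdue": age > SLA_DAYS[sev],
                       "score": round(score, 1)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    print(diff_scans(SCAN_PREVIOUS, SCAN_CURRENT))
    for r in prioritize(SCAN_CURRENT, SCAN_PREVIOUS, "2024-03-08"):
        print(r["host"], r["id"], r["severity"], r["age_days"], "OVERDUE" if r["overdue"] else "", r["score"])
```

The key is (host, finding id): the same CVE on two hosts is two remediation items, and a finding that disappears from one scan only to return in the next shows up as "new" with a fresh first_seen, which is exactly the case a remediation review should question rather than celebrate.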

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
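The two logging sub-controls above (alert on changes to administrative group membership, alert on failed logons to administrative accounts) are straightforward to express as detection logic once the events are in a log management system. The following is an added example, not part of the CIS Controls text. The events are constructed records in a simplified shape; the numeric IDs follow the standard Windows Security log event numbering (4728/4732 member added to a group, 4729/4733 member removed, 4625 logon failure), and the group names, account names and burst threshold are assumptions.

```python
"""Alerting on administrative group changes and failed administrative logons.

Added example, not part of the CIS Controls text. Events are constructed
records in a simplified shape; event IDs follow the Windows Security log
numbering (4728/4732 member added, 4729/4733 member removed, 4625 logon
failure). Group names, account names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-svc-backup"}   # dedicated elevated accounts
BURST_THRESHOLD = 3                              # this many failures ...
BURST_WINDOW = timedelta(minutes=5)              # ... within this window

GROUP_CHANGE = {4728: "added to", 4732: "added to", 4729: "removed from", 4733: "removed from"}
LOGON_FAILURE = 4625

EVENTS = [  # constructed, already in time order
    {"time": "2024-03-08T09:00:01", "id": 4728, "subject": "adm-jdoe", "member": "CORP\\tsmith", "group": "Domain Admins"},
    {"time": "2024-03-08T09:05:10", "id": 4732, "subject": "adm-jdoe", "member": "CORP\\svc-print", "group": "Remote Desktop Users"},
    {"time": "2024-03-08T09:10:00", "id": 4625, "account": "adm-jdoe", "src": "10.9.8.7"},
    {"time": "2024-03-08T09:11:00", "id": 4625, "account": "adm-jdoe", "src": "10.9.8.7"},
    {"time": "2024-03-08T09:12:30", "id": 4625, "account": "adm-jdoe", "src": "10.9.8.7"},
    {"time": "2024-03-08T09:13:00", "id": 4625, "account": "jdoe", "src": "10.9.8.7"},
    {"time": "2024-03-08T09:30:00", "id": 4729, "subject": "adm-svc-backup", "member": "CORP\\tsmith", "group": "Domain Admins"},
]


def detect(events):
    """Return (kind, principal, detail) alerts for the events, in order."""
    alerts = []
    recent_failures = defaultdict(deque)   # account -> failure timestamps inside the window
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] in GROUP_CHANGE:
            # Every change to a privileged group is alert-worthy, whoever made it.
            if ev["group"] in ADMIN_GROUPS:
                alerts.append(("ADMIN_GROUP_CHANGE", ev["member"],
                               f"{GROUP_CHANGE[ev['id']]} {ev['group']} by {ev['subject']}"))
        elif ev["id"] == LOGON_FAILURE and ev["account"] in ADMIN_ACCOUNTS:
            # Each failure is logged and alerted; a burst gets an additional alert.
            alerts.append(("ADMIN_LOGON_FAILURE", ev["account"], f"from {ev['src']}"))
            window = recent_failures[ev["account"]]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) == BURST_THRESHOLD:   # fires once, when the threshold is crossed
                alerts.append(("ADMIN_LOGON_BURST", ev["account"],
                               f"{BURST_THRESHOLD} failures within {BURST_WINDOW}"))
    return alerts


def count_by_kind(alerts):
    counts = defaultdict(int)
    for kind, _, _ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Note that the group-change rule keys on the target group, not on the actor: an authorised administrator adding a member to Domain Admins is still an event that should produce a ticket, because the inventory of administrative accounts has just changed.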
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
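The DMARC sub-control above says to start with SPF and DKIM; in practice the records that get published are often weaker than intended (a permissive "all" qualifier, p=none left in place indefinitely, no reporting address). The following added checker is not part of the CIS Controls text; the SPF and DMARC records are constructed TXT strings for a fictional domain, and a deployment would obtain them with a DNS TXT lookup at the domain and at _dmarc.<domain> instead of from literals.

```python
"""Checks for SPF and DMARC records, weak form beside hardened form.

Added example, not part of the CIS Controls text. The records are constructed
TXT strings for a fictional domain; a deployment would fetch them with a DNS
TXT lookup (at the domain and at _dmarc.<domain>) instead.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps these at ten per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

SPF_WEAK = "v=spf1 include:_spf.mail.example a mx ptr ?all"
SPF_HARDENED = "v=spf1 include:_spf.mail.example -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
DMARC_HARDENED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


def evaluate_spf(record):
    """Return a list of weaknesses in an SPF record (empty means acceptable)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"                      # the implicit qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: ptr mechanism is deprecated and unreliable; remove it")
        if name == "all":
            all_qualifier = qualifier
    if lookups > MAX_LOOKUPS:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of {MAX_LOOKUPS} (receivers return permerror)")
    if all_qualifier in ("+", "?"):
        findings.append(f"SPF: '{all_qualifier}all' lets any host pass; use -all (or ~all while testing)")
    elif all_qualifier is None:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    return findings


def evaluate_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty means acceptable)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("DMARC: pct= is not a number")
    if pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"DMARC: {tag} alignment is relaxed; tighten to strict once senders are known")
    return findings


if __name__ == "__main__":
    for label, rec, fn in (("SPF weak", SPF_WEAK, evaluate_spf), ("SPF hardened", SPF_HARDENED, evaluate_spf),
                           ("DMARC weak", DMARC_WEAK, evaluate_dmarc), ("DMARC hardened", DMARC_HARDENED, evaluate_dmarc)):
        print(label, "->", fn(rec) or "ok")
```

The relaxed-alignment findings are advisory: strict alignment breaks legitimate mail from subdomains and some third-party senders, so the usual path is p=none with rua reporting to learn the sending sources, then quarantine, then reject with pct=100.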
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
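Once DNS query logging is enabled as the sub-control above requires, the detection step is matching queried names against known malicious domains, and the usual mistake is substring matching, which flags every name that merely contains a listed domain. The following is an added example, not part of the CIS Controls text; the blocklist, the client addresses and the BIND-style query log lines are constructed.

```python
"""Match DNS query logs against a list of known malicious domains.

Added example, not part of the CIS Controls text. The blocklist, the client
addresses and the BIND-style query log lines are constructed.
"""
import re

# Constructed blocklist (a real one is fed from threat intelligence).
MALICIOUS_DOMAINS = {"evil.example", "c2.badactor.test"}

# Constructed query log excerpt in BIND querylog format (assumed).
QUERY_LOG = """\
08-Mar-2024 10:01:02.123 client 10.1.1.5#53211: query: update.evil.example IN A + (10.0.0.53)
08-Mar-2024 10:01:05.456 client 10.1.1.6#40112: query: notevil.example IN A + (10.0.0.53)
08-Mar-2024 10:01:07.789 client 10.1.1.7#40113: query: EVIL.example. IN AAAA + (10.0.0.53)
08-Mar-2024 10:01:09.000 client 10.1.1.5#53212: query: www.corp.example IN A + (10.0.0.53)
08-Mar-2024 10:01:11.000 client 10.1.1.9#53213: query: c2.badactor.test IN TXT + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (client, qname, qtype) for each query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["qname"], m["qtype"]


def matched_domain(qname, blocklist):
    """Return the blocklisted domain that qname equals or is a subdomain of.

    Matching walks label boundaries, so notevil.example does not match
    evil.example, while update.evil.example and EVIL.example. both do.
    Cost is O(labels) set lookups, independent of blocklist size.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def naive_substring_match(qname, blocklist):
    """The tempting shortcut, kept only to show its false positive."""
    name = qname.lower()
    return next((d for d in blocklist if d in name), None)


def find_hits(log_text, blocklist, matcher=matched_domain):
    """(client, queried name, matched domain, query type) per suspicious lookup."""
    hits = []
    for client, qname, qtype in parse_queries(log_text):
        hit = matcher(qname, blocklist)
        if hit:
            hits.append((client, qname, hit, qtype))
    return hits


def clients_to_investigate(hits):
    return sorted({client for client, _, _, _ in hits})


if __name__ == "__main__":
    hits = find_hits(QUERY_LOG, MALICIOUS_DOMAINS)
    for h in hits:
        print(*h)
    print("clients:", clients_to_investigate(hits))
```

The hits identify the client that asked, which is the system to pull into incident handling; the resolver address at the end of the line is not the source of the lookup.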
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Management (SIEM)).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt, or hash with a salt, all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
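Several of the sub-controls above reduce to two periodic jobs over directory and logon data: find accounts that should be disabled (no owner, expired, dormant) and flag logons that deviate from a user's established pattern. The following is an added example, not part of the CIS Controls text; the directory export, the logon history, the 90-day dormancy period and the one-hour tolerance around usual logon hours are constructed assumptions.

```python
"""Dormant/expired account review and logon-behaviour deviation alerts.

Added example, not part of the CIS Controls text. The directory export, the
logon history, the 90-day dormancy period and the one-hour tolerance are
constructed assumptions.
"""
from datetime import date, datetime

MAX_IDLE_DAYS = 90   # inactivity period after which an account is disabled (assumed policy)

ACCOUNTS = [  # constructed directory export
    {"user": "jdoe", "owner": "finance", "last_login": "2024-03-07", "expires": "2025-01-01"},
    {"user": "svc-legacy", "owner": None, "last_login": "2024-03-01", "expires": None},
    {"user": "contractor7", "owner": "eng", "last_login": "2023-11-15", "expires": "2024-06-30"},
    {"user": "intern-q3", "owner": "eng", "last_login": "2024-03-05", "expires": "2024-02-29"},
]

# Constructed successful-logon history used as the behavioural baseline.
LOGON_HISTORY = [
    ("jdoe", "2024-02-05T08:55", "WS-FIN-0412"),
    ("jdoe", "2024-02-06T09:10", "WS-FIN-0412"),
    ("jdoe", "2024-02-07T08:40", "WS-FIN-0412"),
    ("jdoe", "2024-02-08T17:30", "WS-FIN-0412"),
]
# Constructed logons to evaluate against the baseline.
NEW_LOGONS = [
    ("jdoe", "2024-03-08T09:02", "WS-FIN-0412"),     # usual hours, usual workstation
    ("jdoe", "2024-03-08T02:14", "WS-FIN-0412"),     # off-hours
    ("jdoe", "2024-03-08T10:00", "WS-ENG-0099"),     # never-seen workstation
    ("mallory", "2024-03-08T10:05", "WS-ENG-0099"),  # no history at all
]


def accounts_to_disable(accounts, today_iso):
    """Return {user: [reasons]} for accounts to disable (not delete, to keep audit trails)."""
    today = date.fromisoformat(today_iso)
    flagged = {}
    for acct in accounts:
        reasons = []
        if acct["owner"] is None:
            reasons.append("no business owner")
        if acct["expires"] and date.fromisoformat(acct["expires"]) < today:
            reasons.append("expired")
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > MAX_IDLE_DAYS:
            reasons.append(f"dormant for {idle_days} days")
        if reasons:
            flagged[acct["user"]] = reasons
    return flagged


def build_baseline(history):
    """Per-user set of logon hours and workstations seen in the history."""
    baseline = {}
    for user, ts, workstation in history:
        entry = baseline.setdefault(user, {"hours": set(), "workstations": set()})
        entry["hours"].add(datetime.fromisoformat(ts).hour)
        entry["workstations"].add(workstation)
    return baseline


def logon_deviations(baseline, logons, slack_hours=1):
    """Alert when a logon falls outside the user's usual hours or workstations."""
    alerts = []
    for user, ts, workstation in logons:
        entry = baseline.get(user)
        if entry is None:
            alerts.append((user, ts, "no baseline for this user"))
            continue
        hour = datetime.fromisoformat(ts).hour
        low, high = min(entry["hours"]) - slack_hours, max(entry["hours"]) + slack_hours
        if not low <= hour <= high:
            alerts.append((user, ts, f"logon at hour {hour} outside usual {low}-{high}"))
        if workstation not in entry["workstations"]:
            alerts.append((user, ts, f"unseen workstation {workstation}"))
    return alerts


if __name__ == "__main__":
    print(accounts_to_disable(ACCOUNTS, "2024-03-08"))
    for alert in logon_deviations(build_baseline(LOGON_HISTORY), NEW_LOGONS):
        print(*alert)
```

A user with no baseline is reported rather than silently accepted: a brand-new account logging on is exactly the case where the account inventory and the logon data should be compared. The time-of-day rule here is a simple hour window; a production baseline would also hold weekday patterns and session duration, which the sub-control mentions.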
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a): CSA Cloud Controls Matrix (CCM) columns

The mapping table in the source marks, for each sub-control above, which CCM controls it maps to. Only the column headings are recoverable here; the per-sub-control marks did not survive extraction. The columns, by CCM domain, are:

Application & Interface Security: AIS-01 Application Security; AIS-02 Customer Access Requirements; AIS-03 Data Integrity; AIS-04 Data Security / Integrity
Audit Assurance & Compliance: AAC-01 Audit Planning; AAC-02 Independent Audits; AAC-03 Information System Regulatory Mapping
Business Continuity Management & Operational Resilience: BCR-01 Business Continuity Planning; BCR-02 Business Continuity Testing; BCR-03 Datacenter Utilities / Environmental Conditions; BCR-04 Documentation; BCR-05 Environmental Risks; BCR-06 Equipment Location; BCR-07 Equipment Maintenance; BCR-08 Equipment Power Failures; BCR-09 Impact Analysis; BCR-10 Management Program; BCR-11 Policy; BCR-12 Retention Policy
Change Control & Configuration Management: CCC-01 New Development / Acquisition; CCC-02 Outsourced Development; CCC-03 Quality Testing; CCC-04 Unauthorized Software Installations; CCC-05 Production Changes
Data Security & Information Lifecycle Management: DSI-01 Classification; DSI-02 Data Inventory / Flows; DSI-03 Commerce Transactions; DSI-04 Handling / Labeling / Security Policy; DSI-05 Information Leakage; DSI-06 Non-Production Data; DSI-07 Ownership / Stewardship; DSI-08 Secure Disposal
Datacenter Security: DCS-01 Asset Management; DCS-02 Controlled Access Points; DCS-03 Equipment Identification; DCS-04 Off-Site Authorization; DCS-05 Off-Site Equipment; DCS-06 Policy; DCS-07 Secure Area Authorization; DCS-08 Unauthorized Persons Entry; DCS-09 User Access
Encryption & Key Management: EKM-01 Entitlement; EKM-02 Key Generation; EKM-03 Sensitive Data Protection; EKM-04 Storage and Access
Governance and Risk Management: GRM-01 Baseline Requirements; GRM-02 Data Focus Risk Assessments; GRM-03 Management Oversight; GRM-04 Management Program; GRM-05 Management Support/Involvement; GRM-06 Policy; GRM-07 Policy Enforcement; GRM-08 Policy Impact on Risk Assessments; GRM-09 Policy Reviews; GRM-10 Risk Assessments; GRM-11 Risk Management Framework; GRM-12 Risk Mitigation / Acceptance
Human Resources: HRS-01 Asset Returns; HRS-02 Background Screening; HRS-03 Employment Agreements; HRS-04 Employment Termination; HRS-05 Industry Knowledge / Benchmarking; HRS-06 Mobile Device Management; HRS-07 Non-Disclosure Agreements; HRS-08 Roles / Responsibilities; HRS-09 Technology Acceptable Use; HRS-10 Training / Awareness; HRS-11 User Responsibility; HRS-12 Workspace
Identity & Access Management: IAM-01 Audit Tools Access; IAM-02 Credential Lifecycle / Provision Management; IAM-03 Diagnostic / Configuration Ports Access; IAM-04 Policies and Procedures; IAM-05 Segregation of Duties; IAM-06 Source Code Access Restriction; IAM-07 Third Party Access; IAM-08 Trusted Sources; IAM-09 User Access Authorization; IAM-10 User Access Reviews; IAM-11 User Access Revocation; IAM-12 User ID Credentials; IAM-13 Utility Programs Access
Infrastructure & Virtualization Security: IVS-01 Audit Logging / Intrusion Detection; IVS-02 Change Detection; IVS-03 Clock Synchronization; IVS-04 Information System Documentation; IVS-05 Management - Vulnerability Management; IVS-06 Network Security; IVS-07 OS Hardening and Base Controls; IVS-08 Production / Non-Production Environments; IVS-09 Segmentation; IVS-10 VM Security - vMotion Data Protection; IVS-11 VMM Security - Hypervisor Hardening; IVS-12 Wireless Security
Interoperability & Portability: IPY-01 APIs; IPY-02 Data Request (further Interoperability & Portability columns are cut off at this point)
Portability -
Portability - Policy & Portability -
Legal Standardized Network Virtualization
Protocols

IPY-03 IPY-04 IPY-05


X
X
X
X
X
Mobile Security - Anti- Mobile Security - Mobile Security -
Malware Application Stores Approved Applications

MOS-01 MOS-02 MOS-03

X
X
X
X
X

X
X
X

X
X
X
X
X
Mobile Security - Mobile Security - Mobile Security - Cloud
Approved Software for
BYOD Awareness and Training Based Services

MOS-04 MOS-05 MOS-06

X
X
X
X
X

X
X
X
X

X
X
X
X
X
X
Mobile Security - Mobile Security - Device Mobile Security - Device
Compatibility Eligibility Inventory

MOS-07 MOS-08 MOS-09


X
X
X

X
Mobile Security - Device Mobile Security - Mobile Security -
Jailbreaking and
Management Encryption Rooting

MOS-10 MOS-11 MOS-12


X
X
X

X
X
X

X
X
X
X

X
X

X
X

X
X

X
X
X
X

X
X
X

X
X
Mobile Security - Mobile Security -
Mobile Security - Legal
Lockout Screen Operating Systems

MOS-13 MOS-14 MOS-15


X
X
X

X
X
X
X
X

X
X

X
X
X
X
X

X
X

X
X

X
X

X
X
X
X
X
X
X
X
X
X
X

X
X
X
X
X
X
Mobile Security - Mobile Security -
Mobile Security - Policy
Passwords Remote Wipe

MOS-16 MOS-17 MOS-18


X
X

X
X
X

X
X
X
X

X
X
X
X
X
X
X

X
X
X
X
X
X
Security Incident
Mobile Security - Management, E-
Mobile Security - Users Discovery & Cloud
Security Patches Forensics - Contact /
Authority Maintenance

MOS-19 MOS-20 SEF-01


X

X
X
X
X

X
X

X
X
X

X
X
X

X
X

X
X

X
X
X

X
X
X

X
X
X
X
X
X
X
X

X
X
X
X
X
X
X

X
Security Incident
Security Incident Security Incident
Management, E- Management, E- Management, E-
Discovery & Cloud
Discovery & Cloud Discovery & Cloud
Forensics - Incident Forensics - Incident Forensics - Incident
Management Reporting Response Legal
Preparation

SEF-02 SEF-03 SEF-04


X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X
Security Incident Supply Chain Supply Chain
Management, E- Management, Management,
Discovery & Cloud Transparency and Transparency and
Forensics - Incident Accountability - Data Accountability -
Response Metrics Quality and Integrity Incident Reporting

SEF-05 STA-01 STA-02


X

X
Supply Chain Supply Chain
Supply Chain
Management, Management, Management,
Transparency and Transparency and
Transparency and
Accountability - Accountability - Accountability - Supply
Network / Provider Internal Chain Agreements
Infrastructure Services Assessments

STA-03 STA-04 STA-05


Supply Chain
Supply Chain Supply Chain
Management, Management, Management,
Transparency and
Transparency and Transparency and
Accountability - Supply Accountability - Supply Accountability - Third
Chain Governance Chain Metrics Party Assessment
Reviews

STA-06 STA-07 STA-08


Supply Chain Threat and Threat and
Management, Vulnerability Vulnerability
Transparency and Management - Anti- Management -
Accountability - Third Virus / Malicious Vulnerability / Patch
Party Audits Software Management

STA-09 TVM-01 TVM-02


X

X
X
X
X
X

X
X

X
X

X
X

X
X
X
X
X

X
X
X

X
X
Threat and Vulnerbility
Management - Mobile
Code

TVM-03
X

X
X
X
X
X
CIS Controls v7.1 mapped to the Amazon Web Services – OCIE Cybersecurity Audit Guide (Oct 2015)

Sub-control index (asset type in parentheses):
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices: 1.1 to 1.8 (System)
Critical Security Control #2: Inventory of Authorized and Unauthorized Software: 2.1 to 2.10 (System)
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation: 3.1 to 3.7 (System)
Critical Security Control #4: Controlled Use of Administrative Privileges: 4.1 to 4.9 (System)
Critical Security Control #5: Secure Configurations for Hardware and Software: 5.1 to 5.5 (System)
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs: 6.1 to 6.8 (System)
Critical Security Control #7: Email and Web Browser Protections: 7.1 to 7.10 (System)
Critical Security Control #8: Malware Defenses: 8.1 to 8.8 (System)
Critical Security Control #9: Limitation and Control of Network Ports: 9.1 to 9.5 (System)
Critical Security Control #10: Data Recovery Capabilities: 10.1 to 10.5 (System)
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches: 11.1 to 11.7 (Network)
Critical Security Control #12: Boundary Defense: 12.1 to 12.12 (Network)
Critical Security Control #13: Data Protection: 13.1 to 13.9 (Network)
Critical Security Control #14: Controlled Access Based on the Need to Know: 14.1 to 14.9 (Application)
Critical Security Control #15: Wireless Access Control: 15.1 to 15.10 (Network)
Critical Security Control #16: Account Monitoring and Control: 16.1 to 16.13 (Application)
Critical Security Control #17: Implement a Security Awareness and Training Program: 17.1 to 17.9 (Application)
Critical Security Control #18: Application Software Security: 18.1 to 18.11 (Application)
Critical Security Control #19: Incident Response and Management: 19.1 to 19.8 (Application)
Critical Security Control #20: Penetration Tests and Red Team Exercises: 20.1 to 20.8 (Application)
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
1.1 (System): Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2 (System): Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3 (System): Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4 (System): Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 (System): Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 (System): Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7 (System): Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 (System): Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
2.1 (System): Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 (System): Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 (System): Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 (System): The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 (System): The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 (System): Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 (System): Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 (System): The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 (System): The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 (System): Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
3.1 (System): Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 (System): Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 (System): Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 (System): Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 (System): Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 (System): Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 (System): Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges
4.1 (System): Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 (System): Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 (System): Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
4.4 (System): Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 (System): Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 (System): Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
4.7 (System): Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 (System): Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 (System): Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
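As an added example for sub-controls 4.8 and 4.9 (this is not code from the mapping tool, from CIS or from any vendor), the following Python routine reviews constructed Windows Security events and produces the alerts those two sub-controls call for, using the administrative-account inventory from 4.1 to decide which failed logons matter. The event IDs are the standard Windows ones; the group names, account names and hosts are assumptions made up for the example.

```python
"""Added example for CIS sub-controls 4.8 and 4.9; not code from the mapping
tool, CIS or any vendor. Reviews constructed Windows Security events and
returns the alerts those two sub-controls call for."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Windows Security event IDs (standard values): a member was added to, or
# removed from, a security-enabled global / local / universal group.
GROUP_ADD = {4728, 4732, 4756}
GROUP_REMOVE = {4729, 4733, 4757}
LOGON_FAILURE = 4625  # "An account failed to log on"

# Groups the organization assigns administrative privileges to. These names
# are an assumption for the example; derive them from the real inventory (4.1).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


@dataclass
class SecurityEvent:
    event_id: int
    host: str
    subject: str     # account that performed the change or attempted the logon
    target: str      # account added / removed, or the account the logon was for
    group: str = ""  # group name; only meaningful for membership events


@dataclass
class Alert:
    control: str     # "4.8" (admin group membership change) or "4.9" (failed admin logon)
    host: str
    message: str


def review(events: Iterable[SecurityEvent], admin_inventory: Set[str]) -> List[Alert]:
    """Walk the events in order and build the alert list.

    An account counts as administrative if it is in the inventory of
    administrative accounts (sub-control 4.1) or has been observed being added
    to an administrative group earlier in the same event stream. A removal only
    undoes an observed addition: the inventory itself is maintained by a
    separate process, so an inventoried account keeps raising 4.9 alerts.
    """
    observed: Dict[str, Set[str]] = {group: set() for group in ADMIN_GROUPS}

    def is_admin(account: str) -> bool:
        return account in admin_inventory or any(
            account in members for members in observed.values()
        )

    alerts: List[Alert] = []
    for ev in events:
        if ev.event_id in GROUP_ADD and ev.group in ADMIN_GROUPS:
            observed[ev.group].add(ev.target)
            alerts.append(Alert("4.8", ev.host, f"{ev.subject} added {ev.target} to {ev.group}"))
        elif ev.event_id in GROUP_REMOVE and ev.group in ADMIN_GROUPS:
            observed[ev.group].discard(ev.target)
            alerts.append(Alert("4.8", ev.host, f"{ev.subject} removed {ev.target} from {ev.group}"))
        elif ev.event_id == LOGON_FAILURE and is_admin(ev.target):
            alerts.append(Alert("4.9", ev.host, f"failed logon to administrative account {ev.target}"))
    return alerts


# Constructed sample stream: a service account is made local admin, fails a
# logon, is removed again, and the built-in Administrator account fails a logon.
ADMIN_INVENTORY = {"CORP\\Administrator", "CORP\\jsmith"}
SAMPLE_EVENTS = [
    SecurityEvent(4732, "WS01", "CORP\\jsmith", "CORP\\svc-backup", "Administrators"),
    SecurityEvent(4625, "WS01", "CORP\\svc-backup", "CORP\\svc-backup"),
    SecurityEvent(4625, "WS02", "CORP\\alice", "CORP\\alice"),               # ordinary user: no alert
    SecurityEvent(4728, "DC01", "CORP\\hr-admin", "CORP\\bob", "Marketing"),  # not an admin group
    SecurityEvent(4733, "WS01", "CORP\\jsmith", "CORP\\svc-backup", "Administrators"),
    SecurityEvent(4625, "WS01", "CORP\\svc-backup", "CORP\\svc-backup"),     # no longer admin: no alert
    SecurityEvent(4625, "DC01", "CORP\\Administrator", "CORP\\Administrator"),
]


def run_sample() -> List[Alert]:
    """Run the review over the constructed sample; four alerts are expected."""
    return review(SAMPLE_EVENTS, ADMIN_INVENTORY)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.control}] {alert.host}: {alert.message}")
```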
urity Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
urity Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
urity Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
urity Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
urity Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
urity Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
urity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
urity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
urity Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the


organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

urity Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally


and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
urity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
urity Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
urity Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
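Sub-control 18.2, as an added example not taken from the CIS document: a specification-driven validator that makes every check explicit (type, size, numeric range, allowed values, format) and reports all failures rather than stopping at the first. The request fields and rules are invented for a hypothetical transfer API.

```python
import re
from datetime import date

# Constructed field rules for a hypothetical "create transfer" API request.
# Every rule is explicit: type, size, range, allowed values, format.
TRANSFER_SPEC = {
    "account_id":   {"type": str, "max_len": 12, "pattern": r"[A-Z]{2}\d{8,10}"},
    "amount_cents": {"type": int, "min": 1, "max": 100_000_000},
    "currency":     {"type": str, "choices": {"USD", "EUR", "GBP"}},
    "memo":         {"type": str, "max_len": 140, "required": False},
    "value_date":   {"type": str, "format": "date"},
}


def validate(payload, spec):
    """Return a list of error strings (an empty list means the payload is acceptable).

    All fields are checked, not just the first failure, so the caller can log or
    return the complete picture; unexpected fields are rejected rather than ignored.
    """
    errors = []
    for extra in sorted(set(payload) - set(spec)):
        errors.append(f"{extra}: unexpected field")
    for field, rule in spec.items():
        if field not in payload:
            if rule.get("required", True):
                errors.append(f"{field}: missing")
            continue
        value, expected = payload[field], rule["type"]
        # bool is a subclass of int in Python, so True would pass an int check; reject it.
        wrong_type = (isinstance(value, bool) and expected is not bool) or not isinstance(value, expected)
        if wrong_type:
            errors.append(f"{field}: expected {expected.__name__}, got {type(value).__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{field}: longer than {rule['max_len']} characters")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{field}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{field}: above maximum {rule['max']}")
        if "choices" in rule and value not in rule["choices"]:
            errors.append(f"{field}: not one of {sorted(rule['choices'])}")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{field}: does not match required format")
        if rule.get("format") == "date":
            try:
                date.fromisoformat(value)
            except ValueError:
                errors.append(f"{field}: not a valid ISO date")
    return errors
```

The bool/int distinction and the rejection of unexpected fields are the two checks most often missing in hand-written validation; both are cheap here because the rules live in data rather than in scattered if-statements.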

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a): mapping matrix with nine columns (1 Governance and Management, 2 Network Configuration, 3 Asset Configuration and Management, 4 Logical Access Control, 5 Data Encryption, 6 Security Logging and Monitoring, 7 Security Incident Response, 8 Disaster Recovery, 9 Inherited Controls). The X marks indicating which CIS Controls map to each column did not survive extraction.
CIS Controls v7.1 mapped to the FY15 CIO Annual FISMA Metrics

Rows of the mapping sheet, one per sub-control (the mapped metric cells for each row did not survive extraction):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls v7.1 mapped to the FY15 CIO Annual FISMA Metrics

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
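Sub-controls 1.3, 1.5 and 1.6 together describe one workflow: take the DHCP server's lease log, look each client up in the hardware inventory by MAC address, refresh the record for approved devices, and flag anything unknown or not approved. The following Python is an added example of that reconciliation, not CIS material; the inventory records and the dhcpd-style log lines are constructed for it, and the record field names are assumptions about the asset database.

```python
import re
from dataclasses import dataclass

# Constructed hardware inventory, keyed by MAC address in lowercase colon form,
# carrying the fields sub-control 1.5 asks for. A real deployment would read
# this from the asset database rather than a literal.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"ip": "10.0.1.10", "name": "ws-fin-01", "owner": "j.doe",
                          "dept": "Finance", "approved": True},
    "aa:bb:cc:00:00:02": {"ip": "10.0.1.11", "name": "ws-fin-02", "owner": "a.roe",
                          "dept": "Finance", "approved": True},
    "aa:bb:cc:00:00:03": {"ip": None, "name": "printer-3f", "owner": "facilities",
                          "dept": "Facilities", "approved": False},
}

# Constructed syslog lines in the shape ISC dhcpd writes for lease traffic.
DHCP_LOG = """\
Mar  4 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.1.10 to aa:bb:cc:00:00:01 (ws-fin-01) via eth0
Mar  4 09:12:05 dhcp1 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
Mar  4 09:12:06 dhcp1 dhcpd: DHCPACK on 10.0.1.57 to de:ad:be:ef:00:01 (android-7b2) via eth0
Mar  4 09:13:40 dhcp1 dhcpd: DHCPACK on 10.0.1.33 to AA:BB:CC:00:00:03 via eth0
Mar  4 09:14:02 dhcp1 dhcpd: DHCPACK on 10.0.1.11 to aa:bb:cc:00:00:02 (ws-fin-02) via eth0
"""

# Only DHCPACK means a lease was actually granted; DISCOVER/OFFER lines are noise here.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str  # "unknown": not in inventory; "not_approved": inventoried but not cleared to connect


def parse_acks(log_text):
    """Yield (ip, mac, hostname) for each granted lease, MAC normalised to lowercase."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["host"] or ""


def reconcile(log_text, inventory):
    """Return (updated_inventory, findings).

    Approved devices get their current address and DHCP hostname written back to
    a copy of the inventory (sub-control 1.3); anything unknown or not approved
    becomes a Finding to act on under sub-control 1.6. The input dict is not mutated.
    """
    updated = {mac: dict(rec) for mac, rec in inventory.items()}
    findings, seen = [], set()
    for ip, mac, host in parse_acks(log_text):
        if mac in seen:          # report each device once per run
            continue
        seen.add(mac)
        rec = updated.get(mac)
        if rec is None:
            findings.append(Finding(mac, ip, host, "unknown"))
        elif not rec["approved"]:
            findings.append(Finding(mac, ip, host or rec["name"], "not_approved"))
        else:
            rec["ip"] = ip
            if host:
                rec["name"] = host
    return updated, findings


if __name__ == "__main__":
    _, found = reconcile(DHCP_LOG, INVENTORY)
    for f in found:
        print(f"{f.reason:12s} {f.mac} {f.ip} {f.hostname!r}")
```

Note the MAC normalisation: the same device shows up in upper case in one line and lower case in another, and an inventory lookup that does not normalise will silently treat an approved printer as unknown.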
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
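Sub-controls 3.6 and 3.7, as an added example (not from the CIS document): a diff of consecutive scan results that separates remediated, new and persisting findings, and a risk rating that combines the CVSS band with asset criticality to decide which open findings have passed their remediation deadline. The scan rows, finding IDs, host names and SLA table are constructed placeholders.

```python
from collections import namedtuple

# One row per (host, finding) the scanner reported, with its CVSS base score.
# Constructed for the example; real rows come from the SCAP scanner's export.
# Finding IDs are placeholders, not real CVE numbers.
Vuln = namedtuple("Vuln", "host vuln_id cvss")

SCAN_HISTORY = [  # oldest first, one scan per week
    [Vuln("web-01", "VULN-001", 9.8), Vuln("web-01", "VULN-002", 5.3),
     Vuln("db-01", "VULN-003", 7.5), Vuln("db-01", "VULN-004", 4.0)],
    [Vuln("web-01", "VULN-002", 5.3), Vuln("db-01", "VULN-003", 7.5),
     Vuln("db-01", "VULN-005", 8.1)],
    [Vuln("web-01", "VULN-002", 5.3), Vuln("db-01", "VULN-003", 7.5),
     Vuln("db-01", "VULN-005", 8.1)],
]
CRITICAL_HOSTS = {"db-01"}          # from the asset inventory's criticality field

SEVERITIES = ["low", "medium", "high", "critical"]
# Assumed remediation deadlines per severity, in days; set these to the organisation's policy.
SLA_DAYS = {"low": 180, "medium": 90, "high": 30, "critical": 7}


def severity(cvss, on_critical_host):
    """CVSS v3 qualitative bands, bumped one level when the host is business-critical."""
    if cvss >= 9.0:
        idx = 3
    elif cvss >= 7.0:
        idx = 2
    elif cvss >= 4.0:
        idx = 1
    else:
        idx = 0
    if on_critical_host:
        idx = min(idx + 1, 3)
    return SEVERITIES[idx]


def diff_scans(previous, current):
    """Sub-control 3.6: compare consecutive scans. Returns (remediated, new, persisting)
    as sorted lists of (host, vuln_id)."""
    prev = {(v.host, v.vuln_id) for v in previous}
    curr = {(v.host, v.vuln_id) for v in current}
    return sorted(prev - curr), sorted(curr - prev), sorted(prev & curr)


def overdue(history, critical_hosts, scan_interval_days=7):
    """Sub-control 3.7: items still open in the latest scan whose age exceeds the SLA
    for their risk rating. Age counts from the first scan that ever reported the item,
    so a finding that disappears and comes back keeps its original clock.
    Returns [(host, vuln_id, severity, age_days)], worst first."""
    first_seen = {}
    for i, scan in enumerate(history):
        for v in scan:
            first_seen.setdefault((v.host, v.vuln_id), i)
    latest_index = len(history) - 1
    out = []
    for v in history[-1]:
        key = (v.host, v.vuln_id)
        sev = severity(v.cvss, v.host in critical_hosts)
        age = (latest_index - first_seen[key]) * scan_interval_days
        if age > SLA_DAYS[sev]:
            out.append((v.host, v.vuln_id, sev, age))
    return sorted(out, key=lambda r: (-SEVERITIES.index(r[2]), -r[3]))


if __name__ == "__main__":
    print(diff_scans(SCAN_HISTORY[0], SCAN_HISTORY[1]))
    print(overdue(SCAN_HISTORY, CRITICAL_HOSTS))
```

The point of keying on (host, finding) rather than on the finding alone is that "remediated" must mean fixed on that host; the same weakness closed on one server and still open on another is not progress.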

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
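For sub-controls 4.8 and 4.9, an added example (not part of the CIS text) of the detection logic run over Windows Security events: membership changes in privileged groups (event IDs 4728/4732/4756 for additions, 4729/4733/4757 for removals) and failed logons (4625) against inventoried administrative accounts, with a sliding-window burst summary on top of the per-event alerts. The events, group names and account names are constructed; the dict keys follow the EventData field names from the Security log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Groups whose membership changes must alert (sub-control 4.8) and the accounts the
# sub-control 4.1 inventory lists as administrative (sub-control 4.9). Both assumed.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-aroe"}

# Windows Security event IDs for membership changes in security-enabled groups.
GROUP_CHANGE_IDS = {4728: "added", 4732: "added", 4756: "added",
                    4729: "removed", 4733: "removed", 4757: "removed"}
FAILED_LOGON_ID = 4625

# Constructed events, flattened to the EventData field names the Security log uses.
EVENTS = [
    {"EventID": 4728, "TimeCreated": "2024-03-04T02:13:00", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "SubjectUserName": "helpdesk3"},
    {"EventID": 4732, "TimeCreated": "2024-03-04T09:01:00", "TargetUserName": "Administrators",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example", "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TimeCreated": "2024-03-04T09:02:00", "TargetUserName": "Print Operators",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example", "SubjectUserName": "helpdesk3"},
    {"EventID": 4729, "TimeCreated": "2024-03-04T09:05:00", "TargetUserName": "Domain Admins",
     "MemberName": "CN=olduser,OU=Users,DC=corp,DC=example", "SubjectUserName": "adm-aroe"},
    {"EventID": 4625, "TimeCreated": "2024-03-04T09:10:00", "TargetUserName": "adm-jdoe",
     "IpAddress": "10.0.5.7", "Status": "0xc000006d"},
    {"EventID": 4625, "TimeCreated": "2024-03-04T09:10:20", "TargetUserName": "adm-jdoe",
     "IpAddress": "10.0.5.7", "Status": "0xc000006d"},
    {"EventID": 4625, "TimeCreated": "2024-03-04T09:10:45", "TargetUserName": "adm-jdoe",
     "IpAddress": "10.0.5.7", "Status": "0xc000006d"},
    {"EventID": 4625, "TimeCreated": "2024-03-04T09:11:10", "TargetUserName": "adm-jdoe",
     "IpAddress": "10.0.5.7", "Status": "0xc000006d"},
    {"EventID": 4625, "TimeCreated": "2024-03-04T09:12:00", "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.8", "Status": "0xc000006d"},
]


def admin_group_change_alerts(events, admin_groups=ADMIN_GROUPS):
    """One alert per add/remove on a privileged group, whoever performed it."""
    alerts = []
    for e in events:
        action = GROUP_CHANGE_IDS.get(e["EventID"])
        if action and e["TargetUserName"] in admin_groups:
            alerts.append({"time": e["TimeCreated"], "group": e["TargetUserName"],
                           "member": e["MemberName"], "action": action,
                           "by": e["SubjectUserName"]})
    return alerts


def failed_admin_logon_alerts(events, admin_accounts=ADMIN_ACCOUNTS,
                              burst=3, window=timedelta(minutes=5)):
    """Every failed logon to an admin account alerts (sub-control 4.9); in addition,
    `burst` or more failures from one source within `window` are summarised as a
    likely password-guessing attempt. Returns (per_event_alerts, bursts)."""
    per_event, by_source = [], defaultdict(list)
    for e in events:
        if e["EventID"] == FAILED_LOGON_ID and e["TargetUserName"] in admin_accounts:
            per_event.append({"time": e["TimeCreated"], "user": e["TargetUserName"],
                              "source": e["IpAddress"], "status": e["Status"]})
            by_source[(e["TargetUserName"], e["IpAddress"])].append(
                datetime.fromisoformat(e["TimeCreated"]))
    bursts = []
    for (user, ip), times in by_source.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= burst:
                bursts.append({"user": user, "source": ip, "count": hi - lo + 1,
                               "first": times[lo].isoformat(), "last": times[hi].isoformat()})
                break
    return per_event, bursts
```

The removal events matter as much as the additions: an attacker cleaning up after themselves, or an administrator quietly dropping a colleague from a group, is exactly what the audit trail exists to catch. Alerting on all six event IDs also protects against the common oversight of watching only domain (4728) groups and missing local Administrators (4732).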
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
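Sub-control 7.8, as an added example that is not part of the CIS document: checks that an SPF record actually fails unlisted senders (-all, or ~all during rollout) and stays under the ten-lookup limit, that the DMARC record enforces quarantine or reject and asks for aggregate reports, and that a DKIM selector publishes a key. The TXT answers are constructed for two reserved .test domains; a real run would fetch them from DNS with a resolver library.

```python
import re

# Constructed DNS TXT answers for two hypothetical domains (reserved .test TLD).
RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailhost.test ip4:203.0.113.0/24 -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"],
    # p= holds placeholder key bytes, not a real key
    "selector1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "weak.test": ["v=spf1 a mx ?all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
}

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Return {'all': qualifier or None, 'lookups': n} for a v=spf1 record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    result = {"all": None, "lookups": 0}
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            result["all"] = m.group(1) or "+"      # bare 'all' means pass
            continue
        name = re.split(r"[:/=]", term.lstrip("-~?+"), 1)[0].lower()
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
    return result


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict (keys lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dkim_key_present(selector, domain, records):
    """True when <selector>._domainkey.<domain> publishes a non-empty p= (empty p= means revoked)."""
    for txt in records.get(f"{selector}._domainkey.{domain}", []):
        tags = parse_dmarc(txt)          # DKIM records use the same tag=value; syntax
        if tags.get("p"):
            return True
    return False


def assess(domain, records):
    """Findings against the SPF + DMARC posture sub-control 7.8 calls for. Empty list = OK."""
    findings = []
    spf = [t for t in records.get(domain, []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers treat this as permerror)")
    else:
        parsed = parse_spf(spf[0])
        if parsed["all"] is None:
            findings.append("SPF: no 'all' term, so unlisted senders are not failed")
        elif parsed["all"] in ("+", "?"):
            findings.append(f"SPF: '{parsed['all']}all' does not fail unlisted senders; use -all (or ~all while rolling out)")
        if parsed["lookups"] > 10:
            findings.append(f"SPF: {parsed['lookups']} DNS lookups exceeds the limit of 10 (permerror)")
    dmarc = [t for t in records.get(f"_dmarc.{domain}", []) if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={tags.get('p')} takes no action on mail that fails alignment")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so no aggregate reports to tune against")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream")
    return findings
```

The order the sub-control gives (SPF and DKIM first, then DMARC) is the practical one: DMARC p=reject with a broken SPF or no DKIM signing will bounce the organisation's own legitimate mail, which is why the rua= aggregate reports are treated here as a finding when missing rather than as optional.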
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.
Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.
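Sub-control 16.4, as an added example (not CIS material): a salted, slow password hash in a self-describing storage format, constant-time verification, and a rehash check so the work factor can be raised later without a password reset. The scheme label and iteration count are choices made for the example; an unsalted SHA-256 digest is included only for contrast.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; OWASP's Password Storage Cheat Sheet
# recommends 600,000 iterations. Raise it over time and rehash on next login.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """What NOT to store: a fast, unsalted digest. Every user with the same password
    gets the same value, and one precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_credential(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash in a self-describing format: scheme$iterations$salt_hex$hash_hex.
    The salt is random per credential, so equal passwords produce different records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_credential(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations, salt, expected = int(iters), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False                      # a malformed record never verifies
    if not expected:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with an older scheme or a lower work factor,
    so it can be upgraded transparently after a successful login."""
    parts = stored.split("$")
    return (len(parts) != 4 or parts[0] != SCHEME
            or not parts[1].isdigit() or int(parts[1]) < iterations)
```

Embedding the scheme and iteration count in the record is what makes `needs_rehash` possible: when the policy raises the work factor, old records keep verifying, and each one is silently upgraded the next time its owner logs in.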


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain third-party contact information to be used to report a security incident, such
as Law Enforcement, relevant government departments, vendors, and Information Sharing and
Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

[Mapping grid (columns: 1 Identity Credential and Access Management; 2 System Inventory; 3 Continuous Monitoring; 4 Data Protection; 5 Network Defense; 6 Anti-Phishing and Malware Defense; 7 Boundary Protection; 8 Training and Education; 9 Incident Response). The row labels for the per-control X marks did not survive extraction.]
CIS Controls v7.1 mapped to ITIL 2011 KPIs

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices: sub-controls 1.1 to 1.8 (System)

Critical Security Control #2: Inventory of Authorized and Unauthorized Software: sub-controls 2.1 to 2.10 (System)

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation: sub-controls 3.1 to 3.7 (System)

Critical Security Control #4: Controlled Use of Administrative Privileges: sub-controls 4.1 to 4.9 (System)

Critical Security Control #5: Secure Configurations for Hardware and Software: sub-controls 5.1 to 5.5 (System)

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs: sub-controls 6.1 to 6.8 (System)

Critical Security Control #7: Email and Web Browser Protections: sub-controls 7.1 to 7.10 (System)

Critical Security Control #8: Malware Defenses: sub-controls 8.1 to 8.8 (System)

Critical Security Control #9: Limitation and Control of Network Ports: sub-controls 9.1 to 9.5 (System)

Critical Security Control #10: Data Recovery Capabilities: sub-controls 10.1 to 10.5 (System)

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches: sub-controls 11.1 to 11.7 (Network)

Critical Security Control #12: Boundary Defense: sub-controls 12.1 to 12.12 (Network)

Critical Security Control #13: Data Protection: sub-controls 13.1 to 13.9 (Network)

Critical Security Control #14: Controlled Access Based on the Need to Know: sub-controls 14.1 to 14.9 (Application)

Critical Security Control #15: Wireless Access Control: sub-controls 15.1 to 15.10 (Network)

Critical Security Control #16: Account Monitoring and Control: sub-controls 16.1 to 16.13 (Application)

Critical Security Control #17: Implement a Security Awareness and Training Program: sub-controls 17.1 to 17.9 (Application)

Critical Security Control #18: Application Software Security: sub-controls 18.1 to 18.11 (Application)

Critical Security Control #19: Incident Response and Management: sub-controls 19.1 to 19.8 (Application)

Critical Security Control #20: Penetration Tests and Red Team Exercises: sub-controls 20.1 to 20.8 (Application)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network or quarantined, or that the
inventory is updated, in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
ITIL process columns (KPI 1 to KPI 19) of the mapping sheet:
KPI 1: Service Portfolio Management and Strategy Management
KPI 2: Business Relationship Management
KPI 3: Financial Management for IT Services
KPI 4: Service Level Management
KPI 5: Availability Management
KPI 6: Capacity Management
KPI 7: IT Service Continuity Management
KPI 8: Information Security Management
KPI 9: Supplier Management
KPI 10: Change Management
KPI 11: Project Management
KPI 12: Release and Deployment Management
KPI 13: Service Validation and Testing
KPI 14: Service Asset and Configuration Management
KPI 15: Incident Management
KPI 16: Problem Management
KPI 17: Service Review
KPI 18: Process Evaluation
KPI 19: Definition of Improvement Initiatives
CIS Controls v7.1 mapped to the State of Nevada Gaming Control Board
Minimum Internal Control Standards (MICS) v7 2015

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, System 1.2, System 1.3, System 1.4, System 1.5, System 1.6, System 1.7, System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, System 2.2, System 2.3, System 2.4, System 2.5, System 2.6, System 2.7, System 2.8, System 2.9, System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, System 3.2, System 3.3, System 3.4, System 3.5, System 3.6, System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, System 4.2, System 4.3, System 4.4, System 4.5, System 4.6, System 4.7, System 4.8, System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, System 5.2, System 5.3, System 5.4, System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, System 6.2, System 6.3, System 6.4, System 6.5, System 6.6, System 6.7, System 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, System 7.2, System 7.3, System 7.4, System 7.5, System 7.6, System 7.7, System 7.8, System 7.9, System 7.10

Critical Security Control #8: Malware Defenses
System 8.1, System 8.2, System 8.3, System 8.4, System 8.5, System 8.6, System 8.7, System 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, System 9.2, System 9.3, System 9.4, System 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, System 10.2, System 10.3, System 10.4, System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, Network 11.2, Network 11.3, Network 11.4, Network 11.5, Network 11.6, Network 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, Network 12.2, Network 12.3, Network 12.4, Network 12.5, Network 12.6, Network 12.7, Network 12.8, Network 12.9, Network 12.10, Network 12.11, Network 12.12

Critical Security Control #13: Data Protection
Network 13.1, Network 13.2, Network 13.3, Network 13.4, Network 13.5, Network 13.6, Network 13.7, Network 13.8, Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, Application 14.2, Application 14.3, Application 14.4, Application 14.5, Application 14.6, Application 14.7, Application 14.8, Application 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, Network 15.2, Network 15.3, Network 15.4, Network 15.5, Network 15.6, Network 15.7, Network 15.8, Network 15.9, Network 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, Application 16.2, Application 16.3, Application 16.4, Application 16.5, Application 16.6, Application 16.7, Application 16.8, Application 16.9, Application 16.10, Application 16.11, Application 16.12, Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, Application 17.2, Application 17.3, Application 17.4, Application 17.5, Application 17.6, Application 17.7, Application 17.8, Application 17.9

Critical Security Control #18: Application Software Security
Application 18.1, Application 18.2, Application 18.3, Application 18.4, Application 18.5, Application 18.6, Application 18.7, Application 18.8, Application 18.9, Application 18.10, Application 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, Application 19.2, Application 19.3, Application 19.4, Application 19.5, Application 19.6, Application 19.7, Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, Application 20.2, Application 20.3, Application 20.4, Application 20.5, Application 20.6, Application 20.7, Application 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locating all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.
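As an added example of what "hash with a salt" means for stored credentials (this is illustrative code, not part of the CIS Controls or the mappings tool): every credential gets its own random salt, a deliberately slow key-derivation function is applied, and verification recomputes and compares in constant time. The choice of PBKDF2-HMAC-SHA256, the 600,000-iteration count, the 16-byte salt and the record format are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the CIS text): PBKDF2-HMAC-SHA256 with
# 600,000 iterations, a 16-byte random salt per credential and a 32-byte derived key.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'.

    The salt is generated fresh for every credential, so two users with the same
    password produce different records and precomputed lookup tables do not apply.
    The iteration count is stored alongside the key so it can be raised later
    without breaking verification of records written with the old count.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_credential(password: str, stored: str) -> bool:
    """Recompute the key with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(key_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations),
                                        dklen=len(expected))
    except ValueError:
        # Malformed record: wrong field count, non-hex salt/key or non-integer iterations
        return False
    # hmac.compare_digest does not stop at the first differing byte, so timing
    # does not reveal how much of the candidate key matched
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")
    print(record)
    print("correct password verifies:", verify_credential("correct horse battery staple", record))
    print("wrong password verifies:", verify_credential("Tr0ub4dor&3", record))
```

Only the record string is stored; the plaintext never is. Because the salt and iteration count travel with the record, a later migration to a higher cost only requires re-hashing on the user's next successful login.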


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
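An added example (not the CIS text's own tooling) of the last control above: a per-user baseline is learned from historical successful logins, and new events are flagged when the time of day falls outside the user's usual window or the workstation has not been seen before. The log format, the user names and hosts, and the one-hour slack around the learned window are all constructed for this example; session duration is not modelled.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample authentication events (not from any real system).
# Historical successful logins used to learn each user's normal behaviour.
BASELINE_LOG = """\
2024-03-04T08:55:10 user=alice host=WS-ALICE result=success
2024-03-05T09:02:41 user=alice host=WS-ALICE result=success
2024-03-06T08:47:03 user=alice host=WS-ALICE result=success
2024-03-07T09:10:22 user=alice host=WS-ALICE result=success
2024-03-04T13:20:00 user=bob host=WS-BOB result=success
2024-03-05T14:05:12 user=bob host=WS-BOB result=success
2024-03-06T13:48:30 user=bob host=LAPTOP-BOB result=success
2024-03-06T23:59:00 user=bob host=LAPTOP-BOB result=failure
"""

# Constructed new events to be checked against that baseline.
NEW_LOG = """\
2024-03-08T09:01:00 user=alice host=WS-ALICE result=success
2024-03-08T02:13:45 user=alice host=WS-ALICE result=success
2024-03-08T13:30:00 user=bob host=WS-ALICE result=success
2024-03-08T10:00:00 user=carol host=WS-CAROL result=success
"""


def parse_events(log: str) -> List[dict]:
    """Parse 'ISO-timestamp key=value ...' lines into dicts with a datetime under 'time'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        timestamp, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["time"] = datetime.fromisoformat(timestamp)
        events.append(event)
    return events


def build_baseline(events: List[dict], hour_slack: int = 1) -> Dict[str, dict]:
    """Per user: the usual login-hour window (widened by hour_slack) and the hosts used."""
    by_user = defaultdict(list)
    for event in events:
        if event.get("result") == "success":   # failed attempts do not define normal behaviour
            by_user[event["user"]].append(event)
    baseline = {}
    for user, user_events in by_user.items():
        hours = [e["time"].hour for e in user_events]
        baseline[user] = {
            "hours": (max(min(hours) - hour_slack, 0), min(max(hours) + hour_slack, 23)),
            "hosts": {e["host"] for e in user_events},
        }
    return baseline


def detect_deviations(events: List[dict], baseline: Dict[str, dict]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, user, reasons) for every login that departs from the user's baseline."""
    alerts = []
    for event in events:
        user = event["user"]
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no login history for this user")
        else:
            low, high = profile["hours"]
            hour = event["time"].hour
            if not low <= hour <= high:
                reasons.append(f"login at {hour:02d}:xx outside usual window {low:02d}-{high:02d}")
            if event["host"] not in profile["hosts"]:
                reasons.append(f"first login from workstation {event['host']}")
        if reasons:
            alerts.append((event["time"].isoformat(), user, reasons))
    return alerts


if __name__ == "__main__":
    profile = build_baseline(parse_events(BASELINE_LOG))
    for when, who, why in detect_deviations(parse_events(NEW_LOG), profile):
        print(when, who, "; ".join(why))
```

With the constructed data this raises three alerts: alice's 02:13 login (outside her 07-10 window), bob's login from alice's workstation, and carol's login with no history at all. In production the baseline would be rebuilt on a rolling window so that a legitimate change in working pattern stops alerting after a few days.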
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
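An added illustration (example code, not from the CIS Controls) of the explicit input checking asked for in the second sub-control above: every field of a request is checked for presence, type, size, range and format, each failure produces a specific error, and unexpected fields are rejected rather than ignored. The field specification for an imaginary order request, its limits and patterns, are this example's assumptions.

```python
import re
from typing import Any, Dict, List

# Constructed field specification for an illustrative order request (assumed, not from
# the CIS text). Each field declares its type and, where relevant, size, range or format.
ORDER_SPEC: Dict[str, dict] = {
    "username": {"type": str, "max_len": 32, "pattern": re.compile(r"[a-z][a-z0-9_]{2,31}")},
    "quantity": {"type": int, "min": 1, "max": 100},
    "email":    {"type": str, "max_len": 254, "pattern": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")},
}


def validate(payload: Any, spec: Dict[str, dict] = ORDER_SPEC) -> List[str]:
    """Return a list of explicit validation errors; an empty list means the payload is acceptable.

    Checks run in the order presence, type, size, range/format, and stop at the first
    failure for a given field so that later checks never operate on the wrong type.
    """
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    errors: List[str] = []
    # Reject fields the specification does not know about instead of silently ignoring them
    for extra in sorted(set(payload) - set(spec)):
        errors.append(f"{extra}: unexpected field")
    for name, rules in spec.items():
        if name not in payload:
            errors.append(f"{name}: missing")
            continue
        value = payload[name]
        expected = rules["type"]
        # bool is a subclass of int in Python, so True would otherwise pass as the integer 1
        wrong_type = not isinstance(value, expected) or (expected is int and isinstance(value, bool))
        if wrong_type:
            errors.append(f"{name}: expected {expected.__name__}, got {type(value).__name__}")
            continue
        if expected is str:
            if "max_len" in rules and len(value) > rules["max_len"]:
                errors.append(f"{name}: longer than {rules['max_len']} characters")
                continue   # do not run a regex over an oversized input
            if "pattern" in rules and not rules["pattern"].fullmatch(value):
                errors.append(f"{name}: does not match required format")
        elif expected is int:
            if "min" in rules and value < rules["min"]:
                errors.append(f"{name}: below minimum {rules['min']}")
            if "max" in rules and value > rules["max"]:
                errors.append(f"{name}: above maximum {rules['max']}")
    return errors


if __name__ == "__main__":
    print(validate({"username": "alice_1", "quantity": 5, "email": "a@example.com"}))
    print(validate({"username": "Alice", "quantity": "5", "email": "bad"}))
    print(validate({"username": "bob_2", "quantity": True, "email": "b@example.com"}))
```

Two details matter here: `fullmatch` is used rather than `match` so a pattern cannot be satisfied by a valid prefix followed by arbitrary trailing data, and the length check runs before the regex so an oversized input is rejected without spending regex time on it.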
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)

[Mapping matrix for this sheet: only the fifteen column headings are recoverable from the extraction; the cell marks cannot be re-associated with their control rows and are omitted.]

Columns: 1 Physical Access and Maintenance Controls; 2 System Parameters; 3 User Accounts;
4 Service & Default Accounts; 5 Generic User Accounts; 6 Backups;
7 Electronic Storage of Documentation; 8 Creation of Wagering Instruments; 9 Recordkeeping Database;
10 Network Security and Data Protection; 11 Remote Access; 12 Changes to Production Environment;
13 Information Technology Department; 14 In-House Software Development; 15 Purchased Software Programs.
CIS Controls v7.1 mapped to Commonwealth of Massachusetts 201 CMR 17.00

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7
Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3
Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
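An added example (illustrative code, not the CIS Controls' own tooling) tying three of the sub-controls above together: DHCP server log lines are parsed to learn which hardware addresses are on the network, the hardware asset inventory is updated with the network address, machine name and last-seen time, and any device that is missing from the inventory or not approved to connect is reported for quarantine. The log lines are constructed in the style of ISC dhcpd DHCPACK messages, and the inventory contents are assumed.

```python
import re
from copy import deepcopy
from typing import Dict, List, Tuple

# Constructed lease log lines in the style of ISC dhcpd DHCPACK messages (not from a real server).
SAMPLE_DHCP_LOG = """\
Mar  8 09:12:01 dhcp1 dhcpd: DHCPACK on 10.1.20.15 to aa:bb:cc:dd:ee:01 (ws-alice) via eth0
Mar  8 09:12:07 dhcp1 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
Mar  8 09:12:08 dhcp1 dhcpd: DHCPACK on 10.1.20.77 to de:ad:be:ef:00:01 (android-9f3c) via eth0
Mar  8 09:15:44 dhcp1 dhcpd: DHCPACK on 10.1.20.30 to aa:bb:cc:dd:ee:02 via eth0
Mar  8 09:20:02 dhcp1 dhcpd: DHCPACK on 10.1.20.41 to aa:bb:cc:dd:ee:03 (old-kiosk) via eth0
"""

# Only DHCPACK lines matter: they confirm that a lease was actually handed out.
DHCPACK_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)

# Constructed hardware asset inventory keyed by hardware address, carrying the fields the
# control asks for (machine name, owner, department, approval to connect).
INVENTORY: Dict[str, dict] = {
    "aa:bb:cc:dd:ee:01": {"machine_name": "ws-alice", "owner": "alice", "department": "finance", "approved": True},
    "aa:bb:cc:dd:ee:02": {"machine_name": "printer-3f", "owner": "facilities", "department": "facilities", "approved": True},
    "aa:bb:cc:dd:ee:03": {"machine_name": "old-kiosk", "owner": "marketing", "department": "marketing", "approved": False},
}


def parse_dhcp_acks(log: str) -> List[dict]:
    """Extract timestamp, ip, mac, client-reported hostname (may be None) and interface per DHCPACK."""
    acks = []
    for line in log.splitlines():
        match = DHCPACK_RE.match(line)
        if match:
            acks.append(match.groupdict())
    return acks


def update_inventory(inventory: Dict[str, dict], acks: List[dict]) -> Tuple[Dict[str, dict], List[Tuple[str, str, str]]]:
    """Return (updated inventory, unauthorized devices as (mac, ip, reason)); the input is not mutated."""
    updated = deepcopy(inventory)
    unauthorized: List[Tuple[str, str, str]] = []
    for ack in acks:
        mac, ip = ack["mac"], ack["ip"]
        record = updated.get(mac)
        if record is None:
            # Unknown device: add it unapproved so the inventory stays complete, and flag it
            record = {"machine_name": ack["host"] or "", "owner": None, "department": None, "approved": False}
            updated[mac] = record
            unauthorized.append((mac, ip, "not in inventory: quarantine and review"))
        elif not record["approved"]:
            unauthorized.append((mac, ip, "in inventory but not approved to connect"))
        record["network_address"] = ip
        record["last_seen"] = ack["when"]
        if ack["host"]:
            # The hostname a client sends in its DHCP request is self-reported; keep it separate
            # from the inventory's own machine_name rather than overwriting it
            record["reported_hostname"] = ack["host"]
    return updated, unauthorized


if __name__ == "__main__":
    inventory, flagged = update_inventory(INVENTORY, parse_dhcp_acks(SAMPLE_DHCP_LOG))
    for mac, ip, reason in flagged:
        print(f"{mac} {ip}: {reason}")
```

The DHCPDISCOVER line is deliberately ignored: a discover does not mean a lease was granted. The client-supplied hostname is recorded separately from the inventory's machine name because a client can claim any name it likes.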
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
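An added example (not from the CIS Controls) of the last two sub-controls working together: two consecutive scan results are compared to separate remediated, new and persistent findings, and the current findings are then ordered by a risk rating that combines the CVSS score, whether the host is Internet-facing, and how long the finding has been open against an assumed remediation deadline per severity. The finding identifiers, hosts, scores, exposure data and deadlines are all constructed for this example.

```python
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed scan results (placeholder finding ids, not real vulnerability identifiers).
SCAN_PREVIOUS = {"date": date(2024, 3, 1), "findings": [
    {"host": "web-01", "id": "FINDING-0001", "cvss": 9.8},
    {"host": "web-01", "id": "FINDING-0002", "cvss": 5.3},
    {"host": "db-01",  "id": "FINDING-0003", "cvss": 7.5},
]}
SCAN_CURRENT = {"date": date(2024, 3, 8), "findings": [
    {"host": "web-01", "id": "FINDING-0001", "cvss": 9.8},
    {"host": "db-01",  "id": "FINDING-0003", "cvss": 7.5},
    {"host": "db-01",  "id": "FINDING-0004", "cvss": 4.0},
]}
INTERNET_FACING = {"web-01"}                                            # assumed exposure data
MAX_AGE_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}     # assumed remediation deadlines

Key = Tuple[str, str]   # (host, finding id)


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands (a score of 0.0 is treated as 'low' here)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def _keys(scan: dict) -> Set[Key]:
    return {(f["host"], f["id"]) for f in scan["findings"]}


def compare_scans(previous: dict, current: dict) -> Dict[str, Set[Key]]:
    """Findings that disappeared, appeared, or survived between two consecutive scans."""
    before, after = _keys(previous), _keys(current)
    return {"remediated": before - after, "new": after - before, "persistent": before & after}


def prioritize(previous: dict, current: dict, internet_facing: Set[str], today: date) -> List[dict]:
    """Remediation queue, highest risk first; persistent findings carry their age and deadline status.

    Age is measured from the previous scan date for persistent findings (the earliest
    evidence these two scans give) and from the current scan date for new ones.
    """
    persistent = compare_scans(previous, current)["persistent"]
    queue = []
    for finding in current["findings"]:
        key = (finding["host"], finding["id"])
        first_seen = previous["date"] if key in persistent else current["date"]
        age = (today - first_seen).days
        sev = severity(finding["cvss"])
        # Internet-facing hosts get a 1.5x weight: an assumed, deliberately simple exposure factor
        risk = finding["cvss"] * (1.5 if finding["host"] in internet_facing else 1.0)
        queue.append({"host": finding["host"], "id": finding["id"], "severity": sev,
                      "risk": round(risk, 1), "age_days": age, "overdue": age > MAX_AGE_DAYS[sev]})
    queue.sort(key=lambda item: (-item["risk"], -item["age_days"]))
    return queue


if __name__ == "__main__":
    print(compare_scans(SCAN_PREVIOUS, SCAN_CURRENT))
    for item in prioritize(SCAN_PREVIOUS, SCAN_CURRENT, INTERNET_FACING, date(2024, 3, 10)):
        print(item)
```

With more than two scans the first-seen date should be carried forward in a findings database rather than recomputed from the latest pair, otherwise a long-lived finding looks younger every time the comparison window moves.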

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
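The perimeter tool sub-control 13.3 calls for has to decide, per outbound message, whether sensitive data is leaving and then block and alert. As an added example (not code from the mapping sheet), the following inspector looks for payment card numbers and validates them with the Luhn checksum so that arbitrary 16-digit order or invoice numbers do not trigger blocks, plus US-style SSN patterns; the messages are constructed, and 4111 1111 1111 1111 is a widely used Luhn-valid test number, not a real card.

```python
"""Added example (not from the CIS mapping sheet): minimal outbound content
inspection in the spirit of sub-control 13.3.  Findings are masked before they
are returned so the alert itself does not re-leak the data."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text)]


def mask(value: str) -> str:
    """Keep only the last four characters for the alert."""
    return "*" * (len(value) - 4) + value[-4:]


def inspect_message(msg: dict) -> dict:
    """Decide whether one outbound message may cross the boundary."""
    pans = find_pans(msg["body"])
    ssns = find_ssns(msg["body"])
    action = "block" if pans or ssns else "allow"
    return {"id": msg["id"], "to": msg["to"], "action": action,
            "pan": [mask(p) for p in pans], "ssn": [mask(s) for s in ssns]}


def scan_outbound(messages: list) -> list:
    return [inspect_message(m) for m in messages]


# Constructed sample traffic (not real messages).
SAMPLE_MESSAGES = [
    {"id": 1, "to": "supplier@example.net",
     "body": "PO 1234 5678 9012 3456 shipped today."},          # fails Luhn: allow
    {"id": 2, "to": "someone@example.org",
     "body": "card on file is 4111 1111 1111 1111 exp 12/27"},  # Luhn-valid PAN: block
    {"id": 3, "to": "hr-partner@example.net",
     "body": "new hire SSN 123-45-6789 for payroll setup"},     # SSN pattern: block
]

if __name__ == "__main__":
    for result in scan_outbound(SAMPLE_MESSAGES):
        print(result)
```

A production DLP engine adds keyword context, document fingerprints and exact-data matching on top of this; the Luhn step is the part most often missing from home-grown regex filters and is what keeps the false-positive rate low enough for blocking rather than just alerting.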

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
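Sub-control 16.4 says "encrypt or hash with a salt"; in practice stored passwords should be run through a salted, deliberately slow key-derivation function rather than a plain hash. As an added example (not code from the mapping sheet), the following uses scrypt from the Python standard library with a fresh random salt per credential, stores the work factors alongside the hash so they can be raised later, and verifies with a constant-time comparison. The parameter values are assumptions to be sized for your hardware.

```python
"""Added example (not from the CIS mapping sheet): salted credential storage
with a memory-hard KDF, as sub-control 16.4 requires."""
import base64
import hashlib
import hmac
import os

# Assumed work factors: 128 * r * N bytes = 16 MiB per hash computation.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: $scrypt$N$r$p$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)   # one random salt per credential
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                       _b64(salt), _b64(dk))


def _parse(record: str):
    _, scheme, n, r, p, salt, dk = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme: %s" % scheme)
    return int(n), int(r), int(p), base64.b64decode(salt), base64.b64decode(dk)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    n, r, p, salt, expected = _parse(record)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record was made with weaker parameters than current policy."""
    n, r, p, _, dk = _parse(record)
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P or len(dk) < DKLEN


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec),
          verify_password("Tr0ub4dor&3", rec))
```

Because the parameters travel with the record, a login path can call needs_rehash() after a successful verify and transparently upgrade old hashes, which is how a fleet migrates off weaker settings without a forced password reset.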

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
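Sub-controls 16.9, 16.12 and 16.13 are all questions you can answer from the authentication log: which enabled accounts have gone quiet, who is still trying deactivated accounts, and which logins fall outside a user's normal hours. As an added example (not code from the mapping sheet), the following builds a per-user time-of-day baseline and applies the three checks; the log lines, account list, 90-day dormancy window and one-hour tolerance are constructed assumptions.

```python
"""Added example (not from the CIS mapping sheet): account monitoring logic
for sub-controls 16.9, 16.12 and 16.13 over constructed login records of the
form "<ISO-8601 time> <user> <result>"."""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 90        # assumption: disable after 90 days without a successful login
HOUR_TOLERANCE = 1       # assumption: +/- 1 hour around the hours seen in the baseline


def parse_events(lines):
    events = []
    for line in lines:
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def dormant_accounts(accounts, events, now, days=DORMANT_DAYS):
    """Enabled accounts with no successful login in the last `days` days (16.9)."""
    last_seen = {}
    for ts, user, result in events:
        if result == "success":
            last_seen[user] = max(last_seen.get(user, ts), ts)
    cutoff = now - timedelta(days=days)
    return sorted(u for u in accounts if u not in last_seen or last_seen[u] < cutoff)


def hour_baseline(events, until):
    """Hours of day at which each user logged in successfully before `until`."""
    hours = defaultdict(set)
    for ts, user, result in events:
        if result == "success" and ts < until:
            hours[user].add(ts.hour)
    return hours


def hour_distance(a, b):
    d = abs(a - b)
    return min(d, 24 - d)                   # the clock is circular


def off_hours_logins(events, baseline, since, tolerance=HOUR_TOLERANCE):
    """Successful logins after `since` at hours outside the user's baseline (16.13)."""
    alerts = []
    for ts, user, result in events:
        if result != "success" or ts < since or user not in baseline:
            continue
        if all(hour_distance(ts.hour, h) > tolerance for h in baseline[user]):
            alerts.append((ts, user))
    return alerts


def disabled_account_attempts(events, disabled):
    """Any authentication attempt against a deactivated account (16.12)."""
    return [(ts, user) for ts, user, _ in events if user in disabled]


# Constructed data: alice logs in around 08:00 and 17:00 through February,
# bob has not logged in since November, carol's account was disabled.
SAMPLE_LOG = []
for day in range(1, 21):
    SAMPLE_LOG.append("2024-02-%02dT08:05:00 alice success" % day)
    SAMPLE_LOG.append("2024-02-%02dT17:10:00 alice success" % day)
SAMPLE_LOG += [
    "2023-11-01T10:00:00 bob success",
    "2024-03-01T09:00:00 alice success",     # within one hour of the 08:xx baseline
    "2024-03-02T03:15:00 alice success",     # far from every baseline hour
    "2024-03-03T12:00:00 carol failure",     # attempt against a disabled account
]
ACCOUNTS = {"alice", "bob", "carol"}
DISABLED = {"carol"}
NOW = datetime(2024, 3, 5)
BASELINE_END = datetime(2024, 3, 1)


def report(lines=SAMPLE_LOG, now=NOW):
    events = parse_events(lines)
    baseline = hour_baseline(events, BASELINE_END)
    return {
        "dormant": dormant_accounts(ACCOUNTS - DISABLED, events, now),
        "off_hours": off_hours_logins(events, baseline, BASELINE_END),
        "disabled_attempts": disabled_account_attempts(events, DISABLED),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```

The same structure extends to the other attributes the sub-control names: replace the hour set with the set of source workstations, or with typical session duration, and the deviation test stays the same.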
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

[Mapping matrix: only the column headings are recoverable; the per-sub-control marks have no row labels and are omitted.]

IV: Designated Data Security Coordinator (DSC)
IV-a: DSC is responsible for implementation of the WISP
IV-b: DSC is responsible for training employees
IV-c: DSC is responsible for testing the WISP
IV-d: DSC is responsible for evaluating third parties
IV-e: DSC is responsible for reviewing security measures
IV-f: DSC is responsible for performing annual training
V-01: Internal Threats - Distribution of WISP to Employees
V-02: Internal Threats - Employee Awareness Training
V-03: Internal Threats - Employment Contract Provisions
V-04: Internal Threats - Limit Data Collected
V-05: Internal Threats - Access Based on Need to Know
V-06: Internal Threats - Block Unauthorized Access to Data
V-07: Internal Threats - Annual Security Measure Review
V-08: Internal Threats - Employee Termination Procedures (Return of Data)
V-09: Internal Threats - Employee Termination Procedures (Access Revoked)
V-10: Internal Threats - Passwords Changed Regularly
V-11: Internal Threats - Access Provided to Active Users Only
V-12: Internal Threats - Reporting Suspicious Behavior
V-13: Internal Threats - Incident Handling
V-14: Internal Threats - Do Not Leave Data Unattended
V-15: Internal Threats - Close Data at Conclusion of Work Day
V-16: Internal Threats - Restrict Physical Access to Data
V-17: Internal Threats - Unique User IDs Required
V-18: Internal Threats - Restrict Visitor Physical Access
V-19: Internal Threats - Disposal of Media
VI-01: External Threats - Firewall and OS Patches
VI-02: External Threats - Endpoint Protection
VI-03: External Threats - Encryption of Sensitive Data
VI-04: External Threats - Monitoring
VI-05: External Threats - Authentication
CIS Controls v7.1 mapped to New York State Department of Financial
Services 23 NYCRR 500

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System: 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
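Sub-controls 1.3, 1.5 and 1.6 together describe a loop: take each DHCP lease, look the hardware address up in the inventory, refresh the recorded network address for known assets, and flag anything unknown or not approved to connect for quarantine. As an added example (not code from the mapping sheet), the following implements that reconciliation; the log lines are constructed in the ISC dhcpd syslog style and the inventory, with the owner, department and approval fields sub-control 1.5 lists, is sample data.

```python
"""Added example (not from the CIS mapping sheet): reconciling DHCP server
logs with the hardware asset inventory (sub-controls 1.3, 1.5, 1.6)."""
import re

# DHCPACK lines carry the address handed out, the client MAC and, usually, its hostname.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)", re.I)


def parse_leases(lines):
    leases = []
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:                                   # DISCOVER/OFFER/REQUEST lines are skipped
            leases.append({"ip": m["ip"], "mac": m["mac"].lower(),
                           "name": m["name"], "iface": m["iface"]})
    return leases


def reconcile(leases, inventory):
    """Refresh addresses of known assets; report unknown and unapproved devices."""
    findings = []
    for lease in leases:
        asset = inventory.get(lease["mac"])
        if asset is None:
            findings.append({"mac": lease["mac"], "ip": lease["ip"], "name": lease["name"],
                             "status": "unknown device: quarantine or add to inventory"})
            continue
        asset["ip"] = lease["ip"]               # keep the recorded network address current (1.5)
        if not asset["approved"]:
            findings.append({"mac": lease["mac"], "ip": lease["ip"], "name": asset["name"],
                             "status": "not approved to connect: quarantine"})
    return findings


# Constructed inventory keyed by hardware address (sample data, not real hosts).
INVENTORY = {
    "3c:52:82:aa:bb:01": {"name": "wks-101", "owner": "alice", "dept": "finance",
                          "approved": True, "ip": None},
    "3c:52:82:aa:bb:02": {"name": "lab-printer", "owner": "bob", "dept": "rd",
                          "approved": False, "ip": None},
}

# Constructed log lines in ISC dhcpd syslog style.
SAMPLE_LOG = [
    "Mar  1 09:12:03 dhcp1 dhcpd[812]: DHCPACK on 10.0.20.14 to 3c:52:82:aa:bb:01 (wks-101) via eth0",
    "Mar  1 09:13:40 dhcp1 dhcpd[812]: DHCPDISCOVER from 00:1b:44:11:3a:b7 via eth0",
    "Mar  1 09:13:41 dhcp1 dhcpd[812]: DHCPACK on 10.0.20.77 to 00:1b:44:11:3a:b7 (android-9f2c) via eth0",
    "Mar  1 09:20:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.20.31 to 3c:52:82:aa:bb:02 via eth0",
]

if __name__ == "__main__":
    for finding in reconcile(parse_leases(SAMPLE_LOG), INVENTORY):
        print(finding)
```

Static-address and 802.1X-authenticated devices never appear in DHCP logs, which is why 1.3 is one input alongside the active and passive discovery of 1.1 and 1.2 rather than the whole inventory.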
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
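Sub-controls 3.6 and 3.7 are one workflow: diff consecutive scans so remediated, new and persisting findings are explicit, then rank what remains by risk and flag anything older than its remediation window. As an added example (not code from the mapping sheet), the following does both over two constructed scan results; the vulnerability identifiers are placeholders, not real CVEs, and the per-severity windows are assumptions.

```python
"""Added example (not from the CIS mapping sheet): comparing consecutive scan
results (3.6) and risk-rating the open findings (3.7)."""
from datetime import date

# Assumed remediation windows in days per CVSS band.
WINDOWS = [(9.0, "critical", 7), (7.0, "high", 14), (4.0, "medium", 30), (0.0, "low", 90)]


def severity(cvss: float):
    for floor, label, days in WINDOWS:
        if cvss >= floor:
            return label, days
    return "low", 90


def compare_scans(previous: dict, current: dict) -> dict:
    """Each scan is {(host, vuln_id): cvss}; return what changed between them."""
    prev_keys, curr_keys = set(previous), set(current)
    return {"remediated": sorted(prev_keys - curr_keys),
            "new": sorted(curr_keys - prev_keys),
            "persisting": sorted(prev_keys & curr_keys)}


def prioritize(current: dict, first_seen: dict, today: date) -> list:
    """Rank open findings: overdue ones first, then by CVSS."""
    rows = []
    for key, cvss in current.items():
        label, window = severity(cvss)
        age = (today - first_seen[key]).days
        rows.append({"host": key[0], "vuln": key[1], "cvss": cvss, "severity": label,
                     "age_days": age, "overdue": age > window})
    return sorted(rows, key=lambda r: (not r["overdue"], -r["cvss"]))


def track(scans: list) -> tuple:
    """scans: list of (date, findings), oldest first.  Returns (diffs, open findings)."""
    first_seen, diffs = {}, []
    prev_date, prev = None, {}
    for scan_date, findings in scans:
        for key in findings:
            first_seen.setdefault(key, scan_date)   # age counts from first detection
        if prev_date is not None:
            diffs.append((prev_date, scan_date, compare_scans(prev, findings)))
        prev_date, prev = scan_date, findings
    return diffs, prioritize(prev, first_seen, prev_date)


# Constructed scan output; VULN-* ids are placeholders, not real identifiers.
SCANS = [
    (date(2024, 2, 20), {("web-01", "VULN-A"): 9.8, ("web-01", "VULN-B"): 5.3,
                         ("db-01", "VULN-C"): 7.5}),
    (date(2024, 3, 1), {("web-01", "VULN-A"): 9.8, ("db-01", "VULN-C"): 7.5,
                        ("app-02", "VULN-D"): 4.0}),
]

if __name__ == "__main__":
    diffs, open_findings = track(SCANS)
    for prev_date, scan_date, diff in diffs:
        print(prev_date, "->", scan_date, diff)
    for row in open_findings:
        print(row)
```

Keying on (host, vulnerability) rather than on the scanner's own finding id is deliberate: ids are not stable across scanner versions, and a rescan of a rebuilt host should still match the old record.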

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
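On Windows domains, sub-controls 4.8 and 4.9 map onto a handful of Security log event IDs: 4728, 4732 and 4756 record a member added to a security-enabled global, local or universal group, 4729, 4733 and 4757 the corresponding removals, and 4625 a failed logon. As an added example (not code from the mapping sheet), the following applies both rules to constructed event records; the privileged-group list and admin-account set stand in for the inventory sub-control 4.1 produces.

```python
"""Added example (not from the CIS mapping sheet): detection logic for
sub-controls 4.8 and 4.9 over Windows Security events."""

GROUP_ADD = {4728: "global", 4732: "local", 4756: "universal"}
GROUP_REMOVE = {4729: "global", 4733: "local", 4757: "universal"}
FAILED_LOGON = 4625

# Assumed inventory of privileged groups and dedicated admin accounts (4.1).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-msmith"}


def evaluate(event: dict):
    """Return an alert for one event, or None if it is not of interest."""
    eid = event["EventID"]
    if eid in GROUP_ADD or eid in GROUP_REMOVE:
        group = event["TargetUserName"]         # for group-change events this is the group
        if group in PRIVILEGED_GROUPS:
            verb = "added to" if eid in GROUP_ADD else "removed from"
            return {"rule": "4.8", "time": event["TimeCreated"],
                    "summary": "%s %s %s by %s (event %d)" % (
                        event["MemberName"], verb, group, event["SubjectUserName"], eid)}
    elif eid == FAILED_LOGON and event["TargetUserName"] in ADMIN_ACCOUNTS:
        return {"rule": "4.9", "time": event["TimeCreated"],
                "summary": "failed logon to admin account %s from %s (status %s)" % (
                    event["TargetUserName"], event.get("IpAddress", "?"),
                    event.get("Status", "?"))}
    return None


def run(events: list) -> list:
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed events (field names follow the Windows Security log, values are made up).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-01T09:12:03", "EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example", "SubjectUserName": "svc-hr"},
    {"TimeCreated": "2024-03-01T09:15:10", "EventID": 4728, "TargetUserName": "Marketing",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example", "SubjectUserName": "helpdesk1"},
    {"TimeCreated": "2024-03-01T22:40:55", "EventID": 4625, "TargetUserName": "adm-jdoe",
     "IpAddress": "10.0.20.14", "Status": "0xC000006D"},
    {"TimeCreated": "2024-03-01T22:41:02", "EventID": 4625, "TargetUserName": "bob",
     "IpAddress": "10.0.20.14", "Status": "0xC000006D"},
    {"TimeCreated": "2024-03-02T01:03:00", "EventID": 4733, "TargetUserName": "Administrators",
     "MemberName": "CN=adm-msmith,OU=Admins,DC=corp,DC=example", "SubjectUserName": "adm-jdoe"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The first alert is the interesting one in practice: a service account (svc-hr) adding a user to Domain Admins is exactly the kind of change that should page someone, and it is only visible if the group-membership events are being collected from every domain controller.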
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
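Rolling out sub-control 7.8 means publishing SPF, DKIM and DMARC records and then checking they actually say what you intend. As an added example (not code from the mapping sheet), the following parses SPF and DMARC TXT records and reports the weaknesses a reviewer looks for: a permissive or missing all mechanism, more than the ten DNS lookups RFC 7208 allows, a DMARC policy still at p=none, partial pct, and no aggregate-report address. The records are constructed; a real check would fetch them over DNS, which is left out so this runs offline.

```python
"""Added example (not from the CIS mapping sheet): review checks for a
domain's SPF and DMARC records (sub-control 7.8)."""

SPF_MAX_LOOKUPS = 10      # RFC 7208 section 4.6.4 limit; exceeding it yields permerror


def parse_spf(record: str) -> dict:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = {"all": None, "lookups": 0, "ptr": False, "mechanisms": []}
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = body.split(":", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            parsed["all"] = qualifier
        elif name.startswith("redirect="):
            parsed["lookups"] += 1
        elif name in ("include", "a", "mx", "ptr", "exists"):
            parsed["lookups"] += 1             # each of these costs a DNS lookup
            parsed["ptr"] = parsed["ptr"] or name == "ptr"
        parsed["mechanisms"].append(qualifier + body)
    return parsed


def assess_spf(record: str) -> list:
    spf = parse_spf(record)
    issues = []
    if spf["all"] is None:
        issues.append("no 'all' mechanism: unlisted senders evaluate as neutral")
    elif spf["all"] == "+":
        issues.append("'+all' authorizes every sender; use '-all' or '~all'")
    elif spf["all"] == "?":
        issues.append("'?all' is neutral, equivalent to no policy")
    if spf["lookups"] > SPF_MAX_LOOKUPS:
        issues.append("%d DNS lookups exceed the limit of %d; receivers return permerror"
                      % (spf["lookups"], SPF_MAX_LOOKUPS))
    if spf["ptr"]:
        issues.append("'ptr' mechanism is deprecated and unreliable")
    return issues


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("missing or wrong 'v=DMARC1' tag")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid 'p' tag")
    elif policy == "none":
        issues.append("p=none only monitors; move to quarantine/reject once reports are clean")
    if int(tags.get("pct", "100")) < 100:
        issues.append("pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        issues.append("no 'rua' address: aggregate reports are not being collected")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        issues.append("sp=none leaves subdomains unprotected")
    return issues


# Constructed records for example.net (not real DNS data).
SPF_WEAK = "v=spf1 include:_spf.example.net a mx ptr +all"
SPF_GOOD = "v=spf1 include:_spf.example.net ip4:198.51.100.0/24 -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.net; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, record, check in [("spf weak", SPF_WEAK, assess_spf), ("spf good", SPF_GOOD, assess_spf),
                                 ("dmarc weak", DMARC_WEAK, assess_dmarc), ("dmarc good", DMARC_GOOD, assess_dmarc)]:
        print(label, check(record))
```

The lookup counter only counts the top-level record; included records contribute their own lookups, so a complete check recurses into each include before comparing against the limit.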
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
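The two checks in 11.2 and 11.3 lend themselves to automation: every rule that permits traffic must trace back to a documented reason, owner and expiry, and the running configuration must match the approved baseline. The script below is an added example, not part of the CIS Controls text or any vendor's tooling; the device configurations, the rule register and the audit date are constructed, and the Cisco-like ACL syntax is only illustrative.

```python
"""Added example, not part of the CIS Controls text: checks for
sub-controls 11.2 and 11.3 run over constructed network device
configurations and a constructed rule register."""
import difflib
from dataclasses import dataclass
from datetime import date

# Constructed approved baseline (11.1) in a Cisco-like syntax.
APPROVED_CONFIG = """\
hostname edge-fw-1
ip access-list extended OUTSIDE_IN
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.10 eq 53
 deny ip any any log
"""

# Constructed running config pulled from the device: an undocumented
# SSH rule was added and logging was dropped from the final deny.
RUNNING_CONFIG = """\
hostname edge-fw-1
ip access-list extended OUTSIDE_IN
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.10 eq 53
 permit tcp any host 203.0.113.10 eq 22
 deny ip any any
"""

AUDIT_DATE = date(2025, 1, 15)  # constructed "today" for the audit


@dataclass
class RuleRecord:
    """What 11.2 requires the configuration management system to hold."""
    business_reason: str
    owner: str      # named individual responsible for the need
    expires: date   # expected end of the need


# Constructed rule register keyed by the exact rule text.
RULE_REGISTER = {
    "permit tcp any host 203.0.113.10 eq 443": RuleRecord(
        "public HTTPS for customer portal", "J. Example", date(2026, 6, 30)),
    "permit udp any host 203.0.113.10 eq 53": RuleRecord(
        "external DNS for the portal zone", "", date(2024, 12, 31)),
}


def config_drift(approved: str, running: str) -> list[str]:
    """11.3: report baseline lines missing from the running config and
    running-config lines absent from the baseline, in config order."""
    a = [line.strip() for line in approved.splitlines()]
    b = [line.strip() for line in running.splitlines()]
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    deviations = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            deviations += [f"missing: {line}" for line in a[i1:i2]]
        if tag in ("insert", "replace"):
            deviations += [f"unexpected: {line}" for line in b[j1:j2]]
    return deviations


def audit_permit_rules(running: str, register: dict, today: date) -> dict:
    """11.2: every permit rule on the device must have a register entry
    with a business reason, a responsible owner and an unexpired need."""
    problems = {}
    for raw in running.splitlines():
        rule = raw.strip()
        if not rule.startswith("permit "):
            continue
        rec = register.get(rule)
        if rec is None:
            problems[rule] = ["undocumented"]
            continue
        issues = []
        if not rec.business_reason.strip():
            issues.append("no business reason")
        if not rec.owner.strip():
            issues.append("no owner")
        if rec.expires < today:
            issues.append(f"expired {rec.expires.isoformat()}")
        if issues:
            problems[rule] = issues
    return problems


if __name__ == "__main__":
    for deviation in config_drift(APPROVED_CONFIG, RUNNING_CONFIG):
        print("DRIFT", deviation)
    for rule, issues in audit_permit_rules(RUNNING_CONFIG, RULE_REGISTER, AUDIT_DATE).items():
        print("RULE", rule, "->", ", ".join(issues))
```

The drift check is line-order aware, which matters for ACLs, so a rule moved above the final deny shows up as a deviation even when no text changed.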
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
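Sub-controls 16.9, 16.12 and 16.13 are all questions you can ask of an account inventory and an authentication log. The script below is an added example, not part of the CIS Controls text: it builds a per-user baseline of usual login hours and workstations from historical events, flags new events that deviate from it or that hit a deactivated account, and lists inventory accounts with no recent successful login. The log format, the account list, the 45-day idle threshold and the review date are all constructed.

```python
"""Added example, not part of the CIS Controls text: account-monitoring
checks for sub-controls 16.9, 16.12 and 16.13 over constructed
authentication log lines and a constructed account inventory (16.6)."""
import re
from datetime import date, datetime, timezone

# Constructed account inventory for one authentication system.
ACCOUNTS = ["alice", "bob", "carol", "dave", "svc-backup"]

# Constructed historical events used to build per-user baselines.
BASELINE_LOG = """\
2025-01-06T08:55:10Z LOGIN user=alice host=WS-ALICE-01 result=success
2025-01-07T09:03:42Z LOGIN user=alice host=WS-ALICE-01 result=success
2025-01-08T08:47:05Z LOGIN user=alice host=WS-ALICE-01 result=success
2025-01-06T07:30:00Z LOGIN user=bob host=WS-BOB-02 result=success
2025-01-07T07:41:19Z LOGIN user=bob host=WS-BOB-02 result=success
2025-01-08T07:35:56Z LOGIN user=bob host=WS-BOB-02 result=success
2024-11-01T02:00:00Z LOGIN user=svc-backup host=SRV-BKP-01 result=success
"""

# Constructed events from the day under review.
NEW_LOG = """\
2025-01-15T09:10:00Z LOGIN user=alice host=WS-ALICE-01 result=success
2025-01-15T23:48:31Z LOGIN user=alice host=WS-ALICE-01 result=success
2025-01-15T09:12:07Z LOGIN user=bob host=SRV-FILE-09 result=success
2025-01-15T10:00:00Z LOGIN user=carol host=WS-CAROL-03 result=failure reason=account_disabled
"""

REVIEW_DATE = date(2025, 1, 15)  # constructed "today"
LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN (?P<kv>.+)$")


def parse_events(log: str) -> list[dict]:
    """Turn 'timestamp LOGIN k=v k=v' lines into dicts with a UTC datetime."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication event
        fields = dict(item.split("=", 1) for item in m["kv"].split())
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(fields)
    return events


def build_baseline(events: list[dict]) -> dict:
    """Per user: workstations seen and login hours observed (successes only)."""
    baseline = {}
    for e in events:
        if e.get("result") != "success":
            continue
        b = baseline.setdefault(e["user"], {"hosts": set(), "hours": []})
        b["hosts"].add(e["host"])
        b["hours"].append(e["ts"].hour)
    return baseline


def detect_deviations(events: list[dict], baseline: dict, slack_hours: int = 2) -> list[tuple]:
    """16.12/16.13: flag use of deactivated accounts and logins outside a
    user's usual hours or from a workstation the user has never used."""
    alerts = []
    for e in events:
        user = e["user"]
        if e.get("result") == "failure" and e.get("reason") == "account_disabled":
            alerts.append((user, "attempt to use deactivated account"))
            continue
        b = baseline.get(user)
        if b is None:
            alerts.append((user, "no baseline for this account"))
            continue
        if e["host"] not in b["hosts"]:
            alerts.append((user, f"unusual workstation {e['host']}"))
        low, high = min(b["hours"]) - slack_hours, max(b["hours"]) + slack_hours
        if not low <= e["ts"].hour <= high:
            alerts.append((user, f"unusual login hour {e['ts'].hour:02d}:00 UTC"))
    return alerts


def dormant_accounts(accounts, events, today: date, max_idle_days: int = 45) -> dict:
    """16.9: accounts idle longer than max_idle_days, or with no successful
    login on record at all (value None), that should be disabled."""
    last_login = {}
    for e in events:
        if e.get("result") == "success":
            d = e["ts"].date()
            if d > last_login.get(e["user"], date.min):
                last_login[e["user"]] = d
    dormant = {}
    for account in accounts:
        if account not in last_login:
            dormant[account] = None
        elif (today - last_login[account]).days > max_idle_days:
            dormant[account] = (today - last_login[account]).days
    return dormant


if __name__ == "__main__":
    history = parse_events(BASELINE_LOG)
    for alert in detect_deviations(parse_events(NEW_LOG), build_baseline(history)):
        print("ALERT", *alert)
    all_events = history + parse_events(NEW_LOG)
    for account, idle in dormant_accounts(ACCOUNTS, all_events, REVIEW_DATE).items():
        print("DORMANT", account, "never logged in" if idle is None else f"idle {idle} days")
```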
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand which security skills and behaviors workforce members are
not adhering to, and use this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)

[Mapping matrix: individual cell marks were not preserved in extraction. The columns are:
Section 500.02 Cybersecurity Program; Section 500.03 Cybersecurity Policy; Section 500.04 Chief
Information Security Officer; Section 500.05 Penetration Testing and Vulnerability Assessments;
Section 500.06 Audit Trail; Section 500.07 Access Privileges; Section 500.08 Application Security;
Section 500.09 Risk Assessment; Section 500.10 Cybersecurity Personnel and Intelligence;
Section 500.11 Third Party Information Security Policy; Section 500.12 Multi-Factor Authentication;
Section 500.13 Limitations on Data Retention; Section 500.14 Training and Monitoring;
Section 500.15 Encryption of Nonpublic Information; Section 500.16 Incident Response Plan.]
CIS Controls v7.1 mapped to the Victorian Protective Data Security
Framework (v1.0)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7

System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1
Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2
Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1
Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12
Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9
Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4
Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls v7.1 mapped to the Victorian Protective Data Security Framework (v1.0)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
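Sub-controls 3.6 and 3.7 describe a loop that is easy to script once scan output is normalized: diff consecutive scans to separate remediated, persisting and new findings, check the persisting ones against a remediation deadline, and order what is still open by risk rather than by raw severity. The script below is an added example and not part of the CIS Controls text or any scanner's own reporting; the scan results, first-seen tracker, asset criticality values, deadlines and the FINDING-nnn ids are all constructed placeholders.

```python
"""Added example, not part of the CIS Controls text: compares two
consecutive vulnerability scans (3.6) and risk-rates the open findings
(3.7). Scan results, asset data, deadlines and finding ids are constructed."""
from dataclasses import dataclass
from datetime import date

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
# Constructed remediation deadlines, in days after a finding is first seen.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed slice of the asset inventory (CSC 1): business criticality 1-3
# and whether the host is reachable from the Internet.
ASSETS = {
    "web-01": {"criticality": 3, "internet_facing": True},
    "db-01": {"criticality": 3, "internet_facing": False},
    "ws-17": {"criticality": 1, "internet_facing": False},
}


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str  # placeholder; a real scanner would emit a CVE or plugin id
    severity: str


# Constructed output of two scans three weeks apart.
PREVIOUS_SCAN = [
    Finding("web-01", "FINDING-001", "critical"),
    Finding("web-01", "FINDING-002", "medium"),
    Finding("db-01", "FINDING-003", "high"),
    Finding("ws-17", "FINDING-004", "low"),
]
CURRENT_SCAN = [
    Finding("web-01", "FINDING-001", "critical"),
    Finding("db-01", "FINDING-003", "high"),
    Finding("ws-17", "FINDING-004", "low"),
    Finding("web-01", "FINDING-005", "high"),
]
CURRENT_SCAN_DATE = date(2025, 1, 20)
# Constructed tracker of when each (host, id) pair was first reported.
FIRST_SEEN = {
    ("web-01", "FINDING-001"): date(2024, 12, 20),
    ("web-01", "FINDING-002"): date(2025, 1, 1),
    ("db-01", "FINDING-003"): date(2025, 1, 1),
    ("ws-17", "FINDING-004"): date(2024, 10, 1),
}


def compare_scans(previous, current, first_seen, scan_date):
    """3.6: split the current scan into remediated, new and persisting
    findings; newly seen findings get scan_date as their first-seen date."""
    prev = {(f.host, f.finding_id): f for f in previous}
    curr = {(f.host, f.finding_id): f for f in current}
    result = {
        "remediated": [prev[k] for k in prev if k not in curr],
        "new": [curr[k] for k in curr if k not in prev],
        "persisting": [curr[k] for k in curr if k in prev],
    }
    for f in result["new"]:
        first_seen.setdefault((f.host, f.finding_id), scan_date)
    return result


def overdue(findings, first_seen, scan_date):
    """Findings open longer than the deadline for their severity."""
    late = []
    for f in findings:
        age = (scan_date - first_seen[(f.host, f.finding_id)]).days
        if age > SLA_DAYS[f.severity]:
            late.append((f, age))
    return late


def risk_score(f, assets):
    """3.7: severity weighted by asset criticality and Internet exposure.
    A host missing from the inventory is itself a CSC 1 gap; score it as
    mid-criticality rather than silently dropping it."""
    asset = assets.get(f.host, {"criticality": 2, "internet_facing": False})
    exposure = 2 if asset["internet_facing"] else 1
    return SEVERITY_WEIGHT[f.severity] * asset["criticality"] * exposure


def prioritize(findings, assets):
    """Open findings ordered for remediation, highest risk first."""
    return sorted(findings, key=lambda f: risk_score(f, assets), reverse=True)


if __name__ == "__main__":
    delta = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, FIRST_SEEN, CURRENT_SCAN_DATE)
    for f, age in overdue(delta["persisting"], FIRST_SEEN, CURRENT_SCAN_DATE):
        print(f"OVERDUE {f.host} {f.finding_id} ({f.severity}) open {age} days")
    for f in prioritize(delta["new"] + delta["persisting"], ASSETS):
        print(f"{risk_score(f, ASSETS):3d} {f.host} {f.finding_id} {f.severity}")
```

Note that the "high" finding on the Internet-facing web server outranks the "high" finding on the internal database, which is the point of rating by exposure and criticality instead of scanner severity alone.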

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
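Sub-control 7.8 names three DNS-published records, and whether they actually stop spoofed mail depends on a handful of tag values inside them. The script below is an added example, not part of the CIS Controls text: it evaluates an SPF, a DKIM and a DMARC record and reports which weaknesses would let mail that fails authentication through. The record strings are constructed (a weak set beside a hardened set, with a placeholder DKIM public key) and no DNS lookups are made; the record locations named in the docstring follow the SPF, DKIM and DMARC standards.

```python
"""Added example, not part of the CIS Controls text: evaluates SPF, DKIM
and DMARC records for the email-authentication posture sub-control 7.8
calls for. The records are constructed strings; in production they are
fetched as DNS TXT records (SPF at the domain, DKIM at
<selector>._domainkey.<domain>, DMARC at _dmarc.<domain>)."""

# Mechanisms and modifiers that cost a DNS lookup; SPF allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed "before" records: anyone may send as the domain, the DKIM
# key is revoked and in test mode, and DMARC only monitors half the mail.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net +all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
# Constructed "after" records (the public key is a placeholder).
HARDENED_RECORDS = {
    "spf": "v=spf1 mx include:_spf.example.net -all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DKIM and DMARC form)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    findings = []
    mechanisms = [t.lower() for t in terms[1:]]
    all_term = next((t for t in mechanisms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("SPF: '+all' authorizes any host to send as the domain")
    lookups = sum(1 for t in mechanisms
                  if t.lstrip("+-~?").split(":")[0].split("=")[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dkim(record: str) -> list[str]:
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: unexpected version tag")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag, the key is revoked and signatures cannot verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y testing flag set, verifiers may not act on failures")
    return findings


def check_dmarc(record: str) -> list[str]:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or '<missing>'} does not enforce, failing mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings


def email_auth_posture(spf: str, dkim: str, dmarc: str) -> dict:
    """Findings from all three records plus whether mail failing
    authentication would actually be rejected or quarantined."""
    findings = check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)
    dmarc_tags = parse_tags(dmarc)
    enforcing = (
        dmarc_tags.get("p") in ("quarantine", "reject")
        and int(dmarc_tags.get("pct", "100")) == 100
        and bool(parse_tags(dkim).get("p"))
        and any(t.lower() in ("-all", "~all") for t in spf.split())
    )
    return {"enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        result = email_auth_posture(**records)
        print(label, "enforcing" if result["enforcing"] else "not enforcing")
        for finding in result["findings"]:
            print("  ", finding)
```

The sub-control's "start with SPF and DKIM" ordering shows up in the `enforcing` test: a `p=reject` DMARC policy is only meaningful once there is a valid DKIM key and an SPF record that fails unlisted senders.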
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
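Sub-controls 9.1 through 9.3 above (the list is repeated later on this page) describe one loop: tie listeners to the asset inventory, allow only those with a validated need, scan regularly and alert on deviations. The following is an added example of that comparison step and is not code from the CIS mapping tool or from any scanner. The inventory and the scan output are constructed; in a real deployment the inventory comes from the asset inventory system and `parse_scan()` would read the organization's own scanner output.

```python
"""Compare observed listening ports with the authorized port inventory.

Added example, not part of the CIS mapping tool. The inventory below and the
scan output are both constructed; in practice the inventory comes from the
hardware asset inventory (sub-control 9.1) and the scan from the organization's
scanner, whose output you would parse in place of parse_scan().
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, int]  # (protocol, port)

# Constructed inventory: authorized listeners per asset, with the service
# that justifies them (the "validated business need" of sub-control 9.2).
AUTHORIZED: Dict[str, Dict[Listener, str]] = {
    "web01": {("tcp", 22): "ssh", ("tcp", 443): "https"},
    "db01": {("tcp", 22): "ssh", ("tcp", 5432): "postgres"},
}

# Constructed scan output: one "host proto port state" line per result.
SCAN_OUTPUT = """\
web01 tcp 22 open
web01 tcp 443 open
web01 tcp 8080 open
db01 tcp 22 open
db01 udp 161 open
printer7 tcp 9100 open
db01 tcp 5432 closed
"""


@dataclass(frozen=True)
class Finding:
    host: str
    proto: str
    port: int
    kind: str  # "unauthorized", "missing" or "unknown_host"


def parse_scan(text: str) -> Dict[str, Set[Listener]]:
    """Collect the open listeners per host, ignoring closed/filtered results."""
    observed: Dict[str, Set[Listener]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != "open":
            continue
        host, proto, port = fields[0], fields[1].lower(), int(fields[2])
        observed.setdefault(host, set()).add((proto, port))
    return observed


def compare(authorized: Dict[str, Dict[Listener, str]],
            observed: Dict[str, Set[Listener]]) -> List[Finding]:
    """Return every deviation between inventory and scan.

    - unauthorized: a listener is open that the inventory does not allow
    - missing: an authorized service is not listening (inventory drift or outage)
    - unknown_host: the host answered but is not in the asset inventory at all
    """
    findings: List[Finding] = []
    for host in sorted(set(authorized) | set(observed)):
        seen = observed.get(host, set())
        if host not in authorized:
            for proto, port in sorted(seen):
                findings.append(Finding(host, proto, port, "unknown_host"))
            continue
        allowed = set(authorized[host])
        for proto, port in sorted(seen - allowed):
            findings.append(Finding(host, proto, port, "unauthorized"))
        for proto, port in sorted(allowed - seen):
            findings.append(Finding(host, proto, port, "missing"))
    return findings


def audit() -> List[Finding]:
    """Run the comparison on the constructed data."""
    return compare(AUTHORIZED, parse_scan(SCAN_OUTPUT))


if __name__ == "__main__":
    for f in audit():
        print(f"{f.kind:12} {f.host} {f.proto}/{f.port}")
```

The "missing" finding is deliberate: a service that the inventory says should be listening but is not is either an outage or a stale inventory entry, and both are worth a ticket. A host that answers a scan but is absent from the inventory is reported separately, because sub-control 9.1 requires that every active port be associated with an inventoried asset.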
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a): mapping matrix against Standards 1 to 18. Only the column headings survived extraction; the individual mapping marks could not be attributed to sub-controls.

Standard 1: Security Management Framework; Standard 2: Security Risk Management; Standard 3: Security Policies and Procedures
Standard 4: Security Training and Awareness; Standard 5: Information Access; Standard 6: Security Obligations
Standard 7: Security Incident Management; Standard 8: Business Continuity Management; Standard 9: Contracted Service Providers
Standard 10: Government Services; Standard 11: Security Plans; Standard 12: Compliance
Standard 13: Information Value; Standard 14: Information Sharing; Standard 15: Information Management
Standard 16: Personnel Lifecycle; Standard 17: Physical Lifecycle; Standard 18: Information Communications Technology (ICT) Lifecycle

CIS Controls v7.1 mapped to ANSSI's 40 Essential Measures for a Healthy Network
(www.ssi.gouv.fr/systemesindustriels)

Sub-controls per Control, with the asset-type label used on the sheet (the mapping columns themselves did not survive extraction):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices: System 1.1 to 1.8
Critical Security Control #2: Inventory of Authorized and Unauthorized Software: System 2.1 to 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation: System 3.1 to 3.7
Critical Security Control #4: Controlled Use of Administrative Privileges: System 4.1 to 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software: System 5.1 to 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs: System 6.1 to 6.8
Critical Security Control #7: Email and Web Browser Protections: System 7.1 to 7.10
Critical Security Control #8: Malware Defenses: System 8.1 to 8.8
Critical Security Control #9: Limitation and Control of Network Ports: System 9.1 to 9.5
Critical Security Control #10: Data Recovery Capabilities: System 10.1 to 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches: Network 11.1 to 11.7
Critical Security Control #12: Boundary Defense: Network 12.1 to 12.12
Critical Security Control #13: Data Protection: Network 13.1 to 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know: Application 14.1 to 14.9
Critical Security Control #15: Wireless Access Control: Network 15.1 to 15.10
Critical Security Control #16: Account Monitoring and Control: Application 16.1 to 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program: Application 17.1 to 17.9
Critical Security Control #18: Application Software Security: Application 18.1 to 18.11
Critical Security Control #19: Incident Response and Management: Application 19.1 to 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises: Application 20.1 to 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.

Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt, or hash with a salt, all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.


Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.

Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.

Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain third-party contact information to be used to report a security incident,
such as Law Enforcement, relevant government departments, vendors, and Information Sharing and
Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)

Mapping target: 40 measures (grid column headings)

1. Have an accurate map of IT installations and keep it updated.
2. Keep an exhaustive inventory of privileged accounts and ensure this is updated.
3. Create and apply procedures for the arrival and departure of users (personnel, interns, etc.).
4. Limit the number of Internet access points for the company to those that are strictly necessary.
5. Prohibit the connection of personal devices to the organisation's information system.
6. Know how all software components are updated and keep up to date on the vulnerabilities of these components and their required updates.
7. Define and strictly apply an update policy.
8. Identify each individual accessing the system by name.
9. Set rules for the choice and size of passwords.
10. Set in place technical methods to enable authentication rules to be followed.
11. Do not store passwords in plain sight in files on information systems.
12. Systematically renew default authentication settings (password, certificates) on devices (network switches, routers, servers, printers).
13. Opt, where possible, for strong, smart card authentication.
14. Implement a uniform level of security across the entire IT stock.
15. Technically prevent the connection of portable media except where strictly necessary; deactivate the execution of the autorun functions from these types of media.
16. Use an IT stock management tool that enables the deployment of security policies and updates to machines.
17. Manage portable machines with a security policy that is at least as stringent as for fixed machines.
18. Wherever possible, prohibit remote connections to client machines.
19. Encrypt sensitive data, especially on mobile machines and media that may get lost.
20. Frequently audit (or have audited) the configuration of the central directory (Active Directory in Windows environments or LDAP directory for example).
21. Set in place compartmentalised networks. For machines or servers containing information that is of strategic importance to the company, create a sub-network protected by a specific interconnection gateway.
22. Avoid the use of wireless (Wifi) infrastructures. If the use of these technologies cannot be avoided, compartmentalise the Wifi access network from the rest of the information system.
23. Systematically use secure applications and protocols.
24. Secure Internet interconnection gateways.
25. Ensure that there are no machines on the network with an administration interface that is accessible via the Internet.
26. Clearly define the objectives of system and network monitoring.
27. Define event log analysis methods.
28. Prohibit all access to the Internet from administration accounts.
29. Use a dedicated network for the administration of machines or at least a network that is logically separated from the user network.
30. Do not grant administration privileges to users. Make no exceptions.
31. Only authorise remote access to the company network, even for network administration, from company machines that use strong authentication mechanisms and protect the integrity and confidentiality of traffic using robust means.
32. Robust control mechanisms for premises access must imperatively be used.
33. Keys to access the premises and alarm codes must be scrupulously protected.
34. Do not leave access sockets to the internal network accessible in locations that are open to the public.
35. Define rules for the use of printers and photocopiers.
36. Develop a plan for IT recovery and continuity of activity, even if only in outline, that is regularly updated, setting out how to safeguard the company's essential data.
37. Implement an alert and reaction chain that all parties involved are familiar with.
38. Never simply deal with the infection of a machine without attempting to establish how the malware came to be installed on that machine, whether it has spread elsewhere on the network and what data has been accessed.
39. Make users aware of the basic IT rules.
40. Periodically carry out a security audit (at least annually). Each audit must be accompanied by an action plan, the implementation of which should be monitored at the highest level.
CIS Controls v7.1 mapped to ?????

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System: 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8

CIS Controls v7.1 mapped to ?????

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all hardware assets, whether connected to the
organization's network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported by the software's
vendor are added to the organization's authorized software inventory. Unsupported software should
be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on
the network on a weekly or more frequent basis to identify all potential vulnerabilities on the
organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities
have been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
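The last two sub-controls, comparing back-to-back scans and risk-rating the results, are easy to state and routinely done badly (a scanner's raw severity is not a priority). The Python below is an added example of both steps together; it is not code from the CIS Controls or from any scanner. The two scan result sets, the finding identifiers (placeholders, not real CVE or plugin ids), the exposure weights and the remediation deadlines are all constructed assumptions.

```python
from datetime import date

# Constructed reference date: the day the second scan is reviewed.
TODAY = date(2024, 3, 1)

# Constructed results of two consecutive authenticated scans, keyed by (host, finding id).
# 'cvss' is the scanner's base score; 'first_seen' is the date the finding first appeared.
# The layout is an assumption, not any scanner's export format.
SCAN_PREVIOUS = {
    ("db01", "FINDING-A"): {"cvss": 9.8, "first_seen": date(2024, 1, 10)},
    ("db01", "FINDING-B"): {"cvss": 5.3, "first_seen": date(2024, 1, 10)},
    ("ws07", "FINDING-C"): {"cvss": 7.5, "first_seen": date(2024, 2, 1)},
}
SCAN_CURRENT = {
    ("db01", "FINDING-B"): {"cvss": 5.3, "first_seen": date(2024, 1, 10)},
    ("ws07", "FINDING-C"): {"cvss": 7.5, "first_seen": date(2024, 2, 1)},
    ("web02", "FINDING-D"): {"cvss": 8.8, "first_seen": date(2024, 2, 15)},
}

# Constructed exposure weights: Internet-facing hosts count double; anything not listed is 1.0.
EXPOSURE = {"web02": 2.0}


def compare_scans(previous, current):
    """Back-to-back comparison (sub-control 3.6): what was fixed, what persists, what is new."""
    prev, cur = set(previous), set(current)
    return {
        "remediated": sorted(prev - cur),
        "persisting": sorted(prev & cur),
        "new": sorted(cur - prev),
    }


def risk_rating(finding, host, exposure):
    """Scanner severity scaled by the host's exposure, capped at 10 (sub-control 3.7)."""
    return min(10.0, finding["cvss"] * exposure.get(host, 1.0))


def sla_days(rating):
    """Remediation deadline in days by rating; the thresholds are an assumed policy."""
    if rating >= 9.0:
        return 7
    if rating >= 7.0:
        return 30
    return 90


def prioritize(current, exposure, today):
    """Order the open findings by rating, then by age, and mark those past their deadline."""
    rows = []
    for (host, fid), f in current.items():
        rating = risk_rating(f, host, exposure)
        age = (today - f["first_seen"]).days
        rows.append({"host": host, "id": fid, "rating": rating,
                     "age_days": age, "overdue": age > sla_days(rating)})
    rows.sort(key=lambda r: (-r["rating"], -r["age_days"]))
    return rows


if __name__ == "__main__":
    diff = compare_scans(SCAN_PREVIOUS, SCAN_CURRENT)
    for bucket, items in diff.items():
        print(bucket, items)
    for row in prioritize(SCAN_CURRENT, EXPOSURE, TODAY):
        print(row)
```

Keying findings by host plus finding id (rather than by host alone) is what makes "remediated" trustworthy: a host that drops off the scan entirely shows up as every finding remediated, which is a reason to cross-check the scan's host coverage against the asset inventory before believing the numbers.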

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading e-mail, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented, standard security configuration standards for all authorized operating
systems and software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user, timestamp,
source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy a Security Information and Event Management (SIEM) or log analytics tool for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use DNS filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all e-mail attachments entering the organization's e-mail gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
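The DMARC sub-control is only as strong as the published records: an SPF record ending in "+all" or a DMARC record with "p=none" satisfies the letter of "implemented" while enforcing nothing. The Python below is an added example of checking a domain's SPF and DMARC TXT records for those weak settings; it is not code from the CIS Controls or from any mail product. The DNS records and domain names are constructed inline, so no lookups are made, and DKIM is not checked because it requires knowing the selectors in use. The RFC 7208 limit of ten DNS-querying SPF mechanisms is a real constraint; the specific findings text is this example's own.

```python
import re

# Constructed DNS TXT records as a resolver would return them for the domain itself (SPF)
# and for its _dmarc subdomain (DMARC). Domains and records are assumptions for this example.
RECORDS = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
}

# SPF mechanisms that cost a DNS lookup (RFC 7208 section 4.6.4 caps these at 10).
LOOKUP_MECHANISM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)")


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt):
    """Return a list of weaknesses in one SPF record (empty list means none found)."""
    findings = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing or malformed SPF version"]
    mechanisms = terms[1:]
    last = mechanisms[-1].lower() if mechanisms else ""
    if last in ("+all", "all"):
        findings.append("SPF permits any sender (+all)")
    elif last == "?all":
        findings.append("SPF is neutral for unlisted senders (?all)")
    elif last not in ("-all", "~all"):
        findings.append("SPF lacks a terminal 'all' mechanism")
    lookups = sum(1 for m in mechanisms
                  if LOOKUP_MECHANISM.match(m.lower()) or m.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF exceeds 10 DNS lookups ({lookups}); receivers will permerror")
    return findings


def check_dmarc(txt):
    """Return a list of weaknesses in one DMARC record (empty list means none found)."""
    findings = []
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["missing or malformed DMARC version"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC policy tag 'p' missing or invalid")
    elif policy == "none":
        findings.append("DMARC policy is monitor-only (p=none); nothing is rejected")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC applies to only {tags['pct']}% of mail (pct)")
    if "rua" not in tags:
        findings.append("no aggregate report address (rua); reporting is not enabled")
    return findings


def assess_domain(domain, records):
    """Combine SPF and DMARC checks for one domain using the supplied TXT records."""
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    findings = []
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    else:
        findings += check_spf(spf[0])
    if len(dmarc) != 1:
        findings.append(f"expected exactly one DMARC record, found {len(dmarc)}")
    else:
        findings += check_dmarc(dmarc[0])
    return findings


if __name__ == "__main__":
    for name in ("example.com", "weak.example"):
        print(name, assess_domain(name, RECORDS) or ["no weaknesses found"])
```

To run this against live domains, replace RECORDS with the TXT answers from a resolver library; the "exactly one record" check matters because multiple SPF or DMARC records are treated as an error by receivers, which silently disables the protection.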
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services with validated business needs are listening
on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that each of the organization's key systems is backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one backup destination that is not continuously addressable
through operating system calls.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented, standard security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configuration against approved security configurations defined for each
network device in use and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading e-mail, composing
documents, or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located onsite or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system, or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation to workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as Private VLANs or
microsegmentation.
Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located onsite or at a remote service
provider and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is
required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
onsite or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or
by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location and
duration.
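Two of these sub-controls, together with "review logs to identify anomalies" under Control #6, describe the same detection: build a per-user baseline of normal login hours, workstations and session lengths, then alert on logins that deviate from it, and on any attempt to use a deactivated account. The Python below is an added example of that logic over constructed log lines; it is not code from the CIS Controls or from any SIEM. The log format (ISO timestamp followed by key=value fields), the user and workstation names, the disabled-account list and the deviation thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login records in an assumed "<ISO timestamp> key=value ..." format.
# One month of normal activity used to build the baseline.
BASELINE_LOGS = """\
2024-02-05T08:55:00 user=alice host=WS-0001 result=success duration_min=510
2024-02-06T09:02:00 user=alice host=WS-0001 result=success duration_min=490
2024-02-07T08:48:00 user=alice host=WS-0001 result=success duration_min=530
2024-02-08T09:10:00 user=alice host=WS-0001 result=success duration_min=500
2024-02-05T07:30:00 user=bob host=WS-0002 result=success duration_min=600
2024-02-06T07:45:00 user=bob host=WS-0002 result=success duration_min=580
2024-02-07T07:35:00 user=bob host=WS-0003 result=success duration_min=610
"""
# Constructed records from the review period, including one out-of-pattern login.
NEW_LOGS = """\
2024-03-01T09:00:00 user=alice host=WS-0001 result=success duration_min=505
2024-03-01T02:17:00 user=alice host=WS-0042 result=success duration_min=35
2024-03-01T07:40:00 user=bob host=WS-0002 result=success duration_min=590
2024-03-02T10:00:00 user=carol host=WS-0005 result=failure duration_min=0
"""
# Constructed: accounts disabled after termination (sub-control 16.7), kept rather than deleted.
DISABLED_ACCOUNTS = {"carol"}


def parse(lines):
    """Turn the key=value log lines into dicts with a parsed timestamp and integer duration."""
    records = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["duration_min"] = int(rec["duration_min"])
        records.append(rec)
    return records


def build_baseline(records):
    """Per user: the login hours seen, the workstations seen, and the session lengths."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "durations": []})
    for r in records:
        if r["result"] != "success":
            continue
        b = base[r["user"]]
        b["hours"].add(r["ts"].hour)
        b["hosts"].add(r["host"])
        b["durations"].append(r["duration_min"])
    return base


def hour_distance(a, b):
    """Distance between two hours of the day on a 24-hour circle (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def detect(records, baseline, disabled, hour_slack=1):
    """Return (timestamp, user, reasons) for every record that deviates from the baseline
    or touches a deactivated account (sub-controls 16.12 and 16.13)."""
    alerts = []
    for r in records:
        reasons = []
        if r["user"] in disabled:
            reasons.append("access attempt on deactivated account")
        b = baseline.get(r["user"])
        if b is None and r["user"] not in disabled:
            reasons.append("no baseline for user")
        elif b is not None:
            if all(hour_distance(r["ts"].hour, h) > hour_slack for h in b["hours"]):
                reasons.append(f"unusual hour {r['ts'].hour:02d}")
            if r["host"] not in b["hosts"]:
                reasons.append(f"unusual workstation {r['host']}")
            typical = sum(b["durations"]) / len(b["durations"])
            if r["duration_min"] < typical * 0.25 or r["duration_min"] > typical * 2:
                reasons.append(f"unusual session length {r['duration_min']} min")
        if reasons:
            alerts.append((r["ts"].isoformat(), r["user"], reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOGS))
    for ts, user, reasons in detect(parse(NEW_LOGS), baseline, DISABLED_ACCOUNTS):
        print(ts, user, "; ".join(reasons))
```

A login that trips several checks at once (off-hours, unknown workstation, short session) is the kind of event sub-control 6.7 expects a reviewer to see without wading through the normal logins, and the deactivated-account check only works because 16.7 disables rather than deletes the account, so the name still resolves in the logs.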
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand which skills and behaviors workforce members are not
exhibiting, and use this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams and impersonation calls.
Train workforce on how to identify and properly store, transfer, archive and destroy sensitive
information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train employees to be able to identify the most common indicators of an incident and be able to
report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and nonproduction systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define the roles of personnel as well as the
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC
partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, e-mails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.