CIS Controls Master Mappings Tool (v7.1a)

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Critical Security Control #14: Controlled Access Based on the Need to Know
Critical Security Control #20: Penetration Tests and Red Team Exercises

Reference identifiers per mapped framework, as extracted (the row alignment to individual sub-controls is not preserved in the text):
NIST SP 800-53 controls referenced:
SA-13: Trustworthiness; SA-15: Development Process, Standards, and Tools; SA-16: Developer-Provided Training; SA-17: Developer Security Architecture and Design; SA-20: Customized Development of Critical Components; SA-21: Developer Screening; SC-39: Process Isolation; SI-10: Information Input Validation; SI-11: Error Handling; SI-15: Information Output Filtering; SI-16: Memory Protection; IR-1: Incident Response Policy and Procedures; IR-2: Incident Response Training; IR-3: Incident Response Testing; IR-4: Incident Handling; IR-5: Incident Monitoring; IR-6: Incident Reporting; IR-7: Incident Response Assistance; IR-8: Incident Response Plan; IR-10: Integrated Information Security Analysis Team

NIST Cyber Security Framework subcategories referenced:
ID.AM-1, ID.AM-2, ID.AM-3, ID.AM-4, ID.RA-1, ID.RA-2, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5, PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-5, PR.DS-6, PR.DS-7, PR.IP-1, PR.IP-4, PR.IP-10, PR.IP-12, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1-7, DE.CM-8, DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5, RS.RP-1, RS.CO-1-5, RS.AN-1-4, RS.AN-5, RS.MI-1-2, RS.MI-3, RS.IM-1-2, RC.RP-1, RC.IM-1-2, RC.CO-1-3

Unlabelled numeric column (as extracted):
5.1, 5.1 - 5.11, 5.4, 5.5, 5.15, 5.16, 5.17, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.7, 6.2.8, 6.2.16, 6.2.17
Capability column (as extracted):
CSM: Configuration Settings Management; Boundary Protection; CRED: Credentials and Authentication Management; BEHV: Security-Related Behavior Management

Numeric column (as extracted):
3.1a, 3.1c, 3.2a, 3.2e, 3.2f, 3.2i, 3.3a, 3.5a, 3.5b, 4.0b, 4.0c, 4.0e, 4.0g, 4.0h, 4.0i
ISO/IEC 27001 Annex A references (2013 and 2005 numbering, as extracted):
A.6.1.3, A.6.1.6, A.6.1.8, A.7.2.1, A.7.2.2, A.8.2.1, A.8.2.2, A.8.3.1, A.8.3.3, A.9.1.1, A.9.1.2, A.9.2.1 - A.9.2.6, A.9.2.2 - A.9.2.6, A.9.3.1, A.9.4.1 - A.9.4.3, A.9.4.1 - A.9.4.4, A.9.4.5, A.10.1.1, A.10.1.1 - A.10.1.2, A.10.1.4, A.10.4.1 - A.10.4.2, A.10.5.1, A.10.6.1 - A.10.6.2, A.10.7.1, A.10.8.3, A.10.10.1 - A.10.10.3, A.10.10.1 - A.10.10.6, A.10.10.2, A.11.2.1, A.11.2.3 - A.11.2.4, A.11.2.8, A.11.3.1 - A.11.3.3, A.11.4.2, A.11.4.4, A.11.4.5, A.11.4.7, A.11.5.1 - A.11.5.3, A.11.6.1 - A.11.6.2, A.11.7.1 - A.11.7.2, A.12.1.4, A.12.2.1, A.12.2.4, A.12.3.1, A.12.3.1 - A.12.3.2, A.12.4.1, A.12.4.1 - A.12.4.4, A.12.5.1, A.12.5.2, A.12.5.4, A.12.5.5, A.12.6.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1 - A.13.2.2, A.13.2.3, A.14.1.2, A.14.2.1, A.14.2.4, A.14.2.6 - A.14.2.8, A.14.2.8, A.15.1.6, A.15.2.2, A.15.3.1, A.16.1.2, A.16.1.4 - A.16.1.7, A.18.1.5, A.18.2.1, A.18.2.3

ISA/IEC 62443-3-3 system requirements referenced:
SR 1.1 - 1.13, SR 1.2, SR 1.6, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.5, SR 2.8 - 2.11, SR 3.1, SR 3.2, SR 3.3, SR 3.3 - 3.8, SR 3.9, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1 - 6.2, SR 7.3 - 7.4, SR 7.6, SR 7.7
NIST 800-171 requirements referenced:
3.1.2, 3.1.3, 3.1.5, 3.1.5 - 3.1.7, 3.1.8, 3.1.10 - 3.1.11, 3.2.2 - 3.2.3, 3.4.1 - 3.4.3, 3.4.5 - 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.5.1 - 3.5.9, 3.7.1 - 3.7.2, 3.7.4, 3.7.5 - 3.7.6, 3.8.2, 3.8.5 - 3.8.6, 3.9.2, 3.11.2, 3.11.3, 3.12.2, 3.13.3, 3.13.4 - 3.13.6, 3.13.9, 3.14.1, 3.14.2 - 3.14.6

NSA MNP (Manageable Network Plan) topics referenced:
Baseline Management; Executable Content Restrictions; Configuration and Change Management; Patch Management; Log Management; User Access; Data-at-Rest Protection; Device Accessibility; Virus Scanners and Host Intrusion Prevention Systems; Security Gateways, Proxies, and Firewalls; Network Security Monitoring; Network Architecture; Training; Audit Strategy
Australian Essential Eight / Australian Top 35 mitigation numbers referenced (the two columns are merged in the extraction):
1, 2, 2-3, 2-5, 3, 4, 5, 6, 7, 9, 10, 10-11, 11, 12, 13, 14, 15-16, 17, 17-20, 18-20, 21, 22, 23, 24, 25, 26, 27, 28, 30, 31, 32-34, 35
NSA Top 10 mitigations referenced:
Application Whitelisting; Take Advantage of Software Improvements; Control Administrative Privileges; Set a Secure Baseline Configuration; Segregate Networks and Functions

Canadian CSE Top 10 items referenced:
1, 2, 3, 4, 5, 6, 7, 8, 9, 10
GCHQ 10 Steps / UK Cyber Essentials / UK ICO Protecting Data topics referenced:
Decommissioning of software or services; Monitoring; Secure Configuration; Patch Management; Removable Media Controls; Malware Protection; Network Security; Unnecessary Services; SQL Injection; Incident Management
PCI DSS 3.2 / PCI DSS 3.1 / PCI DSS 3.0: column headings present, values not extracted with them.

FFIEC Examiners Handbook sections referenced:
II.C.5, II.C.6, II.C.7, II.C.9, II.C.11, II.C.12, II.C.13, II.C.15, II.C.16, II.C.17, II.C.18, II.C.19, II.C.21, II.C.22

FFIEC Examiners Handbook topics referenced:
Host Security; User Equipment Security (Workstation, Laptop, Handheld); Security Monitoring; Network Security; Encryption; Data Security; Application Security; Software Development & Acquisition
FFIEC Cybersecurity Assessment Tool (CAT) / COBIT 5 numeric references (as extracted):
1.2.9, 1.2.10, 4.0, 5.0, 6.1, 7.2.2, 8.2.1, 8.2.2, 8.2.6, 8.2.7, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.3.7, 9.3.8, 9.3.10, 9.3.13, 9.3.16, 9.3.17, 9.4.3, 9.4.10, 9.4.12, 9.4.16, 9.4.17, 9.4.18

Criteria column (heading not extracted):
A 1.2, C 1.2 - C 1.3, CC 2.1 - CC 2.6, CC 5.1 - CC 5.6, CC 5.7, CC 5.8, CC 6.1, CC 6.2
SWIFT SG controls referenced:
1.1, 1.2, 2.1, 2.3, 2.4a, 2.5a, 2.6a, 4.1, 4.2, 5.1, 5.2, 5.4a, 6.1, 7.1, 7.2, 7.4a

MAS TRM chapters referenced:
7 - IT Service Management; 9 - Operational Infrastructure Security Management; 11 - Access Controls; 12 - Online Financial Services

Saudi AMA references:
3.1.6, 3.1.7, 3.3.5, 3.3.6, 3.3.8, 3.3.15, 3.3.16
NERC CIP requirements referenced (versions 3 and 4):
CIP-002-3 R1, CIP-002-3 R2, CIP-002-3 R3, CIP-002-3 R4, CIP-002-4 R1, CIP-002-4 R2, CIP-002-4 R3, CIP-003-3 R5, CIP-003-3 R6, CIP-003-4 R5, CIP-003-4 R6, CIP-004-3 R1, CIP-004-3 R2, CIP-004-3 R4, CIP-004-4 R1, CIP-004-4 R2, CIP-004-4 R4, CIP-005-3 R2, CIP-005-3 R3, CIP-005-3 R4, CIP-005-4 R2, CIP-005-4 R3, CIP-005-4 R4, CIP-006-3 R3, CIP-006-4 R3, CIP-007-3 R2, CIP-007-3 R3, CIP-007-3 R4, CIP-007-3 R5, CIP-007-3 R6, CIP-007-3 R8, CIP-007-4 R2, CIP-007-4 R3, CIP-007-4 R4, CIP-007-4 R5, CIP-007-4 R6, CIP-007-4 R8, CIP-008-3 R1, CIP-008-3 R2, CIP-008-4 R1, CIP-008-4 R2, CIP-009-3 R4, CIP-009-3 R5, CIP-009-4 R4, CIP-009-4 R5

CSA Cloud Controls Matrix (CCM) controls referenced:
AIS-01, AIS-03, AIS-04, CCC-01 - CCC-03, CCC-04, DCS-01, DSI-02, DSI-05, EKM-01 - EKM-04, HRS-10, IAM-02, IAM-03, IAM-09 - IAM-12, IAM-09 - IAM-13, IPY-04, IVS-01, IVS-05, IVS-06, IVS-07, IVS-08, IVS-09, IVS-12, MOS-01, MOS-03, MOS-04, MOS-05, MOS-09, MOS-11, MOS-14, MOS-15, MOS-16, MOS-19, MOS-20, SEF-01 - SEF-05, TVM-01, TVM-02, TVM-03
SEC OCIE for AWS / FY15 FISMA Metrics / ITIL 2011 KPIs references:
FY15 FISMA Metrics: 2: Continuous Monitoring Management; 4: Anti Phishing and Malware Defense; 9: Incident Response Management
Other topics in these columns (as extracted): Information Security Management; Disaster Recovery Management; Logical Access Control; Security Incident Response; Incident Management
NV Gaming MICS v7 2015 references:
IV-b, IV-f, V-02, V-04, V-05, V-06, V-08, V-09, V-10, V-11, V-17, V-19, VI-01, VI-02, VI-03, VI-04, VI-05

MA - CoM 201 CMR 17.00 / MICS topic labels (as extracted):
System Parameters; Backups; Network Security and Data Protection; Remote Access; User Accounts; Generic User Accounts; Service & Default Accounts

NY - NYCRR 500 sections referenced:
Section 500.05, Section 500.06, Section 500.07, Section 500.10, Section 500.11, Section 500.12, Section 500.13, Section 500.14, Section 500.15
Victorian PDSF v1.0 standards referenced:
Standard 4, Standard 6, Standard 7, Standard 8

ANSSI - 40 Measures referenced:
1, 2, 4, 5, 6, 8-13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28-30, 31, 34, 36, 37, 38, 39
[Control-by-control matrix, as extracted: a CIS Controls (v4) priority column holding P0 to P3 (or --- where no priority is given) and one X-mark column per control; the row labels for the cells are not recoverable from the text. Columns: Inventory of Authorized & Unauthorized Devices; Inventory of Authorized and Unauthorized Software; Continuous Vulnerability Assessment and Remediation; Controlled Use of Administrative Privileges (CSC #4); Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers (CSC #5); Maintenance, Monitoring, and Analysis of Audit Logs (CSC #6); Email and Web Browser Protections; Malware Defenses; Limitation and Control of Network Ports, Protocols, and Services; Data Recovery Capabilities; Secure Configuration for Network Devices, such as Firewalls, Routers and Switches; Boundary Defense; Data Protection; Controlled Access Based on the Need to Know; Wireless Device Control; Account Monitoring and Control; Implement a Security Awareness and Training Program; Application Software Security; Incident Response and Management; Penetration Tests and Red Team Exercises.]
CIS Controls v7.1 mapped to the NIST Cyber Security Framework (v1.1)

Sub-controls listed, with the asset type assigned to each group:
Control 1: 1.2 - 1.8 (System)
Control 2: 2.2 - 2.10 (System)
Control 3: 3.1 - 3.7 (System)
Control 4: 4.2 - 4.9 (System)
Critical Security Control #5: Secure Configurations for Hardware and Software: 5.1 - 5.5 (System)
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs: 6.1 - 6.8 (System)
Control 7: 7.2 - 7.10 (System)
Control 8: 8.2 - 8.8 (System)
Control 9: 9.2 - 9.5 (System)
Control 10: 10.2 - 10.5 (System)
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches: 11.1 - 11.7 (Network)
Control 12: 12.2 - 12.12 (Network)
Control 13: 13.1 - 13.9 (Network)
Critical Security Control #14: Controlled Access Based on the Need to Know: 14.1 - 14.9 (Application)
Control 15: 15.2 - 15.10 (Network)
Control 16: 16.2 - 16.13 (Application)
Critical Security Control #17: Implement a Security Awareness and Training Program: 17.1 - 17.9 (Application)
Control 18: 18.2 - 18.11 (Application)
Control 19: 19.2 - 19.8 (Application)
Critical Security Control #20: Penetration Tests and Red Team Exercises: 20.1 - 20.8 (Application)
CIS Controls

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

Critical Security Control #4: Controlled Use of Administrative Privileges
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
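The two logging sub-controls above (alert on membership changes to administrative groups, and on failed logins to administrative accounts) as detection logic run over a few constructed log lines. This is an added example, not CIS text: the Windows Security event IDs 4728/4732/4756 (member added to a global/local/universal security group), 4729/4733/4757 (member removed) and 4625 (failed logon) are the real values; the key="value" line format, the group and account names, and the burst threshold are assumptions made for the example.

```python
"""Alerting for CIS sub-controls 4.8 and 4.9 over constructed log lines.

The event IDs are the Windows Security log values for group-membership
changes and failed logons; everything else (line format, names, threshold)
is constructed for this example.
"""
import shlex
from datetime import datetime, timedelta

# Windows Security event IDs (real values).
GROUP_ADD_EVENTS = {4728, 4732, 4756}      # member added to a security-enabled group
GROUP_REMOVE_EVENTS = {4729, 4733, 4757}   # member removed from a security-enabled group
FAILED_LOGON_EVENT = 4625                  # an account failed to log on

# Assumed privileged groups and accounts (constructed for the example).
ADMIN_GROUPS = {r"CORP\Domain Admins", r"BUILTIN\Administrators"}
ADMIN_ACCOUNTS = {r"CORP\adm-jdoe", r"CORP\adm-backup"}

# Constructed sample log lines: ISO-8601 timestamp, then key="value" pairs.
SAMPLE_LINES = [
    r'2024-05-01T10:00:01Z EventID=4728 Subject="CORP\jdoe" Member="CORP\svc-backup" Group="CORP\Domain Admins"',
    r'2024-05-01T10:00:02Z EventID=4728 Subject="CORP\jdoe" Member="CORP\asmith" Group="CORP\Sales"',
    r'2024-05-01T10:00:03Z EventID=4733 Subject="CORP\adm-jdoe" Member="CORP\temp" Group="BUILTIN\Administrators"',
    r'2024-05-01T10:05:00Z EventID=4625 Account="CORP\adm-jdoe" Source=10.0.0.5',
    r'2024-05-01T10:05:20Z EventID=4625 Account="CORP\adm-jdoe" Source=10.0.0.5',
    r'2024-05-01T10:05:40Z EventID=4625 Account="CORP\adm-jdoe" Source=10.0.0.5',
    r'2024-05-01T10:06:00Z EventID=4625 Account="CORP\asmith" Source=10.0.0.9',
    r'2024-05-01T11:30:00Z EventID=4625 Account="CORP\adm-backup" Source=10.0.0.7',
]


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime 'ts' and an int 'EventID'."""
    ts, *fields = shlex.split(line)  # shlex handles the quoted values containing spaces
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["EventID"] = int(event["EventID"])
    return event


def admin_group_alerts(events, admin_groups=ADMIN_GROUPS):
    """Sub-control 4.8: one alert per add/remove that touches a privileged group."""
    alerts = []
    for e in events:
        if e["EventID"] in (GROUP_ADD_EVENTS | GROUP_REMOVE_EVENTS) and e.get("Group") in admin_groups:
            action = "added to" if e["EventID"] in GROUP_ADD_EVENTS else "removed from"
            alerts.append(f'{e["ts"].isoformat()} {e["Member"]} {action} {e["Group"]} by {e["Subject"]}')
    return alerts


def failed_admin_logon_alerts(events, admin_accounts=ADMIN_ACCOUNTS,
                              threshold=3, window=timedelta(minutes=5)):
    """Sub-control 4.9: alert on every failed logon to an admin account and, once,
    flag a burst when `threshold` failures for one account fall inside `window`."""
    alerts = []
    recent = {}  # account -> timestamps of failures still inside the window
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["EventID"] != FAILED_LOGON_EVENT or e.get("Account") not in admin_accounts:
            continue
        acct = e["Account"]
        alerts.append(f'{e["ts"].isoformat()} failed logon to {acct} from {e["Source"]}')
        hits = [t for t in recent.get(acct, []) if e["ts"] - t < window] + [e["ts"]]
        recent[acct] = hits
        if len(hits) == threshold:  # fires exactly once per burst
            alerts.append(f'{e["ts"].isoformat()} BURST: {threshold} failures for {acct} within {window}')
    return alerts


def run(lines=SAMPLE_LINES):
    """Parse the lines and return all alerts (group changes first, then logons)."""
    events = [parse_event(line) for line in lines]
    return admin_group_alerts(events) + failed_admin_logon_alerts(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample input this yields two group-change alerts (the Domain Admins addition and the BUILTIN\Administrators removal; the Sales group is ignored), four individual failed-logon alerts for the two admin accounts, and one burst alert when the third failure for adm-jdoe lands inside the five-minute window; the non-admin account's failure is not reported.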
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and software.
Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.

Critical Security Control #7: Email and Web Browser Protections
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
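The SPF, DKIM and DMARC records that the DMARC sub-control above refers to are DNS TXT records, and a domain can publish all three and still enforce nothing. The Python below, an added example rather than CIS text, parses the three record formats (SPF per RFC 7208, DKIM per RFC 6376, DMARC per RFC 7489) and reports the configurations that do not enforce: a permissive SPF "all" qualifier, a missing DKIM key, and a DMARC policy of p=none. The domain names, the selector s1 and the TXT contents are constructed so that it runs without DNS; in use the TXT strings would come from a resolver.

```python
"""Check that a domain publishes enforcing SPF, DKIM and DMARC records.

Added example for CIS sub-control 7.8. Record syntax follows RFC 7208 (SPF),
RFC 6376 (DKIM) and RFC 7489 (DMARC); the domains, selector and TXT contents
below are constructed so the check runs offline.
"""

# Constructed TXT records keyed by DNS name, standing in for a resolver.
SAMPLE_TXT = {
    # weak.example: neutral SPF, no DKIM key published, monitoring-only DMARC
    "weak.example": ["v=spf1 include:_spf.mail.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    # good.example: hard-fail SPF, DKIM key at selector s1, DMARC reject
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY_DATA"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@good.example"],
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' DKIM or DMARC record into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for a v=spf1 record, or None if it is not SPF.

    all_qualifier is one of '+', '-', '~', '?' (or None when no 'all' term is present);
    only '-' (fail) and '~' (softfail) cause unlisted senders to be rejected or flagged.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # '+' is the implicit default
        body = term[1:] if term[0] in "+-~?" else term
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(body)
    return mechanisms, all_qualifier


def assess_domain(txt, domain, selector):
    """Return a list of findings; an empty list means SPF, DKIM and DMARC are all enforcing."""
    findings = []

    spf_records = [r for r in txt.get(domain, []) if parse_spf(r) is not None]
    if not spf_records:
        findings.append("SPF: no v=spf1 record")
    else:
        _, all_q = parse_spf(spf_records[0])
        if all_q not in ("-", "~"):
            findings.append(f"SPF: 'all' qualifier is {all_q!r}; use -all or ~all so unlisted senders fail")

    dkim = [parse_tags(r) for r in txt.get(f"{selector}._domainkey.{domain}", [])]
    if not dkim or not dkim[0].get("p"):   # an empty p= tag means the key is revoked
        findings.append(f"DKIM: no public key published at selector {selector}")

    dmarc = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc record")
    elif dmarc[0].get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy p={dmarc[0].get('p')} only monitors; quarantine or reject enforces")

    return findings


if __name__ == "__main__":
    for name in ("weak.example", "good.example"):
        print(name, assess_domain(SAMPLE_TXT, name, "s1") or ["ok"])
```

A p=none DMARC policy is the right first step while the aggregate (rua) reports are used to find legitimate senders, but it is only monitoring; the check treats it as a finding so that the move to quarantine or reject does not get forgotten.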
curity Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
curity Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
curity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
curity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
curity Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
curity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders’ technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
External information systems are catalogued
Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
The organization’s role in the supply chain is identified and communicated
The organization’s place in critical infrastructure and its industry sector is identified and communicated
Priorities for organizational mission, objectives, and activities are established and communicated
Potential business impacts and likelihoods are identified
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Risk responses are identified and prioritized
Physical access to assets is managed and protected
Remote access is managed
Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
All users are informed and trained
Privileged users understand their roles and responsibilities
Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
Senior executives understand their roles and responsibilities
Physical and cybersecurity personnel understand their roles and responsibilities
Data-at-rest is protected
Data-in-transit is protected
Assets are formally managed throughout removal, transfers, and disposition
Adequate capacity to ensure availability is maintained
Protections against data leaks are implemented
Integrity checking mechanisms are used to verify software, firmware, and information integrity
The development and testing environment(s) are separate from the production environment
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-2: A System Development Life Cycle to manage systems is implemented
Configuration change control processes are in place
Backups of information are conducted, maintained, and tested
Policy and regulations regarding the physical operating environment for organizational assets are met
Data is destroyed according to policy
Protection processes are improved
Effectiveness of protection technologies is shared
A vulnerability management plan is developed and implemented
Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
Removable media is protected and its use restricted according to policy
The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
Communications and control networks are protected
Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
A baseline of network operations and expected data flows for users and systems is established and managed
Detected events are analyzed to understand attack targets and methods
Event data are collected and correlated from multiple sources and sensors
Impact of events is determined
Incident alert thresholds are established
The network is monitored to detect potential cybersecurity events
The physical environment is monitored to detect potential cybersecurity events
Personnel activity is monitored to detect potential cybersecurity events
Malicious code is detected
Unauthorized mobile code is detected
External service provider activity is monitored to detect potential cybersecurity events
Monitoring for unauthorized personnel, connections, devices, and software is performed
Vulnerability scans are performed
Roles and responsibilities for detection are well defined to ensure accountability
Detection activities comply with all applicable requirements
Detection processes are tested
Newly identified vulnerabilities are mitigated or documented as accepted risks
Response plans incorporate lessons learned
Response strategies are updated
Recovery plan is executed during or after a cybersecurity incident
Recovery plans incorporate lessons learned
Recovery strategies are updated
Public relations are managed
Reputation is repaired after an incident
Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
CIS Controls v7.1 mapped to the NIST Cyber Security Framework (v1.0)
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Critical Security Control #4: Controlled Use of Administrative Privileges
Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls v7.1 mapped to NIST Cybersecurity Framework (subcategory outcomes)
External information systems are catalogued
Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
The organization's role in the supply chain is identified and communicated
The organization's place in critical infrastructure and its industry sector is identified and communicated
Priorities for organizational mission, objectives, and activities are established and communicated
Potential business impacts and likelihoods are identified
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Risk responses are identified and prioritized
Access permissions are managed, incorporating the principles of least privilege and separation of duties
Network integrity is protected, incorporating network segregation where appropriate
All users are informed and trained
Privileged users understand roles & responsibilities
Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
Senior executives understand roles & responsibilities
Physical and information security personnel understand roles & responsibilities
Data-at-rest is protected
Data-in-transit is protected
Assets are formally managed throughout removal, transfers, and disposition
Adequate capacity to ensure availability is maintained
Protections against data leaks are implemented
Integrity checking mechanisms are used to verify software, firmware, and information integrity
The development and testing environment(s) are separate from the production environment
A baseline configuration of information technology/industrial control systems is created and maintained
A System Development Life Cycle to manage systems is implemented
Configuration change control processes are in place
Backups of information are conducted, maintained, and tested periodically
Policy and regulations regarding the physical operating environment for organizational assets are met
Data is destroyed according to policy
Protection processes are continuously improved
Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
A vulnerability management plan is developed and implemented
Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
Removable media is protected and its use restricted according to policy
Access to systems and assets is controlled, incorporating the principle of least functionality
Communications and control networks are protected
A baseline of network operations and expected data flows for users and systems is established and managed
Detected events are analyzed to understand attack targets and methods
Event data are aggregated and correlated from multiple sources and sensors
Impact of events is determined
The network is monitored to detect potential cybersecurity events
The physical environment is monitored to detect potential cybersecurity events
Incident alert thresholds are established
Personnel activity is monitored to detect potential cybersecurity events
Malicious code is detected
Unauthorized mobile code is detected
External service provider activity is monitored to detect potential cybersecurity events
Monitoring for unauthorized personnel, connections, devices, and software is performed
Vulnerability scans are performed
Roles and responsibilities for detection are well defined to ensure accountability
Detection activities comply with all applicable requirements
Detection processes are tested
Response plans incorporate lessons learned
Response strategies are updated
Recovery plan is executed during or after an event
Recovery plans incorporate lessons learned
Recovery strategies are updated
Public relations are managed
RC.CO-2: Reputation after an event is repaired
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
CIS Controls v7.1 mapped to NIST 800-82 rev2
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a) mapping matrix (X marks without row labels) under the column headings: Logically Separated Control Network; Network Segregation; Recommended Defense-in-Depth Architecture; General Firewall Policies for ICS; Recommended Firewall Rules for Specific Services; Network Address Translation (NAT); Specific ICS Firewall Issues; Unidirectional Gateways; Single Points of Failure; Redundancy and Fault Tolerance; Preventing Man-in-the-Middle Attacks; Authentication and Authorization; Monitoring, Logging, and Auditing; Incident Detection, Response, and System Recovery; Access Control; Audit and Accountability; Security Assessment and Authorization; Awareness and Training; Configuration Management; Identification and Authentication; Contingency Planning; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Planning; Personnel Security; System and Information Integrity; Program Management; Privacy Controls.
CIS Controls v7.1 mapped to NISTIR 7621 (rev 1): Small Business Information Security
System 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
System 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
System 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
System 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
System 9.2, 9.3, 9.4, 9.5
System 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Network 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Network 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Application 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Application 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Application 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Critical Security Control #4: Controlled Use of Administrative Privileges
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Critical Security Control #7: Email and Web Browser Protections
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
Mapping grid columns (the row-by-row X marks of the grid are not reproduced):
Create policies and procedures for information security
Limit employee access to data and information
Install Surge Protectors and Uninterruptible Power Supplies (UPS)
Patch your operating systems and applications
Install and activate software and hardware firewalls on all your business networks
Secure your wireless access point and networks
Set up web and email filters
Use encryption for sensitive business information
Dispose of old computers and media safely
Train your employees
Install and update anti-virus, -spyware, and other -malware programs
Maintain and monitor logs
Develop a plan for disasters and information security incidents
Make full backups of important business data/information
Make incremental backups of important business data/information
Consider cyber insurance
Make improvements to processes / procedures / technologies
Pay attention to the people you work with and around
Be careful downloading software
Do not give out personal or business information
Watch for harmful pop-ups
Use strong passwords
Conduct online business more securely
CIS Controls v7.1 mapped to the DHS CDM Program
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Critical Security Control #14: Controlled Access Based on the Need to Know
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
urity Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
urity Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix: only the column headings are legible in this copy; the per-row marks are not. Columns, in order: Vulnerability Management; Access Control Management; Security-Related Behavior Management; Credentials & Authentication Management (CRED); Privileges (PRIV); Boundary Protection; Generic Audit/Monitoring; Plan for Events; Respond to Events; Document Requirements; Quality Management; Risk Management.]
CIS Controls v7.1 mapped to ISO 27002:2013
[Row labels of the mapping matrix (asset category and sub-control number); the per-row marks are not legible in this copy.]
System: 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
System: 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
System: 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
System: 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
System: 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
System: 9.2, 9.3, 9.4, 9.5
System: 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Network: 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Network: 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Application: 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Application: 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Application: 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
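The comparison of consecutive scans described above is easiest to see as a diff over finding identities. The following Python is an added example and is not part of the CIS Controls text or the mapping tool: it diffs two scan exports by (host, finding, port) into remediated, new and still-open findings, then flags the still-open ones that have outlived a per-severity remediation window. The scan rows, the finding identifiers (FINDING-00x placeholders, not real vulnerability IDs), the dates and the SLA values are all constructed assumptions.

```python
"""Diff two consecutive vulnerability scans and flag overdue findings.

Added example (not CIS text). The rows are constructed; a real pipeline
would read them from the scanner's CSV/JSON/SCAP export. Finding IDs are
placeholders, not real vulnerability identifiers.
"""
from datetime import date
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, int]  # (host, finding_id, port)

# Assumed remediation windows, in days, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def key(row: dict) -> Finding:
    """Identity of a finding: the same issue on the same host and port."""
    return (row["host"], row["finding_id"], row["port"])


def diff_scans(previous: List[dict], current: List[dict]) -> Dict[str, Set[Finding]]:
    """Split findings into remediated (gone), new (appeared) and still_open."""
    prev_keys = {key(r) for r in previous}
    cur_keys = {key(r) for r in current}
    return {"remediated": prev_keys - cur_keys,
            "new": cur_keys - prev_keys,
            "still_open": prev_keys & cur_keys}


def overdue(current: List[dict], first_seen: Dict[Finding, date],
            today: date) -> List[Tuple[Finding, int]]:
    """Still-open findings older than the SLA for their severity, oldest first.

    first_seen maps a finding to the scan date on which it first appeared;
    a finding absent from the map is treated as first seen today.
    """
    late = []
    for row in current:
        k = key(row)
        age = (today - first_seen.get(k, today)).days
        limit = SLA_DAYS.get(row["severity"].lower(), SLA_DAYS["low"])
        if age > limit:
            late.append((k, age))
    return sorted(late, key=lambda item: -item[1])


def update_first_seen(first_seen: Dict[Finding, date], current: List[dict],
                      scan_date: date) -> Dict[Finding, date]:
    """Carry first-seen dates forward: drop closed findings, date new ones."""
    cur_keys = {key(r) for r in current}
    kept = {k: d for k, d in first_seen.items() if k in cur_keys}
    for k in cur_keys - set(kept):
        kept[k] = scan_date
    return kept


# Constructed sample scans (not real scanner output).
PREV_SCAN = [
    {"host": "10.0.1.10", "finding_id": "FINDING-001", "port": 445, "severity": "critical"},
    {"host": "10.0.1.10", "finding_id": "FINDING-002", "port": 80, "severity": "medium"},
    {"host": "10.0.1.11", "finding_id": "FINDING-003", "port": 22, "severity": "high"},
]
CUR_SCAN = [
    {"host": "10.0.1.10", "finding_id": "FINDING-001", "port": 445, "severity": "critical"},
    {"host": "10.0.1.11", "finding_id": "FINDING-003", "port": 22, "severity": "high"},
    {"host": "10.0.1.12", "finding_id": "FINDING-004", "port": 443, "severity": "low"},
]
FIRST_SEEN = {
    ("10.0.1.10", "FINDING-001", 445): date(2019, 6, 1),
    ("10.0.1.11", "FINDING-003", 22): date(2019, 6, 10),
}
SCAN_DATE = date(2019, 7, 1)

if __name__ == "__main__":
    for bucket, items in diff_scans(PREV_SCAN, CUR_SCAN).items():
        print(bucket, sorted(items))
    for finding, age in overdue(CUR_SCAN, FIRST_SEEN, SCAN_DATE):
        print("OVERDUE", finding, f"{age} days")
```

The finding identity deliberately includes the port: a vulnerability fixed on one service but still present on another on the same host should not be reported as remediated. Keeping the first-seen map between runs is what turns a list of open findings into an age, and the age against the SLA is the evidence that remediation is "timely" rather than merely eventual.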
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
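The two alerting requirements just above are simplest to see as detection logic run over audit events. The following Python is an added example and is not part of the CIS Controls text or the mapping tool: it walks a batch of Windows Security events and raises an alert for membership changes to administrative groups (event IDs 4728/4732/4756 for additions and 4729/4733/4757 for removals, by group scope) and for failed logons (event ID 4625) against administrative accounts. The admin group and account lists, the host names, users and addresses are constructed assumptions.

```python
"""Alert on admin-group membership changes and failed admin logons.

Added example (not CIS text). The events are constructed to resemble
Windows Security log records: the field names follow the EventData
names Windows uses for these event IDs, but hosts, users and
addresses are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows Security event IDs: member added to / removed from a
# security-enabled group, keyed by group scope.
GROUP_ADD: Dict[int, str] = {4728: "global", 4732: "local", 4756: "universal"}
GROUP_REMOVE: Dict[int, str] = {4729: "global", 4733: "local", 4757: "universal"}
GROUP_SCOPE = {**GROUP_ADD, **GROUP_REMOVE}
FAILED_LOGON = 4625  # "An account failed to log on"

# Assumed for this example: groups that confer administrative privilege
# and accounts that are treated as administrative.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                "Schema Admins", "Backup Operators"}
ADMIN_ACCOUNTS = {"Administrator", "svc_backup", "j.doe-adm"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def check_event(ev: dict) -> Optional[Alert]:
    """Return an Alert if the event matches sub-control 4.8 or 4.9, else None."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?")
    if eid in GROUP_SCOPE:
        group = ev.get("TargetUserName", "")   # for these IDs this is the group name
        if group not in ADMIN_GROUPS:
            return None                        # change to a non-admin group
        action = "added to" if eid in GROUP_ADD else "removed from"
        return Alert("admin-group-change", host,
                     f"{ev.get('MemberName')} {action} {GROUP_SCOPE[eid]} "
                     f"group '{group}' by {ev.get('SubjectUserName')}")
    if eid == FAILED_LOGON:
        user = ev.get("TargetUserName", "")    # the account that failed to log on
        if user in ADMIN_ACCOUNTS:
            return Alert("admin-logon-failure", host,
                         f"failed logon for {user} from {ev.get('IpAddress')} "
                         f"(status {ev.get('Status')})")
    return None


def scan(events: List[dict]) -> List[Alert]:
    """Run check_event over a batch and keep only the hits."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample batch (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4732, "Computer": "WS01", "SubjectUserName": "j.doe-adm",
     "MemberName": "CORP\\tmp.user", "TargetUserName": "Administrators"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "svc_hr",
     "MemberName": "CORP\\a.smith", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "svc_hr",
     "MemberName": "CORP\\a.smith", "TargetUserName": "Sales"},   # no alert
    {"EventID": 4733, "Computer": "WS01", "SubjectUserName": "j.doe-adm",
     "MemberName": "CORP\\tmp.user", "TargetUserName": "Administrators"},
    {"EventID": 4625, "Computer": "DC01", "TargetUserName": "Administrator",
     "IpAddress": "10.0.0.5", "Status": "0xC000006D"},
    {"EventID": 4625, "Computer": "DC01", "TargetUserName": "b.jones",
     "IpAddress": "10.0.0.9", "Status": "0xC000006D"},             # no alert
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

Two details matter in practice: for the group-change events the group is carried in TargetUserName (the member is in MemberName), which is easy to get backwards, and a hardcoded admin-group list drifts, so a deployed rule should be fed from the directory or the privileged-account inventory rather than a literal set.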
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
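The SPF, DKIM and DMARC records behind the item above are DNS TXT records, and the settings that still let spoofed mail through are easy to spot mechanically. The following Python is an added example and is not part of the CIS Controls text or the mapping tool: it checks a domain's published records for an SPF record ending in +all, an empty DKIM key, and a DMARC policy of p=none or one without reporting, and shows a weak and a hardened record set side by side. The records, domain names and mailbox are constructed; a real check would fetch them from DNS.

```python
"""Check published SPF, DKIM and DMARC records for weak settings (CIS 7.8).

Added example (not CIS text). The record strings below are constructed;
in practice they are fetched as DNS TXT records for the domain (SPF),
for _dmarc.<domain> (DMARC) and for <selector>._domainkey.<domain> (DKIM).
"""
from typing import Dict, List

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC/DKIM tag syntax) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(record: str) -> List[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    issues: List[str] = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("SPF: '+all' authorises every sender; end with -all")
    elif last == "?all":
        issues.append("SPF: '?all' is neutral and adds no protection; end with -all")
    elif last not in ("-all", "~all"):
        issues.append("SPF: no terminating 'all' mechanism")
    # RFC 7208 allows at most 10 DNS-querying terms; beyond that receivers permerror.
    lookups = 0
    for term in terms[1:]:
        mech = term.lower().lstrip("+-~?").split(":")[0].split("/")[0]
        if mech in LOOKUP_MECHANISMS or mech.startswith("redirect="):
            lookups += 1
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10")
    return issues


def check_dkim(record: str) -> List[str]:
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return ["DKIM: selector record missing or public key empty (revoked)"]
    return []


def check_dmarc(record: str) -> List[str]:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or not v=DMARC1"]
    issues: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("DMARC: p=none only monitors; move to quarantine or reject")
    elif policy not in ("quarantine", "reject"):
        issues.append("DMARC: no valid p= policy")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, so aggregate reports are never received")
    return issues


def audit(spf: str, dkim: str, dmarc: str) -> List[str]:
    """All issues for one domain, SPF first, since DKIM and DMARC build on it."""
    return check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)


# Constructed records for an example domain. WEAK still lets spoofed mail
# through; HARDENED is the same domain after remediation. The DKIM key
# value is a placeholder, not a real key.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net +all",
    "dkim": "v=DKIM1; k=rsa; p=",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(**records) or ["no issues"])
```

The order mirrors the sub-control's advice to start with SPF and DKIM: DMARC only tells receivers what to do when those two checks fail, so p=reject on top of an SPF record ending in +all still rejects nothing. The pct and rua checks catch the two common ways a DMARC rollout stalls: a policy applied to only a fraction of mail, and one nobody receives reports for.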
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, locating all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
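Explicit checking of size, type, range and format, as the item above requires, is clearer in code than in prose. The following Python is an added example and is not part of the CIS Controls text or the mapping tool: it validates a request against a per-field rule set, reports every failure explicitly instead of silently coercing values, and rejects fields the contract does not define. The field rules and the sample requests are constructed assumptions.

```python
"""Explicit input checking for size, type, range and format (CIS 18.2).

Added example (not CIS text). The field rules and sample requests are
constructed for illustration; a real service would derive the rules
from its API contract.
"""
import re
from typing import Any, Dict, List

# One rule per field: expected type, size/range bounds, optional format regex.
RULES: Dict[str, dict] = {
    "username": {"type": str, "min_len": 3, "max_len": 32,
                 "format": re.compile(r"^[a-z][a-z0-9_]*$")},
    "email":    {"type": str, "max_len": 254,
                 "format": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")},
    "age":      {"type": int, "min": 0, "max": 150},
    "quantity": {"type": int, "min": 1, "max": 1000},
}
REQUIRED = {"username", "email", "quantity"}


def validate(payload: Dict[str, Any]) -> List[str]:
    """Return every error found; an empty list means the input is acceptable.

    Failures are reported, never coerced away, and unknown fields are
    rejected so extra parameters cannot reach downstream code unchecked.
    """
    errors: List[str] = []
    for name in sorted(REQUIRED - set(payload)):
        errors.append(f"{name}: required field missing")
    for name, value in payload.items():
        rule = RULES.get(name)
        if rule is None:
            errors.append(f"{name}: unexpected field")
            continue
        # Type check first. bool is a subclass of int, so exclude it explicitly.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{name}: expected {rule['type'].__name__}, "
                          f"got {type(value).__name__}")
            continue
        if isinstance(value, str):
            if "min_len" in rule and len(value) < rule["min_len"]:
                errors.append(f"{name}: shorter than {rule['min_len']} characters")
            if "max_len" in rule and len(value) > rule["max_len"]:
                errors.append(f"{name}: longer than {rule['max_len']} characters")
            if "format" in rule and not rule["format"].match(value):
                errors.append(f"{name}: does not match the required format")
        else:
            if "min" in rule and value < rule["min"]:
                errors.append(f"{name}: below minimum {rule['min']}")
            if "max" in rule and value > rule["max"]:
                errors.append(f"{name}: above maximum {rule['max']}")
    return errors


# Constructed sample requests.
GOOD = {"username": "alice_01", "email": "alice@example.com", "age": 34, "quantity": 5}
BAD = {"username": "Robert'); DROP TABLE users;--", "email": "not-an-email",
       "age": "34", "quantity": 0, "role": "admin"}

if __name__ == "__main__":
    print("GOOD ->", validate(GOOD) or "accepted")
    print("BAD  ->", validate(BAD))
```

Checking the type before the bounds is what keeps the range checks honest: a string "34" must be rejected as the wrong type rather than compared against an integer bound. The bool exclusion is the edge case most validators miss, since True is an int in Python and would otherwise pass as quantity 1.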
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[ISO 27002:2013 mapping matrix: only the column headings are legible in this copy; the per-row marks are not. Columns, in order: Information security in project management; Mobile device policy; Teleworking; Information security awareness, education and training; Disciplinary process; Termination or change of employment responsibilities; Inventory of assets; Ownership of assets; Acceptable use of assets; Return of assets; Classification of information; Labelling of information; Physical media transfer; Access control policy; Access to networks and network services; User registration and de-registration; User access provisioning; Privilege management; Management of secret authentication information of users; Review of user access rights; Removal or adjustment of access rights; Use of secret authentication information; Secure log-on procedures; Password management system; Use of privileged utility programs; Access control to program source code; Policy on the use of cryptographic controls; Key management; Physical security perimeter; Physical entry controls; Securing offices, rooms and facilities; Protecting against external and environmental threats; Change management; Capacity management; Separation of development, test and operational environments; Controls against malware; Information backup; Event logging; Protection of log information; Administrator and operator logs; Clock synchronisation; Information systems audit controls; Network controls; Security of network services; Segregation in networks; Information transfer policies and procedures; Agreements on information transfer.]
Confidentiality or non- Security requirements
Electronic messaging analysis and
disclosure agreements specification
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Securing applications Protecting application Secure development
services on public
networks services transactions policy
X
X
X
X
X
X
X
Technical review of
System change control applications after Restrictions on changes
procedures operating platform to software packages
changes
X
X
X
X
X
X
Secure system Secure development Outsourced
engineering principles environment development
X X
X X
X X
X X
X X
X X
X X
X X
X X
System acceptance
System security testing Protection of test data
testing
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Information security Addressing security Information and
policy for supplier within supplier communication
relationships agreements technology supply chain
X X
X X
X X
X X
X X
X X
X X
Response to Learning from
information security information security Collection of evidence
incidents incidents
X X X
X X X
X X X
X X X
X X X
X X X
X X X
Planning information Implementing Verify, review and
information security evaluate information
security continuity continuity security continuity
X
X
X
X
X
X
Independent review of Compliance with Technical compliance
security policies and
information security standards review
X
X
X
X
X
X
X X
X X
X X
X X
X X
X X
X X
X X
CIS Controls v7.1 mapped to ISO 27002:2005
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network or quarantined, or that the
inventory is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix: the X-mark cells could not be aligned to their rows after extraction; only the column headings are preserved below]
Independent review of information security
Identification of risks related to external parties
Addressing security when dealing with customers
Addressing security in third party agreements
Inventory of assets
Ownership of assets
Acceptable use of assets
Classification guidelines
Information labelling and handling
Termination responsibilities
Return of assets
Removal of access rights
Physical security perimeter
Physical entry controls
Securing offices, rooms and facilities
Monitoring and review of third party services
Managing changes to third party services
Capacity management
Information back-up
Network controls
Security of network services
Management of removable media
Disposal of media
Information handling procedures
Security of system documentation
Information exchange policies and procedures
Exchange agreements
Electronic commerce
On-line transactions
Publicly available information
Fault logging
Administrator and operator logs
Clock synchronization
User password management
Password use
Review of user access rights
Unattended user equipment
Clear desk and clear screen policy
Policy on use of network services
User authentication for external connections
Equipment identification in networks
Remote diagnostic and configuration port protection
Segregation in networks
Network connection control
Network routing control
Secure log-on procedures
User identification and authentication
Password management system
Use of system utilities
Session time-out
Limitation of connection time
Teleworking
Security requirements analysis and specification
Input data validation
Control of internal processing
Message integrity
Output data validation
Policy on the use of cryptographic controls
Key management
Control of operational software
Protection of system test data
Access control to program source code
Change control procedures
Outsourced software development
Control of technical vulnerabilities
Reporting information security events
Reporting security weaknesses
Responsibilities and procedures
Learning from information security incidents
Including information security in the business continuity management process
Business continuity and risk assessment
Collection of evidence
Compliance with security policies and standards
Technical compliance checking
Information systems audit controls
Protection of information systems audit tools (A.15.3.2)
CIS Controls v7.1 mapped to IEC 62443-3-3:2013
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping matrix for IEC 62443-3-3:2013: one row per CIS sub-control, with an X marking each system requirement it maps to. The column headings recovered from the extraction are: Identifier management; Authenticator management; Wireless access management; Strength of password-based authentication; Public key infrastructure (PKI) certificates; Strength of public key authentication; Authenticator feedback; Unsuccessful login attempts; System use notification; Access via untrusted networks; Authorisation enforcement; Wireless use control; Use control for portable and mobile devices; Mobile code; Session lock; Remote session termination; Concurrent session control; Auditable events; Security functionality verification; Software and information integrity; Input validation; Deterministic output; Error handling; Session integrity; Protection of audit information; Information confidentiality; Information persistence; Use of cryptography; Network segmentation; Zone boundary protection; General purpose person-to-person communication restriction; Application partitioning; Audit log accessibility; Continuous monitoring; Denial of service protection; Resource management; Network and security configuration settings; Least functionality; Control system component inventory. The individual X marks cannot be tied to rows in this extraction.]
CIS Controls v7.1 mapped to NIST 800-171
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Critical Security Control #4: Controlled Use of Administrative Privileges
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Critical Security Control #7: Email and Web Browser Protections
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.
Terminate (automatically) a user session after a defined condition.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Monitor and control remote access sessions.
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Route remote access via managed access control points.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Authorize remote execution of privileged commands and remote access to security-relevant information.
Authorize wireless access prior to allowing such connections.
Protect wireless access using authentication and encryption.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Control connection of mobile devices.
Encrypt CUI on mobile devices.
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Verify and control/limit connections to and use of external information systems.
Limit use of organizational portable storage devices on external information systems.
Control information posted or processed on publicly accessible information systems.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Control the flow of CUI in accordance with approved authorizations.
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Employ the principle of least privilege, including for specific security functions and privileged accounts.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Use non-privileged accounts or roles when accessing nonsecurity functions.
Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
Limit unsuccessful logon attempts.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Provide privacy and security notices consistent with applicable CUI rules.
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Protect and monitor the physical facility and support infrastructure for those information systems.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Remediate vulnerabilities in accordance with assessments of risk.
Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Establish and manage cryptographic keys for cryptography employed in the information system.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
Control and monitor the use of mobile code.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
Protect the authenticity of communications sessions.
Protect the confidentiality of CUI at rest.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
Separate user functionality from information system management functionality.
Prevent unauthorized and unintended information transfer via shared system resources.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Identify, report, and correct information and information system flaws in a timely manner.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Provide protection from malicious code at appropriate locations within organizational information systems.
Monitor information system security alerts and advisories and take appropriate actions in response.
Update malicious code protection mechanisms when new releases are available.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Monitor the information system, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Identify unauthorized use of the information system.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Review and update audited events.
[Mapping marks (X) for these three requirements omitted; the sub-control rows they belong to were lost in extraction.]
Analyze the security impact of changes prior to implementation.
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Control and monitor user-installed software.
Identify information system users, processes acting on behalf of users, or devices.
Store and transmit only encrypted representation of passwords.
Obscure feedback of authentication information.
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
Prevent reuse of identifiers for a defined period.
Disable identifiers after a defined period of inactivity.
Enforce a minimum password complexity and change of characters when new passwords are created.
Prohibit password reuse for a specified number of generations.
Allow temporary password use for system logons with an immediate change to a permanent password.
Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
Test the organizational incident response capability.
Perform maintenance on organizational information systems.
Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Check media containing diagnostic and test programs for malicious code before the media are used in the information system.
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Supervise the maintenance activities of maintenance personnel without required access authorization.
Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
Limit access to CUI on information system media to authorized users.
Sanitize or destroy information system media containing CUI before disposal or release for reuse.
Mark media with necessary CUI markings and distribution limitations.
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Control the use of removable media on information system components.
Prohibit the use of portable storage devices when such devices have no identifiable owner.
Protect the confidentiality of backup CUI at storage locations.
Screen individuals prior to authorizing access to information systems containing CUI.
Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
3.9.2
CIS Controls v7.1 mapped to the NSA's MNT
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Device Accessibility
User Access
Patch Management
Document your Network
Baseline Management
Backup Strategy
Milestone 7
Milestone 8
Incident Response and Disaster Recovery Plans
Security Policy
Training
Executable Content Restrictions
Virus Scanners and Host Intrusion Prevention Systems
Personal Electronic Device Management
Security Gateways, Proxies, and Firewalls
Data-At-Rest Protection
Network Access Control
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Network Security
Remote Access Security Log Management
Monitoring
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X X
X X
X X
X X
X X
X X
X X
X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Configuration and
Audit Strategy
Change Management
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
CIS Controls v7.1 mapped to the Australian Essential Eight
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix: the per-row "X" marks tying each CIS sub-control to a column did not survive extraction. Essential Eight columns, in sheet order: 1 Application whitelisting; 2 Patch applications; 3 Disable untrusted Microsoft Office macros; 4 User application hardening; 5 Restrict administrative privileges; 6 Patch operating systems; 7 Multi-factor authentication; 8 Daily backup of important data]
CIS Controls v7.1 mapped to Australian DSD Top 35: 2014
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
4. Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.
5. User application configuration hardening, disabling the running of internet-based Java code, untrusted Microsoft Office macros, and web browser and PDF viewer features.
6. Automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour including undesired network traffic, new or modified files, or configuration changes.
7. Operating system generic exploit mitigation mechanisms, eg, Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).
8. Host-based Intrusion Detection/Prevention System to identify anomalous behaviour such as process injection, keystroke logging, driver loading and persistence.
9. Disable local administrator accounts to prevent network propagation using compromised local administration credentials that are shared by several computers.
10. Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by Microsoft Active Directory.
11. Multi-factor authentication especially implemented for remote access or when the user is about to perform a privileged action or access a sensitive information repository.
12. Software-based application firewall, blocking incoming network traffic that is malicious or otherwise unauthorised, and denying network traffic by default.
13. Software-based application firewall, blocking outgoing network traffic that is not generated by whitelisted applications, and denying network traffic by default.
14. Non-persistent virtualised sandboxed trusted operating environment, hosted outside the organisation's internal network, for risk activities such as web browsing.
15. Centralised and time-synchronised logging of successful and failed computer events with automated immediate log analysis, storing logs for at least 18 months.
16. Centralised and time-synchronised logging of allowed and blocked network events with automated immediate log analysis, storing logs for at least 18 months.
17. Email content filtering allowing only business-related attachment types. Preferably analyse/convert/sanitise links, PDF and Microsoft Office attachments.
18. Web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioural analysis, cloud-based reputation ratings, heuristics and signatures.
19. Web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.
20. Block spoofed emails using Sender ID or Sender Policy Framework (SPF) to check incoming emails, and a 'hard fail' SPF record to help prevent spoofing of your organisation's domain.
21. Workstation and server configuration management based on a hardened Standard Operating Environment with unrequired functionality disabled e.g. IPv6, autorun and LanMan.
22. Antivirus software using heuristics and automated internet-based reputation ratings to check a program's prevalence and its digital signature's trustworthiness prior to execution.
23. Deny direct internet access from workstations by using an IPv6-capable firewall to force traffic through a split DNS server, an email server or an authenticated web proxy server.
24. Server application security configuration hardening e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems.
25. Enforce a strong passphrase policy covering complexity, length and expiry, and avoiding both passphrase re-use and the use of a single dictionary word.
26. Removable and portable media control as part of a data loss prevention strategy, including storage, handling, whitelisting allowed USB devices, encryption and destruction.
27. Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations and on servers where possible.
28. User education, eg, internet threats and spear-phishing socially-engineered emails. Avoid weak passphrases, passphrase re-use, exposing email addresses and unapproved USB devices.
29. Workstation inspection of Microsoft Office files for potentially malicious abnormalities, eg, using the Microsoft Office File Validation or Protected View features.
30. Signature-based antivirus software that primarily relies on up-to-date signatures to identify malware. Use gateway and desktop antivirus software from different vendors.
31. TLS encryption between email servers to help prevent legitimate emails being intercepted and used for social engineering. Perform content scanning after email traffic is decrypted.
32. Block attempts to access web sites by their IP address instead of by their domain name, eg, implemented using a web proxy server, to force cyber adversaries to obtain a domain name.
33. Network-based Intrusion Detection/Prevention System using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.
34. Gateway blacklisting to block access to known malicious domains and IP addresses, including dynamic and other domains provided free to anonymous internet users.
35. Capture network traffic to/from internal critical-asset workstations and servers, as well as traffic traversing the network perimeter, to perform post-intrusion analysis.
CIS Controls v7.1 mapped to the NSA's Top 10 Information Assurance Mitigation Strategies
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping matrix for columns 1 to 10: the X marks did not survive extraction and cannot be assigned to their sub-control rows. Column headings recovered from the sheet: Set a Secure Baseline Configuration; Use Web Domain Name System (DNS) Reputation; Take Advantage of Software Improvements; Segregate Networks and Functions.]
CIS Controls v7.1 mapped to Canadian Communications Security
Establishment Top 10 IT Security Actions
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Critical Security Control #4: Controlled Use of Administrative Privileges
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Critical Security Control #7: Email and Web Browser Protections
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Critical Security Control #9: Limitation and Control of Network Ports, Protocols, and Services
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, locating all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Critical Security Control #14: Controlled Access Based on the Need to Know
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
[Mapping grid: X marks per sub-control against columns 1-3 (headers not extracted), 4 Harden Operating Systems and Applications, 5 Segment and Separate Information, 6 Provide Tailored Awareness and Training, 7 Protect Information at the Enterprise Level, 8 Apply Protection at the Host Level, 9 Isolate Web-Facing Applications, 10 Implement Application Whitelisting; the row-to-column marks did not survive extraction]
CIS Controls v7.1 mapped to GCHQ's 10 Steps to CyberSecurity
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
curity Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
curity Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or on a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, and emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition (SCADA) and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Mapping matrix columns: 4 Information Risk Management Regime, 5 Managing User Privileges, 6 Removable Media Controls, 7 Monitoring, 8 Secure Configuration, 9 Malware Protection, 10 Network Security. The names of columns 1 to 3 and the per-row X marks of the matrix are not recoverable from this extraction.
CIS Controls v7.1 mapped to the UK Government's Cyber Essentials Scheme
Sub-controls in the mapping, listed by CIS control with their asset type (System, Network or Application):
Critical Security Control #1 (System): 1.2-1.8
Critical Security Control #2: Inventory of Authorized and Unauthorized Software (System): 2.2-2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation (System): 3.1-3.7
Critical Security Control #4 (System): 4.2-4.9
Critical Security Control #5: Secure Configurations for Hardware and Software (System): 5.1-5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs (System): 6.1-6.8
Critical Security Control #7: Email and Web Browser Protections (System): 7.2-7.10
Critical Security Control #8: Malware Defenses (System): 8.2-8.8
Critical Security Control #9 (System): 9.2-9.5
Critical Security Control #10: Data Recovery Capabilities (System): 10.2-10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches (Network): 11.1-11.7
Critical Security Control #12: Boundary Defense (Network): 12.1-12.12
Critical Security Control #13: Data Protection (Network): 13.1-13.9
Critical Security Control #14: Controlled Access Based on the Need to Know (Application): 14.1-14.9
Critical Security Control #15: Wireless Access Control (Network): 15.2-15.10
Critical Security Control #16: Account Monitoring and Control (Application): 16.2-16.13
Critical Security Control #17: Implement a Security Awareness and Training Program (Application): 17.1-17.9
Critical Security Control #18: Application Software Security (Application): 18.2-18.11
Critical Security Control #19: Incident Response and Management (Application): 19.2-19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises (Application): 20.1-20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port-level access control, following the 802.1X standard, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
curity Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
curity Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping matrix: columns 1–3; columns 4 Malware protection, 5 Patch management]
CIS Controls v7.1 mapped to the UK's Information Commissioner's Office (ICO) Protecting Personal Data in Online Services
System 1.2–1.8; System 2.2–2.10; System 3.1–3.7; System 4.2–4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1–5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1–6.8; System 7.2–7.10; System 8.2–8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1–9.5; System 10.2–10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1–11.7; Network 12.2–12.12; Network 13.1–13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1–14.9; Network 15.3–15.10; Application 16.2–16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1–17.9; Application 18.2–18.11; Application 19.2–19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1–20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or on a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
[Mapping grid (columns 1-8) of X marks lost in extraction. Recovered column headings: Decommissioning of software or services; Configuration of SSL and TLS; Password storage; Inappropriate locations for processing data; Default credentials.]
CIS Controls v7.1 mapped to PCI DSS 3.1
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Install personal firewall software on any mobile and/or employee-owned devices that connect to the
Internet when outside the network (for example, laptops used by employees), and which are also used
to access the network.
Ensure that security policies and operational procedures for managing firewalls are documented, in
use, and known to all affected parties.
Always change vendor-supplied defaults and remove or disable unnecessary default accounts before
installing a system on the network.
Develop configuration standards for all system components. Assure that these standards address all
known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Encrypt all non-console administrative access using strong cryptography. Use technologies such as
SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Maintain an inventory of system components that are in scope for PCI DSS.
Ensure that security policies and operational procedures for managing vendor defaults and other
security parameters are documented, in use, and known to all affected parties.
Shared hosting providers must protect each entity’s hosted environment and cardholder data.
Keep cardholder data storage to a minimum by implementing data retention and disposal policies,
procedures and processes.
Use strong cryptography and security protocols to safeguard sensitive cardholder data during
transmission over open, public networks.
Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant
messaging, chat, etc.).
Ensure that security policies and operational procedures for encrypting transmissions of cardholder
data are documented, in use, and known to all affected parties.
Deploy anti-virus software on all systems commonly affected by malicious software (particularly
personal computers and servers).
Ensure that all anti-virus mechanisms are maintained.
Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users,
unless specifically authorized by management on a case-by-case basis for a limited time period.
Ensure that security policies and operational procedures for protecting systems against malware are
documented, in use, and known to all affected parties.
Establish a process to identify security vulnerabilities, using reputable outside sources for security
vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to
newly discovered security vulnerabilities.
Ensure that all system components and software are protected from known vulnerabilities by
installing applicable vendor-supplied security patches. Install critical security patches within one
month of release.
Develop internal and external software applications (including web-based administrative access to
applications) securely.
Follow change control processes and procedures for all changes to system components.
Train developers in secure coding techniques, including how to avoid common coding vulnerabilities,
and understanding how sensitive data is handled in memory.
For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and
ensure these applications are protected against known attacks.
Develop applications based on secure coding guidelines.
Ensure that security policies and operational procedures for developing and maintaining secure
systems and applications are documented, in use, and known to all affected parties.
Limit access to system components and cardholder data to only those individuals whose job requires
such access.
Establish an access control system for systems components that restricts access based on a user’s
need to know, and is set to “deny all” unless specifically allowed.
Ensure that security policies and operational procedures for restricting access to cardholder data are
documented, in use, and known to all affected parties.
Define and implement policies and procedures to ensure proper user identification management for
non-consumer users and administrators on all system components.
In addition to assigning a unique ID, ensure proper user-authentication management for
non-consumer users and administrators on all system components.
Secure all individual non-console administrative access and all remote access to the CDE using
multi-factor authentication.
Document and communicate authentication procedures and policies to all users.
Do not use group, shared, or generic IDs, passwords, or other authentication methods.
Where other authentication mechanisms are used (for example, physical or logical security tokens,
smart cards, certificates, etc.), use of these mechanisms must be assigned.
Develop procedures to easily distinguish between onsite personnel and visitors.
Control physical access for onsite personnel to the sensitive areas.
Implement procedures to identify and authorize visitors.
Destroy media when it is no longer needed for business or legal reasons.
Protect devices that capture payment card data via direct physical interaction with the card from
tampering and substitution.
Ensure that security policies and operational procedures for restricting physical access to cardholder
data are documented, in use, and known to all affected parties.
Implement processes to test for the presence of wireless access points (802.11), and detect and
identify all authorized and unauthorized wireless access points on a quarterly basis.
Run internal and external network vulnerability scans at least quarterly and after any significant
change in the network (such as new system component installations, changes in network topology,
firewall rule modifications, product upgrades).
Implement a methodology for penetration testing.
Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions
into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as
at critical points in the cardholder data environment, and alert personnel to suspected compromises.
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert
personnel to unauthorized modification of critical system files, configuration files, or content files;
and configure the software to perform critical file comparisons at least weekly.
Ensure that security policies and operational procedures for security monitoring and testing are
documented, in use, and known to all affected parties.
Establish, publish, maintain, and disseminate a security policy.
Implement a risk-assessment process.
Develop usage policies for critical technologies and define proper use of these technologies.
Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.
(Examples of background checks include previous employment history, criminal record, credit
history, and reference checks.)
Maintain and implement policies and procedures to manage service providers with whom cardholder
data is shared, or that could affect the security of cardholder data.
Service providers acknowledge in writing to customers that they are responsible for the security of
cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf
of the customer, or to the extent that they could impact the security of the customer’s cardholder
data environment.
CIS Controls v7.1 mapped to PCI DSS 3.1
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.
Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Maintain an inventory of system components that are in scope for PCI DSS.
Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
Shared hosting providers must protect each entity's hosted environment and cardholder data.
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Ensure that all anti-virus mechanisms are maintained.
Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Develop internal and external software applications (including web-based administrative access to applications) securely.
Follow change control processes and procedures for all changes to system components.
Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
Develop applications based on secure coding guidelines.
Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
Limit access to system components and cardholder data to only those individuals whose job requires such access.
Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.
Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).
Document and communicate authentication procedures and policies to all users.
Do not use group, shared, or generic IDs, passwords, or other authentication methods.
Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned.
Develop procedures to easily distinguish between onsite personnel and visitors.
Implement procedures to identify and authorize visitors.
Control physical access for onsite personnel to the sensitive areas.
Destroy media when it is no longer needed for business or legal reasons.
Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Implement a methodology for penetration testing.
Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
Establish, publish, maintain, and disseminate a security policy.
Implement a risk-assessment process.
Develop usage policies for critical technologies and define proper use of these technologies.
Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.
Implement an incident response plan. Be prepared to respond immediately to a system breach.
CIS Controls v7.1 mapped to PCI DSS 3.0
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Critical Security Control #4: Controlled Use of Administrative Privileges
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
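The last two items above describe detections rather than configuration, so here is the detection logic written out. This is an added example and not code from the CIS mapping tool: it reads Windows Security events exported as one JSON object per line and raises an alert when a member is added to or removed from an administrative group, or when a logon to a privileged account fails. The event IDs are the documented Windows ones; the group names, the "adm-" account prefix, the hostnames and the sample events are assumptions constructed for the example.

```python
"""Added example for CIS sub-controls 4.8 and 4.9 (alert on admin-group
membership changes and on failed logons to administrative accounts).

Not code from the CIS mapping tool. Event records are constructed to resemble
Windows Security events exported as JSON lines; the event IDs are the
documented ones, the group names, account prefix and hosts are assumptions."""
import json
from dataclasses import dataclass
from typing import Optional

# Assumption: the groups the organisation treats as administrative.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# Assumption: privileged accounts follow an "adm-" naming convention.
ADMIN_ACCOUNT_PREFIX = "adm-"

GROUP_ADD = {4728, 4732, 4756}      # member added to global/local/universal group
GROUP_REMOVE = {4729, 4733, 4757}   # member removed from global/local/universal group
FAILED_LOGON = 4625


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def admin_group_change(event: dict) -> Optional[Alert]:
    """Fire when a member is added to or removed from an administrative group."""
    eid = event.get("EventID")
    if eid not in GROUP_ADD and eid not in GROUP_REMOVE:
        return None
    group = event.get("TargetUserName", "")   # for these IDs, TargetUserName is the group
    if group not in ADMIN_GROUPS:
        return None
    action = "added to" if eid in GROUP_ADD else "removed from"
    return Alert("admin-group-change", event.get("Computer", "?"),
                 f"{event.get('MemberName')} {action} {group} "
                 f"by {event.get('SubjectUserName')}")


def failed_admin_logon(event: dict) -> Optional[Alert]:
    """Fire on any failed logon whose target is a privileged account."""
    if event.get("EventID") != FAILED_LOGON:
        return None
    account = event.get("TargetUserName", "")
    if not account.lower().startswith(ADMIN_ACCOUNT_PREFIX):
        return None
    return Alert("admin-logon-failure", event.get("Computer", "?"),
                 f"failed logon for {account} from {event.get('IpAddress', '?')} "
                 f"(status {event.get('Status')})")


RULES = (admin_group_change, failed_admin_logon)


def scan(lines):
    """Run every rule over every event line and return the alerts in order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for rule in RULES:
            alert = rule(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """
{"EventID": 4732, "Computer": "DC01", "SubjectUserName": "jsmith", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "TargetUserName": "Administrators"}
{"EventID": 4732, "Computer": "WS17", "SubjectUserName": "helpdesk1", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example", "TargetUserName": "Remote Desktop Users"}
{"EventID": 4729, "Computer": "DC01", "SubjectUserName": "adm-ops", "MemberName": "CN=adm-old,OU=Admins,DC=corp,DC=example", "TargetUserName": "Domain Admins"}
{"EventID": 4625, "Computer": "DC01", "TargetUserName": "adm-jdoe", "IpAddress": "10.0.0.40", "Status": "0xC000006D", "LogonType": 3}
{"EventID": 4625, "Computer": "WS17", "TargetUserName": "jsmith", "IpAddress": "10.0.0.41", "Status": "0xC000006D", "LogonType": 2}
{"EventID": 4624, "Computer": "DC01", "TargetUserName": "adm-jdoe", "IpAddress": "10.0.0.40", "LogonType": 3}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Two points worth keeping in mind when turning this into a production rule: the group-membership events name the group in TargetUserName and the affected account in MemberName, which is the opposite of what the field names suggest; and a single failed admin logon is noisy on its own, so most teams pair this rule with a threshold or with the successful-logon event that follows a burst of failures.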
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Critical Security Control #7: Email and Web Browser Protections
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
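The DMARC item above is the most protocol-heavy entry in this control, and what a receiver actually does with SPF, DKIM and DMARC is easy to get wrong. The following is an added example, not part of the CIS mapping tool: it evaluates SPF for the envelope sender, looks up the DMARC policy of the header From: domain, and applies identifier alignment, which is the step that stops a third party with a perfectly valid SPF record for its own domain from passing DMARC as yours. DNS is replaced by a constructed in-memory zone so it runs offline; every domain, address and record is made up, and DKIM signature verification is out of scope (it is represented by the domain a verifier would report as having signed).

```python
"""Added example for the DMARC/SPF/DKIM item: receiver-side evaluation with
identifier alignment. Not code from the CIS mapping tool. DNS is a constructed
in-memory ZONE; all domains, addresses and records are made up."""
import ipaddress

ZONE = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all"],
        "A": ["192.0.2.10"],
    },
    "_spf.mailprovider.example": {"TXT": ["v=spf1 ip4:198.51.100.0/25 ~all"]},
    "_dmarc.example.com": {
        "TXT": ["v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"]
    },
    # A third party allowed to send as itself, but never as example.com.
    "attacker.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_records(name):
    return ZONE.get(name, {}).get("TXT", [])


def check_spf(ip, domain, depth=0):
    """SPF result for a connecting IP and envelope-from domain. Handles the
    ip4, ip6, a, include and all mechanisms; modifiers (redirect=, exp=) are ignored."""
    if depth > 10:                       # RFC 7208 DNS-lookup limit
        return "permerror"
    record = next((r for r in txt_records(domain) if r.lower().startswith("v=spf1")), None)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[qual]
        if mech == "a" and str(addr) in ZONE.get(arg or domain, {}).get("A", []):
            return QUALIFIER[qual]
        if mech == "include" and check_spf(ip, arg, depth + 1) == "pass":
            return QUALIFIER[qual]
    return "neutral"                     # no mechanism matched and no 'all'


def dmarc_record(header_from_domain):
    """Parse the _dmarc TXT record into a tag dict, or None if the domain has none."""
    for r in txt_records(f"_dmarc.{header_from_domain}"):
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for kv in r.split(";"):
                if "=" in kv:
                    k, v = kv.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def aligned(header_from, auth_domain, mode):
    """strict (s): exact match. relaxed (r): same organisational domain, approximated
    here by the last two labels; real receivers consult the Public Suffix List."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return org(header_from) == org(auth_domain)


def evaluate(ip, mail_from_domain, header_from_domain, dkim_signing_domain=None):
    """Combine SPF, an externally verified DKIM signing domain and DMARC into the
    disposition the domain owner requested (p= only; sp= for subdomains is not applied)."""
    spf = check_spf(ip, mail_from_domain)
    policy = dmarc_record(header_from_domain)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "disposition": "accept"}
    spf_ok = spf == "pass" and aligned(header_from_domain, mail_from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_signing_domain is not None and aligned(
        header_from_domain, dkim_signing_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"spf": spf, "dmarc": "pass", "disposition": "accept"}
    requested = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}
    return {"spf": spf, "dmarc": "fail",
            "disposition": requested.get(policy.get("p", "none"), "accept")}
```

The case to study is the third-party sender: a message from 203.0.113.5 with an envelope sender at attacker.example and a header From: at example.com gets an SPF "pass" (the attacker's own record authorises that address) and still fails DMARC, because the passing identifier is not aligned with the From: domain. That alignment check is the reason the control asks for DMARC on top of SPF and DKIM rather than either one alone.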
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
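The DEP/ASLR item above only works for binaries that were built to take advantage of those features, so the practical check is on the executable, not the operating system setting alone. The following is an added example and not code from the CIS mapping tool: it parses the ELF64 program headers and reports whether the loader can randomise the base address (an ET_DYN executable, i.e. PIE), whether the binary requests a non-executable stack (PT_GNU_STACK without PF_X, the DEP/NX side) and whether it carries a PT_GNU_RELRO segment. The constants are the documented ELF values; the two sample images are header-only ELF files constructed inline, not real programs.

```python
"""Added example for the DEP/ASLR item: read an ELF64 binary's program headers
and report PIE, non-executable stack and RELRO. Not code from the CIS mapping
tool. Constants are the documented ELF values; the sample images are
constructed header-only files, not real executables."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
EHDR_FMT = "<HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # ELF64 program header (56 bytes)


def program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    fields = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    return e_type, [struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
                    for i in range(e_phnum)]


def hardening_report(data):
    """Summarise what the loader will do with this binary."""
    e_type, phdrs = program_headers(data)
    by_type = dict(phdrs)
    if PT_GNU_STACK in by_type:
        nx_stack = "disabled" if by_type[PT_GNU_STACK] & PF_X else "enabled"
    else:
        # No PT_GNU_STACK at all: the kernel's per-architecture default applies,
        # which for older toolchains often meant an executable stack. Flag it.
        nx_stack = "unknown"
    return {
        "pie": e_type == ET_DYN,           # ASLR can randomise the load base
        "nx_stack": nx_stack,              # DEP/NX for the stack mapping
        "relro": PT_GNU_RELRO in by_type,  # at least partial RELRO (full also needs BIND_NOW)
    }


def build_elf(e_type, phdrs):
    """Construct a header-only ELF64 image (no code, no sections) for testing."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, v1, SysV
    ehdr = e_ident + struct.pack(EHDR_FMT, e_type, 0x3E, 1, 0, 64, 0, 0,
                                 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples: a PT_LOAD (type 1) plus the GNU headers of interest.
HARDENED = build_elf(ET_DYN, [(1, 0x5), (PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
LEGACY = build_elf(ET_EXEC, [(1, 0x7), (PT_GNU_STACK, 0x7)])
NO_STACK_HEADER = build_elf(ET_EXEC, [(1, 0x5)])

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY), ("no-gnu-stack", NO_STACK_HEADER)):
        print(name, hardening_report(image))
```

Point it at real files by reading them in binary mode and passing the bytes to hardening_report; a non-PIE executable or an executable stack in the inventory is a finding to raise with whoever builds or supplies the software. On Linux the system-wide half of the check is the kernel.randomize_va_space sysctl, which must be 2 for PIE binaries to actually be randomised.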
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.
Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Maintain an inventory of system components that are in scope for PCI DSS.
Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
Shared hosting providers must protect each entity's hosted environment and cardholder data.
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Ensure that all anti-virus mechanisms are maintained.
Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Develop internal and external software applications (including web-based administrative access to applications) securely.
Follow change control processes and procedures for all changes to system components.
Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
Develop applications based on secure coding guidelines.
Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
Limit access to system components and cardholder data to only those individuals whose job requires such access.
Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.
Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).
Document and communicate authentication procedures and policies to all users.
Do not use group, shared, or generic IDs, passwords, or other authentication methods.
Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned.
Develop procedures to easily distinguish between onsite personnel and visitors.
Implement procedures to identify and authorize visitors.
Control physical access for onsite personnel to the sensitive areas.
Destroy media when it is no longer needed for business or legal reasons.
Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Implement a methodology for penetration testing.
Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
Establish, publish, maintain, and disseminate a security policy.
Implement a risk-assessment process.
Develop usage policies for critical technologies and define proper use of these technologies.
Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.
Implement an incident response plan. Be prepared to respond immediately to a system breach.
CIS Controls v7.1 mapped to HIPAA
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Critical Security Control #7: Email and Web Browser Protections
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
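An offline evaluation of SPF and DMARC records, as an added example that is not part of the CIS document, to show what the two standards actually decide. The record strings are constructed; a real check fetches them over DNS. Only the ip4, ip6 and all SPF mechanisms are evaluated here, because include, a, mx and exists need further DNS lookups and are reported as unresolved rather than guessed.

```python
"""Offline checks for SPF and DMARC TXT records (CIS 7.8). Added example: the
record strings are constructed; a real check resolves them with DNS. Only the
ip4, ip6 and all SPF mechanisms are evaluated here; include, a, mx and exists
need DNS lookups and are reported as unresolved rather than guessed."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate sender_ip against a v=spf1 record; returns an RFC 7208 result word."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    unresolved = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if "=" in mech:                      # modifier (redirect=, exp=): not evaluated here
            continue
        if mech == "all":
            # "all" is only conclusive if every earlier mechanism was evaluated.
            return QUALIFIERS[qualifier] if not unresolved else "unresolved:" + ",".join(unresolved)
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            unresolved.append(mech)          # include:, a, mx, exists: need DNS
    return "neutral" if not unresolved else "unresolved:" + ",".join(unresolved)


def dmarc_check(record):
    """Parse a v=DMARC1 record into tags and return (tags, findings)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return tags, ["not a DMARC1 record"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: receivers only report, spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address, so authentication failures are never reported back")
    return tags, findings


# Constructed records for example.com (not real DNS data).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for ip in ("192.0.2.44", "2001:db8:1::5", "198.51.100.7"):
        print(ip, spf_check(SPF_RECORD, ip))
    for rec in (DMARC_WEAK, DMARC_STRONG):
        print(rec, "->", dmarc_check(rec)[1] or ["ok"])
```

The "starting by" in the sub-control matters in this order: SPF and DKIM produce pass/fail results, but until the DMARC policy moves past p=none a receiver is only asked to report those failures, not to act on them, which is what the weak-record findings above surface.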
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
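The gateway check behind the two attachment sub-controls, as an added example that is not part of the CIS document. Blocking by file extension is the cheap first step, but an executable renamed to .pdf or a macro document renamed to .docx passes an extension list, so the example also classifies content by its leading bytes and looks one level inside ZIP-based formats. The magic-byte signatures are the standard ones for each format; the block lists, the decisions and the sample files are constructed for this illustration.

```python
"""Content-based screening of inbound attachments for CIS 7.8/7.9. Added
example: the magic-byte signatures are the standard ones for each format, but
the block lists, the decisions and the sample files are constructed for this
illustration and are not part of the CIS text."""
import io
import zipfile

# Leading-byte signatures (standard for each format).
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),   # legacy .doc/.xls, can embed VBA
    (b"PK\x03\x04", "zip-container"),                          # also .docx/.xlsx/.jar/.apk
    (b"%PDF", "pdf"),
]
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "js", "vbs", "hta", "docm", "xlsm"}
BLOCKED_TYPES = {"pe-executable", "elf-executable", "ole2-document",
                 "office-macro-enabled", "zip-with-executable"}
UNINSPECTABLE = {"encrypted-zip", "corrupt-zip"}    # hand these to the 7.9 sandbox instead


def sniff(data):
    """Classify content by its leading bytes, looking one level into ZIP containers."""
    for signature, label in MAGIC:
        if data.startswith(signature):
            return classify_zip(data) if label == "zip-container" else label
    return "unknown"


def classify_zip(data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "office-macro-enabled"       # .docm renamed to .docx still carries this part
            for name in names:
                with zf.open(name) as member:       # read a header only; never inflate whole members
                    head = member.read(8)
                if head.startswith((b"MZ", b"\x7fELF")):
                    return "zip-with-executable"
            return "zip-container"
    except zipfile.BadZipFile:
        return "corrupt-zip"
    except RuntimeError:                            # zipfile's error for password-protected members
        return "encrypted-zip"


def decide(filename, data):
    """Return (action, reason): 'allow', 'block' or 'sandbox'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is not permitted"
    kind = sniff(data)
    if kind in BLOCKED_TYPES:
        return "block", f"content is {kind} regardless of the name {filename!r}"
    if kind in UNINSPECTABLE:
        return "sandbox", f"{kind}: cannot be inspected statically"
    return "allow", kind


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real files).
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,                       # executable with a PDF name
    "report.docx": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),   # macro document renamed
    "photos.zip": make_zip({"setup.exe": b"MZ\x90\x00" + b"\x00" * 60}),
    "holiday.zip": make_zip({"beach.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16}),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, decide(name, data))
```

Reading only the first eight bytes of each archive member keeps a decompression bomb from exhausting the gateway, and password-protected archives are routed to the sandbox rather than allowed, because nothing about them can be verified statically.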
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
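Whether a given Windows binary has opted in to DEP and ASLR is recorded in its own header, so the sub-control's first half can be verified per executable. The following is an added example, not part of the CIS document: it reads the DllCharacteristics field of the PE optional header and reports the NX_COMPAT (DEP), DYNAMIC_BASE (ASLR), HIGH_ENTROPY_VA (64-bit ASLR) and GUARD_CF opt-ins. The flag values and header offsets are from the PE/COFF specification; the byte strings are constructed minimal headers, not real executables.

```python
"""Check whether a Windows PE binary opts in to DEP (NX_COMPAT) and ASLR
(DYNAMIC_BASE, plus HIGH_ENTROPY_VA for 64-bit) by reading the optional header
DllCharacteristics field (added example). Flag values and offsets follow the
PE/COFF specification; the byte strings below are constructed minimal headers,
not real executables."""
import struct

# IMAGE_DLLCHARACTERISTICS_* flags (PE/COFF spec).
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
GUARD_CF = 0x4000


def pe_mitigations(data):
    """Return a dict of mitigation opt-ins for a PE image, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                          # 20-byte COFF file header
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    opt = coff + 20                                              # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]               # 0x10B = PE32, 0x20B = PE32+
    if magic not in (0x10B, 0x20B) or size_opt < 72:
        raise ValueError("unsupported or truncated optional header")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]        # DllCharacteristics (same offset in both)
    is64 = magic == 0x20B
    return {
        "pe32plus": is64,
        "dep": bool(dllchar & NX_COMPAT),
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "high_entropy_aslr": is64 and bool(dllchar & HIGH_ENTROPY_VA),
        "cfg": bool(dllchar & GUARD_CF),
    }


def missing_mitigations(data):
    """Names of the two baseline mitigations the image does not opt in to."""
    report = pe_mitigations(data)
    return [name for name in ("dep", "aslr") if not report[name]]


def build_pe(dllchar, pe32plus=True):
    """Constructed minimal PE: DOS header, PE signature, COFF header, optional header."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


HARDENED = build_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA | GUARD_CF)
LEGACY = build_pe(0, pe32plus=False)

if __name__ == "__main__":
    # On a real system: with open(path, "rb") as f: pe_mitigations(f.read())
    print("hardened:", pe_mitigations(HARDENED))
    print("legacy  :", pe_mitigations(LEGACY), "missing", missing_mitigations(LEGACY))
```

A binary that reports missing DEP or ASLR is the case the second half of the sub-control addresses: the protection then has to be forced from outside, by system-wide policy or a toolkit, rather than relied on from the image.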
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Critical Security Control #9: Limitation and Control of Network Ports, Protocols, and Services
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Management).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
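What "explicit error checking for all input" looks like in a handler, as an added example that is not part of the CIS document. The request shape (a payment transfer) and its limits are assumptions chosen so that each of the four check categories in the sub-control, size, type, range and format, is exercised at least once, and the handler fails closed on anything it did not expect.

```python
"""Explicit input validation for an in-house API handler (CIS 18.2). Added
example: the request shape (a payment transfer) and its limits are assumptions
chosen to exercise size, type, range and format checks; nothing here comes from
the CIS text."""
import json
import re
from decimal import Decimal, InvalidOperation

MAX_BODY_BYTES = 4096
ACCOUNT_RE = re.compile(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}")    # IBAN-like shape; a format check only
MEMO_RE = re.compile(r"[\w .,-]{0,140}", re.ASCII)              # bounded length and character set
MAX_AMOUNT = Decimal("1000000.00")


def validate_transfer(raw):
    """Return (ok, result): the parsed record, or a list of reasons for rejection.

    Every check is explicit and fails closed: unknown fields, wrong types,
    out-of-range amounts and oversized bodies are rejected with a reason, and
    the reasons never echo the offending value back to the caller."""
    if not isinstance(raw, (bytes, bytearray)):
        return False, ["body must be bytes"]
    if len(raw) > MAX_BODY_BYTES:                                # size, checked before parsing
        return False, [f"body exceeds {MAX_BODY_BYTES} bytes"]
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, ["body is not valid UTF-8 JSON"]
    if not isinstance(body, dict):
        return False, ["body must be a JSON object"]

    errors = []
    unknown = set(body) - {"from_account", "to_account", "amount", "memo"}
    if unknown:
        errors.append(f"unknown fields: {sorted(unknown)}")
    for field in ("from_account", "to_account"):
        value = body.get(field)
        if not isinstance(value, str):                           # type
            errors.append(f"{field} must be a string")
        elif not ACCOUNT_RE.fullmatch(value):                    # format
            errors.append(f"{field} has invalid format")
    amount = body.get("amount")
    if not isinstance(amount, str):                              # type: a JSON number would arrive as float
        errors.append("amount must be a decimal string")
    else:
        try:
            d = Decimal(amount)
            # range: finite, positive, capped, and no sub-cent precision
            if not d.is_finite() or d <= 0 or d > MAX_AMOUNT or d != d.quantize(Decimal("0.01")):
                errors.append("amount out of range or not a two-decimal value")
        except InvalidOperation:
            errors.append("amount is not a decimal number")
    memo = body.get("memo", "")
    if not isinstance(memo, str) or not MEMO_RE.fullmatch(memo):   # size and character set
        errors.append("memo must be at most 140 characters of plain text")
    if errors:
        return False, errors
    return True, {"from_account": body["from_account"], "to_account": body["to_account"],
                  "amount": Decimal(amount), "memo": memo}


def encode_request(fields):
    """Serialise a request the way a client would (helper for the constructed samples)."""
    return json.dumps(fields).encode("utf-8")


# Constructed sample requests (account numbers are the usual documentation examples).
GOOD_REQUEST = encode_request({"from_account": "GB82WEST12345698765432",
                               "to_account": "DE89370400440532013000",
                               "amount": "250.00", "memo": "March rent"})
BAD_REQUEST = encode_request({"from_account": "GB82WEST12345698765432",
                              "to_account": "'; DROP TABLE accounts;--",
                              "amount": 250.0, "memo": "x" * 200, "role": "admin"})

if __name__ == "__main__":
    print(validate_transfer(GOOD_REQUEST))
    print(validate_transfer(BAD_REQUEST))
    print(validate_transfer(b"{" + b" " * 5000))
```

Two details are deliberate: fullmatch is used instead of match with a trailing $, because $ also matches before a final newline and would let "ACCOUNT\n" through; and the amount is accepted only as a string, because a JSON number is parsed into a binary float before any range check can see it.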
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping grid: CIS sub-controls against the HIPAA Security Rule implementation specifications (R = required, A = addressable). Only the column headers survived extraction; the per-sub-control marks could not be recovered. Recovered columns:]
Workforce Security: Workforce Clearance Procedure (A); Termination Procedures (A)
Information Access Management: Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
Security Awareness and Training: Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
Security Incident Procedures: Response and Reporting (R)
Contingency Plan: Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
Evaluation (R)
Business Associate Contracts and Other Arrangement: Written Contract or Other Arrangement (R)
Facility Access Controls: Contingency Operations (A)
Device and Media Controls: Media Re-use (R); Accountability (A); Data Backup and Storage (A)
Access Control: Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
Audit Controls (R)
Integrity: Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication (R)
Transmission Security: Integrity Controls (A); Encryption (A)
CIS Controls v7.1 mapped to the FFIEC's Information Security Booklet 2016
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
urity Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
urity Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls v7.1 mapped to the FFIEC Examination Handbook (2006)
Mapping table column headings: User Security Controls; Physical Security; Network Controls; Change Management Within the IT Environment; End-of-Life Management; Malware Mitigation; Control of Information; Supply Chain; Logical Security; Customer Remote Access to Financial Services; Application Security; Database Security; Oversight of Third-Party Service Providers; Business Continuity Considerations; Encryption; Log Management (II.C.22).
Mapped sub-controls, by asset type:
System: 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
System: 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
System: 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
System: 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
System: 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
System: 9.2, 9.3, 9.4, 9.5
System: 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Network: 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Network: 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Application: 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Application: 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Application: 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
Mapping matrix (column headers only; the cell marks survived the extraction without their row labels and cannot be re-associated with individual sub-controls):
Columns A-C: Network Security; Host Security; Authentication and Access Controls
Columns D-F: User Equipment Security (Workstation, Laptop, Handheld); Physical Security; Personnel Security
Columns G-I: Software Development & Acquisition Security; Business Continuity; Application Security
Columns J-L: Service Provider Oversight - Security; Encryption; Data Security
Column M: Security Monitoring
CIS Controls v7.1 mapped to the FFIEC's Cybersecurity Assessment Tool (CAT)
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
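The account-review rules in sub-controls 16.7 to 16.10 (no business owner, dormant past a threshold, no or past expiration date) can be run as one pass over the account inventory. The following is an added example and not part of the CIS Controls or any CIS tooling; the 90-day threshold, the account field names, and the sample records are all assumptions constructed for illustration.

```python
"""Account review for CIS sub-controls 16.7 to 16.10 (added example, not CIS code):
flag enabled accounts that have no business owner, have been dormant longer
than an assumed threshold, or have no expiration date / are already expired.
Records are constructed for this example; field names are assumptions."""
from datetime import date, timedelta

DORMANT_DAYS = 90  # assumed organisational inactivity threshold


def review_accounts(accounts, today, dormant_days=DORMANT_DAYS):
    """Return {account name: [reasons]} for every enabled account needing action.

    Each account is a dict with: name, owner (str or None), last_logon (date or
    None), expires (date or None), enabled (bool). Accounts that are already
    disabled are skipped: they stay on the directory (disabled, not deleted)
    so their audit trail is preserved, as sub-control 16.7 requires.
    """
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        if not acct.get("owner"):
            reasons.append("no business owner")
        last = acct.get("last_logon")
        # An account that has never logged on counts as dormant too.
        if last is None or (today - last).days > dormant_days:
            reasons.append(f"dormant > {dormant_days} days")
        expires = acct.get("expires")
        if expires is None:
            reasons.append("no expiration date")
        elif expires < today:
            reasons.append("expired")
        if reasons:
            findings[acct["name"]] = reasons
    return findings


# Constructed sample inventory, dated relative to a fixed review date.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    {"name": "jdoe", "owner": "Finance", "last_logon": REVIEW_DATE - timedelta(days=3),
     "expires": date(2025, 1, 1), "enabled": True},
    {"name": "svc-legacy", "owner": None, "last_logon": REVIEW_DATE - timedelta(days=200),
     "expires": None, "enabled": True},
    {"name": "contractor-a", "owner": "IT Ops", "last_logon": REVIEW_DATE - timedelta(days=10),
     "expires": date(2024, 5, 15), "enabled": True},
    {"name": "former-emp", "owner": "HR", "last_logon": REVIEW_DATE - timedelta(days=400),
     "expires": date(2024, 12, 31), "enabled": False},
]

if __name__ == "__main__":
    for name, reasons in sorted(review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items()):
        print(f"DISABLE {name}: {', '.join(reasons)}")
```

The function only reports; the disable step belongs to the directory's own tooling so that the action is logged there. Feeding it the output of a directory export on a schedule gives the automated process that sub-control 16.7 asks for.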
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
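Sub-control 18.2 asks for explicit checks on size, data type, and acceptable range or format for every input. The block below is an added example, not CIS code and not from any product: it validates a constructed "transfer" request against an assumed schema, rejects the whole request with a list of every defect rather than silently coercing values, and treats a boolean as a type error where an integer is expected (a common gap when relying on duck typing).

```python
"""Explicit input checking for CIS sub-control 18.2 (added example, not CIS code).
Every field is checked for type, size, and range or format before use; all
failures are collected and reported. Field names and limits are assumptions."""
import re
from datetime import date


class ValidationError(ValueError):
    pass


# Assumed schema for a 'transfer' request: exact type, a size/range bound, and
# for strings an explicit allowed format (allow-list, not deny-list).
SCHEMA = {
    "account_id": {"type": str, "max_len": 12, "pattern": re.compile(r"^[A-Z]{2}\d{6,10}$")},
    "amount_cents": {"type": int, "min": 1, "max": 100_000_000},   # up to $1,000,000.00
    "memo": {"type": str, "max_len": 140, "pattern": re.compile(r"^[\w .,'-]*$")},
    "value_date": {"type": str, "max_len": 10, "pattern": re.compile(r"^\d{4}-\d{2}-\d{2}$")},
}


def validate(payload, schema=SCHEMA):
    """Return a cleaned dict, or raise ValidationError listing every defect."""
    errors = []
    unknown = set(payload) - set(schema)
    if unknown:
        errors.append(f"unexpected fields: {sorted(unknown)}")
    cleaned = {}
    for field, rule in schema.items():
        if field not in payload:
            errors.append(f"{field}: missing")
            continue
        value = payload[field]
        # Exact type check: bool is a subclass of int, so isinstance() would let True through.
        if type(value) is not rule["type"]:
            errors.append(f"{field}: expected {rule['type'].__name__}, got {type(value).__name__}")
            continue
        if isinstance(value, str):
            if len(value) > rule["max_len"]:
                errors.append(f"{field}: longer than {rule['max_len']} characters")
                continue
            if not rule["pattern"].fullmatch(value):
                errors.append(f"{field}: does not match required format")
                continue
        else:
            if not rule["min"] <= value <= rule["max"]:
                errors.append(f"{field}: out of range {rule['min']}..{rule['max']}")
                continue
        cleaned[field] = value
    if "value_date" in cleaned:
        # Format matched; now check it is a real calendar date (2024-13-40 passes the regex).
        try:
            cleaned["value_date"] = date.fromisoformat(cleaned["value_date"])
        except ValueError:
            errors.append("value_date: not a valid calendar date")
    if errors:
        raise ValidationError("; ".join(errors))
    return cleaned


# Constructed sample requests.
GOOD = {"account_id": "GB12345678", "amount_cents": 2500, "memo": "Invoice 42", "value_date": "2024-06-01"}
BAD = {"account_id": "GB1234", "amount_cents": True, "memo": "x" * 200, "value_date": "2024-13-40", "extra": 1}

if __name__ == "__main__":
    print("accepted:", validate(GOOD))
    try:
        validate(BAD)
    except ValidationError as exc:
        print("rejected:", exc)
```

Collecting every error rather than stopping at the first one is what makes the checking "documented" in practice: the rejection message itself records which rule each field failed.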
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
[Mapping matrix: only the "X" marks survive here, without their sub-control row labels. The column headings are the FFIEC Cybersecurity Assessment Tool domains and assessment factors: Domain 2: Threat Intelligence & Collaboration - Information Sharing; Domain 3: Cybersecurity Controls - Preventative Controls; Domain 3: Cybersecurity Controls - Detective Controls; Domain 3: Cybersecurity Controls - Corrective Controls; Domain 4: External Dependency Management - Connections; Domain 4: External Dependency Management - Relationship Management; Domain 5: Cyber Incident Management and Resilience - Incident Resilience Planning and Strategy; Domain 5: Cyber Incident Management and Resilience - Detection, Response, and Mitigation; Domain 5: Cyber Incident Management and Resilience - Escalation and Reporting.]
CIS Controls v7.1 mapped to COBIT 5
(Sub-control numbers by asset type; the corresponding COBIT 5 process references are not present on this page.)
System: 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
System: 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
System: 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
System: 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
System: 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
System: 9.2, 9.3, 9.4, 9.5
System: 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Network: 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Network: 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Application: 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Application: 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Application: 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
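The two preceding sub-controls (4.8 and 4.9) describe detection logic, so here is an added example of it as it would run in a log pipeline; it is not CIS code and not from any SIEM product. The event IDs for group-membership changes and failed logons are the real Windows Security event IDs, but the key=value line layout, the privileged-group and admin-account inventories, and the sample log lines are all constructed assumptions for this example.

```python
"""Detection logic for CIS sub-controls 4.8 and 4.9 (added example, not CIS code):
alert when a member is added to or removed from a privileged group, and on
failed logons to an administrative account. Log lines are constructed to
mimic Windows Security events in an assumed key=value export."""
import re
from dataclasses import dataclass

# Real Windows Security event IDs; the line format around them is assumed.
GROUP_ADD_EVENTS = {4728, 4732, 4756}     # member added to global/local/universal group
GROUP_REMOVE_EVENTS = {4729, 4733, 4757}  # member removed from the same group kinds
FAILED_LOGON_EVENT = 4625

# Assumed extracts from the organisation's privilege inventory.
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"CORP\\adm-jsmith", "CORP\\adm-break-glass"}


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    subject: str
    detail: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value log line into a dict; quoted values keep their spaces."""
    fields = {key: value.strip('"') for key, value in _KV.findall(line)}
    fields["EventID"] = int(fields.get("EventID", 0))
    return fields


def evaluate(event):
    """Return an Alert for the event, or None if it is not of interest."""
    eid = event["EventID"]
    if eid in GROUP_ADD_EVENTS or eid in GROUP_REMOVE_EVENTS:
        group = event.get("TargetGroup", "")
        if group in ADMIN_GROUPS:
            action = "added to" if eid in GROUP_ADD_EVENTS else "removed from"
            return Alert("4.8 admin-group-change", eid, event.get("SubjectUser", "?"),
                         f'{event.get("Member", "?")} {action} {group}')
    if eid == FAILED_LOGON_EVENT and event.get("TargetUser") in ADMIN_ACCOUNTS:
        return Alert("4.9 admin-logon-failure", eid, event.get("TargetUser"),
                     f'failed logon from {event.get("SourceIP", "?")} (status {event.get("Status", "?")})')
    return None


def scan(lines):
    """Run every non-empty line through the rules and return the alerts in order."""
    return [a for a in (evaluate(parse_event(l)) for l in lines if l.strip()) if a]


# Constructed sample log: two privileged-group changes, one non-privileged group
# change, one failed admin logon, one failed ordinary logon, one removal.
SAMPLE_LOG = """\
EventID=4732 SubjectUser=CORP\\adm-jsmith Member=CORP\\svc-backup TargetGroup="Administrators" Host=FS01
EventID=4728 SubjectUser=CORP\\adm-jsmith Member=CORP\\tmp-contractor TargetGroup="Domain Admins" Host=DC01
EventID=4732 SubjectUser=CORP\\helpdesk Member=CORP\\jdoe TargetGroup="Remote Desktop Users" Host=WS12
EventID=4625 TargetUser=CORP\\adm-break-glass SourceIP=10.9.8.7 Status=0xC000006D Host=DC01
EventID=4625 TargetUser=CORP\\jdoe SourceIP=10.1.2.3 Status=0xC000006D Host=WS12
EventID=4729 SubjectUser=CORP\\adm-jsmith Member=CORP\\tmp-contractor TargetGroup="Domain Admins" Host=DC01
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"[{alert.rule}] event {alert.event_id} by {alert.subject}: {alert.detail}")
```

Removals are alerted as well as additions: an attacker who adds a temporary account to Domain Admins and removes it afterwards leaves the removal as the last trace, so both directions matter.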
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
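Sub-control 7.8 is usually verified by reading the domain's published SPF, DKIM and DMARC records and judging whether they actually reject spoofed mail. The block below is an added example of that check, not CIS code; the records are constructed for a fictional domain (a real check would fetch the TXT records with a DNS resolver), and the "weak" versus "hardened" postures are assumptions chosen to show the common gaps: `~all` instead of `-all`, `p=none`, a partial `pct`, a missing `rua` address, and a revoked DKIM selector still published.

```python
"""Policy checks for CIS sub-control 7.8 (added example, not CIS code): report
where a domain's SPF, DKIM and DMARC records are weaker than the control
intends. Records below are constructed; a real run would resolve TXT records."""


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DMARC and DKIM records) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    findings = []
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record published"]
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None or all_term in ("+all", "all"):
        findings.append("SPF: any sender passes (missing or +all)")
    elif all_term == "?all":
        findings.append("SPF: neutral ?all gives no protection")
    elif all_term == "~all":
        findings.append("SPF: softfail ~all; prefer -all once DMARC is at p=reject")
    # RFC 7208 limits DNS-querying mechanisms (include, a, mx, ptr, exists, redirect) to 10.
    lookups = sum(1 for t in terms
                  if t.split(":")[0].lstrip("+-~?") in ("include", "a", "mx", "ptr", "exists")
                  or t.startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def check_dkim(selector_records):
    """selector_records maps selector name -> TXT record at <selector>._domainkey.<domain>."""
    if not selector_records:
        return ["DKIM: no selector records found"]
    findings = []
    for selector, record in selector_records.items():
        tags = parse_tags(record)
        # v= is optional and defaults to DKIM1; an empty p= means the key is revoked.
        if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
            findings.append(f"DKIM: selector {selector} has no usable public key (p= empty or revoked)")
    return findings


def check_dmarc(record):
    if not record or not record.startswith("v=DMARC1"):
        return ["DMARC: no v=DMARC1 record published"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject when reports are clean")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings


def assess(domain_records):
    """Combine the three checks; an empty list means the posture meets the control."""
    findings = check_spf(domain_records.get("spf"))
    findings += check_dkim(domain_records.get("dkim", {}))
    findings += check_dmarc(domain_records.get("dmarc"))
    return findings


# Constructed records for a fictional domain. The DKIM key is a truncated placeholder.
WEAK_DOMAIN = {
    "spf": "v=spf1 include:_spf.example-mailer.invalid mx ~all",
    "dkim": {"sel1": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A", "old": "v=DKIM1; p="},
    "dmarc": "v=DMARC1; p=none; pct=50",
}
HARDENED_DOMAIN = {
    "spf": "v=spf1 include:_spf.example-mailer.invalid mx -all",
    "dkim": {"sel1": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"},
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for name, records in (("weak", WEAK_DOMAIN), ("hardened", HARDENED_DOMAIN)):
        print(name, assess(records) or ["OK"])
```

The order in the sub-control (SPF and DKIM first, then DMARC) matters operationally: DMARC at `p=reject` before every legitimate sender is covered by SPF or DKIM will cause that sender's mail to be rejected, which is why the check flags `p=none` as a gap rather than an error.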
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
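Sub-control 9.2 amounts to a diff between what a scheduled scan finds listening and what the inventory says should be listening. The following is an added example of that comparison, not CIS code: it parses a constructed scan report laid out like nmap's grepable (`-oG`) output, compares it against an assumed approved-ports inventory, and reports every open port that is not approved, including every port on a host the inventory does not know at all.

```python
"""Port baseline check for CIS sub-control 9.2 (added example, not CIS code):
compare open ports from a scheduled scan against the approved listener
inventory and report anything unauthorized. The scan text is constructed in
nmap's grepable (-oG) layout; the inventory is an assumed extract."""
import re

# Assumed approved listener inventory: host -> set of "port/proto".
APPROVED = {
    "10.0.0.5": {"22/tcp", "443/tcp"},
    "10.0.0.9": {"22/tcp", "3306/tcp"},
}

# One grepable host line: "Host: <ip> (<name>)\tPorts: <entries>\tIgnored State: ..."
_HOST = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: {"port/proto", ...}} containing only ports reported open."""
    result = {}
    for line in text.splitlines():
        m = _HOST.match(line)
        if not m:
            continue
        ip, ports = m.group(1), m.group(2)
        open_ports = set()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            # grepable field order: port/state/protocol/owner/service/rpc/version/
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add(f"{fields[0]}/{fields[2]}")
        result[ip] = open_ports
    return result


def find_unauthorized(scan, approved):
    """Return {ip: sorted unexpected ports}. A host missing from the inventory
    has every open port reported, since an unknown host is itself a finding."""
    alerts = {}
    for ip, ports in scan.items():
        extra = ports - approved.get(ip, set())
        if extra:
            alerts[ip] = sorted(extra, key=lambda p: int(p.split("/")[0]))
    return alerts


# Constructed sample scan: an extra 8080 on a known host, a filtered (not open)
# 445 that must not alert, and an unknown host with telnet open.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.0.0.12 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done
"""

if __name__ == "__main__":
    for ip, ports in sorted(find_unauthorized(parse_grepable(SAMPLE_SCAN), APPROVED).items()):
        print(f"ALERT {ip}: unauthorized open ports {', '.join(ports)}")
```

Ports in any state other than `open` are ignored on purpose: a filtered port is the host firewall from sub-control 9.4 doing its job, not a new listener.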
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
curity Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
Mapping grid (individual X marks omitted); column headings, which are COBIT process names: Manage Programmes and Projects; Manage Requirements Definition; Manage Solutions Identification and Build; Manage Service Requests and Incidents; Manage Configuration; Manage Operations; Manage Security Services; Manage Problems; Manage Continuity; Manage Business Process Controls; Monitor, Evaluate and Assess Performance and Conformance; Monitor, Evaluate and Assess the System of Internal Control; Monitor, Evaluate and Assess Compliance with External Requirements (MEA03).
CIS Controls v7.1 mapped to the AICPA's Trust Services Principles and Criteria for SOC2 & SOC3 Assessments
Rows of the mapping grid (CIS sub-control IDs, grouped as labeled; mapping cells omitted):
System: 1.2 to 1.8; 2.2 to 2.10; 3.1 to 3.7; 4.2 to 4.9; 5.1 to 5.5 (Critical Security Control #5: Secure Configurations for Hardware and Software); 6.1 to 6.8 (Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs); 7.2 to 7.10; 8.2 to 8.8; 9.2 to 9.5; 10.2 to 10.5
Network: 11.1 to 11.7 (Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches); 12.1 to 12.12 (Critical Security Control #12: Boundary Defense); 13.1 to 13.9; 15.3 to 15.10
Application: 14.1 to 14.9 (Critical Security Control #14: Controlled Access Based on the Need to Know); 16.2 to 16.13; 17.1 to 17.9 (Critical Security Control #17: Implement a Security Awareness and Training Program); 18.2 to 18.11; 19.2 to 19.8; 20.1 to 20.8 (Critical Security Control #20: Penetration Tests and Red Team Exercises)
CIS Controls
Critical Security Control #1: Inventory and Control of Hardware Assets
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following the IEEE 802.1X standard, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
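The comparison of consecutive scans described above is easy to get wrong when the same issue appears on several hosts or when the remediation clock is reset by each new scan. The following is an added example, not part of the Master Mappings Tool: it keys findings by host and vulnerability ID, classifies each as remediated, new or persistent, and flags persistent findings whose age (counted from first detection, not from the latest scan) exceeds a severity-based SLA. The scan rows, host names, vulnerability IDs (placeholders, not real CVEs) and SLA values are constructed assumptions.

```python
"""Compare two consecutive vulnerability scan exports (CIS sub-control 3.6).

Added illustration, not part of the Master Mappings Tool. The scan rows, host names
and vulnerability IDs below are constructed sample data (the IDs are placeholders,
not real CVEs), and the SLA values are assumed policy numbers.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation deadlines per severity, in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: str
    first_seen: date  # date the scanner first reported this finding on this host


def _index(findings):
    """Key findings by (host, vuln_id) so the same issue on two hosts stays distinct."""
    return {(f.host, f.vuln_id): f for f in findings}


def compare_scans(previous, current, today):
    """Classify findings as remediated, new or persistent; flag persistent ones past SLA."""
    prev, cur = _index(previous), _index(current)
    remediated = sorted(prev.keys() - cur.keys())
    new = sorted(cur.keys() - prev.keys())
    persistent, overdue = [], []
    for key in sorted(prev.keys() & cur.keys()):
        f = prev[key]  # use the earlier record so the age counts from first detection
        age = (today - f.first_seen).days
        persistent.append(key)
        if age > SLA_DAYS[f.severity]:
            overdue.append((f.host, f.vuln_id, f.severity, age))
    return {"remediated": remediated, "new": new, "persistent": persistent, "overdue": overdue}


# Constructed sample scans: two consecutive weekly runs (not real scanner output).
PREVIOUS_SCAN = [
    Finding("web01", "VULN-0001", "critical", date(2024, 1, 1)),
    Finding("web01", "VULN-0002", "low", date(2024, 1, 1)),
    Finding("db01", "VULN-0003", "high", date(2024, 2, 1)),
]
CURRENT_SCAN = [
    Finding("web01", "VULN-0001", "critical", date(2024, 1, 1)),
    Finding("db01", "VULN-0003", "high", date(2024, 2, 1)),
    Finding("db01", "VULN-0004", "medium", date(2024, 2, 15)),
]


def report(today=date(2024, 2, 15)):
    """Run the comparison on the constructed scans as of the given date."""
    return compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, today)


if __name__ == "__main__":
    for bucket, items in report().items():
        print(bucket, items)
```

The "overdue" bucket is what should feed the ticketing or escalation process; "remediated" entries should be verified against change records rather than trusted blindly, since a host that was simply offline during the second scan would also drop out of the results.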
Critical Security Control #4: Controlled Use of Administrative Privileges
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
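The two alerting requirements above (a change to an administrative group's membership, and a failed logon to an administrative account) map directly onto Windows Security event IDs. The following detection logic is an added example, not part of the Master Mappings Tool: it parses JSON-lines records, raises an alert for events 4728/4732/4756 (member added to a security-enabled global, local or universal group) and 4729/4733/4757 (member removed) when the group is administrative, and for event 4625 (failed logon) when the target account is on the admin list. The records, hosts, accounts and group list are constructed; the field names follow the Windows Security log schema (for the membership events, TargetUserName is the group and MemberName the account), but a real pipeline would take them from the SIEM's parsed fields.

```python
"""Detect administrative-privilege events in Windows Security log records (CIS 4.8, 4.9).

Added illustration, not part of the Master Mappings Tool. The records below are constructed
JSON lines whose field names follow the Windows Security event schema (EventID, TargetUserName,
MemberName, SubjectUserName); the accounts, hosts and group names are made up.
"""
import json

# Windows Security event IDs for membership changes in security-enabled groups.
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
MEMBER_REMOVED = {4729: "global", 4733: "local", 4757: "universal"}
FAILED_LOGON = 4625

# Groups treated as administrative (assumed list; extend per environment).
ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}


def parse_events(lines):
    """Parse JSON-lines records, skipping blank or malformed lines rather than failing."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_admin_events(events, admin_accounts):
    """Return one alert string per admin-group change or failed admin logon."""
    admin_accounts = {a.lower() for a in admin_accounts}
    alerts = []
    for e in events:
        eid = e.get("EventID")
        # For 4728/4732/4756 and their removal twins, TargetUserName is the group name
        # and MemberName identifies the account that was added or removed.
        if eid in MEMBER_ADDED or eid in MEMBER_REMOVED:
            group = e.get("TargetUserName", "")
            if group.lower() in ADMIN_GROUPS:
                action = "added to" if eid in MEMBER_ADDED else "removed from"
                alerts.append(
                    f"{e.get('Computer')}: {e.get('MemberName')} {action} {group} "
                    f"by {e.get('SubjectUserName')} (event {eid})"
                )
        elif eid == FAILED_LOGON:
            target = e.get("TargetUserName", "")
            if target.lower() in admin_accounts:
                alerts.append(
                    f"{e.get('Computer')}: failed logon to admin account {target} "
                    f"from {e.get('IpAddress')} (event {eid}, status {e.get('Status')})"
                )
    return alerts


# Constructed sample records (JSON lines), not real log data.
SAMPLE_LOG = """
{"EventID": 4624, "Computer": "WS01", "TargetUserName": "alice", "IpAddress": "10.0.0.5"}
{"EventID": 4732, "Computer": "DC01", "SubjectUserName": "bob", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "TargetUserName": "Administrators"}
{"EventID": 4728, "Computer": "DC01", "SubjectUserName": "bob", "MemberName": "CN=carol,CN=Users,DC=corp,DC=example", "TargetUserName": "Sales"}
{"EventID": 4625, "Computer": "DC01", "TargetUserName": "ADM-dave", "IpAddress": "203.0.113.7", "Status": "0xC000006D"}
{"EventID": 4625, "Computer": "WS01", "TargetUserName": "alice", "IpAddress": "10.0.0.5", "Status": "0xC000006D"}
not json
"""


def run_sample():
    """Run the detector over the constructed records with an assumed admin account list."""
    return detect_admin_events(parse_events(SAMPLE_LOG.splitlines()), {"adm-dave", "Administrator"})


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT", alert)
```

Only the addition to Administrators and the failed logon to ADM-dave produce alerts; the change to the Sales group and the failed logon by a standard user are ignored, which is the noise reduction the control intends. Membership events need the Audit Security Group Management subcategory enabled on the domain controllers or they are never written.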
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
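The DMARC requirement above is often "met" with a record that does not actually stop spoofing (p=none, pct below 100, or an SPF record ending in +all). The following is an added example, not part of the Master Mappings Tool: it takes SPF and DMARC record text that has already been fetched from DNS and lists the weaknesses, and shows a weak starting configuration next to the corrected one. The domain, mailbox addresses and records are constructed, not live DNS data.

```python
"""Assess the strength of a domain's SPF and DMARC records (CIS sub-control 7.8).

Added illustration, not part of the Master Mappings Tool. It checks record text that has
already been fetched from DNS; the records below are constructed examples for a made-up
domain, not live DNS data.
"""
import re


def parse_tags(record):
    """Split 'k=v; k=v' DMARC text into a dict (keys lower-cased, values stripped)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of weaknesses in an SPF record (empty list means acceptable)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders are implicitly neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("'+all' permits any host to send as the domain")
        elif qualifier == "?":
            issues.append("'?all' is neutral and gives receivers no signal")
        elif qualifier == "~":
            issues.append("'~all' is softfail; move to '-all' once sources are verified")
    # RFC 7208 limits DNS-querying mechanisms/modifiers to 10 per evaluation.
    lookup_re = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")
    lookups = sum(1 for t in terms[1:] if lookup_re.match(t.lower()))
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms exceeds the limit of 10 (permerror)")
    return issues


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty list means acceptable)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing required 'p' tag")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: plan the move to p=reject")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        issues.append("sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua address: aggregate reports will not be received")
    return issues


# Constructed example records: a weak starting point beside the corrected configuration.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx +all"
STRONG_SPF = "v=spf1 include:_spf.example.net mx -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; "
                "adkim=s; aspf=s")

if __name__ == "__main__":
    for label, rec, check in [("weak SPF", WEAK_SPF, assess_spf), ("strong SPF", STRONG_SPF, assess_spf),
                              ("weak DMARC", WEAK_DMARC, assess_dmarc), ("strong DMARC", STRONG_DMARC, assess_dmarc)]:
        print(label, "->", check(rec) or ["ok"])
```

The usual rollout is p=none with rua reporting to discover legitimate sending sources, then p=quarantine, then p=reject with pct=100 and an explicit sp tag; a p=none record left in place indefinitely satisfies the letter of the control but not its purpose.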
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Critical Security Control #9: Limitation and Control of Network Ports, Protocols, and Services
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
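Comparing device configurations against the approved standard (the third item above) produces constant false alarms unless lines that legitimately change between pulls, such as the "Last configuration change" banner or ntp clock-period, are ignored. The following is an added example, not part of the Master Mappings Tool: it normalises IOS-style configuration text, reports lines missing from or added to the running configuration relative to the baseline, and separately checks a list of lines the hardening standard requires on every device. The two configurations, the device, the volatile-line patterns and the required-line list are constructed assumptions to be adapted per platform.

```python
"""Compare a running network device configuration against its approved baseline (CIS 11.3).

Added illustration, not part of the Master Mappings Tool. The two configurations below are
constructed, IOS-style text for a made-up switch; the normalisation rules and the list of
required lines are assumptions to adapt per platform.
"""
import re

# Lines that vary between pulls without being real changes (assumed for this example).
VOLATILE_PATTERNS = [
    re.compile(r"^! Last configuration change"),
    re.compile(r"^! NVRAM config last updated"),
    re.compile(r"^ntp clock-period"),
    re.compile(r"^Current configuration"),
    re.compile(r"^Building configuration"),
]

# Settings that must be present on every device (assumed hardening standard).
REQUIRED_LINES = [
    "service password-encryption",
    "no ip http server",
    "aaa new-model",
    "logging host 10.0.0.20",
]


def normalise(config_text):
    """Drop volatile and comment-only lines and trailing whitespace; keep line order and indent."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!" or any(p.match(line) for p in VOLATILE_PATTERNS):
            continue
        lines.append(line)
    return lines


def check_drift(baseline_text, running_text):
    """Return lines missing from or added to the running config, plus missing required lines."""
    baseline, running = normalise(baseline_text), normalise(running_text)
    base_set, run_set = set(baseline), set(running)
    return {
        "missing": [ln for ln in baseline if ln not in run_set],   # approved, gone on device
        "added": [ln for ln in running if ln not in base_set],     # on device, not approved
        "required_missing": [ln for ln in REQUIRED_LINES if ln not in run_set],
    }


# Constructed approved baseline and a drifted running configuration (not real devices).
BASELINE = """\
! Last configuration change at 10:00:00 UTC Mon Jan 1 2024
version 15.2
service password-encryption
hostname sw-core-01
aaa new-model
no ip http server
logging host 10.0.0.20
line vty 0 4
 transport input ssh
 login authentication default
!
ntp clock-period 17179869
"""

RUNNING = """\
! Last configuration change at 09:12:31 UTC Tue Jan 9 2024
version 15.2
service password-encryption
hostname sw-core-01
aaa new-model
ip http server
logging host 10.0.0.20
line vty 0 4
 transport input ssh telnet
 login authentication default
!
ntp clock-period 17179870
"""


def sample_drift():
    """Run the drift check on the constructed baseline and running configuration."""
    return check_drift(BASELINE, RUNNING)


if __name__ == "__main__":
    for bucket, lines in sample_drift().items():
        print(bucket, lines)
```

Leading whitespace is deliberately preserved, because " transport input ssh" under a line block and "transport input ssh" at global scope are different settings; a line-set comparison is enough to raise the alert, while block-aware parsing is needed if the report should name the affected interface or line.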
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
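The active discovery tool called for above is, at its core, pattern matching with a validity check to keep false positives down, and it must not itself re-expose what it finds. The following is an added example, not part of the Master Mappings Tool: it scans a set of in-memory documents for payment card numbers (digit runs validated with the Luhn checksum) and US Social Security numbers (structural format check only), and reports each hit with the value masked to its last four characters. The documents and paths are constructed; the card number used is the well-known Visa test value 4111 1111 1111 1111.

```python
"""Discover sensitive data (card numbers, US SSNs) in text stores (CIS sub-controls 14.5, 14.9).

Added illustration, not part of the Master Mappings Tool. The documents below are constructed;
the card number used is the well-known Visa test value 4111 1111 1111 1111, and the SSN
pattern is a format check only (SSA structural rules, not an identity lookup).
"""
import re

# 13 to 19 digits, possibly separated by spaces or dashes; the Luhn check filters most false hits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN: AAA-GG-SSSS with the structurally invalid areas 000, 666 and 900-999 excluded.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812) over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so findings can be logged without re-exposing data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(name, text):
    """Return (source, type, masked value, offset) tuples for each confirmed hit."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append((name, "card", mask(digits), m.start()))
    for m in SSN_RE.finditer(text):
        hits.append((name, "ssn", mask(m.group(0)), m.start()))
    return hits


def scan_store(documents):
    """Scan a mapping of document name -> text, e.g. files pulled from a share."""
    hits = []
    for name, text in documents.items():
        hits.extend(scan_text(name, text))
    return hits


# Constructed sample documents (not real records).
SAMPLE_DOCS = {
    "finance/refund.txt": "Refund to card 4111 1111 1111 1111 approved, ref 1234567812345678.",
    "hr/onboarding.csv": "name,ssn\nJane Roe,123-45-6789\n",
    "eng/notes.md": "Build 20240101123456 finished; order 987-65-4321 shipped.",
}


def run_sample():
    """Scan the constructed documents."""
    return scan_store(SAMPLE_DOCS)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

The reference number 1234567812345678 and the build ID are digit runs of card-like length that fail Luhn, and 987-65-4321 has an SSN shape but an invalid area number, so none of them is reported; the two real-format values are. In a deployment the masked tuples go into the sensitive information inventory, and the scanner itself must run under an account whose reads are logged, since it touches every sensitive file it finds.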
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
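The second item above (explicit, documented error checking of every input for size, data type and acceptable ranges or formats) is the one most often implemented as an afterthought. The following is an added example, not part of the Master Mappings Tool: a naive order parser that trusts its input is shown beside a hardened one that checks the request body size first, then validates every field against a declared rule (type, maximum length, format, range), rejects fields it does not expect, and collects all problems so the caller can log and reject the request with one decision. The order payload, field rules, limits and error texts are constructed assumptions.

```python
"""Explicit input checking for size, type, range and format (CIS sub-control 18.2).

Added illustration, not part of the Master Mappings Tool. The order payload, field rules
and error texts are constructed for the example; the naive parser is shown only as the
contrast the hardened one replaces.
"""
import re
from decimal import Decimal

MAX_BODY_BYTES = 4096  # assumed size limit for this endpoint


class ValidationError(ValueError):
    """Raised with a list of field-level problems so the caller can log and reject."""
    def __init__(self, problems):
        super().__init__("; ".join(problems))
        self.problems = problems


def parse_order_naive(form):
    """Trusts its input: wrong types crash, negatives and huge values pass, SKU is unchecked."""
    return {"sku": form["sku"], "qty": int(form["qty"]), "price": float(form["price"])}


# Field rules: expected type, length bound, acceptable range or format (assumed policy).
SKU_RE = re.compile(r"^[A-Z]{3}-\d{4}$")
RULES = {
    "sku": {"type": str, "max_len": 8, "pattern": SKU_RE},
    "qty": {"type": int, "min": 1, "max": 100},
    "price": {"type": Decimal, "min": Decimal("0.01"), "max": Decimal("10000.00")},
    "note": {"type": str, "max_len": 200, "optional": True},
}


def _coerce(name, value, rule):
    """Convert a raw string to the rule's type; reject anything that does not convert cleanly."""
    if rule["type"] is int:
        if not re.fullmatch(r"-?\d{1,9}", value):   # bounded digits: no '1e9', no huge values
            raise ValueError(f"{name}: must be an integer")
        return int(value)
    if rule["type"] is Decimal:
        if not re.fullmatch(r"\d{1,6}(\.\d{1,2})?", value):
            raise ValueError(f"{name}: must be a decimal amount with at most two places")
        return Decimal(value)
    return value


def validate_order(raw_body, form):
    """Check size, then each field's type, length, format and range; collect every problem."""
    if len(raw_body) > MAX_BODY_BYTES:
        return None, [f"body exceeds {MAX_BODY_BYTES} bytes"]
    problems = []
    unknown = set(form) - set(RULES)
    if unknown:
        problems.append("unexpected fields: " + ", ".join(sorted(unknown)))
    order = {}
    for name, rule in RULES.items():
        if name not in form:
            if not rule.get("optional"):
                problems.append(f"{name}: missing")
            continue
        value = form[name]
        if not isinstance(value, str):
            problems.append(f"{name}: must be a string field")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            problems.append(f"{name}: longer than {rule['max_len']} characters")
            continue
        try:
            typed = _coerce(name, value, rule)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if "pattern" in rule and not rule["pattern"].fullmatch(typed):
            problems.append(f"{name}: does not match the expected format")
            continue
        if ("min" in rule and typed < rule["min"]) or ("max" in rule and typed > rule["max"]):
            problems.append(f"{name}: outside the range {rule['min']} to {rule['max']}")
            continue
        order[name] = typed
    return (None, problems) if problems else (order, [])


def parse_order(raw_body, form):
    """Hardened entry point: returns a typed order or raises ValidationError."""
    order, problems = validate_order(raw_body, form)
    if problems:
        raise ValidationError(problems)
    return order
```

Two details matter in practice: the length check runs before any conversion so an oversized value never reaches the parser, and the integer and decimal formats are bounded regexes rather than a bare int() or float(), which would happily accept "1e9", " 5", or "inf". The returned problem list is what should be written to the application log; the raw rejected values should not be.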
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Mapping matrix columns: Common Criteria Related to Communications; Common Criteria Related to Risk Management and Design and Implementation of Controls; Common Criteria Related to Monitoring of Controls; Common Criteria Related to Logical and Physical Access Controls; Common Criteria Related to System Operations; Common Criteria Related to Change Management; Additional Criteria for Availability; Additional Criteria for Confidentiality.
CIS Controls v7.1 mapped to the AICPA's Generally Accepted Privacy
Policies (GAPP)
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Mapping matrix columns: Privacy Awareness and Training; Changes in Regulatory and Business Requirements; Privacy Policies; Communication to Individuals; Entities and Activities Covered; Provision of Notice; Misuse of Personal Information by a Third Party; New Purposes and Uses; Privacy Policies; Environmental Safeguards; Transmitted Personal Information; Physical Access Controls; Communication to Individuals; Accuracy and Relevance of Personal Information; Completeness of Personal Information.
CIS Controls v7.1 mapped to the US Internal Revenue Service (IRS)
Publication 1075
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping grid: the per-sub-control X marks could not be tied back to their rows during extraction. Column headings, in order: Reporting Requirements; Other Safeguards; Disposing of FTI; Access Control; Audit and Accountability; Awareness and Training; Security Assessment and Authorization; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Planning; Personnel Security; Risk Assessment; System and Service Acquisition; System and Communication Protection; System and Information Integrity; Program Management; Cloud Computing Environments; Data Warehouse; Email Communications; Fax Equipment; Integrated Voice Response Systems; Live Data Testing; Virtual Desktop Infrastructure; Virtualization Environments; VoIP Systems; Reporting Improper Inspections or Disclosures; Disclosure to Other Persons; Return Information in Statistical Reports.]
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
curity Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Critical Security Control #4: Controlled Use of Administrative Privileges
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Critical Security Control #7: Email and Web Browser Protections
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Critical Security Control #9: Limitation and Control of Network Ports, Protocols, and Services
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Critical Security Control #14: Controlled Access Based on the Need to Know
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS) that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
[Mapping matrix: only the column headings survived extraction; the mark cells ("X") lost their row labels and cannot be reconstructed. Mapped framework columns, in order: Protection of the secure zone; Communication Boundary Protection between components in the secure zone; Local Operator Access to the secure zone systems (end user and administrator); Remote Operator Access (teleworking, "on-call" duties, or remote administration); Restriction of Internet access; Segregation from General Enterprise IT Services; Virtualisation; Systems within the secure zone implement application whitelisting, allowing only trusted applications to be executed (1.1-opt); Operating System Privileged Account Control (1.2); Internal Data Flow Security (2.1); Security Updates; System Hardening; Back-office Data Flow Security; External Transmission Data Protection; Operator Session Confidentiality and Integrity; Vulnerability Scanning; Critical Activity Outsourcing; Transaction Business Controls; Physical Security; Personnel Vetting Process; Physical and Logical Password Storage; Token Management; Malware Protection; Software Integrity; Database Integrity; Logging and Monitoring; Intrusion Detection; Cyber Incident Response Planning; Security Training and Awareness; Penetration Testing; Scenario Risk Assessment.]
CIS Controls v7.1 mapped to Monetary Authority of Singapore's (MAS)
Technology Risk Management (TRM) Guidance
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
curity Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
curity Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
curity Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only the network ports, protocols, and services with a validated business need are
listening on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a): mapping matrix, columns 3 to 14, marked with an X per sub-control. Column headings recovered: 6 Acquisition and Development of Information Systems; 7 IT Service Management; 8 Systems Reliability, Availability, and Recoverability; 9 Operational Infrastructure Management; 10 Data Centres Protection and Controls; 11 Security Access Controls; 12 Online Financial Services; 13 Payment Card Security; 14 IT Audit.
CIS Controls v7.1 mapped to Saudi Arabian Monetary Authority Cyber Security Framework (v1.0)
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only the network ports, protocols, and services with a validated business need are
listening on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
[Mapping grid: the per-sub-control "X" marks are not recoverable from the extracted text; only the mapping categories survive.]
Mapping categories: Cyber Security Governance; Cyber Security Strategy; Cyber Security Policy;
Cyber Security Risk Management; Cyber Security Training; Regulatory Compliance; Compliance with
(inter)national industry standards; Cyber Security Review; Cyber Security Audits; Human Resources;
Physical Security; Asset Management; Cyber Security Architecture; Identity and Access Management;
Application Security; Change Management; Infrastructure Security; Cryptography; Bring Your Own
Device (BYOD); Secure Disposal of Information Assets; Payment Systems; Electronic Banking Services;
Cyber Security Event Management; Cyber Security Incident Management; Vulnerability Management;
Threat Management; Contract and Vendor Management; Outsourcing; Cloud Computing
3.4.2 3.4.3
CIS Controls v7.1 mapped to NERC CIP v7
Asset type / CIS sub-control (the NERC CIP mapping column is not present in the extracted text)
System: 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
System: 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
System: 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
System: 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
System: 9.2, 9.3, 9.4, 9.5
System: 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Network: 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Network: 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Application: 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Application: 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Application: 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network or quarantined, or that the
inventory is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping grid: CIS Sub-Controls marked against the NERC CIP requirement areas below; the individual mapping marks are not reproduced here.]
Attachment 1 incorporates the "Bright Line Criteria" to classify BES Assets as Low, Medium, or High. Called BES Cyber Systems consolidating CAs and CCAs
CIP-002-5: BES Cyber System Lists must be reviewed and approved every 15 calendar months
Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by CIP Senior Manager every 15 calendar months
Cyber Security Policies approved for Low Impact Assets by CIP Senior Manager every 15 calendar months
Identify a CIP Senior Manager and document any change within 30 calendar days of the change
CIP Senior Manager must document any delegates
Access Management Program
Access Revocation Program
Electronic Security Perimeters
Interactive Remote Access Management
Physical Security Plan
Visitor Control Plan
Maintenance and Testing Program
Ports and Services
Security Patch Management
Malicious Code Prevention
Security Event Monitoring
System Access Controls
Cyber Security Incident Response Plan
Implementation and testing of Cyber Security Incident Response Plans
Cyber Security Incident Response Plan Review, Update and Communication
Recovery Plan Specifications
Recovery Plan Implementation and Testing
Recovery Plan Review, Update, and Communication
Configuration Change Management Process
Configuration Monitoring
Vulnerability Assessments
Information Protection Process
BES Cyber Asset Reuse and Disposal
Supply Chain Risk Management Plan
Approval of Supply Chain Management Plan
Physical Security Risk Assessments
CIP-014-2 R5, CIP-014-2 R6
CIS Controls v7.1 mapped to NERC CIP v6
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Mapping grid (CIS sub-controls as rows against NERC CIP v5 requirements as columns): the "X" marks lost their row and column positions in extraction and are not reproduced here. The NERC CIP requirement columns of the grid were:
CIP-002-5 Attachment 1: Incorporates the "Bright Line Criteria" to classify BES Assets as Low, Medium, or High. Called BES Cyber Systems, consolidating CAs and CCAs.
BES Cyber System Lists must be reviewed and approved every 15 calendar months.
Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by CIP Senior Manager every 15 calendar months.
Cyber Security Policies approved for Low Impact Assets by CIP Senior Manager every 15 calendar months.
Identify a CIP Senior Manager and document any change within 30 calendar days of the change.
CIP Senior Manager must document any delegates.
Access Management Program
Access Revocation Program
Electronic Security Perimeters
Interactive Remote Access Management
Physical Security Plan
Visitor Control Plan
Maintenance and Testing Program
Ports and Services
Security Patch Management
Malicious Code Prevention
Security Event Monitoring
System Access Controls
Cyber Security Incident Response Plan
Implementation and Testing of Cyber Security Incident Response Plans
Cyber Security Incident Response Plan Review, Update and Communication
Recovery Plan Specifications
Recovery Plan Implementation and Testing
Recovery Plan Review, Update, and Communication
Configuration Change Management Process
Configuration Monitoring
Vulnerability Assessments
Information Protection Process (CIP-011-2 R1)
BES Cyber Asset Reuse and Disposal (CIP-011-2 R2)
CIS Controls v7.1 mapped to NERC CIP v5
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following the 802.1X standard, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Critical Security Control #4: Controlled Use of Administrative Privileges
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
curity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
curity Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a): mapping grid of CIS Controls v7.1 sub-controls to NERC CIP requirement areas. The grid's X marks lost their row and column positions in extraction; only the column headings are recoverable and are listed here:
CIP-002-5 Attachment 1: "Bright Line Criteria" to classify BES Assets as Low, Medium, or High; called BES Cyber Systems, consolidating CAs and CCAs
Incorporates the BES Cyber System Lists; must be reviewed and approved every 15 calendar months
Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by the CIP Senior Manager every 15 calendar months
Cyber Security Policies approved for Low Impact Assets by the CIP Senior Manager every 15 calendar months
Identify a CIP Senior Manager and document any change within 30 calendar days of the change
CIP Senior Manager must document any delegates
Access Management Program
Access Revocation Program
Electronic Security Perimeters
Interactive Remote Access Management
Physical Security Plan
Visitor Control Plan
Maintenance and Testing Program
Ports and Services
Security Patch Management
Malicious Code Prevention
Security Event Monitoring
System Access Controls
Cyber Security Incident Response Plan
Implementation and testing of Cyber Security Incident Response Plans
Cyber Security Incident Response Plan Review, Update and Communication
Recovery Plan Specifications
Recovery Plan Implementation and Testing
Recovery Plan Review, Update, and Communication
Configuration Change Management Process
Configuration Monitoring
Vulnerability Assessments
Information Protection Process (CIP-011-1 R1)
BES Cyber Asset Reuse and Disposal (CIP-011-1 R2)
CIS Controls v7.1 mapped to NERC CIP v4
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix columns: CIP Senior Manager; Cyber Security Policy; Exceptions to the Cyber Security Policy; Identification]
[Mapping matrix columns: Awareness: Security Awareness Program; Training: Cyber Security Training Program; Personnel Risk Assessment]
[Mapping matrix columns: Electronic Security Perimeters: All CCAs must reside within an ESP; Electronic Access Controls]
[Mapping matrix columns: Monitoring Electronic Access; Cyber Vulnerability Assessment; Documentation Review and Maintenance]
[Mapping matrix columns: Physical Security Plan; Protection of Physical Access Control Systems; Protection of Electronic Access Control Systems]
[Mapping matrix columns: Physical Access Controls; Monitoring Physical Access; Logging Physical Access]
[Mapping matrix columns: Account Management; Security Status Monitoring; Disposal or Redeployment]
[Mapping matrix columns: Cyber Vulnerability Assessment; Documentation Review and Maintenance; Cyber Security Incident Response Plan]
[Mapping matrix columns: Cyber Security Incident Documentation; Recovery Plans; Exercises]
CIS Controls v7.1 mapped to NERC CIP v3
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix columns: Annual Approval of RBAM, CA list, and CCA List; CIP Senior Manager; Cyber Security Policy; Identification]
[Mapping matrix columns: Exceptions to the Cyber Security Policy; Information Protection Program; Access Control]
[Mapping matrix columns: Change Control and Configuration Management; Awareness: Security Awareness Program; Training: Cyber Security Training Program]
Electronic Security
Personnel Risk Perimeters: All CCAs
Access
Assessment must reside within an
ESP
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Electronic Access Monitoring Electronic Cyber Vulnerability
Controls Access Assessment
X
X
X
X
X
X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Documentation Review Protection of Physical
Physical Security Plan
and Maintenance Access Control Systems
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Maintenance and
Logging Physical Access Access Log Retention
Testing
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Malicious Software Security Status
Account Management
Prevention Monitoring
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
Disposal or Cyber Vulnerabiliity Documentation Review
Redeployment Assessment and Maintenance
X
X
X
X
Cyber Security Incident Cyber Security Incident
Recovery Plans
Response Plan Documentation
X X
X X
X X
X X
X X
X X
X X
Exercises Change Control Backup and Restore
X
Testing Back Up Media
CIP-009-3 R5
X
X
X
X
CIS Controls v7.1 mapped to the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v3
Sub-control IDs listed in the sheet (matrix row labels, with the asset type recorded beside each):
Control 1: System 1.2 to 1.8
Control 2: System 2.2 to 2.10
Control 3: System 3.1 to 3.7
Control 4: System 4.2 to 4.9
Control 5 (Secure Configurations for Hardware and Software): System 5.1 to 5.5
Control 6 (Maintenance, Monitoring, and Analysis of Audit Logs): System 6.1 to 6.8
Control 7: System 7.1 to 7.10
Control 8: System 8.2 to 8.8
Control 9: System 9.2 to 9.5
Control 10: System 10.2 to 10.5
Control 11 (Secure Configuration for Network Devices, such as Firewalls, Routers and Switches): Network 11.1 to 11.7
Control 12: Network 12.2 to 12.12
Control 13: Network 13.1 to 13.9
Control 14 (Controlled Access Based on the Need to Know): Application 14.1 to 14.9
Control 15: Network 15.2 to 15.10
Control 16: Application 16.2 to 16.13
Control 17 (Implement a Security Awareness and Training Program): Application 17.1 to 17.9
Control 18: Application 18.2 to 18.11
Control 19: Application 19.2 to 19.8
Control 20 (Penetration Tests and Red Team Exercises): Application 20.1 to 20.8
CIS Controls
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port-level access control, following the IEEE 802.1X standard, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
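What "compare the results from consecutive vulnerability scans" looks like in practice, as an added example (not code from the CIS mapping tool): the script diffs two constructed scan exports, classifies each finding as new, remediated or persisting, and flags persisting findings that have outlived a per-severity remediation deadline. The "host,plugin,severity" export format, the hosts, the first-seen dates and the SLA table are all assumptions for the example; the CVE identifiers are real but placed on fictitious hosts.

```python
"""Diff two consecutive vulnerability scan exports to verify remediation.

Added example for the sub-control above (compare consecutive scans); it is not
code from the CIS mapping tool. The scan exports are constructed samples in a
simplified "host,plugin,severity" form; real scanner output (SCAP/ARF, .nessus)
needs its own parser, and the SLA table is an assumed policy.
"""
from collections import namedtuple
from datetime import date

Finding = namedtuple("Finding", "host plugin severity")

# Assumed remediation deadlines in days, keyed by severity (not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample exports: real CVE identifiers on fictitious hosts.
PREVIOUS_SCAN = """
# host,plugin,severity
10.0.0.5,CVE-2021-44228,critical
10.0.0.5,ssl-weak-cipher,medium
10.0.0.7,CVE-2019-0708,critical
10.0.0.9,http-trace-enabled,low
"""
CURRENT_SCAN = """
10.0.0.5,ssl-weak-cipher,medium
10.0.0.7,CVE-2019-0708,critical
10.0.0.9,http-trace-enabled,low
10.0.0.11,CVE-2020-1472,critical
"""

# Assumed scan-history table: when each open finding was first observed.
FIRST_SEEN = {
    Finding("10.0.0.5", "ssl-weak-cipher", "medium"): date(2023, 1, 10),
    Finding("10.0.0.7", "CVE-2019-0708", "critical"): date(2023, 3, 1),
    Finding("10.0.0.9", "http-trace-enabled", "low"): date(2022, 12, 1),
}
TODAY = date(2023, 3, 20)


def parse_scan(text):
    """Parse 'host,plugin,severity' lines into a set of Finding tuples."""
    findings = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, plugin, severity = (field.strip() for field in line.split(","))
        findings.add(Finding(host, plugin, severity.lower()))
    return findings


def diff_scans(previous, current):
    """Split findings into (new, remediated, persisting) between two scans."""
    return current - previous, previous - current, previous & current


def overdue(persisting, first_seen, today):
    """Persisting findings whose age exceeds the SLA for their severity.

    A finding absent from first_seen is treated as first seen today, so it
    can never be overdue on the scan that introduced it.
    """
    late = []
    for f in persisting:
        age = (today - first_seen.get(f, today)).days
        limit = SLA_DAYS.get(f.severity, SLA_DAYS["low"])
        if age > limit:
            late.append((f, age, limit))
    return sorted(late, key=lambda item: (-item[1], item[0].host))


def report(previous_text=PREVIOUS_SCAN, current_text=CURRENT_SCAN,
           first_seen=FIRST_SEEN, today=TODAY):
    """Build the remediation report a reviewer would look at after each scan."""
    previous, current = parse_scan(previous_text), parse_scan(current_text)
    new, fixed, persisting = diff_scans(previous, current)
    return {
        "new": sorted(new),
        "remediated": sorted(fixed),
        "persisting": sorted(persisting),
        "overdue": overdue(persisting, first_seen, today),
    }


if __name__ == "__main__":
    for section, rows in report().items():
        print(section)
        for row in rows:
            print("   ", row)
```

The useful signal is the "overdue" list, not the raw diff: a finding that merely persists is expected between two weekly scans, but a critical one still open after its deadline is what the sub-control asks you to catch.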
Critical Security Control #4: Controlled Use of Administrative Privileges
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
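The two logging sub-controls above (alert on administrative group membership changes, alert on failed logons to administrative accounts) as detection logic, added here as an example and not taken from the CIS mapping tool. The events are constructed samples shaped like Windows Security log records, where Event IDs 4728/4732/4756 record a member added to a global/local/universal security group, 4729/4733/4757 a member removed, and 4625 a failed logon; the group names, account names, hosts and addresses are assumptions for the example.

```python
"""Raise alerts for administrative group changes and failed admin logons.

Added example for the two logging sub-controls above (not the mapping tool's
code). The events are constructed samples shaped like Windows Security log
records: 4728/4732/4756 add a member to a global/local/universal security
group, 4729/4733/4757 remove one, and 4625 is a failed logon. The group and
account names are assumptions for the example.
"""
import json

# Assumed: groups whose membership grants administrative privilege.
ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}
# Assumed: accounts treated as administrative for failed-logon alerting.
ADMIN_ACCOUNTS = {"administrator", "da-jsmith"}

GROUP_ADD = {4728, 4732, 4756}
GROUP_REMOVE = {4729, 4733, 4757}
FAILED_LOGON = 4625

# Constructed sample log, one JSON record per line (field names follow the
# Windows Security event XML; values are fictitious).
SAMPLE_LOG = """\
{"EventID": 4732, "Computer": "FS01", "SubjectUserName": "jdoe", "TargetUserName": "Administrators", "MemberName": "CN=tmp-svc,OU=Service,DC=corp,DC=local"}
{"EventID": 4728, "Computer": "DC01", "SubjectUserName": "helpdesk1", "TargetUserName": "Marketing", "MemberName": "CN=asmith,OU=Users,DC=corp,DC=local"}
{"EventID": 4625, "Computer": "DC01", "TargetUserName": "da-jsmith", "TargetDomainName": "CORP", "IpAddress": "10.0.0.44", "Status": "0xC000006D"}
{"EventID": 4625, "Computer": "WS22", "TargetUserName": "intern", "TargetDomainName": "CORP", "IpAddress": "10.0.0.50", "Status": "0xC000006D"}
{"EventID": 4757, "Computer": "DC01", "SubjectUserName": "da-jsmith", "TargetUserName": "Enterprise Admins", "MemberName": "CN=old-admin,OU=Admins,DC=corp,DC=local"}
{"EventID": 4624, "Computer": "DC01", "TargetUserName": "da-jsmith", "TargetDomainName": "CORP", "IpAddress": "10.0.0.44"}
"""


def parse_log(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def evaluate(event):
    """Return an alert dict for an event that matches either rule, else None."""
    event_id = event.get("EventID")
    if event_id in GROUP_ADD or event_id in GROUP_REMOVE:
        # For group-membership events the group is TargetUserName and the
        # affected principal is MemberName (a distinguished name).
        group = event.get("TargetUserName", "")
        if group.lower() in ADMIN_GROUPS:
            action = "added to" if event_id in GROUP_ADD else "removed from"
            return {
                "rule": "admin-group-change",
                "severity": "high",
                "host": event.get("Computer"),
                "detail": f"{event.get('MemberName')} {action} {group} by {event.get('SubjectUserName')}",
            }
    if event_id == FAILED_LOGON:
        account = event.get("TargetUserName", "")
        if account.lower() in ADMIN_ACCOUNTS:
            return {
                "rule": "admin-logon-failure",
                "severity": "medium",
                "host": event.get("Computer"),
                "detail": f"failed logon for {event.get('TargetDomainName')}\\{account} "
                          f"from {event.get('IpAddress')} (status {event.get('Status')})",
            }
    return None


def scan(text=SAMPLE_LOG):
    """Run both rules over a log and return the alerts in log order."""
    return [alert for alert in map(evaluate, parse_log(text)) if alert]


if __name__ == "__main__":
    for alert in scan():
        print(alert["severity"].upper(), alert["rule"], alert["host"], alert["detail"])
```

Membership changes to the privileged groups alert on a single event, because there is no legitimate volume of them; failed admin logons are alerted individually here as the sub-control states, though in a SIEM you would normally also correlate them by source address to separate a mistyped password from a password-spraying run.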
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytics tools for log correlation
and analysis.
Critical Security Control #7: Email and Web Browser Protections
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
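A checker for the DMARC, SPF and DKIM sub-control above, added here as an example (not code from the CIS mapping tool): it evaluates a domain's published records for the weaknesses that matter, an SPF record that ends in "+all" or has no "all" term, more than the ten DNS lookups RFC 7208 allows, a missing DKIM key at the expected selector, and a DMARC record that is still at p=none, applies to only part of the mail, or has no reporting address. The DNS data is a constructed sample for a fictitious domain with a placeholder key; a live check would fetch the TXT records for the domain, <selector>._domainkey.<domain> and _dmarc.<domain>.

```python
"""Check a domain's SPF, DKIM and DMARC records against the sub-control above.

Added example (not the CIS mapping tool's code). The records are constructed
samples for a fictitious domain; a live check would fetch the TXT records for
<domain>, <selector>._domainkey.<domain> and _dmarc.<domain> over DNS. The
rules follow RFC 7208 (SPF) and RFC 7489 (DMARC) record syntax.
"""
# Constructed sample DNS data: name -> TXT record strings.
SAMPLE_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test ip4:203.0.113.0/24 ~all"],
    "selector1._domainkey.example.test": ["v=DKIM1; k=rsa; p=ZXhhbXBsZS1rZXk="],  # placeholder key
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test; pct=100"],
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return (lookup_count, all_qualifier); all_qualifier is None if no 'all'."""
    lookups, all_qualifier = 0, None
    for term in record.split()[1:]:          # skip the leading v=spf1
        qualifier = "+"                      # RFC 7208 default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    return lookups, all_qualifier


def parse_tags(record):
    """Parse 'tag=value; tag=value' (DKIM and DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(records, domain, dkim_selectors):
    """Return a list of (code, detail) findings; empty means the control is met."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("spf-missing", f"no v=spf1 record at {domain}"))
    else:
        lookups, qualifier = parse_spf(spf[0])
        if qualifier is None:
            findings.append(("spf-no-all", "record has no terminal 'all' mechanism"))
        elif qualifier == "+":
            findings.append(("spf-pass-all", "'+all' lets any sender pass SPF"))
        if lookups > 10:
            findings.append(("spf-too-many-lookups", f"{lookups} DNS lookups exceed the limit of 10"))
    for selector in dkim_selectors:
        name = f"{selector}._domainkey.{domain}"
        tags = parse_tags(" ".join(records.get(name, [])))
        if not tags.get("p"):                # empty p= is a revoked key
            findings.append(("dkim-missing", f"no usable DKIM key at {name}"))
    dmarc = [r for r in records.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(("dmarc-missing", f"no v=DMARC1 record at _dmarc.{domain}"))
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "none").lower() == "none":
            findings.append(("dmarc-policy-none", "p=none only monitors; move to quarantine, then reject"))
        if int(tags.get("pct", "100")) < 100:
            findings.append(("dmarc-partial", f"policy applies to only pct={tags['pct']} of mail"))
        if "rua" not in tags:
            findings.append(("dmarc-no-reporting", "no rua= address, so failures are never reported"))
    return findings


if __name__ == "__main__":
    for code, detail in assess(SAMPLE_RECORDS, "example.test", ["selector1"]):
        print(code, "-", detail)
```

The sample domain has SPF and DKIM in place but DMARC at p=none, which is the usual state after "starting by implementing SPF and DKIM": the checker reports exactly that one gap, and reports nothing once the policy is raised to p=reject.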
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
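The automated port-scan comparison described above, as an added example (not code from the CIS mapping tool): it parses nmap's grepable (-oG) output, keeps only ports reported as open, and checks each host against the inventory of listeners with a validated business need, flagging both unexpected ports on known hosts and hosts that have no inventory entry at all. The scan text is a constructed sample in the real -oG layout on fictitious hosts, and the inventory is an assumption for the example; a real run would pipe `nmap -sS -oG - <targets>` into it.

```python
"""Compare an nmap grepable (-oG) scan with the approved-port inventory.

Added example for the port-control sub-controls above (not code from the CIS
mapping tool). The scan text is a constructed sample in nmap's -oG format and
the per-host inventory of approved listeners is an assumption; a real run
would feed `nmap -sS -oG - <targets>` output into compare_with_inventory().
"""
import re

# Assumed inventory: host -> set of "port/proto" with a validated business need.
APPROVED_PORTS = {
    "10.0.0.5": {"22/tcp", "443/tcp"},
    "10.0.0.7": {"22/tcp", "3306/tcp"},
}

# Constructed sample scan (fictitious hosts, real -oG layout).
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated Mon Mar 20 10:00:00 2023 as: nmap -sS -oG - 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 23/filtered/tcp//telnet///\tIgnored State: closed (997)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done at Mon Mar 20 10:00:12 2023 -- 3 IP addresses (3 hosts up) scanned in 12.01 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+)")


def parse_gnmap(text):
    """Return {host: set("port/proto")} for ports nmap reported as open.

    Each -oG port entry is port/state/protocol/owner/service/rpcinfo/version;
    only the first three fields matter here. Filtered and closed ports are
    dropped, since only a listening service needs a business justification.
    """
    open_ports = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match or "\tPorts: " not in line:
            continue
        host = match.group(1)
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                open_ports.setdefault(host, set()).add(f"{port}/{proto}")
    return open_ports


def compare_with_inventory(scan_text=SAMPLE_GNMAP, approved=APPROVED_PORTS):
    """Flag open listeners that the inventory does not authorise.

    Returns a sorted list of (host, kind, ports): kind is "unknown-host" when
    the host has no inventory entry at all, otherwise "unauthorized-port".
    """
    alerts = []
    for host, open_ports in parse_gnmap(scan_text).items():
        if host not in approved:
            alerts.append((host, "unknown-host", sorted(open_ports)))
            continue
        unexpected = open_ports - approved[host]
        if unexpected:
            alerts.append((host, "unauthorized-port", sorted(unexpected)))
    return sorted(alerts)


if __name__ == "__main__":
    for host, kind, ports in compare_with_inventory():
        print(f"{host}: {kind}: {', '.join(ports)}")
```

A host that answers the scan but is absent from the inventory is the more serious of the two findings, because it fails Control 1 as well as Control 9; treating it separately keeps it from being buried among ordinary port drift.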
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[CSA CCM v3 mapping matrix: the per-control marks in this sheet did not survive extraction; only the column headings are recoverable. By CCM domain, in sheet order:
Application & Interface Security: Data Security / Integrity.
Audit Assurance & Compliance: Audit Planning; Independent Audits; Information System Regulatory Mapping.
Business Continuity Management & Operational Resilience: Business Continuity Planning; Business Continuity Testing.
Change Control & Configuration Management: Quality Testing; Unauthorized Software Installations; Production Changes.
Data Security & Information Lifecycle Management: Classification; Data Inventory / Flows; eCommerce Transactions; Handling / Labeling / Security Policy; Information Leakage; Non-Production Data; Ownership / Stewardship; Secure Disposal.
Datacenter Security: Asset Management; Controlled Access Points; Equipment Identification; Off-Site Authorization.
Encryption & Key Management: Key Generation; Sensitive Data Protection; Storage and Access.
Governance and Risk Management: Baseline Requirements; Data Focus Risk Assessments; Management Oversight.
Identity & Access Management: Audit Tools Access; Credential Lifecycle / Provision Management; Diagnostic / Configuration Ports Access; Policies and Procedures; Segregation of Duties; Source Code Access Restriction; User Access Reviews; User Access Revocation; User ID Credentials; Utility Programs Access.
Infrastructure & Virtualization Security: Audit Logging / Intrusion Detection; Change Detection; Clock Synchronization; Information System Documentation; Vulnerability Management; Network Security; OS Hardening and Base Controls; Production / Non-Production Environments; Segmentation; VM Security - vMotion Data Protection; VMM Security - Hypervisor Hardening; Wireless Security.
Interoperability & Portability: APIs; Data Request; Policy & Legal; Standardized Network Protocols; Virtualization.
Mobile Security: Approved Software for BYOD; Awareness and Training; Cloud Based Services; Compatibility; Device Eligibility; Device Inventory; Device Management; Encryption; Jailbreaking and Rooting; Legal; Lockout Screen; Operating Systems; Passwords; Policy; Remote Wipe; Security Patches; Users.
Security Incident Management, E-Discovery & Cloud Forensics: Contact / Authority Maintenance; Incident Management; Incident Reporting; Incident Response Legal Preparation.]
Security Incident Supply Chain Supply Chain
Management, E- Management, Management,
Discovery & Cloud Transparency and Transparency and
Forensics - Incident Accountability - Data Accountability -
Response Metrics Quality and Integrity Incident Reporting
X
Supply Chain Supply Chain
Supply Chain
Management, Management, Management,
Transparency and Transparency and
Transparency and
Accountability - Accountability - Accountability - Supply
Network / Provider Internal Chain Agreements
Infrastructure Services Assessments
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Threat and Vulnerbility
Management - Mobile
Code
TVM-03
X
X
X
X
X
X
CIS Controls v7.1 mapped to the Amazon Web Services – OCIE Cybersecurity Audit Guide (Oct 2015)
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Mapping matrix columns 1 to 9 (only the column headings survived extraction; the X marks could not be tied to their CIS Controls rows):
Security Logging and Monitoring
Logical Access Control
Data Encryption
Security Incident Response
Disaster Recovery
Inherited Controls
CIS Controls v7.1 mapped to the FY15 CIO Annual FISMA Metrics
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a) mapping matrix for the FY15 CIO Annual FISMA Metrics, columns 1-9 (the per-row X marks are not recoverable from the extracted text). Column headings recovered: columns 4-6 Anti-Phishing and Malware Defense, Data Protection, Network Defense; columns 7-9 Boundary Protection, Training and Education, Incident Response; headings for columns 1-3 are not present in the extracted text.
CIS Controls v7.1 mapped to ITIL 2011 KPIs
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
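Comparing consecutive scans is only useful if "finding disappeared" is not confused with "host was not scanned". The following Python is an added example, not part of the CIS text or of this mapping tool; the scan exports, the host and CVE identifiers, and the per-severity SLA table are all constructed for illustration, and the export shape (host, id, severity, first_seen) is an assumed normalisation of whatever your scanner emits.

```python
"""Compare two consecutive vulnerability-scan exports: what was remediated,
what is new, what persists, and which persisting findings have exceeded
their remediation SLA (CIS sub-control 3.7). Added example with constructed data."""
from datetime import date

# Constructed sample exports (not real scanner output). Each finding is
# identified by host + vulnerability ID so it can be matched across scans;
# hosts_scanned lets us tell "fixed" apart from "host not scanned this time".
PREVIOUS_SCAN = {
    "scan_date": date(2024, 3, 4),
    "hosts_scanned": {"10.0.1.10", "10.0.1.11", "10.0.1.13"},
    "findings": [
        {"host": "10.0.1.10", "id": "CVE-2024-0001", "severity": "critical", "first_seen": date(2024, 2, 5)},
        {"host": "10.0.1.10", "id": "CVE-2024-0002", "severity": "high",     "first_seen": date(2024, 2, 26)},
        {"host": "10.0.1.11", "id": "CVE-2023-9999", "severity": "medium",   "first_seen": date(2024, 1, 8)},
        {"host": "10.0.1.13", "id": "CVE-2024-0004", "severity": "high",     "first_seen": date(2024, 3, 4)},
    ],
}
CURRENT_SCAN = {
    "scan_date": date(2024, 3, 11),
    "hosts_scanned": {"10.0.1.10", "10.0.1.11", "10.0.1.12"},   # 10.0.1.13 was offline this week
    "findings": [
        {"host": "10.0.1.10", "id": "CVE-2024-0001", "severity": "critical", "first_seen": date(2024, 2, 5)},
        {"host": "10.0.1.11", "id": "CVE-2023-9999", "severity": "medium",   "first_seen": date(2024, 1, 8)},
        {"host": "10.0.1.12", "id": "CVE-2024-0003", "severity": "high",     "first_seen": date(2024, 3, 11)},
    ],
}

# Hypothetical remediation SLA (days from first detection) per severity; set to your policy.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


def _key(finding):
    return (finding["host"], finding["id"])


def compare_scans(previous, current, sla_days=SLA_DAYS):
    """Return remediated/unverified/new/persisting finding keys and SLA breaches."""
    prev = {_key(f): f for f in previous["findings"]}
    curr = {_key(f): f for f in current["findings"]}
    remediated, unverified = [], []
    for key, f in prev.items():
        if key in curr:
            continue
        # A finding that vanished because its host was not scanned is not fixed.
        (remediated if f["host"] in current["hosts_scanned"] else unverified).append(key)
    new = [k for k in curr if k not in prev]
    persisting = [k for k in curr if k in prev]
    breaches = []
    for key in persisting:
        f = curr[key]
        # Age from the earliest first_seen we know of; some scanners reset it on rescan.
        first_seen = min(prev[key]["first_seen"], f["first_seen"])
        age = (current["scan_date"] - first_seen).days
        # Unknown severities get a 0-day SLA so they surface rather than hide.
        if age > sla_days.get(f["severity"], 0):
            breaches.append({"host": f["host"], "id": f["id"], "severity": f["severity"], "age_days": age})
    return {"remediated": sorted(remediated), "unverified": sorted(unverified), "new": sorted(new),
            "persisting": sorted(persisting), "sla_breaches": breaches}


if __name__ == "__main__":
    for section, items in compare_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{section}: {items}")
```

The "unverified" bucket is the check most home-grown scan diffs miss: a host that was powered off on scan day looks remediated in a naive set difference. Feeding the `sla_breaches` list to a ticketing system, rather than the raw scan, is what makes "timely manner" measurable.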
Critical Security Control #4: Controlled Use of Administrative Privileges
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
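The two logging requirements above are easy to state and easy to get wrong in a SIEM rule (a change to a non-privileged group is noise; a failed login to a service account that happens to be an admin is not). The Python below is an added example, not part of the CIS text or this mapping tool: it parses syslog-style auth log lines in the shape written by shadow-utils (usermod, gpasswd) and OpenSSH, and emits alerts only for the administrative groups and accounts listed. The log lines are constructed, the hostnames and addresses are illustrative, and the ADMIN_GROUPS / ADMIN_ACCOUNTS sets are assumptions to replace with your own inventory.

```python
"""Flag administrative-group membership changes and failed logins to
administrative accounts in auth-log lines (CIS sub-controls 4.8 and 4.9).
Added example; sample lines are constructed, not captured from a host."""
import re
from collections import Counter

# Assumed: groups that confer administrative rights and accounts that are admins.
ADMIN_GROUPS = {"sudo", "wheel", "adm", "root"}
ADMIN_ACCOUNTS = {"root", "ops-admin"}

# Constructed sample of /var/log/auth.log content (syslog format).
SAMPLE_LOG = """\
Mar 11 09:12:01 web01 usermod[2231]: add 'bob' to group 'sudo'
Mar 11 09:12:01 web01 usermod[2231]: add 'bob' to shadow group 'sudo'
Mar 11 09:15:42 web01 gpasswd[2290]: user alice removed by root from group wheel
Mar 11 09:20:07 web01 usermod[2310]: add 'carol' to group 'developers'
Mar 11 09:31:55 web01 sshd[2400]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 11 09:32:10 web01 sshd[2401]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2
Mar 11 09:33:00 web01 sshd[2402]: Accepted publickey for ops-admin from 10.0.0.5 port 40000 ssh2
Mar 11 09:34:12 web01 sshd[2403]: Failed password for ops-admin from 198.51.100.9 port 40100 ssh2
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
# "to shadow group" lines are deliberately not matched: they duplicate the "to group" event.
GROUP_ADD = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
GROUP_REMOVE = re.compile(r"user (?P<user>\S+) removed by \S+ from group (?P<group>\S+)")
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def detect(log_text):
    """Return alert tuples: (timestamp, host, alert_type, user, group_or_source)."""
    alerts = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # not a syslog line we understand; a real pipeline would count these
        ts, host, msg = m["ts"], m["host"], m["msg"]
        if (a := GROUP_ADD.search(msg)) and a["group"] in ADMIN_GROUPS:
            alerts.append((ts, host, "admin_group_add", a["user"], a["group"]))
        elif (r := GROUP_REMOVE.search(msg)) and r["group"] in ADMIN_GROUPS:
            alerts.append((ts, host, "admin_group_remove", r["user"], r["group"]))
        elif (f := FAILED_LOGIN.search(msg)) and f["user"] in ADMIN_ACCOUNTS:
            alerts.append((ts, host, "admin_login_failure", f["user"], f["src"]))
    return alerts


def failed_login_counts(alerts):
    """Count admin login failures per (account, source address) for threshold alerting."""
    return dict(Counter((a[3], a[4]) for a in alerts if a[2] == "admin_login_failure"))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(failed_login_counts(found))
```

Group changes are worth alerting on individually (they are rare and high-impact); failed admin logins are better thresholded per source, which is what `failed_login_counts` feeds. On Windows the equivalent signal is Security events 4728/4732/4756 (member added), 4729/4733/4757 (member removed) and 4625 (failed logon), filtered the same way against a list of privileged groups and accounts.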
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Critical Security Control #7: Email and Web Browser Protections
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
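What "implement DMARC, starting with SPF and DKIM" means in practice is a pair of DNS TXT records whose tags decide whether spoofed mail is rejected or merely reported. The Python below is an added example, not part of the CIS text or this mapping tool: it parses an SPF record and a DMARC record and reports the settings that leave a domain spoofable. The record strings are constructed for the hypothetical domain example.test; in use you would read the TXT record of the domain and of _dmarc.<domain>. DKIM is published per selector and verified per message, so it is not assessed here.

```python
"""Assess SPF and DMARC TXT records for weak settings (CIS sub-control 7.8).
Added example with constructed records for the hypothetical domain example.test."""

SPF_WEAK = "v=spf1 include:_spf.mail.example.test ip4:198.51.100.0/24 ?all"
SPF_STRONG = "v=spf1 include:_spf.mail.example.test ip4:198.51.100.0/24 -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}


def parse_spf(record):
    """Return (mechanisms, modifiers); mechanisms are (qualifier, mechanism) pairs."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:  # modifier, e.g. redirect=_spf.example.test or exp=...
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
        else:
            qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" is the default qualifier
            mechanisms.append((qualifier, term.lstrip("+-~?").lower()))
    return mechanisms, modifiers


def assess_spf(record):
    mechs, mods = parse_spf(record)
    findings = []
    lookups = sum(1 for _, m in mechs if m.split(":")[0].split("/")[0] in LOOKUP_MECHS)
    lookups += 1 if "redirect" in mods else 0
    if lookups > 10:
        findings.append("more than 10 DNS-lookup terms: receivers return permerror, not pass")
    catch_all = [q for q, m in mechs if m == "all"]
    if not catch_all and "redirect" not in mods:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif catch_all and catch_all[-1] in ("+", "?"):
        findings.append(f"'{catch_all[-1]}all' does not restrict senders; use -all (or ~all during rollout)")
    if any(m.split(":")[0] == "ptr" for _, m in mechs):
        findings.append("ptr mechanism is deprecated; replace with ip4/ip6 or include")
    return findings


def parse_dmarc(record):
    """Return DMARC tags as a dict; raises if the record is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(record):
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for label, rec, fn in (("SPF weak", SPF_WEAK, assess_spf), ("SPF strong", SPF_STRONG, assess_spf),
                           ("DMARC weak", DMARC_WEAK, assess_dmarc), ("DMARC strong", DMARC_STRONG, assess_dmarc)):
        print(label, fn(rec) or ["ok"])
```

The rollout order the control describes maps onto these findings: publish SPF with `~all`, publish DKIM and collect `rua=` reports under `p=none`, then move to `p=quarantine` and `p=reject` at `pct=100` once the reports show all legitimate senders aligned. Leaving `p=none` in place permanently is the most common way a domain "has DMARC" and is still spoofable.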
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Critical Security Control #9: Limitation and Control of Network Ports
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
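A baseline comparison that alerts on deviations needs a baseline expressed as rules rather than as a golden file, because per-device values (hostnames, addresses) legitimately differ. The Python below is an added example, not part of the CIS text or this mapping tool: it checks an IOS-style running configuration against a rule set of required and forbidden line patterns. The running-config excerpt is constructed, the device class name "edge-router" and the rule format are assumptions, and the rule set is a small illustration, not a complete hardening standard.

```python
"""Check a running configuration against an approved baseline and report
deviations (CIS sub-controls 11.1 and 11.3). Added example with constructed
IOS-style config text and a hypothetical required/forbidden rule format."""
import re

# Approved baseline for the hypothetical device class "edge-router".
# required: each regex must match at least one config line.
# forbidden: no config line may match any of these regexes.
BASELINE = {
    "required": [
        r"^service password-encryption$",
        r"^no ip http server$",
        r"^ip ssh version 2$",
        r"^logging host \S+",
        r"^ntp server \S+",
        r"^line vty 0 \d+$",
        r"^\s+transport input ssh$",
        r"^aaa new-model$",
    ],
    "forbidden": [
        r"^ip http server$",
        r"^snmp-server community \S+ RW",      # writable SNMP community
        r"^\s+transport input (telnet|all)",   # clear-text management
        r"^enable password ",                  # type 7 is reversible; use 'enable secret'
    ],
}

# Constructed running-config excerpt (not from a real device).
RUNNING_CONFIG = """\
!
hostname edge-rtr-01
service password-encryption
enable password 7 0822455D0A16
aaa new-model
ip http server
ip ssh version 2
snmp-server community public RO
snmp-server community admin RW
logging host 10.0.9.20
!
line vty 0 4
 transport input telnet ssh
!
"""


def _config_lines(config_text):
    """Drop blank lines and '!' separators; keep leading indent (it is significant)."""
    return [ln.rstrip() for ln in config_text.splitlines() if ln.strip() and not ln.startswith("!")]


def check_config(config_text, baseline=BASELINE):
    """Return {'missing': [required patterns with no match], 'forbidden': [offending lines]}."""
    lines = _config_lines(config_text)
    missing = [pat for pat in baseline["required"] if not any(re.search(pat, ln) for ln in lines)]
    forbidden = [ln for ln in lines if any(re.search(pat, ln) for pat in baseline["forbidden"])]
    return {"missing": missing, "forbidden": forbidden}


if __name__ == "__main__":
    result = check_config(RUNNING_CONFIG)
    for pat in result["missing"]:
        print("MISSING  ", pat)
    for ln in result["forbidden"]:
        print("FORBIDDEN", ln)
```

Run on a schedule against each device's exported running-config, a non-empty result is the "alert when any deviations are discovered" event. Note that the `^` anchors matter: `ip http server` and `no ip http server` are different lines, and the indented `transport input` line must be matched under its `line vty` stanza, which is why the indent is preserved.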
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Management).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping grid (cell marks omitted): CIS Controls v7.1 mapped to service management processes. Columns: Service Portfolio Management, Business Relationship Management, Financial Management for IT Services, Strategy Management, Change Management, Project Management, Release and Deployment Management, Problem Management, Service Review, Process Evaluation, KPI 19.]
CIS Controls v7.1 mapped to the State of Nevada Gaming Control Board
Minimum Internal Control Standards (MICS) v7 2015
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports, Protocols, and Services
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database-specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping matrix not recoverable from extraction: the "X" marks indicating which CIS sub-control maps to which column survived only as unaligned cells. Recoverable column headings (columns 1-15): Routers and Switches; Service & Generic User Accounts; Default Accounts; Backups; Electronic Storage of Documentation; Recordkeeping; Creation of Wagering Instruments Database; Network Security and Remote Access; Data Protection; Changes to Production Environment; Information Technology Department; In-House Software Development; Purchased Software Programs.]
CIS Controls v7.1 mapped to Commonwealth of Massachusetts 201 CMR 17.00
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Critical Security Control #1: Inventory and Control of Hardware Assets
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory and Control of Software Assets
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Management
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Critical Security Control #4: Controlled Use of Administrative Privileges
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Critical Security Control #7: Email and Web Browser Protections
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Critical Security Control #9: Limitation and Control of Network Ports, Protocols, and Services
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
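Sub-controls 16.7 and 16.8 above come down to one recurring reconciliation: every enabled account must map either to a person the HR system still considers employed, or to a documented business owner. The script below is an added example, not text or code from the CIS mapping document. The HR roster, service-account register and directory export are constructed inline and their field layout is this example's own assumption; in practice each would be pulled from the HR feed, the CMDB and the directory respectively.

```python
"""Reconcile directory accounts against the HR roster and the service-account
owner register (CIS 16.7, 16.8). Added example with constructed data.
"""
from datetime import date

# Constructed HR feed: username -> (employment status, termination date or None).
HR_ROSTER = {
    "asmith": ("active", None),
    "bjones": ("terminated", date(2024, 2, 28)),
    "cwu": ("active", None),
    "dlee": ("terminated", date(2024, 12, 31)),  # leaving later; access stays until then
}

# Constructed register of non-human accounts: username -> business owner (16.8).
# An empty owner means nobody has claimed responsibility for the account.
SERVICE_OWNERS = {
    "svc-backup": "Infrastructure Operations",
    "svc-legacy-etl": "",
}

# Constructed directory export: username -> account enabled?
DIRECTORY = {
    "asmith": True, "bjones": True, "cwu": False, "dlee": True,
    "svc-backup": True, "svc-legacy-etl": True, "tmp-contractor7": True,
}


def reconcile(directory: dict[str, bool], hr: dict, owners: dict[str, str],
              today: date) -> dict[str, list[str]]:
    """Return the accounts to disable, grouped by the sub-control that requires it.

    Accounts are disabled, never deleted, so the SID/UID and its audit trail survive
    (16.7). A termination dated in the future is a scheduled leaver and is left alone.
    """
    actions: dict[str, list[str]] = {"disable_terminated": [], "disable_unowned": [], "ok": []}
    for user, enabled in sorted(directory.items()):
        if user in hr:
            status, term = hr[user]
            if enabled and status == "terminated" and term is not None and term <= today:
                actions["disable_terminated"].append(user)
            else:
                actions["ok"].append(user)
        elif owners.get(user):
            actions["ok"].append(user)          # service account with a named owner
        elif enabled:
            actions["disable_unowned"].append(user)  # 16.8: no person, no owner -> disable
        else:
            actions["ok"].append(user)          # already disabled, nothing to do
    return actions


if __name__ == "__main__":
    for bucket, users in reconcile(DIRECTORY, HR_ROSTER, SERVICE_OWNERS, date(2024, 3, 5)).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Run it from the job that ingests the daily HR feed; the two "disable" buckets are the work queue, and anything that stays in them across runs is a process failure worth its own ticket.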
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
Mapping matrix (columns IV, IV-a and IV-b). Only the column headings survived extraction; the "X"
marks that tie individual sub-controls to these columns could not be recovered. Column headings, in
order:
DSC is responsible for testing the WISP
DSC is responsible for evaluating third parties
DSC is responsible for reviewing security measures
Internal Threats - Employment Contract Provisions
Internal Threats - Limit Data Collected
Internal Threats - Access Based on Need to Know
Internal Threats - Block Unauthorized Access to Data
Internal Threats - Annual Security Measure Review
Internal Threats - Employee Termination Procedures (Return of Data)
Internal Threats - Employee Termination Procedures (Access Revoked)
Internal Threats - Passwords Changed Regularly
Internal Threats - Access Provided to Active Users Only
Internal Threats - Reporting Suspicious Behavior
Internal Threats - Incident Handling
Internal Threats - Do Not Leave Data Unattended
Internal Threats - Close Data at Conclusion of Work Day
Internal Threats - Restrict Physical Access to Data
Internal Threats - Unique User IDs Required
Internal Threats - Restrict Visitor Physical Access
Internal Threats - Disposal of Media
External Threats - Firewall and OS Patches
External Threats - Endpoint Protection
External Threats - Encryption of sensitive data
External Threats - Monitoring
External Threats - Authentication (VI-05)
CIS Controls v7.1 mapped to New York State Department of Financial Services 23 NYCRR 500
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
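The two sub-controls above describe detections rather than configuration, so the useful thing to show is the matching logic run over real-shaped log data. The script below is an added example, not text or code from the CIS mapping document. The events are constructed newline-delimited JSON in the shape a log forwarder typically emits; the field names (`group`, `member`, `subject`, `target`, `src_ip`) are this example's assumption, not a vendor schema. The event IDs are the standard Windows Security ones: 4728/4732/4756 for a member added to a security-enabled global/local/universal group, 4729/4733/4757 for a member removed, and 4625 for a failed logon. The admin group and admin account lists are hypothetical stand-ins for what sub-control 4.1 inventories.

```python
"""Alert on administrative-group membership changes (CIS 4.8) and on failed
logons to administrative accounts (CIS 4.9) from Windows Security events.
Added example with constructed input.
"""
import json

ADD_EVENTS = {4728, 4732, 4756}      # member added to global / local / universal group
REMOVE_EVENTS = {4729, 4733, 4757}   # member removed from global / local / universal group
FAILED_LOGON = 4625

# Hypothetical: groups that confer administrative privilege in this estate.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
# Hypothetical: accounts the privilege inventory (4.1) marks as administrative.
ADMIN_ACCOUNTS = {"svc-backup-adm", "jdoe-adm"}

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = """\
{"ts": "2024-03-05T03:10:01Z", "event_id": 4732, "host": "WS-0412", "subject": "jdoe-adm", "group": "Administrators", "member": "helpdesk1"}
{"ts": "2024-03-05T03:10:07Z", "event_id": 4728, "host": "DC01", "subject": "hrsync", "group": "Sales-Reports", "member": "asmith"}
{"ts": "2024-03-05T03:11:30Z", "event_id": 4625, "host": "DC01", "target": "jdoe-adm", "src_ip": "10.0.7.55"}
{"ts": "2024-03-05T03:11:31Z", "event_id": 4625, "host": "DC01", "target": "asmith", "src_ip": "10.0.7.55"}
{"ts": "2024-03-05T03:12:44Z", "event_id": 4756, "host": "DC01", "subject": "jdoe-adm", "group": "Enterprise Admins", "member": "svc-backup-adm"}
{"ts": "2024-03-05T03:15:02Z", "event_id": 4733, "host": "WS-0412", "subject": "jdoe-adm", "group": "Administrators", "member": "helpdesk1"}
"""


def analyze(ndjson: str) -> list[dict]:
    """Return one alert record per event that 4.8 or 4.9 requires an alert for.

    Group changes to non-admin groups and failed logons to ordinary accounts are
    deliberately left out: they are still logged, but they are not the alert stream.
    """
    alerts: list[dict] = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev["event_id"]
        if eid in ADD_EVENTS | REMOVE_EVENTS and ev["group"] in ADMIN_GROUPS:
            alerts.append({
                "rule": "admin-group-change",
                "action": "added" if eid in ADD_EVENTS else "removed",
                "member": ev["member"], "group": ev["group"],
                "by": ev["subject"], "host": ev["host"], "ts": ev["ts"],
            })
        elif eid == FAILED_LOGON and ev["target"] in ADMIN_ACCOUNTS:
            alerts.append({
                "rule": "admin-failed-logon",
                "account": ev["target"], "src_ip": ev["src_ip"],
                "host": ev["host"], "ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(json.dumps(a))
```

Two caveats a practitioner will hit. First, these events only exist if the Security Group Management and Logon audit subcategories are enabled on every host, including workstations, since local Administrators changes are logged on the machine where they happen. Second, a domain logon that fails at the KDC is recorded on the domain controller as 4771 (Kerberos pre-authentication failure) or 4776 (NTLM credential validation), not 4625; a detection that only watches 4625 on the DCs will miss most password-guessing against domain admin accounts.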
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
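Publishing SPF, DKIM and DMARC records is only half of the sub-control above; the records also have to enforce something, and a `p=none` DMARC policy or an SPF record ending in `~all` does not. The checker below is an added example, not text or code from the CIS mapping document. The TXT records are constructed and served from an inline dictionary so the script runs offline; `lookup_txt` is a stand-in for a real DNS query, and the DKIM selector name `mail` is an assumption (selectors are chosen by the sender).

```python
"""Assess whether a domain's SPF, DKIM and DMARC records actually enforce
(CIS 7.8). Added example; records are constructed, DNS lookup is stubbed.
"""

# Constructed TXT records for two hypothetical domains (not real DNS data).
DNS_TXT = {
    "example-strong.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test -all"],
    "_dmarc.example-strong.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-strong.test; pct=100"],
    "mail._domainkey.example-strong.test": ["v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"],
    "example-weak.test": ["v=spf1 include:_spf.mailer.test ~all", "site-verification=abc123"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test"],
}


def lookup_txt(name: str) -> list[str]:
    """Stand-in for a DNS TXT query; swap in a real resolver for live use."""
    return DNS_TXT.get(name.lower(), [])


def parse_tags(record: str) -> dict[str, str]:
    """'v=DMARC1; p=reject' -> {'v': 'DMARC1', 'p': 'reject'}; same syntax as DKIM."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess(domain: str, dkim_selector: str = "mail") -> dict:
    """Summarise the three records and list every weakness found (empty = good)."""
    r: dict = {"spf": "missing", "dkim": "missing", "dmarc": "missing", "issues": []}

    spf = [t for t in lookup_txt(domain) if t.lower().startswith("v=spf1")]
    if not spf:
        r["issues"].append("no SPF record")
    else:
        if len(spf) > 1:
            r["issues"].append("more than one SPF record; receivers treat this as a permanent error")
        last = spf[0].split()[-1].lower()   # the terminal 'all' mechanism decides unlisted senders
        r["spf"] = last
        if last == "~all":
            r["issues"].append("SPF ends in ~all (softfail): spoofed mail is marked, not rejected")
        elif last != "-all":
            r["issues"].append("SPF does not end in -all: mail from unlisted senders is not failed")

    dkim = [t for t in lookup_txt(f"{dkim_selector}._domainkey.{domain}") if "p=" in t]
    if dkim and parse_tags(dkim[0]).get("p"):     # empty p= means the key was revoked
        r["dkim"] = "present"
    else:
        r["issues"].append(f"no DKIM public key at selector {dkim_selector!r}")

    dmarc = [t for t in lookup_txt(f"_dmarc.{domain}") if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        r["issues"].append("no DMARC record: SPF/DKIM results are never enforced")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "none").lower()
        r["dmarc"] = policy
        if policy == "none":
            r["issues"].append("DMARC p=none: reports only, spoofed mail is still delivered")
        if tags.get("pct", "100") != "100":
            r["issues"].append(f"DMARC applies to only {tags['pct']}% of mail")
        if "rua" not in tags:
            r["issues"].append("no rua= address: nobody receives aggregate reports")
    return r


if __name__ == "__main__":
    for d in ("example-strong.test", "example-weak.test"):
        print(d, assess(d))
```

The sub-control's "starting by implementing SPF and DKIM" is the right order: move DMARC from `p=none` to `p=quarantine` and then `p=reject` only after the aggregate reports show that every legitimate sending source passes SPF or DKIM, otherwise the policy will reject your own mail first.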
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
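Sub-controls 9.1 to 9.3 (listed here and, identically, in the earlier copy of Control 9 on this page) chain together: the inventory records which ports each asset is approved to expose, the scan finds what is actually open, and the alert is the difference. The script below is an added example, not text or code from the CIS mapping document. The scan output is constructed text in nmap's greppable (`-oG`) format, and `AUTHORIZED_PORTS` is a hypothetical stand-in for the per-asset port list that sub-control 9.1 says the hardware inventory should hold.

```python
"""Diff an automated port scan against the authorized-ports inventory and
emit alerts for anything unexpected (CIS 9.1-9.3). Added example; the scan
text is constructed, not a real scan.
"""
import re

# Constructed nmap -oG output for three hosts.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG - 10.0.5.0/29
Host: 10.0.5.10 ()\tStatus: Up
Host: 10.0.5.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (65533)
Host: 10.0.5.11 ()\tStatus: Up
Host: 10.0.5.11 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65532)
Host: 10.0.5.12 ()\tStatus: Up
Host: 10.0.5.12 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (65534)
# Nmap done -- 8 IP addresses (3 hosts up) scanned
"""

# Hypothetical inventory (9.1): approved listening ports per asset.
# A host absent from the inventory has no approved ports, so everything it
# exposes is an alert; that also catches unknown devices on the scanned range.
AUTHORIZED_PORTS: dict[str, set[tuple[str, int]]] = {
    "10.0.5.10": {("tcp", 22), ("tcp", 443)},
    "10.0.5.11": {("tcp", 22), ("tcp", 3306)},
}

PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def parse_open_ports(grepable: str) -> dict[str, set[tuple[str, int]]]:
    """Return {ip: {(proto, port), ...}} for every open port in nmap -oG text."""
    found: dict[str, set[tuple[str, int]]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports = found.setdefault(ip, set())
        for port, proto in PORT_RE.findall(line):
            ports.add((proto, int(port)))
    return found


def find_unauthorized(scan: dict[str, set[tuple[str, int]]],
                      inventory: dict[str, set[tuple[str, int]]]) -> dict[str, set[tuple[str, int]]]:
    """Open ports not approved for that host; an empty dict means the estate is clean."""
    deviations = {}
    for ip, open_ports in scan.items():
        extra = open_ports - inventory.get(ip, set())
        if extra:
            deviations[ip] = extra
    return deviations


def alert_lines(deviations: dict[str, set[tuple[str, int]]]) -> list[str]:
    """One line per host, deterministic ordering so repeated runs diff cleanly."""
    return [
        f"ALERT {ip}: unauthorized {', '.join(f'{port}/{proto}' for proto, port in sorted(ports))}"
        for ip, ports in sorted(deviations.items())
    ]


if __name__ == "__main__":
    scan = parse_open_ports(SCAN_OUTPUT)
    for line in alert_lines(find_unauthorized(scan, AUTHORIZED_PORTS)):
        print(line)
```

The scanner's `-p-` (all 65535 TCP ports) matters: a default scan covers the top 1000 ports and will miss a backdoor or a debug listener on a high port. UDP needs a separate `-sU` pass and is slow, so most teams run it less often but still against the full inventory.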
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
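Sub-controls 11.1 and 11.3 (here and in the earlier copy of Control 11; the same technique serves 5.5 for host configurations) amount to a normalised diff between the approved standard and the running configuration. The script below is an added example, not text or code from the CIS mapping document. Both configurations are constructed IOS-style snippets, and the list of volatile lines to ignore is this example's own choice; a real deployment would pull the running config over the out-of-band management path described in sub-control 11.7.

```python
"""Detect drift between an approved network-device baseline and the running
configuration (CIS 11.1, 11.3). Added example with constructed configs.
"""
import re

APPROVED_BASELINE = """\
! Approved baseline for edge-fw-01 (constructed)
hostname edge-fw-01
no ip http server
ip ssh version 2
ntp server 10.0.0.5
ntp server 10.0.0.6
ntp server 10.0.0.7
logging host 10.0.0.20
aaa new-model
line vty 0 4
 transport input ssh
ip access-list extended MGMT-IN
 permit tcp 10.0.100.0 0.0.0.255 any eq 22
 deny ip any any log
"""

RUNNING_CONFIG = """\
! Last configuration change at 03:12:41 UTC Tue Mar 5 2024 by admin
hostname edge-fw-01
ip http server
ip ssh version 2
ntp server 10.0.0.5
ntp server 10.0.0.6
ntp server 10.0.0.7
logging host 10.0.0.20
aaa new-model
line vty 0 4
 transport input ssh telnet
ip access-list extended MGMT-IN
 permit tcp 10.0.100.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
 deny ip any any log
"""

# Lines that legitimately differ between a baseline file and a live device.
VOLATILE = [
    re.compile(r"^!"),                              # comment / change-stamp lines
    re.compile(r"^(Building|Current) configuration"),
    re.compile(r"^ntp clock-period"),               # rewritten by the device itself
]


def normalize(config: str) -> list[str]:
    """Drop volatile and blank lines, keep leading indent (it encodes nesting)."""
    out = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or any(p.match(line) for p in VOLATILE):
            continue
        out.append(line)
    return out


def deviations(baseline: str, running: str) -> dict[str, list[str]]:
    """Return {'missing': approved lines gone, 'unexpected': unapproved lines present}.

    Set semantics are deliberate for drift detection: the question is what
    appeared or vanished, not where it moved. See the note on ACLs below.
    """
    base, live = normalize(baseline), normalize(running)
    base_set, live_set = set(base), set(live)
    return {
        "missing": [l for l in base if l not in live_set],
        "unexpected": [l for l in live if l not in base_set],
    }


def alerts(baseline: str, running: str, device: str) -> list[str]:
    d = deviations(baseline, running)
    msgs = [f"ALERT {device}: approved line missing: {l.strip()}" for l in d["missing"]]
    msgs += [f"ALERT {device}: unapproved line present: {l.strip()}" for l in d["unexpected"]]
    return msgs


if __name__ == "__main__":
    for m in alerts(APPROVED_BASELINE, RUNNING_CONFIG, "edge-fw-01"):
        print(m)
```

Two of the three findings in the sample (HTTP management re-enabled, telnet added to the VTY line) are exactly the class of change that 11.4 and 11.5 exist to prevent, and the third (an ACL entry permitting SSH from anywhere) is the one a pure "does the rule have an owner" review would miss. Note the limitation of set comparison: inside an access list, order is semantics, so for ACL stanzas compare the entries positionally against the baseline rather than as a set, or a re-ordered permit/deny pair will pass unnoticed.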
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
Mapping columns: Chief Information Security Officer; Cybersecurity Program; Cybersecurity Policy; Cybersecurity Personnel and Intelligence; Application Security; Risk Assessment; Third Party Information Security Policy; Multi-Factor Authentication; Limitations on Data Retention; Training and Monitoring; Encryption of Nonpublic Information; Incident Response Plan.
[Per-column mapping marks (X) whose row labels were lost in extraction are omitted.]
CIS Controls v7.1 mapped to the Victorian Protective Data Security
Framework (v1.0)
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
Security Incident Management | Business Continuity Management | Contracted Service Providers
Government Services Security Plans Compliance
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Critical Security Control #4: Controlled Use of Administrative Privileges
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
Critical Security Control #7: Email and Web Browser Protections
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Disable any account that cannot be associated with a business process or business owner.
Ensure that all accounts have an expiration date that is monitored and enforced.
Critical Security Control #17: Implement a Security Awareness and Training Program
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[Mapping grid: each CIS sub-control row is marked with an X under the measures it maps to, in columns numbered 1 to 40. The row labels and X marks did not survive extraction; the column headings for measures 4 to 40 are reconstructed below.]
4. Limit the number of Internet access points for the company to those that are strictly necessary.
5. Prohibit the connection of personal devices to the organisation's information system.
6. Know how all software components are updated and keep up to date on the vulnerabilities of these components and their required updates.
7. Define and strictly apply an update policy.
8. Identify each individual accessing the system by name.
9. Set rules for the choice and size of passwords.
10. Set in place technical methods to enable authentication rules to be followed.
11. Do not store passwords in plain sight in files on information systems.
12. Systematically renew default authentication settings (password, certificates) on devices (network switches, routers, servers, printers).
13. Opt, where possible, for strong, smart card authentication.
14. Implement a uniform level of security across the entire IT stock.
15. Technically prevent the connection of portable media except where strictly necessary; deactivate the execution of the autorun functions from these types of media.
16. Use an IT stock management tool that enables the deployment of security policies and updates to machines.
17. Manage portable machines with a security policy that is at least as stringent as for fixed machines.
18. Wherever possible, prohibit remote connections to client machines.
19. Encrypt sensitive data, especially on mobile machines and media that may get lost.
20. Frequently audit (or have audited) the configuration of the central directory (Active Directory in Windows environments or LDAP directory, for example).
21. Set in place compartmentalised networks. For machines or servers containing information that is of strategic importance to the company, create a sub-network protected by a specific interconnection gateway.
22. Avoid the use of wireless (Wifi) infrastructures. If the use of these technologies cannot be avoided, compartmentalise the Wifi access network from the rest of the information system.
23. Systematically use secure applications and protocols.
24. Secure Internet interconnection gateways.
25. Ensure that there are no machines on the network with an administration interface that is accessible via the Internet.
26. Clearly define the objectives of system and network monitoring.
27. Define event log analysis methods.
28. Prohibit all access to the Internet from administration machines or at least administration accounts.
29. Use a dedicated network for the administration of machines or at least a network that is logically separated from the user network.
30. Do not grant administration privileges to users. Make no exceptions.
31. Only authorise remote access to the company network, even for network administration, from company machines that use strong authentication mechanisms and protect the integrity and confidentiality of traffic using robust means.
32. Robust control mechanisms for premises access must imperatively be used.
33. Keys to access the premises and alarm codes must be scrupulously protected.
34. Do not leave access sockets to the internal network accessible in locations that are open to the public.
35. Define rules for the use of printers and photocopiers.
36. Develop a plan for IT recovery and continuity of activity, even if only in outline, that is regularly updated, setting out how to safeguard the company's essential data.
37. Implement an alert and reaction chain that all parties involved are familiar with.
38. Never simply deal with the infection of a machine without attempting to establish how the malware came to be installed on that machine, whether it has spread elsewhere on the network and what data has been accessed.
39. Make users aware of the basic IT rules.
40. Periodically carry out a security audit (at least annually). Each audit must be accompanied by an action plan, the implementation of which should be monitored at the highest level.
CIS Controls v7.1 mapped to ?????
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
System 9.2
System 9.3
System 9.4
System 9.5
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all hardware assets, whether connected to the
organization's network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port-level access control, following the IEEE 802.1X standard, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported by the software's
vendor are added to the organization's authorized software inventory. Unsupported software should
be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incur higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on
the network on a weekly or more frequent basis to identify all potential vulnerabilities on the
organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities
have been remediated in a timely manner.
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading e-mail, composing
documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented, standard security configuration standards for all authorized operating
systems and software.
Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user, timestamp,
source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.
Subscribe to URL categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.
Use DNS filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all e-mail attachments entering the organization's e-mail gateway if the file types are
unnecessary for the organization's business.
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business
needs, are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that each of the organization's key systems is backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one backup destination that is not continuously addressable
through operating system calls.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain standard, documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configuration against approved security configurations defined for each
network device in use and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading e-mail, composing
documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation to workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as Private VLANs or
microsegmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located onsite or at a remote service
provider and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS) that require mutual, multi-factor authentication.
Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is
required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
onsite or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or
by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting them, preserves audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams and impersonation calls.
Train workforce on how to identify and properly store, transfer, archive and destroy sensitive
information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train employees to be able to identify the most common indicators of an incident and be able to
report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and nonproduction systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.
Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, e-mails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.