CIS Controls Master Mappings Tool (v7.1a)

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Critical Security Control #14: Controlled Access Based on the Need to Know
Critical Security Control #20: Penetration Tests and Red Team Exercises
NIST 800-53 controls referenced in the mapping:
SA-13: Trustworthiness
SA-15: Development Process, Standards, and Tools
SA-16: Developer-Provided Training
SA-17: Developer Security Architecture and Design
SA-20: Customized Development of Critical Components
SA-21: Developer Screening
SC-39: Process Isolation
SI-10: Information Input Validation
SI-11: Error Handling
SI-15: Information Output Filtering
SI-16: Memory Protection
IR-1: Incident Response Policy and Procedures
IR-2: Incident Response Training
IR-3: Incident Response Testing
IR-4: Incident Handling
IR-5: Incident Monitoring
IR-6: Incident Reporting
IR-7: Incident Response Assistance
IR-8: Incident Response Plan
IR-10: Integrated Information Security Analysis Team
CA-2: Security Assessments
CA-5: Plan of Action and Milestones
CA-6: Security Authorization
CA-8: Penetration Testing
RA-6: Technical Surveillance Countermeasures Survey
SI-6: Security Function Verification
PM-6: Information Security Measures of Performance
PM-14: Testing, Training, & Monitoring
CDM capabilities referenced: CSM: Configuration Settings Management; Boundary Protection; CRED: Credentials and Authentication Management; BEHV: Security-Related Behavior Management
NIST 800-171; NSA MNP
NSA MNP categories referenced: Baseline Management; Executable Content Restrictions; Configuration and Change Management; Patch Management; Log Management; User Access; Data-at-Rest Protection; Device Accessibility; Virus Scanners and Host Intrusion Prevention Systems; Security Gateways, Proxies, and Firewalls; Network Security Monitoring; Network Architecture; Training; Audit Strategy
Australian Essential Eight; Australian Top 35
NSA Top 10; Canadian CSE Top 10
NSA Top 10 items referenced: Application Whitelisting; Take Advantage of Software Improvements; Control Administrative Privileges; Set a Secure Baseline Configuration; Segregate Networks and Functions
GCHQ 10 Steps; UK Cyber Essentials; UK ICO Protecting Data
Items referenced across these columns: Decommissioning of software or services; Monitoring; Secure Configuration; Patch Management; Removable Media Controls; Malware Protection; Network Security; Unnecessary Services; SQL Injection; Incident Management
PCI DSS 3.2; PCI DSS 3.1; PCI DSS 3.0
FFIEC Examiners Handbook
Sections referenced: Host Security; User Equipment Security (Workstation, Laptop, Handheld); Security Monitoring; Network Security; Encryption; Data Security; Application Security; Software Development & Acquisition
FFIEC Cybersecurity Assessment Tool (CAT); COBIT 5
SWIFT; SG MAS TRM; Saudi AMA
MAS TRM chapters referenced: 9 - Operational Infrastructure Security Management; 11 - Access Controls; 12 - Online Financial Services
NERC CIP; CSA CCM
Items referenced: Information Security Management; Disaster Recovery Management; Logical Access Control; Security Incident Response; Incident Management; 2: Continuous Monitoring; 4: Anti Phishing and Malware Defense; 9: Incident Response Management
NV Gaming MICS v7 2015; MA - CoM 201 CMR 17.00; NY - NYCRR 500
Items referenced: System Parameters; Backups; Network Security and Data Protection; Remote Access; User Accounts; Generic User Accounts; Service & Default Accounts
Victorian PDSF v1.0; ANSSI - 40 Measures
CIS Controls
CSC #1: Inventory of Authorized & Unauthorized Devices
CSC #2: Inventory of Authorized and Unauthorized Software
CSC #3: Continuous Vulnerability Assessment and Remediation
CSC #4: Controlled Use of Administrative Privileges
CSC #5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC #6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC #7: Email and Web Browser Protections
CSC #8: Malware Defenses
CSC #9: Limitation and Control of Network Ports, Protocols, and Services
CSC #10: Data Recovery Capabilities
CSC #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
CSC #12: Boundary Defense
CSC #13: Data Protection
CSC #14: Controlled Access Based on the Need to Know
CSC #15: Wireless Device Control
CSC #16: Account Monitoring and Control
CSC #17: Implement a Security Awareness and Training Program
CSC #18: Application Software Security
CSC #19: Incident Response and Management
CSC #20: Penetration Tests and Red Team Exercises
CIS Controls v7.1 mapped to the NIST Cyber Security Framework (v1.1)
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development
Apply static and dynamic environment and to
analysis tools responsibilities.
verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
Protect
means web
for applications
external byto
entities deploying web security
application
contactproduction
your firewalls (WAFs) that inspect all traffic
group.
Maintain
flowing toseparate
the webenvironments
application forforcommon web and non-production
application systems.
attacks. For Developers
applications should
that are not not
have unmonitored access to production environments.
web-based, specific application firewalls should be deployed if such tools are available for the given
application type.that
For applications If the traffic
rely on aisdatabase,
encrypted,usethe device should
standard hardening either sit behind the
configuration encryption
templates. All or be
capable of decrypting the traffic prior to analysis. If neither option
systems that are part of critical business processes should also be tested. is appropriate, a host-based web
application firewall should be deployed.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
External information systems are catalogued
Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
The organization's role in the supply chain is identified and communicated
The organization's place in critical infrastructure and its industry sector is identified and communicated
Priorities for organizational mission, objectives, and activities are established and communicated
Potential business impacts and likelihoods are identified
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Risk responses are identified and prioritized
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)
All users are informed and trained
Privileged users understand their roles and responsibilities
Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
Data-in-transit is protected
Assets are formally managed throughout removal, transfers, and disposition
Adequate capacity to ensure availability is maintained
Protections against data leaks are implemented
Integrity checking mechanisms are used to verify software, firmware, and information integrity
The development and testing environment(s) are separate from the production environment
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-2: A System Development Life Cycle to manage systems is implemented
Configuration change control processes are in place
Backups of information are conducted, maintained, and tested
Policy and regulations regarding the physical operating environment for organizational assets are met
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
Removable media is protected and its use restricted according to policy
The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
Communications and control networks are protected
Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
A baseline of network operations and expected data flows for users and systems is established and managed
Detected events are analyzed to understand attack targets and methods
Event data are collected and correlated from multiple sources and sensors
Impact of events is determined
Roles and responsibilities for detection are well defined to ensure accountability
Detection activities comply with all applicable requirements
Detection processes are tested
Newly identified vulnerabilities are mitigated or documented as accepted risks
Response plans incorporate lessons learned
Response strategies are updated
Recovery plan is executed during or after a cybersecurity incident
Recovery plans incorporate lessons learned
Recovery strategies are updated
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Critical Security Control #4: Controlled Use of Administrative Privileges
Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and software.
Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
Install the latest stable version of any security-related updates on all network devices.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage all network devices using multi-factor authentication and encrypted sessions.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
curity Control #17:
Perform Implement
a skills gap analysisatoSecurity Awareness
understand the skills andand Training
behaviors Program
workforce members are not
adhering to, using this information to build a baseline education roadmap.
Create a security awareness program for all workforce members to complete on a regular basis to
Deliver training
ensure they to address
understand andthe skills gap
exhibit identified to
the necessary positively
behaviors and impact workforce
skills to members'
help ensure security
the security of
behavior.
the organization. The organization's security awareness program should be communicated in a
continuous
Ensure that and engaging manner.
the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train
Train workforce members
the workforce on howontothe importance
identify of enabling
different forms of and utilizing
social secureattacks,
engineering authentication.
such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing
Train workforce members the wrong
to be able person
to identify thedue tocommon
most autocomplete in email.
indicators of an incident and be
able to report such an incident.
curity Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix: the X marks tying each sub-control to a column were not recoverable; the column headers read as follows.]
External information systems are catalogued
Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
The organization's role in the supply chain is identified and communicated
The organization's place in critical infrastructure and its industry sector is identified and communicated
Priorities for organizational mission, objectives, and activities are established and communicated
Privileged users understand roles & responsibilities
Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
Senior executives understand roles & responsibilities
Integrity checking mechanisms are used to verify software, firmware, and information integrity
The development and testing environment(s) are separate from the production environment
A baseline configuration of information technology/industrial control systems is created and maintained
A System Development Life Cycle to manage systems is implemented
Configuration change control processes are in place
Backups of information are conducted, maintained, and tested periodically
Access to systems and assets is controlled, incorporating the principle of least functionality
Communications and control networks are protected
A baseline of network operations and expected data flows for users and systems is established and managed
Detected events are analyzed to understand attack targets and methods
Event data are aggregated and correlated from multiple sources and sensors
Impact of events is determined
RC.CO-2 RC.CO-3
CIS Controls v7.1 mapped to NIST 800-82 rev2
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
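The two monitoring sub-controls above (attempts against deactivated accounts, and deviations from normal time-of-day, workstation location, and session duration) in working detection logic, as an added example that is not part of the CIS text; the audit log format, account names, workstation names, and per-user baselines are all constructed for the example.

```python
"""Added example for the account-monitoring sub-controls: review authentication
audit records for attempts against deactivated accounts and for successful
logins that deviate from a user's normal time-of-day, workstation, or session
duration. Log format, accounts and baselines are constructed for this example;
they are not a CIS artifact or any product's real format."""
from dataclasses import dataclass
from datetime import datetime

# Constructed audit records: timestamp, user, workstation, result, session minutes.
CONSTRUCTED_AUDIT_LOG = """\
2024-03-04T09:02:11 jdoe WS-FIN-07 success 480
2024-03-04T09:15:42 asmith WS-HR-02 success 455
2024-03-04T23:41:05 jdoe WS-FIN-07 success 35
2024-03-05T10:03:19 bjones WS-ENG-11 failure 0
2024-03-05T10:04:00 jdoe WS-ENG-11 success 470
2024-03-05T02:17:33 asmith WS-HR-02 success 1900
"""

# Accounts that were disabled rather than deleted, so their audit trail persists.
DEACTIVATED_ACCOUNTS = {"bjones"}


@dataclass(frozen=True)
class Baseline:
    """Per-user picture of normal login behaviour (constructed values)."""
    start_hour: int          # earliest normal login hour, inclusive
    end_hour: int            # latest normal login hour, exclusive
    workstations: frozenset  # workstations the user normally logs in from
    typical_minutes: int     # typical session length


BASELINES = {
    "jdoe": Baseline(7, 19, frozenset({"WS-FIN-07"}), 480),
    "asmith": Baseline(8, 18, frozenset({"WS-HR-02"}), 450),
}


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    workstation: str
    success: bool
    minutes: int


def parse_audit_log(text):
    """Parse whitespace-separated records; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
            minutes = int(parts[4])
        except ValueError:
            continue
        events.append(AuditEvent(when, parts[1], parts[2], parts[3] == "success", minutes))
    return events


def find_deactivated_account_attempts(events, deactivated):
    """Any attempt, successful or not, against a disabled account is reportable."""
    return [e for e in events if e.user in deactivated]


def find_login_deviations(events, baselines, duration_factor=3):
    """Return (event, reasons) for successful logins outside the user's baseline."""
    findings = []
    for e in events:
        base = baselines.get(e.user)
        if not e.success or base is None:
            continue
        reasons = []
        if not (base.start_hour <= e.when.hour < base.end_hour):
            reasons.append("time-of-day")
        if e.workstation not in base.workstations:
            reasons.append("workstation")
        if e.minutes > base.typical_minutes * duration_factor:
            reasons.append("duration")
        if reasons:
            findings.append((e, reasons))
    return findings


def review(text=CONSTRUCTED_AUDIT_LOG):
    """Run both checks and return a compact summary suitable for alerting."""
    events = parse_audit_log(text)
    return {
        "deactivated": [e.user for e in find_deactivated_account_attempts(events, DEACTIVATED_ACCOUNTS)],
        "deviations": [(e.user, reasons) for e, reasons in find_login_deviations(events, BASELINES)],
    }


if __name__ == "__main__":
    for key, items in review().items():
        print(key, items)
```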
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix: the X marks tying each sub-control to a column were not recoverable; the column headers read as follows.]
Logically Separated Control Network
Network Segregation
Recommended Defense-in-Depth Architecture
General Firewall Policies for ICS
Recommended Firewall Rules for Specific Services
Network Address Translation (NAT)
Specific ICS Firewall Issues
Unidirectional Gateways
Single Points of Failure
Redundancy and Fault Tolerance
Preventing Man-in-the-Middle Attacks
Authentication and Authorization
Configuration Management
Contingency Planning
Identification and Authentication
System and Information Integrity
Program Management
Privacy Controls
CIS Controls v7.1 mapped to NISTIR 7621 (rev 1): Small Business Information Security
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
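The two sub-controls above, comparing consecutive scans to confirm remediation and rating what remains, are easier to see in code. The following is an added example and not part of the CIS mapping tool: it tracks first-seen dates across two constructed scan runs, closes a finding only when its host was actually scanned and the check no longer fires (a host that was offline must not look "remediated"), reports findings older than an assumed per-severity SLA, and orders the open ones by severity times an assumed asset weight. Host names, check identifiers, SLA values and weights are all constructed for the illustration.

```python
# Added example (not from the CIS mapping tool): track findings across consecutive
# vulnerability scans (CIS 3.6) and rank what is still open by a risk rating (CIS 3.7).
# The scan results, host names, check IDs, SLA table and weighting are all constructed
# assumptions for this illustration.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str        # scanned asset (constructed names below)
    check: str       # scanner check identifier (constructed, not real vulnerability IDs)
    severity: float  # CVSS-style base score, 0.0-10.0
    exploited: bool  # "known exploited" flag from a threat feed (assumed input)


# Assumed remediation SLA in days per severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity_band(score):
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


class FindingTracker:
    """Keeps first-seen dates so that 'still open after N days' can be measured."""

    def __init__(self):
        self.open = {}    # (host, check) -> (Finding, first_seen)
        self.closed = {}  # (host, check) -> (Finding, first_seen, closed_on)

    def ingest(self, scan_date, hosts_scanned, findings):
        seen = {}
        for f in findings:
            key = (f.host, f.check)
            seen[key] = f
            if key not in self.open:
                self.open[key] = (f, scan_date)
        # A finding counts as remediated only when its host WAS scanned and the
        # check no longer fires; a host that was offline keeps its findings open.
        for key in list(self.open):
            if key not in seen and key[0] in hosts_scanned:
                f, first_seen = self.open.pop(key)
                self.closed[key] = (f, first_seen, scan_date)
        return self

    def overdue(self, as_of):
        """Open findings whose age exceeds the SLA for their severity band."""
        result = []
        for key, (f, first_seen) in self.open.items():
            age = (as_of - first_seen).days
            if age > SLA_DAYS[severity_band(f.severity)]:
                result.append((key, age))
        return sorted(result)

    def prioritized(self, host_weight):
        """Open findings ordered by severity x asset criticality, boosted if exploited."""
        def risk(item):
            f, _ = item
            score = f.severity * host_weight.get(f.host, 1.0)
            return score * 1.5 if f.exploited else score
        ordered = sorted(self.open.items(), key=lambda kv: (-risk(kv[1]), kv[0]))
        return [key for key, _ in ordered]


# Constructed sample scans, two weeks apart.
SCAN_1_DATE, SCAN_1_HOSTS = date(2024, 3, 1), {"db01", "web01", "hr-fs"}
SCAN_1 = [
    Finding("db01", "CHECK-1001", 9.8, True),
    Finding("db01", "CHECK-1002", 5.3, False),
    Finding("web01", "CHECK-1001", 9.8, True),
    Finding("hr-fs", "CHECK-1003", 7.5, False),
]
SCAN_2_DATE, SCAN_2_HOSTS = date(2024, 3, 15), {"db01", "web01"}  # hr-fs was offline
SCAN_2 = [
    Finding("db01", "CHECK-1002", 5.3, False),   # still open
    Finding("web01", "CHECK-1001", 9.8, True),   # still open, now past its SLA
    Finding("web01", "CHECK-1004", 8.8, False),  # new this run
]
HOST_WEIGHT = {"db01": 2.0}  # assumed asset-criticality multiplier


def run_example():
    tracker = FindingTracker().ingest(SCAN_1_DATE, SCAN_1_HOSTS, SCAN_1)
    tracker.ingest(SCAN_2_DATE, SCAN_2_HOSTS, SCAN_2)
    return {
        "remediated": sorted(tracker.closed),
        "overdue": tracker.overdue(SCAN_2_DATE),
        "priority": tracker.prioritized(HOST_WEIGHT),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

The hosts_scanned set is the part most real pipelines forget: without it, every host that drops out of a scan window (decommissioned, powered off, blocked by a firewall change) reports as a successful remediation.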
Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
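Comparing a device's running configuration against its approved configuration, and alerting on deviations, is the mechanical heart of the sub-control above. The following is an added example, not CIS material and not any vendor's tool: it checks a constructed IOS-style configuration against a baseline expressed as required line patterns and forbidden line patterns, and turns the deviations into alert lines. The configuration text, the baseline entries and the device name are all constructed assumptions.

```python
# Added example (not from the CIS mapping tool): compare a network device's running
# configuration against an approved baseline and report deviations (CIS 11.3).
# The IOS-style configuration text and the baseline (required line patterns and
# forbidden line patterns) are constructed for this illustration.
import re

# Approved baseline: every "required" pattern must match some config line;
# no config line may match a "forbidden" pattern.
APPROVED_BASELINE = {
    "required": [
        r"^service password-encryption$",
        r"^no ip http server$",
        r"^ip ssh version 2$",
        r"^logging host 10\.0\.0\.5$",
        r"^ transport input ssh$",   # VTY lines: SSH only
        r"^ exec-timeout 10 0$",
    ],
    "forbidden": [
        r"^(enable password|username \S+ password) ",  # cleartext secrets
        r"^ transport input .*\b(telnet|all)\b",      # management over telnet
        r"^snmp-server community ",                    # SNMPv1/v2c community strings
        r"^ip http server$",
    ],
}

# Constructed running config with several deviations from the baseline.
DRIFTED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
username ops password 0 notasecret
ip ssh version 2
snmp-server community public RO
logging host 10.0.0.5
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
"""

# The same device after remediation (the hash value is a placeholder).
HARDENED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
username ops secret 9 $9$constructedhash
no ip http server
ip ssh version 2
snmp-server group ops v3 priv
logging host 10.0.0.5
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""


def config_lines(text):
    """Keep leading indentation: IOS sub-mode lines are distinguished by it."""
    return [line.rstrip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("!")]


def check_config(text, baseline=APPROVED_BASELINE):
    lines = config_lines(text)
    missing = [p for p in baseline["required"]
               if not any(re.search(p, line) for line in lines)]
    violations = [line for line in lines
                  if any(re.search(p, line) for p in baseline["forbidden"])]
    return {"missing": missing, "violations": violations}


def is_compliant(text, baseline=APPROVED_BASELINE):
    result = check_config(text, baseline)
    return not result["missing"] and not result["violations"]


def alert_lines(device, text, baseline=APPROVED_BASELINE):
    """One human-readable line per deviation, ready for the alerting pipeline."""
    result = check_config(text, baseline)
    out = [f"{device}: MISSING required statement matching {p!r}" for p in result["missing"]]
    out += [f"{device}: FORBIDDEN statement present: {line.strip()!r}"
            for line in result["violations"]]
    return out


if __name__ == "__main__":
    print("\n".join(alert_lines("edge-rtr-01", DRIFTED_CONFIG)) or "compliant")
```

Running this against the drifted config reports the missing "no ip http server" and SSH-only VTY lines, and flags the cleartext user password, the SNMPv2c community and the telnet transport; the hardened config passes clean. In practice the baseline should be per device role and pulled from the same configuration management system that records the business reason for each rule.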
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system, or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
[NISTIR 7621 mapping matrix: only the column headings survived extraction; row labels and cell marks are not recoverable. Columns: Set up web and email filters; Use encryption for sensitive business information; Dispose of old computers and media safely; Develop a plan for disasters and information security incidents; Make full backups of important business data/information; Make incremental backups of important business data/information; Consider cyber insurance; Make improvements to processes / procedures / technologies; Pay attention to the people you work with and around; Be careful downloading software; Do not give out personal or business information; Watch for harmful pop-ups; NISTIR item numbers 4.0h, 4.0i.]
CIS Controls v7.1 mapped to the DHS CDM Program
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized
The organization's software is blocked
application whitelisting softwarefrom
mustexecuting on assets.
ensure that only authorized software
libraries
The organization's application whitelisting software must ensure that onlyprocess.
(such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
curity Control
Utilize#3: Continuous
an up-to-date Vulnerability
Security Assessment
Content Automation Protocol and
(SCAP)Remediation
compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most
Deploy recent security
automated updates
software provided
update tools inby the software
order to ensurevendor.
that third-party software on all systems
is
Regularly compare the results from consecutive vulnerabilitysoftware
running the most recent security updates provided by the scans to vendor.
verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder’s technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping grid: rows of X marks whose row labels are not present; recoverable column headings: Vulnerability Management; Access Control Management; Security-Related Behavior Management; Credentials & Authentication Management (CRED); Privileges (PRIV); Boundary Protection; Generic Audit Monitoring; Plan for Events; Respond to Events; Document Requirements; Quality Management; Risk Management]
CIS Controls v7.1 mapped to ISO 27002:2013
(Sub-control IDs grouped by control, with the asset type of each sub-control)
System: 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
System: 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
System: 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5
Critical Security Control #10: Data Recovery Capabilities
System: 10.1, 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most
Deploy recent security
automated updates
software provided
update tools inby the software
order to ensurevendor.
that third-party software on all systems
is
Regularly compare the results from consecutive vulnerabilitysoftware
running the most recent security updates provided by the scans to vendor.
verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
curity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
All configuration rules that allow traffic to flow through network devices should be documented in a
Maintain documented
configuration security
management configuration
system standards
with a specific for all
business authorized
reason network
for each rule, a devices.
specific
individual’s name responsible for that business need, and an expected duration
Compare all network device configurations against approved security configurations of the need. for
defined
each network device in use, and alert when any deviations are discovered.
Ensure network
Install the latest engineers use aofdedicated
stable version machine forupdates
any security-related all administrative tasksdevices.
on all network or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
Manage
be allowedall Internet
network devicesThisusing multi-factor authentication
used forand encrypted sessions.
Manage the networkaccess. machine
infrastructure acrossshall not
network be
connectionsreading email,
that are composing
separated from documents,
the
or surfing the Internet.
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
curity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
Deny communication
trusted and necessaryover unauthorized
IP address TCP
ranges at or UDP
each ports
of the or application
organization's trafficboundaries.
network to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
boundaries.
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
Decrypt all encrypted
layer proxy networktotraffic
that is configured filter at the boundary
unauthorized proxy prior to analyzing the content. However,
connections.
the organization may use whitelists of allowed sites that can be accessed through the proxy without
Require
decryptingall remote login access to the organization's network to encrypt data in transit and use
the traffic.
Scan all enterprise
multi-factor devices remotely logging into the organization's network prior to accessing the
authentication.
network to ensure that each of the organization's security policies has been enforced in the same
manner
curity Control
Remove as
#13: local
Data
sensitivenetwork ordevices.
Protection
data systems not regularly accessed by the organization from the network.
Maintain an inventory
These systems shall only be of all used
sensitive informationsystems
as stand-alone stored, (disconnected
processed, or transmitted by the by the
from the network)
organization's technology systems, including those located on-site or at a remote
business unit needing to occasionally use the system or completely virtualized and powered service provider.
off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
curity Control #14:
Segment theControlled Access
network based Based
on the label on the Need
or classification levelto
of Know
the information stored on the
servers,
Enable locate all sensitive information on separatedthatVirtual Local Areasystems
Networks are(VLANs).
Disablefirewall filtering between
all workstation-to-workstation VLANscommunication
to ensure only authorized
to limit an attacker's ability able
to to laterally
move
communicate with other systems necessary to fulfill their specific responsibilities.
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.
Utilize
Protect an active discovery
all toolonto systems
identify all sensitive information
networkstored,
share, processed, or transmitted
Encrypt
by the all information
organization's
stored
sensitive information
technology in transit.with
systems,
file system,
including those located on-site
claims, application,
or at a remote
or
service
database specific access control lists. These controls will enforce the principle that only authorized
provider,
individualsand update
should havetheaccess
organization's sensitive information
to the information based on theirinventory.
need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even
Encryptwhen the data information
all sensitive is copied off ata system.
rest using a tool that requires a secondary authentication
mechanism
Enforce detailed not integrated intofor
audit logging theaccess
operating system,data
to sensitive in order to access
or changes the information.
to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
curity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected
Use a wireless to the detection
intrusion wired network.
system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security
Disable wireless peripheral access (EAP/TLS),
of devices that
[suchrequires mutual,
as Bluetooth andmulti-factor
Near Field authentication.
Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
Mapping matrix columns: Return of assets; Classification of information; Labelling of information.
Mapping matrix columns: User registration and de-registration; User access provisioning; Privilege management.
Mapping matrix columns: Physical entry controls; Securing office, rooms and facilities; Protecting against external and environmental threats.
Mapping matrix columns: Protection of log information; Administrator and operator logs; Clock synchronisation.
Mapping matrix columns: Information systems audit controls; Network controls; Security of network services.
Mapping matrix columns: Segregation in networks; Information transfer policies and procedures; Agreements on information transfer.
Mapping matrix columns: Electronic messaging; Confidentiality or non-disclosure agreements; Security requirements analysis and specification.
Mapping matrix columns: Securing applications services on public networks; Protecting application services transactions; Secure development policy.
Mapping matrix columns: Information security policy for supplier relationships; Addressing security within supplier agreements; Information and communication technology supply chain.
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to laterally move and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even
Encryptwhen the data information
all sensitive is copied off ata system.
rest using a tool that requires a secondary authentication
mechanism
Enforce detailed not integrated intofor
audit logging theaccess
operating system,data
to sensitive in order to access
or changes the information.
to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
curity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected
Use a wireless to the detection
intrusion wired network.
system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security
Disable wireless peripheral access (EAP/TLS),
of devices that
[suchrequires mutual,
as Bluetooth andmulti-factor
Near Field authentication.
Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
curity Control #16:
Maintain an Account
inventory ofMonitoring and Control
each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security,
Require multi-factor and cloud
authentication forsystems.
all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash
Ensure that with a salt
all account all authentication
usernames credentials
and authentication when stored.
credentials are transmitted across networks
using encrypted channels.
Establish and follow an automated process for revoking system access by disabling accounts
Maintain an inventory
immediately of all accounts
upon termination organized
or change by authentication
of responsibilities system. or contractor. Disabling
of an employee
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts
Alert when to access
users deviate deactivated
from accounts
normal login through
behavior, suchaudit logging. workstation location, and
as time-of-day,
duration.
curity Control #17:
Perform Implement
a skills gap analysisatoSecurity Awareness
understand the skills andand Training
behaviors Program
workforce members are not
adhering to, using this information to build a baseline education roadmap.
Create a security awareness program for all workforce members to complete on a regular basis to
Deliver training
ensure they to address
understand andthe skills gap
exhibit identified to
the necessary positively
behaviors and impact workforce
skills to members'
help ensure security
the security of
behavior.
the organization. The organization's security awareness program should be communicated in a
continuous
Ensure that and engaging manner.
the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train
Train workforce members
the workforce on howontothe importance
identify of enabling
different forms of and utilizing
social secureattacks,
engineering authentication.
such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing
Train workforce members the wrong
to be able person
to identify thedue tocommon
most autocomplete in email.
indicators of an incident and be
able to report such an incident.
curity Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.software, ensure that explicit error checking is performed and documented
For in-house developed
for all input,
Verify that theincluding
versionfor size,
of all data type,
software and acceptable
acquired from outside ranges
yourororganization
formats. is still supported by
the
Onlydeveloper or appropriately
use up-to-date and trustedhardened based
third-party on developer
components security
for the recommendations.
software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development
Apply static and dynamic environment and to
analysis tools responsibilities.
verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
Protect
means web
for applications
external byto
entities deploying web security
application
contactproduction
your firewalls (WAFs) that inspect all traffic
group.
Maintain
flowing toseparate
the webenvironments
application forforcommon web and non-production
application systems.
attacks. For Developers
applications should
that are not not
have unmonitored access to production environments.
web-based, specific application firewalls should be deployed if such tools are available for the given
application type.that
For applications If the traffic
rely on aisdatabase,
encrypted,usethe device should
standard hardening either sit behind the
configuration encryption
templates. All or be
capable of decrypting the traffic prior to analysis. If neither option
systems that are part of critical business processes should also be tested. is appropriate, a host-based web
application firewall should be deployed.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
[Mapping matrix: only the cell markers survived extraction. The column headings recoverable from this span are: Acceptable use of assets; Information labelling and handling; Classification guidelines; Termination responsibilities; Removal of access rights; Return of assets; Management of removable media; Information handling procedures; Disposal of media; Administrator and operator logs; Fault logging; Clock synchronization; Network connection control; Network routing control; Segregation in networks; Secure log-on procedures; User identification and authentication; Password management system; Limitation of connection time; Use of system utilities; Session time-out; Teleworking; Security requirements analysis and specification; Input data validation; Control of internal processing; Message integrity; Output data validation; Reporting security weaknesses; Responsibilities and procedures; Learning from information security incidents; Including information security in the business continuity management process; Business continuity and risk assessment; Collection of evidence; Protection of information systems audit tools (A.15.3.2).]
CIS Controls v7.1 mapped to IEC 62443-3-3:2013
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Router
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to laterally move and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off of a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
[Mapping matrix: only the cell markers and one spilled row label ("Routers and Switches", the tail of the Control #11 title) survived extraction. The column headings recoverable from this span are: Authenticator management; Identifier management; Wireless access management; Mobile code; Session lock; Use control for portable and mobile devices; Remote session termination; Concurrent session control; Auditable events; Deterministic output; Error handling; Session integrity; General purpose person-to-person communication restriction; Application partitioning; Audit log accessibility.]
CIS Controls v7.1 mapped to NIST 800-171
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Router
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
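The two sub-controls above (compare consecutive scans; prioritize remediation by risk) are easy to state and easy to get wrong in practice, because a finding that disappears from a scan is not necessarily fixed (the host may simply have been offline) and a finding that persists needs an age, not just a severity, before anyone escalates it. The following is an added example, not part of the CIS Controls document: it diffs two scan exports and ranks what is still open against a remediation window. The scan records, the severity scores, the remediation windows (SLA_DAYS) and the report date are constructed for illustration; a real tool would read the scanner's export and the organization's own policy.

```python
"""Compare two consecutive vulnerability scans and rank what remains open.

Added example, not from the CIS Controls document. All data below is
constructed: findings are keyed by (host, check id) and carry a CVSS-style
severity and the date the scanner first reported them.
"""
from datetime import date

# Constructed: the previous weekly scan.
PREVIOUS_SCAN = {
    ("web01", "ssl-weak-cipher"):   {"severity": 5.3,  "first_seen": date(2024, 1, 10)},
    ("web01", "apache-outdated"):   {"severity": 7.5,  "first_seen": date(2024, 1, 10)},
    ("db01",  "mysql-auth-bypass"): {"severity": 9.8,  "first_seen": date(2024, 1, 17)},
}
# Constructed: the current weekly scan.
CURRENT_SCAN = {
    ("web01", "ssl-weak-cipher"):   {"severity": 5.3,  "first_seen": date(2024, 1, 10)},
    ("db01",  "mysql-auth-bypass"): {"severity": 9.8,  "first_seen": date(2024, 1, 17)},
    ("app02", "log4j-rce"):         {"severity": 10.0, "first_seen": date(2024, 1, 31)},
}
# Assumed remediation windows per severity band (an organization policy, not a CIS value).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Constructed report date used for age calculations.
REPORT_DATE = date(2024, 2, 20)


def severity_band(score):
    """Map a numeric severity to the band that selects its remediation window."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def compare_scans(previous, current):
    """Return which findings were remediated, are new, or persist between two scans."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "remediated": sorted(prev_keys - cur_keys),   # gone; verify the host was actually scanned
        "new":        sorted(cur_keys - prev_keys),
        "persisting": sorted(prev_keys & cur_keys),
    }


def overdue_findings(current, today):
    """Open findings older than their band's window, worst severity first.

    Each entry is (key, band, days past the window)."""
    overdue = []
    for key, finding in current.items():
        band = severity_band(finding["severity"])
        days_over = (today - finding["first_seen"]).days - SLA_DAYS[band]
        if days_over > 0:
            overdue.append((key, band, days_over))
    overdue.sort(key=lambda item: (-current[item[0]]["severity"], -item[2]))
    return overdue


if __name__ == "__main__":
    delta = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for label, keys in delta.items():
        print(label, keys)
    for key, band, days in overdue_findings(CURRENT_SCAN, REPORT_DATE):
        print("OVERDUE %-8s %-5s %-20s %d day(s) past window" % (band, key[0], key[1], days))
```

A finding listed under "remediated" should be confirmed against the scanner's host-coverage report before it is closed; if the host was unreachable during the later scan, its findings vanish from the diff without anything having been fixed.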
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
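Two of the sub-controls above are mechanical enough to automate: every permit rule should carry a business reason, a named owner and an expected duration, and the running device configuration should be compared against the approved one with an alert on any deviation. The following is an added example, not part of the CIS Controls document, showing both checks over a constructed rule set. The approved-rule records, the "running" rules, the field names and the audit date are all assumptions for illustration; a real implementation would parse the device's exported configuration and the configuration management system's records.

```python
"""Audit firewall rule metadata and detect drift between approved and running rules.

Added example, not from the CIS Controls document. Rule records are
constructed; field layout (id, src, dst, port, proto, reason, owner, expires)
is an assumption of this example.
"""
from datetime import date

# Constructed: rules as documented in the configuration management system.
APPROVED_RULES = [
    {"id": 10, "src": "10.1.0.0/24", "dst": "10.2.0.10", "port": 443,  "proto": "tcp",
     "reason": "HR portal access", "owner": "a.andersen", "expires": date(2025, 6, 30)},
    {"id": 20, "src": "any",         "dst": "10.2.0.20", "port": 22,   "proto": "tcp",
     "reason": "",                  "owner": "",           "expires": date(2024, 3, 1)},
    {"id": 30, "src": "10.3.0.0/24", "dst": "10.2.0.30", "port": 1433, "proto": "tcp",
     "reason": "Reporting DB",      "owner": "b.lee",      "expires": date(2023, 12, 31)},
]
# Constructed: rules exported from the running device.
RUNNING_RULES = [
    {"id": 10, "src": "10.1.0.0/24", "dst": "10.2.0.10", "port": 443,  "proto": "tcp"},
    {"id": 20, "src": "any",         "dst": "10.2.0.20", "port": 22,   "proto": "tcp"},
    {"id": 40, "src": "any",         "dst": "10.2.0.40", "port": 3389, "proto": "tcp"},
]
# Constructed audit date.
AUDIT_DATE = date(2024, 4, 1)


def audit_rule_metadata(rules, today):
    """Flag rules lacking a business reason or owner, or whose expected duration has passed."""
    findings = []
    for rule in rules:
        if not rule["reason"]:
            findings.append((rule["id"], "missing business reason"))
        if not rule["owner"]:
            findings.append((rule["id"], "missing owner"))
        if rule["expires"] < today:
            findings.append((rule["id"], "expired on " + rule["expires"].isoformat()))
    return findings


def rule_key(rule):
    """The fields that define what a rule permits; metadata is deliberately excluded."""
    return (rule["id"], rule["src"], rule["dst"], rule["port"], rule["proto"])


def detect_drift(approved, running):
    """Rules on the device that were never approved, and approved rules that are absent."""
    approved_keys = {rule_key(r) for r in approved}
    running_keys = {rule_key(r) for r in running}
    return {
        "unapproved": sorted(running_keys - approved_keys),
        "missing":    sorted(approved_keys - running_keys),
    }


if __name__ == "__main__":
    for rule_id, problem in audit_rule_metadata(APPROVED_RULES, AUDIT_DATE):
        print("rule %d: %s" % (rule_id, problem))
    drift = detect_drift(APPROVED_RULES, RUNNING_RULES)
    for key in drift["unapproved"]:
        print("ALERT unapproved rule on device:", key)
    for key in drift["missing"]:
        print("ALERT approved rule not present on device:", key)
```

Comparing on the permit tuple rather than on the raw configuration text avoids false alerts from cosmetic differences (comment changes, reordering of equivalent lines) while still catching a rule that was added on the device without going through the approval process, which is the case the control is written for.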
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
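The last two sub-controls (monitor attempts against deactivated accounts; alert on deviation from normal login behavior) describe detection logic rather than configuration, so here is an added example, not part of the CIS Controls document, that runs both checks over a handful of audit log lines. The log format ("timestamp user workstation result"), the set of deactivated accounts and the per-user baselines of usual hours and usual workstations are constructed for illustration; a real detector would take the baseline from historical authentication logs and the deactivated set from the identity system.

```python
"""Flag logins against deactivated accounts and logins outside a user's baseline.

Added example, not from the CIS Controls document. The log lines, the
deactivated-account set and the baselines are constructed; the line layout
"<ISO timestamp> <user> <workstation> <success|failure>" is an assumption.
"""
from datetime import datetime

# Constructed: accounts disabled (not deleted) on termination, so the audit trail survives.
DEACTIVATED = {"jdoe"}

# Constructed baselines: usual login hours (24h clock, inclusive) and usual workstations.
BASELINE = {
    "asmith": {"hours": (7, 19), "hosts": {"WS-101", "WS-102"}},
    "bjones": {"hours": (8, 18), "hosts": {"WS-200"}},
}

# Constructed sample audit log.
SAMPLE_LOG = """\
2024-02-20T09:15:02 asmith WS-101 success
2024-02-20T02:47:10 asmith WS-101 success
2024-02-20T10:03:55 bjones WS-431 success
2024-02-20T11:20:00 jdoe WS-200 failure
2024-02-20T12:00:00 cnew WS-300 success
"""


def parse_line(line):
    """Split one audit line into its fields; raises ValueError on a malformed line."""
    timestamp, user, host, result = line.split()
    return {"time": datetime.fromisoformat(timestamp), "user": user,
            "host": host, "result": result}


def analyze(log_text, deactivated=DEACTIVATED, baseline=BASELINE):
    """Return (user, reason) alerts for every event that violates a check."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        # Any attempt against a deactivated account is reportable, successful or not.
        if event["user"] in deactivated:
            alerts.append((event["user"], "attempt against deactivated account"))
            continue
        profile = baseline.get(event["user"])
        if profile is None:
            # An account with no history cannot be judged "normal"; surface it for review.
            alerts.append((event["user"], "no baseline for account"))
            continue
        low, high = profile["hours"]
        if not low <= event["time"].hour <= high:
            alerts.append((event["user"],
                           "login outside usual hours (%02d:00)" % event["time"].hour))
        if event["host"] not in profile["hosts"]:
            alerts.append((event["user"],
                           "login from unusual workstation " + event["host"]))
    return alerts


if __name__ == "__main__":
    for user, reason in analyze(SAMPLE_LOG):
        print("ALERT %-8s %s" % (user, reason))
```

The failed attempt against the deactivated account is alerted on even though it failed: the point of the control is to learn that someone is still trying to use a credential that should be dead, and a failed attempt is the earliest signal of that.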
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
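The second sub-control of this group asks for explicit, documented checking of every input for size, data type and acceptable range or format. What that looks like in code is a validator that declares the rules per field and reports every failed check, rather than ad hoc tests scattered through the handler. The following is an added example, not part of the CIS Controls document; the field set (a hypothetical "create user" request), the limits and the two patterns are assumptions for illustration.

```python
"""Explicit input validation: size, type, range and format checks per field.

Added example, not from the CIS Controls document. The schema below is for a
hypothetical "create user" request; every limit and pattern in it is an
assumption of this example.
"""
import re

# Patterns are applied with fullmatch(), so a trailing newline or extra text
# cannot slip past a "$" anchor the way it can with re.match().
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}")

SCHEMA = {
    "username": {"type": str, "max_len": 32,  "format": USERNAME_RE},
    "email":    {"type": str, "max_len": 320, "format": EMAIL_RE},
    "age":      {"type": int, "min": 13, "max": 130},
    "role":     {"type": str, "choices": {"viewer", "editor"}},
}


class ValidationError(ValueError):
    """Raised by validate() with every failed check joined into one message."""


def check(payload, schema=SCHEMA):
    """Return a list of human-readable failures; an empty list means the payload is clean.

    Checks run in a fixed order per field (type, size, format, range, choices)
    and stop at the first failure for that field, so each message names the
    earliest reason the value was rejected."""
    errors = []
    unknown = sorted(set(payload) - set(schema))
    if unknown:
        errors.append("unexpected field(s): " + ", ".join(unknown))
    for name, rule in schema.items():
        if name not in payload:
            errors.append(name + ": missing")
            continue
        value = payload[name]
        # bool is a subclass of int in Python, so True would pass an int check unless excluded.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append("%s: expected %s" % (name, rule["type"].__name__))
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append("%s: longer than %d characters" % (name, rule["max_len"]))
            continue
        if "format" in rule and rule["format"].fullmatch(value) is None:
            errors.append(name + ": bad format")
            continue
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            errors.append("%s: out of range %d..%d" % (name, rule["min"], rule["max"]))
            continue
        if "choices" in rule and value not in rule["choices"]:
            errors.append(name + ": not an allowed value")
            continue
    return errors


def validate(payload, schema=SCHEMA):
    """Return a dict containing only the schema's fields, or raise ValidationError."""
    errors = check(payload, schema)
    if errors:
        raise ValidationError("; ".join(errors))
    return {name: payload[name] for name in schema}


if __name__ == "__main__":
    request = {"username": "Alice", "email": "x", "age": "30", "role": "admin", "extra": 1}
    for problem in check(request):
        print("rejected:", problem)
```

Unknown fields are rejected rather than ignored: an extra key that the handler does not expect is exactly the kind of input a mass-assignment or parameter-pollution attempt relies on, and the control's "all input" includes fields the developer did not plan for.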
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
Mapping grid: CIS Sub-Controls (rows) against NIST SP 800-171 requirements (columns). Only the column headings are reproduced here; the per-row mapping marks carry no row labels in this rendering. Requirement numbers other than 3.9.2 are supplied from NIST SP 800-171 Rev. 1, whose wording the headings follow.
3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
3.1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.
3.1.11 Terminate (automatically) a user session after a defined condition.
3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
3.1.16 Authorize wireless access prior to allowing such connections.
3.1.17 Protect wireless access using authentication and encryption.
3.1.18 Control connection of mobile devices.
3.1.19 Encrypt CUI on mobile devices.
3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3.1.20 Verify and control/limit connections to and use of external information systems.
3.1.21 Limit use of organizational portable storage devices on external information systems.
3.1.22 Control information posted or processed on publicly accessible information systems.
3.1.3 Control the flow of CUI in accordance with approved authorizations.
3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
3.1.8 Limit unsuccessful logon attempts.
3.11.3 Remediate vulnerabilities in accordance with assessments of risk.
3.12.1 Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
3.12.3 Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
3.13.10 Establish and manage cryptographic keys for cryptography employed in the information system.
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
3.13.13 Control and monitor the use of mobile code.
3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
3.13.15 Protect the authenticity of communications sessions.
3.13.16 Protect the confidentiality of CUI at rest.
3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
3.13.3 Separate user functionality from information system management functionality.
3.13.4 Prevent unauthorized and unintended information transfer via shared system resources.
3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
3.14.4 Update malicious code protection mechanisms when new releases are available.
3.2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.
3.5.1 Identify information system users, processes acting on behalf of users, or devices.
3.5.10 Store and transmit only encrypted representation of passwords.
3.5.11 Obscure feedback of authentication information.
3.6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
3.6.3 Test the organizational incident response capability.
3.7.1 Perform maintenance on organizational information systems.
3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.
3.8.1 Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
3.9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
CIS Controls v7.1 mapped to the NSA's MNT
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Router
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off of a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
[Mapping matrix: the X marks of the mapping grid did not survive extraction and are not recoverable. Column headings recovered: Device Accessibility; User Access; Patch Management; Document your Network; Baseline Management; Backup Strategy; Milestone 7; Milestone 8; Incident Response and Disaster Recovery Plans; Security Policy; Training; Executable Content Restrictions; Virus Scanners and Host Intrusion Prevention Systems; Personal Electronic Device Management; Data-At-Rest Protection; Security Gateways, Proxies, and Firewalls; Network Access Control; Remote Access Security; Network Security Monitoring; Log Management; Configuration and Change Management; Audit Strategy.]
CIS Controls v7.1 mapped to the Australian Essential Eight
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized
The organization's software is blocked
application whitelisting softwarefrom
mustexecuting on assets.
ensure that only authorized software
libraries
The organization's application whitelisting software must ensure that onlyprocess.
(such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
curity Control
Utilize#3: Continuous
an up-to-date Vulnerability
Security Assessment
Content Automation Protocol and
(SCAP)Remediation
compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most
Deploy recent security
automated updates
software provided
update tools inby the software
order to ensurevendor.
that third-party software on all systems
is
Regularly compare the results from consecutive vulnerabilitysoftware
running the most recent security updates provided by the scans to vendor.
verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
curity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
All configuration rules that allow traffic to flow through network devices should be documented in a
Maintain documented
configuration security
management configuration
system standards
with a specific for all
business authorized
reason network
for each rule, a devices.
specific
individual’s name responsible for that business need, and an expected duration
Compare all network device configurations against approved security configurations of the need. for
defined
each network device in use, and alert when any deviations are discovered.
Ensure network
Install the latest engineers use aofdedicated
stable version machine forupdates
any security-related all administrative tasksdevices.
on all network or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
Manage
be allowedall Internet
network devicesThisusing multi-factor authentication
used forand encrypted sessions.
Manage the networkaccess. machine
infrastructure acrossshall not
network be
connectionsreading email,
that are composing
separated from documents,
the
or surfing the Internet.
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
curity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
Deny communication
trusted and necessaryover unauthorized
IP address TCP
ranges at or UDP
each ports
of the organization's boundaries.
or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
Mapping matrix column headers (1 to 8): 1 Application whitelisting; 2 Patch applications; 3 Disable untrusted Microsoft Office macros; 4 User application hardening; 5 Restrict administrative privileges; 6 Patch operating systems; 7 Multi-factor authentication; 8 Daily backup of important data.
CIS Controls v7.1 mapped to Australian DSD Top 35: 2014
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
boundaries.
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
Decrypt all encrypted
layer proxy networktotraffic
that is configured filter at the boundary
unauthorized proxy prior to analyzing the content. However,
connections.
the organization may use whitelists of allowed sites that can be accessed through the proxy without
Require
decryptingall remote login access to the organization's network to encrypt data in transit and use
the traffic.
Scan all enterprise
multi-factor devices remotely logging into the organization's network prior to accessing the
authentication.
network to ensure that each of the organization's security policies has been enforced in the same
manner
curity Control
Remove as
#13: local
Data
sensitivenetwork ordevices.
Protection
data systems not regularly accessed by the organization from the network.
Maintain an inventory
These systems shall only be of all used
sensitive informationsystems
as stand-alone stored, (disconnected
processed, or transmitted by the by the
from the network)
organization's technology systems, including those located on-site or at a remote
business unit needing to occasionally use the system or completely virtualized and powered service provider.
off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the
Configure use of not
systems specific devices.
to write dataAn inventoryremovable
to external of such devices
media,should beismaintained.
if there no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
curity Control #14:
Segment theControlled Access
network based Based
on the label on the Need
or classification levelto
of Know
the information stored on the
servers,
Enable locate all sensitive information on separatedthatVirtual Local Areasystems
Networks are(VLANs).
Disablefirewall filtering between
all workstation-to-workstation VLANscommunication
to ensure only authorized
to limit an attacker's ability able
to to laterally
move
communicate with other systems necessary to fulfill their specific responsibilities.
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.
Utilize
Protect an active discovery
all toolon
to systems
identify all sensitive information
networkstored,
share, processed, or transmitted
Encrypt
by the all information
organization's
stored
sensitive information
technology in transit.with
systems,
file system,
including those located on-site
claims, application,
or at a remote
or
service
database specific access control lists. These controls will enforce the principle that only authorized
provider,
individualsand update
should havetheaccess
organization's sensitive information
to the information based on theirinventory.
need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even
Encryptwhen the data information
all sensitive is copied off at
a system.
rest using a tool that requires a secondary authentication
mechanism not integrated into the
Enforce detailed audit logging for access operating system,data
to sensitive in order to access
or changes the information.
to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
curity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected
Use a wireless to the detection
intrusion wired network.
system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security
Disable wireless peripheral access (EAP/TLS),
of devices that
[suchrequires mutual,
as Bluetooth andmulti-factor
Near Field authentication.
Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
curity Control #16:
Maintain an Account
inventory ofMonitoring and Control
each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security,
Require multi-factor and cloud
authentication forsystems.
all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash
Ensure that with a salt
all account all authentication
usernames credentials
and authentication when stored.
credentials are transmitted across networks
using encrypted channels.
Establish and follow an automated process for revoking system access by disabling accounts
Maintain an inventory
immediately of all accounts
upon termination organized
or change by authentication
of responsibilities system. or contractor. Disabling
of an employee
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts
Alert when to access
users deviate deactivated
from accounts
normal login through
behavior, suchaudit logging. workstation location, and
as time-of-day,
duration.
curity Control #17:
Perform Implement
a skills gap analysisatoSecurity Awareness
understand the skills andand Training
behaviors Program
workforce members are not
adhering to, using this information to build a baseline education roadmap.
Create a security awareness program for all workforce members to complete on a regular basis to
Deliver training
ensure they to address
understand andthe skills gap
exhibit identified to
the necessary positively
behaviors and impact workforce
skills to members'
help ensure security
the security of
behavior.
the organization. The organization's security awareness program should be communicated in a
continuous
Ensure that and engaging manner.
the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train
Train workforce members
the workforce on howontothe importance
identify of enabling
different forms of and utilizing
social secureattacks,
engineering authentication.
such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing
Train workforce members the wrong
to be able person
to identify thedue tocommon
most autocomplete in email.
indicators of an incident and be
able to report such an incident.
curity Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
4 5 6
Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.
User application configuration hardening, disabling the running of internet-based Java code, untrusted Microsoft Office macros, and web browser and PDF viewer features.
Automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour including undesired network traffic, new or modified files, or configuration changes.
7 8 9
Operating system generic exploit mitigation mechanisms, eg, Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).
Host-based Intrusion Detection/Prevention System to identify anomalous behaviour such as process injection, keystroke logging, driver loading and persistence.
Disable local administrator accounts to prevent network propagation using compromised local administration credentials that are shared by several computers.
10 11 12
Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by Microsoft Active Directory.
Multi-factor authentication especially implemented for remote access or when the user is about to perform a privileged action or access a sensitive information repository.
Software-based application firewall, blocking incoming network traffic that is malicious or otherwise unauthorised, and denying network traffic by default.
13 14 15
Software-based application firewall, blocking outgoing network traffic that is not generated by whitelisted applications, and denying network traffic by default.
Non-persistent virtualised sandboxed trusted operating environment, hosted outside the organisation's internal network, for risk activities such as web browsing.
Centralised and time-synchronised logging of successful and failed computer events with automated immediate log analysis, storing logs for at least 18 months.
16 17 18
Centralised and time-synchronised logging of allowed and blocked network events with automated immediate log analysis, storing logs for at least 18 months.
Email content filtering allowing only business-related attachment types. Preferably analyse/convert/sanitise links, PDF and Microsoft Office attachments.
Web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioural analysis, cloud-based reputation ratings, heuristics and signatures.
19 20 21
Web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.
Block spoofed emails using Sender ID or Sender Policy Framework (SPF) to check incoming emails, and a 'hard fail' SPF record to help prevent spoofing of your organisation's domain.
Workstation and server configuration management based on a hardened Standard Operating Environment with unrequired functionality disabled e.g. IPv6, autorun and LanMan.
22 23 24
Antivirus software using heuristics and automated internet-based reputation ratings to check a program's prevalence and its digital signature's trustworthiness prior to execution.
Deny direct internet access from workstations by using an IPv6-capable firewall to force traffic through a split DNS server, an email server or an authenticated web proxy server.
Server application security configuration hardening e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems.
25 26 27
Enforce a strong passphrase policy covering complexity, length and expiry, and avoiding both passphrase re-use and the use of a single dictionary word.
Removable and portable media control as part of a data loss prevention strategy, including storage, handling, whitelisting allowed USB devices, encryption and destruction.
Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations and on servers where possible.
28 29 30
User education, eg, internet threats and spear-phishing socially-engineered emails. Avoid weak passphrases, passphrase re-use, exposing email addresses and unapproved USB devices.
Workstation inspection of Microsoft Office files for potentially malicious abnormalities, eg, using the Microsoft Office File Validation or Protected View features.
Signature-based antivirus software that primarily relies on up-to-date signatures to identify malware. Use gateway and desktop antivirus software from different vendors.
31 32 33
TLS encryption between email servers to help prevent legitimate emails being intercepted and used for social engineering. Perform content scanning after email traffic is decrypted.
Block attempts to access web sites by their IP address instead of by their domain name, eg, implemented using a web proxy server, to force cyber adversaries to obtain a domain name.
Network-based Intrusion Detection/Prevention System using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.
34 35
Gateway blacklisting to block access to known malicious domains and IP addresses, including dynamic and other domains provided free to anonymous internet users.
Capture network traffic to/from internal critical-asset workstations and servers, as well as traffic traversing the network perimeter, to perform post-intrusion analysis.
CIS Controls v7.1 mapped to the NSA's Top 10 Information Assurance Mitigation Strategies
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
curity Control #17:
Perform Implement
a skills gap analysisatoSecurity Awareness
understand the skills andand Training
behaviors Program
workforce members are not
adhering to, using this information to build a baseline education roadmap.
Create a security awareness program for all workforce members to complete on a regular basis to
Deliver training
ensure they to address
understand andthe skills gap
exhibit identified to
the necessary positively
behaviors and impact workforce
skills to members'
help ensure security
the security of
behavior.
the organization. The organization's security awareness program should be communicated in a
continuous
Ensure that and engaging manner.
the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train
Train workforce members
the workforce on howontothe importance
identify of enabling
different forms of and utilizing
social secureattacks,
engineering authentication.
such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing
Train workforce members the wrong
to be able person
to identify thedue tocommon
most autocomplete in email.
indicators of an incident and be
able to report such an incident.
curity Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.software, ensure that explicit error checking is performed and documented
For in-house developed
for all input,
Verify that theincluding
versionfor size,
of all data type,
software and acceptable
acquired from outside ranges
yourororganization
formats. is still supported by
the
Onlydeveloper or appropriately
use up-to-date and trustedhardened based
third-party on developer
components security
for the recommendations.
software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development
Apply static and dynamic environment and to
analysis tools responsibilities.
verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
Protect
means web
for applications
external byto
entities deploying web security
application
contactproduction
your firewalls (WAFs) that inspect all traffic
group.
Maintain
flowing toseparate
the webenvironments
application forforcommon web and non-production
application systems.
attacks. For Developers
applications should
that are not not
have unmonitored access to production environments.
web-based, specific application firewalls should be deployed if such tools are available for the given
application type.that
For applications If the traffic
rely on aisdatabase,
encrypted,usethe device should
standard hardening either sit behind the
configuration encryption
templates. All or be
capable of decrypting the traffic prior to analysis. If neither option
systems that are part of critical business processes should also be tested. is appropriate, a host-based web
application firewall should be deployed.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
[Mapping matrix (Master Mappings Tool v7.1a): a grid of "X" marks, one row per CIS sub-control, against ten columns; the row labels were not captured in extraction. Column headings recovered: 4 Use Anti-Virus File Reputation Services; 5 Enable Anti-Exploitation Features; 6 Implement Host Intrusion Prevention System (HIPS) Rules; 7 Set a Secure Baseline Configuration; 8 Use Web Domain Name System (DNS) Reputation; 9 Take Advantage of Software Improvements; 10 Segregate Networks and Functions. The headings for columns 1 to 3 were not captured.]
CIS Controls v7.1 mapped to Canadian Communications Security Establishment Top 10 IT Security Actions
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
[Mapping matrix (Master Mappings Tool v7.1a): a grid of "X" marks, one row per CIS sub-control, against the ten CSE Top 10 IT Security Actions; the row labels were not captured in extraction. Column headings recovered: 4 Harden Operating Systems and Applications; 5 Segment and Separate Information; 6 Provide Tailored Awareness and Training; 7 Protect Information at the Enterprise Level; 8 Apply Protection at the Host Level; 9 Isolate Web-Facing Applications; 10 Implement Application Whitelisting. The headings for columns 1 to 3 were not captured.]
CIS Controls v7.1 mapped to GCHQ's 10 Steps to CyberSecurity
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
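Added example (not from the CIS Controls text or any CIS tool): a Python script that carries out sub-controls 3.6 and 3.7 over two constructed scan exports. The host names, the VULN-* finding identifiers, the scores, the dates, the 30-day SLA and the risk formula are all assumptions made for this example; none of it is real scanner output and the formula is not a CIS-defined rating.

```python
"""Sub-controls 3.6 and 3.7: diff consecutive scan results and risk-rank what is still open."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # scanner finding identifier (constructed placeholders below, not real CVEs)
    cvss: float             # CVSS base score as reported by the scanner
    internet_exposed: bool  # from the asset inventory: reachable across a network boundary


# Constructed exports from two consecutive weekly scans (sample data, not real scanner output).
PREVIOUS_SCAN = [
    Finding("web01", "VULN-A", 9.8, True),
    Finding("web01", "VULN-B", 5.3, True),
    Finding("db01", "VULN-C", 7.5, False),
    Finding("db01", "VULN-D", 4.0, False),
]
CURRENT_SCAN = [
    Finding("web01", "VULN-B", 5.3, True),    # still open
    Finding("db01", "VULN-C", 7.5, False),    # still open
    Finding("db01", "VULN-E", 8.1, False),    # new this week
]
# Date each (host, finding) pair was first reported, carried forward across scans (constructed).
FIRST_SEEN = {
    ("web01", "VULN-A"): date(2024, 1, 1),
    ("web01", "VULN-B"): date(2024, 1, 1),
    ("db01", "VULN-C"): date(2024, 1, 1),
    ("db01", "VULN-D"): date(2024, 1, 8),
    ("db01", "VULN-E"): date(2024, 2, 12),
}
TODAY = date(2024, 2, 19)
SLA_DAYS = 30  # assumption: remediation deadline used for the timeliness check


def compare_scans(previous, current):
    """3.6: classify each (host, finding) as remediated, new, or persisting between two scans."""
    prev_keys = {(f.host, f.vuln_id) for f in previous}
    cur_keys = {(f.host, f.vuln_id) for f in current}
    return {
        "remediated": sorted(prev_keys - cur_keys),
        "new": sorted(cur_keys - prev_keys),
        "persisting": sorted(prev_keys & cur_keys),
    }


def days_open(finding, first_seen, today):
    """Days since the finding was first reported; unknown findings count as seen today."""
    return (today - first_seen.get((finding.host, finding.vuln_id), today)).days


def risk_score(finding, age_days):
    """3.7: simple risk rating (an assumption, not a CIS formula): CVSS, doubled when the host is
    exposed across a boundary, plus one point per full week the finding has sat past the SLA."""
    score = finding.cvss * (2 if finding.internet_exposed else 1)
    score += max(0, (age_days - SLA_DAYS) // 7)
    return round(score, 1)


def prioritize(current, first_seen, today):
    """Rank open findings, highest risk first, as (score, host, finding id, days open)."""
    ranked = []
    for f in current:
        age = days_open(f, first_seen, today)
        ranked.append((risk_score(f, age), f.host, f.vuln_id, age))
    return sorted(ranked, reverse=True)


def sla_breaches(current, first_seen, today, sla_days=SLA_DAYS):
    """Findings open longer than the SLA, i.e. not remediated in a timely manner."""
    return sorted((f.host, f.vuln_id) for f in current if days_open(f, first_seen, today) > sla_days)


if __name__ == "__main__":
    delta = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for bucket, keys in delta.items():
        print(f"{bucket:10}: {keys}")
    for score, host, vuln_id, age in prioritize(CURRENT_SCAN, FIRST_SEEN, TODAY):
        print(f"{score:5} {host:6} {vuln_id} open {age} days")
    print("SLA breaches:", sla_breaches(CURRENT_SCAN, FIRST_SEEN, TODAY))
```

The diff is keyed on (host, finding) rather than on finding alone, because a vulnerability fixed on one host and still present on another must not be reported as remediated; the first-seen table is what makes the "timely manner" part of 3.6 measurable at all.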
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
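Added example (not from the CIS Controls text or any CIS tool): a Python script that carries out sub-controls 11.2 and 11.3 over constructed data. The rule register, its owner names, the Cisco IOS-style configuration lines and the addresses are all assumptions made for this example. The register audit fails rules that lack a business reason or a responsible owner or that have passed their expected duration; the configuration diff reports every line missing from, or added to, the approved baseline.

```python
"""Sub-controls 11.2 and 11.3: audit the rule register and diff the running config against the baseline."""
from datetime import date

AUDIT_DATE = date(2024, 6, 1)  # assumption: the day the audit is run

# Constructed rule register for an edge router (sample data, not a real export).
# 11.2 asks for a business reason, a responsible individual and an expected duration per rule.
RULE_REGISTER = [
    {"id": "R1", "rule": "access-list 101 permit tcp any host 10.0.1.10 eq 443",
     "reason": "Public web front end", "owner": "A. Example", "expires": date(2025, 12, 31)},
    {"id": "R2", "rule": "access-list 101 permit tcp 10.0.2.0 0.0.0.255 host 10.0.1.20 eq 22",
     "reason": "", "owner": "B. Example", "expires": date(2025, 6, 30)},
    {"id": "R3", "rule": "access-list 101 permit udp any any eq 161",
     "reason": "Temporary SNMP troubleshooting", "owner": "C. Example", "expires": date(2024, 3, 1)},
]

# Constructed approved baseline and running configuration (IOS-style lines chosen for
# illustration; "!" introduces a comment).
APPROVED_BASELINE = """\
! approved baseline, edge-rtr-01
hostname edge-rtr-01
service password-encryption
no ip http server
ip ssh version 2
logging host 10.0.9.5
access-list 101 permit tcp any host 10.0.1.10 eq 443
access-list 101 deny ip any any log
"""

RUNNING_CONFIG = """\
hostname edge-rtr-01
service password-encryption
ip http server
ip ssh version 2
logging host   10.0.9.5
snmp-server community public RO
access-list 101 permit tcp any host 10.0.1.10 eq 443
access-list 101 permit udp any any eq 161
access-list 101 deny ip any any log
"""


def audit_rule_register(rules, today):
    """Return (rule id, problem) pairs for rules lacking the 11.2 fields or past their expected duration."""
    findings = []
    for r in rules:
        if not r["reason"].strip():
            findings.append((r["id"], "missing business reason"))
        if not r["owner"].strip():
            findings.append((r["id"], "missing responsible owner"))
        if r["expires"] < today:
            findings.append((r["id"], "expired, remove or re-approve"))
    return findings


def normalize(config_text):
    """Collapse whitespace and drop comments and blank lines so cosmetic differences are not deviations."""
    lines = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("!"):
            continue
        lines.append(line)
    return lines


def config_deviations(baseline, running):
    """11.3: a line in the baseline but not running, or running but not approved, is a deviation.
    Order-insensitive on purpose; compare the lists from normalize() instead if ACL order matters."""
    base, run = set(normalize(baseline)), set(normalize(running))
    return {"missing": sorted(base - run), "unexpected": sorted(run - base)}


if __name__ == "__main__":
    for finding in audit_rule_register(RULE_REGISTER, AUDIT_DATE):
        print("rule register:", *finding)
    dev = config_deviations(APPROVED_BASELINE, RUNNING_CONFIG)
    for line in dev["missing"]:
        print("MISSING   :", line)
    for line in dev["unexpected"]:
        print("UNEXPECTED:", line)
```

On the sample data the diff surfaces three unapproved lines (an enabled HTTP server, a default read-only SNMP community, and an open SNMP rule) and one baseline line that has gone missing; the register audit independently flags the SNMP rule as past its expected duration, which is the kind of cross-check 11.2 and 11.3 are meant to give each other.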
Critical Security Control #12: Boundary Defense
12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
14.1 Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off of a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
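Added example (not from the CIS Controls text or any CIS tool) for sub-control 16.4, in Python using only the standard library: the bare, unsalted digest that the control rules out, beside a per-credential salted PBKDF2-HMAC-SHA256 record with constant-time verification. The record format, the iteration count and the sample passwords are assumptions made for this example. Where they are available, memory-hard functions such as scrypt or Argon2 are the stronger choice; the structure of the record and the verification path are the same.

```python
"""Sub-control 16.4: store credentials as salted, iterated hashes, never as reversible or bare digests."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 200_000  # assumption: raise to the highest cost your login path can afford


def weak_unsalted_digest(password: str) -> str:
    """What 16.4 rules out: one bare SHA-256 per password. Equal passwords give equal digests, so a
    leaked table can be attacked with precomputed hashes and one crack covers every matching account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Per-credential random salt plus a slow KDF; the record carries everything needed to verify it."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_credential(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    Malformed records fail closed instead of raising."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")
    print(record)
    print("verify ok :", verify_credential("correct horse battery staple", record))
    print("verify bad:", verify_credential("wrong password", record))
    # Same password for two users: salted records differ, bare digests do not.
    print("salted records differ:", hash_credential("hunter2") != hash_credential("hunter2"))
    print("bare digests collide :", weak_unsalted_digest("hunter2") == weak_unsalted_digest("hunter2"))
```

Storing the iteration count in the record is what lets you raise the cost later and re-hash accounts lazily at their next successful login, without a flag day.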
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
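Added example (not from the CIS Controls text or any CIS tool): a Python script that applies sub-controls 16.9, 16.12 and 16.13 to a constructed account inventory and five constructed authentication log lines. The account names, the log format, the per-user baseline hours and sources, and the 90-day dormancy threshold are all assumptions made for this example; a real deployment would read the inventory from the authentication system and learn the baselines from login history.

```python
"""Sub-controls 16.9, 16.12, 16.13: dormant accounts, attempts on disabled accounts, login deviations."""
from datetime import datetime

# Constructed account inventory (the 16.6 inventory): status and last successful login per account.
ACCOUNTS = {
    "alice": {"status": "active", "last_login": datetime(2024, 5, 28, 9, 12)},
    "bob": {"status": "active", "last_login": datetime(2024, 2, 1, 8, 0)},
    "carol": {"status": "disabled", "last_login": datetime(2024, 1, 15, 17, 30)},
    "svc-backup": {"status": "active", "last_login": datetime(2024, 5, 31, 2, 0)},
}

# Constructed authentication log, one event per line: timestamp user result source.
AUTH_LOG = """\
2024-06-01T09:03:11 alice success WS-FIN-07
2024-06-01T09:05:40 carol failure WS-OPS-12
2024-06-01T23:47:02 alice success WS-LAB-31
2024-06-02T02:00:05 svc-backup success BACKUP-01
2024-06-02T03:15:59 carol failure VPN-GW
"""

# Per-user picture of normal login behaviour for 16.13 (constructed here; learned from history in practice).
# "hours" are the local hours during which logins are expected; "sources" are the usual workstations.
BASELINE = {
    "alice": {"hours": range(7, 19), "sources": {"WS-FIN-07"}},
    "svc-backup": {"hours": range(1, 4), "sources": {"BACKUP-01"}},
}

NOW = datetime(2024, 6, 2, 4, 0)
MAX_IDLE_DAYS = 90  # assumption: the organization's dormancy threshold


def parse_auth_log(text):
    """Turn the constructed log lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, result, source = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "result": result, "source": source})
    return events


def dormant_accounts(accounts, now, max_idle_days=MAX_IDLE_DAYS):
    """16.9: active accounts whose last login is older than the threshold; these get disabled."""
    return sorted(
        user for user, acct in accounts.items()
        if acct["status"] == "active" and (now - acct["last_login"]).days > max_idle_days
    )


def deactivated_account_attempts(events, accounts):
    """16.12: any authentication attempt, successful or not, against a disabled account."""
    return [
        (e["ts"].isoformat(), e["user"], e["source"])
        for e in events
        if accounts.get(e["user"], {}).get("status") == "disabled"
    ]


def login_deviations(events, baseline):
    """16.13: successful logins outside the user's usual hours or from an unusual source."""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((e["ts"].isoformat(), e["user"], "no behaviour baseline"))
            continue
        reasons = []
        if e["ts"].hour not in profile["hours"]:
            reasons.append("off-hours")
        if e["source"] not in profile["sources"]:
            reasons.append("unusual source")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], ", ".join(reasons)))
    return alerts


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    print("dormant:", dormant_accounts(ACCOUNTS, NOW))
    print("attempts on disabled accounts:", deactivated_account_attempts(events, ACCOUNTS))
    print("deviations:", login_deviations(events, BASELINE))
```

Failed attempts against a disabled account are reported as well as successful ones, because 16.12 is about detecting that someone is still trying the credential, and the service account's 02:00 login is not flagged because its baseline differs from a human user's; one global "business hours" rule would have produced a false positive there.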
Critical Security Control #17: Implement a Security Awareness and Training Program
17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
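Added example (not from the CIS Controls text or any CIS tool) for sub-control 18.2: a Python validator that performs explicit, documented size, type, range and format checks against a declared schema and rejects any field the schema does not list. The field names, the bounds, the patterns and the sample payloads are assumptions made for this example; the point is the shape of the checks, not the particular schema.

```python
"""Sub-control 18.2: explicit, documented input checks for size, type, range and format."""
import re

MAX_FIELD_LEN = 256  # assumption: size bound applied before any pattern matching
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")        # 3..32 chars, lower-case, no leading digit
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}")     # deliberately plain; the size check runs first

# Declarative schema: every accepted field, its type, and its range or format rule.
# Fields not listed here are rejected (allow-list, not deny-list).
SCHEMA = {
    "username": {"type": str, "pattern": USERNAME_RE},
    "email": {"type": str, "pattern": EMAIL_RE},
    "age": {"type": int, "min": 13, "max": 120},
    "quantity": {"type": int, "min": 1, "max": 1000},
}


def validate(payload):
    """Return a list of error strings; an empty list means the payload passed every check."""
    if not isinstance(payload, dict):
        return ["payload must be an object"]
    errors = []
    for extra in sorted(set(payload) - set(SCHEMA)):
        errors.append(f"{extra}: unexpected field")
    for name, rule in SCHEMA.items():
        if name not in payload:
            errors.append(f"{name}: missing")
            continue
        value = payload[name]
        # Type check. bool is a subclass of int, so reject it explicitly rather than let True pass as 1.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if rule["type"] is str:
            if len(value) > MAX_FIELD_LEN:      # size first, so the regex never sees oversized input
                errors.append(f"{name}: longer than {MAX_FIELD_LEN} characters")
            elif not rule["pattern"].fullmatch(value):
                errors.append(f"{name}: bad format")
        else:
            if not rule["min"] <= value <= rule["max"]:
                errors.append(f"{name}: out of range {rule['min']}..{rule['max']}")
    return errors


if __name__ == "__main__":
    good = {"username": "alice_01", "email": "alice@example.com", "age": 34, "quantity": 2}
    bad = {"username": "Alice!", "email": "x" * 300, "age": "34", "quantity": 0, "debug": True}
    print("good:", validate(good))
    print("bad :", validate(bad))
```

Collecting every failure instead of stopping at the first one is what makes the checks documentable and testable, and `fullmatch` rather than `match` is deliberate: `match` only anchors the start, so trailing injected characters would slip past the format rule.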
Critical Security Control #19: Incident Response and Management
19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
[Mapping grid for the sheet above: columns 1 to 10, of which columns 4 to 10 are Information Risk Management Regime, Managing User Privileges, Removable Media Controls, Monitoring, Secure Configuration, Malware Protection and Network Security. The X marks were extracted without their rows, so which sub-control maps to which column is not recoverable from this text.]
CIS Controls v7.1 mapped to the UK Government's Cyber Essentials Scheme
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized
The organization's software is blocked
application whitelisting softwarefrom
mustexecuting on assets.
ensure that only authorized software
libraries
The organization's application whitelisting software must ensure that onlyprocess.
(such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
curity Control
Utilize#3: Continuous
an up-to-date Vulnerability
Security Assessment
Content Automation Protocol and
(SCAP)Remediation
compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most
Deploy recent security
automated updates
software provided
update tools inby the software
order to ensurevendor.
that third-party software on all systems
is
Regularly compare the results from consecutive vulnerabilitysoftware
running the most recent security updates provided by the scans to vendor.
verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
curity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
All configuration rules that allow traffic to flow through network devices should be documented in a
Maintain documented
configuration security
management configuration
system standards
with a specific for all
business authorized
reason network
for each rule, a devices.
specific
individual’s name responsible for that business need, and an expected duration
Compare all network device configurations against approved security configurations of the need. for
defined
each network device in use, and alert when any deviations are discovered.
Ensure network
Install the latest engineers use aofdedicated
stable version machine forupdates
any security-related all administrative tasksdevices.
on all network or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
Manage
be allowedall Internet
network devicesThisusing multi-factor authentication
used forand encrypted sessions.
Manage the networkaccess. machine
infrastructure acrossshall not
network be
connectionsreading email,
that are composing
separated from documents,
the
or surfing the Internet.
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
curity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
Deny communication
trusted and necessaryover unauthorized
IP address TCP
ranges at or UDP
each ports
of the or application
organization's trafficboundaries.
network to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
boundaries.
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off of a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
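Added example for the last two sub-controls above (monitoring attempts on deactivated accounts, and alerting on deviation from normal login behavior by time-of-day, workstation and duration; 16.12 and 16.13 in the v7.1 numbering), not part of the CIS document: a baseline-and-compare detector in Python run over constructed authentication log lines. The log format, the user and workstation names, the deactivated-account set, the two-hour slack and the 2x duration factor are all assumed values.

```python
"""Login-behaviour alerting over constructed authentication log lines.

Added example (not CIS code). The log format, names and thresholds are
assumptions; adapt parse() to your authentication system's export.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime

# Constructed history: ISO timestamp, user, workstation, session length in minutes.
HISTORY = """\
2024-03-04T08:55 alice WS-FIN-01 480
2024-03-05T09:02 alice WS-FIN-01 470
2024-03-06T08:49 alice WS-FIN-01 490
2024-03-07T09:10 alice WS-FIN-02 455
2024-03-08T08:58 alice WS-FIN-01 475
2024-03-04T13:00 bob WS-OPS-07 240
2024-03-05T12:45 bob WS-OPS-07 250
2024-03-06T13:15 bob WS-OPS-08 230
""".splitlines()

# Constructed new events to evaluate against that baseline.
NEW_EVENTS = """\
2024-03-11T09:01 alice WS-FIN-01 465
2024-03-11T02:14 alice WS-FIN-01 30
2024-03-11T13:05 bob WS-LAB-99 245
2024-03-11T12:50 bob WS-OPS-07 1400
2024-03-11T10:00 carol WS-HR-03 60
""".splitlines()

DEACTIVATED = {"carol"}     # assumed: accounts already disabled under 16.7/16.8
HOUR_SLACK = 2              # hours outside the observed login window that are tolerated
DURATION_FACTOR = 2.0       # sessions longer than 2x the user's median are flagged


def parse(lines):
    for line in lines:
        if not line.strip():
            continue
        ts, user, host, minutes = line.split()
        yield datetime.fromisoformat(ts), user, host, int(minutes)


def build_baseline(lines):
    """Per user: the set of login hours, the set of workstations, median session length."""
    hours, hosts, durations = defaultdict(set), defaultdict(set), defaultdict(list)
    for ts, user, host, minutes in parse(lines):
        hours[user].add(ts.hour)
        hosts[user].add(host)
        durations[user].append(minutes)
    return {u: {"hours": hours[u], "hosts": hosts[u],
                "median_minutes": statistics.median(durations[u])} for u in hours}


def detect(baseline, lines, deactivated=DEACTIVATED):
    """Return (user, timestamp, reason) for every event that deviates from the baseline."""
    alerts = []
    for ts, user, host, minutes in parse(lines):
        if user in deactivated:                                   # 16.12
            alerts.append((user, ts, "login attempt on a deactivated account"))
            continue
        base = baseline.get(user)
        if base is None:
            alerts.append((user, ts, "no baseline for this account"))
            continue
        lo, hi = min(base["hours"]) - HOUR_SLACK, max(base["hours"]) + HOUR_SLACK
        if not lo <= ts.hour <= hi:                                # time-of-day
            alerts.append((user, ts, f"login at {ts.hour:02d}h outside usual window {lo:02d}-{hi:02d}h"))
        if host not in base["hosts"]:                              # workstation location
            alerts.append((user, ts, f"login from unseen workstation {host}"))
        if minutes > DURATION_FACTOR * base["median_minutes"]:    # duration
            alerts.append((user, ts, f"session of {minutes} min exceeds {DURATION_FACTOR}x median"))
    return alerts


if __name__ == "__main__":
    for user, ts, reason in detect(build_baseline(HISTORY), NEW_EVENTS):
        print(f"ALERT {ts.isoformat()} {user}: {reason}")
```

Two caveats a practitioner would add before deploying this: the hour window is computed as a simple min/max and does not wrap across midnight, so shift workers need a circular window, and a baseline built from a short history is easy for an attacker who already holds the account to "train"; rebuild it from a long enough window and treat a sudden widening of a user's hours or workstations as its own alert.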
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
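The explicit input-checking sub-control above (size, data type, acceptable ranges and formats; 18.2 in the v7.1 numbering), as an added example that is not part of the CIS document: a Python validator for a constructed JSON transfer request that bounds the body size before parsing, rejects unexpected fields, checks the type, range and format of every field, and reports every failure rather than only the first so the rejection can be logged in full. The field names, limits and regular expression are assumptions for the illustration.

```python
"""Explicit input validation: size, type, range and format checks on a request.

Added example (not CIS code). The field names, limits and patterns are
assumed for illustration; the sample request bodies are constructed.
"""
from __future__ import annotations

import json
import re

MAX_BODY_BYTES = 4096
ACCOUNT_RE = re.compile(r"^[A-Z]{2}[0-9]{8}$")      # assumed account id format
CURRENCIES = {"EUR", "USD", "GBP"}
MAX_AMOUNT_CENTS = 1_000_000_00                      # assumed limit: 1,000,000.00
MAX_MEMO_CHARS = 140


class ValidationError(ValueError):
    """Carries the full list of problems so the caller can log all of them."""

    def __init__(self, errors):
        super().__init__("; ".join(errors))
        self.errors = errors


def validate_transfer(raw: bytes) -> dict:
    """Parse and validate a transfer request; return the cleaned record or raise.

    Every check is explicit and every rejection reason is recorded. Nothing is
    coerced silently: a string "2500" is not accepted as the integer 2500.
    """
    errors = []
    # 1. Size: bound the body before handing it to the parser.
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError([f"body of {len(raw)} bytes exceeds {MAX_BODY_BYTES}"])
    try:
        body = json.loads(raw)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValidationError([f"body is not valid JSON: {exc}"])
    if not isinstance(body, dict):
        raise ValidationError(["body must be a JSON object"])

    # 2. Shape: unexpected fields are an error, not something to ignore.
    expected = {"from_account", "to_account", "amount_cents", "currency", "memo"}
    extra = set(body) - expected
    if extra:
        errors.append(f"unexpected fields: {sorted(extra)}")
    missing = expected - set(body) - {"memo"}        # memo is optional
    if missing:
        errors.append(f"missing fields: {sorted(missing)}")

    # 3. Type, format and range, per field.
    for field in ("from_account", "to_account"):
        value = body.get(field)
        if field in body and (not isinstance(value, str) or not ACCOUNT_RE.match(value)):
            errors.append(f"{field} must match {ACCOUNT_RE.pattern}")
    amount = body.get("amount_cents")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if "amount_cents" in body and (isinstance(amount, bool) or not isinstance(amount, int)):
        errors.append("amount_cents must be an integer number of cents")
    elif "amount_cents" in body and not 1 <= amount <= MAX_AMOUNT_CENTS:
        errors.append(f"amount_cents must be between 1 and {MAX_AMOUNT_CENTS}")
    if "currency" in body and body["currency"] not in CURRENCIES:
        errors.append(f"currency must be one of {sorted(CURRENCIES)}")
    memo = body.get("memo", "")
    # isprintable() rejects control characters (NUL, newlines) that would
    # otherwise travel into logs and downstream systems.
    if not isinstance(memo, str) or len(memo) > MAX_MEMO_CHARS or not memo.isprintable():
        errors.append(f"memo must be printable text of at most {MAX_MEMO_CHARS} characters")

    if errors:
        raise ValidationError(errors)
    return {"from_account": body["from_account"], "to_account": body["to_account"],
            "amount_cents": amount, "currency": body["currency"], "memo": memo}


# Constructed sample inputs.
GOOD = b'{"from_account": "DE12345678", "to_account": "FR87654321", "amount_cents": 2500, "currency": "EUR", "memo": "invoice 42"}'
BAD = b'{"from_account": "DE1234", "to_account": "FR87654321", "amount_cents": "2500", "currency": "XXX", "memo": "a\\u0000b", "debug": true}'
```

The order matters: the size check runs before the parser so an oversized body cannot exhaust the parser, and the remaining checks all run so that a single log line records every reason the request was refused.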
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
[Mapping grid not recoverable from the extraction: five numbered columns (the surviving column headers are "Malware protection" and "Patch management") with an X per mapped sub-control; the row labels were lost.]
CIS Controls v7.1 mapped to the UK's Information Commissioner's Office
(ICO) Protecting Personal Data in Online Services
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
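Added example for the last two sub-controls above (comparing consecutive scan results to verify timely remediation, and risk-rating what remains; 3.6 and 3.7 in the v7.1 numbering), not from the CIS document: a Python comparison of two constructed scan exports that classifies each finding as remediated, new, or persistent, and ranks the persistent ones by severity and by days past an assumed remediation SLA. The export format, hosts, plugin ids, dates and SLA values are all constructed for the illustration.

```python
"""Compare consecutive vulnerability scans and rank what is still open.

Added example (not CIS code). The CSV-style exports, hosts, plugin ids,
dates and SLA days are constructed; a finding's identity is (host, plugin_id).
"""
from __future__ import annotations

import csv
import io
from datetime import date

# Assumed remediation SLA by severity, in days, and a rank for sorting.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

PREVIOUS_SCAN = """\
host,plugin_id,severity,first_seen
10.0.0.5,100001,critical,2024-02-01
10.0.0.5,100002,high,2024-02-01
10.0.0.9,100003,medium,2024-01-10
10.0.0.9,100004,low,2023-12-01
"""
CURRENT_SCAN = """\
host,plugin_id,severity,first_seen
10.0.0.5,100002,high,2024-02-01
10.0.0.9,100003,medium,2024-01-10
10.0.0.9,100005,critical,2024-03-08
"""


def load(text: str) -> dict:
    """Return {(host, plugin_id): row} so the two scans can be set-compared."""
    return {(r["host"], r["plugin_id"]): r for r in csv.DictReader(io.StringIO(text))}


def compare(previous_text: str, current_text: str, today: date) -> dict:
    """Classify findings and rank persistent ones: most severe first, then most overdue."""
    prev, cur = load(previous_text), load(current_text)
    remediated = sorted(set(prev) - set(cur))      # gone from the new scan
    new = sorted(set(cur) - set(prev))             # appeared since the last scan
    persistent = []
    for key in set(prev) & set(cur):               # still open: check it against the SLA
        row = cur[key]
        age = (today - date.fromisoformat(row["first_seen"])).days
        overdue = age - SLA_DAYS[row["severity"]]
        persistent.append({"host": key[0], "plugin_id": key[1], "severity": row["severity"],
                           "age_days": age, "days_overdue": max(overdue, 0)})
    persistent.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["days_overdue"]), reverse=True)
    return {"remediated": remediated, "new": new, "persistent": persistent}


def example_report(today_iso: str = "2024-03-10") -> dict:
    """Run the comparison on the constructed samples with a fixed 'today'."""
    return compare(PREVIOUS_SCAN, CURRENT_SCAN, date.fromisoformat(today_iso))


if __name__ == "__main__":
    report = example_report()
    print("remediated:", report["remediated"])
    print("new:", report["new"])
    for f in report["persistent"]:
        print(f"persistent {f['severity']:8} {f['host']} plugin {f['plugin_id']}: "
              f"{f['age_days']} days old, {f['days_overdue']} days past SLA")
```

Keying on (host, plugin_id) rather than on the row text is what makes "remediated" trustworthy: a finding whose severity label or description changed between scans is still the same open issue. Note that a finding that disappears because the host was simply offline during the scan would also be counted as remediated, so a real report should cross-check against the scan's host-reachability results.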
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
application systems.
attacks. For Developers
applications should
that are not not
have unmonitored access to production environments.
web-based, specific application firewalls should be deployed if such tools are available for the given
application type.that
For applications If the traffic
rely on aisdatabase,
encrypted,usethe device should
standard hardening either sit behind the
configuration encryption
templates. All or be
capable of decrypting the traffic prior to analysis. If neither option
systems that are part of critical business processes should also be tested. is appropriate, a host-based web
application firewall should be deployed.
curity Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident
Assign job titles andhandling/management.
duties for handling computer and network incidents to specific individuals, and
ensure tracking
Designate and documentation
management personnel, throughout the incident through resolution.
Devise organization-wide standardsas forwell
theas backups,
time who
required forwill support
system the incidentand
administrators handling
other
process
workforceby acting in key decision-making roles.
Assemble and maintain information on third-party contact information to be used to report a for
members to report anomalous events to the incident handling team, the mechanisms
such reporting,
security incident,and theaskind
such LawofEnforcement,
information that should
relevant be included
government in the incident
departments, notification.
vendors, and
Publish
Plan information
and conduct for
routineall workforce members,
incidentCenter
response regarding
exercises reporting computer anomalies and
and scenarios for the workforce involved in
Information
incidents, Sharing
to response and
the incident Analysis (ISAC)
handling awareness
team. Suchand partners.
information should be included in routine employee
the incident to maintain comfort in responding to real-world threats.
awareness activities.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and
Create incident scoring and data availableschema
prioritization to them.based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
curity Control #20:
Establish Penetration
a program Tests and
for penetration Redincludes
tests that Team aExercises
full scope of blended attacks, such as
wireless, client-based,
Conduct regular andand
external web application
internal attacks.tests to identify vulnerabilities and attack vectors
penetration
that can be
Perform used to
periodic exploit
Red Teamenterprise systems
exercises to successfully. readiness to identify and stop attacks or
test organizational
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers,
Create a test including networka diagrams,
bed that mimics productionconfiguration
environmentfiles, older penetration
for specific penetrationtest reports,
tests and Redemails
Team
or documents
attacks against containing
elements passwords
that are notor other
typicallyinformation
tested in critical
production,to system
such as operation.
attacks against
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
supervisory
scanning control andshould
data acquisition
as and other point
controltosystems.
Whereverassessments
possible, ensure beRed
that usedTeam a results
starting guide and
are documented focus
using penetration
open, testing
machine-readable
efforts.
standards
Any user or(e.g., SCAP).
system Deviseused
accounts a scoring method
to perform for determining
penetration testingthe results
should beof Red Team
controlled exercises so
and
that results can be compared over time.
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix: the per-cell marks did not survive extraction and cannot be tied to rows. Recoverable column headings, in page order: Decommissioning of software or services; Configuration of SSL and TLS; Password storage; Inappropriate locations for processing data; Default credentials. The column groups were numbered 1 2 3, 4 5 6 and 7 8.]
CIS Controls v7.1 mapped to PCI DSS 3.1
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
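Sub-controls 3.6 and 3.7 describe a procedure rather than a tool: diff two consecutive scans to see what was fixed, what is new and what is still open, then rank the open items by risk and age. The following is an added example, not part of the CIS document or the mappings tool; the scan records, plugin identifiers and the per-severity remediation deadlines are constructed for illustration, and the code assumes each scanner finding has already been normalised to (host, plugin_id, cvss, first_seen).

```python
"""Compare consecutive vulnerability scans (CIS 3.6) and flag open findings
that have exceeded their remediation deadline by severity (CIS 3.7).

Added example; the findings and SLA values below are constructed, not
output of any real scanner. Plugin IDs are hypothetical."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str      # scanner's own finding identifier (hypothetical here)
    cvss: float
    first_seen: date


# Assumed remediation policy in days per CVSS band (not a CIS value)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity(cvss: float) -> str:
    """Map a CVSS base score onto the policy's four severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def key(f: Finding):
    return (f.host, f.plugin_id)


def compare_scans(previous, current):
    """Return (remediated, new, persisting), each a sorted list of (host, plugin_id)."""
    prev = {key(f) for f in previous}
    curr = {key(f) for f in current}
    return sorted(prev - curr), sorted(curr - prev), sorted(prev & curr)


def overdue(current, today_iso: str):
    """Keys of findings older than their severity's SLA, highest CVSS first."""
    today = date.fromisoformat(today_iso)
    late = []
    for f in current:
        age = (today - f.first_seen).days
        limit = SLA_DAYS[severity(f.cvss)]
        if age > limit:
            late.append((f.cvss, age - limit, key(f)))
    return [k for _, _, k in sorted(late, reverse=True)]


# Constructed sample data: two weekly scans of the same estate
SCAN_WEEK1 = [
    Finding("web-01", "PLUGIN-1001", 9.8, date(2024, 1, 3)),
    Finding("web-01", "PLUGIN-1002", 5.3, date(2024, 1, 3)),
    Finding("db-01", "PLUGIN-2001", 7.5, date(2023, 11, 1)),
]
SCAN_WEEK2 = [
    Finding("web-01", "PLUGIN-1002", 5.3, date(2024, 1, 3)),
    Finding("db-01", "PLUGIN-2001", 7.5, date(2023, 11, 1)),
    Finding("app-01", "PLUGIN-3001", 4.0, date(2024, 1, 10)),
]

if __name__ == "__main__":
    remediated, new, persisting = compare_scans(SCAN_WEEK1, SCAN_WEEK2)
    print("remediated:", remediated)
    print("new:", new)
    print("persisting:", persisting)
    print("overdue:", overdue(SCAN_WEEK2, "2024-01-10"))
```

The diff is keyed on (host, plugin_id) rather than on CVE alone because the same weakness on two hosts is two remediation tasks; the first_seen date must be carried over from the earlier scan, otherwise every scan resets the clock and nothing is ever overdue.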
Critical Security Control #10: Data Recovery Capabilities
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
14.1 Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off of a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
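Sub-control 16.4 names the technique (salted hash) but not the details that make it effective: a fresh random salt per credential, a deliberately slow key-derivation function, a constant-time comparison on verification, and a way to migrate records forward when the work factor is raised. The following is an added example, not code from the CIS document; the record layout "algorithm$iterations$salt$hash" and the iteration count are this example's own assumptions, not a standard.

```python
"""Salted, slow credential hashing with verification and work-factor
migration (CIS 16.4). Added example; the storage format and ITERATIONS
value are assumptions of this example, not a standard."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 210_000       # assumed current work factor; raise it over time
SALT_BYTES = 16


def hash_credential(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt_hex$hash_hex' for storage.

    A new random salt is drawn for every call, so two users with the same
    password (or one user re-registering) never share a stored hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_credential(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return False          # malformed or foreign record: never accept it
    _, iterations, salt_hex, hash_hex = parts
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record is malformed or weaker than current policy; call this
    after a successful login and re-store the password with hash_credential()."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")
    print(record)
    print(verify_credential("correct horse battery staple", record))
    print(verify_credential("wrong password", record))
```

The iteration count is stored in the record so that old records remain verifiable after the policy value is raised; needs_rehash() is the hook that lets an application upgrade them opportunistically at the next successful login, which is the only moment the plaintext is available.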
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
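Sub-controls 16.9, 16.12 and 16.13 together amount to one periodic review of authentication logs against the account inventory from 16.6. The following is an added example of that review, not code from the CIS document; the log line format, the account inventory, the 90-day dormancy window and the "usual hours" per account are all constructed for illustration.

```python
"""Review authentication logs against the account inventory (CIS 16.9,
16.12, 16.13): dormant accounts, attempts against deactivated accounts,
and logins outside an account's usual hours.

Added example; the log format, inventory and log lines are constructed."""
import re
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)      # assumed policy value, not from CIS
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"user=(?P<user>\S+) result=(?P<result>\w+) src=(?P<src>\S+)$")

# Constructed account inventory (16.6): status plus the UTC hours in which
# the account is normally used.
ACCOUNTS = {
    "alice":      {"status": "enabled",  "usual_hours": range(7, 19)},
    "bob":        {"status": "enabled",  "usual_hours": range(7, 19)},
    "carol":      {"status": "disabled", "usual_hours": range(7, 19)},
    "svc-backup": {"status": "enabled",  "usual_hours": range(0, 24)},
}

# Constructed audit log lines
LOG = """\
2024-04-01T08:02:11Z login user=alice result=success src=10.1.4.20
2024-04-01T23:41:09Z login user=alice result=success src=203.0.113.7
2024-04-02T09:15:00Z login user=carol result=failure src=10.1.4.33
2024-04-02T09:15:30Z login user=carol result=failure src=10.1.4.33
2024-01-03T10:00:00Z login user=bob result=success src=10.1.4.21
"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(log: str):
    """Return (timestamp, user, result, src) for each well-formed line."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:   # in production, count and alert on unparseable lines too
            events.append((_ts(m["ts"]), m["user"], m["result"], m["src"]))
    return events


def review_log(log: str, accounts: dict, now_iso: str) -> dict:
    now = _ts(now_iso)
    last_login = {}
    disabled_attempts, off_hours = [], []
    for ts, user, result, src in parse(log):
        acct = accounts.get(user)
        if acct is None:
            continue            # unknown principal: out of scope for this review
        if acct["status"] == "disabled":
            # 16.12: any attempt, successful or not, against a deactivated account
            disabled_attempts.append((user, ts.isoformat(), src))
            continue
        if result != "success":
            continue
        last_login[user] = max(last_login.get(user, ts), ts)
        if ts.hour not in acct["usual_hours"]:
            # 16.13: deviation from the account's normal time-of-day
            off_hours.append((user, ts.isoformat(), src))
    # 16.9: enabled accounts with no successful login inside the dormancy
    # window; an account absent from the log window is treated as dormant.
    dormant = sorted(u for u, a in accounts.items()
                     if a["status"] == "enabled"
                     and (u not in last_login or now - last_login[u] > DORMANT_AFTER))
    return {"dormant": dormant, "disabled_attempts": disabled_attempts,
            "off_hours": off_hours}


if __name__ == "__main__":
    for name, hits in review_log(LOG, ACCOUNTS, "2024-04-03T00:00:00Z").items():
        print(name, hits)
```

Two details matter in practice: failures against a disabled account are reported before the result is even checked, because a disabled account should produce no authentication activity at all; and the dormancy decision is made per account from the inventory, not per log line, so an account that never appears in the log is still reported rather than silently skipped.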
Critical Security Control #17: Implement a Security Awareness and Training Program
17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
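Sub-control 18.2 asks for explicit, documented checks on size, data type and acceptable range or format for every input. The following is an added example of what that looks like for one request type, not code from the CIS document; the "transfer" request schema, its field formats and limits are invented for illustration. It collects every failure rather than stopping at the first, which is what makes the checking auditable, and it rejects fields the schema does not declare.

```python
"""Explicit input checking for in-house software (CIS 18.2): every field
is checked for presence, type, size and range/format, and all failures are
reported. Added example; the request schema is invented for illustration."""
import re
from decimal import Decimal, InvalidOperation

ACCOUNT_ID = re.compile(r"[A-Z]{2}[0-9]{10}")     # assumed format: 2 letters + 10 digits
CURRENCIES = {"USD", "EUR", "GBP"}                 # assumed allow-list
MAX_MEMO = 140
MAX_AMOUNT = Decimal("1000000.00")
ALLOWED_FIELDS = {"account_id", "amount", "currency", "memo"}


def validate_transfer(req: dict) -> list:
    """Return a list of error strings; an empty list means the input is acceptable."""
    errors = []

    # Undeclared fields are rejected: extra keys are a classic mass-assignment vector
    for k in sorted(set(req) - ALLOWED_FIELDS):
        errors.append(f"unexpected field: {k}")

    # Format check on a string identifier
    acct = req.get("account_id")
    if not isinstance(acct, str):
        errors.append("account_id: must be a string")
    elif not ACCOUNT_ID.fullmatch(acct):
        errors.append("account_id: must be 2 letters followed by 10 digits")

    # Type, then range, then precision check on a money amount. bool is an int
    # subclass in Python, so it is excluded explicitly; floats are refused
    # because binary floats cannot represent most decimal amounts exactly.
    amt = req.get("amount")
    if isinstance(amt, bool) or not isinstance(amt, (int, str)):
        errors.append("amount: must be an integer or decimal string")
    else:
        try:
            value = Decimal(str(amt))
        except InvalidOperation:
            errors.append("amount: not a valid decimal")
        else:
            if not value.is_finite():
                errors.append("amount: must be finite")
            elif value <= 0 or value > MAX_AMOUNT:
                errors.append(f"amount: must be in (0, {MAX_AMOUNT}]")
            elif value.as_tuple().exponent < -2:
                errors.append("amount: at most 2 decimal places")

    # Membership check against an allow-list (type-checked first: a list is unhashable)
    cur = req.get("currency")
    if not isinstance(cur, str) or cur not in CURRENCIES:
        errors.append("currency: must be one of " + ", ".join(sorted(CURRENCIES)))

    # Size and character-class check on free text
    memo = req.get("memo", "")
    if not isinstance(memo, str):
        errors.append("memo: must be a string")
    elif len(memo) > MAX_MEMO:
        errors.append(f"memo: longer than {MAX_MEMO} characters")
    elif any(ord(c) < 32 for c in memo):
        errors.append("memo: control characters not allowed")

    return errors


# Constructed sample requests
GOOD = {"account_id": "GB0123456789", "amount": "250.00", "currency": "GBP", "memo": "invoice 42"}
BAD = {"account_id": "gb01", "amount": "-5", "currency": "XYZ", "memo": "x" * 200, "role": "admin"}

if __name__ == "__main__":
    print(validate_transfer(GOOD))
    for err in validate_transfer(BAD):
        print("-", err)
```

The order of checks within a field is deliberate: type before format, format before range, so that each later check can assume the earlier one passed and never raises on unexpected input. Returning the whole error list also gives the caller the documented record of what was checked that 18.2 asks for.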
Critical Security Control #19: Incident Response and Management
19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix: the cell marks (X) are not recoverable from this extraction. The PCI DSS requirement texts that head the columns are:]
Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.
Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
Shared hosting providers must protect each entity's hosted environment and cardholder data.
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Ensure that all anti-virus mechanisms are maintained.
Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Develop internal and external software applications (including web-based administrative access to applications) securely.
Follow change control processes and procedures for all changes to system components.
Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.
Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
Document and communicate authentication procedures and policies to all users.
Do not use group, shared, or generic IDs, passwords, or other authentication methods.
Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned.
Develop procedures to easily distinguish between onsite personnel and visitors.
Control physical access for onsite personnel to the sensitive areas.
Implement procedures to identify and authorize visitors.
Destroy media when it is no longer needed for business or legal reasons.
Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Implement a methodology for penetration testing.
Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
Establish, publish, maintain, and disseminate a security policy.
Implement a risk-assessment process.
Develop usage policies for critical technologies and define proper use of these technologies.
12.10 12.11
CIS Controls v7.1 mapped to PCI DSS 3.1
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
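The two sub-controls above (comparing consecutive scans, then prioritising by risk) can be mechanised once scanner output is normalised to (host, vulnerability id, severity) records. The block below is an added example written for this page, not CIS tooling or a scanner vendor's API; the two scan snapshots, the severity ranking and the SLA table are constructed and assumed, and an organisation would substitute its own.

```python
"""Diff consecutive vulnerability scans (CIS 3.6) and prioritise what remains by
a risk rating (CIS 3.7). Added illustration, not CIS tooling; the findings and
SLA table below are constructed/assumed, not real scanner output or policy."""
from datetime import date

# Constructed findings: (host, vulnerability id, severity), as a scanner export
# might be normalised after the weekly scans of CIS 3.1.
SCANS = {
    date(2024, 1, 1): {
        ("10.0.0.5", "CVE-2021-44228", "critical"),
        ("10.0.0.5", "CVE-2020-1472", "critical"),
        ("10.0.0.7", "CVE-2019-0708", "high"),
        ("10.0.0.9", "SSL-WEAK-CIPHERS", "medium"),
    },
    date(2024, 1, 8): {
        ("10.0.0.5", "CVE-2020-1472", "critical"),   # still open after a week
        ("10.0.0.9", "SSL-WEAK-CIPHERS", "medium"),   # still open
        ("10.0.0.11", "CVE-2019-0708", "high"),       # new host carrying an old bug
    },
}
TODAY = date(2024, 1, 10)  # assumed reporting date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumed remediation deadlines (days) per severity; an organisation sets its own.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def diff_scans(previous, current):
    """Split two scans into (remediated, new, persisting) findings."""
    return previous - current, current - previous, previous & current


def first_seen(scans):
    """Date each finding first appeared, walking scans in chronological order."""
    seen = {}
    for day in sorted(scans):
        for finding in scans[day]:
            seen.setdefault(finding, day)
    return seen


def prioritised_backlog(scans, today):
    """Open findings from the latest scan, most severe and most overdue first,
    each annotated with days past its SLA (negative means still within SLA)."""
    latest = scans[max(scans)]
    seen = first_seen(scans)
    rows = []
    for host, vid, sev in latest:
        age = (today - seen[(host, vid, sev)]).days
        rows.append({"host": host, "id": vid, "severity": sev,
                     "days_overdue": age - SLA_DAYS[sev]})
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -r["days_overdue"]))
    return rows


def remediation_report(scans, today):
    """Compare the last two scans and return what was fixed, what is new,
    what persists, and which persisting items have breached their SLA."""
    days = sorted(scans)
    remediated, new, persisting = diff_scans(scans[days[-2]], scans[days[-1]])
    backlog = prioritised_backlog(scans, today)
    return {
        "remediated": sorted(remediated),
        "new": sorted(new),
        "persisting": sorted(persisting),
        "sla_breached": [r for r in backlog if r["days_overdue"] > 0],
        "backlog": backlog,
    }


if __name__ == "__main__":
    for section, rows in remediation_report(SCANS, TODAY).items():
        print(section, rows)
```

Tracking first-seen dates across the whole scan history, rather than only diffing the last two runs, is what makes the SLA check meaningful: a finding that disappears and reappears (a rebuilt host, a scanner blind spot) keeps its original clock.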
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
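File Integrity Monitoring, named in the last sub-control above and in the PCI DSS change-detection requirement carried in the mapping ("configure the software to perform critical file comparisons at least weekly"), reduces to a hashed baseline, a periodic re-hash, and a comparison. The block below is an added example written for this page, not CIS or PCI material and not any FIM product's code; the monitored files, the tamper step and the HMAC key are constructed in a temporary directory so it runs offline.

```python
"""File-integrity baseline and comparison (CIS 14.9, PCI DSS 11.5 in the
mapping). Added illustration, not a CIS or PCI artefact; the sample files,
changes and key are constructed in a temporary directory."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

SEAL_KEY = b"example-key-kept-off-host-in-practice"  # assumed; not a real secret


def file_digest(path, chunk=65536):
    """SHA-256 of a file, streamed so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> {sha256, size, mode} for every regular file."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p), "size": st.st_size, "mode": st.st_mode & 0o7777}
    return baseline


def compare(baseline, current):
    """Classify drift: files added, removed, or modified (content or permission)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if not hmac.compare_digest(baseline[p]["sha256"], current[p]["sha256"])
        or baseline[p]["mode"] != current[p]["mode"])
    return {"added": added, "removed": removed, "modified": modified}


def seal_baseline(baseline, key):
    """Serialise the baseline and HMAC it, so an intruder who edits a file
    cannot also silently edit the baseline it will be compared against."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_seal(blob, tag, key):
    return hmac.compare_digest(hmac.new(key, blob, hashlib.sha256).hexdigest(), tag)


def demo():
    """Baseline constructed files, tamper with one and add one, then report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        blob, tag = seal_baseline(build_baseline(root), SEAL_KEY)

        # Simulated unauthorised changes between two scheduled comparisons.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "backdoor.sh").write_text("#!/bin/sh\n")

        sealed_ok = verify_seal(blob, tag, SEAL_KEY)
        drift = compare(json.loads(blob), build_baseline(root))
        return drift, sealed_ok


if __name__ == "__main__":
    print(demo())
```

The seal matters as much as the hashes: a baseline stored writable on the monitored host is the first thing a capable intruder updates, so the key (or the baseline itself) should live where the monitored host cannot rewrite it.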
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
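The account-monitoring sub-controls above (dormant accounts, ownerless accounts, attempts against deactivated accounts, deviations from normal login behaviour) are checks that can be run over an account inventory and an authentication log. The block below is an added example written for this page, not CIS tooling; the inventory, the sshd-style log lines, the idle threshold, the business hours and the internal address prefix are all constructed or assumed.

```python
"""Account-monitoring checks over an account inventory and an authentication
log (CIS 16.6, 16.8, 16.10, 16.12, 16.13). Added illustration, not CIS tooling;
inventory, log lines, thresholds and business hours are constructed/assumed."""
import re
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 5, 12, 0, 0)      # assumed evaluation time
MAX_IDLE_DAYS = 90                         # assumed dormancy threshold
BUSINESS_HOURS = (7, 19)                   # assumed 07:00-19:00 local
INTERNAL_PREFIX = "10."                    # assumed internal address range

# Constructed inventory (CIS 16.6): one record per account on this auth system.
INVENTORY = {
    "alice":   {"enabled": True,  "last_login": "2024-03-01T09:12:00", "owner": "finance"},
    "bob":     {"enabled": True,  "last_login": "2023-10-02T17:40:00", "owner": "it"},
    "svc-bkp": {"enabled": True,  "last_login": "2024-03-02T02:00:00", "owner": None},
    "carol":   {"enabled": False, "last_login": "2023-12-15T08:00:00", "owner": "hr"},
}

# Constructed sshd-style authentication log.
AUTH_LOG = """\
2024-03-03T08:55:10 sshd[1201]: Accepted publickey for alice from 10.0.1.20
2024-03-03T23:41:02 sshd[1288]: Accepted password for alice from 203.0.113.9
2024-03-03T03:12:44 sshd[1302]: Failed password for carol from 198.51.100.7
2024-03-04T10:02:01 sshd[1410]: Accepted publickey for bob from 10.0.1.30
2024-03-04T10:05:13 sshd[1411]: Accepted password for mallory from 10.0.1.31
"""
LINE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
                  r"for (?P<user>\S+) from (?P<src>\S+)$")


def parse_log(text=AUTH_LOG):
    """Parse matching lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def dormant_accounts(inventory=INVENTORY, now=NOW, max_idle_days=MAX_IDLE_DAYS):
    """CIS 16.10: enabled accounts idle beyond the threshold (candidates to disable)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, a in inventory.items()
                  if a["enabled"] and datetime.fromisoformat(a["last_login"]) < cutoff)


def ownerless_accounts(inventory=INVENTORY):
    """CIS 16.8: accounts that cannot be tied to a business owner."""
    return sorted(u for u, a in inventory.items() if a["owner"] is None)


def deactivated_or_unknown_attempts(events, inventory=INVENTORY):
    """CIS 16.12: any attempt, successful or not, against a disabled account.
    Accounts absent from the inventory are treated the same way (CIS 16.6)."""
    return [e for e in events
            if not inventory.get(e["user"], {"enabled": False})["enabled"]]


def anomalous_logins(events, business_hours=BUSINESS_HOURS, internal_prefix=INTERNAL_PREFIX):
    """CIS 16.13: successful logins outside business hours or from a non-internal source."""
    start, end = business_hours
    return [e for e in events if e["result"] == "Accepted"
            and (not start <= e["ts"].hour < end or not e["src"].startswith(internal_prefix))]


if __name__ == "__main__":
    ev = parse_log()
    print("dormant:", dormant_accounts())
    print("ownerless:", ownerless_accounts())
    print("deactivated/unknown:", [e["user"] for e in deactivated_or_unknown_attempts(ev)])
    print("anomalous:", [(e["user"], e["src"]) for e in anomalous_logins(ev)])
```

Note that the successful login for "mallory" is flagged only because the account is missing from the inventory; a login that is inside business hours from an internal address is otherwise unremarkable, which is why the inventory check (16.6) and the behavioural check (16.13) complement rather than replace each other.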
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X
X
X
X
X
X
X
X
X
Install personal firewall
software on any mobile
and/or employee-owned Ensure that security policies Always change vendor-
devices that connect to the and operational procedures supplied defaults and remove
Internet when outside the for managing firewalls are or disable unnecessary default
network (for example, laptops documented, in use, and accounts before installing a
used by employees), and known to all affected parties. system on the network.
which are also used to access
the network.
X
X
X
X
X
X
X
X
X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X
X
X
X
X
X
X
Ensure that security policies
Keep cardholder data storage
and operational procedures Shared hosting providers must
to a minimum by
for managing vendor defaults protect each entity’s hosted
implementing data retention
and other security parameters environment and cardholder
and disposal policies,
are documented, in use, and data.
known to all affected parties. procedures and processes.
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Ensure that anti-virus
mechanisms are actively
Deploy anti-virus software on
running and cannot be
all systems commonly affected
Ensure that all anti-virus disabled or altered by users,
by malicious software
mechanisms are maintained. unless specifically authorized
(particularly personal
by management on a case-by-
computers and servers). case basis for a limited time
period.
X X
X X
X X
X X
X X
X X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Train developers in secure
Develop internal and external
Follow change control coding techniques, including
software applications
processes and procedures for how to avoid common coding
(including web-based
all changes to system vulnerabilities, and
administrative access to
components. understanding how sensitive
applications) securely. data is handled in memory.
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
Incorporate two-factor
Define and implement policies authentication for remote
In addition to assigning a
and procedures to ensure network access originating
unique ID, ensure proper user-
proper user identification from outside the network by
authentication management
management for non- personnel (including users and
for non-consumer users and
consumer users and administrators) and all third
administrators on all system
administrators on all system components. parties, (including vendor
components. access for support or
maintenance).
X
X
X
X
X
X
X
X
X
Where other authentication
mechanisms are used (for
Document and communicate Do not use group, shared, or
example, physical or logical
authentication procedures and generic IDs, passwords, or
security tokens, smart cards,
policies to all users. other authentication methods.
certificates, etc.), use of these
mechanisms must be assigned.
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
Develop procedures to easily Control physical access for
Implement procedures to
distinguish between onsite onsite personnel to the
identify and authorize visitors.
personnel and visitors. sensitive areas.
X X X
Ensure that security policies
Protect devices that capture
and operational procedures
Destroy media when it is no payment card data via direct
for restricting physical access
longer needed for business or physical interaction with the
to cardholder data are
legal reasons. card from tampering and
documented, in use, and
substitution. known to all affected parties.
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Implement a methodology for penetration testing.
Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
Establish, publish, maintain, and disseminate a security policy.
Implement a risk-assessment process.
Develop usage policies for critical technologies and define proper use of these technologies.
Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off of a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.
Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
Shared hosting providers must protect each entity's hosted environment and cardholder data.
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Ensure that all anti-virus mechanisms are maintained.
Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Develop internal and external software applications (including web-based administrative access to applications) securely.
Follow change control processes and procedures for all changes to system components.
Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain comfort in responding to real-world threats. Exercises should test
communication channels, decision making, and incident responders' technical capabilities using
tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Mapping columns: Information Access Management - Isolating Health Care Clearinghouse Function (R); Workforce Security - Workforce Clearance Procedure (A); Workforce Security - Termination Procedures (A)
Mapping columns: Security Awareness and Training - Protection from Malicious Software (A); Security Awareness and Training - Log-in Monitoring (A); Security Awareness and Training - Password Management (A)
Mapping columns: Security Incident Procedures - Response and Reporting (R); Contingency Plan - Data Backup Plan (R); Contingency Plan - Disaster Recovery Plan (R)
Mapping columns: Device and Media Controls - Media Re-use (R); Device and Media Controls - Accountability (A); Device and Media Controls - Data Backup and Storage (A)
Mapping columns: Access Control - Unique User Identification (R); Access Control - Emergency Access Procedure (R); Access Control - Automatic Logoff (A)
Mapping columns: Access Control - Encryption and Decryption (A); Audit Controls (R); Integrity - Mechanism to Authenticate Electronic Protected Health Information (A)
CIS Controls v7.1 mapped to the FFIEC's Information Security Booklet 2016
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Router
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
urity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized
The organization's software is blocked
application whitelisting softwarefrom
mustexecuting on assets.
ensure that only authorized software
libraries
The organization's application whitelisting software must ensure that onlyprocess.
(such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
urity Control
Utilize#3: Continuous
an up-to-date Vulnerability
Security Assessment
Content Automation Protocoland Remediation
(SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most
Deploy recent security
automated updates
software provided
update tools inby the software
order to ensurevendor.
that third-party software on all systems
is
Regularly compare the results from consecutive vulnerabilitysoftware
running the most recent security updates provided by the scans to vendor.
verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
[Mapping table: only the column headers survived extraction. Columns: User Security Controls; Physical Security; Network Controls; Change Management Within the IT Environment; End-of-Life Management; Malware Mitigation; Oversight of Third-Party Service Providers; Business Continuity Considerations; Encryption (II.C.22). The X cell marks could not be aligned to their rows.]
CIS Controls v7.1 mapped to the FFIEC Examination Handbook (2006)
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
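The salted-hash storage requirement above, shown as an added example that is not part of the CIS Controls text. It uses only the Python standard library (PBKDF2-HMAC-SHA256 from hashlib); the iteration count, salt length and the `algorithm$iterations$salt$digest` record layout are assumptions chosen for the example, not a format the Controls prescribe.

```python
"""Added example (not from the CIS Controls text): storing authentication
credentials as per-credential salted hashes and verifying them without
ever storing or comparing the plaintext."""
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for the example: tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_credential(password: str, *, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt per credential means identical passwords produce
    different records, which defeats precomputed tables and hides which
    accounts share a password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_credential(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # a malformed record never verifies
    if algorithm != "pbkdf2_sha256" or iterations <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def salts_differ(password: str) -> bool:
    """True when two records for the same password are not equal, i.e. the
    salt is actually doing its job."""
    return hash_credential(password) != hash_credential(password)


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")
    print(record)
    print(verify_credential("correct horse battery staple", record))  # True
    print(verify_credential("wrong password", record))                # False
```

Storing the algorithm and iteration count inside the record lets the verifier re-hash with whatever parameters were current when the credential was written, so the work factor can be raised later without invalidating existing records.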
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
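The dormant-account, expiration, deactivated-account and login-behavior checks above, as an added example that is not part of the CIS Controls text. The account inventory, the audit log lines, the dormancy window and the working-hours window are all constructed for the example; a real deployment would read these from the authentication system and its audit log.

```python
"""Added example (not from the CIS Controls text): the checks behind several
Control 16 sub-controls, run over a constructed account inventory and a
constructed authentication audit log. Record layouts are assumptions."""
from datetime import datetime, timedelta

# Constructed account inventory: status, last successful login, expiry date.
ACCOUNTS = {
    "alice":   {"status": "active",   "last_login": "2024-05-01T09:12:00", "expires": "2025-01-01"},
    "bob":     {"status": "active",   "last_login": "2024-01-15T08:00:00", "expires": "2025-01-01"},
    "carol":   {"status": "disabled", "last_login": "2023-11-02T17:45:00", "expires": "2024-03-01"},
    "svc-bak": {"status": "active",   "last_login": "2024-05-02T02:00:00", "expires": "2024-04-30"},
}

# Constructed audit log: timestamp, account, outcome, workstation.
AUDIT_LOG = [
    "2024-05-03T09:05:11 user=alice result=success host=ws-alice",
    "2024-05-03T23:40:02 user=alice result=success host=ws-kiosk",
    "2024-05-03T10:01:54 user=carol result=failure host=ws-lobby",
    "2024-05-04T03:15:00 user=bob result=success host=ws-bob",
]

NOW = datetime.fromisoformat("2024-05-05T00:00:00")  # fixed clock for reproducibility
DORMANT_AFTER = timedelta(days=90)                    # assumed dormancy window
WORK_HOURS = range(7, 20)                             # assumed normal window, 07:00-19:59


def parse_event(line):
    """Turn one 'ts key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def dormant_accounts(accounts=ACCOUNTS, now=NOW, limit=DORMANT_AFTER):
    """Active accounts with no successful login inside the dormancy window."""
    return sorted(
        user for user, acct in accounts.items()
        if acct["status"] == "active"
        and now - datetime.fromisoformat(acct["last_login"]) > limit
    )


def expired_accounts(accounts=ACCOUNTS, now=NOW):
    """Active accounts whose expiration date has passed but were never disabled."""
    return sorted(
        user for user, acct in accounts.items()
        if acct["status"] == "active"
        and datetime.fromisoformat(acct["expires"]) < now
    )


def deactivated_account_attempts(log=AUDIT_LOG, accounts=ACCOUNTS):
    """Any authentication attempt (success or failure) against a disabled account."""
    return [
        f'{e["user"]}@{e["host"]}'
        for e in map(parse_event, log)
        if accounts.get(e["user"], {}).get("status") == "disabled"
    ]


def off_hours_logins(log=AUDIT_LOG, hours=WORK_HOURS):
    """Successful logins outside the normal time-of-day window."""
    return [
        f'{e["user"]}@{e["host"]} {e["ts"].isoformat()}'
        for e in map(parse_event, log)
        if e["result"] == "success" and e["ts"].hour not in hours
    ]


if __name__ == "__main__":
    print("dormant:", dormant_accounts())
    print("expired but active:", expired_accounts())
    print("attempts on disabled accounts:", deactivated_account_attempts())
    print("off-hours logins:", off_hours_logins())
```

Note that the deactivated-account check deliberately reports failed attempts too: a login failure against a disabled account is exactly the signal the audit-logging requirement exists to capture, and it is lost if only successes are examined.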
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
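The explicit input checking that Control 18 asks of in-house software (size, data type, acceptable ranges or formats), as an added example that is not part of the CIS Controls text. The request fields (`username`, `port`, `comment`), their limits and the error wording are assumptions for the example.

```python
"""Added example (not from the CIS Controls text): explicit, documented
error checking of every input field for type, size, range and format.
The request schema and limits are assumptions chosen for the example."""
import re
from typing import Any, Dict, List

# Assumed rules: username is 3-32 chars, lowercase letters/digits/underscore,
# starting with a letter; port is a valid TCP/UDP port; comment is bounded.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
PORT_RANGE = range(1, 65536)
MAX_COMMENT_BYTES = 512
ALLOWED_FIELDS = {"username", "port", "comment"}


def validate_request(req: Dict[str, Any]) -> List[str]:
    """Return every rejection as a human-readable message; an empty list
    means the request is acceptable.  Checks are explicit and fail closed:
    missing or wrongly typed values are errors, and unexpected fields are
    rejected rather than silently ignored."""
    errors: List[str] = []

    for extra in sorted(set(req) - ALLOWED_FIELDS):
        errors.append(f"unexpected field: {extra}")

    username = req.get("username")
    if not isinstance(username, str):
        errors.append("username: must be a string")
    elif not USERNAME_RE.fullmatch(username):  # fullmatch: whole value, not a prefix
        errors.append("username: 3-32 chars, lowercase letters, digits, underscore")

    port = req.get("port")
    # bool is a subclass of int in Python; reject it so True does not pass as 1
    if not isinstance(port, int) or isinstance(port, bool):
        errors.append("port: must be an integer")
    elif port not in PORT_RANGE:
        errors.append("port: must be in 1-65535")

    comment = req.get("comment", "")
    if not isinstance(comment, str):
        errors.append("comment: must be a string")
    elif len(comment.encode("utf-8")) > MAX_COMMENT_BYTES:  # size in bytes, not chars
        errors.append(f"comment: longer than {MAX_COMMENT_BYTES} bytes")
    elif any(ch in comment for ch in "\r\n\x00"):
        errors.append("comment: control characters not allowed")

    return errors


if __name__ == "__main__":
    print(validate_request({"username": "alice", "port": 8443}))           # []
    print(validate_request({"username": "Alice!", "port": 70000}))         # two errors
    print(validate_request({"username": "bob", "port": 22, "debug": 1}))   # unexpected field
```

Two details matter more than they look: `fullmatch` (rather than `match` or `search`) stops a valid prefix from carrying trailing garbage through, and measuring the comment in encoded bytes rather than characters keeps the check aligned with whatever storage or protocol limit it is protecting.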
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix: the sheet marks each CIS sub-control with an X against the category columns below. Only the column headings survived extraction; the per-row marks carry no row labels and are omitted. Columns: A Authentication and Access Controls; B Network Security; C Host Security; D User Equipment Security (Workstation, Laptop, Handheld); E Physical Security; F Personnel Security; G Software Development & Acquisition Security; H Application Security; I Business Continuity - Security; J Service Provider Oversight - Security; K Encryption; L Data Security; M Security Monitoring.]
CIS Controls v7.1 mapped to the FFIEC's Cybersecurity Assessment Tool (CAT)
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
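The "compare consecutive scans" and "risk-rate the remediation" steps of Control 3 above, as an added example that is not part of the CIS Controls text. The two scan result sets, the severity-based SLA days and the finding identifiers (`VULN-0001` and so on) are constructed placeholders for the example, not real vulnerability IDs or scanner output.

```python
"""Added example (not from the CIS Controls text): diffing two consecutive
vulnerability scans to confirm remediation, then ranking what is still open
by a simple severity-based risk rating. All records are constructed."""
from datetime import date

# Assumed remediation SLA per severity, in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]

# Each finding: (host, finding_id, severity, first_seen). IDs are placeholders.
PREVIOUS_SCAN = [
    ("web-01", "VULN-0001", "critical", "2024-04-01"),
    ("web-01", "VULN-0002", "medium",   "2024-03-10"),
    ("db-01",  "VULN-0003", "high",     "2024-04-20"),
]
CURRENT_SCAN = [
    ("web-01", "VULN-0002", "medium",   "2024-03-10"),   # still present
    ("db-01",  "VULN-0003", "high",     "2024-04-20"),   # still present
    ("db-01",  "VULN-0004", "low",      "2024-05-01"),   # newly reported
]


def _key(finding):
    """A finding is identified by host plus finding id; severity may be re-rated."""
    return (finding[0], finding[1])


def compare_scans(previous, current):
    """Split findings into remediated (gone since last scan), new, and persistent."""
    prev = {_key(f) for f in previous}
    cur = {_key(f) for f in current}
    return {
        "remediated": sorted(prev - cur),
        "new": sorted(cur - prev),
        "persistent": sorted(cur & prev),
    }


def overdue(current, today_iso, sla=SLA_DAYS):
    """Open findings older than their severity's SLA, highest severity first.

    Returns (host, finding_id, severity, age_in_days) tuples."""
    today = date.fromisoformat(today_iso)
    late = []
    for host, fid, sev, first_seen in current:
        age = (today - date.fromisoformat(first_seen)).days
        if age > sla[sev]:
            late.append((SEVERITY_ORDER.index(sev), host, fid, sev, age))
    return [(host, fid, sev, age) for _, host, fid, sev, age in sorted(late)]


if __name__ == "__main__":
    print(compare_scans(PREVIOUS_SCAN, CURRENT_SCAN))
    print(overdue(CURRENT_SCAN, "2024-07-01"))
```

Keying findings on host plus finding id, rather than on the whole record, is what makes the comparison robust to a scanner re-rating a finding's severity between runs: a re-rated finding shows up as persistent, not as one remediated and one new.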
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
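The "compare against the approved configuration and alert on deviation" requirement of Control 11 above, as an added example that is not part of the CIS Controls text. Both the approved baseline and the running configuration are constructed, router-style text; the directive names are illustrative rather than any vendor's exact syntax, and the list of never-permitted directives is an assumption.

```python
"""Added example (not from the CIS Controls text): comparing a network
device's running configuration against an approved baseline and flagging
every deviation. Both configurations are constructed for the example."""

APPROVED_BASELINE = """
! approved hardening baseline (constructed)
service password-encryption
no ip http server
ip ssh version 2
logging host 10.0.0.5
ntp server 10.0.0.6
"""

# Constructed running config: one hardening line missing, the logging
# target changed, and a directive the baseline does not allow.
RUNNING_CONFIG = """
service password-encryption
ip http server
ip ssh version 2
logging host   10.0.0.99
ntp server 10.0.0.6
snmp-server community public RO
"""

# Assumption for the example: directives that must never appear.
FORBIDDEN_PREFIXES = ("snmp-server community",)


def normalize(text):
    """One entry per non-empty, non-comment line with whitespace collapsed,
    so cosmetic differences in spacing do not register as deviations."""
    lines = set()
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            lines.add(line)
    return lines


def find_deviations(running, baseline, forbidden=FORBIDDEN_PREFIXES):
    """Report baseline lines absent from the device, device lines absent from
    the baseline, and any line matching a never-permitted directive."""
    run, base = normalize(running), normalize(baseline)
    return {
        "missing": sorted(base - run),
        "unexpected": sorted(run - base),
        "forbidden": sorted(l for l in run if l.startswith(forbidden)),
    }


def should_alert(deviations):
    """Any non-empty category is a deviation worth alerting on."""
    return any(deviations.values())


if __name__ == "__main__":
    report = find_deviations(RUNNING_CONFIG, APPROVED_BASELINE)
    for category, lines in report.items():
        for line in lines:
            print(f"{category}: {line}")
    print("ALERT" if should_alert(report) else "compliant")
```

The set difference in both directions is the point: a check that only confirms the baseline lines are present would miss the extra SNMP community string, and one that only looks for known-bad lines would miss the silently changed logging target.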
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
[Mapping matrix, Master Mappings Tool (v7.1a): one row per sub-control, with an X marking each mapped column. Column headings recovered from the extraction: Domain 2: Threat Intelligence & Collaboration - Information Sharing; Domain 3: Cybersecurity Controls - Preventative Controls; Domain 3: Cybersecurity Controls - Detective Controls; Domain 3: Cybersecurity Controls - Corrective Controls; Domain 4: External Dependency Management - Connections; Domain 4: External Dependency Management - Relationship Management; Domain 5: Cyber Incident Management and Resilience - Incident Resilience Planning and Strategy; Domain 5: Cyber Incident Management and Resilience - Detection, Response, and Mitigation; Domain 5: Cyber Incident Management and Resilience - Escalation and Reporting. The individual cell marks cannot be attributed to rows in this extraction.]
CIS Controls v7.1 mapped to COBIT 5
System 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
System 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
System 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
Critical Security Control #8: Malware Defenses
System 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, 9.2, 9.3, 9.4, 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1, 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Critical Security Control #12: Boundary Defense
Network 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Critical Security Control #13: Data Protection
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Critical Security Control #18: Application Software Security
Application 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
[Mapping matrix, Master Mappings Tool (v7.1a), CIS Controls v7.1 to COBIT 5: one row per sub-control, with an X marking each mapped COBIT 5 process. Column headings recovered from the extraction: Manage Programmes and Projects; Manage Requirements Definition; Manage Solutions Identification and Build; Manage Service Requests and Incidents; Manage Configuration; Manage Operations; Manage Security Services; Manage Problems; Manage Continuity; Manage Business Process Controls; Monitor, Evaluate and Assess Performance and Conformance; Monitor, Evaluate and Assess the System of Internal Control; MEA03 (column name not recovered). The individual cell marks cannot be attributed to rows in this extraction.]
CIS Controls v7.1 mapped to the AICPA's Trust Services Principles and Criteria for SOC2 & SOC3 Assessments
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Router
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to laterally move
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off of a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder's technical
capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Common Criteria Related to System Operations
Common Criteria Related to Change Management
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
urity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized
The organization's software is blocked
application whitelisting softwarefrom
mustexecuting on assets.
ensure that only authorized software
libraries
The organization's application whitelisting software must ensure that onlyprocess.
(such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
urity Control
Utilize#3: Continuous
an up-to-date Vulnerability
Security Assessment
Content Automation Protocoland Remediation
(SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most
Deploy recent security
automated updates
software provided
update tools inby the software
order to ensurevendor.
that third-party software on all systems
is
Regularly compare the results from consecutive vulnerabilitysoftware
running the most recent security updates provided by the scans to vendor.
verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
urity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
All configuration rules that allow traffic to flow through network devices should be documented in a
Maintain documented
configuration security
management configuration
system standards
with a specific for all
business authorized
reason network
for each rule, a devices.
specific
individual’s name responsible for that business need, and an expected duration
Compare all network device configurations against approved security configurations of the need. for
defined
each network device in use, and alert when any deviations are discovered.
Ensure network
Install the latest engineers use aofdedicated
stable version machine forupdates
any security-related all administrative tasksdevices.
on all network or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
Manage
be allowedall Internet
network devicesThisusing multi-factor authentication
used forand encrypted sessions.
Manage the networkaccess. machine
infrastructure acrossshall not
network be
connectionsreading email,
that are composing
separated from documents,
the
or surfing the Internet.
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
urity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
Deny communication
trusted and necessaryover unauthorized
IP address TCP
ranges at or UDP
each ports
of the or application
organization's trafficboundaries.
network to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
boundaries.
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
Decrypt all encrypted
layer proxy networktotraffic
that is configured filter at the boundary
unauthorized proxy prior to analyzing the content. However,
connections.
the organization may use whitelists of allowed sites that can be accessed through the proxy without
Require
decryptingall remote login access to the organization's network to encrypt data in transit and use
the traffic.
Scan all enterprise
multi-factor devices remotely logging into the organization's network prior to accessing the
authentication.
network to ensure that each of the organization's security policies has been enforced in the same
manner
urity Control
Remove#13:as local
Data
sensitivenetwork ordevices.
Protection
data systems not regularly accessed by the organization from the network.
Maintain an inventory
These systems shall only be of all used
sensitive informationsystems
as stand-alone stored, (disconnected
processed, or transmitted by the by the
from the network)
organization's technology systems, including those located on-site or at a remote
business unit needing to occasionally use the system or completely virtualized and powered service provider.
off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off of a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
[Mapping matrix not reproducible from the extraction: only "X" marks survive, without their row labels. Recoverable column headings: New Purposes and Uses; Misuse of Personal Information by a Third Party; Privacy Policies; Environmental Safeguards; Physical Access Controls; Transmitted Personal Information; 10.2.5]
CIS Controls v7.1 mapped to the US Internal Revenue Service (IRS)
Publication 1075
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off of a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
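The explicit error checking required above (every input checked for size, data type, and acceptable ranges or formats) is easiest to review when each rule is written out and each rejection names the check that failed. The Python below is an added example, not code from the CIS document: it validates a constructed JSON body for a hypothetical funds-transfer request. The field names, the limits and the ACC-NNNNNNNN account format are assumptions for the illustration.

```python
"""Added example, not code from the CIS document: explicit error checking for
every input field (size, type, range, format) per sub-control 18.2, applied to
a constructed JSON body for a hypothetical funds-transfer request."""
import json
import re
from decimal import Decimal, InvalidOperation

# Documented rules; each limit is explicit so a reviewer can see what is accepted.
MAX_BODY_BYTES = 1024                                    # size of the whole request
ACCOUNT_RE = re.compile(r"^ACC-\d{8}$")                   # format: assumed account id
AMOUNT_MIN, AMOUNT_MAX = Decimal("0.01"), Decimal("100000.00")  # acceptable range
MEMO_MAX_LEN = 140                                        # size of free text
ALLOWED_FIELDS = {"account", "amount", "memo"}


class ValidationError(ValueError):
    """Message is '<field>: <reason>' so the failing check is always named."""


def validate_transfer(raw):
    """Parse and validate a request body; return the cleaned fields or raise."""
    if not isinstance(raw, (bytes, bytearray)):
        raise ValidationError("body: expected bytes")
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError(f"body: {len(raw)} bytes exceeds {MAX_BODY_BYTES}")
    try:
        body = json.loads(bytes(raw).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValidationError(f"body: not valid UTF-8 JSON ({exc.__class__.__name__})")
    if not isinstance(body, dict):
        raise ValidationError("body: expected a JSON object")
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        raise ValidationError(f"body: unexpected fields {sorted(unknown)}")

    account = body.get("account")
    if not isinstance(account, str) or not ACCOUNT_RE.match(account):
        raise ValidationError("account: must match ACC-NNNNNNNN")

    amount = body.get("amount")
    # Type before range. bool is a subclass of int in Python, so exclude it;
    # floats are rejected so binary rounding never reaches a money calculation.
    if isinstance(amount, bool) or not isinstance(amount, (int, str)):
        raise ValidationError("amount: must be an integer or a decimal string")
    try:
        amt = Decimal(str(amount))
    except InvalidOperation:
        raise ValidationError("amount: not a decimal number")
    if not amt.is_finite():
        raise ValidationError("amount: not a finite number")
    if not (AMOUNT_MIN <= amt <= AMOUNT_MAX):
        raise ValidationError(f"amount: outside [{AMOUNT_MIN}, {AMOUNT_MAX}]")
    if amt != amt.quantize(Decimal("0.01")):
        raise ValidationError("amount: more than two decimal places")

    memo = body.get("memo", "")
    if not isinstance(memo, str):
        raise ValidationError("memo: must be a string")
    if len(memo) > MEMO_MAX_LEN:
        raise ValidationError(f"memo: longer than {MEMO_MAX_LEN} characters")
    if not memo.isprintable():
        raise ValidationError("memo: contains control or non-printable characters")

    return {"account": account, "amount": amt, "memo": memo}


def failing_check(raw):
    """Name of the first failing check ('body', 'account', ...), or None if valid."""
    try:
        validate_transfer(raw)
    except ValidationError as exc:
        return str(exc).split(":", 1)[0]
    return None


if __name__ == "__main__":
    print(validate_transfer(b'{"account": "ACC-12345678", "amount": "250.00", "memo": "rent"}'))
    print(failing_check(b'{"account": "ACC-12345678", "amount": 1e308}'))  # float is rejected
```

The size check runs before parsing so an oversized body never reaches the JSON parser, the type check runs before the range check so a boolean or float cannot be compared as a number, and unknown fields are rejected rather than ignored, which is what makes the checking explicit rather than incidental.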
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
Mapping matrix (the per-row check marks did not survive extraction; only the column headings below are recoverable):
Access Control; Audit and Accountability; Awareness and Training
Security Assessment and Authorization; Configuration Management; Contingency Planning
Identification and Authentication; Incident Response; Maintenance
Cloud Computing Environments; Data Warehouse; Email Communications
Virtual Desktop Infrastructure; Virtualization Environments; VoIP Systems
The rows (sub-controls by asset type) follow.
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Router
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
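The back-to-back scan comparison and the risk-rating process above are two halves of one workflow: the diff tells you what was fixed and what is still open, and the rating tells you which open findings to chase first. The following Python is an added example, not from the CIS document: it diffs two constructed CSV scan exports into remediated, new and persistent findings, then ranks the open ones by a simple severity-times-asset-criticality score and marks those past an assumed remediation deadline. The CSV columns, the deadlines, the weights and the sample data are all assumptions for the illustration.

```python
"""Added example, not from the CIS document: compare two consecutive scan
exports (sub-control 3.6) and rank what is still open with a simple risk
rating (sub-control 3.7). CSV layout, deadlines, weights and data are all
constructed for the illustration."""
import csv
import io
from datetime import date

# Assumed remediation deadlines (days) and severity weights.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Constructed asset criticality, as it might come from the hardware inventory.
ASSET_WEIGHT = {"db01": 3, "web01": 2, "kiosk7": 1}

# Constructed scan exports; finding ids are placeholders, not real identifiers.
SCAN_PREV = """host,finding,severity,first_seen
db01,F-101,critical,2024-02-01
web01,F-102,high,2024-02-10
web01,F-103,low,2024-01-05
kiosk7,F-104,medium,2024-02-20
"""
SCAN_CURR = """host,finding,severity,first_seen
db01,F-101,critical,2024-02-01
web01,F-102,high,2024-02-10
kiosk7,F-104,medium,2024-02-20
db01,F-105,high,2024-03-01
"""


def load(text):
    """Index a scan export by (host, finding) so the same issue is recognised across runs."""
    return {(r["host"], r["finding"]): r for r in csv.DictReader(io.StringIO(text))}


def compare(prev_text, curr_text):
    """Split findings into remediated (gone), new, and persistent (present in both)."""
    prev, curr = load(prev_text), load(curr_text)
    return {
        "remediated": sorted(set(prev) - set(curr)),
        "new": sorted(set(curr) - set(prev)),
        "persistent": sorted(set(prev) & set(curr)),
    }


def prioritise(curr_text, today):
    """Rank open findings by severity x asset criticality and flag those past SLA.
    today is an ISO date string so the result is reproducible."""
    today = date.fromisoformat(today)
    rows = []
    for (host, finding), r in load(curr_text).items():
        sev = r["severity"]
        age = (today - date.fromisoformat(r["first_seen"])).days
        rows.append({
            "host": host, "finding": finding,
            "score": SEVERITY_WEIGHT[sev] * ASSET_WEIGHT.get(host, 1),
            "age_days": age,
            "overdue": age > SLA_DAYS[sev],
        })
    # Highest risk first; among equal scores, the oldest finding first.
    return sorted(rows, key=lambda x: (-x["score"], -x["age_days"]))


if __name__ == "__main__":
    print(compare(SCAN_PREV, SCAN_CURR))
    for row in prioritise(SCAN_CURR, "2024-03-04"):
        print(row)
```

Keying on (host, finding) rather than on the finding alone is what lets the comparison say "remediated on web01 but still open on db01", and carrying first_seen forward from the earlier scan is what makes the age, and therefore the overdue flag, meaningful.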
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
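The rule-documentation and deviation-alerting requirements above can be checked mechanically rather than by periodic manual review. The Python below is an added example, not from the CIS document: it flags approved rules that lack a business reason, an owner or an expiry, or whose expiry has passed, and it diffs the permit rules a device is actually enforcing against the approved baseline. The rule syntax, the baseline entries and the running-configuration dump are constructed for the illustration.

```python
"""Added example, not from the CIS document: checks for sub-controls 11.2
(every permit rule has a business reason, a named owner and an expected
duration) and 11.3 (running configuration compared with the approved
baseline, deviations reported). Rule syntax, baseline and dump are constructed."""
from datetime import date

# Approved baseline as held in the configuration management system (11.2).
APPROVED = [
    {"rule": "permit tcp any -> 10.1.2.3/32 443", "reason": "public web tier",
     "owner": "A. Nguyen", "expires": "2030-12-31"},
    {"rule": "permit tcp 10.0.0.0/8 -> 10.1.9.9/32 22", "reason": "jump host mgmt",
     "owner": "R. Patel", "expires": "2023-06-30"},
    {"rule": "permit udp any -> 10.1.2.53/32 53", "reason": "", "owner": "",
     "expires": "2030-12-31"},
]

# Constructed dump of what the device is enforcing right now (11.3).
RUNNING = """\
permit tcp any -> 10.1.2.3/32 443
permit tcp 10.0.0.0/8 -> 10.1.9.9/32 22
permit tcp any -> 10.1.2.3/32 8080
deny ip any -> any
"""


def check_documentation(approved, today):
    """Flag baseline rules with missing reason/owner/expiry, or whose expiry has passed."""
    findings = []
    for r in approved:
        missing = [k for k in ("reason", "owner", "expires") if not r.get(k)]
        if missing:
            findings.append(("undocumented", r["rule"], ",".join(missing)))
        elif date.fromisoformat(r["expires"]) < today:
            findings.append(("expired", r["rule"], r["expires"]))
    return findings


def check_drift(approved, running_text):
    """Permit rules present on the device but not approved, and approved rules not present."""
    approved_rules = {r["rule"] for r in approved}
    running_rules = {ln.strip() for ln in running_text.splitlines()
                     if ln.strip().startswith("permit")}
    return {
        "unapproved": sorted(running_rules - approved_rules),
        "missing": sorted(approved_rules - running_rules),
    }


def audit(approved=APPROVED, running_text=RUNNING, today=None):
    """today is an ISO date string; defaults to the current date."""
    today = date.fromisoformat(today) if today else date.today()
    return {
        "documentation": check_documentation(approved, today),
        "drift": check_drift(approved, running_text),
    }


if __name__ == "__main__":
    print(audit(today="2024-03-04"))
```

On the constructed data the audit reports one expired rule, one rule with no reason or owner, one permit rule on the device that nobody approved (port 8080), and one approved rule that is not actually deployed; each of those is a separate conversation with a named person, which is the point of recording the owner.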
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Master Mappings Tool (v7.1a)
Mapping matrix (the per-row check marks did not survive extraction; only the column headings below, and the column identifiers 1.1-opt, 1.2 and 2.1, are recoverable):
Protection of the secure zone; Boundary Protection; Communication between components in the secure zone
Access to the secure zone systems; Local Operator (end user and administrator) access; Remote Operator Access (teleworking, “on-call” duties, or remote administration)
Restriction of Internet access; Segregation from General Enterprise IT Services; Virtualisation
Systems within the secure zone implement application whitelisting, allowing only trusted applications to be executed; Operating System Privileged Account Control; Internal Data Flow Security
Security Updates; System Hardening; Back-office Data Flow Security
External Transmission Data Protection; Operator Session Confidentiality and Integrity; Vulnerability Scanning
Critical Activity Outsourcing; Transaction Business Controls; Physical Security
Token Management; Personnel Vetting Process; Physical and Logical Password Storage
Security Training and Awareness; Penetration Testing; Scenario Risk Assessment
CIS Controls v7.1 mapped to Monetary Authority of Singapore's (MAS) Technology Risk Management (TRM) Guidance
Rows (CIS v7.1 sub-controls, prefixed as in the sheet):
System 1.2 - 1.8
System 2.2 - 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1 - 3.7
System 4.2 - 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1 - 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1 - 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1 - 7.10
Critical Security Control #8: Malware Defenses
System 8.1 - 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1 - 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1 - 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1 - 11.7
Critical Security Control #12: Boundary Defense
Network 12.1 - 12.12
Critical Security Control #13: Data Protection
Network 13.1 - 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1 - 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1 - 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1 - 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1 - 17.9
Critical Security Control #18: Application Software Security
Application 18.1 - 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1 - 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1 - 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
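Sub-controls 3.6 and 3.7 above ask for consecutive scan results to be compared and for the remaining findings to be risk-rated. The following is an added example, not part of the CIS Controls text or of the mapping tool: it diffs two scan exports keyed by (host, check id), classifies each finding as remediated, new or persisting, and orders the open findings by a simple rating in which a finding that survived a scan cycle sorts ahead of a new one of equal score. The record layout, the check identifiers, the host-tier exposure weights and both scan exports are constructed for the example.

```python
"""Compare two consecutive vulnerability scan exports and prioritise what is
still open. Added example; not CIS Controls or Master Mappings Tool code.
The Finding layout, check ids, tier weights and sample exports are assumed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner-specific identifier for the check (assumed field)
    cvss: float     # CVSS base score as reported by the scanner


# Constructed sample exports: last week's scan and this week's scan.
LAST_WEEK = [
    Finding("db01", "CHK-1001", 9.8),
    Finding("db01", "CHK-1002", 5.3),
    Finding("web01", "CHK-2001", 7.5),
    Finding("web01", "CHK-2002", 4.0),
]
THIS_WEEK = [
    Finding("db01", "CHK-1002", 5.3),    # still open
    Finding("web01", "CHK-2001", 7.5),   # still open
    Finding("web02", "CHK-2001", 7.5),   # same check, newly seen host
    Finding("web01", "CHK-2003", 9.1),   # new finding
]

# Assumed exposure weights per host tier; a real rating would draw on the
# asset inventory (Control 1) rather than on the hostname.
EXPOSURE = {"web": 1.5, "db": 1.2}


def compare_scans(previous: Iterable[Finding], current: Iterable[Finding]) -> Dict[str, list]:
    """Set difference on (host, check_id): what closed, what appeared, what stayed."""
    prev = {(f.host, f.check_id) for f in previous}
    cur = {(f.host, f.check_id) for f in current}
    return {
        "remediated": sorted(prev - cur),
        "new": sorted(cur - prev),
        "persisting": sorted(prev & cur),
    }


def risk_rating(f: Finding) -> float:
    tier = f.host.rstrip("0123456789")
    return round(f.cvss * EXPOSURE.get(tier, 1.0), 2)


def prioritized_open(current: Iterable[Finding], previous: Iterable[Finding]) -> List[dict]:
    """Open findings ordered by rating; persisting findings are escalated
    ahead of new findings with the same rating because they already missed
    one remediation window."""
    prev = {(f.host, f.check_id) for f in previous}
    rows = [
        {"host": f.host, "check_id": f.check_id, "rating": risk_rating(f),
         "persisting": (f.host, f.check_id) in prev}
        for f in current
    ]
    rows.sort(key=lambda r: (-r["rating"], not r["persisting"], r["host"]))
    return rows


if __name__ == "__main__":
    print(compare_scans(LAST_WEEK, THIS_WEEK))
    for row in prioritized_open(THIS_WEEK, LAST_WEEK):
        print(row)
```

Keying on (host, check id) is deliberate: a scanner that reports the same check against a new host produces a new finding, not a persisting one, which is what the remediation owner needs to see.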
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
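Sub-control 11.3 asks for each device's running configuration to be compared against its approved configuration, with an alert on any deviation. The block below is an added example, not CIS Controls or mapping-tool code: it normalises two IOS-style configuration texts into line sets and reports baseline lines that have disappeared, lines the baseline does not sanction, and the subset of those that match a watch-list of prefixes that should never appear. Both configurations, the device name and the watch-list are constructed for the example.

```python
"""Detect drift between an approved network device baseline and the running
configuration. Added example; not CIS Controls or Master Mappings Tool code.
Both configs are constructed IOS-style text; the watch-list is an assumption."""
from typing import Dict, List, Set

# Constructed approved baseline for an edge switch.
BASELINE = """\
service password-encryption
no ip http server
no ip http secure-server
ip ssh version 2
aaa new-model
logging host 10.0.0.50
line vty 0 4
 transport input ssh
"""

# Constructed running config pulled from the device: HTTP management was
# re-enabled, telnet was added to the vty line, and a local account appeared.
RUNNING = """\
service password-encryption
ip http server
no ip http secure-server
ip ssh version 2
aaa new-model
logging host 10.0.0.50
username tempadmin privilege 15 secret 0 changeme
line vty 0 4
 transport input telnet ssh
"""

# Lines whose presence is a deviation even if the baseline is silent about
# them (assumed watch-list; extend per device class).
FORBIDDEN_PREFIXES = ("ip http server", "username ")


def normalise(cfg: str) -> Set[str]:
    """One set entry per effective line. Leading indentation is kept so that a
    sub-command under 'line vty' stays distinct from a global command."""
    return {
        line.rstrip()
        for line in cfg.splitlines()
        if line.strip() and not line.lstrip().startswith("!")
    }


def find_deviations(baseline: str, running: str) -> Dict[str, List[str]]:
    base, run = normalise(baseline), normalise(running)
    missing = sorted(base - run)        # baseline lines no longer present
    extra = sorted(run - base)          # lines not sanctioned by the baseline
    forbidden = sorted(
        line for line in extra if line.lstrip().startswith(FORBIDDEN_PREFIXES)
    )
    return {"missing": missing, "extra": extra, "forbidden": forbidden}


def alert(device: str, deviations: Dict[str, List[str]]) -> List[str]:
    """Render one alert line per deviation for the ticketing or SIEM feed."""
    msgs = [f"{device}: missing baseline line: {l}" for l in deviations["missing"]]
    msgs += [f"{device}: unsanctioned line: {l}" for l in deviations["extra"]]
    return msgs


if __name__ == "__main__":
    for msg in alert("sw-edge-01", find_deviations(BASELINE, RUNNING)):
        print(msg)
```

A line-set comparison is order-insensitive, which is fine for most global IOS commands but not for access-list entries, where order is the policy; for those, and for hierarchical configurations, compare parsed structures rather than lines.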
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to laterally
move and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off of a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
curity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
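Sub-control 16.4 requires stored credentials to be encrypted or hashed with a salt. The block below is an added example, not CIS Controls or mapping-tool code: it places the unsalted single-pass digest that 16.4 rules out next to a per-credential random salt with an iterated PBKDF2-HMAC-SHA256 derivation, verified in constant time, plus a check that lets legacy records be upgraded after a successful login. The stored record format, the iteration count and the rehash policy are assumptions; standard-library calls only.

```python
"""Salted, iterated credential storage with constant-time verification.
Added example; not CIS Controls or Master Mappings Tool code. The record
format 'pbkdf2_sha256$iterations$salt$hash' and the cost are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 210_000      # assumed cost; raise as hardware allows
SALT_BYTES = 16


def weak_store(password: str) -> str:
    """What 16.4 rules out: an unsalted, single-pass digest. Every user with
    the same password gets the same value, and precomputed tables apply."""
    return hashlib.sha256(password.encode()).hexdigest()


def store(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Per-credential random salt plus an iterated derivation."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and cost; compare in constant time so a
    timing side channel does not reveal how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:          # malformed record: refuse, do not crash
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when the record predates the current cost or format. Call after
    a successful verify() and re-store with the plaintext just presented."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    rec = store("correct horse battery staple")
    print(rec)
    print(verify("correct horse battery staple", rec), verify("wrong", rec))
```

Two records for the same password differ because each carries its own salt; that alone defeats the table lookup and per-site reuse that the weak form allows, and the iteration count is what makes bulk guessing expensive.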
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
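Sub-control 16.13 asks for an alert when a login departs from a user's normal time-of-day, workstation or session duration. The block below is an added example, not CIS Controls or mapping-tool code: it learns a per-user baseline (workstations seen, logon hours observed, duration mean and spread) from a history of logon records and scores new records against it, reporting every reason a record is anomalous. The log line format, the thresholds and every log line are constructed for the example.

```python
"""Flag logins that deviate from a user's baseline: unseen workstation,
unusual hour, or session duration far from the norm. Added example; not CIS
Controls or Master Mappings Tool code. Log format, thresholds and all log
lines are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) duration=(?P<dur>\d+)$"
)

# Constructed baseline history (duration in minutes).
HISTORY = """\
2024-03-04T08:55:00 user=alice host=WS-ALICE duration=540
2024-03-05T09:02:00 user=alice host=WS-ALICE duration=510
2024-03-06T08:47:00 user=alice host=WS-ALICE duration=560
2024-03-07T09:10:00 user=alice host=WS-ALICE duration=530
2024-03-08T08:58:00 user=alice host=LAPTOP-ALICE duration=480
2024-03-04T07:30:00 user=bob host=WS-BOB duration=600
2024-03-05T07:40:00 user=bob host=WS-BOB duration=610
2024-03-06T07:35:00 user=bob host=WS-BOB duration=590
""".splitlines()

# Constructed events to evaluate against that baseline.
NEW_EVENTS = """\
2024-03-11T09:05:00 user=alice host=WS-ALICE duration=520
2024-03-11T23:40:00 user=alice host=WS-BOB duration=45
2024-03-12T07:38:00 user=bob host=WS-BOB duration=1900
""".splitlines()


def parse(line: str):
    m = LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "host": m["host"], "dur": int(m["dur"])}


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per user: workstations seen, logon hours seen, and all durations."""
    per_user = defaultdict(lambda: {"hosts": set(), "hours": set(), "durs": []})
    for ev in filter(None, map(parse, lines)):
        b = per_user[ev["user"]]
        b["hosts"].add(ev["host"])
        b["hours"].add(ev["ts"].hour)
        b["durs"].append(ev["dur"])
    return per_user


def anomalies(baseline, lines: List[str], hour_slack: int = 1,
              dur_sigma: float = 3.0) -> List[Tuple[str, List[str]]]:
    """(line, reasons) for each event that deviates; clean events are omitted."""
    out = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            out.append((line, ["unparseable line"]))
            continue
        if ev["user"] not in baseline:
            out.append((line, ["no baseline for user"]))
            continue
        b, reasons = baseline[ev["user"]], []
        if ev["host"] not in b["hosts"]:
            reasons.append(f"unseen workstation {ev['host']}")
        if all(abs(ev["ts"].hour - h) > hour_slack for h in b["hours"]):
            reasons.append(f"unusual hour {ev['ts'].hour:02d}")
        mean, sd = statistics.mean(b["durs"]), statistics.pstdev(b["durs"])
        if sd and abs(ev["dur"] - mean) > dur_sigma * sd:
            reasons.append(f"duration {ev['dur']} outside {mean:.0f}+/-{dur_sigma * sd:.0f}")
        if reasons:
            out.append((line, reasons))
    return out


if __name__ == "__main__":
    for line, reasons in anomalies(build_baseline(HISTORY), NEW_EVENTS):
        print(line, "->", "; ".join(reasons))
```

The hour check does not wrap around midnight and the duration test assumes enough history for a meaningful spread; a production detector would also treat "no baseline for user" as a first-seen event to enrich rather than a hard alert.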
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.
Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the
organization.
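Sub-control 18.2 calls for explicit, documented error checking on all input for size, data type and acceptable range or format. The validator below is an added example, not CIS Controls or mapping-tool code: it checks a transfer request against an allow-list of fields, types each field before using it, bounds size and range, and reports every failure rather than stopping at the first, so the caller can log a complete picture of a malformed request. The request schema, account-number format, currency set, limits and sample inputs are assumptions.

```python
"""Explicit input checking for every field: type, size, range, format.
Added example; not CIS Controls or Master Mappings Tool code. The transfer
schema, account format, currency set and limits are assumptions."""
import re
from decimal import Decimal, InvalidOperation
from typing import List

ACCOUNT_RE = re.compile(r"^[A-Z]{2}\d{8}$")        # assumed account id format
CURRENCIES = {"SGD", "USD", "EUR"}                  # assumed accepted codes
MAX_MEMO = 140                                      # bytes
MIN_AMOUNT, MAX_AMOUNT = Decimal("0.01"), Decimal("1000000.00")
ALLOWED_FIELDS = {"from_account", "to_account", "amount", "currency", "memo"}


def validate_transfer(req) -> List[str]:
    """Return a list of error strings; an empty list means the request passed."""
    if not isinstance(req, dict):
        return ["request must be an object"]
    errors = []

    # Unknown fields are rejected rather than ignored: mass-assignment guard.
    for key in sorted(set(req) - ALLOWED_FIELDS):
        errors.append(f"unexpected field: {key}")

    # Format check on identifiers, after confirming the type.
    for field in ("from_account", "to_account"):
        value = req.get(field)
        if not isinstance(value, str) or not ACCOUNT_RE.match(value):
            errors.append(f"{field}: must match {ACCOUNT_RE.pattern}")

    # Amount must arrive as a decimal string: floats bring rounding surprises.
    amount = req.get("amount")
    if not isinstance(amount, str):
        errors.append("amount: must be a decimal string")
    else:
        try:
            d = Decimal(amount)
        except InvalidOperation:
            d = None
        if d is None or not d.is_finite():
            errors.append("amount: not a finite decimal")
        elif not (MIN_AMOUNT <= d <= MAX_AMOUNT):
            errors.append("amount: must be between 0.01 and 1000000.00")
        elif d != d.quantize(Decimal("0.01")):
            errors.append("amount: at most 2 decimal places")

    if req.get("currency") not in CURRENCIES:
        errors.append("currency: not an accepted code")

    # Size in bytes, not characters, and no control characters in free text.
    memo = req.get("memo", "")
    if not isinstance(memo, str):
        errors.append("memo: must be a string")
    elif len(memo.encode("utf-8")) > MAX_MEMO or any(ord(c) < 32 for c in memo):
        errors.append(f"memo: max {MAX_MEMO} bytes, no control characters")

    return errors


if __name__ == "__main__":
    sample = {"from_account": "SG12345678", "to_account": "SG87654321",
              "amount": "250.00", "currency": "SGD", "memo": "rent"}   # constructed
    print(validate_transfer(sample))
    print(validate_transfer({**sample, "amount": 250.0, "debug": True}))
```

Returning all errors at once is a deliberate choice: the log entry then documents exactly which checks a rejected request failed, which is the "documented" part of 18.2 and is also what an analyst needs when the rejections are probing rather than accidental.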
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain comfort in responding to real-world threats. Exercises should test
communication channels, decision making, and incident responder’s technical capabilities using
tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[MAS TRM mapping matrix: only the "X" marks survived extraction and can no longer be associated with their rows. The column numbers and headings, in sheet order, were:]
3 4 5
Acquisition and Development of Information Systems; IT Service Management; Systems Reliability, Availability, and Recoverability (6 7 8)
Operational Infrastructure Security Management; Data Centres Protection and Controls; Access Controls (9 10 11)
Online Financial Services; Payment Card Security; IT Audit (12 13 14)
CIS Controls v7.1 mapped to Saudi Arabian Monetary Authority Cyber
Security Framework (v1.0)
Rows (CIS v7.1 sub-controls, prefixed as in the sheet):
System 1.2 - 1.8
System 2.2 - 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1 - 3.7
System 4.2 - 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1 - 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1 - 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1 - 7.10
Critical Security Control #8: Malware Defenses
System 8.1 - 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1 - 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1 - 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1 - 11.7
Critical Security Control #12: Boundary Defense
Network 12.1 - 12.12
Critical Security Control #13: Data Protection
Network 13.1 - 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1 - 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1 - 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1 - 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1 - 17.9
Critical Security Control #18: Application Software Security
Application 18.1 - 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1 - 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1 - 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized
The organization's software is blocked
application whitelisting softwarefrom
mustexecuting on assets.
ensure that only authorized software
libraries
The organization's application whitelisting software must ensure that onlyprocess.
(such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
curity Control
Utilize#3: Continuous
an up-to-date Vulnerability
Security Assessment
Content Automation Protocol and
(SCAP)Remediation
compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most
Deploy recent security
automated updates
software provided
update tools inby the software
order to ensurevendor.
that third-party software on all systems
is
Regularly compare the results from consecutive vulnerabilitysoftware
running the most recent security updates provided by the scans to vendor.
verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to laterally move and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
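As an added illustration of the two monitoring items above (audit logging of attempts against deactivated accounts, and alerting when a login deviates from a user's normal time-of-day or workstation), the following Python is example code written for this page; it is not part of the CIS Controls text or of any product. The log line format, the deactivated-account list, the per-user baselines and the sample log lines are all constructed for the example, and session duration, which the control also names, is not modelled.

```python
"""Flag logins that deviate from a user's normal behaviour and attempts on deactivated accounts.

Added example, not part of the CIS Controls text. The log format, the per-user
baselines and the log lines are constructed; a real deployment would derive
baselines from historical audit logs rather than hard-code them.
"""
import re
from datetime import datetime, timezone

# Constructed log format: "<ISO-8601 UTC timestamp> user=<name> host=<workstation> result=<outcome>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$")

# Accounts that have been disabled but intentionally not deleted (assumed list).
DEACTIVATED_ACCOUNTS = {"contractor01"}

# Assumed per-user baselines: usual login hours (UTC) and usual workstations.
BASELINES = {
    "jdoe": {"hours": range(7, 20), "hosts": {"WS-ACCT-12"}},
    "asmith": {"hours": range(8, 19), "hosts": {"WS-ENG-03", "WS-ENG-04"}},
}

# Constructed sample audit log: one normal login, one off-hours login, one login
# from an unusual workstation, one attempt on a deactivated account, one bad line.
SAMPLE_LOG = [
    "2024-05-06T09:15:02Z user=jdoe host=WS-ACCT-12 result=success",
    "2024-05-06T03:12:44Z user=jdoe host=WS-ACCT-12 result=success",
    "2024-05-06T10:02:10Z user=asmith host=WS-ACCT-12 result=success",
    "2024-05-06T22:40:05Z user=contractor01 host=VPN-GW-1 result=failure",
    "this line is not in the expected format",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "host": m["host"], "result": m["result"]}


def evaluate(event):
    """Return the list of alert reasons for one login event (empty when it looks normal)."""
    user = event["user"]
    # Any attempt, successful or not, against a disabled account is reportable on its own.
    if user in DEACTIVATED_ACCOUNTS:
        return ["deactivated-account-access"]
    baseline = BASELINES.get(user)
    if baseline is None:
        return ["account-without-baseline"]
    reasons = []
    if event["ts"].hour not in baseline["hours"]:
        reasons.append("off-hours-login")
    if event["host"] not in baseline["hosts"]:
        reasons.append("unusual-workstation")
    return reasons


def scan_log(lines):
    """Evaluate every parseable line; return (user, timestamp, reasons) for the anomalous ones."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skipped here; production code should count unparseable lines too
        reasons = evaluate(event)
        if reasons:
            findings.append((event["user"], event["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

The deactivated-account check runs before any baseline comparison because the control treats such attempts as reportable regardless of whether they succeed; the `result` field is kept in the parsed event so a reviewer can distinguish a blocked attempt from a disabled account that still authenticates.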
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix: only the column headings survived extraction. Columns: Cyber Security Governance; Cyber Security Strategy; Cyber Security Policy; Cyber Security Architecture; Identity and Access Management; Application Security; Change Management; Infrastructure Security; Cryptography; Bring Your Own Device (BYOD); Secure Disposal of Information Assets; Payment Systems; Electronic Banking Services; Cyber Security Event Management; Cyber Security Incident Management; Outsourcing; Cloud Computing (labelled 3.4.2 and 3.4.3). The X marks showing which CIS Controls map to each column are not recoverable from the extracted text.]
CIS Controls v7.1 mapped to NERC CIP v7
System 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
System 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
System 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
Critical Security Control #8: Malware Defenses
System 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, 9.2, 9.3, 9.4, 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1, 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Critical Security Control #12: Boundary Defense
Network 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Critical Security Control #13: Data Protection
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Critical Security Control #18: Application Software Security
Application 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
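To illustrate the item above (and the same item in the earlier listing of this control on this page), here is an added Python example. It is not part of the CIS Controls text or of any scanner's tooling: it compares two consecutive scan exports keyed by host and vulnerability identifier and reports what was remediated, what is new, and which persistent findings have passed an assumed per-severity remediation deadline. The findings, their placeholder identifiers and the deadlines are all constructed for the example.

```python
"""Remediation check across two consecutive vulnerability scans.

Added example, not part of the CIS Controls text. Two scan exports are
compared by (host, vulnerability id) to report what was remediated, what is
new, and which persistent findings have exceeded a remediation deadline.
The scan records and the per-severity deadlines are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation deadlines in days per severity (a policy choice, not from the page).
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # scanner's vulnerability identifier (placeholder ids below)
    severity: str     # one of the keys in REMEDIATION_SLA_DAYS
    first_seen: date  # date the scanner first reported this finding on this host


# Constructed sample exports: last week's scan and the current one.
PREVIOUS_SCAN = [
    Finding("host-a", "VULN-0001", "critical", date(2024, 4, 20)),
    Finding("host-a", "VULN-0002", "low", date(2024, 4, 20)),
    Finding("host-b", "VULN-0003", "high", date(2024, 4, 20)),
]
CURRENT_SCAN = [
    Finding("host-a", "VULN-0002", "low", date(2024, 4, 20)),
    Finding("host-b", "VULN-0003", "high", date(2024, 4, 20)),
    Finding("host-c", "VULN-0004", "medium", date(2024, 5, 8)),
]


def _index(findings):
    """Key each finding by (host, vuln_id) so the two scans can be set-compared."""
    return {(f.host, f.vuln_id): f for f in findings}


def compare_scans(previous, current, as_of):
    """Classify findings as remediated, new or persistent; flag persistent ones past SLA.

    A finding counts as remediated only because it is absent from the current
    scan, so a host that was simply not scanned this time would wrongly look
    clean; scan coverage must be checked separately.
    """
    prev, curr = _index(previous), _index(current)
    remediated = sorted(prev.keys() - curr.keys())
    new = sorted(curr.keys() - prev.keys())
    persistent = sorted(prev.keys() & curr.keys())

    overdue = []
    for key in persistent:
        # Age is measured from the earlier scan's first_seen so a rescan cannot reset the clock.
        finding = prev[key]
        age_days = (as_of - finding.first_seen).days
        if age_days > REMEDIATION_SLA_DAYS[finding.severity]:
            overdue.append((key, finding.severity, age_days))

    return {"remediated": remediated, "new": new, "persistent": persistent, "overdue": overdue}


def example_report():
    """Run the comparison on the constructed sample scans as of the current scan date."""
    return compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, as_of=date(2024, 5, 8))


if __name__ == "__main__":
    for section, rows in example_report().items():
        print(section, rows)
```

Keying on (host, vulnerability id) rather than on the vulnerability alone is deliberate: the same weakness fixed on one host and still present on another must not be reported as remediated.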
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
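As an added example for the item above (and its earlier occurrence on this page), the Python below was written for this page rather than taken from the CIS Controls or any vendor tool. It compares an IOS-style running configuration against an approved baseline, keeping each nested command tied to its parent section, and lists the deviations on which to alert. Both configurations and the list of volatile lines are constructed assumptions.

```python
"""Detect deviations of a network device's running configuration from its approved baseline.

Added example, not part of the CIS Controls text. Both configurations are
constructed IOS-style snippets; the volatile-line patterns are an assumption
about lines the device rewrites on its own.
"""
import re

# Lines the device changes by itself; excluded so they do not raise false deviations (assumed list).
VOLATILE_PATTERNS = [re.compile(p) for p in (
    r"^ntp clock-period ",
)]

# Constructed approved baseline.
BASELINE_CONFIG = """
service password-encryption
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

# Constructed running config: HTTP has been enabled and telnet allowed on the VTY lines.
RUNNING_CONFIG = """
! Last configuration change at 10:32:11 UTC Mon May 6 2024
service password-encryption
ip http server
ip ssh version 2
line vty 0 4
 transport input ssh telnet
 exec-timeout 10 0
"""


def qualified_lines(config_text):
    """Return the set of configuration lines, each prefixed with its enclosing sections.

    Indentation marks nesting, so ' transport input ssh' under 'line vty 0 4'
    becomes 'line vty 0 4 / transport input ssh'. Comparing qualified lines keeps
    a child command tied to the section it belongs to. Comment lines ('!') and
    volatile lines are ignored.
    """
    lines = set()
    stack = []  # (indent width, command text) for the enclosing sections
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if any(p.match(text) for p in VOLATILE_PATTERNS):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, text))
        lines.add(" / ".join(cmd for _, cmd in stack))
    return lines


def compare_to_baseline(baseline_text, running_text):
    """Report baseline lines missing from the device and device lines the baseline does not allow."""
    baseline = qualified_lines(baseline_text)
    running = qualified_lines(running_text)
    return {
        "missing": sorted(baseline - running),
        "unexpected": sorted(running - baseline),
    }


def has_deviations(result):
    """True when either list is non-empty; this is the condition on which to alert."""
    return bool(result["missing"] or result["unexpected"])


if __name__ == "__main__":
    result = compare_to_baseline(BASELINE_CONFIG, RUNNING_CONFIG)
    for kind, lines in result.items():
        for line in lines:
            print(f"{kind}: {line}")
```

Reporting both directions matters: a missing hardening line (here `no ip http server`) and an unexpected permissive one (`transport input ssh telnet`) are different deviations, and a check that only looks for absent baseline lines would miss newly added services.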
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to laterally move and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security
Disable wireless peripheral access (EAP/TLS),
of devices that
[suchrequires mutual,
as Bluetooth andmulti-factor
Near Field authentication.
Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix: the X marks could not be aligned to sub-control rows in the extraction; only the NERC CIP column headings are kept.]
Attachment 1: Incorporates the "Bright Line Criteria" to classify BES Assets as Low, Medium, or High. Called BES Cyber Systems consolidating CAs and CCAs.
CIP-002-5: BES Cyber System Lists must be reviewed and approved every 15 calendar months.
Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by CIP Senior Manager every 15 calendar months.
Cyber Security Policies approved for Low Impact Assets by CIP Senior Manager every 15 Calendar Months.
Identify a CIP Senior Manager and document any change within 30 calendar days of the change.
CIP Senior Manager must document any delegates.
Interactive Remote Access Management
Physical Security Plan
Visitor Control Plan
Maintenance and Testing Program
Ports and Services
Security Patch Management
Malicious Code Prevention
Security Event Monitoring
System Access Controls
Cyber Security Incident Response Plan
Implementation and testing of Cyber Security Incident Response Plans
Cyber Security Incident Response Plan Review, Update and Communication
Configuration Change Management Process
Configuration Monitoring
Vulnerability Assessments
Information Protection Process
BES Cyber Asset Reuse and Disposal
Supply Chain Risk Management Plan
CIP-014-2 R5
CIP-014-2 R6
CIS Controls v7.1 mapped to NERC CIP v6
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
[Mapping matrix: the X marks could not be aligned to sub-control rows in the extraction; only the NERC CIP column headings are kept.]
Attachment 1: Incorporates the "Bright Line Criteria" to classify BES Assets as Low, Medium, or High. Called BES Cyber Systems consolidating CAs and CCAs.
CIP-002-5: BES Cyber System Lists must be reviewed and approved every 15 calendar months.
Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by CIP Senior Manager every 15 calendar months.
Cyber Security Policies approved for Low Impact Assets by CIP Senior Manager every 15 Calendar Months.
Identify a CIP Senior Manager and document any change within 30 calendar days of the change.
CIP Senior Manager must document any delegates.
Interactive Remote Access Management
Physical Security Plan
Visitor Control Plan
Maintenance and Testing Program
Ports and Services
Security Patch Management
Malicious Code Prevention
Security Event Monitoring
System Access Controls
Cyber Security Incident Response Plan
Implementation and testing of Cyber Security Incident Response Plans
Cyber Security Incident Response Plan Review, Update and Communication
Configuration Change Management Process
Configuration Monitoring
Vulnerability Assessments
Information Protection Process (CIP-011-2 R1)
BES Cyber Asset Reuse and Disposal (CIP-011-2 R2)
CIS Controls v7.1 mapped to NERC CIP v5
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to laterally move and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
NERC CIP requirement columns of the mapping matrix (the per-control mapping marks are not reproduced here):
Attachment 1 CIP-002-5: Incorporates the "Bright Line Criteria" to classify BES Assets as Low, Medium, or High. Called BES Cyber Systems consolidating CAs and CCAs
BES Cyber System Lists must be reviewed and approved every 15 calendar months
Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by CIP Senior Manager every 15 calendar months
Cyber Security Policies approved for Low Impact Assets by CIP Senior Manager every 15 Calendar Months
Identify a CIP Senior Manager and document any change within 30 calendar days of the change
CIP Senior Manager must document any delegates
Interactive Remote Access Management
Physical Security Plan
Visitor Control Plan
Maintenance and Testing Program
Security Patch Management
Ports and Services
Malicious Code Prevention
Security Event Monitoring
System Access Controls
Cyber Security Incident Response Plan
Implementation and testing of Cyber Security Incident Response Plans
Cyber Security Incident Response Plan Review, Update and Communication
Configuration Change Management Process
Configuration Monitoring
Vulnerability Assessments
Information Protection Process (CIP-011-1 R1)
BES Cyber Asset Reuse and Disposal (CIP-011-1 R2)
CIS Controls v7.1 mapped to NERC CIP v4
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development
Apply static and dynamic environment and to
analysis tools responsibilities.
verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
Protect
means web
for applications
external byto
entities deploying web security
application
contactproduction
your firewalls (WAFs) that inspect all traffic
group.
Maintain
flowing toseparate
the webenvironments
application forforcommon web and non-production
application systems.
attacks. For Developers
applications should
that are not not
have unmonitored access to production environments.
web-based, specific application firewalls should be deployed if such tools are available for the given
application type.that
For applications If the traffic
rely on aisdatabase,
encrypted,usethe device should
standard hardening either sit behind the
configuration encryption
templates. All or be
capable of decrypting the traffic prior to analysis. If neither option
systems that are part of critical business processes should also be tested. is appropriate, a host-based web
application firewall should be deployed.
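Sub-control 18.2 asks for explicit, documented checks on every input for size, data type, and acceptable ranges or formats. The Python below is an added example, not part of the Master Mappings Tool, of what that looks like in code: a declared schema per field, an exact type check, a length cap applied before any pattern matching, and a fail-closed result that also rejects fields the schema does not know. The field names, limits and regular expressions in SCHEMA are assumptions chosen for illustration.

```python
"""Explicit input checking for in-house software (sub-control 18.2): every
field of a request is validated for data type, size, and acceptable range or
format, and the request is rejected if any check fails or an unexpected field
is present. Added example, not part of the Master Mappings Tool; the fields,
limits and patterns in SCHEMA are assumptions chosen for illustration."""
import re

# Hypothetical rules for a "create user" request
SCHEMA = {
    "username": {"type": str, "max_len": 32,
                 "pattern": re.compile(r"[a-z][a-z0-9_]{2,31}")},
    "email":    {"type": str, "max_len": 254,
                 "pattern": re.compile(r"[^@\s]{1,64}@[^@\s]+\.[a-z]{2,}", re.IGNORECASE)},
    "age":      {"type": int, "min": 13, "max": 120},
    "role":     {"type": str, "max_len": 16, "allowed": {"viewer", "editor"}},
}


def validate(payload: dict) -> list:
    """Return every failed check as a message; an empty list means accept.
    Unknown fields are errors too: the check is explicit, not permissive."""
    errors = []
    for name in payload:
        if name not in SCHEMA:
            errors.append(f"{name}: unexpected field")
    for name, rule in SCHEMA.items():
        if name not in payload:
            errors.append(f"{name}: missing")
            continue
        value = payload[name]
        # exact type check: bool is a subclass of int, so isinstance() would let True through as an int
        if type(value) is not rule["type"]:
            errors.append(f"{name}: expected {rule['type'].__name__}, got {type(value).__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']} characters")
            continue  # do not run a regex over oversized input
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{name}: does not match the required format")
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{name}: must be one of {sorted(rule['allowed'])}")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")
    return errors


def accept(payload: dict) -> bool:
    """Fail closed: the request is accepted only when no check failed."""
    return not validate(payload)


if __name__ == "__main__":
    good = {"username": "alice_01", "email": "alice@example.org", "age": 34, "role": "editor"}
    bad = {"username": "Robert'); DROP TABLE users;--", "email": "not-an-email",
           "age": "34", "role": "admin", "debug": True}
    print(validate(good))
    for err in validate(bad):
        print(err)
```

The declared schema is also the documentation 18.2 asks for: the rules live next to the code and the returned messages say exactly which one failed. Checking length before running a regular expression keeps oversized input from turning a pattern into a denial-of-service vector, and the exact type test is needed because in Python a bool is an int, so isinstance would accept True as an age.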
Critical Security Control #19: Incident Response and Management
19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
[Mapping matrix for the CIP sheet of the Master Mappings Tool (v7.1a): the X marks that map each sub-control to a requirement column are not recoverable from this extraction. Column headings that survive: CIP Senior Manager; Cyber Security Policy; Identification; Exceptions to the Cyber Security Policy; Awareness: Security Awareness Program; Training: Cyber Security Training Program; Personnel Risk Assessment; Electronic Security Perimeters: All CCAs must reside within an ESP; Electronic Access Controls; Monitoring Electronic Access; Cyber Vulnerability Assessment; Documentation Review and Maintenance; Physical Security Plan; Protection of Physical Access Control Systems; Protection of Electronic Access Control Systems; Physical Access Controls; Monitoring Physical Access; Logging Physical Access; Security Status Monitoring; Account Management; Disposal or Redeployment; Cyber Security Incident Response Plan; Cyber Security Incident Documentation; Recovery Plans; Exercises.]
Sub-control index by asset type:
System: 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
System: 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
System: 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5
Critical Security Control #10: Data Recovery Capabilities
System: 10.1, 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
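Sub-controls 3.6 and 3.7 together describe a procedure: diff consecutive scans, then rank what remains open by risk and by how long it has been open. The Python below, an added example rather than anything shipped with the Master Mappings Tool, runs that procedure over two constructed scan results. The placeholder finding ids, the severity scale, the FIRST_SEEN dates and the per-severity SLA_DAYS are assumptions.

```python
"""Compare consecutive vulnerability scans (sub-control 3.6) and rank what is
still open by severity and remediation deadline (3.7).
Added example: the findings, the severity scale and the per-severity SLAs are
constructed assumptions, not data from the Master Mappings Tool."""
from datetime import date

SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}  # assumed policy
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
TODAY = date(2024, 6, 30)  # fixed date so the example is reproducible

# Constructed scan output: (host, finding id, severity). The ids are placeholders.
PREVIOUS_SCAN = [
    ("web01", "F-101", "critical"),
    ("web01", "F-102", "high"),
    ("db01", "F-103", "medium"),
]
CURRENT_SCAN = [
    ("web01", "F-102", "high"),      # still open since the last scan
    ("db01", "F-103", "medium"),     # still open
    ("db01", "F-104", "critical"),   # newly discovered
]
# When each open finding was first reported (constructed)
FIRST_SEEN = {("web01", "F-102"): date(2024, 5, 1), ("db01", "F-103"): date(2024, 6, 1)}


def diff_scans(previous, current):
    """Classify findings as remediated, new, or persisting between two scans."""
    prev = {(host, fid) for host, fid, _ in previous}
    cur = {(host, fid) for host, fid, _ in current}
    return {
        "remediated": sorted(prev - cur),
        "new": sorted(cur - prev),
        "persisting": sorted(prev & cur),
    }


def prioritize(current, first_seen, today):
    """Order open findings by severity rank, then by days past the SLA."""
    rows = []
    for host, fid, severity in current:
        seen = first_seen.get((host, fid), today)  # a new finding starts its clock today
        age = (today - seen).days
        rows.append({
            "host": host, "finding": fid, "severity": severity,
            "age_days": age, "overdue_days": max(age - SLA_DAYS[severity], 0),
        })
    return sorted(rows, key=lambda r: (RANK[r["severity"]], -r["overdue_days"]))


def remediation_report(previous, current, first_seen, today):
    """The scan diff plus the prioritized queue of everything still open."""
    report = diff_scans(previous, current)
    report["queue"] = prioritize(current, first_seen, today)
    return report


if __name__ == "__main__":
    report = remediation_report(PREVIOUS_SCAN, CURRENT_SCAN, FIRST_SEEN, TODAY)
    print("remediated:", report["remediated"])
    print("new:", report["new"])
    for row in report["queue"]:
        print(row)
```

Keying findings on (host, id) rather than on id alone matters: the same weakness on two hosts is two remediation items, and a finding that disappears from one host while persisting on another must not be reported as remediated. The SLA clock starts at first observation, not at the current scan, which is what makes 3.6's "in a timely manner" measurable.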
Critical Security Control #10: Data Recovery Capabilities
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
14.1 Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
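Sub-control 14.9 names File Integrity Monitoring as one of the tools for logging changes to sensitive data. As an added example (not from the Master Mappings Tool), the Python below implements the core of such a monitor: a baseline of SHA-256 digests for a directory, a rescan, and a report of modified, added and removed files. The directory and its files are constructed in a temporary location so it runs offline.

```python
"""Minimal file integrity monitoring in the spirit of sub-control 14.9: take a
baseline of digests for a directory holding sensitive data, then report files
that were modified, added or removed on a later scan.
Added example: the directory, file names and contents are constructed in a
temporary directory so the script runs offline."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines into the three event types an auditor cares about."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo() -> dict:
    """Build a constructed sensitive directory, baseline it, tamper, rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "payroll.csv").write_text("id,amount\n1,100\n")
        (root / "policy.txt").write_text("need-to-know only\n")
        before = baseline(root)
        (root / "payroll.csv").write_text("id,amount\n1,100000\n")  # unauthorized change
        (root / "policy.txt").unlink()                              # deletion
        (root / "dump.sql").write_text("-- unexpected export\n")    # new file
        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline must be stored where the monitored host cannot rewrite it (off-host or signed), scheduled rescans should feed the SIEM named in the same sub-control, and the monitored set should include the access-control configuration as well as the data, since changing an ACL is as interesting as changing the file it protects.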
Critical Security Control #15: Wireless Access Control
15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
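Sub-controls 16.9, 16.12 and 16.13 are detection rules, so as an added example (not from the Master Mappings Tool) the Python below runs all three over a constructed account inventory and a constructed authentication log: it lists dormant enabled accounts, flags any attempt against a disabled account, and alerts on successful logins outside a user's baseline hours or from a workstation the baseline has not seen. The log format, the DORMANT_AFTER window and the BASELINE profiles are assumptions.

```python
"""Three account-monitoring checks from this control run over a constructed
inventory and authentication log: dormant accounts (16.9), attempts against
deactivated accounts (16.12) and logins outside a user's normal pattern (16.13).
Added example, not part of the Master Mappings Tool; the log format, the 90-day
dormancy window and the per-user baselines are assumptions."""
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed inactivity period
NOW = datetime(2024, 6, 30, 12, 0)   # fixed clock so the run is reproducible

# Constructed inventory: account -> (status, last successful login)
ACCOUNTS = {
    "alice":   ("enabled",  datetime(2024, 6, 28, 9, 5)),
    "bob":     ("enabled",  datetime(2024, 2, 1, 17, 40)),   # idle for months
    "svc-old": ("disabled", datetime(2023, 11, 3, 8, 0)),
}
# Constructed baseline of normal behaviour: working hours and known workstations
BASELINE = {
    "alice": {"hours": range(7, 19), "hosts": {"WS-ALICE", "VPN-GW1"}},
    "bob":   {"hours": range(8, 18), "hosts": {"WS-BOB"}},
}
# Constructed audit log, one event per line: "<timestamp> <user> <workstation> <result>"
AUTH_LOG = """\
2024-06-30T09:12:00 alice WS-ALICE success
2024-06-30T03:41:00 alice WS-ALICE success
2024-06-30T10:02:00 alice WS-UNKNOWN success
2024-06-30T11:15:00 svc-old WS-BOB failure
2024-06-30T11:16:00 svc-old WS-BOB failure
"""


def parse_log(text: str) -> list:
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, host, result = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result})
    return events


def dormant_accounts(accounts=ACCOUNTS, now=NOW) -> list:
    """16.9: enabled accounts with no successful login inside the dormancy window."""
    return sorted(user for user, (status, last) in accounts.items()
                  if status == "enabled" and now - last > DORMANT_AFTER)


def deactivated_access_attempts(events, accounts=ACCOUNTS) -> list:
    """16.12: any attempt, successful or not, against a disabled account."""
    return [e for e in events
            if accounts.get(e["user"], ("unknown", None))[0] == "disabled"]


def login_anomalies(events, baseline=BASELINE) -> list:
    """16.13: successful logins off-hours or from a workstation not in the baseline."""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((e["user"], "no behavioural baseline"))
            continue
        if e["time"].hour not in profile["hours"]:
            alerts.append((e["user"], f"off-hours login at {e['time']:%H:%M}"))
        if e["host"] not in profile["hosts"]:
            alerts.append((e["user"], f"login from unknown workstation {e['host']}"))
    return alerts


if __name__ == "__main__":
    events = parse_log(AUTH_LOG)
    print("dormant:", dormant_accounts())
    print("attempts on deactivated accounts:", len(deactivated_access_attempts(events)))
    for alert in login_anomalies(events):
        print("anomaly:", alert)
```

Failed attempts against a disabled account are kept deliberately: under 16.12 the attempt itself is the signal, because a legitimate owner has no reason to try. The baseline here is static; in practice it is learned from the same log over a trailing window and re-derived periodically, and the "duration" dimension in 16.13 would need session end events that this constructed log does not carry.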
[Second copy of the CIP mapping matrix (Master Mappings Tool v7.1a); the X marks are not recoverable from this extraction. Column headings that survive in this copy beyond those listed above: Annual Approval of RBAM, CA list, and CCA List; Information Protection Program; Access Control; Change Control and Configuration Management; Access Log Retention; Maintenance and Testing; Malicious Software Prevention; plus a cell reference reading CIP-009-3 R5.]
CIS Controls v7.1 mapped to the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) ver.3
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
curity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
curity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
[CSA CCM ver.3 mapping grid; the row-to-column marks did not survive extraction. Column headings: Data Security & Information Lifecycle Management - Classification; - Data Inventory / Flows; - Commerce Transactions; - Handling / Labeling / Security Policy; - Information Leakage; - Non-Production Data; Datacenter Security - Controlled Access Points; - Equipment Identification; - Off-Site Authorization; Infrastructure & Virtualization Security - Clock Synchronization; - Information System Documentation; - Vulnerability Management; - Network Security; - OS Hardening and Base Controls; - Production / Non-Production Environments; - Segmentation; - VM Security - vMotion Data Protection; - VMM Security - Hypervisor Hardening; - Wireless Security; Interoperability & Portability - APIs; - Data Request; Mobile Security - Approved Software for BYOD; - Awareness and Training; - Cloud Based Services; - Compatibility; - Device Eligibility; - Device Inventory; - Device Management; - Encryption; - Jailbreaking and Rooting; - Legal; - Lockout Screen; - Operating Systems; - Passwords; - Policy; - Remote Wipe; - Security Patches; - Users; Security Incident Management, E-Discovery & Cloud Forensics - Contact / Authority Maintenance; - Incident Management; - Incident Reporting; - Incident Response Legal Preparation; Threat and Vulnerability Management - Mobile Code (TVM-03)]
CIS Controls v7.1 mapped to the Amazon Web Services – OCIE Cybersecurity Audit Guide (Oct 2015)
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off of a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder’s technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping grid, columns 1 to 9. The column headers recoverable from the extraction are Logical Access Control, Data Encryption, Security Logging and Monitoring (columns 4 to 6) and Security Incident Response, Disaster Recovery, Inherited Controls (columns 7 to 9); the headers of columns 1 to 3 did not survive. The X marks showing which CIS sub-controls map to each column were extracted without their row positions and are not reproduced here.]
CIS Controls v7.1 mapped to the FY15 CIO Annual FISMA Metrics
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security
Disable wireless peripheral access (EAP/TLS),
of devices that
[suchrequires mutual,
as Bluetooth andmulti-factor
Near Field authentication.
Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
urity Control #16:anAccount
Maintain Monitoring
inventory of and Control
each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security,
Require multi-factor and cloud
authentication forsystems.
all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash
Ensure that with a salt
all account all authentication
usernames credentials
and authentication when stored.
credentials are transmitted across networks
using encrypted channels.
Establish and follow an automated process for revoking system access by disabling accounts
Maintain an inventory
immediately of all accounts
upon termination organized
or change by authentication
of responsibilities system. or contractor. Disabling
of an employee
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts
Alert when to access
users deviate deactivated
from accounts
normal login through
behavior, suchaudit logging. workstation location, and
as time-of-day,
duration.
urity Control #17:
Perform Implement
a skills gap analysisa to
Security Awareness
understand the skills andand Training
behaviors Program
workforce members are not
adhering to, using this information to build a baseline education roadmap.
Create a security awareness program for all workforce members to complete on a regular basis to
Deliver training
ensure they to address
understand andthe skills gap
exhibit identified to
the necessary positively
behaviors and impact workforce
skills to members'
help ensure security
the security of
behavior.
the organization. The organization's security awareness program should be communicated in a
continuous
Ensure that and engaging manner.
the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train
Train workforce members
the workforce on howontothe importance
identify of enabling
different forms of and utilizing
social secureattacks,
engineering authentication.
such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing
Train workforce members the wrong
to be able person
to identify thedue tocommon
most autocomplete in email.
indicators of an incident and be
able to report such an incident.
urity Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.software, ensure that explicit error checking is performed and documented
For in-house developed
for all input,
Verify that theincluding
versionfor size,
of all data type,
software and acceptable
acquired from outside ranges
yourororganization
formats. is still supported by
the
Onlydeveloper or appropriately
use up-to-date and trustedhardened based
third-party on developer
components security
for the recommendations.
software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development
Apply static and dynamic environment and to
analysis tools responsibilities.
verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
Protect
means web
for applications
external byto
entities deploying web security
application
contactproduction
your firewalls (WAFs) that inspect all traffic
group.
Maintain
flowing toseparate
the webenvironments
application forforcommon web and non-production
application systems.
attacks. For Developers
applications should
that are not not
have unmonitored access to production environments.
web-based, specific application firewalls should be deployed if such tools are available for the given
application type.that
For applications If the traffic
rely on aisdatabase,
encrypted,usethe device should
standard hardening either sit behind the
configuration encryption
templates. All or be
capable of decrypting the traffic prior to analysis. If neither option
systems that are part of critical business processes should also be tested. is appropriate, a host-based web
application firewall should be deployed.
urity Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident
Assign job titles andhandling/management.
duties for handling computer and network incidents to specific individuals, and
ensure tracking
Designate and documentation
management personnel, throughout the incident through resolution.
Devise organization-wide standardsas forwell
theas backups,
time who
required forwill support
system the incidentand
administrators handling
other
process
workforceby acting in key decision-making roles.
Assemble and maintain information on third-party contact information to be used to report a for
members to report anomalous events to the incident handling team, the mechanisms
such reporting,
security incident,and theaskind
such LawofEnforcement,
information that should
relevant be included
government in the incident
departments, notification.
vendors, and
Publish
Plan information
and conduct for
routineall workforce members,
incidentCenter
response regarding
exercises reporting computer anomalies and
and scenarios for the workforce involved in
Information
incidents, Sharing
to response and
the incident Analysis (ISAC)
handling awareness
team. Suchand partners.
information should be included in routine employee
the incident to maintain comfort in responding to real-world threats.
awareness activities.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and
Create incident scoring and data availableschema
prioritization to them.based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
urity Control #20:a program
Establish Penetration Tests and
for penetration testsRed Team Exercises
that includes a full scope of blended attacks, such as
wireless, client-based,
Conduct regular andand
external web application
internal attacks.tests to identify vulnerabilities and attack vectors
penetration
that can be
Perform used to
periodic exploit
Red Teamenterprise systems
exercises to successfully. readiness to identify and stop attacks or
test organizational
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers,
Create a test including networka diagrams,
bed that mimics productionconfiguration
environmentfiles, older penetration
for specific penetrationtest reports,
tests and Redemails
Team
or documents
attacks against containing
elements passwords
that are notor other
typicallyinformation
tested in critical
production,to system
such as operation.
attacks against
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
supervisory
scanning control andshould
data acquisition
as and other point
controltosystems.
Whereverassessments
possible, ensure beRed
that usedTeam a results
starting guide and
are documented focus
using penetration
open, testing
machine-readable
efforts.
standards
Any user or(e.g., SCAP).
system Deviseused
accounts a scoring method
to perform for determining
penetration testingthe results
should beof Red Team
controlled exercises so
and
that results can be compared over time.
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1a) mapping matrix: a grid of X marks across nine numbered columns. Only the column labels survive extraction: columns 4 to 6 are Anti-Phishing and Malware Defense, Data Protection, and Network Defense; columns 7 to 9 are Boundary Protection, Training and Education, and Incident Response. The labels for columns 1 to 3 and the row assignment of each X mark are not recoverable from the extracted text.
CIS Controls v7.1 mapped to ITIL 2011 KPIs
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
urity Control
Remove#13:as local
Data
sensitivenetwork ordevices.
Protection
data systems not regularly accessed by the organization from the network.
Maintain an inventory
These systems shall only be of all used
sensitive informationsystems
as stand-alone stored, (disconnected
processed, or transmitted by the by the
from the network)
organization's technology systems, including those located on-site or at a remote
business unit needing to occasionally use the system or completely virtualized and powered service provider.
off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
urity Control #14:theControlled
Segment Access
network based on the Based
label or on the Need
classification toofKnow
level the information stored on the
servers,
Enable locate all sensitive information on separatedthatVirtual Local Areasystems
Networks are(VLANs).
Disablefirewall filtering between
all workstation-to-workstation VLANscommunication
to ensure only authorized
to limit an attacker's ability able
to to laterally
move
communicate with other systems necessary to fulfill their specific responsibilities.
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.
Utilize
Protect an active discovery
all toolonto systems
identify all sensitive information
networkstored,
share, processed, or transmitted
Encrypt
by the all information
organization's
stored
sensitive information
technology in transit.with
systems,
file system,
including those located on-site
claims, application,
or at a remote
or
service
database specific access control lists. These controls will enforce the principle that only authorized
provider,
individualsand update
should havetheaccess
organization's sensitive information
to the information based on theirinventory.
need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even
Encryptwhen the data information
all sensitive is copied off ata system.
rest using a tool that requires a secondary authentication
mechanism
Enforce detailed not integrated intofor
audit logging theaccess
operating system,data
to sensitive in order to access
or changes the information.
to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
urity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected
Use a wireless to the detection
intrusion wired network.
system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security
Disable wireless peripheral access (EAP/TLS),
of devices that
[suchrequires mutual,
as Bluetooth andmulti-factor
Near Field authentication.
Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
urity Control #16:anAccount
Maintain Monitoring
inventory of and Control
each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security,
Require multi-factor and cloud
authentication forsystems.
all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash
Ensure that with a salt
all account all authentication
usernames credentials
and authentication when stored.
credentials are transmitted across networks
using encrypted channels.
Establish and follow an automated process for revoking system access by disabling accounts
Maintain an inventory
immediately of all accounts
upon termination organized
or change by authentication
of responsibilities system. or contractor. Disabling
of an employee
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts
Alert when to access
users deviate deactivated
from accounts
normal login through
behavior, suchaudit logging. workstation location, and
as time-of-day,
duration.
urity Control #17:
Perform Implement
a skills gap analysisa to
Security Awareness
understand the skills andand Training
behaviors Program
workforce members are not
adhering to, using this information to build a baseline education roadmap.
Create a security awareness program for all workforce members to complete on a regular basis to
Deliver training
ensure they to address
understand andthe skills gap
exhibit identified to
the necessary positively
behaviors and impact workforce
skills to members'
help ensure security
the security of
behavior.
the organization. The organization's security awareness program should be communicated in a
continuous
Ensure that and engaging manner.
the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.
Train
Train workforce members
the workforce on howontothe importance
identify of enabling
different forms of and utilizing
social secureattacks,
engineering authentication.
such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing
Train workforce members the wrong
to be able person
to identify thedue tocommon
most autocomplete in email.
indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
Mapping columns: Service Portfolio Management; Business Relationship Management; Financial Management; Strategy Management for IT Services; Change Management; Project Management; Release and Deployment Management; KPI 19
CIS Controls v7.1 mapped to the State of Nevada Gaming Control Board Minimum Internal Control Standards (MICS) v7 2015
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Mapping columns (Nevada MICS sections): Service & Generic Accounts; Default User Accounts; Backups; Electronic Storage of Documentation; Creation of Wagering Instruments; Recordkeeping Database; Network Security and Remote Access; Data Protection; Changes to Production Environment; Information Technology Department; In-House Software Development; Purchased Software Programs
CIS Controls v7.1 mapped to Commonwealth of Massachusetts 201 CMR 17.00
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder’s technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
[Mapping matrix: the per-control "X" marks are not recoverable from the extraction; column headings only: IV; IV-a; IV-b; DSC is responsible for testing the WISP; DSC is responsible for evaluate third parties; DSC is responsible for review security measures; Internal Threats - Block Unauthorized Access to Data; Internal Threats - Annual Security Measure Review; Internal Threats - Employee Termination Procedures (Return of Data); Internal Threats - Employee Termination Procedures (Access Revoked); Internal Threats - Passwords Changed Regularly; Internal Threats - Access Provided to Active Users Only; External Threats - Endpoint Protection; External Threats - Encryption of sensitive data; External Threats - Monitoring; External Threats - Authentication; VI-05]
CIS Controls v7.1 mapped to New York State Department of Financial
Services 23 NYCRR 500
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
urity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized
The organization's software is blocked
application whitelisting softwarefrom
mustexecuting on assets.
ensure that only authorized software
libraries
The organization's application whitelisting software must ensure that onlyprocess.
(such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
urity Control
Utilize#3: Continuous
an up-to-date Vulnerability
Security Assessment
Content Automation Protocoland Remediation
(SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running
the most
Deploy recent security
automated updates
software provided
update tools inby the software
order to ensurevendor.
that third-party software on all systems
is
Regularly compare the results from consecutive vulnerabilitysoftware
running the most recent security updates provided by the scans to vendor.
verify that vulnerabilities have
been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
urity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
All configuration rules that allow traffic to flow through network devices should be documented in a
Maintain documented
configuration security
management configuration
system standards
with a specific for all
business authorized
reason network
for each rule, a devices.
specific
individual’s name responsible for that business need, and an expected duration
Compare all network device configurations against approved security configurations of the need. for
defined
each network device in use, and alert when any deviations are discovered.
Ensure network
Install the latest engineers use aofdedicated
stable version machine forupdates
any security-related all administrative tasksdevices.
on all network or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
Manage
be allowedall Internet
network devicesThisusing multi-factor authentication
used forand encrypted sessions.
Manage the networkaccess. machine
infrastructure acrossshall not
network be
connectionsreading email,
that are composing
separated from documents,
the
or surfing the Internet.
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
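The address-range and port sub-controls are enforced on the boundary device itself, but the NetFlow data the later sub-control asks for is what lets you verify that the enforcement actually holds. The block below is an added example (not CIS material): it replays NetFlow-style records against a boundary policy of denied ranges and per-direction allowed protocol/port pairs and reports every flow that should not have crossed. The policy, the internal range, and the flow records are constructed; the external addresses are documentation ranges, not real hosts.

```python
import ipaddress
from collections import Counter

# Constructed policy for one Internet boundary. Real deployments take the denied
# ranges from a threat feed; these are documentation ranges chosen for the example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DENIED_RANGES = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_INBOUND = {("tcp", 443)}                              # only HTTPS to the DMZ web tier
ALLOWED_OUTBOUND = {("tcp", 443), ("tcp", 80), ("udp", 53)}   # web and DNS only

# Constructed NetFlow-style records: src,dst,proto,dst_port,bytes
SAMPLE_FLOWS = """\
192.0.2.10,10.0.5.10,tcp,443,52000
10.0.1.25,192.0.2.77,tcp,443,9100
10.0.1.25,192.0.2.77,udp,53,200
198.51.100.9,10.0.5.10,tcp,443,1200
10.0.2.40,192.0.2.80,tcp,4444,88000
192.0.2.55,10.0.5.20,tcp,22,3000
"""


def parse_flows(text):
    """Parse the constructed CSV form into dicts with typed addresses and ports."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port, nbytes = line.split(",")
        flows.append({"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                      "proto": proto, "port": int(port), "bytes": int(nbytes)})
    return flows


def classify_flow(flow):
    """None when the flow is permitted by policy, otherwise a short reason string."""
    if any(flow["src"] in rng or flow["dst"] in rng for rng in DENIED_RANGES):
        return "denied address range"
    inbound = flow["dst"] in INTERNAL and flow["src"] not in INTERNAL
    outbound = flow["src"] in INTERNAL and flow["dst"] not in INTERNAL
    key = (flow["proto"], flow["port"])
    if inbound and key not in ALLOWED_INBOUND:
        return f"unauthorized inbound {flow['proto']}/{flow['port']}"
    if outbound and key not in ALLOWED_OUTBOUND:
        return f"unauthorized outbound {flow['proto']}/{flow['port']}"
    return None


def boundary_violations(text):
    """Every flow that policy says should have been dropped, with the reason."""
    violations = []
    for flow in parse_flows(text):
        reason = classify_flow(flow)
        if reason:
            violations.append((str(flow["src"]), str(flow["dst"]), reason))
    return violations


def violation_summary(violations):
    """Counts per reason, the shape a daily boundary report or alert threshold works on."""
    return Counter(reason for _, _, reason in violations)


if __name__ == "__main__":
    found = boundary_violations(SAMPLE_FLOWS)
    for src, dst, reason in found:
        print(f"{src} -> {dst}: {reason}")
    print(dict(violation_summary(found)))
```

Flows that appear in NetFlow but violate policy mean either the device rules do not match the documented policy or the flow bypassed the boundary; both are findings worth a ticket. Outbound tcp/4444 with a large byte count is exactly the kind of record the egress-filtering sub-control exists to surface.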
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
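File Integrity Monitoring, named in the last sub-control, reduces to a baseline of cryptographic digests and a periodic re-scan. The block below is an added example (not CIS material or a FIM product) showing the core: snapshot a directory of sensitive files, compare a later snapshot, and emit added/modified/removed events in a form a SIEM can ingest. The directory, its files, the tampering, and the event schema are all constructed inside the demonstration function.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file read in chunks, so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file (path relative to root) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def compare_snapshots(baseline, current):
    """Classify every path as added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def audit_events(diff, host):
    """Flatten a diff into SIEM-ready records (constructed schema for the example)."""
    return [{"host": host, "path": path, "event": kind}
            for kind, paths in diff.items() for path in paths]


def demo_tamper_detection():
    """Build a constructed sensitive-data tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.csv").write_text("id,salary\n1,50000\n")
        (root / "keys").mkdir()
        (root / "keys" / "api.txt").write_text("placeholder\n")
        baseline = snapshot(root)

        # Simulated unauthorized activity: edit, delete, and drop a new archive.
        (root / "payroll.csv").write_text("id,salary\n1,90000\n")
        (root / "keys" / "api.txt").unlink()
        (root / "export.zip").write_bytes(b"PK\x03\x04")

        return compare_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    diff = demo_tamper_detection()
    for event in audit_events(diff, host="fileserver-01"):
        print(event)
```

A real deployment stores the baseline somewhere the monitored host cannot rewrite (otherwise an attacker who can edit payroll.csv can also re-baseline it), and pairs the digest diff with the OS audit trail so the "who" is recorded alongside the "what".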
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
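"Hash with a salt" is easy to get wrong: an unsalted fast hash still leaks which users share a password and falls to precomputed tables. The block below is an added example (not CIS material) contrasting that weak pattern with a salted, iterated PBKDF2 record, constant-time verification, and a rehash check for when the iteration policy is raised. It uses only the Python standard library; the record layout and the iteration count are constructed defaults for the example.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumption: calibrate so one verification costs roughly 100 ms on your hardware


def weak_store(password):
    """The pattern the sub-control forbids: unsalted, fast hash. Equal passwords yield equal
    digests, and one precomputed table breaks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password, iterations=ITERATIONS):
    """Salted, iterated hash. Record layout (constructed): algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify(password, record):
    """Recompute with the stored salt and parameters and compare in constant time.
    Malformed records verify as False instead of raising, so a corrupt row cannot be used to
    probe the verifier's behaviour."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when the stored record is weaker than current policy; call after a successful
    login and re-store the result of make_record() while the plaintext is still in hand."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    stored = make_record("correct horse battery staple")
    print(stored)
    print("verify ok:", verify("correct horse battery staple", stored))
    print("verify bad:", verify("Tr0ub4dor&3", stored))
```

Two identical passwords produce two different records because each call draws a fresh 16-byte salt; that property, not the choice of hash function, is what the phrase "with a salt" buys. Where a memory-hard function (scrypt, Argon2) is available it is the better choice; the record format above carries the algorithm name precisely so that migration is a matter of the rehash check.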
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
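The account-lifecycle sub-controls (no owner, dormant, expired) and the two monitoring sub-controls (deactivated-account attempts, deviation from normal login behaviour) are usually one scheduled job over the account inventory plus the authentication log. The following added example (not CIS material or any identity product) runs both checks over a constructed account export and a constructed login log; the per-user "normal hours and workstations" profile is an assumption standing in for a baseline learned from history.

```python
from datetime import datetime, timedelta

# Constructed account inventory export from one authentication system.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "owner": "finance",
     "expires": "2025-12-31", "last_login": "2024-03-01T09:12:00"},
    {"user": "svc-legacy", "enabled": True, "owner": None,
     "expires": None, "last_login": "2023-08-20T02:00:00"},
    {"user": "bob", "enabled": True, "owner": "engineering",
     "expires": "2024-01-31", "last_login": "2024-02-28T10:00:00"},
    {"user": "carol", "enabled": False, "owner": "hr",
     "expires": "2025-06-30", "last_login": "2023-12-01T08:00:00"},
]

# Constructed authentication log: timestamp user workstation result
LOGIN_LOG = """\
2024-03-04T09:05:00 alice ws-fin-01 success
2024-03-04T03:20:00 alice ws-eng-09 success
2024-03-04T11:00:00 carol ws-hr-02 failure
2024-03-05T09:40:00 alice ws-fin-01 success
"""

# Assumed per-user baseline of normal behaviour; in practice derived from login history.
PROFILES = {"alice": {"hours": range(7, 19), "workstations": {"ws-fin-01"}}}
NOW = datetime(2024, 3, 6, 12, 0, 0)  # fixed clock so the demonstration is reproducible


def account_review(accounts, now=NOW, dormant_days=90):
    """Flag enabled accounts with no owner, a passed expiry date, or no recent login."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["owner"] is None:
            findings.append((acct["user"], "no business process or owner"))
        if acct["expires"] and datetime.fromisoformat(acct["expires"]) < now:
            findings.append((acct["user"], f"expired on {acct['expires']}"))
        idle = now - datetime.fromisoformat(acct["last_login"])
        if idle > timedelta(days=dormant_days):
            findings.append((acct["user"], f"dormant for {idle.days} days"))
    return findings


def login_alerts(log_text, accounts, profiles):
    """Alert on use of deactivated accounts and on logins outside a user's normal pattern."""
    disabled = {a["user"] for a in accounts if not a["enabled"]}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, workstation, result = line.split()
        when = datetime.fromisoformat(ts)
        if user in disabled:
            alerts.append((ts, user, f"attempt to use deactivated account ({result})"))
            continue
        profile = profiles.get(user)
        if profile is None:
            continue
        if when.hour not in profile["hours"]:
            alerts.append((ts, user, f"login at {when.strftime('%H:%M')} outside normal hours"))
        if workstation not in profile["workstations"]:
            alerts.append((ts, user, f"login from unusual workstation {workstation}"))
    return alerts


if __name__ == "__main__":
    for user, why in account_review(ACCOUNTS):
        print(f"REVIEW {user}: {why}")
    for ts, user, why in login_alerts(LOGIN_LOG, ACCOUNTS, PROFILES):
        print(f"ALERT  {ts} {user}: {why}")
```

Note that carol's failed attempt is reported even though the login failed: the sub-control asks for attempts against deactivated accounts, because a stream of them is often the first sign that a departed user's credentials are circulating. The review deliberately skips disabled accounts, which is why disabling rather than deleting keeps both the audit trail and the review list clean.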
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
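The input-checking sub-control ("explicit error checking ... for size, data type, and acceptable ranges or formats") is concrete enough to show in code. The block below is an added example (not CIS material): a handler that trusts and silently coerces its input sits beside a validator that checks every field for presence, type, length, format and range, rejects unexpected fields, and returns the full list of reasons so each rejection is documented rather than swallowed. The request shape, account-number format and limits are constructed for the illustration.

```python
import re

ACCOUNT_FORMAT = re.compile(r"^[A-Z]{2}[0-9]{8}$")   # constructed account-number format
MAX_AMOUNT_CENTS = 100_000_000                         # constructed policy limit (1,000,000.00)
MAX_MEMO_LENGTH = 140
ALLOWED_FIELDS = {"from_account", "to_account", "amount_cents", "memo"}

# Constructed sample requests.
GOOD_REQUEST = {"from_account": "GB12345678", "to_account": "DE87654321",
                "amount_cents": 2500, "memo": "March rent"}
BAD_REQUEST = {"from_account": "GB1234", "to_account": "DE87654321",
               "amount_cents": "1e9", "memo": "x" * 200, "callback_url": "attacker-controlled"}


def naive_transfer(request):
    """The pattern the sub-control targets: trusts shape and type, coerces silently, and
    records nothing about what it accepted. "1e9" becomes a billion cents; -500 goes through."""
    return {
        "from": request["from_account"],
        "to": request["to_account"],
        "amount_cents": int(float(request["amount_cents"])),
        "memo": request.get("memo", ""),
    }


def validate_transfer(request):
    """Explicit checks on every field. Returns a list of error strings; empty means accept."""
    if not isinstance(request, dict):
        return ["request: must be a JSON object"]
    errors = []
    unknown = set(request) - ALLOWED_FIELDS
    if unknown:
        errors.append(f"request: unexpected fields {sorted(unknown)}")
    for field in ("from_account", "to_account"):
        value = request.get(field)
        if not isinstance(value, str):
            errors.append(f"{field}: required string")
        elif not ACCOUNT_FORMAT.match(value):
            errors.append(f"{field}: must match two letters followed by eight digits")
    amount = request.get("amount_cents")
    if isinstance(amount, bool) or not isinstance(amount, int):   # bool is an int subclass
        errors.append("amount_cents: required integer")
    elif not 1 <= amount <= MAX_AMOUNT_CENTS:
        errors.append(f"amount_cents: must be between 1 and {MAX_AMOUNT_CENTS}")
    memo = request.get("memo", "")
    if not isinstance(memo, str):
        errors.append("memo: must be a string")
    elif len(memo) > MAX_MEMO_LENGTH:
        errors.append(f"memo: longer than {MAX_MEMO_LENGTH} characters")
    elif not memo.isprintable():
        errors.append("memo: control characters are not allowed")
    if not errors and request["from_account"] == request["to_account"]:
        errors.append("to_account: must differ from from_account")
    return errors


def process_transfer(request):
    """Validate first; only a fully valid request reaches the business logic."""
    errors = validate_transfer(request)
    if errors:
        return {"accepted": False, "errors": errors}
    return {"accepted": True, "transfer": {
        "from": request["from_account"], "to": request["to_account"],
        "amount_cents": request["amount_cents"], "memo": request.get("memo", "")}}


if __name__ == "__main__":
    print("naive:", naive_transfer(BAD_REQUEST))
    print("validated:", process_transfer(BAD_REQUEST))
```

Collecting all errors instead of stopping at the first one is what makes the checking "documented": the rejected request and its reasons can be logged and, where the caller is trusted, returned. The `bool` guard and the cross-field check at the end are the two cases most validators forget.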
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder’s technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
CIS Controls Master Mappings Tool (v7.1a)
[Mapping matrix: columns are Chief Information Security Officer, Cybersecurity Program, Cybersecurity Policy, Cybersecurity Personnel and Intelligence, Application Security, Risk Assessment, Training and Monitoring, Encryption of Nonpublic Information, and Incident Response Plan. The row labels and the cell marks did not survive extraction.]
CIS Controls v7.1 mapped to the Victorian Protective Data Security
Framework (v1.0)
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
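The last two sub-controls, comparing consecutive scans and risk-rating what remains, are one small piece of code on top of the scanner's export. The following is an added example (not CIS material or a scanner vendor's tool): it keys findings by host and finding ID, classifies each as remediated, new or persisting between two weekly exports, and orders the open ones by a constructed risk score. The CSV layout, the finding identifiers (placeholders, not real vulnerability IDs), the hosts and the scoring weights are all constructed for the illustration.

```python
import csv
import io

# Constructed exports from two consecutive weekly scans. "exposed" marks hosts
# reachable from the Internet. Identifiers are placeholders, not real vulnerability IDs.
SCAN_WEEK_1 = """\
host,finding_id,cvss,exposed
10.0.5.10,FINDING-A,9.8,yes
10.0.5.10,FINDING-B,5.3,yes
10.0.1.25,FINDING-C,7.5,no
10.0.1.25,FINDING-D,4.0,no
"""
SCAN_WEEK_2 = """\
host,finding_id,cvss,exposed
10.0.5.10,FINDING-B,5.3,yes
10.0.1.25,FINDING-C,7.5,no
10.0.1.25,FINDING-E,8.8,no
"""


def parse_scan(text):
    """Key each finding by (host, finding_id): the same issue on two hosts is two items."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["host"], row["finding_id"])
        findings[key] = {"cvss": float(row["cvss"]), "exposed": row["exposed"] == "yes"}
    return findings


def compare_scans(previous, current):
    """Remediated = gone since the last scan; new = first seen; persisting = still open."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "remediated": sorted(prev_keys - cur_keys),
        "new": sorted(cur_keys - prev_keys),
        "persisting": sorted(prev_keys & cur_keys),
    }


def risk_score(finding, persisting):
    """Constructed rating: CVSS base, +2 if Internet-exposed, +1 if it survived a scan
    cycle (the remediation SLA is already slipping), capped at 10."""
    score = finding["cvss"] + (2.0 if finding["exposed"] else 0.0) + (1.0 if persisting else 0.0)
    return round(min(score, 10.0), 1)


def remediation_queue(previous, current):
    """Open findings ordered by score, highest first; ties broken by key for stable output."""
    persisting = set(compare_scans(previous, current)["persisting"])
    ranked = [(risk_score(finding, key in persisting), key) for key, finding in current.items()]
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return ranked


if __name__ == "__main__":
    week1, week2 = parse_scan(SCAN_WEEK_1), parse_scan(SCAN_WEEK_2)
    delta = compare_scans(week1, week2)
    for kind, keys in delta.items():
        print(kind, keys)
    for score, (host, finding_id) in remediation_queue(week1, week2):
        print(f"{score:4.1f}  {host:<12} {finding_id}")
```

Keying on (host, finding) rather than on the finding alone is what makes "remediated" trustworthy: a fix applied to one of two affected hosts shows up as one remediation and one persisting item, not as a closed issue. Exposure and age are the two factors a plain CVSS sort misses; swap in the organization's own weights, but keep the rating reproducible so week-to-week numbers can be compared.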
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
urity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
All configuration rules that allow traffic to flow through network devices should be documented in a
Maintain documented
configuration security
management configuration
system standards
with a specific for all
business authorized
reason network
for each rule, a devices.
specific
individual’s name responsible for that business need, and an expected duration
Compare all network device configurations against approved security configurations of the need. for
defined
each network device in use, and alert when any deviations are discovered.
Ensure network
Install the latest engineers use aofdedicated
stable version machine forupdates
any security-related all administrative tasksdevices.
on all network or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
Manage
be allowedall Internet
network devicesThisusing multi-factor authentication
used forand encrypted sessions.
Manage the networkaccess. machine
infrastructure acrossshall not
network be
connectionsreading email,
that are composing
separated from documents,
the
or surfing the Internet.
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
urity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to
Deny communication
trusted and necessaryover unauthorized
IP address TCP
ranges at or UDP
each ports
of the or application
organization's trafficboundaries.
network to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
boundaries.
of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application
Decrypt all encrypted
layer proxy networktotraffic
that is configured filter at the boundary
unauthorized proxy prior to analyzing the content. However,
connections.
the organization may use whitelists of allowed sites that can be accessed through the proxy without
Require
decryptingall remote login access to the organization's network to encrypt data in transit and use
the traffic.
Scan all enterprise
multi-factor devices remotely logging into the organization's network prior to accessing the
authentication.
network to ensure that each of the organization's security policies has been enforced in the same
manner
urity Control
Remove#13:as local
Data
sensitivenetwork ordevices.
Protection
data systems not regularly accessed by the organization from the network.
Maintain an inventory
These systems shall only be of all used
sensitive informationsystems
as stand-alone stored, (disconnected
processed, or transmitted by the by the
from the network)
organization's technology systems, including those located on-site or at a remote
business unit needing to occasionally use the system or completely virtualized and powered service provider.
off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
urity Control #14:theControlled
Segment Access
network based on the Based
label or on the Need
classification toofKnow
level the information stored on the
servers,
Enable locate all sensitive information on separatedthatVirtual Local Areasystems
Networks are(VLANs).
Disablefirewall filtering between
all workstation-to-workstation VLANscommunication
to ensure only authorized
to limit an attacker's ability able
to to laterally
move
communicate with other systems necessary to fulfill their specific responsibilities.
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.
Utilize
Protect an active discovery
all toolonto systems
identify all sensitive information
networkstored,
share, processed, or transmitted
Encrypt
by the all information
organization's
stored
sensitive information
technology in transit.with
systems,
file system,
including those located on-site
claims, application,
or at a remote
or
service
database specific access control lists. These controls will enforce the principle that only authorized
provider,
individualsand update
should havetheaccess
organization's sensitive information
to the information based on theirinventory.
need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even
Encryptwhen the data information
all sensitive is copied off ata system.
rest using a tool that requires a secondary authentication
mechanism
Enforce detailed not integrated intofor
audit logging theaccess
operating system,data
to sensitive in order to access
or changes the information.
to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
urity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected
Use a wireless to the detection
intrusion wired network.
system (WIDS) to detect and alert on unauthorized wireless access
points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security
Disable wireless peripheral access (EAP/TLS),
of devices that
[suchrequires mutual,
as Bluetooth andmulti-factor
Near Field authentication.
Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
urity Control #16:anAccount
Maintain Monitoring
inventory of and Control
each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security,
Require multi-factor and cloud
authentication forsystems.
all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash
Ensure that with a salt
all account all authentication
usernames credentials
and authentication when stored.
credentials are transmitted across networks
using encrypted channels.
Establish and follow an automated process for revoking system access by disabling accounts
Maintain an inventory
immediately of all accounts
upon termination organized
or change by authentication
of responsibilities system. or contractor. Disabling
of an employee
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder’s technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1a)
Security Incident Management | Business Continuity Management | Contracted Service Providers
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Master Mappings Tool (v7.1a)
4. Limit the number of Internet access points for the company to those that are strictly necessary.
5. Prohibit the connection of personal devices to the organisation's information system.
6. Know how all software components are updated and keep up to date on the vulnerabilities of these components and their required updates.
7. Define and strictly apply an update policy.
8. Identify each individual accessing the system by name.
9. Set rules for the choice and size of passwords.
10. Set in place technical methods to enable authentication rules to be followed.
11. Do not store passwords in plain sight in files on information systems.
12. Systematically renew default authentication settings (password, certificates) on devices (network switches, routers, servers, printers).
13. Opt, where possible, for strong, smart card authentication.
14. Implement a uniform level of security across the entire IT stock.
15. Technically prevent the connection of portable media except where strictly necessary; deactivate the execution of the autorun functions from these types of media.
16. Use an IT stock management tool that enables the deployment of security policies and updates to machines.
17. Manage portable machines with a security policy that is at least as stringent as for fixed machines.
18. Wherever possible, prohibit remote connections to client machines.
19. Encrypt sensitive data, especially on mobile machines and media that may get lost.
20. Frequently audit (or have audited) the configuration of the central directory (Active Directory in Windows environments or LDAP directory for example).
21. Set in place compartmentalised networks. For machines or servers containing information that is of strategic importance to the company, create a sub-network protected by a specific interconnection gateway.
22. Avoid the use of wireless (Wifi) infrastructures. If the use of these technologies cannot be avoided, compartmentalise the Wifi access network from the rest of the information system.
23. Systematically use secure applications and protocols.
24. Secure Internet interconnection gateways.
25. Ensure that there are no machines on the network with an administration interface that is accessible via the Internet.
26. Clearly define the objectives of system and network monitoring.
27. Define event log analysis methods.
28. Prohibit all access to the Internet from administration machines or accounts.
29. Use a dedicated network for the administration of machines or at least a network that is logically separated from the user network.
30. Do not grant administration privileges to users. Make no exceptions.
31. Only authorise remote access to the company network, even for network administration, from company machines that use strong authentication mechanisms and protect the integrity and confidentiality of traffic using robust means.
32. Robust control mechanisms for premises access must imperatively be used.
33. Keys to access the premises and alarm codes must be scrupulously protected.
34. Do not leave access sockets to the internal network accessible in locations that are open to the public.
35. Define rules for the use of printers and photocopiers.
36. Develop a plan for IT recovery and continuity of activity, even if only in outline, that is regularly updated, setting out how to safeguard the company's essential data.
37. Implement an alert and reaction chain that all parties involved are familiar with.
38. Never simply deal with the infection of a machine without attempting to establish how the malware came to be installed on that machine, whether it has spread elsewhere on the network and what data has been accessed.
39. Make users aware of the basic IT rules.
40. Periodically carry out a security audit (at least annually). Each audit must be accompanied by an action plan, the implementation of which should be monitored at the highest level.
CIS Controls v7.1 mapped to ?????
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10
Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12
Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9
Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8
CIS Controls
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all hardware assets, whether connected to the
organization's network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported by the software's
vendor are added to the organization's authorized software inventory. Unsupported software should
be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.
Ensure that all backups have at least one backup destination that is not continuously addressable
through operating system calls.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain standard, documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Disable all workstation to workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as Private VLANs or microsegmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.
Disable peer-to-peer (adhoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.
Train workforce on how to identify and properly store, transfer, archive and destroy sensitive
information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Train employees to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and nonproduction systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific individuals and ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners.
Publish information for all workforce members, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.