
CIS RAM Workbook for CIS RAM Version 1.0
Provided by CIS® (Center for Internet Security, Inc.)

Instructions for Use

CIS provides CIS RAM (Center for Internet Security Risk Assessment Method) as a process for reasonable implementation of the CIS Controls. CIS RAM describes risk analysis methods and techniques that align cybersecurity risk analysis with the expectations of regulators and legal authorities for demonstrating compliance, and due care. Based on Duty of Care Risk Analysis, CIS RAM conforms to and extends established risk assessment standards, such as ISO/IEC 27005, NIST SP 800-30, and RISK IT. By conforming to these standards, CIS RAM ensures alignment with successful information security programs. By extending these standards, CIS RAM helps organizations align their information security programs with regulatory definitions for "reasonable" and "appropriate" safeguards and risk, and "multi-factor" or "due care" balancing tests used by judges to determine negligence in lawsuits.

The CIS RAM Workbook provides templates and examples that are referenced in CIS RAM 1.0. That document provides instructions for designing and conducting information security risk assessments by illustrating risk assessment steps, and by encouraging its readers to attempt those steps for their organization. The CIS RAM Workbook provides one tab per template. Each tab is named in the CIS RAM to assist the reader's use of each tab.

Users of the CIS RAM Workbook should copy these templates for use in their organizations and should modify them to make them most applicable to their security programs and business context. Users should refer to the Principles and Practices in the CIS RAM to ensure that any modifications made to these templates conform to the objectives in those principles and practices.

License for Use

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).

CIS RAM also incorporates the CIS Controls™ Version 7, which is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).

To further clarify the Creative Commons license related to the CIS Controls and CIS RAM, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls or CIS RAM, you may not distribute the modified materials. Commercial use of the CIS Controls or CIS RAM is subject to the prior approval of CIS® (Center for Internet Security, Inc.).
Project Plan for Tier 1 Organizations

Step | Task | Key Roles | Duration | Assigned To | Start Date | End Date | Status
1 | Defining the Scope & Scheduling Sessions | Executives, Management, Assessor | 1 Day | | | |
2 | Defining Risk Assessment Criteria | Management, Assessor | 2 Hours | | | |
3 | Defining Risk Acceptance Criteria | Executives, Management, Assessor | 2 Hours | | | |
4 | Risk Assessment (Control-Based) | | Scope Dependent | | | |
4.1 | Gather Evidence | Personnel, Management, Assessor | | | | |
4.2 | Model the Threats | Personnel, Management, Assessor | | | | |
4.3 | Risk Evaluation | Assessor | | | | |
5 | Propose Safeguards | | Scope Dependent | | | |
5.1 | Evaluate Proposed Safeguards | Assessor, Management | | | | |
Project Plan for Tier 2 Organizations

Step | Task | Key Roles | Duration | Assigned To | Start Date | End Date | Status
1 | Defining the Scope & Scheduling Sessions | Executives, Management, Assessor | 1 Day | | | |
2 | Defining Risk Assessment Criteria | Management, Assessor | 2 Hours | | | |
3 | Defining Risk Acceptance Criteria | Executives, Management, Assessor | 2 Hours | | | |
4 | Risk Assessment (Control-Based) | | Scope Dependent | | | |
4.1 | Gather Evidence | Personnel, Management, Assessor | | | | |
4.2 | Model the Threats | Personnel, Management, Assessor | | | | |
4.3 | Risk Evaluation | Assessor | | | | |
5 | Propose Safeguards | | Scope Dependent | | | |
5.1 | Evaluate Proposed Safeguards | Assessor, Management | | | | |
Scope Definition for Tier 1 Organizations

Asset Type | Asset Class | Business Owner | Steward
Information | IP and PII | COO | CIO
Application | Applications | Customer Experience | Prod Mgr, Dev & Dev Ops
Servers | Servers | Dev Ops | DevOps
Network Device | Network Devices | CIO | Network Engineering
Process | Dev, Promotion, Maint. | Dev Ops | Dev, DevOps
Process | Vulnerability Mgt. | CIO | Security Team
Process | Acct Setup, Maint. | Customer Experience | Application Management
Process | Internal Audit | Compliance | Internal Audit
Process | Device/System set-up | CIO | DevOps
Process | Customer Support | Customer Experience | Application Management
Scope Definition for Tier 2 Organizations

Asset Type | Asset Name | Business Owner | Steward
Information | Application Code | COO | CIO
Information | Patient Information | Customer Experience | CIO
Application | Patient Record (prod) | Customer Experience | Product Manager
Application | Patient Record (dev) | Customer Experience | Software Development
Application | DataMart | Innovations Dept | DevOps
Server | ProductionAppSrvr1 | Customer Experience | DevOps
Server | ProductionDBServer2 | Customer Experience | DevOps
Server | DevAppSrvr1 | Software Development | DevOps
Server | DevDBServer2 | Software Development | DevOps
Server | LDAP1 | CIO | DevOps
Server | DNS1 | CIO | DevOps
Network Device | Core Router | CIO | Network Engineering
Network Device | DMZ Router | CIO | Network Engineering
Network Device | Firewall 1 | CIO | Network Engineering
Network Device | Firewall 2 | CIO | Network Engineering
Network Device | Switch | CIO | Network Engineering
Process | AppDev | Customer Experience | Software Development
Process | Code Promotion | Customer Experience | DevOps
Process | Maintenance | Product Manager | DevOps
Process | Change Management | Product Manager | DevOps
Process | Vulnerability Mgt | CIO | Security Team
Process | Account Setup | Customer Experience | Application Management
Process | Account Maintenance | Customer Experience | Application Management
Process | New Client Onboarding | Customer Experience | Application Management
Process | Internal Audit | Compliance | Internal Audit
Process | Device/System set-up | CIO | DevOps
Process | Customer Support | Customer Experience | Application Management
Risk Assessment and Acceptable Criteria for Tier 1 Organizations

Example from the CIS RAM Document

Impact Score | Impact to Our Mission | Impact to Our Obligations
(Definition) | Provide information to help remote patients stay healthy. | Patients may be harmed if their medical privacy is violated.
1 | Patients continue to access helpful information, and outcomes are on track. | No harm would come to patients.
2 | Some patients cannot access the information they need for good outcomes. | Few patients may be harmed after compromise of information or services.
3 | We can no longer provide helpful information to remote patients. | Many patients may be harmed financially, reputationally, or physically, up to and including death.

Template for Exercise

Impact Score | Impact to Our Mission | Impact to Our Obligations
(Definition) | Define the organization's Mission. | Define the organization's information security obligations to prevent harm to others.
1 | Describe a scenario in which consequences would be acceptable to all parties. | Describe a scenario in which consequences would be acceptable to outside parties who could be harmed.
2 | Describe a scenario in which consequences would be unacceptable to all parties, but would be recoverable. | Describe a scenario in which consequences would be unacceptable to others, but would be recoverable.
3 | Describe a scenario that could not be recovered from. | Describe a scenario that others could not recover from.

Likelihood Score | Foreseeability
1 | Not foreseeable. This is not plausible in the environment.
2 | Foreseeable. This is plausible, but not expected.
3 | Expected. We are certain this will occur at some time.

Example: Impact Threshold x Likelihood Threshold = Risk Threshold
2 x 2 = 4
… therefore …
Acceptable Risk < 4

Template: Impact Threshold x Likelihood Threshold = Risk Threshold
___ x ___ = ___
… therefore …
Acceptable Risk < ___

Impact and Acceptable Risk Criteria for Tier 2 Organizations

Example from the CIS RAM Document

Impact Score | Impact to Our Mission | Impact to Objectives | Impact to Obligations
(Definition) | Provide information to help remote patients stay healthy. | Operate profitably. | Patients must not be harmed by compromised information.
1. Negligible | Patients continue to access helpful information, and outcomes are on track. | Profits are on target. | Patients do not experience loss of service or protection.
2. Acceptable | Some patients may not get all the information they need as they request it. | Profits are off target, but are within planned variance. | Patients may be concerned, but not harmed.
3. Unacceptable | Some patients cannot access the information they need to maintain good health outcomes. | Profits are off planned variance and may take a fiscal year to recover. | Some patients may be harmed financially or reputationally after compromise of information or services.
4. High | Many patients consistently cannot access beneficial information. | Profits may take more than a fiscal year to recover. | Many patients may be harmed financially or reputationally.
5. Catastrophic | We can no longer provide helpful information to remote patients. | The organization cannot operate profitably. | Some patients may be harmed financially, reputationally, or physically, up to and including death.

Template for Exercise

Impact Score | Impact to Our Mission | Impact to Objectives | Impact to Obligations
(Definition) | Define the organization's Mission. | Define the organization's success criteria. | Define the organization's information security obligations to prevent harm to others.
1. Negligible | Describe a scenario in which no consequences would be suffered. | Describe a scenario in which no consequences would be suffered. | Describe a scenario in which no consequences would be suffered.
2. Acceptable | Describe a scenario in which consequences would be acceptable to all parties. | Describe a scenario in which consequences would be acceptable to the organization. | Describe a scenario in which consequences would be acceptable to outside parties who could be harmed.
3. Unacceptable | Describe a scenario in which consequences would be unacceptable to all parties, but would be recoverable with little effort. | Describe a scenario in which consequences would be unacceptable to the organization, but recoverable with little effort. | Describe a scenario in which consequences would be unacceptable to others, but would be recoverable with little effort.
4. High | Describe a scenario in which consequences would be unacceptable to all parties, but would be recoverable with significant effort. | Describe a scenario in which consequences would be unacceptable to the organization, but recoverable with significant effort. | Describe a scenario in which consequences would be unacceptable to others, but would be recoverable with significant effort.
5. Catastrophic | Describe a scenario that could not be recovered from. | Describe a scenario that could not be recovered from. | Describe a scenario that others could not recover from.

Likelihood Score | Foreseeability
1 | Not foreseeable. This is not plausible in the environment.
2 | Foreseeable. This is plausible, but not expected.
3 | Expected. We are certain this will eventually occur.
4 | Common. This happens repeatedly.
5 | Current. This may be happening now.

Example: Impact Threshold x Likelihood Threshold = Risk Threshold
3 x 3 = 9
… therefore …
Acceptable Risk < 9

Template: Impact Threshold x Likelihood Threshold = Risk Threshold
___ x ___ = ___
… therefore …
Acceptable Risk < ___
Impact and Acceptable Risk Criteria for Tiers 3 & 4 Organizations

Example from the CIS RAM Document

Impact Score | Impact to Our Mission | Impact to Objectives | Impact to Obligations
(Definition) | Provide information to help remote patients stay healthy. | Operate profitably. | Patients must not be harmed by compromised information.
1. Negligible | Patients continue to access helpful information, and outcomes are on track. | Profits are on target. | Patients do not experience loss of service or protection.
2. Acceptable | Some patients may not get all the information they need as they request it. | Profits are off target, but are within planned variance. | Patients may be concerned, but not harmed.
3. Unacceptable | Some patients cannot access the information they need to maintain good health outcomes. | Profits are off planned variance and may take a fiscal year to recover. | Some patients may be harmed financially or reputationally after compromise of information or services.
4. High | Many patients consistently cannot access beneficial information. | Profits may take more than a fiscal year to recover. | Many patients may be harmed financially or reputationally.
5. Catastrophic | We can no longer provide helpful information to remote patients. | The organization cannot operate profitably. | Some patients may be harmed financially, reputationally, or physically, up to and including death.

Template for Exercise

Impact Score | Impact to Our Mission | Impact to Objectives | Impact to Obligations
(Definition) | Define the organization's Mission. | Define the organization's success criteria. | Define the organization's information security obligations to prevent harm to others.
1. Negligible | Describe a scenario in which no consequences would be suffered. | Describe a scenario in which no consequences would be suffered. | Describe a scenario in which no consequences would be suffered.
2. Acceptable | Describe a scenario in which consequences would be acceptable to all parties. | Describe a scenario in which consequences would be acceptable to the organization. | Describe a scenario in which consequences would be acceptable to outside parties who could be harmed.
3. Unacceptable | Describe a scenario in which consequences would be unacceptable to all parties, but would be recoverable with little effort. | Describe a scenario in which consequences would be unacceptable to the organization, but recoverable with little effort. | Describe a scenario in which consequences would be unacceptable to others, but would be recoverable with little effort.
4. High | Describe a scenario in which consequences would be unacceptable to all parties, but would be recoverable with significant effort. | Describe a scenario in which consequences would be unacceptable to the organization, but recoverable with significant effort. | Describe a scenario in which consequences would be unacceptable to others, but would be recoverable with significant effort.
5. Catastrophic | Describe a scenario that could not be recovered from. | Describe a scenario that could not be recovered from. | Describe a scenario that others could not recover from.

Likelihood Score | Foreseeability
1 | Not foreseeable. This is not plausible in the environment.
2 | Foreseeable. This is plausible, but not expected.
3 | Expected. We are certain this will eventually occur.
4 | Common. This happens repeatedly.
5 | Current. This may be happening now.

Example: Impact Threshold x Likelihood Threshold = Risk Threshold
3 x 3 = 9
… therefore …
Acceptable Risk < 9

Template: Impact Threshold x Likelihood Threshold = Risk Threshold
___ x ___ = ___
… therefore …
Acceptable Risk < ___
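The threshold rule on the criteria tabs (Impact Threshold x Likelihood Threshold = Risk Threshold; a risk is acceptable when its score is below that threshold) applied to risk register rows, as an added Python example that is not part of the CIS RAM Workbook. It assumes that a risk's impact score is the highest score across its impact columns (mission, objectives, obligations), shortens the Tier 1 impact labels from the template scenarios, and uses constructed sample rows and a constructed step 5.1 safeguard check.

```python
"""CIS RAM risk scoring against acceptable-risk criteria.

Added example, not code from the CIS RAM Workbook. It encodes the rule shown on
the criteria tabs:
    Impact Threshold x Likelihood Threshold = Risk Threshold
    ... therefore ... Acceptable Risk < Risk Threshold
Assumptions of this example (not stated on the page): a risk's impact score is
the highest score across its impact columns (mission, objectives, obligations);
the sample register rows and the safeguard check are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Likelihood (foreseeability) scales exactly as listed on the criteria tabs.
TIER1_LIKELIHOOD = {1: "Not foreseeable", 2: "Foreseeable", 3: "Expected"}
TIER2_LIKELIHOOD = {**TIER1_LIKELIHOOD, 4: "Common", 5: "Current"}
# Impact scales: Tier 1 uses a 1-3 scale (labels shortened from the template
# scenarios), Tier 2 and above use the named 1-5 scale.
TIER1_IMPACT = {1: "Acceptable", 2: "Unacceptable but recoverable", 3: "Not recoverable"}
TIER2_IMPACT = {1: "Negligible", 2: "Acceptable", 3: "Unacceptable", 4: "High", 5: "Catastrophic"}


@dataclass
class Criteria:
    """Risk assessment and risk acceptance criteria for one organization."""
    impact_scale: Dict[int, str]
    likelihood_scale: Dict[int, str]
    impact_threshold: int
    likelihood_threshold: int

    def __post_init__(self) -> None:
        # Thresholds must be scores that exist on the chosen scales.
        if self.impact_threshold not in self.impact_scale:
            raise ValueError(f"impact threshold {self.impact_threshold} is off-scale")
        if self.likelihood_threshold not in self.likelihood_scale:
            raise ValueError(f"likelihood threshold {self.likelihood_threshold} is off-scale")

    @property
    def risk_threshold(self) -> int:
        # Impact Threshold x Likelihood Threshold = Risk Threshold (e.g. 2 x 2 = 4).
        return self.impact_threshold * self.likelihood_threshold


@dataclass
class Risk:
    """One row of the risk register."""
    risk_id: str
    asset_type: str
    sub_control: str          # CIS Sub-Control the risk was evaluated against
    impacts: Dict[str, int]   # impact score per impact column, e.g. {"mission": 2}
    likelihood: int


def impact_score(risk: Risk, criteria: Criteria) -> int:
    """Highest score across the impact columns (assumption of this example)."""
    if not risk.impacts:
        raise ValueError(f"{risk.risk_id}: no impact scores recorded")
    for column, score in risk.impacts.items():
        if score not in criteria.impact_scale:
            raise ValueError(f"{risk.risk_id}: {column} impact {score} is off-scale")
    return max(risk.impacts.values())


def risk_score(risk: Risk, criteria: Criteria) -> int:
    """Impact x Likelihood, the score compared against the risk threshold."""
    if risk.likelihood not in criteria.likelihood_scale:
        raise ValueError(f"{risk.risk_id}: likelihood {risk.likelihood} is off-scale")
    return impact_score(risk, criteria) * risk.likelihood


def is_acceptable(risk: Risk, criteria: Criteria) -> bool:
    """Acceptable Risk < Risk Threshold, as stated on the criteria tabs."""
    return risk_score(risk, criteria) < criteria.risk_threshold


def evaluate_register(risks: List[Risk], criteria: Criteria) -> List[dict]:
    """Score every register row and flag the ones that need a safeguard (step 5)."""
    return [
        {"risk_id": r.risk_id, "sub_control": r.sub_control,
         "score": risk_score(r, criteria), "acceptable": is_acceptable(r, criteria)}
        for r in risks
    ]


def safeguard_reduces_to_acceptable(before: Risk, after: Risk, criteria: Criteria) -> bool:
    """Step 5.1 check (constructed): the residual risk after a proposed safeguard
    must be acceptable and must not score higher than the risk it addresses."""
    return (is_acceptable(after, criteria)
            and risk_score(after, criteria) <= risk_score(before, criteria))


# Tier 1 (2 x 2 = 4) and Tier 2 (3 x 3 = 9) criteria from the workbook examples.
TIER1 = Criteria(TIER1_IMPACT, TIER1_LIKELIHOOD, impact_threshold=2, likelihood_threshold=2)
TIER2 = Criteria(TIER2_IMPACT, TIER2_LIKELIHOOD, impact_threshold=3, likelihood_threshold=3)

# Constructed sample rows, scored on the Tier 1 scales.
SAMPLE_RISKS = [
    Risk("1", "System", "1.1", {"mission": 1, "obligations": 1}, likelihood=3),        # 1 x 3 = 3
    Risk("2", "System", "3.4", {"mission": 2, "obligations": 2}, likelihood=2),        # 2 x 2 = 4
    Risk("3", "Application", "14.9", {"mission": 1, "obligations": 3}, likelihood=2),  # 3 x 2 = 6
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_RISKS, TIER1):
        status = "acceptable" if row["acceptable"] else "needs a safeguard"
        print(f"Risk {row['risk_id']} ({row['sub_control']}): score {row['score']}, {status}")
```

Note that a score equal to the threshold (risk 2 above, 2 x 2 = 4 against Acceptable Risk < 4) is not acceptable, which is the edge the strict comparison on the criteria tabs captures.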
Risk Register

Summary: The risks stated in this risk register were identified by evaluating how well the CIS Controls are applied to information assets at [Name of organization or scope of the assessment]
Date Completed: MM/DD/YYYY
Acceptable Risk Score is less than 4

Risk # (Unique ID) | Asset Type | CIS Control Family | CIS Sub-Control | CIS Control Title | CIS Control Description
Example | System | Inventory and Control of Hardware Assets | 1.1 | Active Discovery Tool | Utilize an active discovery tool to identify devices connected to the organization's network. This tool shall automatically update the organization's hardware device inventory when devices are discovered.
Example | System | Continuous Vulnerability Management | 3.4 | Deploy Automated Operating System Patch Management Tools | Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Example | System | Continuous Vulnerability Management | 3.4 | Deploy Automated Operating System Patch Management Tools | Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Example | Application | Controlled Access Based on the Need to Know | 14.9 | Enforce Detail Logging for Access or Changes to Sensitive Data | Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
1 | | Inventory and Control of Hardware Assets | 1.1 | Utilize an Active Discovery Tool | Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
2 | | Inventory and Control of Hardware Assets | 1.2 | Use a Passive Asset Discovery Tool | Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
3 | | Inventory and Control of Hardware Assets | 1.3 | Use DHCP Logging to Update Asset Inventory | Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
4 | | Inventory and Control of Hardware Assets | 1.4 | Maintain Detailed Asset Inventory | Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
5 | | Inventory and Control of Hardware Assets | 1.5 | Maintain Asset Inventory Information | Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
6 | | Inventory and Control of Hardware Assets | 1.6 | Address Unauthorized Assets | Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
7 | | Inventory and Control of Hardware Assets | 1.7 | Deploy Port Level Access Control | Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
8 | | Inventory and Control of Hardware Assets | 1.8 | Utilize Client Certificates to Authenticate Hardware Assets | Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
9 | | Inventory and Control of Software Assets | 2.1 | Maintain Inventory of Authorized Software | Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
10 | | Inventory and Control of Software Assets | 2.2 | Ensure Software is Supported by Vendor | Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
11 | | Inventory and Control of Software Assets | 2.3 | Utilize Software Inventory Tools | Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
12 | | Inventory and Control of Software Assets | 2.4 | Track Software Inventory Information | The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
13 | | Inventory and Control of Software Assets | 2.5 | Integrate Software and Hardware Asset Inventories | The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
14 | | Inventory and Control of Software Assets | 2.6 | Address Unapproved Software | Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
15 | | Inventory and Control of Software Assets | 2.7 | Utilize Application Whitelisting | Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
16 | | Inventory and Control of Software Assets | 2.8 | Implement Application Whitelisting of Libraries | The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
17 | | Inventory and Control of Software Assets | 2.9 | Implement Application Whitelisting of Scripts | The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
18 | | Inventory and Control of Software Assets | 2.10 | Physically or Logically Segregate High Risk Applications | Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
19 | | Continuous Vulnerability Management | 3.1 | Run Automated Vulnerability Scanning Tools | Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
20 | | Continuous Vulnerability Management | 3.2 | Perform Authenticated Vulnerability Scanning | Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
21 | | Continuous Vulnerability Management | 3.3 | Protect Dedicated Assessment Accounts | Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
22 | | Continuous Vulnerability Management | 3.4 | Deploy Automated Operating System Patch Management Tools | Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
23 | | Continuous Vulnerability Management | 3.5 | Deploy Automated Software Patch Management Tools | Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
24 | | Continuous Vulnerability Management | 3.6 | Compare Back-to-back Vulnerability Scans | Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
25 | | Continuous Vulnerability Management | 3.7 | Utilize a Risk-rating Process | Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
26 | | Controlled Use of Administrative Privileges | 4.1 | Maintain Inventory of Administrative Accounts | Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
27 | | Controlled Use of Administrative Privileges | 4.2 | Change Default Passwords | Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
28 | | Controlled Use of Administrative Privileges | 4.3 | Ensure the Use of Dedicated Administrative Accounts | Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
29 | | Controlled Use of Administrative Privileges | 4.4 | Use Unique Passwords | Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
30 | | Controlled Use of Administrative Privileges | 4.5 | Use Multifactor Authentication For All Administrative Access | Use multi-factor authentication and encrypted channels for all administrative account access.
31 | | Controlled Use of Administrative Privileges | 4.6 | Use of Dedicated Machines For All Administrative Tasks | Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.
32 | | Controlled Use of Administrative Privileges | 4.7 | Limit Access to Script Tools | Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.
33 | | Controlled Use of Administrative Privileges | 4.8 | Log and Alert on Changes to Administrative Group Membership | Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
34 | | Controlled Use of Administrative Privileges | 4.9 | Log and Alert on Unsuccessful Administrative Account Login | Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
35 | | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | 5.1 | Establish Secure Configurations | Maintain documented, standard security configuration standards for all authorized operating systems and software.
36 | | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | 5.2 | Maintain Secure Images | Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
37 | | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | 5.3 | Securely Store Master Images | Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
38 | | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | 5.4 | |
39 | | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | 5.5 | |
40 | | Maintenance, Monitoring and Analysis of Audit Logs | 6.1 | |
41 | | Maintenance, Monitoring and Analysis of Audit Logs | 6.2 | |
42 | | Maintenance, Monitoring and Analysis of Audit Logs | 6.3 | |
43 | | Maintenance, Monitoring and Analysis of Audit Logs | 6.4 | |
44 | | Maintenance, Monitoring and Analysis of Audit Logs | 6.5 | |
45 | | Maintenance, Monitoring and Analysis of Audit Logs | 6.6 | |
46 | | Maintenance, Monitoring and Analysis of Audit Logs | 6.7 | |
47 | | Maintenance, Monitoring and Analysis of Audit Logs | 6.8 | |
48 | | Email and Web Browser Protections | 7.1 | |
49 | | Email and Web Browser Protections | 7.2 | |
50 | | Email and Web Browser Protections | 7.3 | |
51 | | Email and Web Browser Protections | 7.4 | |
52 | | Email and Web Browser Protections | 7.5 | |
53 | | Email and Web Browser Protections | 7.6 | |
54 | | Email and Web Browser Protections | 7.7 | |
55 | | Email and Web Browser Protections | 7.8 | |
56 | | Email and Web Browser Protections | 7.9 | |
57 | | Email and Web Browser Protections | 7.10 | |
58 | | Malware Defenses | 8.1 | |
59 | | Malware Defenses | 8.2 | |
60 | | Malware Defenses | 8.3 | |
61 | | Malware Defenses | 8.4 | |
62 | | Malware Defenses | 8.5 | |
63 | | Malware Defenses | 8.6 | |
64 | | Malware Defenses | 8.7 | |
65 | | Malware Defenses | 8.8 | |
66 | | Limitation and Control of Network Ports, Protocols, and Services | 9.1 | |
67 | | Limitation and Control of Network Ports, Protocols, and Services | 9.2 | |
68 | | Limitation and Control of Network Ports, Protocols, and Services | 9.3 | |
69 | | Limitation and Control of Network Ports, Protocols, and Services | 9.4 | |
70 | | Limitation and Control of Network Ports, Protocols, and Services | 9.5 | |
71 | | Data Recovery Capabilities | 10.1 | |
72 | | Data Recovery Capabilities | 10.2 | |
73 | | Data Recovery Capabilities | 10.3 | |
74 | | Data Recovery Capabilities | 10.4 | |
75 | | Data Recovery Capabilities | 10.5 | |
76 | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.1 | |
77 | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.2 | |
78 | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.3 | |
79 | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.4 | |
80 | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.5 | |
81 | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.6 | |
82 | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.7 | |
83 | | Boundary Defense | 12.1 | |
84 | | Boundary Defense | 12.2 | |
85 | | Boundary Defense | 12.3 | |
86 | | Boundary Defense | 12.4 | |
87 | | Boundary Defense | 12.5 | |
88 | | Boundary Defense | 12.6 | |
89 | | Boundary Defense | 12.7 | |
90 | | Boundary Defense | 12.8 | |
91 | | Boundary Defense | 12.9 | |
92 | | Boundary Defense | 12.10 | |
93 | | Boundary Defense | 12.11 | |
94 | | Boundary Defense | 12.12 | |
95 | | Data Protection | 13.1 | |
96 | | Data Protection | 13.2 | |
97 | | Data Protection | 13.3 | |
98 | | Data Protection | 13.4 | |
99 | | Data Protection | 13.5 | |
100 | | Data Protection | 13.6 | |
101 | | Data Protection | 13.7 | |
102 | | Data Protection | 13.8 | |
103 | | Data Protection | 13.9 | |
104 | | Controlled Access Based on the Need to Know | 14.1 | |
105 | | Controlled Access Based on the Need to Know | 14.2 | |
106 | | Controlled Access Based on the Need to Know | 14.3 | |
107 | | Controlled Access Based on the Need to Know | 14.4 | |
108 | | Controlled Access Based on the Need to Know | 14.5 | |
109 | | Controlled Access Based on the Need to Know | 14.6 | |
110 | | Controlled Access Based on the Need to Know | 14.7 | |
111 | | Controlled Access Based on the Need to Know | 14.8 | |
112 | | Controlled Access Based on the Need to Know | 14.9 | |
113 | | Wireless Access Control | 15.1 | |
114 | | Wireless Access Control | 15.2 | |
115 | | Wireless Access Control | 15.3 | |
116 | | Wireless Access Control | 15.4 | |
117 | | Wireless Access Control | 15.5 | |
118 | | Wireless Access Control | 15.6 | |
119 | | Wireless Access Control | 15.7 | |
120 | | Wireless Access Control | 15.8 | |
121 | | Wireless Access Control | 15.9 | |
122 | | Wireless Access Control | 15.10 | |
123 | | Account Monitoring and Control | 16.1 | |
124 | | Account Monitoring and Control | 16.2 | |
125 | | Account Monitoring and Control | 16.3 | |
126 | | Account Monitoring and Control | 16.4 | |
127 | | Account Monitoring and Control | 16.5 | |
128 | | Account Monitoring and Control | 16.6 | |
129 | | Account Monitoring and Control | 16.7 | |
130 | | Account Monitoring and Control | 16.8 | |
131 | | Account Monitoring and Control | 16.9 | |
132 | | Account Monitoring and Control | 16.10 | |
133 | | Account Monitoring and Control | 16.11 | |
134 | | Account Monitoring and Control | 16.12 | |
135 | | Account Monitoring and Control | 16.13 | |
136 | | Implement a Security Awareness and Training Program | 17.1 | |
137 | | Implement a Security Awareness and Training Program | 17.2 | |
138 | | Implement a Security Awareness and Training Program | 17.3 | |
139 | | Implement a Security Awareness and Training Program | 17.4 | |
140 | | Implement a Security Awareness and Training Program | 17.5 | |
141 | | Implement a Security Awareness and Training Program | 17.6 | |
142 | | Implement a Security Awareness and Training Program | 17.7 | |
143 | | Implement a Security Awareness and Training Program | 17.8 | |
144 | | Implement a Security Awareness and Training Program | 17.9 | |
145 | | Application Software Security | 18.1 | |
146 | | Application Software Security | 18.2 | |
147 | | Application Software Security | 18.3 | |
148 | | Application Software Security | 18.4 | |
149 | | Application Software Security | 18.5 | |
150 | | Application Software Security | 18.6 | |
151 | | Application Software Security | 18.7 | |
152 | | Application Software Security | 18.8 | |
153 | | Application Software Security | 18.9 | |
154 | | Application Software Security | 18.10 | |
155 | | Application Software Security | 18.11 | |
156 | | Incident Response and Management | 19.1 | |
157 | | Incident Response and Management | 19.2 | |
158 | | Incident Response and Management | 19.3 | |
159 | | Incident Response and Management | 19.4 | |
160 | | Incident Response and Management | 19.5 | |
161 | | Incident Response and Management | 19.6 | |
162 | | Incident Response and Management | 19.7 | |
163 | | Incident Response and Management | 19.8 | |
164 | | Penetration Tests and Red Team Exercises | 20.1 | |
165 | | Penetration Tests and Red Team Exercises | 20.2 | |
166 | | Penetration Tests and Red Team Exercises | 20.3 | |
167 | | Penetration Tests and Red Team Exercises | 20.4 | |
168 | | Penetration Tests and Red Team Exercises | 20.5 | |
169 | | Penetration Tests and Red Team Exercises | 20.6 | |
170 | | Penetration Tests and Red Team Exercises | 20.7 | |
171 | | Penetration Tests and Red Team Exercises | 20.8 | |
Deploy system configuration management tools that
Deploy System
will automatically enforce and redeploy
Configuration Management
configuration settings to systems at regularly
Tools
scheduled intervals.
Utilize a Security Content Automation Protocol
Implement Automated (SCAP) compliant configuration monitoring system
Configuration Monitoring to verify all security configuration elements, catalog
Systems approved exceptions, and alert when unauthorized
changes occur.
Use at least three synchronized time sources from
Utilize Three Synchronized which all servers and network devices retrieve time
Time Sources information on a regular basis so that timestamps in
logs are consistent.
Ensure that local logging has been enabled on all
Activate audit logging
systems and networking devices.
Enable system logging to include detailed
information such as a event source, date, user,
Enable Detailed Logging
timestamp, source addresses, destination
addresses, and other useful elements.
Ensure adequate storage Ensure that all systems that store logs have
for logs adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated
Central Log Management to a central log management system for analysis
and review.
Deploy Security Information and Event
Deploy SIEM or Log
Management (SIEM) or log analytic tool for log
Analytic tool
correlation and analysis.
On a regular basis, review logs to identify
Regularly Review Logs
anomalies or abnormal events.
On a regular basis, tune your SIEM system to better
Regularly Tune SIEM identify actionable events and decrease event
noise.
Ensure that only fully supported web browsers and
Ensure Use of Only Fully email clients are allowed to execute in the
Supported Browsers and organization, ideally only using the latest version of
Email Clients the browsers and email clients provided by the
vendor.
Disable Unnecessary or
Uninstall or disable any unauthorized browser or
Unauthorized Browser or
email client plugins or add-on applications.
Email Client Plugins

Limit Use of Scripting


Ensure that only authorized scripting languages are
Languages in Web
able to run in all web browsers and email clients.
Browsers and Email Clients

Enforce network-based URL filters that limit a


system's ability to connect to websites not approved
Maintain and Enforce
by the organization. This filtering shall be enforced
Network-Based URL Filters
for each of the organization's systems, whether they
are physically at an organization's facilities or not.

Subscribe to URL categorization services to ensure


Subscribe to URL- that they are up-to-date with the most recent
Categorization service website category definitions available.
Uncategorized sites shall be blocked by default.

Log all URL requests from each of the


organization's systems, whether onsite or a mobile
Log all URL requests device, in order to identify potentially malicious
activity and assist incident handlers with identifying
potentially compromised systems.

Use of DNS Filtering Use DNS filtering services to help block access to
Services known malicious domains.
To lower the chance of spoofed or modified emails
from valid domains, implement Domain-based
Implement DMARC and Message Authentication, Reporting and
Enable Receiver-Side Conformance (DMARC) policy and verification,
Verification starting by implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified
Mail(DKIM) standards.
Block all e-mail attachments entering the
Block Unnecessary File
organization's e-mail gateway if the file types are
Types
unnecessary for the organization's business.
Sandbox All Email Use sandboxing to analyze and block inbound
Attachments email attachments with malicious behavior.
Utilize centrally managed anti-malware software to
Utilize Centrally Managed
continuously monitor and defend each of the
Anti-malware Software
organization's workstations and servers.
Ensure Anti-Malware Ensure that the organization's anti-malware
Software and Signatures software updates its scanning engine and signature
are Updated database on a regular basis.

Enable anti-exploitation features such as Data


Enable Operating System Execution Prevention (DEP) or Address Space
Anti-Exploitation Features/ Layout Randomization (ASLR) that are available in
Deploy Anti-Exploit an operating system or deploy appropriate toolkits
Technologies that can be configured to apply protection to a
broader set of applications and executables.

Configure Anti-Malware Configure devices so that they automatically


Scanning of Removable conduct an anti-malware scan of removable media
Devices when inserted or connected.
Configure Devices Not To Configure devices to not auto-run content from
Auto-run Content removable media.
Send all malware detection events to enterprise
Centralize Anti-malware
anti-malware administration tools and event log
Logging
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging
Enable DNS Query Logging to detect hostname lookups for known malicious
domains.

Enable Command-line Audit Enable command-line audit logging for command


Logging shells, such as Microsoft PowerShell and Bash.

Associate Active Ports,


Associate active ports, services and protocols to the
Services and Protocols to
hardware assets in the asset inventory.
Asset Inventory
Ensure Only Approved Ensure that only network ports, protocols, and
Ports, Protocols and services listening on a system with validated
Services Are Running business needs, are running on each system.
Perform automated port scans on a regular basis
Perform Regular Automated
against all systems and alert if unauthorized ports
Port Scans
are detected on a system.
Apply host-based firewalls or port filtering tools on
Apply Host-based Firewalls end systems, with a default-deny rule that drops all
or Port Filtering traffic except those services and ports that are
explicitly allowed.
Place application firewalls in front of any critical
Implement Application servers to verify and validate the traffic going to the
Firewalls server. Any unauthorized traffic should be blocked
and logged.
Ensure Regular Automated Ensure that all system data is automatically backed
Back Ups up on regular basis.
Ensure that each of the organization's key systems
Perform Complete System are backed up as a complete system, through
Backups processes such as imaging, to enable the quick
recovery of an entire system.
Test data integrity on backup media on a regular
Test Data on Backup Media basis by performing a data restoration process to
ensure that the backup is properly working.
Ensure that backups are properly protected via
physical security or encryption when they are
Ensure Protection of
stored, as well as when they are moved across the
Backups
network. This includes remote backups and cloud
services.

Ensure Backups Have At Ensure that all backups have at least one backup
least One Non-Continuously destination that is not continuously addressable
Addressable Destination through operating system calls.

Maintain Standard Security Maintain standard, documented security


Configurations for Network configuration standards for all authorized network
Devices devices.

All configuration rules that allow traffic to flow


through network devices should be documented in
Document Traffic a configuration management system with a specific
Configuration Rules business reason for each rule, a specific individual’s
name responsible for that business need, and an
expected duration of the need.

Use Automated Tools to Compare all network device configuration against


Verify Standard Device approved security configurations defined for each
Configurations and Detect network device in use and alert when any
Changes deviations are discovered.
Install the Latest Stable
Version of Any Security- Install the latest stable version of any security-
related Updates on All related updates on all network devices.
Network Devices
Manage Network Devices
Using Multi-Factor Manage all network devices using multi-factor
Authentication and authentication and encrypted sessions.
Encrypted Sessions

Ensure network engineers use a dedicated machine


for all administrative tasks or tasks requiring
Use Dedicated Machines elevated access. This machine shall be segmented
For All Network from the organization's primary network and not be
Administrative Tasks allowed Internet access. This machine shall not be
used for reading e-mail, composing documents, or
surfing the Internet.

Manage the network infrastructure across network


Manage Network connections that are separated from the business
Infrastructure Through a use of that network, relying on separate VLANs or,
Dedicated Network preferably, on entirely different physical connectivity
for management sessions for network devices.
Maintain an Inventory of Maintain an up-to-date inventory of all of the
Network Boundaries organization's network boundaries.
Perform regular scans from outside each trusted
Scan for Unauthorized
network boundary to detect any unauthorized
Connections across Trusted
connections which are accessible across the
Network Boundaries
boundary.

Deny communications with known malicious or


Deny Communications with
unused Internet IP addresses and limit access only
Known Malicious IP
to trusted and necessary IP address ranges at each
Addresses
of the organization's network boundaries,.

Deny communication over unauthorized TCP or


UDP ports or application traffic to ensure that only
Deny Communication over
authorized protocols are allowed to cross the
Unauthorized Ports
network boundary in or out of the network at each
of the organization's network boundaries.
Configure Monitoring Configure monitoring systems to record network
Systems to Record Network packets passing through the boundary at each of
Packets the organization's network boundaries.
Deploy network-based Intrusion Detection Systems
(IDS) sensors to look for unusual attack
Deploy Network-based IDS
mechanisms and detect compromise of these
Sensor
systems at each of the organization's network
boundaries.

Deploy Network-Based Deploy network-based Intrusion Prevention


Intrusion Prevention Systems (IPS) to block malicious network traffic at
Systems each of the organization's network boundaries.

Deploy NetFlow Collection


Enable the collection of NetFlow and logging data
on Networking Boundary
on all network boundary devices.
Devices
Ensure that all network traffic to or from the Internet
Deploy Application Layer passes through an authenticated application layer
Filtering Proxy Server proxy that is configured to filter unauthorized
connections.
Decrypt all encrypted network traffic at the
boundary proxy prior to analyzing the content.
Decrypt Network Traffic at
However, the organization may use whitelists of
Proxy
allowed sites that can be accessed through the
proxy without decrypting the traffic.
Require All Remote Login to Require all remote login access to the
Use Multi-factor organization's network to encrypt data in transit and
Authentication use multi-factor authentication.
Scan all enterprise devices remotely logging into
Manage All Devices the organization's network prior to accessing the
Remotely Logging into network to ensure that each of the organization's
Internal Network security policies has been enforced in the same
manner as local network devices.
Maintain an inventory of all sensitive information
Maintain an Inventory stored, processed, or transmitted by the
Sensitive Information organization's technology systems, including those
located onsite or at a remote service provider.

Remove sensitive data or systems not regularly


accessed by the organization from the network.
Remove Sensitive Data or These systems shall only be used as stand alone
Systems Not Regularly systems (disconnected from the network) by the
Accessed by Organization business unit needing to occasionally use the
system or completely virtualized and powered off
until needed.

Deploy an automated tool on network perimeters


Monitor and Block
that monitors for unauthorized transfer of sensitive
Unauthorized Network
information and blocks such transfers while alerting
Traffic
information security professionals.
Only Allow Access to
Only allow access to authorized cloud storage or
Authorized Cloud Storage
email providers.
or Email Providers
Monitor and Detect Any
Monitor all traffic leaving the organization and
Unauthorized Use of
detect any unauthorized use of encryption.
Encryption
Encrypt the Hard Drive of All Utilize approved whole disk encryption software to
Mobile Devices. encrypt the hard drive of all mobile devices.
If USB storage devices are required, enterprise
software should be used that can configure systems
Manage USB Devices
to allow the use of specific devices. An inventory of
such devices should be maintained.

Manage System's External Configure systems not to write data to external


Removable Media's removable media, if there is no business need for
Read/write Configurations supporting such devices.

Encrypt Data on USB If USB storage devices are required, all data stored
Storage Devices on such devices must be encrypted while at rest.

Segment the network based on the label or


Segment the Network classification level of the information stored on the
Based on Sensitivity servers, locate all sensitive information on
separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure
Enable Firewall Filtering that only authorized systems are able to
Between VLANs communicate with other systems necessary to fulfill
their specific responsibilities.
Disable all workstation to workstation
communication to limit an attacker's ability to move
Disable Workstation to
laterally and compromise neighboring systems,
Workstation Communication
through technologies such as Private VLANs or
microsegmentation.
Encrypt All Sensitive
Encrypt all sensitive information in transit.
Information in Transit
Utilize an active discovery tool to identify all
sensitive information stored, processed, or
Utilize an Active Discovery
transmitted by the organization's technology
Tool to Identify Sensitive
systems, including those located onsite or at a
Data
remote service provider and update the
organization's sensitive information inventory.

Protect all information stored on systems with file


system, network share, claims, application, or
database specific access control lists. These
Protect Information through
controls will enforce the principle that only
Access Control Lists
authorized individuals should have access to the
information based on their need to access the
information as a part of their responsibilities.

Enforce Access Control to Use an automated tool, such as host-based Data


Data through Automated Loss Prevention, to enforce access controls to data
Tools even when data is copied off a system.

Encrypt all sensitive information at rest using a tool


Encrypt Sensitive that requires a secondary authentication
Information at Rest mechanism not integrated into the operating
system, in order to access the information.
Enforce detailed audit logging for access to
Enforce Detail Logging for
sensitive data or changes to sensitive data (utilizing
Access or Changes to
tools such as File Integrity Monitoring or Security
Sensitive Data
Information and Event Monitoring).
Maintain an Inventory of
Maintain an inventory of authorized wireless access
Authorized Wireless Access
points connected to the wired network.
Points
Detect Wireless Access Configure network vulnerability scanning tools to
Points Connected to the detect and alert on unauthorized wireless access
Wired Network points connected to the wired network.

Use a wireless intrusion detection system (WIDS) to


Use a Wireless Intrusion
detect and alert on unauthorized wireless access
Detection System
points connected to the network.

Disable Wireless Access on Disable wireless access on devices that do not


Devices if Not Required have a business purpose for wireless access.

Configure wireless access on client machines that


Limit Wireless Access on do have an essential wireless business purpose, to
Client Devices allow access only to authorized wireless networks
and to restrict access to other wireless networks.

Disable Peer-to-peer
Wireless Network Disable peer-to-peer (adhoc) wireless network
Capabilities on Wireless capabilities on wireless clients.
Clients

Leverage the Advanced


Leverage the Advanced Encryption Standard (AES)
Encryption Standard (AES)
to encrypt wireless data in transit.
to Encrypt Wireless Data
Use Wireless Authentication Ensure that wireless networks use authentication
Protocols that Require protocols such as Extensible Authentication
Mutual, Multi-Factor Protocol-Transport Layer Security (EAP/TLS), that
Authentication requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices (such


Disable Wireless Peripheral
as Bluetooth and NFC), unless such access is
Access of Devices
required for a business purpose.
Create a separate wireless network for personal or
Create Separate Wireless
untrusted devices. Enterprise access from this
Network for Personal and
network should be treated as untrusted and filtered
Untrusted Devices
and audited accordingly.

Maintain an inventory of each of the organization's


Maintain an Inventory of
authentication systems, including those located
Authentication Systems
onsite or at a remote service provider.

Configure access for all accounts through as few


Configure Centralized Point
centralized points of authentication as possible,
of Authentication
including network, security, and cloud systems.
Require multi-factor authentication for all user
Require Multi-factor
accounts, on all systems, whether managed onsite
Authentication
or by a third-party provider.
Encrypt or Hash all Encrypt or hash with a salt all authentication
Authentication Credentials credentials when stored.
Encrypt Transmittal of Ensure that all account usernames and
Username and authentication credentials are transmitted across
Authentication Credentials networks using encrypted channels.
Maintain an Inventory of Maintain an inventory of all accounts organized by
Accounts authentication system.
Establish and follow an automated process for
revoking system access by disabling accounts
Establish Process for immediately upon termination or change of
Revoking Access responsibilities of an employee or contractor .
Disabling these accounts, instead of deleting
accounts, allows preservation of audit trails.
Disable Any Unassociated Disable any account that cannot be associated with
Accounts a business process or business owner.
Automatically disable dormant accounts after a set
Disable Dormant Accounts
period of inactivity.
Ensure All Accounts Have Ensure that all accounts have an expiration date
An Expiration Date that is monitored and enforced.
Lock Workstation Sessions Automatically lock workstation sessions after a
After Inactivity standard period of inactivity.

Monitor Attempts to Access Monitor attempts to access deactivated accounts


Deactivated Accounts through audit logging.

Alert when users deviate from normal login


Alert on Account Login
behavior, such as time-of-day, workstation location
Behavior Deviation
and duration.
Perform a skills gap analysis to understand the
Perform a Skills Gap skills and behaviors workforce members are not
Analysis adhering to, using this information to build a
baseline education roadmap.
Deliver training to address the skills gap identified
Deliver Training to Fill the
to positively impact workforce members' security
Skills Gap
behavior.

Create a security awareness program for all


workforce members to complete on a regular basis
to ensure they understand and exhibit the
Implement a Security necessary behaviors and skills to help ensure the
Awareness Program security of the organization. The organization's
security awareness program should be
communicated in a continuous and engaging
manner.

Ensure that the organization's security awareness


Update Awareness Content program is updated frequently (at least annually) to
Frequently address new technologies, threats, standards and
business requirements.

Train Workforce on Secure Train workforce members on the importance of


Authentication enabling and utilizing secure authentication.

Train Workforce on Train the workforce on how to identify different


Identifying Social forms of social engineering attacks, such as
Engineering Attacks phishing, phone scams and impersonation calls.
Train workforce on how to identify and properly
Train Workforce on
store, transfer, archive and destroy sensitive
Sensitive Data Handling
information.
Train workforce members to be aware of causes for
Train Workforce on Causes
unintentional data exposures, such as losing their
of Unintentional Data
mobile devices or emailing the wrong person due to
Exposure
autocomplete in email.
Train Workforce Members Train employees to be able to identify the most
on Identifying and Reporting common indicators of an incident and be able to
Incidents report such an incident.
Establish secure coding practices appropriate to the
Establish Secure Coding
programming language and development
Practices
environment being used.
Ensure Explicit Error For in-house developed software, ensure that
Checking is Performed for explicit error checking is performed and
All In-house Developed documented for all input, including for size, data
Software type, and acceptable ranges or formats.
Verify that the version of all software acquired from
Verify That Acquired outside your organization is still supported by the
Software is Still Supported developer or appropriately hardened based on
developer security recommendations.
Only Use Up-to-date And Only use up-to-date and trusted third-party
Trusted Third-Party components for the software developed by the
Components organization.
Use Only Standardized and
Use only standardized and extensively reviewed
Extensively Reviewed
encryption algorithms.
Encryption Algorithms
Ensure that all software development personnel
Ensure Software
receive training in writing secure code for their
Development Personnel are
specific development environment and
Trained in Secure Coding
responsibilities.
Apply static and dynamic analysis tools to verify
Apply Static and Dynamic
that secure coding practices are being adhered to
Code Analysis Tools
for internally developed software.
Establish a Process to Establish a process to accept and address reports
Accept and Address of software vulnerabilities, including providing a
Reports of Software means for external entities to contact your security
Vulnerabilities group.
Maintain separate environments for production and
Separate Production and nonproduction systems. Developers should not
Non-Production Systems have unmonitored access to production
environments.

Protect web applications by deploying web


application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web
application attacks. For applications that are not
web-based, specific application firewalls should be
Deploy Web Application
deployed if such tools are available for the given
Firewalls (WAFs)
application type. If the traffic is encrypted, the
device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If
neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use


Use Standard Hardening
standard hardening configuration templates. All
Configuration Templates for
systems that are part of critical business processes
Databases
should also be tested.
Ensure that there are written incident response
Document Incident
plans that defines roles of personnel as well as
Response Procedures
phases of incident handling/management.

Assign job titles and duties for handling computer


Assign Job Titles and
and network incidents to specific individuals and
Duties for Incident
ensure tracking and documentation throughout the
Response
incident through resolution.

Designate Management Designate management personnel, as well as


Personnel to Support backups, who will support the incident handling
Incident Handling process by acting in key decision-making roles.

Devise organization-wide standards for the time


required for system administrators and other
Devise Organization-wide
workforce members to report anomalous events to
Standards for Reporting
the incident handling team, the mechanisms for
Incidents
such reporting, and the kind of information that
should be included in the incident notification.
Assemble and maintain information on third-party
Maintain Contact contact information to be used to report a security
Information For Reporting incident, such as Law Enforcement, relevant
Security Incidents government departments, vendors, and ISAC
partners.
Publish information for all workforce members,
Publish Information
regarding reporting computer anomalies and
Regarding Reporting
incidents to the incident handling team. Such
Computer Anomalies and
information should be included in routine employee
Incidents
awareness activities.

Plan and conduct routine incident response


exercises and scenarios for the workforce involved
Conduct Periodic Incident in the incident response to maintain awareness and
Scenario Sessions for comfort in responding to real world threats.
Personnel Exercises should test communication channels,
decision making, and incident responders technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema


Create Incident Scoring and based on known or potential impact to your
Prioritization Schema organization. Utilize score to define frequency of
status updates and escalation procedures.

Establish a program for penetration tests that


Establish a Penetration
includes a full scope of blended attacks, such as
Testing Program
wireless, client-based, and web application attacks.

Conduct regular external and internal penetration


Conduct Regular External
tests to identify vulnerabilities and attack vectors
and Internal Penetration
that can be used to exploit enterprise systems
Tests
successfully.
Perform periodic Red Team exercises to test
Perform Periodic Red Team
organizational readiness to identify and stop attacks
Exercises
or to respond quickly and effectively.
Include tests for the presence of unprotected
system information and artifacts that would be
Include Tests for Presence
useful to attackers, including network diagrams,
of Unprotected System
configuration files, older penetration test reports, e-
Information and Artifacts
mails or documents containing passwords or other
information critical to system operation.

Create a test bed that mimics a production


environment for specific penetration tests and Red
Create Test Bed for
Team attacks against elements that are not typically
Elements Not Typically
tested in production, such as attacks against
Tested in Production
supervisory control and data acquisition and other
control systems.

Use vulnerability scanning and penetration testing


Use Vulnerability Scanning
tools in concert. The results of vulnerability
and Penetration Testing
scanning assessments should be used as a starting
Tools in Concert
point to guide and focus penetration testing efforts.
Ensure Results from Wherever possible, ensure that Red Teams results
Penetration Test are are documented using open, machine-readable
Documented Using Open, standards (e.g., SCAP). Devise a scoring method
Machine-readable for determining the results of Red Team exercises
Standards so that results can be compared over time.

Any user or system accounts used to perform


Control and Monitor penetration testing should be controlled and
Accounts Associated with monitored to make sure they are only being used
Penetration Testing for legitimate purposes, and are removed or
restored to normal function after testing is over.
Information Asset (Information asset or asset class) | Current Control (How the control is currently implemented) | Vulnerability (What vulnerabilities are present, given the way the CIS Control is implemented)

Information Asset: All devices.
Current Control: Vulnerability scans occur occasionally and may not identify all systems that have been on the network between scans.
Vulnerability: Systems that have joined the network between sporadic scans will not be detected.

Information Asset: All devices in Production Environment.
Current Control: Vulnerability scans occur when Threat Info Service announces a moderate-to-high vulnerability that needs patching. Team reliably patches systems within 24 hours of announcement.
Vulnerability: A 24-hour window of vulnerability remains with the current process.

Information Asset: Enterprise management application in the internal corporate network.
Current Control: Vulnerability scans occur when Threat Info Service announces a moderate-to-high vulnerability that needs patching. Team patches most systems within 24 hours of announcement.
Vulnerability: Enterprise management application systems are unpatched for more than one year.

Information Asset: Enterprise Management Application
Current Control: Access logs are captured and stored locally, and not reviewed.
Vulnerability: The organization is unaware of suspicious or inappropriate use.
Threat (What threats could compromise information assets as a result of the vulnerabilities?) | Threat Likelihood (How foreseeable is it that this threat would occur and create an impact? Use risk assessment criteria as guidance) | Mission Impact (What impact could this threat pose to our mission? Use risk assessment criteria as guidance) | Obligations Impact (What impact could this threat pose to our obligations? Use risk assessment criteria as guidance)

Threat: Hackers or malware may attack and control systems that have not been detected, controlled, and monitored.
Threat Likelihood: 2 | Mission Impact: 1 | Obligations Impact: 3

Threat: Hackers or malware may attack and control systems that have not been patched within the 24-hour period after the vulnerability was announced.
Threat Likelihood: 1 | Mission Impact: 2 | Obligations Impact: 1

Threat: Hackers or malware may attack and control the enterprise management application environment.
Threat Likelihood: 2 | Mission Impact: 2 | Obligations Impact: 3

Threat: Rogue employees or hackers using escalated privileges may access and abuse nonpublic information in the application.
Threat Likelihood: 3 | Mission Impact: 2 | Obligations Impact: 3
Risk = Likelihood x Highest Impact Score. Acceptable risk < 4 | Will we accept, reduce, transfer, or avoid this risk? | What safeguard can we use to better implement the CIS Control?
Risk Score | Risk Treatment Option | Recommended Safeguard
6 | Reduce | Purchase and implement an appliance that actively and passively identifies IP hosts in all networks. Implement a process for routinely adding information about assets to the appliance. The appliance should optionally alert on new hosts that join the network.
2 | Accept | 
6 | Reduce | (CIS Control 12.7) Acquire and implement an open-source IPS solution to detect and alert on attacks on the enterprise management application and other vulnerable systems in the environment. After gaining confidence in the types of detected actions and alerts, deploy IPS capability to protect high-risk systems.
9 | Reduce | Implement a SIEM-as-a-Service. To prevent being overwhelmed by log messages and alerts, focus the SIEM first on high-risk systems, such as the enterprise management application. Alert on any data manipulation and downloads conducted by administrator accounts.

What risk would this recommended control pose to the mission, objectives, or obligations? | How foreseeable is it that this safeguard risk would occur and create an impact? Use risk assessment criteria as guidance | What impact could this safeguard risk pose to our mission? Use risk assessment criteria as guidance | What impact could this safeguard risk pose to our obligations? Use risk assessment criteria as guidance | Safeguard Risk Score
Safeguard Risk | Safeguard Threat Likelihood | Safeguard Mission Impact | Safeguard Obligations Impact | Safeguard Risk Score
A moderate cost would have minimal impact on the budget. Installation of the tool is likely not disruptive. Moderate cost in personnel time to add information about IP assets to the appliance database. After a baseline is established, we will be able to distinguish between organization-owned systems and systems that we do not control. Alerting can be set after the baseline is complete. | 1 | 1 | 3 | 3
 | | | | 0
Moderate cost in personnel time to implement and configure the IPS system. | 3 | 1 | 1 | 3
Initial tuning may be challenging, but will not interfere with our mission or obligations. | 2 | 1 | 1 | 2
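The arithmetic behind the register above (Risk = Likelihood x Highest Impact Score, acceptable risk < 4, and the same formula applied to the safeguard's own likelihood and impacts) is small enough to put in code so that a register can be checked mechanically. The following is an added example written for this page, not part of the CIS RAM Workbook; it assumes the 1-to-5 scales of the example criteria and expresses CIS RAM's safeguard test as "the safeguard's risk score must itself be acceptable and lower than the risk it treats", which is stated here as an assumption rather than quoted from the method.

```python
"""CIS RAM scoring for the example risk register above: risk score, safeguard risk score
and the acceptability tests, reproduced in code so the arithmetic can be checked."""
from dataclasses import dataclass
from typing import Optional

# The example register states "Acceptable risk < 4".
ACCEPTABLE_RISK_BELOW = 4


def risk_score(likelihood: int, mission_impact: int, obligations_impact: int) -> int:
    """Risk = Likelihood x Highest Impact Score (the formula in the register's column header)."""
    for value in (likelihood, mission_impact, obligations_impact):
        if not 1 <= value <= 5:  # assumption: 1..5 scales, as used by the example criteria
            raise ValueError(f"score {value} is outside the 1..5 scale")
    return likelihood * max(mission_impact, obligations_impact)


def is_acceptable(score: int, threshold: int = ACCEPTABLE_RISK_BELOW) -> bool:
    return score < threshold


@dataclass
class Risk:
    asset: str
    likelihood: int
    mission_impact: int
    obligations_impact: int
    treatment: str                                   # Accept, Reduce, Transfer or Avoid
    safeguard: Optional[str] = None                  # None for an accepted risk
    safeguard_likelihood: Optional[int] = None
    safeguard_mission_impact: Optional[int] = None
    safeguard_obligations_impact: Optional[int] = None

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.mission_impact, self.obligations_impact)

    @property
    def safeguard_score(self) -> int:
        """The register shows 0 where no safeguard is proposed (the accepted risk)."""
        if self.safeguard is None:
            return 0
        return risk_score(self.safeguard_likelihood, self.safeguard_mission_impact,
                          self.safeguard_obligations_impact)

    def safeguard_is_reasonable(self, threshold: int = ACCEPTABLE_RISK_BELOW) -> bool:
        """A safeguard passes when its own risk is acceptable AND lower than the risk it treats
        (assumption: CIS RAM's two safeguard conditions expressed as score comparisons)."""
        if self.safeguard is None:
            return False
        return is_acceptable(self.safeguard_score, threshold) and self.safeguard_score < self.score


def treatment_is_consistent(risk: Risk, threshold: int = ACCEPTABLE_RISK_BELOW) -> bool:
    """'Accept' is only consistent with an acceptable score; any other treatment needs an unacceptable one."""
    acceptable = is_acceptable(risk.score, threshold)
    return acceptable if risk.treatment == "Accept" else not acceptable


# The four rows of the example register, with the scores exactly as they appear above.
EXAMPLE_REGISTER = [
    Risk("All devices.", 2, 1, 3, "Reduce", "Asset discovery appliance", 1, 1, 3),
    Risk("All devices in Production Environment.", 1, 2, 1, "Accept"),
    Risk("Enterprise management application in the internal corporate network.",
         2, 2, 3, "Reduce", "Open-source IPS (CIS Control 12.7)", 3, 1, 1),
    Risk("Enterprise Management Application", 3, 2, 3, "Reduce", "SIEM-as-a-Service", 2, 1, 1),
]


def summarize(register):
    """One tuple per risk: asset, risk score, treatment, safeguard score, safeguard ok, treatment ok."""
    return [(r.asset, r.score, r.treatment, r.safeguard_score,
             r.safeguard_is_reasonable(), treatment_is_consistent(r)) for r in register]


if __name__ == "__main__":
    for row in summarize(EXAMPLE_REGISTER):
        print(row)
```

Running it reproduces the register: risk scores 6, 2, 6 and 9, safeguard scores 3, 0, 3 and 2, and every proposed safeguard passes because its score is both below 4 and below the risk it reduces. Changing the accepted row's impacts to anything that pushes its score to 4 or more makes treatment_is_consistent return False, which is the check a reviewer wants before signing off an "Accept".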

Summary: The risks stated in this risk register were identified by evaluating how well the CIS Controls are applied to information assets at [Name of organization or scope of the assessment].
Date Completed: MM/DD/YYYY
Acceptable Risk Score is ≤ 9

Risk # (Unique ID) | Information Asset Name (information asset or asset class) | Asset Type | Family (CIS Control Name) | CIS Sub-Control (CIS Control Number) | Title (CIS Control Title)
Example | Diary device controllers | Network | Wireless Access Control | 15.9 | Disable Wireless Peripheral Access of Devices
Example | Diary device controllers | System | Account Monitoring and Control | 16.3 | Require Multi-factor Authentication
Example | Diary device controllers | System | Malware Defenses | 8.1 | Utilize Centrally Managed Anti-malware Software
1 | | | Inventory and Control of Hardware Assets | 1.1 | Utilize an Active Discovery Tool
2 | | | Inventory and Control of Hardware Assets | 1.2 | Use a Passive Asset Discovery Tool
3 | | | Inventory and Control of Hardware Assets | 1.3 | Use DHCP Logging to Update Asset Inventory
4 | | | Inventory and Control of Hardware Assets | 1.4 | Maintain Detailed Asset Inventory
5 | | | Inventory and Control of Hardware Assets | 1.5 | Maintain Asset Inventory Information
6 | | | Inventory and Control of Hardware Assets | 1.6 | Address Unauthorized Assets
7 | | | Inventory and Control of Hardware Assets | 1.7 | Deploy Port Level Access Control
8 | | | Inventory and Control of Hardware Assets | 1.8 | Utilize Client Certificates to Authenticate Hardware Assets
9 | | | Inventory and Control of Software Assets | 2.1 | Maintain Inventory of Authorized Software
10 | | | Inventory and Control of Software Assets | 2.2 | Ensure Software is Supported by Vendor
11 | | | Inventory and Control of Software Assets | 2.3 | Utilize Software Inventory Tools
12 | | | Inventory and Control of Software Assets | 2.4 | Track Software Inventory Information
13 | | | Inventory and Control of Software Assets | 2.5 | Integrate Software and Hardware Asset Inventories
14 | | | Inventory and Control of Software Assets | 2.6 | Address Unapproved Software
15 | | | Inventory and Control of Software Assets | 2.7 | Utilize Application Whitelisting
16 | | | Inventory and Control of Software Assets | 2.8 | Implement Application Whitelisting of Libraries
17 | | | Inventory and Control of Software Assets | 2.9 | Implement Application Whitelisting of Scripts
18 | | | Inventory and Control of Software Assets | 2.10 | Physically or Logically Segregate High Risk Applications

19 | | | Continuous Vulnerability Management | 3.1 | Run Automated Vulnerability Scanning Tools
20 | | | Continuous Vulnerability Management | 3.2 | Perform Authenticated Vulnerability Scanning
21 | | | Continuous Vulnerability Management | 3.3 | Protect Dedicated Assessment Accounts
22 | | | Continuous Vulnerability Management | 3.4 | Deploy Automated Operating System Patch Management Tools
23 | | | Continuous Vulnerability Management | 3.5 | Deploy Automated Software Patch Management Tools
24 | | | Continuous Vulnerability Management | 3.6 | Compare Back-to-back Vulnerability Scans
25 | | | Continuous Vulnerability Management | 3.7 | Utilize a Risk-rating Process
26 | | | Controlled Use of Administrative Privileges | 4.1 | Maintain Inventory of Administrative Accounts
27 | | | Controlled Use of Administrative Privileges | 4.2 | Change Default Passwords
28 | | | Controlled Use of Administrative Privileges | 4.3 | Ensure the Use of Dedicated Administrative Accounts
29 | | | Controlled Use of Administrative Privileges | 4.4 | Use Unique Passwords
30 | | | Controlled Use of Administrative Privileges | 4.5 | Use Multifactor Authentication For All Administrative Access
31 | | | Controlled Use of Administrative Privileges | 4.6 | Use of Dedicated Machines For All Administrative Tasks
32 | | | Controlled Use of Administrative Privileges | 4.7 | Limit Access to Script Tools
33 | | | Controlled Use of Administrative Privileges | 4.8 | Log and Alert on Changes to Administrative Group Membership
34 | | | Controlled Use of Administrative Privileges | 4.9 | Log and Alert on Unsuccessful Administrative Account Login
35 | | | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | 5.1 | Establish Secure Configurations
36 | | | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | 5.2 | Maintain Secure Images
37 | | | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | 5.3 | Securely Store Master Images
38 | | | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | 5.4 | Deploy System Configuration Management Tools
39 | | | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | 5.5 | Implement Automated Configuration Monitoring Systems
40 | | | Maintenance, Monitoring and Analysis of Audit Logs | 6.1 | Utilize Three Synchronized Time Sources
41 | | | Maintenance, Monitoring and Analysis of Audit Logs | 6.2 | Activate Audit Logging
42 | | | Maintenance, Monitoring and Analysis of Audit Logs | 6.3 | Enable Detailed Logging
43 | | | Maintenance, Monitoring and Analysis of Audit Logs | 6.4 | Ensure Adequate Storage for Logs
44 | | | Maintenance, Monitoring and Analysis of Audit Logs | 6.5 | Central Log Management
45 | | | Maintenance, Monitoring and Analysis of Audit Logs | 6.6 | Deploy SIEM or Log Analytic Tool
46 | | | Maintenance, Monitoring and Analysis of Audit Logs | 6.7 | Regularly Review Logs
47 | | | Maintenance, Monitoring and Analysis of Audit Logs | 6.8 | Regularly Tune SIEM
48 | | | Email and Web Browser Protections | 7.1 | Ensure Use of Only Fully Supported Browsers and Email Clients
49 | | | Email and Web Browser Protections | 7.2 | Disable Unnecessary or Unauthorized Browser or Email Client Plugins
50 | | | Email and Web Browser Protections | 7.3 | Limit Use of Scripting Languages in Web Browsers and Email Clients
51 | | | Email and Web Browser Protections | 7.4 | Maintain and Enforce Network-Based URL Filters
52 | | | Email and Web Browser Protections | 7.5 | Subscribe to URL-Categorization Service
53 | | | Email and Web Browser Protections | 7.6 | Log All URL Requests
54 | | | Email and Web Browser Protections | 7.7 | Use of DNS Filtering Services
55 | | | Email and Web Browser Protections | 7.8 | Implement DMARC and Enable Receiver-Side Verification
56 | | | Email and Web Browser Protections | 7.9 | Block Unnecessary File Types
57 | | | Email and Web Browser Protections | 7.10 | Sandbox All Email Attachments
58 | | | Malware Defenses | 8.1 | Utilize Centrally Managed Anti-malware Software
59 | | | Malware Defenses | 8.2 | Ensure Anti-Malware Software and Signatures are Updated
60 | | | Malware Defenses | 8.3 | Enable Operating System Anti-Exploitation Features / Deploy Anti-Exploit Technologies
61 | | | Malware Defenses | 8.4 | Configure Anti-Malware Scanning of Removable Devices
62 | | | Malware Defenses | 8.5 | Configure Devices Not To Auto-run Content
63 | | | Malware Defenses | 8.6 | Centralize Anti-malware Logging
64 | | | Malware Defenses | 8.7 | Enable DNS Query Logging
65 | | | Malware Defenses | 8.8 | Enable Command-line Audit Logging
66 | | | Limitation and Control of Network Ports, Protocols, and Services | 9.1 | Associate Active Ports, Services and Protocols to Asset Inventory
67 | | | Limitation and Control of Network Ports, Protocols, and Services | 9.2 | Ensure Only Approved Ports, Protocols and Services Are Running
68 | | | Limitation and Control of Network Ports, Protocols, and Services | 9.3 | Perform Regular Automated Port Scans
69 | | | Limitation and Control of Network Ports, Protocols, and Services | 9.4 | Apply Host-based Firewalls or Port Filtering
70 | | | Limitation and Control of Network Ports, Protocols, and Services | 9.5 | Implement Application Firewalls

71 | | | Data Recovery Capabilities | 10.1 | Ensure Regular Automated Back Ups
72 | | | Data Recovery Capabilities | 10.2 | Perform Complete System Backups
73 | | | Data Recovery Capabilities | 10.3 | Test Data on Backup Media
74 | | | Data Recovery Capabilities | 10.4 | Ensure Protection of Backups
75 | | | Data Recovery Capabilities | 10.5 | Ensure Backups Have At Least One Non-Continuously Addressable Destination
76 | | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.1 | Maintain Standard Security Configurations for Network Devices
77 | | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.2 | Document Traffic Configuration Rules
78 | | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.3 | Use Automated Tools to Verify Standard Device Configurations and Detect Changes
79 | | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.4 | Install the Latest Stable Version of Any Security-related Updates on All Network Devices
80 | | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.5 | Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
81 | | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.6 | Use Dedicated Machines For All Network Administrative Tasks
82 | | | Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.7 | Manage Network Infrastructure Through a Dedicated Network
83 | | | Boundary Defense | 12.1 | Maintain an Inventory of Network Boundaries
84 | | | Boundary Defense | 12.2 | Scan for Unauthorized Connections across Trusted Network Boundaries
85 | | | Boundary Defense | 12.3 | Deny Communications with Known Malicious IP Addresses
86 | | | Boundary Defense | 12.4 | Deny Communication over Unauthorized Ports
87 | | | Boundary Defense | 12.5 | Configure Monitoring Systems to Record Network Packets
88 | | | Boundary Defense | 12.6 | Deploy Network-based IDS Sensor
89 | | | Boundary Defense | 12.7 | Deploy Network-Based Intrusion Prevention Systems
90 | | | Boundary Defense | 12.8 | Deploy NetFlow Collection on Networking Boundary Devices
91 | | | Boundary Defense | 12.9 | Deploy Application Layer Filtering Proxy Server
92 | | | Boundary Defense | 12.10 | Decrypt Network Traffic at Proxy
93 | | | Boundary Defense | 12.11 | Require All Remote Login to Use Multi-factor Authentication
94 | | | Boundary Defense | 12.12 | Manage All Devices Remotely Logging into Internal Network
95 | | | Data Protection | 13.1 | Maintain an Inventory of Sensitive Information
96 | | | Data Protection | 13.2 | Remove Sensitive Data or Systems Not Regularly Accessed by Organization
97 | | | Data Protection | 13.3 | Monitor and Block Unauthorized Network Traffic
98 | | | Data Protection | 13.4 | Only Allow Access to Authorized Cloud Storage or Email Providers
99 | | | Data Protection | 13.5 | Monitor and Detect Any Unauthorized Use of Encryption
100 | | | Data Protection | 13.6 | Encrypt the Hard Drive of All Mobile Devices
101 | | | Data Protection | 13.7 | Manage USB Devices
102 | | | Data Protection | 13.8 | Manage System's External Removable Media's Read/Write Configurations
103 | | | Data Protection | 13.9 | Encrypt Data on USB Storage Devices

104 | | | Controlled Access Based on the Need to Know | 14.1 | Segment the Network Based on Sensitivity
105 | | | Controlled Access Based on the Need to Know | 14.2 | Enable Firewall Filtering Between VLANs
106 | | | Controlled Access Based on the Need to Know | 14.3 | Disable Workstation to Workstation Communication
107 | | | Controlled Access Based on the Need to Know | 14.4 | Encrypt All Sensitive Information in Transit
108 | | | Controlled Access Based on the Need to Know | 14.5 | Utilize an Active Discovery Tool to Identify Sensitive Data
109 | | | Controlled Access Based on the Need to Know | 14.6 | Protect Information through Access Control Lists
110 | | | Controlled Access Based on the Need to Know | 14.7 | Enforce Access Control to Data through Automated Tools
111 | | | Controlled Access Based on the Need to Know | 14.8 | Encrypt Sensitive Information at Rest
112 | | | Controlled Access Based on the Need to Know | 14.9 | Enforce Detail Logging for Access or Changes to Sensitive Data
113 | | | Wireless Access Control | 15.1 | Maintain an Inventory of Authorized Wireless Access Points
114 | | | Wireless Access Control | 15.2 | Detect Wireless Access Points Connected to the Wired Network
115 | | | Wireless Access Control | 15.3 | Use a Wireless Intrusion Detection System
116 | | | Wireless Access Control | 15.4 | Disable Wireless Access on Devices if Not Required
117 | | | Wireless Access Control | 15.5 | Limit Wireless Access on Client Devices
118 | | | Wireless Access Control | 15.6 | Disable Peer-to-peer Wireless Network Capabilities on Wireless Clients
119 | | | Wireless Access Control | 15.7 | Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
120 | | | Wireless Access Control | 15.8 | Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
121 | | | Wireless Access Control | 15.9 | Disable Wireless Peripheral Access of Devices
122 | | | Wireless Access Control | 15.10 | Create Separate Wireless Network for Personal and Untrusted Devices
123 | | | Account Monitoring and Control | 16.1 | Maintain an Inventory of Authentication Systems
124 | | | Account Monitoring and Control | 16.2 | Configure Centralized Point of Authentication
125 | | | Account Monitoring and Control | 16.3 | Require Multi-factor Authentication
126 | | | Account Monitoring and Control | 16.4 | Encrypt or Hash All Authentication Credentials
127 | | | Account Monitoring and Control | 16.5 | Encrypt Transmittal of Username and Authentication Credentials
128 | | | Account Monitoring and Control | 16.6 | Maintain an Inventory of Accounts
129 | | | Account Monitoring and Control | 16.7 | Establish Process for Revoking Access
130 | | | Account Monitoring and Control | 16.8 | Disable Any Unassociated Accounts
131 | | | Account Monitoring and Control | 16.9 | Disable Dormant Accounts
132 | | | Account Monitoring and Control | 16.10 | Ensure All Accounts Have An Expiration Date
133 | | | Account Monitoring and Control | 16.11 | Lock Workstation Sessions After Inactivity
134 | | | Account Monitoring and Control | 16.12 | Monitor Attempts to Access Deactivated Accounts
 | | | Account Monitoring and Control | 16.13 | Alert on Account Login Behavior Deviation

 | | | Implement a Security Awareness and Training Program | 17.1 | Perform a Skills Gap Analysis
 | | | Implement a Security Awareness and Training Program | 17.2 | Deliver Training to Fill the Skills Gap
 | | | Implement a Security Awareness and Training Program | 17.3 | Implement a Security Awareness Program
 | | | Implement a Security Awareness and Training Program | 17.4 | Update Awareness Content Frequently
 | | | Implement a Security Awareness and Training Program | 17.5 | Train Workforce on Secure Authentication
 | | | Implement a Security Awareness and Training Program | 17.6 | Train Workforce on Identifying Social Engineering Attacks
 | | | Implement a Security Awareness and Training Program | 17.7 | Train Workforce on Sensitive Data Handling
 | | | Implement a Security Awareness and Training Program | 17.8 | Train Workforce on Causes of Unintentional Data Exposure
 | | | Implement a Security Awareness and Training Program | 17.9 | Train Workforce Members on Identifying and Reporting Incidents
 | | | Application Software Security | 18.1 | Establish Secure Coding Practices
 | | | Application Software Security | 18.2 | Ensure Explicit Error Checking is Performed for All In-house Developed Software
 | | | Application Software Security | 18.3 | Verify That Acquired Software is Still Supported
 | | | Application Software Security | 18.4 | Only Use Up-to-date And Trusted Third-Party Components
 | | | Application Software Security | 18.5 | Use Only Standardized and Extensively Reviewed Encryption Algorithms
 | | | Application Software Security | 18.6 | Ensure Software Development Personnel are Trained in Secure Coding
 | | | Application Software Security | 18.7 | Apply Static and Dynamic Code Analysis Tools
 | | | Application Software Security | 18.8 | Establish a Process to Accept and Address Reports of Software Vulnerabilities
 | | | Application Software Security | 18.9 | Separate Production and Non-Production Systems
 | | | Application Software Security | 18.10 | Deploy Web Application Firewalls (WAFs)
 | | | Application Software Security | 18.11 | Use Standard Hardening Configuration Templates for Databases
 | | | Incident Response and Management | 19.1 | Document Incident Response Procedures
 | | | Incident Response and Management | 19.2 | Assign Job Titles and Duties for Incident Response
 | | | Incident Response and Management | 19.3 | Designate Management Personnel to Support Incident Handling
 | | | Incident Response and Management | 19.4 | Devise Organization-wide Standards for Reporting Incidents
 | | | Incident Response and Management | 19.5 | Maintain Contact Information For Reporting Security Incidents
 | | | Incident Response and Management | 19.6 | Publish Information Regarding Reporting Computer Anomalies and Incidents
 | | | Incident Response and Management | 19.7 | Conduct Periodic Incident Scenario Sessions for Personnel
 | | | Incident Response and Management | 19.8 | Create Incident Scoring and Prioritization Schema
 | | | Penetration Tests and Red Team Exercises | 20.1 | Establish a Penetration Testing Program
 | | | Penetration Tests and Red Team Exercises | 20.2 | Conduct Regular External and Internal Penetration Tests
 | | | Penetration Tests and Red Team Exercises | 20.3 | Perform Periodic Red Team Exercises
 | | | Penetration Tests and Red Team Exercises | 20.4 | Include Tests for Presence of Unprotected System Information and Artifacts
 | | | Penetration Tests and Red Team Exercises | 20.5 | Create Test Bed for Elements Not Typically Tested in Production
 | | | Penetration Tests and Red Team Exercises | 20.6 | Use Vulnerability Scanning and Penetration Testing Tools in Concert
 | | | Penetration Tests and Red Team Exercises | 20.7 | Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
 | | | Penetration Tests and Red Team Exercises | 20.8 | Control and Monitor Accounts Associated with Penetration Testing
Sub-Control | CIS Control Description | How the control is currently implemented (Current Control) | What vulnerabilities are present, given the way the CIS Control is implemented (Vulnerability) | What threats could compromise information assets as a result of the vulnerabilities? (Threat) | How foreseeable is it that this threat would occur and create an impact? Use risk assessment criteria as guidance (Threat Likelihood) | What impact could this threat pose to our mission? Use risk assessment criteria as guidance (Mission Impact)
Example 15.9 | Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is required for a business purpose. | [Supplemented by CIS Control 16.3] Each diary device is joined to the diary device controller using a one-time, six-digit code that is displayed on the controller and entered at the device. At this point, all file transfers and firmware updates are enabled. However, files may only be accessed by devices that use soft-certs that are associated with access privileges on diary device controllers. | Diary device controllers are using a deprecated version of Bluetooth to support older diary devices. Bluetooth devices with seized soft-certs can manipulate Bluetooth services on the diary device controllers to gain access to files and commands on the controllers. | Hackers may walk through clinics with Bluetooth devices that are prepared with device-specific soft-certs to hack diary device controllers using attacks such as Blueborne. Hackers must steal soft-certs from diary devices, then guess one-time six-digit codes to access patient files on diary device controllers. | 1 | 3
Example 16.3 | Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider. | While diary devices can connect to diary device controllers over Bluetooth using a one-time, six-digit code, access to existing files with patient information on the controller is granted using the unique soft-cert on each diary device. | Six-digit codes may be guessed, or soft-certs may be stolen from diary devices and stored on attacker systems. | Hackers must steal soft-certs from diary devices, then guess one-time six-digit codes to access patient files on diary device controllers. | 1 | 3
Example 8.1 | Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers. | ...limited because common vectors for receiving malware such as email clients and web browsers are not installed on the controllers. Attackers would need to download malware executables from the Internet using scripts or bash commands. Command line, by design, is only accessible over terminal connections to the console port. | Anti-malware software is not permitted on the diary device controllers while they operate in clinical settings. | Hackers may implant malware on diary device controllers through web application exploits while they operate in clinical settings. Bluetooth attacks may still permit malware executables to be uploaded to a file space associated with an anonymous account. The web admin application on each controller has been tested as vulnerable to arbitrary code execution, cross-site scripting, and other attacks. | 3 | 3
CIS Control Descriptions (the Description column for risks 1 onward, in sub-control order):

1.1: Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

1.2: Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

1.3: Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

1.4: Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.

1.5: Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

1.6: Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
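Sub-controls 1.3, 1.5 and 1.6 together describe one loop: take lease acknowledgements from the DHCP server, refresh the address recorded for each known asset, and surface anything that leased an address without being an approved inventory entry. The following is an added example for this page, not code from the CIS RAM Workbook or from CIS; it parses the DHCPACK line format that ISC dhcpd writes to syslog, and the log lines, MAC addresses, host names and inventory records in it are constructed for the illustration.

```python
"""Reconcile DHCP server log lines against the hardware asset inventory
(sub-controls 1.3, 1.5 and 1.6): refresh addresses, flag unapproved and unknown devices."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ISC dhcpd lease acknowledgements look like:
#   DHCPACK on 10.20.1.23 to 3c:52:82:aa:01:10 (fin-ws-041) via eth0
# The "(hostname)" part is absent when the client sends no host name.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<hostname>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class AssetRecord:
    """The fields sub-control 1.5 requires per asset; ip is refreshed from DHCP (1.3)."""
    mac: str
    name: str
    owner: str
    department: str
    approved: bool          # approved to connect to the network
    ip: str = ""


def parse_dhcpack(line: str) -> Optional[dict]:
    """Return ip/mac/hostname/iface for a DHCPACK line, or None for any other line."""
    m = DHCPACK_RE.search(line)
    if m is None:
        return None
    lease = m.groupdict()
    lease["mac"] = lease["mac"].lower()        # normalise: the server may log either case
    lease["hostname"] = lease["hostname"] or ""
    return lease


def reconcile(log_lines: List[str], inventory: Dict[str, AssetRecord]) -> dict:
    """Update inventory addresses from the log; return devices that need action (1.6)."""
    unknown: Dict[str, dict] = {}          # mac -> latest lease seen
    unapproved: Dict[str, AssetRecord] = {}
    for line in log_lines:
        lease = parse_dhcpack(line)
        if lease is None:
            continue
        record = inventory.get(lease["mac"])
        if record is None:
            unknown[lease["mac"]] = lease
            continue
        record.ip = lease["ip"]
        if not record.approved:
            unapproved[record.mac] = record
    return {"unknown": list(unknown.values()), "unapproved": list(unapproved.values())}


# Constructed sample log (not real data); host names and MAC addresses are invented.
SAMPLE_LOG = [
    "Mar  3 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.23 to 3c:52:82:aa:01:10 (fin-ws-041) via eth0",
    "Mar  3 09:12:09 dhcp1 dhcpd[812]: DHCPDISCOVER from b8:27:eb:44:55:66 via eth0",
    "Mar  3 09:12:10 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.77 to b8:27:eb:44:55:66 via eth0",
    "Mar  3 09:13:40 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.31 to 00:1a:2b:3c:4d:5e (contractor-lt) via eth0",
    "Mar  3 09:14:02 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.23 to 3C:52:82:AA:01:10 (fin-ws-041) via eth0",
]

# Constructed inventory: one approved workstation, one contractor laptop recorded but not approved.
INVENTORY = {
    "3c:52:82:aa:01:10": AssetRecord("3c:52:82:aa:01:10", "fin-ws-041", "J. Doe", "Finance", True),
    "00:1a:2b:3c:4d:5e": AssetRecord("00:1a:2b:3c:4d:5e", "contractor-lt", "Vendor", "Facilities", False),
}

if __name__ == "__main__":
    result = reconcile(SAMPLE_LOG, INVENTORY)
    for lease in result["unknown"]:
        print("UNKNOWN   ", lease["mac"], lease["ip"], lease["hostname"] or "(no hostname)")
    for rec in result["unapproved"]:
        print("UNAPPROVED", rec.mac, rec.ip, rec.name, rec.department)
```

On the sample log the device b8:27:eb:44:55:66 leased 10.20.1.77 without sending a host name and has no inventory entry, so it is the candidate for removal or quarantine; the contractor laptop is known but not approved, which is the case 1.6 wants escalated rather than silently tolerated. Only DHCPACK lines update addresses: a DHCPDISCOVER proves nothing about what ended up on the network.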

1.7: Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

1.8: Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

2.1: Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

2.2: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

2.3: Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

2.4: The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

2.5: The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

2.6: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

2.7: Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

2.8: The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

2.9: The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

2.10: Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

3.1: Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

3.2: Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

3.3: Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

3.4: Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

3.5: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

3.6: Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

3.7: Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
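Sub-controls 3.6 and 3.7 are usually implemented as one step over two scan exports: key each finding on (host, vulnerability id), split the two sets into new, persistent and remediated, age the persistent ones from the date they were first seen, and rank what is left by a rating that weighs CVSS against how much the asset matters. The following is an added example written for this page, not part of the CIS RAM Workbook; the SLA days, the criticality weights, the overdue bonus and the scan records (host names and V-nnnn identifiers) are all assumptions constructed for the illustration.

```python
"""Compare back-to-back vulnerability scan results and rank what is left
(sub-controls 3.6 and 3.7)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str        # scanner plugin id or CVE id
    cvss: float
    first_seen: date


# Assumed remediation SLA per severity band, in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity(cvss: float) -> str:
    """CVSS v3 qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def diff_scans(previous: List[Finding], current: List[Finding]
               ) -> Tuple[List[Finding], List[Finding], List[Finding]]:
    """Return (new, persistent, remediated). A finding is keyed on (host, vuln_id).
    Persistent findings keep the earlier first_seen so SLA age counts from first detection."""
    prev = {(f.host, f.vuln_id): f for f in previous}
    cur = {(f.host, f.vuln_id): f for f in current}
    new = [cur[k] for k in sorted(cur.keys() - prev.keys())]
    remediated = [prev[k] for k in sorted(prev.keys() - cur.keys())]
    persistent = [Finding(cur[k].host, cur[k].vuln_id, cur[k].cvss, prev[k].first_seen)
                  for k in sorted(prev.keys() & cur.keys())]
    return new, persistent, remediated


def is_overdue(f: Finding, today: date) -> bool:
    return (today - f.first_seen).days > SLA_DAYS[severity(f.cvss)]


def risk_rating(f: Finding, asset_criticality: Dict[str, int], today: date) -> float:
    """Risk-rating process (3.7): CVSS weighted by asset criticality 1..3; an SLA breach
    adds a fixed bonus so overdue findings outrank every non-overdue one (assumption)."""
    rating = f.cvss * asset_criticality.get(f.host, 1)
    if is_overdue(f, today):
        rating += 10.0
    return rating


def prioritize(findings: List[Finding], asset_criticality: Dict[str, int], today: date) -> List[Finding]:
    return sorted(findings, key=lambda f: risk_rating(f, asset_criticality, today), reverse=True)


# Constructed scan results; vulnerability ids and hosts are invented placeholders.
TODAY = date(2018, 3, 5)
PREVIOUS_SCAN = [
    Finding("db01", "V-1001", 8.1, date(2018, 1, 8)),
    Finding("web02", "V-1002", 10.0, date(2018, 2, 20)),
    Finding("ws-117", "V-1003", 9.8, date(2018, 2, 20)),
]
CURRENT_SCAN = [
    Finding("db01", "V-1001", 8.1, TODAY),      # still present; first seen on Jan 8
    Finding("ws-117", "V-1003", 9.8, TODAY),    # still present; first seen on Feb 20
    Finding("web02", "V-1004", 7.5, TODAY),     # new this scan
]
CRITICALITY = {"db01": 3, "web02": 2, "ws-117": 1}

if __name__ == "__main__":
    new, persistent, remediated = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print("remediated:", [(f.host, f.vuln_id) for f in remediated])
    print("new:       ", [(f.host, f.vuln_id) for f in new])
    for f in prioritize(new + persistent, CRITICALITY, TODAY):
        print(f"{risk_rating(f, CRITICALITY, TODAY):5.1f}", f.host, f.vuln_id,
              severity(f.cvss), "OVERDUE" if is_overdue(f, TODAY) else "")
```

The point of carrying first_seen forward is that a scanner export dates every finding to the day of the scan; without the join against the previous export, a finding that has sat unpatched for two months looks one day old and never breaches an SLA. In the sample, db01's high-severity finding (56 days, 30-day SLA) ranks first despite a lower CVSS than ws-117's, because it is both overdue and on the most critical asset.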

4.1: Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

4.2: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

4.3: Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

4.4: Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

4.5: Use multi-factor authentication and encrypted channels for all administrative account access.

4.6: Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.

4.7: Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.

4.8: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

4.9: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
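Sub-controls 4.8 and 4.9 are detection rules, and both depend on the 4.1 inventory: the rule has to know which groups and which accounts count as administrative. The following is an added example for this page, not code from the CIS RAM Workbook or CIS, showing both rules run over Windows Security events. The event IDs are the standard ones (4728, 4732 and 4756 for a member added to a security-enabled global, local or universal group; 4729, 4733 and 4757 for the removals; 4625 for a failed logon). The flattened JSON field names, the group and account lists, the burst threshold and the events themselves are constructed for the illustration.

```python
"""Detection logic for sub-controls 4.8 and 4.9 over Windows Security events: alert on
membership changes in administrative groups and on failed logons to administrative accounts."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Windows Security event IDs: member added to a security-enabled global / local / universal
# group, the matching removals, and a failed logon.
GROUP_ADDED = {4728, 4732, 4756}
GROUP_REMOVED = {4729, 4733, 4757}
FAILED_LOGON = 4625

# Assumed: the privileged groups and the administrative accounts from the 4.1 inventory.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-backup"}


def detect(events: List[dict], admin_groups, admin_accounts,
           burst_threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Return one alert per admin-group change (4.8), one per failed admin logon (4.9), plus
    a burst alert the moment an account reaches burst_threshold failures inside the window."""
    alerts: List[dict] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        event_id = e["EventID"]
        ts = datetime.fromisoformat(e["TimeCreated"])
        if event_id in GROUP_ADDED | GROUP_REMOVED and e.get("TargetGroup") in admin_groups:
            alerts.append({
                "rule": "admin_group_change",
                "action": "added" if event_id in GROUP_ADDED else "removed",
                "group": e["TargetGroup"], "member": e["Member"],
                "by": e["SubjectUserName"], "at": ts,
            })
        elif event_id == FAILED_LOGON and e.get("TargetUserName") in admin_accounts:
            account = e["TargetUserName"]
            alerts.append({"rule": "admin_logon_failure", "account": account,
                           "source": e.get("IpAddress", "-"), "at": ts})
            recent = [t for t in failures[account] if ts - t <= window] + [ts]
            failures[account] = recent
            if len(recent) == burst_threshold:       # fire once, when the threshold is reached
                alerts.append({"rule": "admin_logon_burst", "account": account,
                               "failures": len(recent), "since": recent[0], "at": ts})
    return alerts


# Constructed events in the flattened JSON shape a log forwarder might emit (not real logs).
SAMPLE_EVENTS_JSONL = """
{"TimeCreated": "2018-03-05T08:00:10", "EventID": 4728, "SubjectUserName": "adm-jdoe", "TargetGroup": "Sales", "Member": "carol"}
{"TimeCreated": "2018-03-05T08:01:32", "EventID": 4732, "SubjectUserName": "adm-jdoe", "TargetGroup": "Administrators", "Member": "bob"}
{"TimeCreated": "2018-03-05T08:02:00", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.20.1.23"}
{"TimeCreated": "2018-03-05T08:02:05", "EventID": 4625, "TargetUserName": "adm-jdoe", "IpAddress": "10.20.1.77"}
{"TimeCreated": "2018-03-05T08:02:09", "EventID": 4625, "TargetUserName": "adm-jdoe", "IpAddress": "10.20.1.77"}
{"TimeCreated": "2018-03-05T08:02:14", "EventID": 4625, "TargetUserName": "adm-jdoe", "IpAddress": "10.20.1.77"}
{"TimeCreated": "2018-03-05T08:45:00", "EventID": 4625, "TargetUserName": "adm-jdoe", "IpAddress": "10.20.1.40"}
{"TimeCreated": "2018-03-05T09:10:00", "EventID": 4729, "SubjectUserName": "adm-backup", "TargetGroup": "Domain Admins", "Member": "bob"}
"""


def load_events(jsonl: str) -> List[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS_JSONL), ADMIN_GROUPS, ADMIN_ACCOUNTS):
        print(alert["at"].isoformat(), alert["rule"],
              {k: v for k, v in alert.items() if k not in ("at", "rule")})
```

The sample yields two group-change alerts (bob added to Administrators, then removed from Domain Admins; the Sales change is ignored), four failure alerts for adm-jdoe (alice's failure is not an admin account), and one burst alert at the third failure inside ten minutes. The later failure at 08:45 produces a single alert but no burst, because the earlier three have aged out of the window; that is the behaviour to verify when tuning the threshold, since a rule that never resets will page on every stray typo for the rest of the day.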

5.1: Maintain documented, standard security configuration standards for all authorized operating systems and software.

5.2: Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

5.3: Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

5.4: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

5.5: Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

6.1: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

6.2: Ensure that local logging has been enabled on all systems and networking devices.

6.3: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

6.4: Ensure that all systems that store logs have adequate storage space for the logs generated.

6.5: Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

6.6: Deploy a Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.

6.7: On a regular basis, review logs to identify anomalies or abnormal events.

6.8: On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
7.1: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

7.2: Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

7.3: Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

7.4: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

7.5: Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

7.6: Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

7.7: Use DNS filtering services to help block access to known malicious domains.

7.8: To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
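Whether 7.8 is actually met comes down to a handful of settings in two DNS TXT records, and the common failure is publishing records that exist but enforce nothing (an SPF record ending in "+all", a DMARC policy of p=none, or a pct below 100). The following is an added example for this page, not code from the CIS RAM Workbook or CIS: it parses the two records offline and reports the weak settings, evaluating a weak pair next to a corrected pair. The records use the reserved documentation domain example.com and address block 203.0.113.0/24 and are constructed for the illustration; the "more than 10 include terms" check is a conservative reading of the RFC 7208 lookup limit, which also counts a, mx, ptr, exists and redirect.

```python
"""Check the SPF and DMARC TXT records a domain publishes for the weak settings
sub-control 7.8 is meant to remove; a weak and a corrected pair are evaluated side by side."""
from typing import Dict, List


def parse_spf(txt: str) -> List[str]:
    """Split an SPF record into its mechanisms/modifiers, e.g. ['ip4:203.0.113.0/24', '-all']."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_txt: str, dmarc_txt: str) -> List[str]:
    """Return human-readable findings; an empty list means the pair meets the sub-control."""
    findings: List[str] = []
    spf = parse_spf(spf_txt)
    all_terms = [t for t in spf if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("spf: no 'all' mechanism, so unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # '+' is the default qualifier
        if qualifier == "+":
            findings.append("spf: '+all' authorises every host on the Internet to send as the domain")
        elif qualifier == "?":
            findings.append("spf: '?all' makes the record neutral, receivers cannot reject on it")
        elif qualifier == "~":
            findings.append("spf: '~all' (softfail) only marks, use '-all' once the sender list is complete")
    if sum(1 for t in spf if t.lower().startswith("include:")) > 10:
        findings.append("spf: more than 10 include terms exceeds the 10 DNS-lookup limit (RFC 7208)")

    dmarc = parse_dmarc(dmarc_txt)
    if dmarc.get("p", "none") == "none":
        findings.append("dmarc: p=none only monitors; receivers are not told to quarantine or reject")
    if int(dmarc.get("pct", "100")) < 100:
        findings.append(f"dmarc: pct={dmarc['pct']} applies the policy to only part of the mail stream")
    if "rua" not in dmarc:
        findings.append("dmarc: no rua= address, so aggregate reports (the 'Reporting' in DMARC) are lost")
    return findings


# Constructed records for the reserved documentation domain example.com.
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("corrected", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["ok"])
```

The weak pair produces four findings; the corrected pair none. In practice the records are fetched with a DNS TXT query for the domain and for _dmarc.<domain>, and the same assess() is run over the result; the parsing is kept separate from the lookup so the check can be run against records before they are published.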

7.9 Block all e-mail attachments entering the organization's e-mail gateway if the file types are unnecessary for the organization's business.

7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.

8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.

8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

8.5 Configure devices to not auto-run content from removable media.

8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
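Added example serving sub-controls 7.6, 7.7 and 8.7 (not part of the workbook or the CIS Controls text): detection logic that runs over DNS query log lines and flags lookups of known malicious domains, including their subdomains. The log lines in SAMPLE_LOG follow the shape of BIND's query log but are constructed; the addresses, names and the MALICIOUS_DOMAINS blocklist are invented for the example and would normally come from a threat-intelligence feed.

```python
import re
from collections import Counter

# Constructed BIND-style query log lines; the hosts and domains are invented for this example.
SAMPLE_LOG = """\
12-Mar-2024 09:14:02.117 client @0x7f2b 10.20.1.15#51322 (www.example.com): query: www.example.com IN A +E(0)K (10.20.0.2)
12-Mar-2024 09:14:05.301 client @0x7f2b 10.20.1.15#51340 (cdn.evil.example): query: cdn.evil.example IN A +E(0)K (10.20.0.2)
12-Mar-2024 09:14:05.902 client @0x7f2b 10.20.1.77#40011 (C2.BADACTOR.TEST.): query: C2.BADACTOR.TEST. IN TXT +E(0)K (10.20.0.2)
12-Mar-2024 09:14:07.410 client @0x7f2b 10.20.1.15#51341 (notevil.example): query: notevil.example IN AAAA +E(0)K (10.20.0.2)
12-Mar-2024 09:14:09.000 client @0x7f2b 10.20.1.15#51342 (evil.example): query: evil.example IN MX +E(0)K (10.20.0.2)
"""

# Constructed blocklist standing in for a feed of known malicious domains.
MALICIOUS_DOMAINS = {"evil.example", "c2.badactor.test"}

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<client>[\d.]+|[0-9a-f:]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case and strip the trailing dot so 'C2.BADACTOR.TEST.' matches the list."""
    return name.lower().rstrip(".")


def is_blocked(qname, blocklist=MALICIOUS_DOMAINS):
    """True if qname is a listed domain or a subdomain of one.

    Matching on label boundaries matters: 'notevil.example' must not match 'evil.example'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def parse_query_log(text):
    """Yield (timestamp, client, qname, qtype) for each parsable query line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("client"), m.group("qname"), m.group("qtype")


def find_malicious_lookups(text, blocklist=MALICIOUS_DOMAINS):
    """Return the hits as (client, normalized qname, qtype) plus a per-client count,
    which is what an incident handler needs to pick the hosts to isolate first."""
    hits = [(client, normalize(qname), qtype)
            for _, client, qname, qtype in parse_query_log(text)
            if is_blocked(qname, blocklist)]
    return hits, Counter(client for client, _, _ in hits)


if __name__ == "__main__":
    hits, per_client = find_malicious_lookups(SAMPLE_LOG)
    for client, qname, qtype in hits:
        print("ALERT %s looked up %s (%s)" % (client, qname, qtype))
    print(dict(per_client))
```

The suffix match walks label boundaries rather than using a plain substring test; that is what keeps a lookalike such as notevil.example from producing a false positive while still catching cdn.evil.example.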

8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

9.1 Associate active ports, services and protocols to the hardware assets in the asset inventory.

9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
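Added example serving sub-controls 9.1 and 9.3 (not part of the workbook or the CIS Controls text): a comparison of port-scan results against the approved ports recorded in the asset inventory, producing the alerts 9.3 asks for. The scan text follows nmap's grepable (-oG) layout, in which each port entry is port/state/protocol/owner/service/rpc/version/, but the hosts, services and the INVENTORY mapping are constructed for the example.

```python
import re

# Constructed inventory of approved listening services per host (sub-control 9.1 ties
# ports and protocols to hardware assets). Keys are (protocol, port).
INVENTORY = {
    "10.0.5.10": {"name": "web-01", "approved": {("tcp", 22): "ssh", ("tcp", 443): "https"}},
    "10.0.5.20": {"name": "db-01", "approved": {("tcp", 22): "ssh", ("tcp", 5432): "postgresql"}},
}

# Constructed scan output in nmap's grepable (-oG) format; hosts and services are invented.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Tue Mar 12 09:00:00 2024 as: nmap -sS -oG - 10.0.5.0/24
Host: 10.0.5.10 (web-01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.5.20 (db-01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.5.30 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)
# Nmap done at Tue Mar 12 09:01:10 2024 -- 256 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>[^\t]*)")


def parse_grepable(text):
    """Return {ip: set of (protocol, port, service)} for open ports in nmap -oG output."""
    results = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = set()
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                open_ports.add((proto, int(port), service))
        results[m.group("ip")] = open_ports
    return results


def unauthorized_ports(scan, inventory=INVENTORY):
    """Compare open ports against the inventory; returns a list of alert strings.

    Two failure modes are reported: a port open on a known host without an approved
    entry, and a host that answers the scan but is not in the inventory at all."""
    alerts = []
    for ip, open_ports in sorted(scan.items()):
        asset = inventory.get(ip)
        if asset is None:
            alerts.append("%s: host not in asset inventory (open: %s)" % (
                ip, ", ".join("%s/%d" % (p, n) for p, n, _ in sorted(open_ports))))
            continue
        for proto, port, service in sorted(open_ports):
            if (proto, port) not in asset["approved"]:
                alerts.append("%s (%s): unauthorized %s/%d (%s)" % (
                    ip, asset["name"], proto, port, service))
    return alerts


if __name__ == "__main__":
    for alert in unauthorized_ports(parse_grepable(SAMPLE_SCAN)):
        print("ALERT", alert)
```

An unknown host responding to the scan is reported separately from an unexpected port on a known host, because the two call for different follow-up: the first is an inventory gap (Control 1), the second a service that should be disabled or approved.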
9.4 Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

10.1 Ensure that all system data is automatically backed up on a regular basis.

10.2 Ensure that each of the organization's key systems is backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.

10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

10.5 Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls.

11.1 Maintain standard, documented security configuration standards for all authorized network devices.

11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.

11.3 Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviations are discovered.

11.4 Install the latest stable version of any security-related updates on all network devices.

11.5 Manage all network devices using multi-factor authentication and encrypted sessions.

11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.

11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.

12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.

12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.

12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.

12.8 Enable the collection of NetFlow and logging data on all network boundary devices.

12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.

12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.

12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.

12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider.

13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

13.4 Only allow access to authorized cloud storage or email providers.

13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

13.6 Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices.

13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

14.1 Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).

14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.

14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as Private VLANs or microsegmentation.

14.4 Encrypt all sensitive information in transit.

14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider, and update the organization's sensitive information inventory.

14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.

14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.

14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Management).

15.1 Maintain an inventory of authorized wireless access points connected to the wired network.

15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.

15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.

15.4 Disable wireless access on devices that do not have a business purpose for wireless access.

15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.

15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.

15.9 Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is required for a business purpose.

15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
16.1 Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.

16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider.

16.4 Encrypt or hash with a salt all authentication credentials when stored.
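Added example for sub-control 16.4 (not part of the workbook or the CIS Controls text): salted, memory-hard password hashing with the scrypt function from Python's standard library, a constant-time verification, and a check that lets old hashes be upgraded when the work factor is raised. The cost parameters and the stored-string layout are assumptions chosen for the example; the point is that the salt is random per credential and that every parameter needed to verify travels with the hash.

```python
import base64
import hashlib
import hmac
import os

# Work-factor parameters are assumptions for this example; raise them as hardware allows.
# scrypt uses 128 * N * r bytes of memory per hash: 16 MiB with N=2**14, r=8.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32
SCHEME = "scrypt"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None):
    """Return a self-describing string 'scrypt$N$r$p$salt$key'.

    A fresh random salt per credential means two users with the same password get
    different hashes and a precomputed table cannot be reused across accounts."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join([SCHEME, str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), _b64(salt), _b64(key)])


def verify_password(password, stored):
    """Recompute with the parameters embedded in 'stored' and compare in constant time,
    so a wrong guess takes the same time whichever byte differs first."""
    scheme, n, r, p, salt_b64, key_b64 = stored.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported hash scheme: %s" % scheme)
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored):
    """True when the stored hash was made with a lower work factor than the current
    policy, so it can be re-hashed transparently the next time the user logs in."""
    _, n, r, p, _, _ = stored.split("$")
    return (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    h = hash_password("correct horse battery staple")
    print(h)
    print(verify_password("correct horse battery staple", h), verify_password("wrong", h))
```

Reversible encryption of stored credentials, which the sub-control also permits, only helps when the key is held outside the database that stores the ciphertext; a salted memory-hard hash has no key to protect, which is why it is the usual choice for passwords.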

16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

16.6 Maintain an inventory of all accounts organized by authentication system.

16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

16.8 Disable any account that cannot be associated with a business process or business owner.

16.9 Automatically disable dormant accounts after a set period of inactivity.

16.10 Ensure that all accounts have an expiration date that is monitored and enforced.

16.11 Automatically lock workstation sessions after a standard period of inactivity.

16.12 Monitor attempts to access deactivated accounts through audit logging.

16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location and duration.

17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.

17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards and business requirements.

17.5 Train workforce members on the importance of enabling and utilizing secure authentication.

17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.

17.7 Train the workforce on how to identify and properly store, transfer, archive and destroy sensitive information.

17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

17.9 Train employees to be able to identify the most common indicators of an incident and be able to report such an incident.

18.1 Establish secure coding practices appropriate to the programming language and development environment being used.

18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.

18.5 Use only standardized and extensively reviewed encryption algorithms.

18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

18.9 Maintain separate environments for production and nonproduction systems. Developers should not have unmonitored access to production environments.

18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

19.2 Assign job titles and duties for handling computer and network incidents to specific individuals and ensure tracking and documentation throughout the incident through resolution.

19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.

19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.

19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners.

19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.

19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.

19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.

20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.

20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation.

20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Risk Register (continued): impact, risk score, treatment and safeguard columns

Column headings and guidance:

Objectives Impact: What impact could this threat pose to our objectives? Use risk assessment criteria as guidance.
Obligations Impact: What impact could this threat pose to our obligations? Use risk assessment criteria as guidance.
Risk Score: Risk Score = Likelihood x Highest Impact Score. Acceptable risk < 9.
Risk Treatment Option: Will we accept, reduce, transfer, or avoid this risk?
Recommended Safeguard: What safeguard can we use to better implement the CIS Control?
Safeguard Risk Threat: What risk would this safeguard pose to the mission, objectives, or obligations?
Safeguard Likelihood: How foreseeable is it that this safeguard risk would occur and create an impact? Use risk assessment criteria as guidance.

Example rows (Objectives Impact | Obligations Impact | Risk Score | Risk Treatment Option | Recommended Safeguard | Safeguard Risk Threat | Safeguard Likelihood):

4 | 2 | 4 | Accept | (none) | (none) | (none)

4 | 2 | 4 | Accept | (none) | (none) | (none)

4 | 3 | 12 | Reduce | [CIS Control 12.11] Require all usage of SSH and all authentication on diary device controllers to use soft-certs stored on client devices as a second factor of authentication. | All attempts at accessing SSH services in diary device controllers will be blocked unless clients use soft-certs to access SSH sessions. Attackers may seize and re-use soft-certs during 8-hour long clinical visits and may attack controllers as a result. | 1
Column headings and guidance (safeguard risk):

Safeguard Mission Impact: What impact could this safeguard risk pose to our mission? Use risk assessment criteria as guidance.
Safeguard Objectives Impact: What impact could this safeguard risk pose to our objectives? Use risk assessment criteria as guidance.
Safeguard Obligations Impact: What impact could this safeguard risk pose to our obligations? Use risk assessment criteria as guidance.
Safeguard Risk Score: Safeguard Likelihood x Highest Safeguard Impact Score.

Example row for the risk treated with the CIS Control 12.11 safeguard (Safeguard Mission Impact | Safeguard Objectives Impact | Safeguard Obligations Impact | Safeguard Risk Score):

3 | 3 | 2 | 3
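Added example of the register's scoring rule (not part of the workbook itself): Python that computes Risk Score = Likelihood x Highest Impact Score, applies the workbook's "acceptable risk < 9" threshold to decide between Accept and the other treatment options, and scores a proposed safeguard's own risk the same way. The impact and safeguard figures in REGISTER are the example rows from the register; the likelihood values are assumptions chosen to reproduce the register's scores of 4 and 12, because the likelihood column is not shown in this part of the workbook.

```python
ACCEPTABLE_BELOW = 9  # workbook: acceptable risk score is less than 9


def risk_score(likelihood, impacts):
    """Risk Score = Likelihood x Highest Impact Score, as the register header defines it.

    'impacts' holds the scored impact per criterion (mission, objectives, obligations).
    Only the highest one counts, so a threat that hurts obligations a little but
    objectives a lot is scored on the objectives figure."""
    if not impacts:
        raise ValueError("at least one impact score is required")
    return likelihood * max(impacts.values())


def is_acceptable(score):
    return score < ACCEPTABLE_BELOW


def evaluate_risk(likelihood, impacts):
    """Return (score, suggested treatment): 'Accept' below the threshold; otherwise the
    risk must be reduced, transferred or avoided."""
    score = risk_score(likelihood, impacts)
    return score, ("Accept" if is_acceptable(score) else "Reduce / Transfer / Avoid")


def evaluate_safeguard(safeguard_likelihood, safeguard_impacts):
    """Score the safeguard's own risk the same way. A safeguard whose risk is itself at or
    above the threshold is not a reasonable treatment and needs rework."""
    score = risk_score(safeguard_likelihood, safeguard_impacts)
    return score, is_acceptable(score)


# Rows from the register above. Impacts and safeguard figures are the workbook's; the
# likelihoods (1, 1, 3) are assumptions that reproduce its scores of 4, 4 and 12.
REGISTER = [
    {"likelihood": 1, "impacts": {"objectives": 4, "obligations": 2}, "safeguard": None},
    {"likelihood": 1, "impacts": {"objectives": 4, "obligations": 2}, "safeguard": None},
    {"likelihood": 3, "impacts": {"objectives": 4, "obligations": 3},
     "safeguard": {"likelihood": 1, "impacts": {"mission": 3, "objectives": 3, "obligations": 2}}},
]


def evaluate_register(rows=REGISTER):
    """One summary per row: risk score, treatment, and the safeguard verdict where one is proposed."""
    out = []
    for row in rows:
        score, treatment = evaluate_risk(row["likelihood"], row["impacts"])
        entry = {"risk_score": score, "treatment": treatment}
        if row["safeguard"]:
            sg_score, ok = evaluate_safeguard(row["safeguard"]["likelihood"],
                                              row["safeguard"]["impacts"])
            entry["safeguard_risk_score"] = sg_score
            entry["safeguard_acceptable"] = ok
        out.append(entry)
    return out


if __name__ == "__main__":
    for i, entry in enumerate(evaluate_register(), 1):
        print(i, entry)
```

Because only the highest impact is multiplied, a risk with impacts of 4 and 2 scores the same as one with 4 and 4; the lower criterion never lowers the score, which is what keeps a risk to obligations from being averaged away by a small impact on objectives.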
Summary: The risks stated in this risk register were identified by evaluating how well the CIS Controls are applied to information assets at [Name of organization or scope of the assessment].

Date Completed: MM/DD/YYYY

Acceptable Risk Score is less than 9.

Column headings and guidance:

Risk #: Unique ID.
Attack Path Model: Which attack path model is associated with this risk?
Threat: What threats could compromise information assets as part of this attack model?

Example rows (Risk # | Attack Path Model | Threat), one row per information asset:

Example | Ransomware | Delivery: Hacker sends phishing email to selected personnel.

Example | Ransomware | Initial Compromise: Personnel open phishing email and trigger an install of the ransomware payload.

Example | Ransomware | Initial Compromise: Personnel open phishing email and trigger an install of the ransomware payload.

Example | Ransomware | Initial Compromise: Personnel open phishing email and trigger an install of the ransomware payload.

Example | Ransomware | Initial Compromise: Personnel open phishing email and trigger an install of the ransomware payload.

Example | Ransomware | Initial Compromise: Personnel open phishing email and trigger an install of the ransomware payload.

Example | Ransomware | Misuse/Escalate Privilege: Malware encrypts the local storage volume.

Example | Ransomware | Misuse/Escalate Privilege: Malware encrypts the local storage volume.

Example | Ransomware | Execute Mission Objectives: Hackers require payment for release of information back to us.


Column headings: Information Asset (information asset or asset class) | CIS Control | CIS Sub-Control (CIS Control Number)

Example rows:

Email server, SMTP gateway | Malware Defenses | 8.1
Email client | Malware Defenses | 8.1
End-user OS | Email and Web Browser Protections | 7.4
Personnel | Security Skills Assessment and Appropriate Training to Fill Gaps | 17.2
Proxy server | Email and Web Browser Protections | 7.4
Advanced malware appliance | Malware Defenses | 8.5
End-user OS | Malware Defenses | 8.1
Storage volume | Data Recovery Capabilities | 10.1
Cash or data | Incident Response and Management | 19.1

Template rows (CIS Control | CIS Sub-Controls), one register row per sub-control:

Inventory and Control of Hardware Assets | 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
Inventory and Control of Software Assets | 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
Continuous Vulnerability Management | 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
Controlled Use of Administrative Privileges | 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | 5.1, 5.2, 5.3, 5.4, 5.5
Maintenance, Monitoring and Analysis of Audit Logs | 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
Email and Web Browser Protections | 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
Malware Defenses | 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
Limitation and Control of Network Ports, Protocols, and Services | 9.1, 9.2, 9.3, 9.4, 9.5
Data Recovery Capabilities | 10.1, 10.2, 10.3, 10.4, 10.5
Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Boundary Defense | 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Data Protection | 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Controlled Access Based on the Need to Know | 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Wireless Access Control | 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Account Monitoring and Control | 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Implement a Security Awareness and Training Program | 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Application Software Security | 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Incident Response and Management | 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Penetration Tests and Red Team Exercises | 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Control Title CIS Control Description

Title Description

Utilize centrally managed anti-


malware software to
continuously monitor and
Utilize Centrally Managed Anti-malware Software
defend each of the
organization's workstations and
servers.

Utilize centrally managed anti-


malware software to
continuously monitor and
Utilize Centrally Managed Anti-malware Software
defend each of the
organization's workstations and
servers.

Enforce network-based URL


filters that limit a system's
ability to connect to websites
not approved by the
organization. This filtering shall
Maintain and Enforce Network-Based URL Filters
be enforced for each of the
organization's systems,
whether they are physically at
an organization's facilities or
not.
Deliver training to address the
skills gap identified to positively
Deliver Training to Fill the Skills Gap
impact workforce members'
security behavior.

Centrally managed anti-malware
Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

Ensure Regular Automated Back Ups
Ensure that all system data is automatically backed up on a regular basis.

Document Incident Response Procedures
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

Utilize an Active Discovery Tool
Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

Use a Passive Asset Discovery Tool
Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

Use DHCP Logging to Update Asset Inventory
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

Maintain Detailed Asset Inventory
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.

Maintain Asset Inventory Information
Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

Address Unauthorized Assets
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
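Worked example, added here and not part of the CIS RAM or CIS Controls text: the DHCP-logging and unauthorized-asset controls above reduce to one reconciliation loop, which the Python below runs against constructed input. It assumes ISC dhcpd-style syslog lines and an inventory keyed by hardware (MAC) address; the lease lines, addresses, owners and departments are made up for the example. Every granted lease is matched to the inventory: approved assets have their network address and machine name refreshed, known-but-unapproved assets are reported for quarantine, and unknown MACs are reported as unauthorized so they can be removed, quarantined or inventoried.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed sample lines in the style of ISC dhcpd syslog output (assumption:
# not taken from a real server). Only DHCPACK lines record a granted lease.
SAMPLE_DHCP_LOG = """\
Jun  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:dd:ee:01 (laptop-01) via eth0
Jun  3 09:12:09 dhcp1 dhcpd: DHCPACK on 10.0.1.57 to aa:bb:cc:dd:ee:02 (printer-2f) via eth0
Jun  3 09:13:44 dhcp1 dhcpd: DHCPACK on 10.0.1.88 to de:ad:be:ef:00:99 via eth0
Jun  3 09:14:02 dhcp1 dhcpd: DHCPREQUEST for 10.0.1.23 from aa:bb:cc:dd:ee:01 (laptop-01) via eth0
Jun  3 09:15:30 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:dd:ee:01 (laptop-01) via eth0
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Asset:
    """One hardware-inventory row carrying the fields the control asks for."""
    mac: str
    owner: str
    department: str
    approved: bool                  # approved to connect to the network?
    ip: Optional[str] = None        # network address, filled from DHCP
    hostname: Optional[str] = None  # machine name, filled from DHCP


# Constructed inventory keyed by hardware address (assumption).
INVENTORY: Dict[str, Asset] = {
    "aa:bb:cc:dd:ee:01": Asset("aa:bb:cc:dd:ee:01", "j.doe", "Finance", approved=True),
    "aa:bb:cc:dd:ee:02": Asset("aa:bb:cc:dd:ee:02", "facilities", "Facilities", approved=False),
}


def parse_dhcp_acks(log_text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each MAC to its most recent (ip, hostname) lease seen in DHCPACK lines."""
    leases: Dict[str, Tuple[str, Optional[str]]] = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = (m["ip"], m["host"])
    return leases


def reconcile(inventory: Dict[str, Asset], leases):
    """Return (updated_inventory, report) without mutating the input inventory.

    - known and approved   -> address and name refreshed in the inventory
    - known, not approved  -> refreshed, but reported for quarantine
    - unknown MAC          -> reported as unauthorized (remove, quarantine or inventory it)
    """
    updated = dict(inventory)
    report = {"updated": [], "quarantine": [], "unauthorized": []}
    for mac, (ip, host) in leases.items():
        asset = inventory.get(mac)
        if asset is None:
            report["unauthorized"].append({"mac": mac, "ip": ip, "hostname": host})
            continue
        updated[mac] = replace(asset, ip=ip, hostname=host)
        bucket = "updated" if asset.approved else "quarantine"
        report[bucket].append(mac)
    return updated, report


if __name__ == "__main__":
    inv, rep = reconcile(INVENTORY, parse_dhcp_acks(SAMPLE_DHCP_LOG))
    for bucket, items in rep.items():
        print(bucket, items)
```

The same loop works for active or passive discovery output once it is reduced to (MAC, IP, hostname) triples; the point is that the inventory's approved flag, not the fact of a lease, decides whether a device belongs on the network.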

Deploy Port Level Access Control
Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

Utilize Client Certificates to Authenticate Hardware Assets
Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Maintain Inventory of Authorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

Ensure Software is Supported by Vendor
Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

Utilize Software Inventory Tools
Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

Track Software Inventory Information
The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

Integrate Software and Hardware Asset Inventories
The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

Address Unapproved Software
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

Utilize Application Whitelisting
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

Implement Application Whitelisting of Libraries
The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

Implement Application Whitelisting of Scripts
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

Physically or Logically Segregate High Risk Applications
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Run Automated Vulnerability Scanning Tools
Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

Perform Authenticated Vulnerability Scanning
Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

Protect Dedicated Assessment Accounts
Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy Automated Operating System Patch Management Tools
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

Deploy Automated Software Patch Management Tools
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

Compare Back-to-back Vulnerability Scans
Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

Utilize a Risk-rating Process
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
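Worked example, added here and not part of the CIS RAM or CIS Controls text, for the two controls above taken together: a back-to-back scan comparison that also applies a risk-rating to decide which persistent findings are overdue. The scan results, host addresses and finding identifiers (F-101 and so on) are constructed placeholders rather than real CVE or scanner plugin IDs, and the per-severity remediation deadlines in SLA_DAYS are assumed organization-specific values, not figures from CIS RAM. The comparison keys findings on (host, finding id), carries the first-seen date forward between scans so that age can be measured, and orders what remains by severity and then age.

```python
from datetime import date
from typing import Dict, Tuple

# Remediation deadline per severity, in days. These are assumed organization-specific
# values produced by the risk-rating process, not figures from CIS RAM.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# A finding is keyed by (host, finding id). Finding ids here are constructed
# placeholders, not real CVE or scanner plugin identifiers.
Finding = Tuple[str, str]

# Constructed results of the earlier scan, with the date each finding was first seen.
PREVIOUS_SCAN: Dict[Finding, dict] = {
    ("10.0.1.23", "F-101"): {"severity": "critical", "first_seen": date(2018, 5, 1)},
    ("10.0.1.23", "F-102"): {"severity": "medium", "first_seen": date(2018, 5, 1)},
    ("10.0.1.57", "F-103"): {"severity": "high", "first_seen": date(2018, 4, 20)},
}
# Constructed results of the most recent scan (no history attached yet).
CURRENT_SCAN: Dict[Finding, dict] = {
    ("10.0.1.23", "F-102"): {"severity": "medium"},
    ("10.0.1.57", "F-103"): {"severity": "high"},
    ("10.0.1.88", "F-104"): {"severity": "critical"},
}


def compare_scans(previous, current, today: date) -> dict:
    """Classify findings as remediated, new or persistent, and flag persistent
    findings whose age exceeds the SLA for their severity."""
    remediated = sorted(set(previous) - set(current))
    new = sorted(set(current) - set(previous))
    persistent = sorted(set(previous) & set(current))
    overdue = []
    for key in persistent:
        severity = current[key]["severity"]
        age_days = (today - previous[key]["first_seen"]).days
        if age_days > SLA_DAYS[severity]:
            overdue.append((key, age_days))
    return {"remediated": remediated, "new": new,
            "persistent": persistent, "overdue": overdue}


def next_baseline(previous, current, today: date):
    """Carry first_seen forward for persistent findings and stamp new ones with
    today; remediated findings drop out. The next comparison runs against this."""
    baseline = {}
    for key, data in current.items():
        first_seen = previous.get(key, {}).get("first_seen", today)
        baseline[key] = {"severity": data["severity"], "first_seen": first_seen}
    return baseline


def prioritize(baseline, today: date):
    """Order open findings by severity, then by how long they have been open."""
    return sorted(baseline,
                  key=lambda k: (SEVERITY_RANK[baseline[k]["severity"]],
                                 -(today - baseline[k]["first_seen"]).days))


if __name__ == "__main__":
    today = date(2018, 6, 4)
    print(compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, today))
    print(prioritize(next_baseline(PREVIOUS_SCAN, CURRENT_SCAN, today), today))
```

Keying on host plus finding rather than on the raw scanner row is what makes "remediated" meaningful: a finding that disappears because the host was simply offline during the second scan would otherwise look fixed, so in practice the host list of the two scans should be compared first.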
Maintain Inventory of Administrative Accounts
Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

Change Default Passwords
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

Use Unique Passwords
Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

Use Multifactor Authentication For All Administrative Access
Use multi-factor authentication and encrypted channels for all administrative account access.

Use of Dedicated Machines For All Administrative Tasks
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.

Limit Access to Script Tools
Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.

Log and Alert on Changes to Administrative Group Membership
Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

Log and Alert on Unsuccessful Administrative Account Login
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
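Worked example, added here and not part of the CIS RAM or CIS Controls text, covering the two alerting controls above in one detection pass. The event records are constructed dictionaries modelled on Windows Security log fields (event IDs 4728/4732 for a member added to a global/local group, 4729/4733 for a member removed, 4625 for a failed logon); the account names, group names and addresses are made up, and which groups and accounts count as administrative is an assumption set in ADMIN_GROUPS and ADMIN_ACCOUNTS. Every change to an administrative group alerts, every failed logon to an administrative account alerts, and a trailing window additionally marks bursts of failures so that a password-guessing run stands out from a single typo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Groups whose membership changes must always alert, and the accounts treated as
# administrative for failed-logon alerting (assumed values).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-backup"}

# Windows Security event IDs: 4728/4732 member added (global/local group),
# 4729/4733 member removed, 4625 failed logon.
GROUP_CHANGE = {4728: "added to", 4732: "added to", 4729: "removed from", 4733: "removed from"}
FAILED_LOGON = 4625

# Constructed records modelled on Windows Security log fields (not real logs).
EVENTS = [
    {"time": "2018-06-04T08:00:05", "id": 4728, "subject": "adm-jdoe", "member": "svc-web", "group": "Domain Admins"},
    {"time": "2018-06-04T08:01:10", "id": 4732, "subject": "adm-jdoe", "member": "t.smith", "group": "Remote Desktop Users"},
    {"time": "2018-06-04T08:05:00", "id": 4625, "target": "adm-backup", "source_ip": "10.0.1.88"},
    {"time": "2018-06-04T08:05:20", "id": 4625, "target": "adm-backup", "source_ip": "10.0.1.88"},
    {"time": "2018-06-04T08:05:40", "id": 4625, "target": "adm-backup", "source_ip": "10.0.1.88"},
    {"time": "2018-06-04T09:30:00", "id": 4625, "target": "t.smith", "source_ip": "10.0.1.23"},
    {"time": "2018-06-04T10:00:00", "id": 4729, "subject": "adm-jdoe", "member": "svc-web", "group": "Domain Admins"},
]


def detect_group_changes(events):
    """Alert on every add or remove that touches an administrative group."""
    alerts = []
    for e in events:
        action = GROUP_CHANGE.get(e["id"])
        if action and e["group"] in ADMIN_GROUPS:
            alerts.append({"time": e["time"], "member": e["member"], "action": action,
                           "group": e["group"], "by": e["subject"]})
    return alerts


def detect_failed_admin_logons(events, threshold=3, window=timedelta(minutes=5)):
    """Alert on every failed logon to an administrative account; also mark a
    burst when `threshold` or more failures fall inside the trailing window."""
    alerts = []
    recent = defaultdict(deque)  # account -> timestamps still inside the window
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] != FAILED_LOGON or e["target"] not in ADMIN_ACCOUNTS:
            continue
        ts = datetime.fromisoformat(e["time"])
        q = recent[e["target"]]
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        alerts.append({"time": e["time"], "account": e["target"], "source_ip": e["source_ip"],
                       "count_in_window": len(q), "burst": len(q) >= threshold})
    return alerts


if __name__ == "__main__":
    for alert in detect_group_changes(EVENTS) + detect_failed_admin_logons(EVENTS):
        print(alert)
```

The group-change rule deliberately has no threshold: one unexpected addition to Domain Admins is the whole incident, and the removal a few hours later is the attacker cleaning up, so both must reach a human.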
Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.

Maintain Secure Images
Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

Securely Store Master Images
Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

Deploy System Configuration Management Tools
Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

Implement Automated Configuration Monitoring Systems
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Utilize Three Synchronized Time Sources
Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

Activate Audit Logging
Ensure that local logging has been enabled on all systems and networking devices.

Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

Ensure Adequate Storage for Logs
Ensure that all systems that store logs have adequate storage space for the logs generated.

Central Log Management
Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

Deploy SIEM or Log Analytic Tool
Deploy a Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.

Regularly Review Logs
On a regular basis, review logs to identify anomalies or abnormal events.

Regularly Tune SIEM
On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

Ensure Use of Only Fully Supported Browsers and Email Clients
Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

Disable Unnecessary or Unauthorized Browser or Email Client Plugins
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Limit Use of Scripting Languages in Web Browsers and Email Clients
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Maintain and Enforce Network-Based URL Filters
Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

Subscribe to URL-Categorization Service
Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

Log All URL Requests
Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

Use of DNS Filtering Services
Use DNS filtering services to help block access to known malicious domains.

Implement DMARC and Enable Receiver-Side Verification
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
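Worked example, added here and not part of the CIS RAM or CIS Controls text: a check that a sending domain has actually completed the SPF, DKIM and DMARC steps the control describes. The DNS TXT answers are constructed and served from a dictionary standing in for a resolver (the domains, the 203.0.113.0/24 documentation range and the truncated DKIM key are illustrative; swap lookup_txt for a real DNS query to use it). The check reads the SPF record's final "all" mechanism, parses the DMARC record's tags to confirm an enforcing policy and a reporting address, and confirms each DKIM selector publishes a public key, returning an empty list when all three are in order.

```python
from typing import Callable, Dict, List

# Constructed DNS TXT answers standing in for a live resolver (assumption: the
# domains and keys below are illustrative; 203.0.113.0/24 is a documentation range).
DNS_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; pct=100"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A(truncated)"],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}


def lookup_txt(name: str) -> List[str]:
    """Resolver stand-in; replace with a real DNS TXT query in production."""
    return DNS_TXT.get(name.lower(), [])


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC/DKIM syntax) into lowercase-keyed tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, dkim_selectors: List[str],
                  lookup: Callable[[str], List[str]] = lookup_txt) -> List[str]:
    """Return findings; an empty list means SPF, DMARC and DKIM all check out."""
    findings = []

    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record")
    elif len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers treat this as an error)")
    else:
        last = spf[0].split()[-1].lower()
        if last == "~all":
            findings.append("SPF: softfail (~all); move to -all once all senders are listed")
        elif last != "-all":
            findings.append(f"SPF: permissive or missing 'all' mechanism ({last})")

    dmarc = [r for r in lookup(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record at _dmarc." + domain)
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy p={tags.get('p')} does not enforce")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")

    for selector in dkim_selectors:
        records = lookup(f"{selector}._domainkey.{domain}")
        tags = parse_tags(records[0]) if records else {}
        if not tags.get("p"):
            findings.append(f"DKIM: selector '{selector}' missing or has no public key")

    return findings


if __name__ == "__main__":
    for d in ("example.com", "weak.example"):
        print(d, assess_domain(d, ["s1"]) or "OK")
```

The receiver-side half of the control is the mirror image: the mail gateway must be configured to evaluate incoming mail against the sender's published SPF and DMARC records rather than only publishing the organization's own.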
Block Unnecessary File Types
Block all e-mail attachments entering the organization's e-mail gateway if the file types are unnecessary for the organization's business.

Sandbox All Email Attachments
Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Utilize Centrally Managed Anti-malware Software
Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

Ensure Anti-Malware Software and Signatures are Updated
Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.

Enable Operating System Anti-Exploitation Features / Deploy Anti-Exploit Technologies
Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

Configure Anti-Malware Scanning of Removable Devices
Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

Configure Devices Not To Auto-run Content
Configure devices to not auto-run content from removable media.

Centralize Anti-malware Logging
Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

Enable DNS Query Logging
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.

Enable Command-line Audit Logging
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Associate Active Ports, Services and Protocols to Asset Inventory
Associate active ports, services and protocols to the hardware assets in the asset inventory.

Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

Perform Regular Automated Port Scans
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

Apply Host-based Firewalls or Port Filtering
Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Implement Application Firewalls
Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Ensure Regular Automated Back Ups
Ensure that all system data is automatically backed up on a regular basis.

Perform Complete System Backups
Ensure that each of the organization's key systems is backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.

Test Data on Backup Media
Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

Ensure Protection of Backups
Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

Ensure Backups Have At Least One Non-Continuously Addressable Destination
Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls.

Maintain Standard Security Configurations for Network Devices
Maintain standard, documented security configuration standards for all authorized network devices.

Document Traffic Configuration Rules
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.

Use Automated Tools to Verify Standard Device Configurations and Detect Changes
Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviations are discovered.

Install the Latest Stable Version of Any Security-related Updates on All Network Devices
Install the latest stable version of any security-related updates on all network devices.

Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
Manage all network devices using multi-factor authentication and encrypted sessions.

Use Dedicated Machines For All Network Administrative Tasks
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.

Manage Network Infrastructure Through a Dedicated Network
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

Maintain an Inventory of Network Boundaries
Maintain an up-to-date inventory of all of the organization's network boundaries.

Scan for Unauthorized Connections across Trusted Network Boundaries
Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

Deny Communications with Known Malicious IP Addresses
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny Communication over Unauthorized Ports
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

Configure Monitoring Systems to Record Network Packets
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.

Deploy Network-based IDS Sensor
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.

Deploy Network-Based Intrusion Prevention Systems
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.

Deploy NetFlow Collection on Networking Boundary Devices
Enable the collection of NetFlow and logging data on all network boundary devices.

Deploy Application Layer Filtering Proxy Server
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.

Decrypt Network Traffic at Proxy
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.

Require All Remote Login to Use Multi-factor Authentication
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.

Manage All Devices Remotely Logging into Internal Network
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

Maintain an Inventory of Sensitive Information
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider.

Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

Monitor and Block Unauthorized Network Traffic
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

Only Allow Access to Authorized Cloud Storage or Email Providers
Only allow access to authorized cloud storage or email providers.

Monitor and Detect Any Unauthorized Use of Encryption
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Encrypt the Hard Drive of All Mobile Devices
Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices.

Manage USB Devices
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

Manage System's External Removable Media's Read/Write Configurations
Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

Encrypt Data on USB Storage Devices
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Segment the Network Based on Sensitivity
Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).

Enable Firewall Filtering Between VLANs
Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.

Disable Workstation to Workstation Communication
Disable all workstation to workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as Private VLANs or microsegmentation.

Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.

Utilize an Active Discovery Tool to Identify Sensitive Data
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider, and update the organization's sensitive information inventory.

Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.

Encrypt Sensitive Information at Rest
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.

Enforce Detail Logging for Access or Changes to Sensitive Data
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Management).

Maintain an Inventory of Authorized Wireless Access Points
Maintain an inventory of authorized wireless access points connected to the wired network.

Detect Wireless Access Points Connected to the Wired Network
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.

Use a Wireless Intrusion Detection System
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.

Disable Wireless Access on Devices if Not Required
Disable wireless access on devices that do not have a business purpose for wireless access.

Limit Wireless Access on Client Devices
Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable Peer-to-peer Wireless Network Capabilities on Wireless Clients
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
Ensure that wireless networks use authentication protocols, such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), that require mutual, multi-factor authentication.

Disable Wireless Peripheral Access of Devices
Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is required for a business purpose.

Create Separate Wireless Network for Personal and Untrusted Devices
Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

Maintain an Inventory of Authentication Systems
Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.

Configure Centralized Point of Authentication
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

Require Multi-factor Authentication
Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider.

Encrypt or Hash all Authentication Credentials
Encrypt or hash with a salt all authentication credentials when stored.

Encrypt Transmittal of Username and Authentication Credentials
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

Maintain an Inventory of Accounts
Maintain an inventory of all accounts organized by authentication system.

Establish Process for Revoking Access
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable Any Unassociated Accounts
Disable any account that cannot be associated with a business process or business owner.

Disable Dormant Accounts
Automatically disable dormant accounts after a set period of inactivity.

Ensure All Accounts Have An Expiration Date
Ensure that all accounts have an expiration date that is monitored and enforced.

Lock Workstation Sessions After Inactivity
Automatically lock workstation sessions after a standard period of inactivity.

Monitor Attempts to Access Deactivated Accounts
Monitor attempts to access deactivated accounts through audit logging.

Alert on Account Login Behavior Deviation
Alert when users deviate from normal login behavior, such as time-of-day, workstation location and duration.
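Worked example, added here and not part of the CIS RAM or CIS Controls text: the three deviations the control names (time-of-day, workstation location, duration) turned into a per-user baseline and a scoring pass. The logon history and the new logons are constructed tuples of (user, ISO timestamp, workstation, session minutes); the one-hour tolerance on the observed hour window and the 2x factor on session length are assumed thresholds. Each deviating logon is returned with every reason that applied, and an account with no history at all is flagged rather than silently passed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed successful-logon history used to build each user's baseline
# (user, ISO timestamp, workstation, session minutes); not real records.
HISTORY = [
    ("j.doe", "2018-05-07T08:55:00", "WS-FIN-01", 520),
    ("j.doe", "2018-05-08T09:05:00", "WS-FIN-01", 500),
    ("j.doe", "2018-05-09T08:40:00", "WS-FIN-02", 540),
    ("j.doe", "2018-05-10T09:10:00", "WS-FIN-01", 495),
]

# Constructed new logons to score against the baseline.
NEW_LOGONS = [
    ("j.doe", "2018-06-04T09:02:00", "WS-FIN-01", 510),    # within baseline
    ("j.doe", "2018-06-04T23:40:00", "WS-FIN-01", 45),     # time-of-day deviation
    ("j.doe", "2018-06-05T10:00:00", "WS-HR-07", 480),     # unknown workstation
    ("j.doe", "2018-06-06T09:00:00", "WS-FIN-02", 1900),   # abnormally long session
    ("t.smith", "2018-06-06T09:00:00", "WS-OPS-03", 400),  # no history at all
]


def build_baseline(history, tolerance_hours=1):
    """Per user: permitted hour window (observed range widened by a tolerance),
    the set of workstations seen, and the longest observed session."""
    by_user = defaultdict(list)
    for user, ts, workstation, minutes in history:
        by_user[user].append((datetime.fromisoformat(ts).hour, workstation, minutes))
    baseline = {}
    for user, rows in by_user.items():
        hours = [h for h, _, _ in rows]
        baseline[user] = {
            "hour_min": max(0, min(hours) - tolerance_hours),
            "hour_max": min(23, max(hours) + tolerance_hours),
            "workstations": {w for _, w, _ in rows},
            "max_minutes": max(m for _, _, m in rows),
        }
    return baseline


def detect_deviations(baseline, logons, duration_factor=2.0):
    """Return (user, timestamp, reasons) for every logon that leaves the baseline."""
    alerts = []
    for user, ts, workstation, minutes in logons:
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, ts, ["no baseline for this account"]))
            continue
        reasons = []
        hour = datetime.fromisoformat(ts).hour
        if not profile["hour_min"] <= hour <= profile["hour_max"]:
            reasons.append(f"time-of-day {hour:02d}:00 outside "
                           f"{profile['hour_min']:02d}-{profile['hour_max']:02d}")
        if workstation not in profile["workstations"]:
            reasons.append(f"unknown workstation {workstation}")
        if minutes > profile["max_minutes"] * duration_factor:
            reasons.append(f"session of {minutes} min exceeds "
                           f"{duration_factor}x baseline max {profile['max_minutes']}")
        if reasons:
            alerts.append((user, ts, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect_deviations(build_baseline(HISTORY), NEW_LOGONS):
        print(alert)
```

The baseline here is rebuilt from a fixed history window; in a SIEM the same profile would be refreshed on a rolling basis, with logons that were themselves alerted on excluded from the history so an attacker cannot train the baseline toward their own pattern.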
Perform a Skills Gap Analysis
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

Deliver Training to Fill the Skills Gap
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.

Implement a Security Awareness Program
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

Update Awareness Content Frequently
Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards and business requirements.

Train Workforce on Secure Authentication
Train workforce members on the importance of enabling and utilizing secure authentication.

Train Workforce on Identifying Social Engineering Attacks
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.

Train Workforce on Sensitive Data Handling
Train workforce on how to identify and properly store, transfer, archive and destroy sensitive information.

Train Workforce on Causes of Unintentional Data Exposure
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

Train Workforce Members on Identifying and Reporting Incidents
Train employees to be able to identify the most common indicators of an incident and be able to report such an incident.

Establish Secure Coding Practices
Establish secure coding practices appropriate to the programming language and development environment being used.

Ensure Explicit Error Checking is Performed for All In-house Developed Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
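Worked example, added here and not part of the CIS RAM or CIS Controls text: explicit input checking for size, data type, range and format in the order the control lists them, on a constructed request type (a funds-transfer form whose field names and bounds are illustrative assumptions). Size and type are checked before a value is interpreted at all, unexpected fields are rejected, numeric fields are parsed with Decimal so that "1e99" and "NaN" are caught by the range check rather than silently accepted, and the function returns a cleaned record only when every check passed, so a caller cannot proceed with partially validated input.

```python
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional, Tuple

# Limits and formats for one constructed request type (a funds-transfer form);
# the field names and bounds are illustrative assumptions.
ALLOWED_FIELDS = {"username", "email", "amount", "account_id", "memo"}
MAX_FIELD_LEN = 256
MAX_AMOUNT = Decimal("10000.00")
USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{2,31}")
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}")
ACCOUNT_RE = re.compile(r"[0-9]{1,9}")


def _text(raw: dict, name: str, errors: Dict[str, str], required=True) -> Optional[str]:
    """Size and type checks come first: a value is only interpreted after it is
    known to be a string of bounded length."""
    value = raw.get(name)
    if value is None:
        if required:
            errors[name] = "missing"
        return None
    if not isinstance(value, str):
        errors[name] = "wrong type"
        return None
    if len(value) > MAX_FIELD_LEN:
        errors[name] = "too long"
        return None
    return value


def validate_transfer(raw: dict) -> Tuple[Optional[dict], Dict[str, str]]:
    """Return (cleaned, errors). cleaned is None unless every check passed."""
    errors: Dict[str, str] = {}
    cleaned: dict = {}

    for extra in sorted(set(raw) - ALLOWED_FIELDS):  # reject unexpected keys
        errors[extra] = "unexpected field"

    username = _text(raw, "username", errors)
    if username is not None:
        if USERNAME_RE.fullmatch(username):
            cleaned["username"] = username
        else:
            errors["username"] = "invalid format"

    email = _text(raw, "email", errors)
    if email is not None:
        if EMAIL_RE.fullmatch(email):
            cleaned["email"] = email
        else:
            errors["email"] = "invalid format"

    amount = _text(raw, "amount", errors)
    if amount is not None:
        try:
            value = Decimal(amount)
        except InvalidOperation:
            errors["amount"] = "not a number"
        else:
            if not value.is_finite() or value <= 0 or value > MAX_AMOUNT:
                errors["amount"] = "out of range"
            elif value.as_tuple().exponent < -2:
                errors["amount"] = "too many decimal places"
            else:
                cleaned["amount"] = value

    account = _text(raw, "account_id", errors)
    if account is not None:
        if ACCOUNT_RE.fullmatch(account) and int(account) >= 1:
            cleaned["account_id"] = int(account)
        else:
            errors["account_id"] = "out of range"

    memo = _text(raw, "memo", errors, required=False)
    if memo is not None:
        if len(memo) <= 140 and memo.isprintable():
            cleaned["memo"] = memo
        else:
            errors["memo"] = "invalid characters or too long"

    return (cleaned if not errors else None), errors


if __name__ == "__main__":
    print(validate_transfer({"username": "j.doe", "email": "j.doe@example.com",
                             "amount": "250.00", "account_id": "123456"}))
    print(validate_transfer({"username": "J Doe!", "amount": "1e99", "role": "admin"}))
```

Returning a dictionary of per-field errors rather than raising on the first failure is what makes the "documented" half of the control cheap: the same table of field, check and error string is the specification, the test fixture and the log line.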

Verify That Acquired Software is Still Supported
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

Only Use Up-to-date And Trusted Third-Party Components
Only use up-to-date and trusted third-party components for the software developed by the organization.

Use Only Standardized and Extensively Reviewed Encryption Algorithms
Use only standardized and extensively reviewed encryption algorithms.

Ensure Software Development Personnel are Trained in Secure Coding
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

Apply Static and Dynamic Code Analysis Tools
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

Establish a Process to Accept and Address Reports of Software Vulnerabilities
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

Separate Production and Non-Production Systems
Maintain separate environments for production and nonproduction systems. Developers should not have unmonitored access to production environments.

Deploy Web Application Firewalls (WAFs)
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

Use Standard Hardening Configuration Templates for Databases
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Document Incident Response Procedures
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

Assign Job Titles and Duties for Incident Response
Assign job titles and duties for handling computer and network incidents to specific individuals and ensure tracking and documentation throughout the incident through resolution.

Designate Management Personnel to Support Incident Handling
Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.

Devise Organization-wide Standards for Reporting Incidents
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.

Maintain Contact Information For Reporting Security Incidents
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners.

Publish Information Regarding Reporting Computer Anomalies and Incidents
Publish information for all workforce members, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.

Plan and conduct routine incident response exercises
and scenarios for the workforce
involved in the incident
response to maintain
awareness and comfort in
Conduct Periodic Incident Scenario Sessions for
responding to real world
Personnel
threats. Exercises should test
communication channels,
decision making, and incident
responders technical
capabilities using tools and
data available to them.
Create incident scoring and
prioritization schema based on
known or potential impact to
Create Incident Scoring and Prioritization Schema your organization. Utilize score
to define frequency of status
updates and escalation
procedures.

Establish a program for


penetration tests that includes
Establish a Penetration Testing Program a full scope of blended attacks,
such as wireless, client-based,
and web application attacks.

Conduct regular external and


internal penetration tests to
Conduct Regular External and Internal Penetration identify vulnerabilities and
Tests attack vectors that can be used
to exploit enterprise systems
successfully.

Perform periodic Red Team


exercises to test organizational
Perform Periodic Red Team Exercises readiness to identify and stop
attacks or to respond quickly
and effectively.

Include tests for the presence


of unprotected system
information and artifacts that
would be useful to attackers,
Include Tests for Presence of Unprotected System including network diagrams,
Information and Artifacts configuration files, older
penetration test reports, e-
mails or documents containing
passwords or other information
critical to system operation.

Create a test bed that mimics a


production environment for
specific penetration tests and
Red Team attacks against
Create Test Bed for Elements Not Typically Tested
elements that are not typically
in Production
tested in production, such as
attacks against supervisory
control and data acquisition
and other control systems.
Use vulnerability scanning and
penetration testing tools in
concert. The results of
Use Vulnerability Scanning and Penetration Testing vulnerability scanning
Tools in Concert assessments should be used
as a starting point to guide and
focus penetration testing
efforts.

Wherever possible, ensure that


Red Teams results are
documented using open,
Ensure Results from Penetration Test are machine-readable standards
Documented Using Open, Machine-readable (e.g., SCAP). Devise a scoring
Standards method for determining the
results of Red Team exercises
so that results can be
compared over time.

Any user or system accounts


used to perform penetration
testing should be controlled
Control and Monitor Accounts Associated with and monitored to make sure
Penetration Testing they are only being used for
legitimate purposes, and are
removed or restored to normal
function after testing is over.
Risk Register (example rows)

Column guidance from the sheet:
Current Control: How the control is currently implemented.
Vulnerability: What vulnerabilities are present, given the way the CIS Control is implemented.
Threat Likelihood: How foreseeable is it that this threat would occur and create an impact? Use risk assessment criteria as guidance.
Mission Impact, Objectives Impact, Obligations Impact: What impact could this threat pose to our mission, objectives, or obligations? Use risk assessment criteria as guidance.
Risk Score: Risk = Likelihood x Highest Impact Score. Acceptable risk < 6.

Row 1
Current Control: Advanced malware detection and prevention operates within the SMTP gateway. It detects and quarantines attachments and hyperlinks associated with malicious files and suspicious or blocked URLs.
Vulnerability: End-users may be victims of phishing over personal email services that they can access from offices and on work computers.
Threat Likelihood: 2
Mission Impact: 3; Objectives Impact: 4; Obligations Impact: 4
Risk Score: 8

Row 2
Current Control: Signature-based anti-virus on each desktop. Filtering of suspicious web URLs using a dictionary that is updated monthly.
Vulnerability: Advanced malware prevention is not included in endpoint protection applications on end-user workstations (other than URL filtering). End-users may be victims of phishing over personal email services that they can access from offices and on work computers.
Threat Likelihood: 3
Mission Impact: 3; Objectives Impact: 4; Obligations Impact: 4
Risk Score: 12

Row 3
Current Control: All Internet traffic for systems within corporate LANs and DMZ have URLs filtered against a subscription service that blocks sessions with known-bad hosts, and blocks URLs not categorized as safe by that service.
Vulnerability: Laptops and mobile devices bypass the proxy server when used outside of the LAN. Ransomware may attack systems when they are out of the office LAN.
Threat Likelihood: 3
Mission Impact: 3; Objectives Impact: 4; Obligations Impact: 4
Risk Score: 12

Row 4
Current Control: Personnel have been trained to be careful not to respond to phishing emails, or to click on content provided in emails if those messages are sent outside of normal process.
Vulnerability: Social engineering tests show that personnel are still susceptible to being fooled into acting on content presented in phishing emails. Personnel who access email outside of the LAN may respond to phishing messages.
Threat Likelihood: 4
Mission Impact: 3; Objectives Impact: 4; Obligations Impact: 4
Risk Score: 16

Row 5
Current Control: All Internet traffic for systems within corporate LANs and DMZ have URLs filtered against a subscription service that blocks sessions with known-bad hosts, and blocks URLs not categorized as safe by that service.
Vulnerability: Laptops and mobile devices bypass the proxy server when used outside of the LAN. Ransomware may attack systems when they are out of the office LAN.
Threat Likelihood: 3
Mission Impact: 3; Objectives Impact: 2; Obligations Impact: 2
Risk Score: 9

Row 6
Current Control: Signature-based anti-virus on each desktop. Anti-virus filters suspicious web URLs using a dictionary that is updated monthly.
Vulnerability: Advanced malware prevention is not included in endpoint protection applications on end-user workstations (other than URL filtering). End-users may be victims of phishing over personal email services that they can access from offices and on work computers.
Threat Likelihood: 3
Mission Impact: 3; Objectives Impact: 4; Obligations Impact: 4
Risk Score: 12

Row 7
Current Control: Signature-based anti-virus on each desktop. Anti-virus filters suspicious web URLs using a dictionary that is updated monthly.
Vulnerability: Advanced malware prevention is not included in endpoint protection applications on end-user workstations (other than URL filtering). End-users may be victims of phishing over personal email services that they can access from offices and on work computers.
Threat Likelihood: 3
Mission Impact: 3; Objectives Impact: 4; Obligations Impact: 4
Risk Score: 12

Row 8
Current Control: Policy requires users to store data on server-based file servers.
Vulnerability: Data and files on end-user systems are not automatically backed up, nor centrally backed up. Personnel do not adhere to policy requiring use of file servers to store user data. Encrypted information may be irrecoverable.
Threat Likelihood: 3
Mission Impact: 3; Objectives Impact: 4; Obligations Impact: 4
Risk Score: 12

Row 9
Current Control: We use an incident response plan that guides us through live attacks, and response to confidentiality breaches.
Vulnerability: The incident response plan does not guide us through response to processing ransom.
Threat Likelihood: 3
Mission Impact: 3; Objectives Impact: 4; Obligations Impact: 4
Risk Score: 12

Risk Treatment (one entry per register row above)

Column guidance from the sheet:
Risk Treatment Option: Will we accept, reduce, transfer, or avoid this risk?
Recommended Safeguard: What safeguard can we use to better implement the CIS Control?
Safeguard Risk: What risk would this recommended control pose to the mission, objectives, or obligations?
Safeguard Threat Likelihood: How foreseeable is it that this safeguard risk would occur and create an impact? Use risk assessment criteria as guidance.
Safeguard Mission Impact, Safeguard Objectives Impact, Safeguard Obligations Impact: What impact could this safeguard risk pose to our mission, objectives, or obligations? Use risk assessment criteria as guidance.
Safeguard Risk Score.

Row 1
Risk Treatment Option: Accept

Row 2
Risk Treatment Option: Reduce
Recommended Safeguard: Add advanced malware protection module to end-point protection.
Safeguard Risk: Unexpected cost would be within the budget plan threshold if modules are restricted to laptops this year, and extended to remaining system next year. Threat of malware would no longer be expected. No impact to our mission.
Safeguard Threat Likelihood: 2; Safeguard Mission Impact: 1; Safeguard Objectives Impact: 2; Safeguard Obligations Impact: 1

Row 3
Risk Treatment Option: Reduce
Recommended Safeguard: Extend proxy server to the DMZ and force laptops to use it as a gateway.
Safeguard Risk: Laptops that use personal VPNs may bypass the proxy service. If the proxy service is unavailable, it may cause users to not use Internet resources while working out of the office. Proxy servers are not able to detect local attacks on systems.
Safeguard Threat Likelihood: 3; Safeguard Mission Impact: 2; Safeguard Objectives Impact: 2; Safeguard Obligations Impact: 4

Row 4
Risk Treatment Option: Reduce
Recommended Safeguard: Extend proxy server to the DMZ and force laptops to use it as a gateway.
Safeguard Risk: Laptops that use personal VPNs may bypass the proxy service. If the proxy service is unavailable, it may cause users to not use Internet resources while working out of the office. Proxy servers are not able to detect local attacks on systems.
Safeguard Threat Likelihood: 3; Safeguard Mission Impact: 2; Safeguard Objectives Impact: 2; Safeguard Obligations Impact: 4

Row 5
Risk Treatment Option: Reduce
Recommended Safeguard: Extend proxy server to the DMZ and force laptops to use it as a gateway.
Safeguard Risk: Laptops that use personal VPNs may bypass the proxy service. If the proxy service is unavailable, it may cause users to not use Internet resources while working out of the office. Proxy servers are not able to detect local attacks on systems.
Safeguard Threat Likelihood: 3; Safeguard Mission Impact: 2; Safeguard Objectives Impact: 2; Safeguard Obligations Impact: 4

Row 6
Risk Treatment Option: Reduce
Recommended Safeguard: Add advanced malware protection module to end-point protection.
Safeguard Risk: Unexpected cost would be within the budget plan threshold if modules are restricted to laptops this year, and extended to remaining system next year. Threat of malware would no longer be foreseeable. No impact to our mission.
Safeguard Threat Likelihood: 2; Safeguard Mission Impact: 1; Safeguard Objectives Impact: 2; Safeguard Obligations Impact: 1

Row 7
Risk Treatment Option: Reduce
Recommended Safeguard: Add advanced malware protection module to end-point protection.
Safeguard Risk: Unexpected cost would be within the budget plan threshold if modules are restricted to laptops this year, and extended to remaining system next year. Threat of malware would no longer be foreseeable. No impact to our mission.
Safeguard Threat Likelihood: 2; Safeguard Mission Impact: 1; Safeguard Objectives Impact: 2; Safeguard Obligations Impact: 1

Row 8
Risk Treatment Option: Reduce
Recommended Safeguard: Provide a NAS, not directly routable by end-user systems, that backs up files from select end-user systems.
Safeguard Risk: Some personnel who have critical information may accidentally be missed by the NAS backup. The cost of the NAS is not budgeted, but could be switched for lower-priority items.
Safeguard Threat Likelihood: 2; Safeguard Mission Impact: 3; Safeguard Objectives Impact: 2; Safeguard Obligations Impact: 1

Row 9
Risk Treatment Option: Reduce
Recommended Safeguard: Add to the incident response plan a requirement that we will not respond to ransom demands.
Safeguard Risk: Some personnel who have critical information may accidentally be missed by the NAS backup. Important information may be lost.
Safeguard Threat Likelihood: 2; Safeguard Mission Impact: 4; Safeguard Objectives Impact: 2; Safeguard Obligations Impact: 1

Safeguard Risk Score column, values as recorded on the sheet: 12, 12, 12, 4, 6

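The scoring rule the sheet states (Risk = Likelihood x Highest Impact Score, acceptable risk < 6) applied in code to the example register rows and to two of the recommended safeguards. This is an added illustration, not code from the CIS RAM Workbook or from CIS; the shortened control and vulnerability labels, the dataclass names and the treatment_decision helper are this example's own, while the likelihood, impact and recorded-score values and the threshold are taken from the sheet.

```python
"""Worked example of the CIS RAM scoring rule used by the register above.

Added illustration, not code from the CIS RAM Workbook or from CIS. It applies
the sheet's stated rule, Risk = Likelihood x Highest Impact with acceptable
risk < 6, to the example register rows and to the safeguards' own risk.
Control and vulnerability texts are shortened labels for the sheet's cells.
"""
from dataclasses import dataclass
from typing import List, Optional

# The sheet's acceptance criterion: a risk is acceptable only if its score is below 6.
ACCEPTABLE_RISK_BELOW = 6


@dataclass(frozen=True)
class Impact:
    """Impact scores for the three CIS RAM impact types."""
    mission: int
    objectives: int
    obligations: int

    def highest(self) -> int:
        return max(self.mission, self.objectives, self.obligations)


def risk_score(likelihood: int, impact: Impact) -> int:
    """CIS RAM: likelihood multiplied by the highest of the three impact scores."""
    return likelihood * impact.highest()


def is_acceptable(score: int) -> bool:
    """Strictly below the threshold, as the sheet writes it: acceptable risk < 6."""
    return score < ACCEPTABLE_RISK_BELOW


@dataclass(frozen=True)
class Risk:
    control: str
    vulnerability: str
    likelihood: int
    impact: Impact
    recorded_score: int  # the value written in the sheet's Risk Score column

    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)


@dataclass(frozen=True)
class Safeguard:
    description: str
    likelihood: int  # Safeguard Threat Likelihood
    impact: Impact   # Safeguard Mission / Objectives / Obligations Impact

    def score(self) -> int:
        # A safeguard's own risk is scored with the same rule as the threat it treats.
        return risk_score(self.likelihood, self.impact)


def treatment_decision(risk: Risk, safeguard: Optional[Safeguard]) -> str:
    """Apply the sheet's criterion to a risk and its proposed safeguard.

    A risk already below the threshold needs no safeguard. Otherwise the
    safeguard is a sound 'Reduce' option only if its own risk is acceptable;
    a safeguard whose risk reaches the threshold has to be revised or replaced.
    """
    if is_acceptable(risk.score()):
        return "accept: risk already below threshold"
    if safeguard is None:
        return "treat: no safeguard proposed"
    if is_acceptable(safeguard.score()):
        return "reduce: safeguard risk acceptable"
    return "revise safeguard: its own risk is not acceptable"


# The register rows from this sheet (likelihood, mission, objectives, obligations, recorded score).
EXAMPLE_REGISTER: List[Risk] = [
    Risk("AMP at SMTP gateway", "phishing via personal email", 2, Impact(3, 4, 4), 8),
    Risk("Signature AV, monthly URL dictionary", "no AMP on endpoints", 3, Impact(3, 4, 4), 12),
    Risk("URL filtering for LAN/DMZ", "laptops bypass proxy off-LAN", 3, Impact(3, 4, 4), 12),
    Risk("Phishing awareness training", "personnel still click", 4, Impact(3, 4, 4), 16),
    Risk("URL filtering for LAN/DMZ", "laptops bypass proxy off-LAN", 3, Impact(3, 2, 2), 9),
    Risk("Signature AV, monthly URL dictionary", "no AMP on endpoints", 3, Impact(3, 4, 4), 12),
    Risk("Signature AV, monthly URL dictionary", "no AMP on endpoints", 3, Impact(3, 4, 4), 12),
    Risk("Policy: store data on file servers", "endpoints not backed up", 3, Impact(3, 4, 4), 12),
    Risk("IR plan for live attacks/breaches", "no guidance on ransom", 3, Impact(3, 4, 4), 12),
]

# Two of the sheet's safeguards with their recorded safeguard-risk inputs.
AMP_MODULE = Safeguard("Add advanced malware protection module to end-point protection", 2, Impact(1, 2, 1))
PROXY_FOR_LAPTOPS = Safeguard("Extend proxy server to the DMZ and force laptops to use it", 3, Impact(2, 2, 4))


def register_matches_sheet(register: List[Risk]) -> bool:
    """True when every recomputed score equals the score recorded on the sheet."""
    return all(r.score() == r.recorded_score for r in register)


def unacceptable_rows(register: List[Risk]) -> List[int]:
    """1-based row numbers whose score meets or exceeds the threshold."""
    return [i for i, r in enumerate(register, start=1) if not is_acceptable(r.score())]


if __name__ == "__main__":
    for i, r in enumerate(EXAMPLE_REGISTER, start=1):
        verdict = "acceptable" if is_acceptable(r.score()) else "NOT acceptable"
        print(f"row {i}: likelihood {r.likelihood} x highest impact {r.impact.highest()} = {r.score():2d} ({verdict})")
    print("AMP module:", AMP_MODULE.score(), treatment_decision(EXAMPLE_REGISTER[1], AMP_MODULE))
    print("Proxy for laptops:", PROXY_FOR_LAPTOPS.score(), treatment_decision(EXAMPLE_REGISTER[2], PROXY_FOR_LAPTOPS))
```

Recomputing every row reproduces the sheet's Risk Score column, and scoring the safeguards with the same rule shows why the sheet carries Safeguard Risk columns at all: the advanced malware module scores 4 and passes the threshold, while extending the proxy to laptops scores 12, so that safeguard introduces a risk that itself needs attention before it is a sound "Reduce" option.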
Community Attack Model (Top)
The Community Attack Model (top) aligns the actions within an attack path with CIS Controls that would prevent or detect the actions. If users find in their environment correlations between CIS Controls and the Community Attack Model cells, they should add those controls.

Attack Path Models (Bottom)
Attack Path Models name foreseeable attacks, and describe the threats against assets that would occur in the attack path.

CIS Community Attack Model
Attack phases: Initial Recon; Acquire/Develop Tools; Delivery; Initial Compromise; Misuse/Escalate Privilege; Internal Recon; Lateral Movement; Establish Persistence; Execute Mission Objectives.

Identify
Initial Recon / Acquire/Develop Tools: control of HW, SW inventory; threat intelligence; Network logs
Delivery: control of administrative privilege
Internal Recon / Lateral Movement / Establish Persistence: control of HW, SW inventory
Execute Mission Objectives: Incident Response - Planning

Protect
Initial Recon / Acquire/Develop Tools: firewall; mail gateway filtering; web filtering; manage ports, protocols, services; hardened configurations; continuous vulnerability assessment
Delivery: continuous vulnerability assessment; firewall; mail gateway filtering; web filtering; secure remote access; NIPS
Initial Compromise: patching; hardened configurations; HIPS; anti-malware; containerization; app whitelisting; Data Execution Protection
Misuse/Escalate Privilege: control of admin privilege; data security; hardened configuration; continuous vulnerability assessment
Internal Recon: control of admin privilege; NW segmentation; Manage ports, protocols, services
Lateral Movement: control of admin privilege; patching; hardened configurations; anti-malware; NW segmentation
Establish Persistence: egress filtering; control of HW, SW inventory
Execute Mission Objectives: egress filtering; NW segmentation; data security

Detect
Initial Recon / Acquire/Develop Tools: firewall; honeypot; Network audit logs; threat intelligence; authentication; Network logs
Delivery: audit logs; Anti-malware; Network Intrusion Detection system
Initial Compromise: HIPS; anti-malware; containerization; app whitelisting; Data Execution Prevention
Misuse/Escalate Privilege: account monitoring; control of admin privilege; audit logs; Configuration Monitoring
Internal Recon: account monitoring; audit logs; Network Monitoring
Lateral Movement: audit logs; Network Monitoring
Establish Persistence: NW IDS; Host Intrusion Prevention
Execute Mission Objectives: Data Execution Prevention; HIPS; Network Monitoring

Respond
Initial Recon / Acquire/Develop Tools: honeypot
Delivery / Initial Compromise: Incident Response - Execution
Misuse/Escalate Privilege: audit logs; Configuration Management; Account Management
Internal Recon / Lateral Movement / Establish Persistence: sinkhole
Execute Mission Objectives: Incident Response - Execution

Recover
Delivery / Initial Compromise / Misuse/Escalate Privilege: Incident Response - Execution; control of HW, SW inventory
Execute Mission Objectives: Incident Response - Execution; control of HW, SW inventory

Attack Path Models

Data seizure through web application
Initial Recon: Our web application is accessible, as is some information about the architecture of the application by reviewing web pages, code objects, and references to linked systems. Asset: Web application and verbose services on the web application stack.
Acquire/Develop Tools: Moderately skilled hackers may develop scripts to execute data queries through web browsers or scripts. Asset: Out of our control.
Delivery: Attempts at running scripts or direct reference to commands and data objects on the web application, such as SQL injection. Asset: Web application, application server, database server, and event logs.
Initial Compromise: Data exfiltration through the web app, or data exfiltration directly from the database server. Asset: Database server, application server.
Misuse/Escalate Privilege: Not applicable.
Internal Recon: Not applicable.
Lateral Movement: Not applicable.
Establish Persistence: Not applicable.
Execute Mission Objectives: Data exfiltration through the web app, or data exfiltration directly from the database server. Asset: Database server, application server.

Arbitrary code execution through web application
Initial Recon: Our web application is accessible, as is some information about the architecture of the application by reviewing web pages, code objects, and references to linked systems. Asset: Web application and verbose services on the web application stack.
Acquire/Develop Tools: Highly skilled hackers may develop scripts to execute commands through application or database services. Asset: Out of our control.
Delivery: Attempts at running scripts or direct reference to commands and data objects on the web server, such as bash. Asset: Application server, database server, and event logs.
Initial Compromise: Commands executed through application account. Files added, altered, or replaced. Asset: Application server, database server, and event logs.
Misuse/Escalate Privilege: Execution of sudo or runas, establishment or alteration of existing account. Asset: User accounts, administrative accounts.
Internal Recon: Directory traversal at the web server. Asset: Application server, event logs.
Lateral Movement: Commands at the application server. Asset: Application server, event logs.
Establish Persistence: Installation of executables, establishment of new accounts. Asset: Operating systems, event logs, user accounts, administrative accounts.
Execute Mission Objectives: Initiation of executables, daemons, services, processes. Asset: Executable processes, daemons, services, event logs.

Ransomware
Initial Recon: Hackers determine who in the organization has access to sensitive information. Asset: Public information and social media sites that describe personnel and responsibilities.
Acquire/Develop Tools: Moderately skilled hackers may develop phishing email and ransomware exploits that target selected personnel. Asset: Out of our control.
Delivery: Hacker sends phishing email to selected personnel. Asset: Email server, SMTP gateway.
Initial Compromise: Personnel open phishing email and trigger an install of the ransomware payload. Asset: Email client, end-user OS, personnel, proxy server, advanced malware appliance.
Misuse/Escalate Privilege: Malware encrypts the local storage volume. Asset: End-user OS, storage volume.
Internal Recon: Not applicable.
Lateral Movement: Not applicable.
Establish Persistence: See Misuse/Escalate Privilege.
Execute Mission Objectives: Hackers require payment for release of information back to us. Asset: Out of our control.


Example impact definitions described in CIS RAM V1, Chapter 5

Example Impact Definition: Tier 1 Manufacturer

Defined
Impact to Our Mission: To provide customers with products that meet their unique specifications, without fail.
Impact to Obligations: Our customers' intellectual property must be kept confidential to preserve their market advantage.

Impact Score 1
Impact to Our Mission: Occasional orders cannot be fulfilled.
Impact to Obligations: Information about jobs may be known, but nothing that can harm customers' market position.

Impact Score 2
Impact to Our Mission: Products are delivered outside of spec and customers believe that we cannot produce custom products without fail.
Impact to Obligations: A single customer experiences market repercussions based on a security incident.

Impact Score 3
Impact to Our Mission: We can no longer produce reliable, custom products.
Impact to Obligations: Customers can no longer expect confidentiality protection when working with us.
Example Impact Definition: Tier 2, 3, 4 Manufacturer

Defined
Impact to Our Mission: To provide customers with products that meet their unique specifications, without fail.
Impact to Objectives: To quadruple our production and profits in five years through expansion into two new markets.

Impact Score 1
Impact to Our Mission: Customers receive excellent products, as needed.
Impact to Objectives: Our growth plan remains on target.

Impact Score 2
Impact to Our Mission: Occasional orders cannot be fulfilled.
Impact to Objectives: Our annual targets are off year-by-year, but within planned variance.

Impact Score 3
Impact to Our Mission: Contracted work for few customers cannot be completed as planned.
Impact to Objectives: Our growth is too low for one year, but can be recovered to meet the five-year goal.

Impact Score 4
Impact to Our Mission: Products are delivered outside of spec and customers believe that we cannot produce custom products without fail.
Impact to Objectives: We cannot meet the five-year growth plan.

Impact Score 5
Impact to Our Mission: We can no longer produce reliable, custom products.
Impact to Objectives: We cannot operate profitably.
Example Impact Definition: Tier 2, 3, 4 Community Bank

Defined
Impact to Obligations: Our customers' intellectual property must be kept confidential to preserve their market advantage.
Impact to Our Mission: We promote opportunities to households and small businesses in our community by providing affordable financial products and advisory services.

Impact Score 1
Impact to Obligations: All intellectual property is protected.
Impact to Our Mission: Households and small businesses get the services they need to thrive.

Impact Score 2
Impact to Obligations: Information about jobs may be known, but nothing that can harm customers' market position.
Impact to Our Mission: Occasional households and businesses (no more than baseline) may be over-extended and cannot achieve their financial goals.

Impact Score 3
Impact to Obligations: Information about a job leaks, and a customer needs to investigate whether it created harm, even if direct harm would not result.
Impact to Our Mission: A notable increase in overextended customers may occur, but could be recovered in a fiscal year.

Impact Score 4
Impact to Obligations: A single customer experiences market repercussions based on a security incident.
Impact to Our Mission: A notable increase in overextended customers occurs, but could be recovered over less than four fiscal years.

Impact Score 5
Impact to Obligations: Customers can no longer expect confidentiality protection when working with us.
Impact to Our Mission: Our community households and businesses could not rely on us to provide opportunities.
Example Impact Definition: Tier 2, 3, 4 Community Bank (Impact to Objectives and Impact to Obligations)

Defined
Impact to Objectives: We must retain a return-on-assets of 1.25% year-over-year.
Impact to Obligations: We must protect our customers' reputation and financial future against misuse of their financial or personal information.

Impact Score 1
Impact to Objectives: We meet our fiscal plan each quarter.
Impact to Obligations: Our customers' information is not released to unauthorized, malicious people.

Impact Score 2
Impact to Objectives: Our fiscal plan may be off quarter-over-quarter, but could achieve its annual goal.
Impact to Obligations: Information that is released to unauthorized people would not create harm.

Impact Score 3
Impact to Objectives: Our fiscal plan may be off of planned variance, but could be recovered in one fiscal year.
Impact to Obligations: Information that is released to unauthorized people would create harm to few customers, but financial reputation could be restored within a fiscal year.

Impact Score 4
Impact to Objectives: Our fiscal plan may be off of planned variance, but could be recovered in less than four fiscal years.
Impact to Obligations: Information that is released to unauthorized people would create harm to many customers. Some may suffer fraud. Financial reputation could be restored within a fiscal year.

Impact Score 5
Impact to Objectives: We could not maintain healthy return-on-assets.
Impact to Obligations: Customers could not rely on us to protect or restore their financial reputation. They may be subject to fraud.
Example Impact Definition: Tier 2, 3, 4 Telecommunications Company

Defined
Impact to Our Mission: To instantaneously and transparently connect our customers with the people, organizations, information, and communication platforms that they care about.
Impact to Objectives: To grow our subscriber base, communications capital, and revenue faster than our competition and to remain number one or two in the marketplace.
Impact to Obligations: We must protect our customers' communications records to prevent reputational or financial harm. We must meet our service level agreements with customers to prevent harm that may result from unreliable connectivity.

Lowest impact level
Impact to Our Mission: Service to customers operates within planned thresholds.
Impact to Objectives: Our subscriber base continues to grow, keeping us in first market position.
Impact to Obligations: Services and confidentiality remain intact.

Next impact level
Impact to Our Mission: Service to customers may drop below Minimal Service Target (MST) within planned variance.
Impact to Objectives: Our subscriber base continues to grow, but we would maintain second market position, close to third market position.
Impact to Obligations: Any service or confidentiality breaches would create no impact to customers, such as slow communications within SLAs, or listings of last names of subscribers.

Next impact level
Impact to Our Mission: Service to customers may drop below MST outside of planned variance, but without Critical Awareness Levels (CAL) in the customer base.
Impact to Objectives: A single quarter of dropping into third market position, but recovering back into second position, may occur. Marketplace rumors of acquisition would result.
Impact to Obligations: Breach in service or confidentiality could create recoverable harm to few, including temporary loss of service, or loss of financial confidentiality that we could compensate for.

Next impact level
Impact to Our Mission: CAL may be high. Customers may broadly state their dissatisfaction with our service.
Impact to Objectives: Recurring entry into third market position drives stock prices down significantly, with movements toward acquisition that we would need to fight.
Impact to Obligations: Breach in service or confidentiality could create recoverable harm to many, including temporary loss of service that impacts a person's health, a company's financial performance, or financial integrity of individual subscribers.

Highest impact level
Impact to Our Mission: Our reputation for providing reliable service may be low and unrecoverable.
Impact to Objectives: We may be acquired by stronger companies.
Impact to Obligations: Breach in service or confidentiality could create unrecoverable harm, including temporary loss of service that causes death, companies fail, or unrecoverable financial integrity of thousands of individual subscribers.
