Professional Documents
Culture Documents
v3
Last updated January 2023
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
controlsinfo@cisecurity.org
Editors
Thomas Sager
Contributors
License for Use
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nd/4.0/legalcode
To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing t
the prior approval of CIS® (Center for Internet Security, Inc.).
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-
are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to
Mapping Methodology
Mapping Methodology
This page describes the methodology used to map the CIS Critical Security Controls to Microsoft Azure Se
Reference link for Azure Security Benchmark v3: https://docs.microsoft.com/en-us/security/benchmark/azu
The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
It is not enough for two Controls to be related, it must be clear that implementing one Control will contribute
The general strategy used is to identify all of the aspects within a Control and attempt to discern if both item
For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights
If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• Intersects: Although the CIS Control and the defensive mitigation have many similarities, neither is contai
awareness program and another requiring an information governance program.
• No relationship: This will be represented by a blank cell.
The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m
The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.
If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
Remember to download the CIS Controls Version 8 Guide where you can learn more about:
A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/
Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
CIS Security
CIS Safeguard Asset Type
Control Function
1
10
11
11 11.1 Data Recover
12
13
14
15
16
17
18
Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose
Uninstall or Disable
Unnecessary Services on
Enterprise Assets and Software
Uninstall or Disable
Unnecessary Services on
Enterprise Assets and Software
Uninstall or Disable
Unnecessary Services on
Enterprise Assets and Software
Uninstall or Disable
Unnecessary Services on
Enterprise Assets and Software
Configure Trusted DNS Servers
on Enterprise Assets
Separate Enterprise
Workspaces on Mobile End-
User Devices
Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, inclu
administrator accounts, as well as service accounts, to enterprise assets and software.
Centralize Account
Management
Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
administrator, and service accounts for enterprise assets and software.
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the e
infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monito
private industry sources for new threat and vulnerability information.
Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Remediate Detected
Vulnerabilities
Remediate Detected
Vulnerabilities
Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover
attack.
Standardize Time
Synchronization
Improve protections and detections of threats from email and web vectors, as these are opportuniti
attackers to manipulate human behavior through direct engagement.
Restrict Unnecessary or
Unauthorized Browser and
Email Client Extensions
Implement DMARC
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts
enterprise assets.
Enable Anti-Exploitation
Features
Network Infrastructure
Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
attackers from exploiting vulnerable network services and access points.
Centralize Network
Authentication, Authorization,
and Auditing (AAA)
Centralize Network
Authentication, Authorization,
and Auditing (AAA)
Centralize Network
Authentication, Authorization,
and Auditing (AAA)
Operate processes and tooling to establish and maintain comprehensive network monitoring and d
against security threats across the enterprise’s network infrastructure and user base.
Securely Decommission
Service Providers
Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weakn
controls (people, processes, and technology), and simulating the objectives and actions of an attac
l of Enterprise Assets
entory, track, and correct) all enterprise assets (end-user devices, including portable and
ces; non-computing/Internet of Things (IoT) devices; and servers) connected to the
ally, virtually, remotely, and those within cloud environments, to accurately know the
need to be monitored and protected within the enterprise. This will also support
zed and unmanaged assets to remove or remediate.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and those
within cloud environments. Additionally, it includes assets that are regularly connected
to the enterprise’s network infrastructure, even if they are not under control of the
enterprise. Review and update the inventory of all enterprise assets bi-annually, or
more frequently.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and those
within cloud environments. Additionally, it includes assets that are regularly connected
to the enterprise’s network infrastructure, even if they are not under control of the
enterprise. Review and update the inventory of all enterprise assets bi-annually, or
more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from
connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management
tools to update the enterprise’s asset inventory. Review and use logs to update the
enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network.
Review and use scans to update the enterprise’s asset inventory at least weekly, or
more frequently.
l of Software Assets
entory, track, and correct) all software (operating systems and applications) on the
authorized software is installed and can execute, and that unauthorized and unmanaged
d prevented from installation or execution.
Ensure that unauthorized software is either removed from use on enterprise assets or
receives a documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate
the discovery and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.
Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
nd technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory
annually, at a minimum, with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.
Retain data according to the enterprise’s data management process. Data retention
must include both minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process.
Ensure the disposal process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations
can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and
update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.
Log sensitive data access, including modification and disposal.
of Enterprise Assets and Software
in the secure configuration of enterprise assets (end-user devices, including portable and
ces; non-computing/IoT devices; and servers) and software (operating systems and
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer
supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal
applications and data.
ools to assign and manage authorization to credentials for user accounts, including
ts, as well as service accounts, to enterprise assets and software.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule at
a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes,
at a minimum, an 8-character password for accounts using MFA and a 14-character
password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise
assets. Conduct general computing activities, such as internet browsing, email, and
productivity suite use, from the user’s primary, non-privileged account.
ools to create, assign, manage, and revoke access credentials and privileges for user,
rvice accounts for enterprise assets and software.
Establish and follow a process, preferably automated, for granting access to enterprise
assets upon new hire, rights grant, or role change of a user.
Establish and follow a process, preferably automated, for granting access to enterprise
assets upon new hire, rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.
Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.
Require MFA for all administrative access accounts, where supported, on all enterprise
assets, whether managed on-site or through a third-party provider.
Require MFA for all administrative access accounts, where supported, on all enterprise
assets, whether managed on-site or through a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization
systems, including those hosted on-site or at a remote service provider. Review and
update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.
Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.
Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.
Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
ility Management
ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
er to remediate, and minimize, the window of opportunity for attackers. Monitor public and
ces for new threat and vulnerability information.
and retain audit logs of events that could help detect, understand, or recover from an
Establish and maintain an audit log management process that defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the
enterprise’s audit log management process.
Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.
Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Centralize, to the extent possible, audit log collection and retention across enterprise
assets.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
and detections of threats from email and web vectors, as these are opportunities for
ate human behavior through direct engagement.
Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through
the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious
domains.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example implementations
include category-based filtering, reputation-based filtering, or through the use of block
lists. Enforce filters for all enterprise assets.
To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment
scanning and/or sandboxing.
Configure automatic updates for anti-malware signature files on all enterprise assets.
, and actively manage (track, report, correct) network devices, in order to prevent
ting vulnerable network services and access points.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).
Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.
Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.
Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user and/or
device authentication.
Perform application layer filtering. Example implementations include a filtering proxy,
application layer firewall, or gateway.
Perform application layer filtering. Example implementations include a filtering proxy,
application layer firewall, or gateway.
Perform application layer filtering. Example implementations include a filtering proxy,
application layer firewall, or gateway.
Perform application layer filtering. Example implementations include a filtering proxy,
application layer firewall, or gateway.
Train workforce members on how to identify and properly store, transfer, archive, and
destroy sensitive data. This also includes training workforce members on clear screen
and desk best practices, such as locking their screen when they step away from their
enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and
storing data and assets securely.
Train workforce to understand how to verify and report out-of-date software patches or
any failures in automated processes and tools. Part of this training should include
notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over,
insecure networks for enterprise activities. If the enterprise has remote workers,
training must include guidance to ensure that all users securely configure their home
network infrastructure.
evaluate service providers who hold sensitive data, or are responsible for an enterprise’s
r processes, to ensure these providers are protecting those platforms and data
Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
for each service provider. Review and update the inventory annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Classify service providers. Classification consideration may include one or more
characteristics, such as data sensitivity, data volume, availability requirements,
applicable regulations, inherent risk, and mitigated risk. Update and review
classifications annually, or when significant enterprise changes occur that could impact
this Safeguard.
Assess service providers consistent with the enterprise’s service provider management
policy. Assessment scope may vary based on classification(s), and may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
questionnaires, or other appropriately rigorous processes. Reassess service providers
annually, at a minimum, or with new and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider management
policy. Monitoring may include periodic reassessment of service provider compliance,
monitoring service provider release notes, and dark web monitoring.
Use up-to-date and trusted third-party software components. When possible, choose
established and proven frameworks and libraries that provide adequate
security. Acquire these components from trusted sources or evaluate the software for
vulnerabilities before use.
Establish and maintain a severity rating system and process for application
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe bugs
are fixed first. Review and update the system and process annually.
Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities. Training can include
general security principles and application security standard practices. Conduct
training at least annually and design in a way to promote security within the
development team, and build a culture of security among the developers.
Apply secure design principles in application architectures. Secure design principles
include the concept of least privilege and enforcing mediation to validate every
operation that the user makes, promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats. Secure
design also means minimizing the application infrastructure attack surface, such as
turning off unprotected ports and services, removing unnecessary programs and files,
and renaming or removing default accounts.
Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.
Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.
Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.
anagement
o develop and maintain an incident response capability (e.g., policies, plans, procedures,
g, and communications) to prepare, detect, and quickly respond to an attack.
Designate one key person, and at least one backup, who will manage the enterprise’s
incident handling process. Management personnel are responsible for the coordination
and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using
a third-party vendor, designate at least one person internal to the enterprise to oversee
any third-party work. Review annually, or when significant enterprise changes occur
that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts, as applicable. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and
report during a security incident. Mechanisms can include phone calls, emails, or
letters. Keep in mind that certain mechanisms, such as emails, can be affected during
a security incident. Review annually, or when significant enterprise changes occur that
could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel
involved in the incident response process to prepare for responding to real-world
incidents. Exercises need to test communication channels, decision making, and
workflows. Conduct testing on an annual basis, at a minimum.
Plan and conduct routine incident response exercises and scenarios for key personnel
involved in the incident response process to prepare for responding to real-world
incidents. Exercises need to test communication channels, decision making, and
workflows. Conduct testing on an annual basis, at a minimum.
X X X Superset AM-1
X X X Superset AM-3
X X X
X X
X X
X Subset AM-1
X X X Superset AM-1
X X X Superset AM-3
X X X
X X X
X X Superset AM-1
X X Superset AM-2
X X Superset AM-5
X X Superset AM-2
X X Superset AM-5
X Superset AM-2
X Superset AM-5
X X X Equivalent GS-3
X X X Subset DP-1
X X X Subset IM-7
X X X Superset PA-7
X X X Superset AM-4
X X X
X X X
X X X
X X Subset GS-3
X X Subset DP-1
X X
X X
X X Equivalent DP-3
X X Equivalent DP-4
X X Superset DP-5
X X Equivalent NS-1
X X Superset NS-2
X X Subset GS-2
X X Subset GS-3
X Superset DP-1
X Subset DP-2
X Superset NS-1
X X X Superset PV-1
X X X Superset PV-2
X X X Superset PV-3
X X X Superset PV-4
X X X Subset GS-5
X X X Subset PV-1
X X X Subset PV-2
X X X Subset GS-5
X X X
X X X Subset NS-1
X X X Subset NS-2
X X X Subset NS-3
X X X Subset NS-7
X X X Superset NS-8
X X X Subset GS-9
X X X
X X X
X X X
X X Subset NS-3
X X Subset NS-8
X X Subset AM-2
X X Superset AM-5
X X Equivalent NS-10
X X
X X
X X X Subset PA-4
X X X
X X X Subset PA-4
X X X Subset IM-2
X X X Superset PA-1
X X Subset PA-4
X X Subset PV-5
X X Superset GS-6
X X X Subset PA-3
X X X Superset PA-8
X X X Subset PA-3
X X X Superset PA-8
X X X Subset IM-6
X X X Subset IM-6
X X X Subset IM-7
X X X Superset IM-2
X X X Subset GS-6
X X
X X Equivalent IM-1
X X Subset IM-9
X X Subset GS-6
X Superset PA-1
X Superset PA-7
X X X Superset PV-5
X X X Subset PV-6
X X X Subset PV-6
X X X Subset PV-6
X X Superset DS-6
X X Subset PV-5
X X Subset PV-5
X X Superset DS-6
X X Equivalent PV-6
X X Subset DS-6
X X X Subset GS-7
X X X Superset LT-3
X X X Superset LT-4
X X X Superset DS-7
X X X Subset LT-6
X X Equivalent LT-7
X X Superset LT-3
X X Superset LT-4
X X Superset DS-7
X X Superset LT-4
X X Superset LT-4
X X
X X Equivalent LT-5
X X Superset DS-7
X X Equivalent LT-6
X X Subset LT-1
X X Subset LT-2
X X Subset LT-5
X X Subset DS-7
X Superset LT-3
X X X
X X X Subset NS-10
X X
X X
X X
X X
X X X Equivalent ES-2
X X X Subset GS-9
X X X Equivalent ES-3
X X X
X X
X X
X X
X X
X X X Equivalent GS-8
X X X Equivalent BR-1
X X X Equivalent BR-2
X X X Superset BR-3
X X X
X X Equivalent BR-4
X X X
X X Subset GS-4
X X
X X Subset GS-4
X X Equivalent IM-1
X X Superset IM-5
X X Subset IM-9
X X
X X Superset NS-9
X Equivalent PA-6
X X Equivalent LT-5
X X Subset GS-7
X X Subset NS-4
X X Subset NS-4
X X
X X Subset IM-7
X X Superset PA-6
X X Subset LT-4
X Subset NS-4
X Equivalent ES-1
X Subset NS-4
X Subset NS-3
X Subset NS-4
X Subset NS-5
X Subset NS-6
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X Subset GS-1
X X X
X X
X X
X X
X X Superset DS-6
X X Equivalent GS-10
X X Subset GS-10
X X
X X Subset DS-2
X X
X X Subset DS-2
X X Subset DS-3
X X Subset DS-6
X X
X X Subset IM-8
X X Subset DS-1
X X Subset DS-2
X Subset IM-8
X Superset DS-4
X Superset DS-5
X
X Equivalent DS-1
X X X Subset IR-2
X X X Subset GS-7
X X X Superset IR-2
X X Superset IR-1
X X Superset IR-5
X X Subset GS-7
X X
X X Subset IR-2
X X Subset IR-1
X X Subset GS-7
X X Equivalent IR-7
X Subset IR-3
X Subset IR-5
X X Subset PV-7
X X Subset PV-7
X X Subset PV-7
X Subset PV-7
X Subset PV-7
Recommendation
Monitor backups
Connect on-premises or
cloud network privately
Track your asset inventory by query and discover all your cloud resources. Logically organize your assets
Ensure your security organization can monitor the risks of the cloud assets by which security insights and r
Ensure security attributes or configurations of the assets are always updated during the asset lifecycle.
Track your asset inventory by query and discover all your cloud resources. Logically organize your assets
Ensure your security organization can monitor the risks of the cloud assets by which security insights and r
Track your asset inventory by query and discover all your cloud resources. Logically organize your assets
Ensure your security organization can monitor the risks of the cloud assets by which security insights and r
Ensure security attributes or configurations of the assets are always updated during the asset lifecycle.
Track your asset inventory by query and discover all your cloud resources. Logically organize your assets
Ensure your security organization can monitor the risks of the cloud assets by which security insights and r
Ensure that only approved cloud services can be used by auditing and restricting which services users can
Ensure that only authorized software executes by creating an allow list and block the unauthorized softwar
Ensure that only approved cloud services can be used by auditing and restricting which services users can
Ensure that only authorized software executes by creating an allow list and block the unauthorized softwar
Ensure that only approved cloud services can be used by auditing and restricting which services users can
Ensure that only authorized software executes by creating an allow list and block the unauthorized softwar
N/A
Establish and maintain an inventory of the sensitive data based on the defined sensitive data scope. Use t
Explicitly validate trusted signals to allow or deny user access to resources as part of a zero-trust
access model. Signals to validate should include strong authentication of user account, behavioral
analytics of user account, device trustworthiness, user or group membership, locations and so on.
Follow the just enough administration (least privilege) principle to manage the permission at fine-
grained level. Use features such as role-based access control (RBAC) to manage resource
access through role assignments.
Limit users' access to asset management features such to avoid accidental or malicious
modification of the assets in your cloud.
N/A
Establish and maintain an inventory of the sensitive data based on the defined sensitive data scope. Use t
To complement access controls, data in transit should be protected against 'out of band' attacks (such as t
Set the network boundary and service scope where data in transit encryption is mandatory within and outs
To complement access controls, data at rest should be protected against 'out of band' attacks (such as acc
When required due to regulatory compliance reason, define the use case and service scope where custom
N/A
N/A
Establish and maintain an inventory of the sensitive data based on the defined sensitive data scope. Use t
Monitor for anomalies around sensitive data, such as unauthorized transfer of data to locations outside of e
Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce t
Define the secure configuration baselines for your compute resources, such as VMs and containers. Use c
Continuously monitor and alert when there is a deviation from the defined configuration baseline in your co
N/A
Define the secure configuration baselines for different resource types in the cloud. Alternatively, use config
Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce t
N/A
Deploy firewall to perform advanced filtering on network traffic to and from external networks. You can also
At minimum, block known bad IP addresses and high-risk protocols like remote management (like RDP an
When managing a complex network environment, use tools to simplify, centralize and enhance the networ
Detect and disable insecure services and protocols at the OS, application, or software package layer. Dep
N/A
Deploy firewall to perform advanced filtering on network traffic to and from external networks. You can also
At minimum, block known bad IP addresses and high-risk protocols like remote management (like RDP an
Detect and disable insecure services and protocols at the OS, application, or software package layer. Dep
Ensure that only approved cloud services can be used by auditing and restricting which services users can
Ensure that only authorized software executes by creating an allow list and block the unauthorized softwar
Ensure Domain Name System (DNS) security configuration protects against known risks:
- Use trusted authoritative and recursive DNS services across your cloud environment to ensure the client
- Separate the public and private DNS resolution so the DNS resolution process for the private network can
- Ensure your DNS security strategy also includes mitigations against common attacks like dangling DNS,
Perform periodic review of privileged accounts and entitlements at the different resource tiers regularly. En
Perform periodic review of privileged accounts and entitlements at the different resource tiers regularly. En
Secure your identity and authentication system as a high priority in your organization's cloud security pract
- Restrict privileged roles and accounts
- Require strong authentication for all privileged access
- Monitor and audit high risk activities
Ensure you are identifying all high business impact accounts in your cloud's control plane, management pl
Ensure to assign privileged accounts with different roles based on the job functions and distinguish these p
Perform periodic review of privileged accounts and entitlements at the different resource tiers regularly. En
Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed schedule or when on dem
Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Fo
N/A
Use an automated process or technical control to manage the identity and access lifecycle including the re
Establish an approval process and access path for requesting and approving vendor support request and t
Use an automated process or technical control to manage the identity and access lifecycle including the re
Establish an approval process and access path for requesting and approving vendor support request and t
When deploying strong authentication, configure administrators and privileged users first to ensure the hig
Note: If legacy password-based authentication is required for legacy applications and scenarios, ensure pa
When deploying strong authentication, configure administrators and privileged users first to ensure the hig
Explicitly validate trusted signals to allow or deny user access to resources as part of a zero-trust access m
Secure your identity and authentication system as a high priority in your organization's cloud security pract
- Restrict privileged roles and accounts
- Require strong authentication for all privileged access
- Monitor and audit high risk activities
N/A
Use a centralized identity and authentication system to govern organization's identities and authentications
Ensure you are identifying all high business impact accounts in your cloud's control plane, management pl
Ensure to assign privileged accounts with different roles based on the job functions and distinguish these p
Follow the just enough administration (least privilege) principle to manage the permission at fine-grained le
Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed schedule or when on dem
Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Fo
Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources
Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources
Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources
Ensure the workload is secured throughout the entire lifecycle in development, testing, and deployment sta
- Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure mana
- Ensure VM, container images and other artifacts are secure from malicious manipulation.
- Scan the workload artifacts (i.e., container image, dependencies, SAST and DAST scan) prior to the dep
- Deploy vulnerability assessment and threat detection capability into the production environment and cont
Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed schedule or when on dem
Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Fo
Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed schedule or when on dem
Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Fo
Ensure the workload is secured throughout the entire lifecycle in development, testing, and deployment sta
- Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure mana
- Ensure VM, container images and other artifacts are secure from malicious manipulation.
- Scan the workload artifacts (i.e., container image, dependencies, SAST and DAST scan) prior to the dep
- Deploy vulnerability assessment and threat detection capability into the production environment and cont
Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources
- Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure mana
- Ensure VM, container images and other artifacts are secure from malicious manipulation.
- Scan the workload artifacts (i.e., container image, dependencies, SAST and DAST scan) prior to the dep
N/A
Enable logging for your cloud resources to meet the requirements for security incident
investigations and security response and compliance purposes.
Enable logging for your network services to support network-related incident investigations, threat
hunting, and security alert generation. The network logs may include logs from network services
such as IP filtering, network and application firewall, DNS, flow monitoring and so on.
Ensure your logging and monitoring scope includes non-production environments and CI/CD
workflow elements used in DevOps (and any other development processes). The vulnerabilities
and threats targeting these environments can introduce significant risks to your production
environment if they are not monitored properly. The events from the CI/CD build, test and
deployment workflow should also be monitored to identify any deviations in the CI/CD workflow
jobs.
Plan your log retention strategy according to your compliance, regulation, and business
requirements. Configure the log retention policy at the individual logging services to ensure the
logs are archived appropriately.
Ensure approved time synchronization sources are used for your logging time stamp which should include
Enable logging for your cloud resources to meet the requirements for security incident
investigations and security response and compliance purposes.
Enable logging for your network services to support network-related incident investigations, threat
hunting, and security alert generation. The network logs may include logs from network services
such as IP filtering, network and application firewall, DNS, flow monitoring and so on.
Ensure your logging and monitoring scope includes non-production environments and CI/CD
workflow elements used in DevOps (and any other development processes). The vulnerabilities
and threats targeting these environments can introduce significant risks to your production
environment if they are not monitored properly. The events from the CI/CD build, test and
deployment workflow should also be monitored to identify any deviations in the CI/CD workflow
jobs.
Enable logging for your network services to support network-related incident investigations, threat
hunting, and security alert generation. The network logs may include logs from network services
such as IP filtering, network and application firewall, DNS, flow monitoring and so on.
Enable logging for your network services to support network-related incident investigations, threat
hunting, and security alert generation. The network logs may include logs from network services
such as IP filtering, network and application firewall, DNS, flow monitoring and so on.
Centralize logging storage and analysis to enable correlation across log data. For each log source, ensure
Ensure your logging and monitoring scope includes non-production environments and CI/CD
workflow elements used in DevOps (and any other development processes). The vulnerabilities
and threats targeting these environments can introduce significant risks to your production
environment if they are not monitored properly. The events from the CI/CD build, test and
deployment workflow should also be monitored to identify any deviations in the CI/CD workflow
jobs.
Plan your log retention strategy according to your compliance, regulation, and business
requirements. Configure the log retention policy at the individual logging services to ensure the
logs are archived appropriately.
Monitor different types of threats and anomalies against different resource types in cloud. Configure your a
Detect threats for identities and access management by monitoring the user and application sign-in and ac
Centralize logging storage and analysis to enable correlation across log data. For each log source, ensure
Ensure your logging and monitoring scope includes non-production environments and CI/CD
workflow elements used in DevOps (and any other development processes). The vulnerabilities
and threats targeting these environments can introduce significant risks to your production
environment if they are not monitored properly. The events from the CI/CD build, test and
deployment workflow should also be monitored to identify any deviations in the CI/CD workflow
jobs.
Enable logging for your cloud resources to meet the requirements for security incident
investigations and security response and compliance purposes.
Ensure Domain Name System (DNS) security configuration protects against known risks:
- Use trusted authoritative and recursive DNS services across your cloud environment to ensure the client
- Separate the public and private DNS resolution so the DNS resolution process for the private network can
- Ensure your DNS security strategy also includes mitigations against common attacks like dangling DNS,
Use anti-malware solutions capable of real-time protection and periodic scanning.
N/A
Ensure anti-malware signatures are updated rapidly and consistently for the anti-malware solution.
N/A
Ensure backup of business-critical resources either during resource creation or enforced through policy for
Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/ma
Periodically perform data recovery test of your backup to verify that the backup configurations and
availability of the backup data meets the recovery needs as per defined in the RTO and RPO.
N/A
N/A
Use a centralized identity and authentication system to govern organization's identities and authentications
Use single sign-on (SSO) to simplify the user experience for authenticating to resources including applicati
In a hybrid environment where you have on-premises applications or non-native cloud applications using le
- Enforce a centralized strong authentication
- Monitor and control risky end-user activities
- Monitor and remediate risky legacy applications activities
- Detect and prevent sensitive data transmission
Use private connections for secure communication between different networks such as cloud
service provider datacenters and on-premises infrastructure in a colocation environment.
Secured, isolated workstations are critically important for the security of sensitive roles like
administrator, developer, and critical service operator.
Centralize logging storage and analysis to enable correlation across log data. For each log source, ensure
N/A
Use network intrusion detection/intrusion prevention systems (IDS/IPS) to inspect the network and/or paylo
For more in-depth host level detection and prevention capability, use host-based IDS/IPS or a host-based
Use network intrusion detection/intrusion prevention systems (IDS/IPS) to inspect the network and/or paylo
For more in-depth host level detection and prevention capability, use host-based IDS/IPS or a host-based
Explicitly validate trusted signals to allow or deny user access to resources as part of a zero-trust
access model. Signals to validate should include strong authentication of user account, behavioral
analytics of user account, device trustworthiness, user or group membership, locations and so on.
Secured, isolated workstations are critically important for the security of sensitive roles like
administrator, developer, and critical service operator.
Enable logging for your network services to support network-related incident investigations, threat
hunting, and security alert generation. The network logs may include logs from network services
such as IP filtering, network and application firewall, DNS, flow monitoring and so on.
Use network intrusion detection/intrusion prevention systems (IDS/IPS) to inspect the network and/or paylo
For more in-depth host level detection and prevention capability, use host-based IDS/IPS or a host-based
Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate with SIEM and security
Use network intrusion detection/intrusion prevention systems (IDS/IPS) to inspect the network and/or paylo
For more in-depth host level detection and prevention capability, use host-based IDS/IPS or a host-based
Deploy firewall to perform advanced filtering on network traffic to and from external networks. You can also
At minimum, block known bad IP addresses and high-risk protocols like remote management (like RDP an
Use network intrusion detection/intrusion prevention systems (IDS/IPS) to inspect the network and/or paylo
For more in-depth host level detection and prevention capability, use host-based IDS/IPS or a host-based
Deploy distributed denial of service (DDoS) protection to protect your network and applications from attack
Deploy web application firewall (WAF) and configure the appropriate rules to protect your web applications
N/A
Ensure the workload is secured throughout the entire lifecycle in development, testing, and deployment sta
- Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure mana
- Ensure VM, container images and other artifacts are secure from malicious manipulation.
- Scan the workload artifacts (i.e., container image, dependencies, SAST and DAST scan) prior to the dep
- Deploy vulnerability assessment and threat detection capability into the production environment and cont
N/A
N/A
Ensure your enterprise’s SDLC (Software Development Lifecycle) or process include a set of
security controls to govern the in-house and third-party software components (including both
proprietary and open-source software) where your applications have dependencies. Define gating
criteria to prevent vulnerable or malicious components being integrated and deployed into the
environment.
The software supply chain security controls at least should include following aspects:
- Identify the upstream dependencies required at the development, build, integration and
deployment phase.
- Inventory and track the in-house and third-party software components for known vulnerability
when there is a fix available in the upstream.
- Assess the vulnerabilities and malware in the software components using static and dynamic
application testing for unknown vulnerabilities.
- Ensure the vulnerabilities and malware are mitigated using the appropriate approach. This may
include source code local or upstream fix, feature exclusion and/or applying compensating controls
if the direct mitigation is not available.
Note: If closed source third-party components are used in your production environment where you
may have limited visibility to its security posture. You should consider additional controls such as
access control, network isolation and endpoint security to minimize the impact if there is a
malicious activity or vulnerability associated with the component.
Ensure your enterprise’s SDLC (Software Development Lifecycle) or process include a set of
security controls to govern the in-house and third-party software components (including both
proprietary and open-source software) where your applications have dependencies. Define gating
criteria to prevent vulnerable or malicious components being integrated and deployed into the
environment.
The software supply chain security controls at least should include following aspects:
- Identify the upstream dependencies required at the development, build, integration and
deployment phase.
- Inventory and track the in-house and third-party software components for known vulnerability
when there is a fix available in the upstream.
- Assess the vulnerabilities and malware in the software components using static and dynamic
application testing for unknown vulnerabilities.
- Ensure the vulnerabilities and malware are mitigated using the appropriate approach. This may
include source code local or upstream fix, feature exclusion and/or applying compensating controls
if the direct mitigation is not available.
Note: If closed source third-party components are used in your production environment where you
may have limited visibility to its security posture. You should consider additional controls such as
access control, network isolation and endpoint security to minimize the impact if there is a
malicious activity or vulnerability associated with the component.
Ensure the DevOps infrastructure and pipeline follow security best practices across environments including
- Artifact repositories that store source code, built packages and images, project artifacts and business dat
- Servers, services, and tooling that hosting CI/CD pipelines.
- CI/CD pipeline configuration.
Ensure the workload is secured throughout the entire lifecycle in development, testing, and deployment sta
- Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure mana
- Ensure VM, container images and other artifacts are secure from malicious manipulation.
- Scan the workload artifacts (i.e., container image, dependencies, SAST and DAST scan) prior to the dep
- Deploy vulnerability assessment and threat detection capability into the production environment and cont
Note: This is often governed and enforced through a secure software development lifecycle (SDLC) and D
Perform threat modeling to identify the potential threats and enumerate the mitigating controls. Ensure you
- Secure your applications and services in the production run-time stage.
- Secure the artifacts, underlying CI/CD pipeline and other tooling environment used for build, test, and dep
The threat modeling at least should include the following aspects:
- Define the security requirements of the application. Ensure these requirements are adequately addressed
- Analyze application components, data connections and their relationship. Ensure this analysis also includ
- List the potential threats and attack vectors that your application components, data connections and upst
- Identify the applicable security controls that can be used to mitigate the threats enumerated and identify a
- Enumerate and design the controls that can mitigate the vulnerabilities identified.
Ensure your enterprise’s SDLC (Software Development Lifecycle) or process include a set of
security controls to govern the in-house and third-party software components (including both
proprietary and open-source software) where your applications have dependencies. Define gating
criteria to prevent vulnerable or malicious components being integrated and deployed into the
environment.
The software supply chain security controls at least should include following aspects:
- Identify the upstream dependencies required at the development, build, integration and
deployment phase.
- Inventory and track the in-house and third-party software components for known vulnerability
when there is a fix available in the upstream.
- Assess the vulnerabilities and malware in the software components using static and dynamic
application testing for unknown vulnerabilities.
- Ensure the vulnerabilities and malware are mitigated using the appropriate approach. This may
include source code local or upstream fix, feature exclusion and/or applying compensating controls
if the direct mitigation is not available.
Note: If closed source third-party components are used in your production environment where you
may have limited visibility to its security posture. You should consider additional controls such as
access control, network isolation and endpoint security to minimize the impact if there is a
malicious activity or vulnerability associated with the component.
- Avoid embedding the credentials and secrets into the code and configuration files
- Use key vault or a secure key store service to store the credentials and secrets
- Scan for credentials in source code.
Ensure static application security testing (SAST) are part of the gating controls in the CI/CD workflow. The
Ensure dynamic application security testing (DAST) are part of the gating controls in the CI/CD workflow. T
Perform threat modeling to identify the potential threats and enumerate the mitigating controls. Ensure you
- Secure your applications and services in the production run-time stage.
- Secure the artifacts, underlying CI/CD pipeline and other tooling environment used for build, test, and dep
The threat modeling at least should include the following aspects:
- Define the security requirements of the application. Ensure these requirements are adequately addressed
- Analyze application components, data connections and their relationship. Ensure this analysis also includ
- List the potential threats and attack vectors that your application components, data connections and upst
- Identify the applicable security controls that can be used to mitigate the threats enumerated and identify a
- Enumerate and design the controls that can mitigate the vulnerabilities identified.
Ensure the security alerts and incident notification from the cloud service provider's platform and your envi
N/A
Ensure the security alerts and incident notification from the cloud service provider's platform and your envi
Ensure your organization follows industry best practice to develop processes and plans to respond to secu
Regularly test the incident response plan and handling process to ensure they're up to date.
Provide context to security operations team on which incidents to focus on first based on alert severity and
N/A
Ensure the security alerts and incident notification from the cloud service provider's platform and your envi
Ensure your organization follows industry best practice to develop processes and plans to respond to secu
Regularly test the incident response plan and handling process to ensure they're up to date.
N/A
Conduct lesson learned in your organization periodically and/or for major incidents to improve your future c
Based on the nature of the incident, retain of the evidence related to the incident for the period defined in t
Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you
High-quality alerts can be built based on experience from past incidents, validated community sources, and
Provide context to security operations team on which incidents to focus on first based on alert severity and
Red team operations such as penetration testing should be conducted to simulate the real-world attacks to
Follow the other industry best practices to design, prepare and conduct such kind of testing.
Red team operations such as penetration testing should be conducted to simulate the real-world attacks to
Follow the other industry best practices to design, prepare and conduct such kind of testing.
Red team operations such as penetration testing should be conducted to simulate the real-world attacks to
Follow the other industry best practices to design, prepare and conduct such kind of testing.
Red team operations such as penetration testing should be conducted to simulate the real-world attacks to
Follow the other industry best practices to design, prepare and conduct such kind of testing.
Red team operations such as penetration testing should be conducted to simulate the real-world attacks to
Follow the other industry best practices to design, prepare and conduct such kind of testing.
nize your assets by tagging and grouping your assets based on their service nature, location, or other characteristics
sset lifecycle.
nize your assets by tagging and grouping your assets based on their service nature, location, or other characteristics
nize your assets by tagging and grouping your assets based on their service nature, location, or other characteristics
sset lifecycle.
nize your assets by tagging and grouping your assets based on their service nature, location, or other characteristics
ata scope. Use tools to discover, classify and label the in scope sensitive data.
ata scope. Use tools to discover, classify and label the in scope sensitive data.
ttacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
y within and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on ext
cks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or
pe where customer-managed key option is needed. Enable and implement data at rest encryption using customer-ma
nization.
sily remediated.
so disable or restrict access from public network when possible.
ata scope. Use tools to discover, classify and label the in scope sensitive data.
tions outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or un
nization.
sily remediated.
tively, use configuration management tools to establish the configuration baseline automatically before or during reso
seline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant config
ontainers. Use custom image to build the desired configuration baseline into the compute resource image template.
seline in your compute resources. Enforce the desired configuration according to the baseline configuration by deny
tively, use configuration management tools to establish the configuration baseline automatically before or during reso
seline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant config
nization.
sily remediated.
so disable or restrict access from public network when possible.
ks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom
ent (like RDP and SSH) and intranet protocols like SMB and Kerberos.
kage layer. Deploy compensating controls if disabling insecure services and protocols are not possible.
ks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom
ent (like RDP and SSH) and intranet protocols like SMB and Kerberos.
kage layer. Deploy compensating controls if disabling insecure services and protocols are not possible.
ers regularly. Ensure the accounts and their level of access are valid.
ers regularly. Ensure the accounts and their level of access are valid.
ud security practice. Common security controls include the follow aspects:
management plane, and data/workload plane. Limit the number of privileged/administrative accounts.
stinguish these privileged accounts from the regular accounts used for non-privileged tasks.
ers regularly. Ensure the accounts and their level of access are valid.
or when on demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessme
ility scanners. Follow the privileged access security best practice to secure any administrative accounts used for the
ort request and temporary access to your data through a secure channel.
ort request and temporary access to your data through a secure channel.
authentication) with your centralized identity and authentication management system for all access to resources. Aut
o ensure the highest level of the strong authentication method, quickly followed by rolling out the appropriate strong a
narios, ensure password security best practices such as complexity requirements, are followed.
o ensure the highest level of the strong authentication method, quickly followed by rolling out the appropriate strong a
ro-trust access model. Signals to validate should include strong authentication of user account, behavioral analytics o
ud security practice. Common security controls include the follow aspects:
stinguish these privileged accounts from the regular accounts used for non-privileged tasks.
at fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through ro
or when on demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessme
ility scanners. Follow the privileged access security best practice to secure any administrative accounts used for the
cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities, e.g., mo
cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities, e.g., mo
cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities, e.g., mo
d deployment stage. Use Azure Security Benchmark to evaluate the controls (such as network security, identity mana
rastructure management (infrastructure as code), and testing to reduce human error and attack surface.
.
prior to the deployment in the CI/CD workflow
onment and continuously use these capabilities in the run-time.
or when on demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessme
ility scanners. Follow the privileged access security best practice to secure any administrative accounts used for the
or when on demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessme
ility scanners. Follow the privileged access security best practice to secure any administrative accounts used for the
d deployment stage. Use Azure Security Benchmark to evaluate the controls (such as network security, identity mana
rastructure management (infrastructure as code), and testing to reduce human error and attack surface.
.
prior to the deployment in the CI/CD workflow
onment and continuously use these capabilities in the run-time.
cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities, e.g., mo
rastructure management (infrastructure as code), and testing to reduce human error and attack surface.
.
prior to the deployment in the CI/CD workflow
Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sour
on sign-in and access anomalies. Behavioral patterns such as excessive number of failed login attempts, and deprec
g source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to pro
ensure the client (such as operating systems and applications) receive the correct resolution result.
vate network can be isolated from the public network.
e dangling DNS, DNS amplifications attacks, DNS poisoning and spoofing, etc.
hrough policy for existing resources.
ransomware/malware and malicious insiders. The security controls that should be applied include user and network
ncluding applications and data across cloud services and on-premises environments.
plications using legacy authentication, consider solutions such as cloud access security broker (CASB), application pr
g source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to pro
work and/or payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alert
or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS.
work and/or payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alert
or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS.
work and/or payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alert
or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS.
work and/or payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alert
or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS.
ks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom
ent (like RDP and SSH) and intranet protocols like SMB and Kerberos.
work and/or payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alert
or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS.
tions from attacks.
d deployment stage. Use Azure Security Benchmark to evaluate the controls (such as network security, identity mana
rastructure management (infrastructure as code), and testing to reduce human error and attack surface.
.
prior to the deployment in the CI/CD workflow
onment and continuously use these capabilities in the run-time.
D workflow. The gating can be set based on the testing results to prevent vulnerable packages from committing into
I/CD workflow. The gating can be set based on the testing results to prevent vulnerable packages from building into
rols. Ensure your threat modeling serves the following purposes:
m and your environments can be received by correct contact in your incident response organization.
m and your environments can be received by correct contact in your incident response organization.
respond to security incidents on the cloud platforms. Be mindful about the shared responsibility model and the varia
e.
alert severity and asset sensitivity defined in your organization's incident response plan.
m and your environments can be received by correct contact in your incident response organization.
respond to security incidents on the cloud platforms. Be mindful about the shared responsibility model and the varia
e.
eriod defined in the incident handling standard for further analysis or legal actions.
This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on fals
nity sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.
alert severity and asset sensitivity defined in your organization's incident response plan.
-world attacks to complement the traditional vulnerability assessment approach. The stakeholder and relevant resou
g.
-world attacks to complement the traditional vulnerability assessment approach. The stakeholder and relevant resou
g.
-world attacks to complement the traditional vulnerability assessment approach. The stakeholder and relevant resou
g.
-world attacks to complement the traditional vulnerability assessment approach. The stakeholder and relevant resou
g.
-world attacks to complement the traditional vulnerability assessment approach. The stakeholder and relevant resou
g.
or other characteristics. Ensure your security organization have access to a continuously updated inventory of asset
or other characteristics. Ensure your security organization have access to a continuously updated inventory of asset
or other characteristics. Ensure your security organization have access to a continuously updated inventory of asset
or other characteristics. Ensure your security organization have access to a continuously updated inventory of asset
modify the data.
us activities (large or unusual transfers) that could indicate unauthorized data exfiltration.
ly before or during resource deployment so the environment can be compliant by default after the deployment.
ource image template. Alternatively, use configuration management tools to establish the configuration baseline auto
ly before or during resource deployment so the environment can be compliant by default after the deployment.
t possible.
. If required, use custom routes for your subnet to override the system route when you need to force the network traff
t possible.
ediated. The assessment should include all type of vulnerabilities such as vulnerabilities in Azure services, network, w
ccess to resources. Authentication based on password credentials alone is considered legacy as it is insecure and do
d.
the appropriate strong authentication policy to all users.
t, behavioral analytics of user account, device trustworthiness, user or group membership, locations and so on.
ource access through role assignments.
ediated. The assessment should include all type of vulnerabilities such as vulnerabilities in Azure services, network, w
vulnerabilities, e.g., more severe vulnerabilities in a higher value asset should be addressed as a higher priority.
vulnerabilities, e.g., more severe vulnerabilities in a higher value asset should be addressed as a higher priority.
vulnerabilities, e.g., more severe vulnerabilities in a higher value asset should be addressed as a higher priority.
k security, identity management, privileged access and so on) that can be set as guardrails by default or shift left prio
k surface.
ediated. The assessment should include all type of vulnerabilities such as vulnerabilities in Azure services, network, w
ediated. The assessment should include all type of vulnerabilities such as vulnerabilities in Azure services, network, w
vulnerabilities, e.g., more severe vulnerabilities in a higher value asset should be addressed as a higher priority.
k surface.
at tools are used to process and access the data, and data retention requirements.
at tools are used to process and access the data, and data retention requirements.
clude user and network access control, data encryption at-rest and in-transit.
(CASB), application proxy, single sign-on (SSO) to govern the access to these applications for the following benefit
at tools are used to process and access the data, and data retention requirements.
ork IDS/IPS.
ovide high-quality alerts to your SIEM solution.
ork IDS/IPS.
ovide high-quality alerts to your SIEM solution.
ork IDS/IPS.
ork IDS/IPS.
. If required, use custom routes for your subnet to override the system route when you need to force the network traff
ork IDS/IPS.
k security, identity management, privileged access and so on) that can be set as guardrails by default or shift left prio
k surface.
ontrols for following scope:
k security, identity management, privileged access and so on) that can be set as guardrails by default or shift left prio
k surface.
ope.
atment plan.
s from committing into the repository, building into the packages, or deploying into the production.
ages from building into the packages or deploying into the production.
ope.
atment plan.
ity model and the variances across IaaS, PaaS and SaaS services. This will have a direct impact to how you will colla
ity model and the variances across IaaS, PaaS and SaaS services. This will have a direct impact to how you will colla
der and relevant resource owners should be informed to discuss the testing constrains and to ensure the testing will
der and relevant resource owners should be informed to discuss the testing constrains and to ensure the testing will
der and relevant resource owners should be informed to discuss the testing constrains and to ensure the testing will
der and relevant resource owners should be informed to discuss the testing constrains and to ensure the testing will
der and relevant resource owners should be informed to discuss the testing constrains and to ensure the testing will
dated inventory of assets.
dated inventory of assets.
nfiguration baseline automatically before or during the compute resource deployment so the environment can be com
ute resources.
r the deployment.
o force the network traffic to go through a network appliance for security control purpose.
o force the network traffic to go through a network appliance for security control purpose.
zure services, network, web, operating systems, misconfigurations, and so on.
as a higher priority.
as a higher priority.
as a higher priority.
y default or shift left prior to the deployment stage. In particular, ensure the following controls are in place in your Dev
y default or shift left prior to the deployment stage. In particular, ensure the following controls are in place in your Dev
as a higher priority.
for the following benefits:
o force the network traffic to go through a network appliance for security control purpose.
y default or shift left prior to the deployment stage. In particular, ensure the following controls are in place in your Dev
y default or shift left prior to the deployment stage. In particular, ensure the following controls are in place in your Dev
pact to how you will collaborate with your cloud provider in incident response and handling activities such as incident
pact to how you will collaborate with your cloud provider in incident response and handling activities such as incident
o ensure the testing will not cause damages to the production environment.
o ensure the testing will not cause damages to the production environment.
o ensure the testing will not cause damages to the production environment.
o ensure the testing will not cause damages to the production environment.
o ensure the testing will not cause damages to the production environment.
nvironment can be compliant by default after the deployment.
are in place in your DevOps process:
Ensure certificates used by the critical services in your organization are inventoried, tracked, monitored, and renewe
disruption.
Ensure the security of the key vault service used for the cryptographic key and certificate lifecycle management. Ha
security, logging and monitoring and backup to ensure keys and certificates are always protected using the maximum
Use managed application identities instead of creating human accounts for applications to access resources and ex
such as reducing the exposure of credentials, and automated credential rotation to ensure the security of the identiti
Authenticate remote servers and services from your client side to ensure you are connecting to trusted server and s
Transport Layer Security (TLS) where the client-side (often a browser or client device) verifies the server by verifying
authority.
Note: Mutual authentication is when both the server and the client authenticate one-another.
Instead of creating standing privileges, use just-in-time (JIT) mechanism to assign privileged access to the different
Set up emergency access to ensure that you are not accidentally locked out of your critical cloud infrastructure (such
emergency situation.
Emergency access accounts rarely used and highly damaging to the organization if compromised, but their availabil
scenarios when they are required.
Ensure security operation team can query and use diverse data sources as they investigate potential incidents, to bu
collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensu
analysts and for future historical reference.
Automate the manual repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks t
how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which increases the risk of h
analysts to focus effectively on complex tasks.
1.2
1.3
1.4
2.2
2.3
3.4
3.5
3.6
3.8
3.9
4.3
4.5
4.6
4.7
4.10
4.11
4.12
5.2
6.6
8.8
9.1
9.3
9.4
9.5
9.6
9.7
10.3
10.4
10.5
10.6
10.7
11.4
12.1
12.3
12.6
13.4
13.9
13.11
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
15.1
15.2
15.3
15.4
15.5
15.6
15.7
16.3
16.5
16.8
16.13
17.5
Address Unauthorized Assets
Utilize an Active Discovery Tool
Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Implement DMARC
Block Unnecessary File Types
Deploy and Maintain Email Server Anti-Malware Protections
Disable Autorun and Autoplay for Removable Media
Configure Automatic Anti-Malware Scanning of Removable Media
Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks