
CIS Controls Measures and Metrics V7

The document outlines best practices for maintaining accurate asset and software inventories, securing administrative accounts, hardening systems, and performing regular vulnerability scans and patching. It recommends using active and passive discovery tools to track hardware and DHCP/software inventory tools to track all authorized devices and software connected to the network. Administrative accounts should use unique passwords, multifactor authentication, and dedicated machines to reduce risks from elevated privileges. Systems should be regularly scanned for vulnerabilities and patched through automated tools to protect from known exploits.


CIS Controls Measures and Metrics for Version 7

Each sub-control is listed with its title, followed by the Description, Sensor and Measure columns of the source spreadsheet.

1.1 Utilize an Active Discovery Tool
Description: Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
Sensor: Active Device Discovery System
Measure: What percentage of the organization's networks have not recently been scanned by an active asset discovery tool?

1.2 Use a Passive Asset Discovery Tool
Description: Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
Sensor: Passive Device Discovery System
Measure: What percentage of the organization's networks are not being monitored by a passive asset discovery tool?

1.3 Use DHCP Logging to Update Asset Inventory
Description: Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's DHCP servers do not have logging enabled?

1.4 Maintain Detailed Asset Inventory
Description: Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
Sensor: Asset Inventory System
Measure: What percentage of the organization's hardware assets are not presently included in the organization's asset inventory?

1.5 Maintain Asset Inventory Information
Description: Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
Sensor: Asset Inventory System
Measure: What percentage of the organization's hardware assets as a whole are not documented in the organization's asset inventory with the appropriate network address, hardware address, machine name, data asset owner, and department for each asset?

1.6 Address Unauthorized Assets
Description: Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
Sensor: Asset Inventory System
Measure: What percentage of the organization's unauthorized assets have not been removed from the network, quarantined or added to the inventory in a timely manner?

1.7 Deploy Port Level Access Control
Description: Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
Sensor: Network Level Authentication (NLA)
Measure: What percentage of the organization's network switches are not configured to require network-based port level access control for all client connections?

1.8 Utilize Client Certificates to Authenticate Hardware Assets
Description: Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
Sensor: Public Key Infrastructure (PKI)
Measure: What percentage of the organization's network switches are not configured to require network-based port level access control utilizing client certificates to authenticate all client connections?

2.1 Maintain Inventory of Authorized Software
Description: Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
Sensor: Software Application Inventory
Measure: What percentage of the organization's software is not presently included in the organization's software inventory?

2.2 Ensure Software is Supported by Vendor
Description: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
Sensor: Software Application Inventory
Measure: What percentage of the organization's software applications or operating systems are not currently supported by the software's vendor?

2.3 Utilize Software Inventory Tools
Description: Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
Sensor: Software Application Inventory
Measure: What percentage of the organization's hardware assets have not recently been scanned by a software inventory tool to document the software installed on the system?

2.4 Track Software Inventory Information
Description: The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
Sensor: Software Application Inventory
Measure: What percentage of software assets are not documented in a software inventory system that tracks the name, version, publisher, and install date for all software, including operating systems authorized by the organization?

2.5 Integrate Software and Hardware Asset Inventories
Description: The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
Sensor: Software Application Inventory
Measure: Is the organization's software inventory system tied into the hardware asset inventory system?

2.6 Address Unapproved Software
Description: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Sensor: Software Application Inventory
Measure: What percentage of the organization's unauthorized software is either removed or has the inventory updated in a timely manner?

2.7 Utilize Application Whitelisting
Description: Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
Sensor: Software Whitelisting System
Measure: What percentage of the organization's hardware assets are not utilizing application whitelisting technology to block unauthorized applications from executing on the system?

2.8 Implement Application Whitelisting of Libraries
Description: The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
Sensor: Software Whitelisting System
Measure: What percentage of the organization's hardware assets are not utilizing application whitelisting technology to block unauthorized applications at the library level from executing on the system?

2.9 Implement Application Whitelisting of Scripts
Description: The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Sensor: Software Whitelisting System
Measure: What percentage of the organization's hardware assets are not utilizing application whitelisting technology to block unauthorized scripts from executing on the system?

2.10 Physically or Logically Segregate High Risk Applications
Description: Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Sensor: Network Firewall / Access Control System
Measure: What percentage of high risk business applications have not been physically or logically segregated from other business systems?

3.1 Run Automated Vulnerability Scanning Tools
Description: Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Sensor: SCAP Based Vulnerability Management System
Measure: What percentage of the organization's hardware assets have not recently been scanned by an SCAP compliant configuration monitoring system to identify all potential vulnerabilities on the organization's systems?

3.2 Perform Authenticated Vulnerability Scanning
Description: Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
Sensor: SCAP Based Vulnerability Management System
Measure: What percentage of the organization's hardware assets have not recently been scanned by an SCAP compliant configuration monitoring system to identify all potential vulnerabilities on the organization's systems utilizing an authenticated connection to the system?

3.3 Protect Dedicated Assessment Accounts
Description: Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
Sensor: SCAP Based Vulnerability Management System
Measure: What percentage of the organization's hardware assets have not recently been scanned by an SCAP compliant configuration monitoring system to identify all potential vulnerabilities on the organization's systems utilizing a dedicated service account and host-based restrictions?

3.4 Deploy Automated Operating System Patch Management Tools
Description: Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Sensor: Patch Management System
Measure: What percentage of the organization's hardware assets are not regularly updated by automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor?

3.5 Deploy Automated Software Patch Management Tools
Description: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Sensor: Patch Management System
Measure: What percentage of the organization's hardware assets are not regularly updated by automated software update tools in order to ensure that third-party software is running the most recent security updates provided by the software vendor?

3.6 Compare Back-to-back Vulnerability Scans
Description: Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Sensor: SCAP Based Vulnerability Management System
Measure: What percentage of the organization's identified vulnerabilities have not been remediated in a timely manner?

3.7 Utilize a Risk-rating Process
Description: Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Sensor: SCAP Based Vulnerability Management System
Measure: Has the organization utilized a risk-rating process to prioritize the remediation of discovered vulnerabilities?

4.1 Maintain Inventory of Administrative Accounts
Description: Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
Sensor: Privileged Account Management System
Measure: What percentage of the organization's hardware assets have not recently utilized automated tools to inventory all administrative accounts to ensure that only authorized individuals have elevated privileges?

4.2 Change Default Passwords
Description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Sensor: Privileged Account Management System
Measure: What percentage of the organization's systems utilize default passwords for accounts with elevated capabilities?

4.3 Ensure the Use of Dedicated Administrative Accounts
Description: Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
Sensor: Privileged Account Management System
Measure: What percentage of the organization's user accounts with elevated rights do not utilize a dedicated or secondary account for elevated activities?

4.4 Use Unique Passwords
Description: Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
Sensor: Privileged Account Management System
Measure: What percentage of the organization's systems where multi-factor authentication is not supported (such as local administrator, root, or service accounts) use account passwords that are unique to that system?

4.5 Use Multifactor Authentication For All Administrative Access
Description: Use multi-factor authentication and encrypted channels for all administrative account access.
Sensor: Multi-Factor Authentication System
Measure: What percentage of the organization's hardware assets are not configured to utilize multi-factor authentication and encrypted channels for all elevated account access?

4.6 Use of Dedicated Machines For All Administrative Tasks
Description: Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.
Sensor: Dedicated Administration Systems
Measure: What percentage of the organization's system administrators are not required to use a dedicated machine for all administrative tasks or tasks requiring elevated access?

4.7 Limit Access to Script Tools
Description: Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.
Sensor: Software Whitelisting System
Measure: What percentage of the organization's systems limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities?

4.8 Log and Alert on Changes to Administrative Group Membership
Description: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's hardware assets are not configured to issue a log entry and alert when an account is added to or removed from any group assigned elevated privileges?

4.9 Log and Alert on Unsuccessful Administrative Account Login
Description: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's hardware assets are not configured to issue a log entry and alert on unsuccessful logins to an administrative account?

5.1 Establish Secure Configurations
Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.
Sensor: System Configuration Baselines & Images
Measure: What percentage of the organization's authorized operating systems and software does not have a documented, standard security configuration?

5.2 Maintain Secure Images
Description: Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
Sensor: System Configuration Baselines & Images
Measure: What percentage of the organization's hardware assets are not based upon secure images or templates based on the organization's approved configuration standards?

5.3 Securely Store Master Images
Description: Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
Sensor: System Configuration Baselines & Images
Measure: What percentage of the organization's master images are not stored on securely configured servers, validated with integrity checking tools, to ensure that only authorized changes to the images are possible?

5.4 Deploy System Configuration Management Tools
Description: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
Sensor: System Configuration Enforcement System
Measure: What percentage of the organization's hardware assets are not automatically configured via system configuration management tools that automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals?

5.5 Implement Automated Configuration Monitoring Systems
Description: Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Sensor: SCAP Based Vulnerability Management System
Measure: What percentage of the organization's hardware assets have not recently been scanned by an SCAP compliant configuration monitoring system to verify all security configuration elements, and alert when unauthorized changes occur?

6.1 Utilize Three Synchronized Time Sources
Description: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
Sensor: Network Time Protocol (NTP) Systems
Measure: What percentage of the organization's hardware assets do not utilize at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent?

6.2 Activate Audit Logging
Description: Ensure that local logging has been enabled on all systems and networking devices.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's hardware assets are not configured to require local logging on the asset?

6.3 Enable Detailed Logging
Description: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's hardware assets are not configured to require local logging to include detailed information such as an event source, date, timestamp, source addresses, destination addresses, and other useful elements on the asset?

6.4 Ensure Adequate Storage for Logs
Description: Ensure that all systems that store logs have adequate storage space for the logs generated.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's hardware assets do not have adequate storage space for the logs generated?

6.5 Central Log Management
Description: Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's hardware assets are not configured to aggregate appropriate logs to a central log management system for analysis and review?

6.6 Deploy SIEM or Log Analytic Tool
Description: Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's hardware assets are not configured to aggregate appropriate logs to a Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis?

6.7 Regularly Review Logs
Description: On a regular basis, review logs to identify anomalies or abnormal events.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's hardware assets have not had their logs reviewed recently to identify anomalies or abnormal events?

6.8 Regularly Tune SIEM
Description: On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's SIEM systems have not recently been tuned to better identify actionable events and decrease event noise?

7.1 Ensure Use of Only Fully Supported Browsers and Email Clients
Description: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
Sensor: Software Whitelisting System
Measure: What percentage of the organization's hardware assets are running unsupported web browsers and email client software?

7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins
Description: Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Sensor: Software Whitelisting System
Measure: What percentage of the organization's hardware assets are utilizing unauthorized browser or email client plugins or add-on applications?

7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients
Description: Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Sensor: System Configuration Enforcement System
Measure: What percentage of the organization's hardware assets are utilizing unauthorized scripting languages that run in all web browsers and email clients?

7.4 Maintain and Enforce Network-Based URL Filters
Description: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
Sensor: Network URL Filtering System
Measure: What percentage of the organization's hardware assets (whether physically at an organization's facilities or not) are not required to utilize network-based URL filters?

7.5 Subscribe to URL-Categorization Service
Description: Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
Sensor: Network URL Filtering System
Measure: Has the organization subscribed to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available?

7.6 Log All URL Requests
Description: Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's hardware assets (whether physically at an organization's facilities or not) are not required to log all URL requests made from the organization's system?

7.7 Use of DNS Filtering Services
Description: Use DNS filtering services to help block access to known malicious domains.
Sensor: DNS Domain Filtering System
Measure: What percentage of the organization's DNS servers are using DNS filtering to help block access to known malicious domains?

7.8 Implement DMARC and Enable Receiver-Side Verification
Description: To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Sensor: Anti-Spam Gateway
Measure: Has the organization implemented Domain-based Message Authentication, Reporting and Conformance (DMARC), starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards?

7.9 Block Unnecessary File Types
Description: Block all e-mail attachments entering the organization's e-mail gateway if the file types are unnecessary for the organization's business.
Sensor: Anti-Spam Gateway
Measure: Has the organization blocked all e-mail attachments entering the organization's e-mail gateway if the file types are unnecessary for the organization's business?

7.10 Sandbox All Email Attachments
Description: Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Sensor: Anti-Spam Gateway
Measure: Does the organization utilize sandboxing to analyze and block inbound email attachments with malicious behavior?

8.1 Utilize Centrally Managed Anti-malware Software
Description: Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
Sensor: Endpoint Protection System
Measure: What percentage of the organization's hardware assets do not utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers?

8.2 Ensure Anti-Malware Software and Signatures are Updated
Description: Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
Sensor: Endpoint Protection System
Measure: What percentage of the organization's hardware assets do not utilize recently updated, centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers?

8.3 Enable Operating System Anti-Exploitation Features / Deploy Anti-Exploit Technologies
Description: Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
Sensor: System Configuration Enforcement System
Measure: What percentage of the organization's hardware assets are not configured to require anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables?

8.4 Configure Anti-Malware Scanning of Removable Devices
Description: Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
Sensor: Endpoint Protection System
Measure: What percentage of the organization's hardware assets are not configured so that they automatically conduct an anti-malware scan of removable media when inserted or connected?

8.5 Configure Devices Not To Auto-run Content
Description: Configure devices to not auto-run content from removable media.
Sensor: System Configuration Enforcement System
Measure: What percentage of the organization's hardware assets are not configured to not auto-run content from removable media?

8.6 Centralize Anti-malware Logging
Description: Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
Sensor: Endpoint Protection System
Measure: What percentage of the organization's hardware assets do not utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers?

8.7 Enable DNS Query Logging
Description: Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
Sensor: DNS Domain Filtering System
Measure: What percentage of the organization's Domain Name System (DNS) servers are not configured to require query logging to detect hostname lookups for known malicious domains?

8.8 Enable Command-line Audit Logging
Description: Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Sensor: Log Management System / SIEM
Measure: What percentage of the organization's hardware assets have not enabled command-line audit logging for command shells, such as Python or Windows PowerShell with enhanced logging enabled?

9.1 Associate Active Ports, Services and Protocols to Asset Inventory
Description: Associate active ports, services and protocols to the hardware assets in the asset inventory.
Sensor: SCAP Based Vulnerability Management System
Measure: What percentage of the organization's hardware assets do not associate active ports, services and protocols to the hardware assets in the asset inventory?

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Description: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
Sensor: SCAP Based Vulnerability Management System
Measure: What percentage of the organization's hardware assets are not configured to require that only network ports, protocols, and services listening on a system with validated business needs are running on each system?

9.3 Perform Regular Automated Port Scans
Description: Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
Sensor: SCAP Based Vulnerability Management System
Measure: What percentage of the organization's hardware assets are not regularly scanned by a port scanner to alert if unauthorized ports are detected on a system?

9.4 Apply Host-based Firewalls or Port Filtering
Description: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
Sensor: Host Based Firewall
Measure: What percentage of the organization's hardware assets are not utilizing host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed?

9.5 Implement Application Firewalls
Description: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Sensor: Application Aware Firewall
Measure: What percentage of the organization's critical servers are not required to utilize application layer firewalls to verify and validate the traffic going to the server?

10.1 Ensure Regular Automated Back Ups
Description: Ensure that all system data is automatically backed up on a regular basis.
Sensor: Backup / Recovery System
Measure: What percentage of the organization's hardware assets are not configured to back up system data automatically on a regular basis?

10.2 Perform Complete System Backups
Description: Ensure that each of the organization's key systems is backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
Sensor: Backup / Recovery System
Measure: What percentage of the organization's hardware assets are not configured to back up the complete asset automatically on a regular basis?

10.3 Test Data on Backup Media
Description: Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
Sensor: Backup / Recovery System
Measure: What percentage of the organization's hardware asset backups have not been tested recently to ensure that the backup is working properly?

10.4 Ensure Protection of Backups
Description: Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
Sensor: Backup / Recovery System
Measure: What percentage of the organization's hardware asset backups are not properly protected via physical security or encryption when they are stored, as well as when they are moved across the network (this includes remote backups and cloud services as well)?

10.5 Ensure Backups Have At Least One Non-Continuously Addressable Destination
Description: Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls.
Sensor: Backup / Recovery System
Measure: What percentage of the organization's hardware assets do not have at least one backup destination that is not continuously addressable through operating system calls?

11.1 Maintain Standard Security Configurations for Network Devices
Description: Maintain standard, documented security configuration standards for all authorized network devices.
Sensor: Network Device Management System
Measure: What percentage of the organization's network devices do not utilize a standard, documented security configuration standard for the device?

11.2 Document Traffic Configuration Rules
Description: All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Sensor: Network Device Management System
Measure: What percentage of the organization's network devices do not have all configuration rules that allow traffic to flow through network devices documented in a configuration management system with a specific business reason for each rule, a specific individual's name

11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
Description: Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviations are discovered.
Sensor: Network Device Management System
responsible for that business need, and an
expected duration of the need?
What percentage of the organization's network devices are not regularly compared against approved security configurations defined for
each network device in use and alert when any deviations are
discovered?
Sigma Level thresholds for the measures above. Every percentage measure is scored against the same six thresholds; Yes/No measures are scored No / Yes.

Sigma Level One: 69% or Less
Sigma Level Two: 31% or Less
Sigma Level Three: 6.7% or Less
Sigma Level Four: 0.62% or Less
Sigma Level Five: 0.023% or Less
Sigma Level Six: 0.00034% or Less
Yes/No measures: No / Yes
Sigma Level Four

Manage Network Devices Using Multi-Factor


11.5 Authentication and Encrypted Sessions

12.10 Decrypt Network Traffic at Proxy

Manage All Devices Remotely Logging into


12.12
Internal Network

Remove sensitive data or systems not regularly accessed by the organizati


13.2 Remove Sensitive Data or Systems Not Regularly
Accessed by Organization
14.1 Segment the Network Based on Sensitivity

Disable Workstation to Workstation


14.3 Communication

Enforce Access Control to Data through


14.7 Automated Tools

11.4
Install the Latest Stable Version of Any Security-
related Updates on All Network Devices
11.6
Use Dedicated Machines For All Network Administrative Ensure network engineers use a dedicated machine for all administrativ
Tasks be segmented from the organization's primary network and not be allow
Manage Network Infrastructure Through a e-mail, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are

11.7 Dedicated Network that network, relying on separate VLANs or, preferably, on entirely
management sessions for network devices.
12.1 Maintain an Inventory of Network Boundaries Maintain an up-to-d

12.2
Scan for Unauthorized Connections across Trusted Network Perform regular scans from outside each trusted network boundary to detec
Boundaries the boundary.
Deny Communications with Known Malicious IP Deny communications with known malicious or unused Internet IP addresse

12.3 Addresses trusted and necessary IP address ranges at each of the organiz
Deny communication over unauthorized TCP or UDP ports or ap

12.4 Deny Communication over Unauthorized Ports authorized protocols are allowed to cross the network boundary in or ou
organization's network boundaries.

12.5
Configure Monitoring Systems to Record Network Configure monitoring systems to record network packets passing through the boundary at
Packets organization's network boundaries.
12.6 Deploy Network-based IDS Sensor Deploy network-based Intrusion Detection Systems (IDS) sensors to look
Deploy Network-Based Intrusion Prevention these systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malici

12.7 Systems organization's network boundaries.

12.8
Deploy NetFlow Collection on Networking Enable the collection of NetFlow and logging data on all network bound
Boundary Devices logging data on the devices?

12.9 Deploy Application Layer Filtering Proxy Server


Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy
that is configured to filter unauthorized connections.
12.11
Require All Remote Login to Use Multi-factor Require all remote login access to the organization's network to encrypt d
Authentication authentication.

13.1 Maintain an Inventory Sensitive Information


Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's
technology systems, including those located onsite or at a remote service provider.
13.3 Monitor and Block Unauthorized Network Traffic
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive
information and blocks such transfers while alerting information security professionals.
13.4
Only Allow Access to Authorized Cloud Storage Only allow access to authorized cloud storage or email providers.
or Email Providers
13.5
Monitor and Detect Any Unauthorized Use of Monitor all traffic le
Encryption
13.6 Encrypt th

13.7 Manage USB Devices


If USB storage devices are required, enterprise software should be used that can configure systems to allow
the use of specific devices. An inventory of

13.8
Manage System's External Removable Media's Configure systems not to write data to external removable media, if there is no business need
Read/write Configurations such devices.
13.9 Encrypt Data on USB Storage Devices If USB storage devices are required, all data stored on such devices must be encrypted w

14.2 Enable Firewall Filtering Between VLANs


Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate
with other systems necessary to fulfill their specific responsibilities.
14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitiv

Utilize an Active Discovery Tool to Identify Sensitive Data Utilize an active discovery tool to identify all sensitive information stored
systems, including those located onsite or at a remote service provider
14.5 Protect all information stored on systems with file system, network share

14.6 Protect Information through Access Control Lists

Encrypt all sensitive information at rest


mechanism not
14.8 Encrypt Sensitive Information at Rest integrated into the operating system, in order to access the information

14.9
Enforce Detail Logging for Access or Changes to
Sensitive Data
15.1
Maintain an Inventory of Authorized Wireless Maintain an inventory of authorized wireless access points connected to t
Access Points wireless access point inventory?

15.2
Detect Wireless Access Points Connected to the
Wired Network connected to the wired network.
15.3 Use a Wireless Intrusion Detection System
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthoriz
points connected to the network.

Sub--Control Title
ing Multi-Factor What pe
d Sessions Manage all network devices using multi-factor authentication and encrypted Multi-Factor Authentication System
sessions. encrypted sessions?

Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the
organization may use whitelists of allowed sites that can be accessed through the proxy without Network Firewall / Access Control W
decrypting the traffic. encrypted System netw

Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to
System Configuration Enforcement
ensure that each of the organization's security policies has been enforced in the same manner as local System
network devices.

Remove sensitive data or systems not regularly accessed by the organization from the network. These
ms Not Regularly systems shall only be used as stand alone systems (disconnected from the network) by the business Data Inventory / Classification System
unit needing to occasionally use the system or completely virtualized and powered off until needed.
Segment the network based on the label or classification level of the information stored on the Network Firewall / Access Control W
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs). Area System Networks

Disable all workstation to workstation communication to limit an attacker's ability to move laterally and Network Firewall / Access Control W
compromise neighboring systems, through technologies such as Private VLANs or or System Area Network
microsegmentation.

Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even Host Based Data Loss Prevention (DLP) W
Data
when data is copied off a System
system.

Install the latest stable version of any security-related updates on all network devices. Network Device Management System What percen

security-related updates?
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall Dedicated Administration Sy
be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading the organization
e-mail, composing documents, or surfing the Internet. What percentag
Manage the network infrastructure across network connections that are separated from the business use of

that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for Dedicated A
management sessions for network devices.
12.1 Maintain an Inventory of Network Boundaries Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across System Configu
the boundary. Network Firewal
Deny communications with known malicious or unused Internet IP addresses and limit access only to

trusted and necessary IP address ranges at each of the organization's network boundaries,. Sy
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only Network Firewa

authorized protocols are allowed to cross the network boundary in or out of the network at each of the
organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the Network Packet Capture S
organization's network boundaries. Network Based In
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of
these systems at each of the organization's network boundaries. Network Based
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the

organization's network boundaries. Sy

Enable the collection of NetFlow and logging data on all network boundary devices. Network Device Management System What p

logging data on the devices?


k traffic to or from the Internet passes through an authenticated application layer proxy Network Fire

Require all remote login access to the organization's network to encrypt data in transit and use multi-factor Multi-Factor Authentication Sy
authentication. factor authenticat
of all sensitive information stored, processed, or transmitted by the organization's Data Inventory / Classificati
remote service provider. the organization
tool on network perimeters that monitors for unauthorized transfer of sensitive Network Based D
mation security professionals. (DLP
Only allow access to authorized cloud storage or email providers. Network Firewall / Access Control
System

Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

13.6 Encrypt the Hard Drive of All Mobile Devices. Utilize approved whole disk encryption softw

e required, enterprise software should be used that can configure systems to allow Endpoint Protection System
What percentage of the organization's hardware assets are not
the use of specific devices. An inventory of such devices should be maintained.
figure systems not to write data to external removable media, if there is no business need for supporting What percentage of the organization's ha
Endpoint Protection System
such devices. devices, if the
f USB storage devices are required, all data stored on such devices must be encrypted while at rest. Endpoint Protection System What percentage of the organization's

g between VLANs to ensure that only authorized systems are able to communicate Network Firew
sibilities.
14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology
systems, including those located onsite or at a remote service provider and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application, or database Data Inventory / Cla

specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the System Configu
information based on their need to access the information as a part of their
responsibilities.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication Host Based Data Loss Prevention (D
mechanism not
integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such Log Management System /
as File Integrity Monitoring or Security Information and Event Monitoring). data is accesed?
Maintain an inventory of authorized wireless access points connected to the wired network. Network Device Management System What perce
wireless access point inventory?
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points SCAP Based Vulne
connected to the wired network. Sy
tem
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access Wireless Intrusi
points connected to the network. (W

Description Sensor
What percentage of the organization's network devices are not managed using multi-factor authentication and 69% or
Authentication System Less
sessions?

irewall / Access Control What percentage of the organization's network boundaries are not configured to decrypt all 69% or
System network traffic prior to analyzing the content? Less

What percentage of the organization's devices remotely logging into the organization's network are not
nfiguration Enforcement scanned prior to accessing the network to ensure that each of the organization's security policies has 69% or
been enforced in the same manner as local network devices? Less
System

Does the organization regularly remove sensitive data sets or systems not regularly accessed by
ry / Classification System the organization from the network?
irewall / Access Control What percentage of the organization's network devices are not located on dedicated Virtual Local 69% or
em Networks (VLANs)? Less

irewall / Access Control What percentage of the organization's workstation devices are not located on dedicated Private Virtual Local 69%
Area Networks (PVLANs)? Less

Data Loss Prevention (DLP) What percentage of the organizations systems do not use an automated tool, such as host-based 69% or
Loss Prevention, to enforce access controls to data even when data is copied off a Less
system?

Management System What percentage of the organization's network devices are not utilizing the latest stable version of any

What percentage of the organization's network engineers are not utilizing a dedicated machine for all administrative tasks or tasks requir
Dedicated Administration Systems
the organization's network devices?
What percentage of the organization's network engineers are not utilizing a dedicated machine, located on a

Dedicated Administration Systems dedicated management network, for all administrative tasks or tasks requiring elevated access to the
organization's network devices?
daries. Network Firewall / Access Control
Does the organization maintain an up-to-date inventory of all of the organization's network boundaries?
System
System Configuration Enforcement System What percentage of the organization's hardware assets have not recently been scanned to identify unauthorize
Network Firewall / Access Control boundaries?
Are each of the organization's network boundaries configured to deny communications with known

System malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address
Network Firewall / Access Control Are each of the organization's network boundaries configured to deny communication over unauthorized

System TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the
network boundary in or out of the network?

Network Packet Capture System


What percentage of the organization's network boundaries are not configured to to record network packets
Network Based Intruston Detection System passing through the boundary?
(NIDS) What percentage of the organization's network boundaries are not configured to require network-based Intrusi
Network Based Intrusion Prevention (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems the boundary?
What percentage of the organization's organization's network boundaries are not configured to require

System (IPS) network-based Intrusion Prevention Systems (IPS) sensors to look for unusual attack mechanisms and
detect compromise of these systems the boundary?
e Management System What percentage of the organization's network boundary devices are not required to use NetFlow and

Network Firewall / Access Control What percentage of the organization's network boundaries are not configured to pass through an
System authenticated application layer proxy that is configured to filter unauthorized connections?

Multi-Factor Authentication System


What percentage of the organization's hardware devices are not required to utilize encryption and multi-
factor authentication when remotely accessing the organization's network systems?
Data Inventory / Classification System
Does the organization maintain an inventory of all sensitive information stored, processed, or transmitted by
the organization's technology systems, including those located onsite or at a remote service provider?
Network Based Data Loss Prevention Has the organization deployed an automated tool on network perimeters that monitors for sensitive
(DLP) System information and blocks such transfers while alerting information security professionals?
ss Control
System Does the organization only allow access to authorized cloud storage or email providers?

se of encryption. What percentage of the organization's network boundaries are not configured to monitor all traffic leaving
Network Based Data Loss Prevention

(DLP) System the organization and detect any unauthorized use of encryption?
ed whole disk encryption software to encrypt the hard drive of all mobile devices. Whole Disk Encryption System What percentage of the organization's mobile devices do not

tion's hardware assets are not configured to only allow the use of specific
USB devices?
entage of the organization's hardware assets are not configured not to write data to USB storage
devices, if there is no business need for supporting such devices?
What percentage of the organization's hardware assets are not configured to encrypt all data stored on USB

devices?
Network Firewall / Access Control What percentage of the organization's network devices are not located on dedicated Virtual Local Area
System Networks (VLANs) separated by firewall filters?
System Configuration Enforcement
What percentage of the organization's sensitive information is not encrypted
System
What percentage of the organization's assets have not been scanned by an active discovery tool to identify all se
stored, processed, or transmitted by the organization's technology systems?
Data Inventory / Classification System

System Configuration Enforcement System What percentage of the organization's hardware assets have not been configured with appropriate file system,
claims, application, or database specific access control lists?

Host Based Data Loss Prevention (DLP)


What percentage of the organization's sensitive information is not encrypted at rest and requires a
System secondary authentication mechanism not integrated into the operating system, in order to access the
information?
What percentage of the organization's sensitive information does not require detailed audit logging when the
Log Management System / SIEM
data is accesed?
Management System What percentage of the organization's wireless access points have not been authorized in the organization's

SCAP Based Vulnerability Management What percentage of the organization's hardware assets have not recently been scanned to detect and alert
System on unauthorized wireless access points connected to the wired network?
Wireless Intrusion Detection System What percentage of the organization's facilities do not have a wireless intrusion detection system (WIDS) to
(WIDS) detect and alert on unauthorized wireless access points connected to the network?

Sigma Sigma Sigma Level


Measure
Level One Level Two Three
0.62% or
Less
0.62% or
69% or 31% or
Less 6.7% or Less Less
Less

0.62% or

Less

0.62% or
Less
Yes

0.62% or
Less

Yes

Yes

0.62% or
Less
0.62% or
Less
0.62% or
Less
0.62% or
Less
0.62% or
Less
0.62% or
69% or 31% or
Less 6.7% or Less Less
Less
0.62% or
Less

69% or 31% or 0.62% or


Less 6.7% or Less
Less Less

Yes

Yes
No

Yes

Yes

0.62% or
Less
0.62% or
Less
0.62% or
Less
0.62% or
Less
0.62% or
Less
69% or 31% or 0.62% or
Less 6.7% or Less Less
Less
0.62% or
Less
Virtual Local 69% 31% or 0.62% or
Less 6.7% or Less Less
Less
0.62% or
Less
0.62% or
Less

0.62% or

Less

0.62% or
69% or 31% or
Less 6.7% or Less Less
Less
0.62% or
Less
0.62% or
Less
0.62% or
Less
0.62% or
Less
0.62% or
Less
69% or 31% or 6.7% or Less
Less Less
machine for all administrative tasks or tasks requiring elevated access to 69% or 31% or 6.7% or Less
Less Less
69% or 31% or

or tasks requiring elevated access to the Less Less


6.7% or Less

of the organization's network boundaries? No

e not recently been scanned to identify unauthorized network 69% or 31% or 6.7% or Less
Less Less
d to deny communications with known

only to trusted and necessary IP address No ranges?


d to deny communication over unauthorized

y authorized protocols are allowed to cross the No

ord network packets 69% or 31% or 6.7% or Less


Less Less
re not configured to require network-based Intrusion Detection Systems 69% or 6.7% or Less Less
31% or

[Residue of the preceding table rows (Controls 12 through 15): only fragments of the Measure column and its sigma thresholds survive on this page. Recoverable measure fragments:]
  ... boundaries are not configured to require ...
  ... to look for unusual attack mechanisms and ...
  ... not configured to pass through an ... unauthorized connections?
  ... not configured to monitor all traffic leaving ...?
  What percentage of the organization's mobile devices do not utilize approved whole disk encryption software?
  ... not located on dedicated Virtual Local Area ...
  ... organization's sensitive information is not encrypted in transit?
  ... scanned by an active discovery tool to identify all sensitive information ...
  ... not been configured with appropriate file system, network share, ...
  ... requires a ... the operating system, in order to access the ...
  ... audit logging when the ...
  ... recently been scanned to detect and alert ... wired network?
  ... wireless intrusion detection system (WIDS) to ... connected to the network?

Sigma scale for percentage measures (the share of assets or accounts that fail the check), as printed across these rows: Sigma Level One 69% or Less; Sigma Level Two 31% or Less; Sigma Level Three 6.7% or Less; Sigma Level Four 0.62% or Less; Sigma Level Five 0.023% or Less; Sigma Level Six 0.00034% or Less. (The sheet prints the Level Six figure as both 0.00030% and 0.00034%; six sigma corresponds to 3.4 defects per million, i.e. 0.00034%.) Yes/No measures are scored No or Yes rather than on the percentage scale.
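The six thresholds are not arbitrary: each is the upper-tail probability of a standard normal distribution beyond (level - 1.5) standard deviations, the conventional 1.5-sigma long-term shift used in Six Sigma defect tables. The following added example (mine, not part of the CIS sheet) reproduces the thresholds from that definition and maps a measured non-compliance percentage onto the sheet's sigma level; the function names and the 7-of-1,200 sample figure are constructed for the example.

```python
import math

# Conventional long-term process shift assumed by Six Sigma defect tables.
SIGMA_SHIFT = 1.5


def defect_fraction(sigma_level, shift=SIGMA_SHIFT):
    """Fraction of a normally distributed process beyond (sigma_level - shift)
    standard deviations: P(Z > sigma_level - shift) for a standard normal Z."""
    z = sigma_level - shift
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def threshold_pct(sigma_level):
    """The 'X% or Less' figure the sheet prints for a given sigma level."""
    return 100.0 * defect_fraction(sigma_level)


def measure_pct(failing, total):
    """A sheet measure: percentage of assets (or accounts) that fail the check."""
    if total <= 0:
        raise ValueError("total must be positive")
    if not 0 <= failing <= total:
        raise ValueError("failing must lie between 0 and total")
    return 100.0 * failing / total


def sigma_level_for(measured_pct):
    """Highest sigma level (1-6) whose threshold the measured percentage meets;
    0 when the measure is worse than the Level One threshold."""
    level = 0
    for k in range(1, 7):
        if measured_pct <= threshold_pct(k):
            level = k
    return level


def sigma_table():
    """(level, threshold percentage) pairs for Sigma Levels One through Six."""
    return [(k, threshold_pct(k)) for k in range(1, 7)]


if __name__ == "__main__":
    for level, pct in sigma_table():
        print(f"Sigma Level {level}: {pct:.5g}% or less")
    # Constructed figure: 7 of 1,200 wireless-capable laptops still allow ad-hoc networks (15.6).
    pct = measure_pct(7, 1200)
    print(f"15.6 measure: {pct:.3f}% -> Sigma Level {sigma_level_for(pct)}")
```

Running it prints 69.146, 30.854, 6.6807, 0.62097, 0.023263 and 0.00033977 percent for Levels One through Six, which is the sheet's scale after rounding, and confirms that the Level Six figure is 0.00034%, not 0.00030%.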
Sub-Controls 15.4 through 19.1. Each entry gives the sub-control title, description, sensor, measure and the scale on which the measure is scored. Percentage measures use the sigma scale (Sigma Level One 69% or Less; Level Two 31% or Less; Level Three 6.7% or Less; Level Four 0.62% or Less; Level Five 0.023% or Less; Level Six 0.00034% or Less). Yes/No measures are scored No or Yes.

15.4 Disable Wireless Access on Devices if Not Required
  Description: Disable wireless access on devices that do not have a business purpose for wireless access.
  Sensor: System Configuration Enforcement System
  Measure: What percentage of the organization's hardware assets is not configured to disable wireless access in devices that do not have a business purpose for wireless access?
  Scale: percentage (sigma levels)

15.5 Limit Wireless Access on Client Devices
  Description: Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
  Sensor: System Configuration Enforcement System
  Measure: What percentage of the organization's hardware assets are not configured to allow access only to authorized wireless networks and to restrict access to other wireless networks?
  Scale: percentage (sigma levels)

15.6 Disable Peer-to-peer Wireless Network Capabilities on Wireless Clients
  Description: Disable peer-to-peer (adhoc) wireless network capabilities on wireless clients.
  Sensor: System Configuration Enforcement System
  Measure: What percentage of the organization's hardware assets are not configured to disable peer-to-peer (adhoc) wireless network capabilities on wireless clients?
  Scale: percentage (sigma levels)

15.7 Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
  Description: Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
  Sensor: Network Device Management System
  Measure: What percentage of the organization's hardware assets are not configured to leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit?
  Scale: percentage (sigma levels)

15.8 Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
  Description: Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
  Sensor: Network Device Management System
  Measure: What percentage of the organization's hardware assets are not configured to use wireless authentication protocols, such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication?
  Scale: percentage (sigma levels)

15.9 Disable Wireless Peripheral Access of Devices
  Description: Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is required for a business purpose.
  Sensor: System Configuration Enforcement System
  Measure: What percentage of the organization's hardware assets are not configured to disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a business purpose?
  Scale: percentage (sigma levels)

15.10 Create Separate Wireless Network for Personal and Untrusted Devices
  Description: Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
  Sensor: Network Device Management System
  Measure: Does the organization utilize a separate wireless network for personal or untrusted devices?
  Scale: No / Yes

16.1 Maintain an Inventory of Authentication Systems
  Description: Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.
  Sensor: Identity & Access Management System
  Measure: What percentage of the organization's authentication systems are not included in the organization's inventory?
  Scale: percentage (sigma levels)

16.2 Configure Centralized Point of Authentication
  Description: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
  Sensor: Identity & Access Management System
  Measure: Has the organization configured access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems?
  Scale: No / Yes

16.3 Require Multi-factor Authentication
  Description: Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider.
  Sensor: Multi-Factor Authentication System
  Measure: What percentage of the organization's user accounts do not require multi-factor authentication?
  Scale: percentage (sigma levels)

16.4 Encrypt or Hash all Authentication Credentials
  Description: Encrypt or hash with a salt all authentication credentials when stored.
  Sensor: Identity & Access Management System
  Measure: What percentage of the organization's hardware assets' authentication files can be accessed without root or administrator privileges and are not encrypted or hashed?
  Scale: percentage (sigma levels)

16.5 Encrypt Transmittal of Username and Authentication Credentials
  Description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
  Sensor: Identity & Access Management System
  Measure: What percentage of the organization's user accounts and authentication credentials are not transmitted across networks using encrypted channels?
  Scale: percentage (sigma levels)

16.6 Maintain an Inventory of Accounts
  Description: Maintain an inventory of all accounts organized by authentication system.
  Sensor: Identity & Access Management System
  Measure: What percentage of the organization's accounts are not included in the organization's inventory?
  Scale: percentage (sigma levels)

16.7 Establish Process for Revoking Access
  Description: Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
  Sensor: Identity & Access Management System
  Measure: Has the organization established and followed an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor?
  Scale: No / Yes

16.8 Disable Any Unassociated Accounts
  Description: Disable any account that cannot be associated with a business process or business owner.
  Sensor: Identity & Access Management System
  Measure: What percentage of the organization's user accounts are not disabled if they cannot be associated with a business process or owner?
  Scale: percentage (sigma levels)

16.9 Disable Dormant Accounts
  Description: Automatically disable dormant accounts after a set period of inactivity.
  Sensor: Identity & Access Management System
  Measure: Does the organization automatically disable dormant accounts after a set period of inactivity?
  Scale: No / Yes

16.10 Ensure All Accounts Have An Expiration Date
  Description: Ensure that all accounts have an expiration date that is monitored and enforced.
  Sensor: Identity & Access Management System
  Measure: What percentage of the organization's user accounts do not have an expiration date that is monitored and enforced?
  Scale: percentage (sigma levels)

16.11 Lock Workstation Sessions After Inactivity
  Description: Automatically lock workstation sessions after a standard period of inactivity.
  Sensor: Identity & Access Management System
  Measure: Does the organization automatically lock workstation sessions after a standard period of inactivity?
  Scale: No / Yes

16.12 Monitor Attempts to Access Deactivated Accounts
  Description: Monitor attempts to access deactivated accounts through audit logging.
  Sensor: Log Management System / SIEM
  Measure: Does the organization monitor attempts to access deactivated accounts through audit logging?
  Scale: No / Yes

16.13 Alert on Account Login Behavior Deviation
  Description: Alert when users deviate from normal login behavior, such as time-of-day, workstation location and duration.
  Sensor: Log Management System / SIEM
  Measure: Does the organization alert when users deviate from normal login behavior, such as time-of-day, workstation location and duration?
  Scale: No / Yes

17.1 Perform a Skills Gap Analysis
  Description: Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
  Sensor: Training / Awareness Education Plans
  Measure: Has the organization performed a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap?
  Scale: No / Yes

17.2 Deliver Training to Fill the Skills Gap
  Description: Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
  Sensor: Training / Awareness Education Plans
  Measure: Has the organization delivered training to address the skills gap identified to positively impact workforce members' security behavior?
  Scale: No / Yes

17.3 Implement a Security Awareness Program
  Description: Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
  Sensor: Training / Awareness Education Plans
  Measure: Has the organization created a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization?
  Scale: No / Yes

17.4 Update Awareness Content Frequently
  Description: Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards and business requirements.
  Sensor: Training / Awareness Education Plans
  Measure: Has the organization ensured that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards and business requirements?
  Scale: No / Yes

17.5 Train Workforce on Secure Authentication
  Description: Train workforce members on the importance of enabling and utilizing secure authentication.
  Sensor: Training / Awareness Education Plans
  Measure: Has the organization trained workforce members on the importance of enabling and utilizing secure authentication?
  Scale: No / Yes

17.6 Train Workforce on Identifying Social Engineering Attacks
  Description: Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.
  Sensor: Training / Awareness Education Plans
  Measure: Has the organization trained the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls?
  Scale: No / Yes

17.7 Train Workforce on Sensitive Data Handling
  Description: Train workforce on how to identify and properly store, transfer, archive and destroy sensitive information.
  Sensor: Training / Awareness Education Plans
  Measure: Has the organization trained workforce on how to identify and properly store, transfer, archive and destroy sensitive information?
  Scale: No / Yes

17.8 Train Workforce on Causes of Unintentional Data Exposure
  Description: Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
  Sensor: Training / Awareness Education Plans
  Measure: Has the organization trained workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email?
  Scale: No / Yes

17.9 Train Workforce Members on Identifying and Reporting Incidents
  Description: Train employees to be able to identify the most common indicators of an incident and be able to report such an incident.
  Sensor: Training / Awareness Education Plans
  Measure: Has the organization trained employees to be able to identify the most common indicators of an incident and be able to report such an incident?
  Scale: No / Yes

18.1 Establish Secure Coding Practices
  Description: Establish secure coding practices appropriate to the programming language and development environment being used.
  Sensor: Secure Coding Standards
  Measure: Has the organization established secure coding practices appropriate to the programming language and development environment being used?
  Scale: No / Yes

18.2 Ensure Explicit Error Checking is Performed for All In-house Developed Software
  Description: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
  Sensor: Secure Coding Standards
  Measure: For in-house developed software, has the organization ensured that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats?
  Scale: No / Yes

18.3 Verify That Acquired Software is Still Supported
  Description: Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
  Sensor: Secure Coding Standards
  Measure: Has the organization verified that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations?
  Scale: No / Yes

18.4 Only Use Up-to-date And Trusted Third-Party Components
  Description: Only use up-to-date and trusted third-party components for the software developed by the organization.
  Sensor: Secure Coding Standards
  Measure: Has the organization only used up-to-date and trusted third-party components for the software developed by the organization?
  Scale: No / Yes

18.5 Use Only Standardized and Extensively Reviewed Encryption Algorithms
  Description: Use only standardized and extensively reviewed encryption algorithms.
  Sensor: Secure Coding Standards
  Measure: Has the organization used only standardized and extensively reviewed encryption algorithms?
  Scale: No / Yes

18.6 Ensure Software Development Personnel are Trained in Secure Coding
  Description: Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
  Sensor: Training / Awareness Education Plans
  Measure: Has the organization ensured that all software development personnel receive training in writing secure code for their specific development environment and responsibilities?
  Scale: No / Yes

18.7 Apply Static and Dynamic Code Analysis Tools
  Description: Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
  Sensor: Software Vulnerability Scanning Tool
  Measure: Has the organization applied static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software?
  Scale: No / Yes

18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities
  Description: Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
  Sensor: Software Vulnerability Scanning Tool
  Measure: Has the organization established a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group?
  Scale: No / Yes

18.9 Separate Production and Non-Production Systems
  Description: Maintain separate environments for production and nonproduction systems. Developers should not have unmonitored access to production environments.
  Sensor: Secure Coding Standards
  Measure: Has the organization maintained separate environments for production and nonproduction systems?
  Scale: No / Yes

18.10 Deploy Web Application Firewalls (WAFs)
  Description: Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
  Sensor: Web Application Firewall (WAF)
  Measure: Has the organization protected web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks?
  Scale: No / Yes

18.11 Use Standard Hardening Configuration Templates for Databases
  Description: For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
  Sensor: System Configuration Enforcement System
  Measure: For applications that rely on a database, has the organization used standard hardening configuration templates?
  Scale: No / Yes

19.1 Document Incident Response Procedures
  Description: Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
  Sensor: Incident Management Plans
  Measure: Has the organization ensured that there are written incident response plans that define roles of personnel as well as phases of incident handling/management?
  Scale: No / Yes
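The measures for 15.5 through 15.8 all reduce to inspecting each client's wireless profiles, so the check can be scripted. The following added example (mine, not part of the CIS sheet) lints wpa_supplicant-style profiles against those four sub-controls: an SSID allowlist (15.5), ad-hoc mode (15.6, `mode=1`), AES-CCMP as the only pairwise cipher (15.7), and EAP-TLS with a CA certificate plus client certificate and key (15.8). The profile text, the allowlist and the function names are constructed for the example; a real audit would read /etc/wpa_supplicant/wpa_supplicant.conf from each asset and use the count of profiles with findings as the numerator of the sheet's percentage measures.

```python
import re

# Constructed wpa_supplicant.conf-style profiles (not from any real host).
# The first block is the hardened corporate profile; the others carry the
# settings that the measures for 15.5-15.8 would count as failures.
SAMPLE_CONF = """
network={
    ssid="corp-secure"
    key_mgmt=WPA-EAP
    eap=TLS
    proto=RSN
    pairwise=CCMP
    identity="laptop-0042@corp.example"
    ca_cert="/etc/ssl/corp-ca.pem"
    client_cert="/etc/ssl/laptop-0042.pem"
    private_key="/etc/ssl/laptop-0042.key"
}
network={
    ssid="corp-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    pairwise=CCMP
    identity="jdoe"
    password="hunter2"
}
network={
    ssid="CoffeeShop"
    key_mgmt=NONE
}
network={
    ssid="lab-adhoc"
    mode=1
    key_mgmt=WPA-PSK
    pairwise=TKIP
    psk="changeme"
}
"""

AUTHORIZED_SSIDS = {"corp-secure"}  # assumed allowlist for 15.5

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)


def parse_networks(conf):
    """One dict of key -> value per network={...} block, quotes stripped."""
    return [{k: v for k, _, v in KV_RE.findall(body)} for body in BLOCK_RE.findall(conf)]


def check_network(net, authorized=AUTHORIZED_SSIDS):
    """Return the sub-controls (15.5-15.8) that this profile violates."""
    findings = []
    if net.get("ssid") not in authorized:
        findings.append("15.5 SSID not on the authorized list")
    if net.get("mode") == "1":  # mode=1 is IBSS / ad-hoc in wpa_supplicant
        findings.append("15.6 ad-hoc (IBSS) mode enabled")
    # wpa_supplicant's documented default when pairwise is omitted is "CCMP TKIP".
    pairwise = set(net.get("pairwise", "CCMP TKIP").split())
    if net.get("key_mgmt", "NONE") == "NONE" or pairwise != {"CCMP"}:
        findings.append("15.7 traffic not protected with AES-CCMP only")
    mutual_tls = (
        net.get("key_mgmt") == "WPA-EAP"
        and net.get("eap") == "TLS"
        and all(net.get(k) for k in ("ca_cert", "client_cert", "private_key"))
    )
    if not mutual_tls:
        findings.append("15.8 no EAP-TLS mutual certificate authentication")
    return findings


def audit(conf):
    """(ssid, findings) per profile; an empty findings list means compliant."""
    return [(net.get("ssid", "?"), check_network(net)) for net in parse_networks(conf)]


def noncompliant_count(conf):
    """Numerator for the sheet's measures: profiles with at least one finding."""
    return sum(1 for _, findings in audit(conf) if findings)


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF):
        print(ssid, "OK" if not findings else "; ".join(findings))
```

The PEAP profile is worth noting: it passes 15.7 (CCMP) yet fails 15.8, because a password-based inner method does not give the mutual certificate authentication the control asks for, even on the authorized SSID.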
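Sub-control 16.4 asks for salted hashing of stored credentials, and its measure also asks whether the credential store can be read without root or administrator privileges. The following added example (mine, not from the CIS sheet) puts the unsalted SHA-256 pattern the control rules out beside a salted, memory-hard scrypt record with constant-time verification, and adds the permission check for the file that holds such records. The record format, the work factors and the function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
import stat
from typing import Optional

# scrypt work factors, assumed for the example; tune to your hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def weak_store(password):
    """The pattern 16.4 rules out: an unsalted, fast hash. Equal passwords map
    to equal hashes, so one cracked entry exposes every account sharing it."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_credential(password, salt: Optional[bytes] = None):
    """Salted, memory-hard hash stored as a self-describing record
    scrypt$N$r$p$<salt b64>$<hash b64>, so work factors can be raised later."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_credential(password, record):
    """Recompute with the parameters in the record and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_b64, digest_b64 = parts
    try:
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        actual = hashlib.scrypt(password.encode(), salt=salt,
                                n=int(n), r=int(r), p=int(p))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def mode_is_private(mode):
    """True when group and others hold no permission bits (e.g. 0o600)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def store_is_protected(path):
    """16.4's measure: the file holding credential records must not be readable
    without root or administrator privileges."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")
    print(record)
    print(verify_credential("correct horse battery staple", record))  # True
    print(weak_store("hunter2") == weak_store("hunter2"))             # True: unsalted collision
```

Two calls to hash_credential with the same password give different records because each draws a fresh salt; the weak_store pair gives identical output, which is exactly what lets an attacker crack one entry and match it against the whole file.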
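Sub-controls 16.9, 16.12 and 16.13 are the ones a SIEM rule set implements: disable accounts that have not logged in for a set period, log and alert on any attempt against a deactivated account, and alert when a login falls outside a user's usual hours or workstations. The following added example (mine, not from the CIS sheet) runs that logic over a constructed set of normalised authentication events; the event format, the deactivated-account list, the 90-day dormancy window and the one-hour tolerance are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed, normalised authentication events (not from any real system).
# Field order: timestamp | user | workstation | outcome
HISTORY = """\
2024-03-04T08:55:00Z|alice|WS-FIN-01|success
2024-03-05T09:10:00Z|alice|WS-FIN-01|success
2024-03-06T08:40:00Z|alice|WS-FIN-02|success
2024-03-04T10:02:00Z|bob|WS-ENG-07|success
2024-03-07T11:30:00Z|bob|WS-ENG-07|success
2023-11-20T14:00:00Z|carol|WS-HR-03|success
"""
TODAY = """\
2024-04-01T03:12:00Z|alice|WS-FIN-01|success
2024-04-01T09:05:00Z|alice|WS-FIN-01|success
2024-04-01T10:20:00Z|bob|WS-GUEST-99|success
2024-04-01T10:21:00Z|dave|WS-ENG-07|failure
2024-04-01T10:22:00Z|dave|WS-ENG-07|failure
"""

DEACTIVATED = {"dave"}                         # assumed: disabled on termination (16.7)
KNOWN_USERS = {"alice", "bob", "carol", "erin"}  # assumed account inventory (16.6)
DORMANT_AFTER = timedelta(days=90)             # assumed inactivity window (16.9)
NOW = datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)


def parse_events(text):
    """(timestamp, user, workstation, outcome) tuples from the pipe-delimited lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, outcome = line.split("|")
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, host, outcome))
    return events


def build_baseline(events):
    """Per user: hours of day and workstations seen on successful logins."""
    hours, hosts = defaultdict(set), defaultdict(set)
    for ts, user, host, outcome in events:
        if outcome == "success":
            hours[user].add(ts.hour)
            hosts[user].add(host)
    return hours, hosts


def hour_distance(a, b):
    """Distance on the 24-hour clock, so 23:00 and 01:00 are two hours apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def dormant_accounts(events, known_users=KNOWN_USERS, now=NOW, window=DORMANT_AFTER):
    """16.9: accounts with no successful login inside the window (or ever)."""
    last = {}
    for ts, user, _, outcome in events:
        if outcome == "success":
            last[user] = max(last.get(user, ts), ts)
    return sorted(u for u in known_users if u not in last or now - last[u] > window)


def detect(new_events, baseline, deactivated=DEACTIVATED, tolerance_hours=1):
    """16.12 and 16.13 over the new events; returns (sub-control, user, detail)."""
    hours, hosts = baseline
    alerts = []
    for ts, user, host, outcome in new_events:
        if user in deactivated:
            alerts.append(("16.12", user, f"{outcome} attempt on deactivated account from {host}"))
            continue
        if outcome != "success" or user not in hours:
            continue  # no baseline yet; first-seen users are a separate policy question
        if min(hour_distance(ts.hour, h) for h in hours[user]) > tolerance_hours:
            alerts.append(("16.13", user,
                           f"login at {ts.hour:02d}:00 UTC outside usual hours {sorted(hours[user])}"))
        if host not in hosts[user]:
            alerts.append(("16.13", user, f"login from unfamiliar workstation {host}"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_events(HISTORY))
    for alert in detect(parse_events(TODAY), baseline):
        print(alert)
    print("dormant:", dormant_accounts(parse_events(HISTORY) + parse_events(TODAY)))
```

On the constructed data this raises four alerts (alice's 03:12 login, bob's login from an unfamiliar workstation, and both attempts against dave's deactivated account) and lists carol and erin as dormant; erin has never logged in, which is why the dormancy check runs over the account inventory rather than only over users seen in the logs.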
Sigma Level One / Level Two / Level Three / Level Four / Level Five / Level Six
(For the rows below only scattered "No"/"Yes" values from these six sigma-level columns survive; the per-level value for each sub-control is not recoverable from this page.)

19.2 Assign Job Titles and Duties for Incident Response
Description: Assign job titles and duties for handling computer and network incidents to specific individuals and ensure tracking and documentation throughout the incident through resolution.
Measure: Has the organization assigned job titles and duties for handling computer and network incidents to specific individuals and ensured tracking and documentation throughout the incident through resolution?
Measurement type: Incident Management Plans

19.3 Designate Management Personnel to Support Incident Handling
Description: Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Measure: Has the organization designated management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles?
Measurement type: Incident Management Plans

19.4 Devise Organization-wide Standards for Reporting Incidents
Description: Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Measure: Has the organization devised organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification?
Measurement type: Incident Management Plans

19.5 Maintain Contact Information for Reporting Security Incidents
Description: Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners.
Measure: Has the organization assembled and maintained information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners?
Measurement type: Incident Management Plans

19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents
Description: Publish information for all workforce members regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
Measure: Has the organization published information for all workforce members regarding reporting computer anomalies and incidents to the incident handling team? Such information should be included in routine employee awareness activities.
Measurement type: Incident Management Plans

19.7 Conduct Periodic Incident Scenario Sessions for Personnel
Description: Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Measure: Has the organization planned and conducted routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real world threats? Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Measurement type: Incident Management Plans

19.8 Create Incident Scoring and Prioritization Schema
Description: Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Measure: Has the organization created incident scoring and prioritization schema based on known or potential impact to your organization? Utilize score to define frequency of status updates and escalation procedures.
Measurement type: Incident Management Plans

20.1 Establish a Penetration Testing Program
Description: Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Measure: Has the organization established a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks?
Measurement type: Penetration Testing Plans

20.2 Conduct Regular External and Internal Penetration Tests
Description: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Measure: Has the organization conducted regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully?
Measurement type: Penetration Testing Plans

20.3 Perform Periodic Red Team Exercises
Description: Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Measure: Has the organization performed periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively?
Measurement type: Penetration Testing Plans

20.4 Include Tests for Presence of Unprotected System Information and Artifacts
Description: Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation.
Measure: Has the organization included tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation?
Measurement type: Penetration Testing Plans

20.5 Create Test Bed for Elements Not Typically Tested in Production
Description: Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Measure: Has the organization created a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems?
Measurement type: Penetration Testing Plans

20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert
Description: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Measure: Has the organization used vulnerability scanning and penetration testing tools in concert? The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Measurement type: Penetration Testing Plans

20.7 Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
Description: Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Measure: Has the organization, wherever possible, ensured that Red Team results are documented using open, machine-readable standards (e.g., SCAP)? Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Measurement type: Penetration Testing Plans

20.8 Control and Monitor Accounts Associated with Penetration Testing
Description: Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Measure: Has the organization ensured that any user or system accounts used to perform penetration testing are controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over?
Measurement type: Penetration Testing Plans

Contact Information
CIS
31 Tech Valley Drive, East Greenbush, NY 12061
[email protected]