0% found this document useful (0 votes)
106 views82 pages

CIS Controls v8 Mapping To ASD Essential Eight - 2-2023

Uploaded by

gregoryhage
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
106 views82 pages

CIS Controls v8 Mapping To ASD Essential Eight - 2-2023

Uploaded by

gregoryhage
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
You are on page 1/ 82

This document contains mappings of the CIS Critical Security Controls (CIS Controls) and CIS Safeguards t

"Essential Eight"
Last updated January 2023
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

Editors
Thomas Sager

Contributors
License for Use

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
to the prior approval of CIS® (Center for Internet Security, Inc.).
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-

u are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject
Mapping Methodology
Mapping Methodology

This page describes the methodology used to map the CIS Critical Security Controls to the Australian Sign
Reference link for ASD Essential Eight: https://www.cyber.gov.au/acsc/view-all-content/essential-eight

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
It is not enough for two Controls to be related, it must be clear that implementing one Control will contribute
The general strategy used is to identify all of the aspects within a Control and attempt to discern if both item

CIS Control 6.1 - Establish an Access Granting Process


Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h

For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m

The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.
If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
CIS Controls Navigator
Remember to download the CIS Controls Version 8 Guide where you can learn more about:

- This Version of the CIS Controls


- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Controls critical
- Procedures and tools
https://www.cisecurity.org/controls/v8/

A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/

Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
CIS Security
CIS Safeguard Asset Type
Control Function
1

1 1.1 Devices Identify

1 1.2 Devices Respond

1 1.3 Devices Detect

1 1.4 Devices Identify

1 1.5 Devices Detect


2

2 2.2 Applications Identify

2 2.3 Applications Respond

2 2.4 Applications Detect


3
3 3.1 Data Identify

3 3.2 Data Identify

3 3.3 Data Protect

3 3.4 Data Protect

3 3.5 Data Protect

3 3.6 Devices Protect

3 3.7 Data Identify

3 3.8 Data Identify

3 3.9 Data Protect

3 3.10 Data Protect

3 3.11 Data Protect

3 3.12 Network Protect

3 3.13 Data Protect

4 4.2 Network Protect


4 4.3 Users Protect

4 4.4 Devices Protect

4 4.5 Devices Protect

4 4.6 Network Protect

4 4.9 Devices Protect

4 4.10 Devices Respond

4 4.11 Devices Protect

4 4.12 Devices Protect

5 5.1 Users Identify

5 5.6 Users Protect


6

6 6.1 Users Protect


6 6.2 Users Protect

6 6.6 Users Identify

6 6.7 Users Protect


7

7 7.2 Applications Respond

7 7.7 Applications Respond


8

8 8.1 Network Protect

8 8.2 Network Detect

8 8.3 Network Protect

8 8.4 Network Protect

8 8.5 Network Detect

8 8.6 Network Detect


8 8.7 Network Detect

8 8.8 Devices Detect


8 8.9 Network Detect
8 8.10 Network Protect
8 8.11 Network Detect

8 8.12 Data Detect


9

9 9.2 Network Protect

9 9.3 Network Protect

9 9.5 Network Protect

9 9.6 Network Protect

9 9.7 Network Protect

10

10 10.1 Devices Protect

10 10.3 Devices Protect

10 10.4 Devices Detect

10 10.5 Devices Protect

10 10.6 Devices Protect

10 10.7 Devices Detect


11

11 11.3 Data Protect

12
12 12.1 Network Protect

12 12.2 Network Protect

12 12.3 Network Protect

12 12.4 Network Identify

12 12.5 Network Protect

12 12.6 Network Protect

12 12.7 Devices Protect

13

13 13.1 Network Detect

13 13.2 Devices Detect

13 13.3 Network Detect

13 13.4 Network Protect

13 13.5 Devices Protect

13 13.6 Network Detect

13 13.7 Devices Protect


13 13.8 Network Protect

13 13.9 Devices Protect

13 13.10 Network Protect

13 13.11 Network Detect


14

14 14.1 N/A Protect

14 14.2 N/A Protect

14 14.3 N/A Protect

14 14.4 N/A Protect

14 14.5 N/A Protect

14 14.6 N/A Protect

14 14.7 N/A Protect

14 14.8 N/A Protect

14 14.9 N/A Protect


15

15 15.1 N/A Identify

15 15.2 N/A Identify

15 15.3 N/A Identify

15 15.4 N/A Protect

15 15.5 N/A Identify

15 15.6 Data Detect

15 15.7 Data Protect

16

16 16.1 Applications Protect


16 16.2 Applications Protect

16 16.3 Applications Protect

16 16.4 Applications Protect

16 16.5 Applications Protect

16 16.6 Applications Protect

16 16.7 Applications Protect

16 16.8 Applications Protect

16 16.9 Applications Protect

16 16.10 Applications Protect


16 16.11 Applications Protect

16 16.12 Applications Protect

16 16.13 Applications Protect

16 16.14 Applications Protect

17

17 17.1 N/A Respond

17 17.2 N/A Respond

17 17.3 N/A Respond

17 17.4 N/A Respond


17 17.5 N/A Respond

17 17.6 N/A Respond

17 17.7 N/A Recover

17 17.8 N/A Recover

17 17.9 N/A Recover

18

18 18.1 N/A Identify

18 18.2 Network Identify

18 18.3 Network Protect

18 18.4 Network Protect

18 18.5 N/A Identify


Title
Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including p
network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the inf
virtually, remotely, and those within cloud environments, to accurately know the totality of assets t
monitored and protected within the enterprise. This will also support identifying unauthorized and u
remove or remediate.

Establish and Maintain Detailed


Enterprise Asset Inventory

Address Unauthorized Assets

Utilize an Active Discovery Tool

Use Dynamic Host


Configuration Protocol (DHCP)
Logging to Update Enterprise
Asset Inventory
Use a Passive Asset Discovery
Tool
Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) o
only authorized software is installed and can execute, and that unauthorized and unmanaged softw
prevented from installation or execution.

Ensure Authorized Software is


Currently Supported

Address Unauthorized Software


Utilize Automated Software
Inventory Tools
Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose
Establish and Maintain a Data
Management Process

Establish and Maintain a Data


Inventory

Configure Data Access Control


Lists

Enforce Data Retention

Securely Dispose of Data


Encrypt Data on End-User
Devices

Establish and Maintain a Data


Classification Scheme

Document Data Flows

Encrypt Data on Removable


Media
Encrypt Sensitive Data in
Transit

Encrypt Sensitive Data at Rest

Segment Data Processing and


Storage Based on Sensitivity

Deploy a Data Loss Prevention


Solution

Secure Configuration of Enterprise Assets and Software


Establish and maintain the secure configuration of enterprise assets (end-user devices, including p
network devices; non-computing/IoT devices; and servers) and software (operating systems and ap
Establish and Maintain a
Secure Configuration Process
for Network Infrastructure
Configure Automatic Session
Locking on Enterprise Assets

Implement and Manage a


Firewall on Servers
Implement and Manage a
Firewall on End-User Devices

Securely Manage Enterprise


Assets and Software

Configure Trusted DNS Servers


on Enterprise Assets

Enforce Automatic Device


Lockout on Portable End-User
Devices

Enforce Remote Wipe


Capability on Portable End-User
Devices
Separate Enterprise
Workspaces on Mobile End-
User Devices
Account Management

Use processes and tools to assign and manage authorization to credentials for user accounts, inclu
accounts, as well as service accounts, to enterprise assets and software.

Establish and Maintain an


Inventory of Accounts

Centralize Account
Management
Access Control Management

Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
and service accounts for enterprise assets and software.

Establish an Access Granting


Process
Establish an Access Revoking
Process

Establish and Maintain an


Inventory of Authentication and
Authorization Systems

Centralize Access Control


Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the e
infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monito
industry sources for new threat and vulnerability information.
Establish and Maintain a
Remediation Process
Remediate Detected
Vulnerabilities
Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover

Establish and Maintain an Audit


Log Management Process

Collect Audit Logs


Ensure Adequate Audit Log
Storage
Standardize Time
Synchronization

Collect Detailed Audit Logs

Collect DNS Query Audit Logs


Collect URL Request Audit
Logs
Collect Command-Line Audit
Logs
Centralize Audit Logs
Retain Audit Logs
Conduct Audit Log Reviews

Collect Service Provider Logs


Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportuniti
manipulate human behavior through direct engagement.
Use DNS Filtering Services

Maintain and Enforce Network-


Based URL Filters

Implement DMARC

Block Unnecessary File Types


Deploy and Maintain Email
Server Anti-Malware
Protections
Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts
Deploy and Maintain Anti-
Malware Software
Disable Autorun and Autoplay
for Removable Media
Configure Automatic Anti-
Malware Scanning of
Removable Media

Enable Anti-Exploitation
Features

Centrally Manage Anti-Malware


Software
Use Behavior-Based Anti-
Malware Software
Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a
trusted state.

Protect Recovery Data


Network Infrastructure
Management

Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
exploiting vulnerable network services and access points.
Ensure Network Infrastructure is
Up-to-Date

Establish and Maintain a


Secure Network Architecture
Securely Manage Network
Infrastructure

Establish and Maintain


Architecture Diagram(s)

Centralize Network
Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
Management and
Communication Protocols 
Ensure Remote Devices Utilize
a VPN and are Connecting to
an Enterprise’s AAA
Infrastructure
Network Monitoring and
Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and d
security threats across the enterprise’s network infrastructure and user base.

Centralize Security Event


Alerting

Deploy a Host-Based Intrusion


Detection Solution

Deploy a Network Intrusion


Detection Solution

Perform Traffic Filtering


Between Network Segments

Manage Access Control for


Remote Assets

Collect Network Traffic Flow


Logs

Deploy a Host-Based Intrusion


Prevention Solution
Deploy a Network Intrusion
Prevention Solution

Deploy Port-Level Access


Control

Perform Application Layer


Filtering
Tune Security Event Alerting
Thresholds
Security Awareness and Skills Training

Establish and maintain a security awareness program to influence behavior among the workforce t
conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Establish and Maintain a


Security Awareness Program

Train Workforce Members to


Recognize Social Engineering
Attacks
Train Workforce Members on
Authentication Best Practices

Train Workforce on Data


Handling Best Practices

Train Workforce Members on


Causes of Unintentional Data
Exposure
Train Workforce Members on
Recognizing and Reporting
Security Incidents
Train Workforce on How to
Identify and Report if Their
Enterprise Assets are Missing
Security Updates
Train Workforce on the Dangers
of Connecting to and
Transmitting Enterprise Data
Over Insecure Networks

Conduct Role-Specific Security


Awareness and Skills Training
Service Provider Management

Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
platforms or processes, to ensure these providers are protecting those platforms and data appropr

Establish and Maintain an


Inventory of Service Providers

Establish and Maintain a


Service Provider Management
Policy

Classify Service Providers

Ensure Service Provider


Contracts Include Security
Requirements

Assess Service Providers

Monitor Service Providers

Securely Decommission
Service Providers
Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, dete
security weaknesses before they can impact the enterprise.

Establish and Maintain a


Secure Application
Development Process
Establish and Maintain a
Process to Accept and Address
Software Vulnerabilities

Perform Root Cause Analysis


on Security Vulnerabilities

Establish and Manage an


Inventory of Third-Party
Software Components

Use Up-to-Date and Trusted


Third-Party Software
Components

Establish and Maintain a


Severity Rating System and
Process for Application
Vulnerabilities

Use Standard Hardening


Configuration Templates for
Application Infrastructure

Separate Production and Non-


Production Systems

Train Developers in Application


Security Concepts and Secure
Coding

Apply Secure Design Principles


in Application Architectures
Leverage Vetted Modules or
Services for Application
Security Components

Implement Code-Level Security


Checks

Conduct Application Penetration


Testing

Conduct Threat Modeling

Incident Response Management


Establish a program to develop and maintain an incident response capability (e.g., policies, plans, p
roles, training, and communications) to prepare, detect, and quickly respond to an attack.

Designate Personnel to Manage


Incident Handling

Establish and Maintain Contact


Information for Reporting
Security Incidents

Establish and Maintain an


Enterprise Process for
Reporting Incidents

Establish and Maintain an


Incident Response Process
Assign Key Roles and
Responsibilities

Define Mechanisms for


Communicating During Incident
Response

Conduct Routine Incident


Response Exercises

Conduct Post-Incident Reviews

Establish and Maintain Security


Incident Thresholds

Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weakn
(people, processes, and technology), and simulating the objectives and actions of an attacker.

Establish and Maintain a


Penetration Testing Program

Perform Periodic External


Penetration Tests

Remediate Penetration Test


Findings
Validate Security Measures
Perform Periodic Internal
Penetration Tests
Description
l of Enterprise Assets
entory, track, and correct) all enterprise assets (end-user devices, including portable and mobile;
-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically,
nd those within cloud environments, to accurately know the totality of assets that need to be
cted within the enterprise. This will also support identifying unauthorized and unmanaged assets to

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets
with the potential to store or process data, to include: end-user devices (including portable and
mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records
the network address (if static), hardware address, machine name, enterprise asset owner,
department for each asset, and whether the asset has been approved to connect to the network.
For mobile end-user devices, MDM type tools can support this process, where appropriate. This
inventory includes assets connected to the infrastructure physically, virtually, remotely, and those
within cloud environments. Additionally, it includes assets that are regularly connected to the
enterprise’s network infrastructure, even if they are not under control of the enterprise. Review
and update the inventory of all enterprise assets bi-annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise
may choose to remove the asset from the network, deny the asset from connecting remotely to
the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure
the active discovery tool to execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to
update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset
inventory weekly, or more frequently.

Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and
use scans to update the enterprise’s asset inventory at least weekly, or more frequently.
l of Software Assets
entory, track, and correct) all software (operating systems and applications) on the network so that
ware is installed and can execute, and that unauthorized and unmanaged software is found and
Ensure that only currently supported software is designated as authorized in the software
lation or execution.
inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the
enterprise’s mission, document an exception detailing mitigating controls and residual risk
acceptance. For any unsupported software without an exception documentation, designate as
unauthorized. Review the software list to verify software support at least monthly, or more
Ensure that unauthorized software is either removed from use on enterprise assets or receives a
frequently.
documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the
discovery and documentation of installed software.

nd technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain a data management process. In the process, address data sensitivity, data
owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and
retention standards for the enterprise. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process.
Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum,
with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access control
lists, also known as access permissions, to local and remote file systems, databases, and
applications.
Retain data according to the enterprise’s data management process. Data retention must include
both minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the
disposal process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations can
include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may
use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to
those labels. Review and update the classification scheme annually, or when significant
enterprise changes occur that could impact this Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should
be based on the enterprise’s data management process. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.

Encrypt data on removable media.


Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security
(TLS) and Open Secure Shell (OpenSSH).
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data.
Storage-layer encryption, also known as server-side encryption, meets the minimum requirement
of this Safeguard. Additional encryption methods may include application-layer encryption, also
known as client-side encryption, where access to the data storage device(s) does not permit
access to the plain-text data.
Segment data processing and storage based on the sensitivity of the data. Do not process
sensitive data on enterprise assets intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify
all sensitive data stored, processed, or transmitted through enterprise assets, including those
located onsite or at a remote service provider, and update the enterprise's sensitive data
inventory.
of Enterprise Assets and Software
in the secure configuration of enterprise assets (end-user devices, including portable and mobile;
-computing/IoT devices; and servers) and software (operating systems and applications).
Establish and maintain a secure configuration process for network devices. Review and update
documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Configure automatic session locking on enterprise assets after a defined period of inactivity. For
general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user
devices, the period must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example implementations include
a virtual firewall, operating system firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a
default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
Securely manage enterprise assets and software. Example implementations include managing
configuration through version-controlled-infrastructure-as-code and accessing administrative
interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer
Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype
Network) and HTTP, unless operationally essential.
Configure trusted DNS servers on enterprise assets. Example implementations include:
configuring assets to use enterprise-controlled DNS servers and/or reputable externally
accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed
authentication attempts on portable end-user devices, where supported. For laptops, do not allow
more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed
authentication attempts. Example implementations include Microsoft® InTune Device Lock and
Apple® Configuration Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed
appropriate such as lost or stolen devices, or when an individual no longer supports the
enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported.
Example implementations include using an Apple® Configuration Profile or Android™ Work
Profile to separate enterprise applications and data from personal applications and data.

ools to assign and manage authorization to credentials for user accounts, including administrator
service accounts, to enterprise assets and software.

Establish and maintain an inventory of all accounts managed in the enterprise. The inventory
must include both user and administrator accounts. The inventory, at a minimum, should contain
the person’s name, username, start/stop dates, and department. Validate that all active accounts
are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

Centralize account management through a directory or identity service.

ools to create, assign, manage, and revoke access credentials and privileges for user, administrator,
for enterprise assets and software.

Establish and follow a process, preferably automated, for granting access to enterprise assets
upon new hire, rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets,
through disabling accounts immediately upon termination, rights revocation, or role change of a
user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems,
including those hosted on-site or at a remote service provider. Review and update the inventory,
at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider,
where supported.
ility Management
ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
er to remediate, and minimize, the window of opportunity for attackers. Monitor public and private
new threat and vulnerability information.
Establish and maintain a risk-based remediation strategy documented in a remediation process,
with monthly, or more frequent, reviews.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or
more frequent, basis, based on the remediation process.

and retain audit logs of events that could help detect, understand, or recover from an attack.

Establish and maintain an audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for
enterprise assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has
been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit
log management process.
Standardize time synchronization. Configure at least two synchronized time sources across
enterprise assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event
source, date, username, timestamp, source addresses, destination addresses, and other useful
elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from
PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a
potential threat. Conduct reviews on a weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include collecting
authentication and authorization events, data creation and disposal events, and user
management events.
ser Protections
and detections of threats from email and web vectors, as these are opportunities for attackers to
ehavior through direct engagement.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to
potentially malicious or unapproved websites. Example implementations include category-based
filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise
assets.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy
and verification, starting with implementing the Sender Policy Framework (SPF) and the
DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or
sandboxing.

e installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Deploy and maintain anti-malware software on all enterprise assets.

Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

Enable anti-exploitation features on enterprise assets and software, where possible, such as
Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or
Apple® System Integrity Protection (SIP) and Gatekeeper™.

Centrally manage anti-malware software.

Use behavior-based anti-malware software.

in data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and

Protect recovery data with equivalent controls to the original data. Reference encryption or data
separation, based on requirements.

, and actively manage (track, report, correct) network devices, in order to prevent attackers from
network services and access points.
Ensure network infrastructure is kept up-to-date. Example implementations include running the
latest stable release of software and/or using currently supported network-as-a-service (NaaS)
offerings. Review software versions monthly, or more frequently, to verify software support.
Establish and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum.
Securely manage network infrastructure. Example implementations include version-controlled-
infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected
Access 2 (WPA2) Enterprise or greater).

Require users to authenticate to enterprise-managed VPN and authentication services prior to


accessing enterprise resources on end-user devices.

nd tooling to establish and maintain comprehensive network monitoring and defense against
ss the enterprise’s network infrastructure and user base.

Centralize security event alerting across enterprise assets for log correlation and analysis. Best
practice implementation requires the use of a SIEM, which includes vendor-defined event
correlation alerts. A log analytics platform configured with security-relevant correlation alerts also
satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or
supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example
implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent
cloud service provider (CSP) service.

Perform traffic filtering between network segments, where appropriate.

Manage access control for assets remotely connecting to enterprise resources. Determine
amount of access to enterprise resources based on: up-to-date anti-malware software installed,
configuration compliance with the enterprise’s secure configuration process, and ensuring the
operating system and applications are up-to-date.
Collect network traffic flow logs and/or network traffic to review and alert upon from network
devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or
supported. Example implementations include use of an Endpoint Detection and Response (EDR)
client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations
include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network
access control protocols, such as certificates, and may incorporate user and/or device
authentication.
Perform application layer filtering. Example implementations include a filtering proxy, application
layer firewall, or gateway.
Tune security event alerting thresholds monthly, or more frequently.
and Skills Training

in a security awareness program to influence behavior among the workforce to be security


rly skilled to reduce cybersecurity risks to the enterprise.
Establish and maintain a security awareness program. The purpose of a security awareness
program is to educate the enterprise’s workforce on how to interact with enterprise assets and
data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and
update content annually, or when significant enterprise changes occur that could impact this
Safeguard.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting,
and tailgating. 

Train workforce members on authentication best practices. Example topics include MFA,
password composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive data. This also includes training workforce members on clear screen and desk best
practices, such as locking their screen when they step away from their enterprise asset, erasing
physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics
include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to
unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to report such
an incident. 

Train workforce to understand how to verify and report out-of-date software patches or any
failures in automated processes and tools. Part of this training should include notifying IT
personnel of any failures in automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over, insecure
networks for enterprise activities. If the enterprise has remote workers, training must include
guidance to ensure that all users securely configure their home network infrastructure.

Conduct role-specific security awareness and skills training. Example implementations include
secure system administration courses for IT professionals, (OWASP® Top 10 vulnerability
awareness and prevention training for web application developers, and advanced social
engineering awareness training for high-profile roles.
evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT
es, to ensure these providers are protecting those platforms and data appropriately.

Establish and maintain an inventory of service providers. The inventory is to list all known service
providers, include classification(s), and designate an enterprise contact for each service provider.
Review and update the inventory annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the
classification, inventory, assessment, monitoring, and decommissioning of service providers.
Review and update the policy annually, or when significant enterprise changes occur that could
impact this Safeguard.
Classify service providers. Classification consideration may include one or more characteristics,
such as data sensitivity, data volume, availability requirements, applicable regulations, inherent
risk, and mitigated risk. Update and review classifications annually, or when significant enterprise
changes occur that could impact this Safeguard.
Ensure service provider contracts include security requirements. Example requirements may
include minimum security program requirements, security incident and/or data breach notification
and response, data encryption requirements, and data disposal commitments. These security
requirements must be consistent with the enterprise’s service provider management policy.
Review service provider contracts annually to ensure contracts are not missing security
requirements.
Assess service providers consistent with the enterprise’s service provider management policy.
Assessment scope may vary based on classification(s), and may include review of standardized
assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry
(PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous
processes. Reassess service providers annually, at a minimum, or with new and renewed
contracts.
Monitor service providers consistent with the enterprise’s service provider management policy.
Monitoring may include periodic reassessment of service provider compliance, monitoring service
provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service
account deactivation, termination of data flows, and secure disposal of enterprise data within
service provider systems.
Security
ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate
before they can impact the enterprise.
Establish and maintain a secure application development process. In the process, address such
items as: secure application design standards, secure coding practices, developer training,
vulnerability management, security of third-party code, and application security testing
procedures. Review and update documentation annually, or when significant enterprise changes
occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software vulnerabilities,
including providing a means for external entities to report. The process is to include such items
as: a vulnerability handling policy that identifies reporting process, responsible party for handling
vulnerability reports, and a process for intake, assignment, remediation, and remediation
testing. As part of the process, use a vulnerability tracking system that includes severity ratings,
and metrics for measuring timing for identification, analysis, and remediation of
vulnerabilities. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that helps to
set expectations for outside stakeholders.

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause
analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows
development teams to move beyond just fixing individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development,
often referred to as a “bill of materials,” as well as components slated for future use. This
inventory is to include any risks that each third-party component could pose. Evaluate the list at
least monthly to identify any changes or updates to these components, and validate that the
component is still supported. 
Use up-to-date and trusted third-party software components. When possible, choose established
and proven frameworks and libraries that provide adequate security. Acquire these components
from trusted sources or evaluate the software for vulnerabilities before use.
Establish and maintain a severity rating system and process for application vulnerabilities that
facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes
setting a minimum level of security acceptability for releasing code or applications. Severity
ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps
ensure the most severe bugs are fixed first. Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for application
infrastructure components. This includes underlying servers, databases, and web servers, and
applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components.
Do not allow in-house developed software to weaken configuration hardening.

Maintain separate environments for production and non-production systems.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities. Training can include general security
principles and application security standard practices. Conduct training at least annually and
design in a way to promote security within the development team, and build a culture of security
among the developers.
Apply secure design principles in application architectures. Secure design principles include the
concept of least privilege and enforcing mediation to validate every operation that the user
makes, promoting the concept of "never trust user input." Examples include ensuring that explicit
error checking is performed and documented for all input, including for size, data type, and
acceptable ranges or formats. Secure design also means minimizing the application infrastructure
attack surface, such as turning off unprotected ports and services, removing unnecessary
programs and files, and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as identity
management, encryption, and auditing and logging. Using platform features in critical security
functions will reduce developers’ workload and minimize the likelihood of design or
implementation errors. Modern operating systems provide effective mechanisms for identification,
authentication, and authorization and make those mechanisms available to applications. Use only
standardized, currently accepted, and extensively reviewed encryption algorithms. Operating
systems also provide mechanisms to create and maintain secure audit logs.

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding
practices are being followed.
Conduct application penetration testing. For critical applications, authenticated penetration testing
is better suited to finding business logic vulnerabilities than code scanning and automated
security testing. Penetration testing relies on the skill of the tester to manually manipulate an
application as an authenticated and unauthenticated user. 
Conduct threat modeling. Threat modeling is the process of identifying and addressing application
security design flaws within a design, before code is created. It is conducted through specially
trained individuals who evaluate the application design and gauge security risks for each entry
point and access level. The goal is to map out the application, architecture, and infrastructure in a
structured way to understand its weaknesses.
anagement
o develop and maintain an incident response capability (e.g., policies, plans, procedures, defined
ommunications) to prepare, detect, and quickly respond to an attack.

Designate one key person, and at least one backup, who will manage the enterprise’s incident
handling process. Management personnel are responsible for the coordination and
documentation of incident response and recovery efforts and can consist of employees internal to
the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate
at least one person internal to the enterprise to oversee any third-party work. Review annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of security
incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber
insurance providers, relevant government agencies, Information Sharing and Analysis Center
(ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-
to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The
process includes reporting timeframe, personnel to report to, mechanism for reporting, and the
minimum information to be reported. Ensure the process is publicly available to all of the
workforce. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT,
information security, facilities, public relations, human resources, incident responders, and
analysts, as applicable. Review annually, or when significant enterprise changes occur that could
impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and report
during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind
that certain mechanisms, such as emails, can be affected during a security incident. Review
annually, or when significant enterprise changes occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved in
the incident response process to prepare for responding to real-world incidents. Exercises need
to test communication channels, decision making, and workflows. Conduct testing on an annual
basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through
identifying lessons learned and follow-up action.
Establish and maintain security incident thresholds, including, at a minimum, differentiating
between an incident and an event. Examples can include: abnormal activity, security vulnerability,
security weakness, data breach, privacy incident, etc. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.

s and resiliency of enterprise assets through identifying and exploiting weaknesses in controls
nd technology), and simulating the objectives and actions of an attacker.
Establish and maintain a penetration testing program appropriate to the size, complexity, and
maturity of the enterprise. Penetration testing program characteristics include scope, such as
network, web application, Application Programming Interface (API), hosted services, and physical
premise controls; frequency; limitations, such as acceptable hours, and excluded attack types;
point of contact information; remediation, such as how findings will be routed internally; and
retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less than
annually. External penetration testing must include enterprise and environmental reconnaissance
to detect exploitable information. Penetration testing requires specialized skills and experience
and must be conducted through a qualified party. The testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and
prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and
capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than
annually. The testing may be clear box or opaque box.
IG1 IG2 IG3 Relationship Security Control

X X X

X X X

X X

X X

X X X Subset Patch Applications

X X X

X X
X X X

X X X

X X X

X X X

X X X

X X X

X X

X X

X X

X X

X X

X X

X X X
X X X

X X X

X X X

X X X

X X

X X

X X

X X X

X X

X X X
X X X

X X

X X

X X X

X X

X X X

X X X

X X X

X X

X X

X X
X X

X X
X X
X X
X X

X
X X X

X X

X X

X X

X X X

X X X

X X

X X

X X

X X

X X X
X X X

X X

X X

X X

X X

X X

X X

X X

X X

X X

X X

X X

X X

X
X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X
X X X

X X

X X

X X

X X
X X

X X

X X

X X

X X

X X

X X

X X

X X
X X

X X X

X X X

X X X

X X
X X

X X

X X

X X

X X

X X

X X

X
Description

Once a patch is released by a vendor, the patch should be


applied in a timeframe commensurate with an
organisation’s exposure to the security vulnerability and
the level of cyber threat the organisation is aiming to
protect themselves against.
The following CIS Safeguards are NOT mapped to one of the ASD Essential Eight

1.1

1.2

1.3

1.4

1.5

2.3
2.4

3.1

3.2

3.3
3.4

3.5

3.6

3.7

3.8
3.9
3.10

3.11

3.12

3.13

4.2
4.3

4.4

4.5

4.6

4.9

4.10

4.11

4.12

5.1
5.6
6.1

6.2

6.6
6.7
7.2

7.7

8.1
8.2
8.3
8.4

8.5
8.6
8.7

8.8
8.9
8.10
8.11

8.12
9.2

9.3

9.5
9.6
9.7
10.1
10.3
10.4

10.5
10.6
10.7
11.3

12.1

12.2

12.3

12.4
12.5
12.6
12.7

13.1
13.2

13.3
13.4

13.5
13.6

13.7

13.8
13.9
13.10
13.11

14.1
14.2
14.3

14.4

14.5
14.6

14.7

14.8

14.9

15.1

15.2

15.3

15.4

15.5

15.6

15.7

16.1
16.2

16.3

16.4

16.5

16.6

16.7
16.8

16.9

16.10

16.11
16.12

16.13

16.14

17.1
17.2

17.3

17.4

17.5

17.6

17.7
17.8

17.9

18.1

18.2
18.3

18.4
18.5
The following CIS Safeguards are NOT mapped to one of the ASD Essential Eight

Establish and Maintain Detailed Enterprise Asset Inventory

Address Unauthorized Assets

Utilize an Active Discovery Tool

Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

Use a Passive Asset Discovery Tool

Address Unauthorized Software


Utilize Automated Software Inventory Tools

Establish and Maintain a Data Management Process

Establish and Maintain a Data Inventory

Configure Data Access Control Lists


Enforce Data Retention

Securely Dispose of Data

Encrypt Data on End-User Devices

Establish and Maintain a Data Classification Scheme

Document Data Flows


Encrypt Data on Removable Media
Encrypt Sensitive Data in Transit

Encrypt Sensitive Data at Rest

Segment Data Processing and Storage Based on Sensitivity

Deploy a Data Loss Prevention Solution

Establish and Maintain a Secure Configuration Process for Network Infrastructure


Configure Automatic Session Locking on Enterprise Assets

Implement and Manage a Firewall on Servers

Implement and Manage a Firewall on End-User Devices

Securely Manage Enterprise Assets and Software

Configure Trusted DNS Servers on Enterprise Assets

Enforce Automatic Device Lockout on Portable End-User Devices

Enforce Remote Wipe Capability on Portable End-User Devices

Separate Enterprise Workspaces on Mobile End-User Devices

Establish and Maintain an Inventory of Accounts


Centralize Account Management
Establish an Access Granting Process

Establish an Access Revoking Process

Establish and Maintain an Inventory of Authentication and Authorization Systems


Centralize Access Control
Establish and Maintain a Remediation Process

Remediate Detected Vulnerabilities

Establish and Maintain an Audit Log Management Process


Collect Audit Logs
Ensure Adequate Audit Log Storage
Standardize Time Synchronization

Collect Detailed Audit Logs


Collect DNS Query Audit Logs
Collect URL Request Audit Logs

Collect Command-Line Audit Logs


Centralize Audit Logs
Retain Audit Logs
Conduct Audit Log Reviews

Collect Service Provider Logs


Use DNS Filtering Services

Maintain and Enforce Network-Based URL Filters

Implement DMARC
Block Unnecessary File Types
Deploy and Maintain Email Server Anti-Malware Protections
Deploy and Maintain Anti-Malware Software
Disable Autorun and Autoplay for Removable Media
Configure Automatic Anti-Malware Scanning of Removable Media

Enable Anti-Exploitation Features


Centrally Manage Anti-Malware Software
Use Behavior-Based Anti-Malware Software
Protect Recovery Data

Ensure Network Infrastructure is Up-to-Date

Establish and Maintain a Secure Network Architecture

Securely Manage Network Infrastructure

Establish and Maintain Architecture Diagram(s)


Centralize Network Authentication, Authorization, and Auditing (AAA)
Use of Secure Network Management and Communication Protocols 
Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure

Centralize Security Event Alerting


Deploy a Host-Based Intrusion Detection Solution

Deploy a Network Intrusion Detection Solution


Perform Traffic Filtering Between Network Segments

Manage Access Control for Remote Assets


Collect Network Traffic Flow Logs

Deploy a Host-Based Intrusion Prevention Solution

Deploy a Network Intrusion Prevention Solution


Deploy Port-Level Access Control
Perform Application Layer Filtering
Tune Security Event Alerting Thresholds

Establish and Maintain a Security Awareness Program


Train Workforce Members to Recognize Social Engineering Attacks
Train Workforce Members on Authentication Best Practices

Train Workforce on Data Handling Best Practices

Train Workforce Members on Causes of Unintentional Data Exposure


Train Workforce Members on Recognizing and Reporting Security Incidents

Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

Conduct Role-Specific Security Awareness and Skills Training

Establish and Maintain an Inventory of Service Providers

Establish and Maintain a Service Provider Management Policy

Classify Service Providers

Ensure Service Provider Contracts Include Security Requirements

Assess Service Providers

Monitor Service Providers

Securely Decommission Service Providers

Establish and Maintain a Secure Application Development Process


Establish and Maintain a Process to Accept and Address Software Vulnerabilities

Perform Root Cause Analysis on Security Vulnerabilities

Establish and Manage an Inventory of Third-Party Software Components

Use Up-to-Date and Trusted Third-Party Software Components

Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities

Use Standard Hardening Configuration Templates for Application Infrastructure


Separate Production and Non-Production Systems

Train Developers in Application Security Concepts and Secure Coding

Apply Secure Design Principles in Application Architectures

Leverage Vetted Modules or Services for Application Security Components


Implement Code-Level Security Checks

Conduct Application Penetration Testing

Conduct Threat Modeling

Designate Personnel to Manage Incident Handling


Establish and Maintain Contact Information for Reporting Security Incidents

Establish and Maintain an Enterprise Process for Reporting Incidents

Establish and Maintain an Incident Response Process

Assign Key Roles and Responsibilities

Define Mechanisms for Communicating During Incident Response

Conduct Routine Incident Response Exercises


Conduct Post-Incident Reviews

Establish and Maintain Security Incident Thresholds

Establish and Maintain a Penetration Testing Program

Perform Periodic External Penetration Tests


Remediate Penetration Test Findings

Validate Security Measures


Perform Periodic Internal Penetration Tests
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to s
user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the
address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and wheth
connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate.
assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additiona
regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Re
enterprise assets bi-annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remo
the asset from connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discove
frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterpris
logs to update the enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to upda
least weekly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented excep
frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documenta
Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling o
disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documen
enterprise changes occur that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive d
update inventory annually, at a minimum, with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as a
remote file systems, databases, and applications.
Retain data according to the enterprise’s data management process. Data retention must include both minimum and
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and
data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLoc
crypt.
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as
“Public,” and classify their data according to those labels. Review and update the classification scheme annually, or
occur that could impact this Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should be based on the ent
Review and update documentation annually, or when significant enterprise changes occur that could impact this Saf
Encrypt data on removable media.
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open S
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encry
encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include applicatio
client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterpr
sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data sto
through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's
Establish and maintain a secure configuration process for network devices. Review and update documentation annu
changes occur that could impact this Safeguard.
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose op
exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, o
party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that
and ports that are explicitly allowed.

Securely manage enterprise assets and software. Example implementations include managing configuration through
code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hype
(HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operat
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use en
and/or reputable externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on porta
supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no m
attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxF
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as
individual no longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implemen
Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applicatio
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user
inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate th
on a recurring schedule at a minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling ac
rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to p
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those ho
provider. Review and update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or mo

Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis,
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a m
review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when signifi
could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled acros
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management p
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, usernam
destination addresses, and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™
terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct
frequent, basis.
Collect service provider logs, where supported. Example implementations include collecting authentication and auth
disposal events, and user management events.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.

Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious o
implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, s
Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
Deploy and maintain anti-malware software on all enterprise assets.
Disable autorun and autoplay auto-execute functionality for removable media.
Configure anti-malware software to automatically scan removable media.
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execu
Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based o
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release
supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify so
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, le
minimum.
Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code
protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update doc
significant enterprise changes occur that could impact this Safeguard.
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) En
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementa
which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant cor
Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations inc
Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Perform traffic filtering between network segments, where appropriate.
Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to ente
date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, an
applications are up-to-date.
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Exam
Endpoint Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a N
(NIPS) or equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocol
incorporate user and/or device authentication.
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or ga
Tune security event alerting thresholds monthly, or more frequently.
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate t
interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. R
or when significant enterprise changes occur that could impact this Safeguard.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating. 
Train workforce members on authentication best practices. Example topics include MFA, password composition, and
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This al
members on clear screen and desk best practices, such as locking their screen when they step away from their ente
virtual whiteboards at the end of meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-deliver
end-user device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an incident. 
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated pro
should include notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterpr
remote workers, training must include guidance to ensure that all users securely configure their home network infras
Conduct role-specific security awareness and skills training. Example implementations include secure system admin
(OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced so
for high-profile roles.
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include
enterprise contact for each service provider. Review and update the inventory annually, or when significant enterpris
this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the classification, invent
decommissioning of service providers. Review and update the policy annually, or when significant enterprise change
Safeguard.
Classify service providers. Classification consideration may include one or more characteristics, such as data sensit
requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or
occur that could impact this Safeguard.
Ensure service provider contracts include security requirements. Example requirements may include minimum secu
incident and/or data breach notification and response, data encryption requirements, and data disposal commitment
be consistent with the enterprise’s service provider management policy. Review service provider contracts annually
security requirements.
Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope m
and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and P
Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess s
minimum, or with new and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may inclu
provider compliance, monitoring service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service account deactivation, te
disposal of enterprise data within service provider systems.
Establish and maintain a secure application development process. In the process, address such items as: secure ap
coding practices, developer training, vulnerability management, security of third-party code, and application security
update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a me
process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party
and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerabili
severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Revi
annually, or when significant enterprise changes occur that could impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that helps to set expectations for
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the tas
create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as
Establish and manage an updated inventory of third-party components used in development, often referred to as a “
components slated for future use. This inventory is to include any risks that each third-party component could pose. 
identify any changes or updates to these components, and validate that the component is still supported. 
Use up-to-date and trusted third-party software components. When possible, choose established and proven framew
adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities befor
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing t
vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or
systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are
system and process annually.
Use standard, industry-recommended hardening configuration templates for application infrastructure components.
databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS
developed software to weaken configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code for their specific developmen
Training can include general security principles and application security standard practices. Conduct training at leas
promote security within the development team, and build a culture of security among the developers.

Apply secure design principles in application architectures. Secure design principles include the concept of least priv
validate every operation that the user makes, promoting the concept of "never trust user input." Examples include en
performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure des
application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary
removing default accounts.

Leverage vetted modules or services for application security components, such as identity management, encryption
platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design
operating systems provide effective mechanisms for identification, authentication, and authorization and make those
applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating
create and maintain secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are bein
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to
than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually m
authenticated and unauthenticated user. 
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design fla
created. It is conducted through specially trained individuals who evaluate the application design and gauge security
level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its we
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Ma
for the coordination and documentation of incident response and recovery efforts and can consist of employees inte
vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise
Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may in
vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analy
stakeholders. Verify contacts annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes rep
to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirem
Review annually, or when significant enterprise changes occur that could impact this Safeguard.

Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilitie
incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur tha
Determine which primary and secondary mechanisms will be used to communicate and report during a security incid
calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security inc
significant enterprise changes occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident respo
responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows
at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons le
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and
abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or w
occur that could impact this Safeguard.
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterpr
characteristics include scope, such as network, web application, Application Programming Interface (API), hosted se
controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; re
be routed internally; and retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less than annually. External penetra
and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills a
conducted through a qualified party. The testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to det
testing.
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may

You might also like