CIS Guide v8
Contents
Control 1: Inventory and Control of Enterprise Assets
Control 2: Inventory and Control of Software Assets
Control 3: Data Protection
Control 4: Secure Configuration of Enterprise Assets and Software
Control 5: Account Management
Control 6: Access Control Management
Control 7: Continuous Vulnerability Management
Control 8: Audit Log Management
Control 9: Email and Web Browser Protections
Control 10: Malware Defenses
Control 11: Data Recovery
Control 12: Network Infrastructure Management
Control 13: Network Monitoring and Defense
Control 14: Security Awareness and Skills Training
Control 15: Service Provider Management
Control 16: Application Software Security
Control 17: Incident Response Management
Control 18: Penetration Testing
You may not copy, reproduce, distribute, publish, display, perform, modify,
create derivative works, transmit, or in any way exploit the Material without
ManageEngine’s express written permission. The ManageEngine logo and all other
ManageEngine marks are registered trademarks of Zoho Corporation Pvt. Ltd.
Any other names of software products or companies referred to in this Material
and not expressly mentioned herein are the trademarks of their respective owners.
Names and characters used in this Material are either the products of the author’s
imagination or used in a fictitious manner. Any resemblance to actual persons,
living or dead, is purely coincidental.
A brief introduction to the CIS Controls®
The CIS Controls are a prescriptive, prioritized, and simplified set of cybersecurity best
practices and defensive actions that help support compliance in this multi-framework era.
The CIS Controls were formulated by a group of IT experts at the Center for Internet Security (CIS)
using information gathered from actual attacks and their effective defenses. They are comprised of
the world leverage the CIS Controls to get clear guidance on how to achieve the objectives described
by multiple legal, regulatory, and policy frameworks. Based on your organization’s cybersecurity
maturity, risk exposure, and availability of security resources, you can plan and prioritize the
In the latest version, v8, the CIS Controls are split into Implementation Groups (IGs). IGs are
self-assessed categories aimed at helping enterprises prioritize the implementation of the CIS Controls.
Implementing all of the CIS Controls is the definition of an effective cybersecurity program.
Effectively implementing IG1 represents basic cyberhygiene for any organization. The CIS Controls
map to most major compliance frameworks, including the NIST Cybersecurity Framework, NIST 800-53,
ISO 27000 series, and regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA.
Implementation Group 1
IG1 focuses on basic cyberhygiene. It is comprised of the foundational set of cyberdefense Safeguards
that every enterprise should apply to guard against the most common attacks. Small to medium-sized
organizations with limited cybersecurity expertise and low-sensitivity data will need to implement the
cyberdefense Safeguards that typically fall under the IG1 category.
Implementation Group 2
Organizations with moderate resources (employing individuals responsible for managing and protecting
IT infrastructures) and greater risk exposure from handling more sensitive assets and data will need to
implement the IG2 Controls along with IG1. These Controls focus on helping security teams manage
sensitive client or company information.
Implementation Group 3
Mature organizations with significant resources (employing security experts who specialize in the different
facets of cybersecurity) and high risk exposure from handling critical assets and data need to implement
the Safeguards under the IG3 category along with IG1 and IG2. Safeguards selected for IG3 abate targeted
attacks from sophisticated adversaries and reduce the impact of zero-day attacks.
The CIS Controls are not a one-size-fits-all solution; based on your organization’s cybersecurity maturity,
you can plan and prioritize the implementation of various Controls.
The role of ManageEngine solutions
ManageEngine’s suite of IT management solutions that focus
on security and risk management will help you meet the discrete
CIS Control requirements and will in turn aid your organization in
carefully planning and developing a best-in-class security program
to achieve better cyberhygiene.
ManageEngine products mapped to Controls
We have mapped our products to the IG Safeguards they
help meet. To learn more about this, please reach out to us at
[email protected]
Control 1: Inventory and Control of Enterprise Assets
Actively manage all enterprise assets connected to your infrastructure physically, virtually, or remotely, or those within cloud environments,
to accurately determine the totality of assets that need to be monitored and protected. This will also support identifying unauthorized and
unmanaged assets to remove or remediate.
Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Asset type: Devices
Security function: Identify
Implementation Groups: IG1, IG2, IG3
Control description: Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
How ManageEngine products can help:
AssetExplorer: AssetExplorer helps you identify and manage assets in your network. It scans your infrastructure to deliver complete inventory data.
ServiceDesk Plus: If you would like incident management along with asset inventory, you should look at ServiceDesk Plus, which has a built-in asset module.
Endpoint Central: Endpoint Central offers patch management along with inventory management. This inventory is for specific OSs, like Windows, macOS, and Linux.

Safeguard 1.2: Address Unauthorized Assets
Asset type: Devices
Security function: Respond
Implementation Groups: IG1, IG2, IG3
Control description: Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
How ManageEngine products can help:
OpUtils: Handle rogue device detection and prevention with powerful switch port management capabilities, and gain control over who or what is connecting to your network.

Safeguard 1.3: Utilize an Active Discovery Tool
Asset type: Devices
Security function: Detect
Implementation Groups: IG2, IG3
Control description: Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently.
How ManageEngine products can help:
OpUtils: OpUtils periodically scans routers, switches, and gateway servers to discover the devices in your network.

Safeguard 1.4: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Asset type: Devices
Security function: Identify
Implementation Groups: IG2, IG3
Control description: Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.
How ManageEngine products can help:
OpUtils: OpUtils’ DHCP monitoring tool integrates with IP, switch port, and DHCP management solutions. Having all these features in one console enables you to easily discover and monitor devices connected to your network.

Safeguard 1.5: Use a Passive Asset Discovery Tool
Asset type: Devices
Security function: Detect
Implementation Groups: IG3
Control description: Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently.
How ManageEngine products can help:
OpUtils: Scan for devices connected to your network and block the switch port when you find an unauthorized device that’s connected.
Control 2: Inventory and Control of Software Assets
Actively manage all software in your network to ensure that only authorized software is installed and executed and
that unauthorized and unmanaged software is found and prevented from being installed or executed.
Safeguard 2.1: Establish and Maintain a Software Inventory
Asset type: Applications
Security function: Identify
Implementation Groups: IG1, IG2, IG3
Control description: Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.
How ManageEngine products can help:
AssetExplorer, ServiceDesk Plus, Endpoint Central: All three solutions can scan for software inventory, collecting information such as the vendor and the install date. You can add additional fields to assets or software to note custom details like business process. This can also be achieved using the CMDB of AssetExplorer or ServiceDesk Plus.

Safeguard 2.2: Ensure Authorized Software is Currently Supported
Asset type: Applications
Security function: Identify
Implementation Groups: IG1, IG2, IG3
Control description: Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently.
How ManageEngine products can help:
Endpoint Central, Application Control Plus: Whitelist applications and remove any unauthorized software. If software is unsupported but necessary for the fulfillment of your enterprise’s mission, it can be documented as an exception.

Safeguard 2.3: Address Unauthorized Software
Asset type: Applications
Security function: Respond
Implementation Groups: IG1, IG2, IG3
Control description: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
How ManageEngine products can help:
Application Control Plus, Endpoint Central: Use application blacklisting to instantly block applications that might hamper either the security or productivity of your enterprise.

Safeguard 2.4: Utilize Automated Software Inventory Tools
Asset type: Applications
Security function: Detect
Implementation Groups: IG2, IG3
Control description: Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.
How ManageEngine products can help:
AssetExplorer: Scan your network for assets, including installed software, using AssetExplorer.
ServiceDesk Plus: ServiceDesk Plus has asset management capabilities along with ITIL functions.
Endpoint Central: Carry out patch management for Windows, macOS, and Linux devices with Endpoint Central. The product’s inventory feature includes a software inventory.

Safeguard 2.5: Allowlist Authorized Software
Asset type: Applications
Security function: Protect
Implementation Groups: IG2, IG3
Control description: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
How ManageEngine products can help:
Application Control Plus, Endpoint Central: Whitelist applications and remove any unauthorized software.

Safeguard 2.6: Allowlist Authorized Libraries
Asset type: Applications
Security function: Protect
Implementation Groups: IG2, IG3
Control description: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
How ManageEngine products can help:
Application Control Plus, Endpoint Central: View all executable files of the running processes, including those that don’t have a valid digital certificate. Choose all the files that you wish to whitelist; after that, even the smallest change to the file, such as a revision of the file’s version, will change its hash value, meaning the file will be instantly removed from the application whitelist. This policy is perfect if you want to run only extremely specific executables.

Safeguard 2.7: Allowlist Authorized Scripts
Asset type: Applications
Security function: Protect
Implementation Groups: IG3
Control description: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
How ManageEngine products can help:
Application Control Plus, Endpoint Central: Whitelist applications not just by vendor or product name but also using a verified executable and file hash.
Control 3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Safeguard 3.1: Establish and Maintain a Data Management Process
Asset type: Data
Security function: Identify
Implementation Groups: IG1, IG2, IG3
Control description: Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
How ManageEngine products can help:
DataSecurity Plus: With the help of DataSecurity Plus’ Risk Analysis module, you can locate risky content such as PII or ePHI and maintain an inventory of the personal data you store. Scan for passport numbers, email addresses, credit card numbers, and over 50 other types of personal data with preconfigured and customizable data discovery policies. Automate the classification of files containing PII or ePHI to better understand which files need elevated data security measures.

Safeguard 3.2: Establish and Maintain a Data Inventory
Asset type: Data
Security function: Identify
Implementation Groups: IG1, IG2, IG3
Control description: Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.
How ManageEngine products can help:
PAM360: Store, manage, and share many types of sensitive data, such as digital certificates, license keys, files, documents, and photocopies. During retrieval, a link to the file is provided for it to be saved locally to the disk.

Safeguard 3.3: Configure Data Access Control Lists
Asset type: Data
Security function: Protect
Implementation Groups: IG2, IG3
Control description: Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
How ManageEngine products can help:
PAM360, DataSecurity Plus: Protect access permissions for local and remote file systems, databases, and applications. Audit file servers via DataSecurity Plus. Manage passwords for databases, applications, and other resources with PAM360.

Safeguard 3.9: Encrypt Data on Removable Media
Asset type: Data
Security function: Protect
Implementation Groups: IG2, IG3
Control description: Encrypt data on removable media.
How ManageEngine products can help:
Device Control Plus: While we don’t offer a solution for encrypting data on removable devices, you can use Device Control Plus to allow only BitLocker-encrypted USB devices to access organizational data in order to view information or perform specific file actions.

Safeguard 3.13: Deploy a Data Loss Prevention Solution
Asset type: Data
Security function: Protect
Implementation Groups: IG3
Control description: Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise’s sensitive data inventory.
How ManageEngine products can help:
DataSecurity Plus: Discover and classify data. Delete or quarantine files, and stop USB data transfers. Spot instances of anomalous user behavior, and prevent files from being exfiltrated via external storage devices or via email (Outlook).

Safeguard 3.14: Log Sensitive Data Access
Asset type: Data
Security function: Detect
Implementation Groups: IG3
Control description: Log sensitive data access, including modification and disposal.
How ManageEngine products can help:
DataSecurity Plus: Audit file or folder changes, like creation, movement, deletion, and permission changes.
Control 4: Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets and software.
Safeguard 4.1: Establish and Maintain a Secure Configuration Process
Asset type: Applications
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
How ManageEngine products can help:
Endpoint Central: Endpoint Central’s many computer security configurations aid in hardening the security of your endpoints. It offers configurations for certificate distribution; firewall settings; permission management; securing USBs; setting up environmental variables, registry settings, shortcuts, and Wi-Fi settings; power management; group management; managing desktops’ display settings and file/folder operations (copy, move, delete); and displaying legal notices and other announcements.

Safeguard 4.2: Establish and Maintain a Secure Configuration Process for Network Infrastructure
Asset type: Network
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
How ManageEngine products can help:
Network Configuration Manager, OpManager Plus: Schedule device configuration backups, track user activity, and spot changes by comparing configuration versions, all from a centralized web GUI.

Safeguard 4.3: Configure Automatic Session Locking on Enterprise Assets
Asset type: Users
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
How ManageEngine products can help:
Endpoint Central: With Endpoint Central for desktop operating systems and mobile devices, you can turn off the display and lock the screen after a specified period of inactivity.

Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software
Asset type: Users
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
How ManageEngine products can help:
PAM360: Scan your network and discover critical assets to automatically onboard privileged accounts into a secure vault that offers central management.

Safeguard 4.8: Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Asset type: Devices
Security function: Protect
Implementation Groups: IG2, IG3
Control description: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
How ManageEngine products can help:
Endpoint Central: Add the list of software that is prohibited in your company to look for those applications during the regular scan cycles.

Safeguard 4.10: Enforce Automatic Device Lockout on Portable End-User Devices
Asset type: Devices
Security function: Respond
Implementation Groups: IG2, IG3
Control description: Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.
How ManageEngine products can help:
Mobile Device Manager Plus, Endpoint Central: Apply policies for passcodes, device auto-lock, and other security features to protect corporate data on enterprise devices.

Safeguard 4.11: Enforce Remote Wipe Capability on Portable End-User Devices
Asset type: Devices
Security function: Protect
Implementation Groups: IG2, IG3
Control description: Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.
How ManageEngine products can help:
Mobile Device Manager Plus, Endpoint Central: Perform remote wipe functionalities on Windows laptops, desktops, and tablets. Windows, Android, and iOS devices are also supported.

Safeguard 4.12: Separate Enterprise Workspaces on Mobile End-User Devices
Asset type: Devices
Security function: Protect
Implementation Groups: IG3
Control description: Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.
How ManageEngine products can help:
Mobile Device Manager Plus, Endpoint Central: Create containers to segregate enterprise data from personal data, which is especially important for corporate devices.
Control 5: Account Management
Use processes and tools to assign and manage authorization to handle the credentials of user accounts,
including administrator accounts, as well as service accounts associated with enterprise assets and software.
Safeguard 5.2: Use Unique Passwords
Asset type: Users
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
How ManageEngine products can help:
PAM360: Automate the process of scheduled password rotation to eliminate manual password change procedures.

Safeguard 5.3: Disable Dormant Accounts
Asset type: Users
Security function: Respond
Implementation Groups: IG1, IG2, IG3
Control description: Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
How ManageEngine products can help:
ADManager Plus: Manage and clean up inactive or unused user and computer accounts in bulk, right from ADManager Plus’ reports. Once you generate the inactive users or computers report, you can select the desired objects from the report and delete, disable, or move them to a different OU, or even enable the disabled ones, using the management options right within the report.
Control 6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator,
and service accounts for enterprise assets and software.
Safeguard 6.1: Establish an Access Granting Process
Asset type: Users
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
How ManageEngine products can help:
PAM360: Grant users access to resources by creating user and resource groups.

Safeguard 6.2: Establish an Access Revoking Process
Asset type: Users
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
How ManageEngine products can help:
PAM360: When you remove a user from a user group in PAM360—for instance, because their role changed or they were terminated—their privilege also gets revoked.

Safeguard 6.3: Require MFA for Externally-Exposed Applications
Asset type: Users
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
How ManageEngine products can help:
ADSelfService Plus: Secure multiple points of access to your organization’s sensitive resources using endpoint MFA.

Safeguard 6.4: Require MFA for Remote Network Access
Asset type: Users
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Require MFA for remote network access.
How ManageEngine products can help:
PAM360: Offer access to network resources within PAM360.

Safeguard 6.5: Require MFA for Administrative Access
Asset type: Users
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
How ManageEngine products can help:
PAM360: Require MFA for logging in to PAM360; this acts as a secondary layer of security.

Safeguard 6.7: Centralize Access Control
Asset type: Users
Security function: Protect
Implementation Groups: IG2, IG3
Control description: Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
How ManageEngine products can help:
ADSelfService Plus: Eliminate the need for multiple user IDs and passwords, streamline the login experience for users, and improve security with single sign-on. ADSelfService Plus uses Active Directory credentials to verify users’ identities, and OU and group-based policies to control access to various cloud applications. Users have to remember only their Windows username and password to access all their enterprise applications.

Safeguard 6.8: Define and Maintain Role-Based Access Control
Asset type: Data
Security function: Protect
Implementation Groups: IG3
Control description: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
How ManageEngine products can help:
PAM360: By default, PAM360 has six predefined roles that come with a specific set of permissions. If you’d like to create custom roles, you can do that as well.
Control 7: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within your enterprise’s infrastructure to remediate flaws and
minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Safeguard 7.1: Establish and Maintain a Vulnerability Management Process
Asset type: Applications
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
How ManageEngine products can help:
Vulnerability Manager Plus: Scan your network’s endpoints for vulnerabilities.

Safeguard 7.2: Establish and Maintain a Remediation Process
Asset type: Applications
Security function: Respond
Implementation Groups: IG1, IG2, IG3
Control description: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
How ManageEngine products can help:
Vulnerability Manager Plus, Endpoint Central: Identify vulnerabilities on specific OSs, web servers, and databases and fetch the patch the vendor has provided for the vulnerability.

Safeguard 7.3: Perform Automated Operating System Patch Management
Asset type: Applications
Security function: Protect
Implementation Groups: IG1, IG2, IG3
Control description: Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
How ManageEngine products can help:
Endpoint Central, Patch Manager Plus, Vulnerability Manager Plus: Carry out patch management for Windows, macOS, and Linux devices as well as third-party patching.

Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets
Asset type: Applications
Security function: Identify
Implementation Groups: IG2, IG3
Control description: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
How ManageEngine products can help:
Vulnerability Manager Plus, Endpoint Central: Maintain uninterrupted visibility into endpoints across your entire global hybrid IT with our advanced, multipurpose agents. From scanning threats and vulnerabilities to deploying remediations, everything is carried out seamlessly with the help of our lightweight, remote agents.

Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Asset type: Applications
Security function: Identify
Implementation Groups: IG1, IG2, IG3
Control description: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
How ManageEngine products can help:
Vulnerability Manager Plus, Endpoint Central: Scan devices in your network for software vulnerabilities, zero-day vulnerabilities, system misconfigurations, high-risk software, and web server misconfigurations.

Safeguard 7.7: Remediate Detected Vulnerabilities
Asset type: Applications
Security function: Respond
Implementation Groups: IG2, IG3
Control description: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
How ManageEngine products can help:
Vulnerability Manager Plus, Endpoint Central: Identify vulnerabilities and remediate them by applying the patches provided by the respective vendor.
Control 8: Audit Log Management
Collect, alert on, review, and retain audit logs of events that could help you detect, understand, or recover from an attack.
Safeguard 8.1
Asset type: Network
Security function: Protect
Control title: Establish and Maintain an Audit Log Management Process
Control description: Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Implementation Groups: X X X
How ManageEngine products can help:
  Log360: Collect, review, and retain audit logs for enterprise assets.

Safeguard 8.2
Asset type: Network
Security function: Detect
Control title: Collect Audit Logs
Control description: Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.
Implementation Groups: X X X
How ManageEngine products can help:
  Log360: Collect logs from various sources in your infrastructure: Windows infrastructure, databases like Oracle Database and MySQL, firewalls, IDSs and IPSs, hypervisors (Microsoft and VMware), Linux and Unix systems, routers and switches, vulnerability scanners, web servers, servers, workstations, cloud platforms, and other applications.

Safeguard 8.3
Asset type: Network
Security function: Protect
Control title: Ensure Adequate Audit Log Storage
Control description: Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.
Implementation Groups: X X X
How ManageEngine products can help:
  OpManager Plus: Use OpManager Plus to make sure you have enough space to accommodate the collected logs. You can also set thresholds.

Safeguard 8.5
Asset type: Network
Security function: Detect
Control title: Collect Detailed Audit Logs
Control description: Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
Implementation Groups: X X
How ManageEngine products can help:
  Log360: Log data collected by Log360 includes event source, date, username, timestamp, source address, and destination address.

Safeguard 8.6
Asset type: Network
Security function: Detect
Control title: Collect DNS Query Audit Logs
Control description: Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Implementation Groups: X X
How ManageEngine products can help:
  ADAudit Plus, Log360: Run out-of-the-box reports on your domain, DNS changes, and added, removed, or modified DNS nodes.

Safeguard 8.7
Asset type: Network
Security function: Detect
Control title: Collect URL Request Audit Logs
Control description: Collect URL request audit logs on enterprise assets, where appropriate and supported.
Implementation Groups: X X
How ManageEngine products can help:
  Firewall Analyzer, OpManager Plus: View the top allowed and denied URLs as part of the web usage reports, with source and destination details.

Safeguard 8.9
Asset type: Network
Security function: Detect
Control title: Centralize Audit Logs
Control description: Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Implementation Groups: X X
How ManageEngine products can help:
  Log360: Audit Active Directory changes, network device logs, Exchange Server, Exchange Online, Azure Active Directory, and your public cloud infrastructure from a single console.

Safeguard 8.11
Asset type: Network
Security function: Detect
Control title: Conduct Audit Log Reviews
Control description: Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Implementation Groups: X X
How ManageEngine products can help:
  Log360: Continuously monitor user and device activity. UEBA learns about every user and creates a baseline of regular activities for each user and entity.

Control 9: Email and Web Browser Protections
Improve protection and detection of threats from email and web vectors because these are opportunities for attackers to manipulate
human behavior through direct engagement.
Safeguard 9.1
Asset type: Applications
Security function: Protect
Control title: Ensure Use of Only Fully Supported Browsers and Email Clients
Control description: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Implementation Groups: X X X
How ManageEngine products can help:
  Browser Security Plus, Endpoint Central: Manage browsers, add-ons, extensions, and plug-ins.

Safeguard 9.3
Asset type: Network
Security function: Protect
Control title: Maintain and Enforce Network-Based URL Filters
Control description: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
Implementation Groups: X X
How ManageEngine products can help:
  Browser Security Plus, Endpoint Central: Group unapproved websites and restrict access to websites and web applications. Deny access to websites that are not needed in your organization.

Safeguard 9.4
Asset type: Applications
Security function: Protect
Control title: Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
Control description: Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.
Implementation Groups: X X
How ManageEngine products can help:
  Browser Security Plus, Endpoint Central: Disable Chrome extensions and only grant access to IT-approved extensions.

Control 10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Safeguard 10.3
Asset type: Devices
Security function: Protect
Control title: Disable Autorun and Autoplay for Removable Media
Control description: Disable autorun and autoplay auto-execute functionality for removable media.
Implementation Groups: X X X
How ManageEngine products can help:
  Device Control Plus, Endpoint Central: Disable auto-play.

Control 11: Data Recovery
Establish and maintain data recovery practices sufficient for restoring in-scope
enterprise assets to a pre-incident, trusted state.
Safeguard 11.3
Asset type: Data
Security function: Protect
Control title: Protect Recovery Data
Control description: Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.
Implementation Groups: X X X
How ManageEngine products can help:
  RecoveryManager Plus: Back up Active Directory, Azure AD, Microsoft 365, Google Workspace, and Exchange environments from a single console.

Control 12: Network Infrastructure Management
Establish, implement, and actively manage network devices to prevent attackers from exploiting
vulnerable network services and access points.
Safeguard 12.1
Asset type: Network
Security function: Protect
Control title: Ensure Network Infrastructure is Up-to-Date
Control description: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
Implementation Groups: X X X
How ManageEngine products can help:
  Network Configuration Manager, OpManager Plus: Determine whether the software on your networking devices is up-to-date. Generate reports on EOS and EOL devices.

Safeguard 12.2
Asset type: Network
Security function: Protect
Control title: Establish and Maintain a Secure Network Architecture
Control description: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
Implementation Groups: X X
How ManageEngine products can help:
  PAM360: Take care of least privilege permission management.

Control 13: Network Monitoring and Defense
Create processes and select appropriate tools to establish and maintain comprehensive network monitoring and
defense against security threats across your enterprise’s network infrastructure and user base.
Safeguard 13.1
Asset type: Network
Security function: Detect
Control title: Centralize Security Event Alerting
Control description: Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.
Implementation Groups: X X
How ManageEngine products can help:
  ADAudit Plus: Collect security event logs from your Windows infrastructure and generate compliance reports based on those details.

Safeguard 13.2
Asset type: Devices
Security function: Detect
Control title: Deploy a Host-Based Intrusion Detection Solution
Control description: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Implementation Groups: X X
How ManageEngine products can help:
  Device Control Plus: With the help of Device Control Plus, you can prevent unauthorized removable devices from connecting to your network.
  OpUtils: Using OpUtils, you can block unauthorized devices from connecting to your network.
  DataSecurity Plus: With DataSecurity Plus, you can detect and prevent data leaks through USBs and email (Outlook).

Safeguard 13.3
Asset type: Network
Security function: Detect
Control title: Deploy a Network Intrusion Detection Solution
Control description: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Implementation Groups: X X
How ManageEngine products can help:
  EventLog Analyzer: Monitor the logs from your IDS or IPS and extract the information they provide to further secure your network.

Safeguard 13.4
Asset type: Network
Security function: Protect
Control title: Perform Traffic Filtering Between Network Segments
Control description: Perform traffic filtering between network segments, where appropriate.
Implementation Groups: X X
How ManageEngine products can help:
  NetFlow Analyzer: Monitor traffic between two specific sites, which are created based on IP address or IP network. Site-to-site traffic monitoring helps you understand the network traffic behavior between any two user-defined sites and filter traffic that is not necessary for your organization.

Safeguard 13.5
Asset type: Devices
Security function: Protect
Control title: Manage Access Control for Remote Assets
Control description: Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date.
Implementation Groups: X X
How ManageEngine products can help:
  Endpoint Central, PAM360: Using PAM360, provide the minimum access permissions for assets remotely connected to enterprise resources. Make sure your endpoints are running up-to-date operating system versions and applications via Endpoint Central’s patch management, software deployment, and Windows configurations.

Safeguard 13.6
Asset type: Network
Security function: Detect
Control title: Collect Network Traffic Flow Logs
Control description: Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Implementation Groups: X X
How ManageEngine products can help:
  NetFlow Analyzer, OpManager Plus: Collect logs from your networking devices and generate reports on the top talkers in your network as well as the top source destination, port, and protocol used.

Safeguard 13.7
Asset type: Devices
Security function: Protect
Control title: Deploy a Host-Based Intrusion Prevention Solution
Control description: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Implementation Groups: X
How ManageEngine products can help:
  Device Control Plus: With the help of Device Control Plus, you can prevent unauthorized removable devices from connecting to your network.
  OpUtils: Using OpUtils, you can block unauthorized devices from connecting to your network.
  DataSecurity Plus: With DataSecurity Plus, you can detect and prevent data leaks through USBs and email (Outlook).

Safeguard 13.8
Asset type: Network
Security function: Protect
Control title: Deploy a Network Intrusion Prevention Solution
Control description: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
Implementation Groups: X
How ManageEngine products can help:
  NetFlow Analyzer: NetFlow Analyzer’s Advanced Security Analytics module is a network-flow-based security analytics and anomaly detection tool that helps in detecting intrusions using a Continuous Stream Mining Engine. With the help of the collected flows, you can classify anomalies like bad source destination, suspect flows, and denial-of-service attacks.

Control 14: Security Awareness and Skills Training
Establish and maintain a security awareness program to make employees more security-conscious and
ensure they have the proper skills to reduce cybersecurity risks to your enterprise.
Safeguard 14.3
Asset type: N/A
Security function: Protect
Control title: Train Workforce Members on Authentication Best Practices
Control description: Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.
Implementation Groups: X X X
How ManageEngine products can help:
  ADSelfService Plus, PAM360: With ADSelfService Plus, you can establish MFA for Windows, macOS, and Linux systems. For enterprise applications and databases, you can achieve this via PAM360.

Safeguard 14.4
Asset type: N/A
Security function: Protect
Control title: Train Workforce on Data Handling Best Practices
Control description: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
Implementation Groups: X X X
How ManageEngine products can help:
  Endpoint Central: Manage and optimize the power consumption of computer hardware to save money and energy.

Safeguard 14.5
Asset type: N/A
Security function: Protect
Control title: Train Workforce Members on Causes of Unintentional Data Exposure
Control description: Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
Implementation Groups: X X X
How ManageEngine products can help:
  DataSecurity Plus: Report on the creation, deletion, overwriting, and renaming of files and folders.

Safeguard 14.7
Asset type: N/A
Security function: Protect
Control title: Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
Control description: Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
Implementation Groups: X X X
How ManageEngine products can help:
  Mobile Device Manager Plus, Endpoint Central: Manage OS updates for iOS, Android, and Chrome OS devices. You can update immediately, delay deployment, or schedule the update.

Control 15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for your enterprise’s critical
IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
Safeguard 15.7
Asset type: Data
Security function: Protect
Control title: Securely Decommission Service Providers
Control description: Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.
Implementation Groups: X
How ManageEngine products can help:
  ADManager Plus: Decommission users and file servers without the hassle of dealing with complex custom scripts.

Control 16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect,
and remediate security weaknesses before they can impact your enterprise.
Safeguard 16.2
Asset type: Applications
Security function: Protect
Control title: Establish and Maintain a Process to Accept and Address Software Vulnerabilities
Control description: Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Implementation Groups: X X
How ManageEngine products can help:
  Vulnerability Manager Plus, Endpoint Central: Scan systems for vulnerabilities and get information on each vulnerability’s severity. Identify and deploy the patches available for the vulnerability from the vendor.

Control 17: Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures,
defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Safeguard 17.9
Asset type: N/A
Security function: Recover
Control title: Establish and Maintain Security Incident Thresholds
Control description: Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Implementation Groups: X
How ManageEngine products can help:
  ServiceDesk Plus: With the help of ServiceDesk Plus’ Enterprise Service Management, you can create a portal for your IT security team to handle incidents with unique notifications, SLAs, and escalation procedures. This will not interfere with your regular IT management process.

ManageEngine products and the CIS Controls v8 Safeguards
Application Control Plus: 2.2, 2.3, 2.5, 2.6, 2.7
Endpoint Central: 1.1, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 4.1, 4.3, 4.8, 4.10, 4.11, 4.12, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 9.1, 9.3, 9.4, 10.3, 10.4, 13.5, 14.4, 14.7, 16.2
Log360: 8.1, 8.2, 8.5, 8.6, 8.9, 8.11, 8.12, 10.7, 13.1, 13.3
PAM360: 3.2, 3.3, 4.7, 5.1, 5.2, 5.5, 5.6, 6.1, 6.2, 6.4, 6.5, 6.8, 12.2, 13.5, 14.3
Vulnerability Manager Plus: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 16.2

ManageEngine products that will help you
with the implementation process
Here is the complete list of ManageEngine products
that will help your organization meet the CIS Controls.
ADSelfService Plus: Password self-service, endpoint MFA, conditional access, and enterprise SSO
Application Control Plus: Software discovery and endpoint privilege management
Browser Security Plus: Browser security and management
[Figure: product capability diagram with the labels Patch Management, Mobile Device Management, Software Deployment, Configurations, OS Deployment, Security Add-on, BitLocker Management, Application Control]
EventLog Analyzer: Comprehensive log and IT compliance management
Firewall Analyzer: Firewall rule, configuration, and log management
Log360: Integrated SIEM with advanced threat analytics and ML-driven UEBA
Mobile Device Manager Plus: Comprehensive mobile device management
NetFlow Analyzer: Bandwidth monitoring and traffic analysis
Network Configuration Manager: Network change and configuration management
[Figure: Log360 diagram with the labels EventLog Analyzer, ADAudit Plus, M365 Manager Plus/Exchange Reporter Plus, Cloud Security Plus, Log360 UEBA]
OpManager Plus: Unified network, server, and application management
OpUtils: IP address and switch port management
vulnerability management
Bringing IT together
ManageEngine crafts comprehensive IT management software for all your business needs.
Identity and access management
• Privileged identity and access management
• SSO for on-premises and cloud apps with MFA
• Microsoft 365 & Exchange management and auditing
• Knowledge base with user self-service
Unified endpoint management and security
• Patch management Endpoint device security
• Remote monitoring and management
• Monitoring and control of peripheral devices
• Application discovery and dependency mapping
Security information and event management
• Unified SIEM for cloud and on-premises
Advanced IT analytics
• Self-service IT analytics
About ManageEngine
ManageEngine crafts the industry’s broadest suite of IT management software. We have everything you need—more than 120 products and free tools—to manage all of your IT operations, from networks and servers to applications, your service desk, AD, security, desktops, and mobile devices.
As you prepare for the IT management challenges ahead, we’ll lead the way with new solutions, contextual integrations, and other advances that can only come from a company singularly dedicated to its customers. And as a division of Zoho Corporation, we’ll continue pushing for the tight business-IT alignment you’ll need to seize future opportunities.