0% found this document useful (0 votes)
225 views106 pages

CIS Controls v8 Mapping To GSMA FS.31 Baseline Security Controls v2.0

Baseline de Segurança.

Uploaded by

lero_lero
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
225 views106 pages

CIS Controls v8 Mapping To GSMA FS.31 Baseline Security Controls v2.0

Baseline de Segurança.

Uploaded by

lero_lero
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
You are on page 1/ 106

This document contains mappings of the CIS Controls and Safeguards to GSMA FS.

31 Baseline Security Co
Last updated Dec 2021
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

Editors
Thomas Sager

Contributors
License for Use

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
the prior approval of CIS® (Center for Internet Security, Inc.).
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-

are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to
CIS Controls Navigator
Remember to download the CIS Controls Version 8 Guide where you can learn more about:

- This Version of the CIS Controls


- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Controls critical
- Procedures and tools
https://www.cisecurity.org/controls/v8/

A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/

Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
Mapping Methodology
Mapping Methodology

This page describes the methodology used to map the CIS Controls to FS.31 GSMA Baseline Security Co
Reference link for FS.31 GSMA Baseline Security Controls: https://www.gsma.com/security/resources/fs-3

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
The general strategy used is to identify all of the aspects within a control and attempt to discern if both item

CIS Control 6.1 - Establish an Access Granting Process


Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h

For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of 5 possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• Intersects: Although the CIS Control and the defensive mitigation have many similarities, neither is contai
awareness program and another requiring an information governance program.
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m

The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.

If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
CIS Security
CIS Safeguard Asset Type
Control Function

1 1.1 Devices Identify

1 1.1 Devices Identify

1 1.2 Devices Respond

1 1.3 Devices Detect

1 1.4 Devices Identify

1 1.5 Devices Detect

2 2.1 Applications Identify

2 2.2 Applications Identify

2 2.3 Applications Respond

2 2.4 Applications Detect


2 2.5 Applications Protect

2 2.6 Applications Protect

2 2.7 Applications Protect

3 3.1 Data Identify

3 3.2 Data Identify

3 3.3 Data Protect

3 3.3 Data Protect

3 3.4 Data Protect

3 3.5 Data Protect

3 3.6 Devices Protect

3 3.7 Data Identify


3 3.8 Data Identify
3 3.9 Data Protect

3 3.10 Data Protect


3 3.10 Data Protect

3 3.10 Data Protect

3 3.11 Data Protect

3 3.12 Network Protect

3 3.12 Network Protect

3 3.13 Data Protect

3 3.13 Data Protect


3 3.14 Data Detect
3 3.14 Data Detect

4 4.1 Applications Protect

4 4.1 Applications Protect

4 4.2 Network Protect

4 4.2 Network Protect

4 4.3 Users Protect


4 4.4 Devices Protect

4 4.4 Devices Protect

4 4.5 Devices Protect

4 4.6 Network Protect

4 4.7 Users Protect

4 4.7 Users Protect

4 4.8 Devices Protect

4 4.9 Devices Protect

4 4.10 Devices Respond

4 4.11 Devices Protect

4 4.12 Devices Protect

5
5 5.1 Users Identify

5 5.2 Users Protect

5 5.3 Users Respond

5 5.4 Users Protect

5 5.5 Users Identify

5 5.6 Users Protect

6 6.1 Users Protect

6 6.2 Users Protect

6 6.3 Users Protect

6 6.4 Users Protect

6 6.5 Users Protect


6 6.6 Users Identify

6 6.7 Users Protect

6 6.8 Data Protect

6 6.8 Data Protect

7 7.1 Applications Protect

7 7.1 Applications Protect

7 7.2 Applications Respond

7 7.2 Applications Respond

7 7.3 Applications Protect

7 7.4 Applications Protect

7 7.5 Applications Identify

7 7.5 Applications Identify


7 7.6 Applications Identify

7 7.6 Applications Identify

7 7.6 Applications Identify

7 7.7 Applications Respond

7 7.7 Applications Respond

8 8.1 Network Protect

8 8.1 Network Protect

8 8.1 Network Protect

8 8.1 Network Protect

8 8.1 Network Protect

8 8.2 Network Detect


8 8.2 Network Detect

8 8.2 Network Detect

8 8.2 Network Detect

8 8.3 Network Protect

8 8.4 Network Protect

8 8.5 Network Detect

8 8.5 Network Detect

8 8.6 Network Detect

8 8.7 Network Detect

8 8.8 Devices Detect

8 8.9 Network Detect

8 8.10 Network Protect


8 8.11 Network Detect

8 8.11 Network Detect


8 8.11 Network Detect

8 8.11 Network Detect

8 8.12 Data Detect

9 9.1 Applications Protect

9 9.2 Network Protect

9 9.3 Network Protect

9 9.4 Applications Protect

9 9.5 Network Protect

9 9.6 Network Protect

9 9.7 Network Protect

10
10 10.1 Devices Protect

10 10.2 Devices Protect

10 10.3 Devices Protect

10 10.4 Devices Detect

10 10.5 Devices Protect

10 10.6 Devices Protect

10 10.7 Devices Detect

11

11 11.1 Data Recover

11 11.1 Data Recover

11 11.2 Data Recover

11 11.3 Data Protect


11 11.4 Data Recover

11 11.5 Data Recover

12

12 12.1 Network Protect

12 12.2 Network Protect

12 12.2 Network Protect

12 12.2 Network Protect

12 12.2 Network Protect

12 12.3 Network Protect

12 12.3 Network Protect

12 12.4 Network Identify

12 12.5 Network Protect

12 12.6 Network Protect


12 12.7 Devices Protect

12 12.8 Devices Protect

13

13 13.1 Network Detect

13 13.1 Network Detect

13 13.1 Network Detect

13 13.1 Network Detect

13 13.2 Devices Detect

13 13.3 Network Detect

13 13.4 Network Protect

13 13.5 Devices Protect

13 13.6 Network Detect


13 13.7 Devices Protect

13 13.8 Network Protect

13 13.9 Devices Protect

13 13.9 Devices Protect

13 13.10 Network Protect

13 13.10 Network Protect

13 13.11 Network Detect

13 13.11 Network Detect

14

14 14.1 N/A Protect

14 14.2 N/A Protect

14 14.3 N/A Protect


14 14.4 N/A Protect

14 14.5 N/A Protect

14 14.6 N/A Protect

14 14.7 N/A Protect

14 14.8 N/A Protect

14 14.9 N/A Protect

15

15 15.1 N/A Identify

15 15.2 N/A Identify

15 15.2 N/A Identify

15 15.3 N/A Identify

15 15.4 N/A Protect


15 15.4 N/A Protect

15 15.4 N/A Protect

15 15.4 N/A Protect

15 15.4 N/A Protect

15 15.4 N/A Protect

15 15.4 N/A Protect

15 15.4 N/A Protect

15 15.5 N/A Identify

15 15.5 N/A Identify

15 15.5 N/A Identify

15 15.5 N/A Identify

15 15.5 N/A Identify

15 15.5 N/A Identify

15 15.6 Data Detect

15 15.7 Data Protect


16

16 16.1 Applications Protect

16 16.1 Applications Protect

16 16.1 Applications Protect

16 16.1 Applications Protect

16 16.1 Applications Protect

16 16.2 Applications Protect

16 16.3 Applications Protect

16 16.4 Applications Protect

16 16.5 Applications Protect

16 16.6 Applications Protect

16 16.6 Applications Protect


16 16.7 Applications Protect

16 16.8 Applications Protect

16 16.9 Applications Protect

16 16.10 Applications Protect

16 16.10 Applications Protect

16 16.11 Applications Protect

16 16.12 Applications Protect

16 16.13 Applications Protect


16 16.14 Applications Protect

17

17 17.1 N/A Respond

17 17.2 N/A Respond

17 17.3 N/A Respond

17 17.3 N/A Respond


17 17.4 N/A Respond

17 17.4 N/A Respond

17 17.4 N/A Respond

17 17.5 N/A Respond

17 17.6 N/A Respond

17 17.7 N/A Recover

17 17.8 N/A Recover

17 17.9 N/A Recover

18

18 18.1 N/A Identify

18 18.2 Network Identify

18 18.3 Network Protect

18 18.4 Network Protect


18 18.5 N/A Identify
Title

Inventory and Control of Enterprise Assets


mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected t
infrastructure physically, virtually, remotely, and those within cloud environments, to accurately kn
totality of assets that need to be monitored and protected within the enterprise. This will also suppo

Establish and Maintain Detailed


Enterprise Asset Inventory

Establish and Maintain Detailed


Enterprise Asset Inventory

Address Unauthorized Assets

Utilize an Active Discovery Tool

Use Dynamic Host


Configuration Protocol (DHCP)
Logging to Update Enterprise
Asset Inventory

Use a Passive Asset Discovery


Tool

Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) o
network so that only authorized software is installed and can execute, and that unauthorized and u
software is found and prevented from installation or execution.
Establish and Maintain a
Software Inventory
Ensure Authorized Software is
Currently Supported
Address Unauthorized Software
Utilize Automated Software
Inventory Tools
Allowlist Authorized Software

Allowlist Authorized Libraries

Allowlist Authorized Scripts

Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose

Establish and Maintain a Data


Management Process

Establish and Maintain a Data


Inventory

Configure Data Access Control


Lists

Configure Data Access Control


Lists

Enforce Data Retention

Securely Dispose of Data

Encrypt Data on End-User


Devices

Establish and Maintain a Data


Classification Scheme
Document Data Flows
Encrypt Data on Removable
Media

Encrypt Sensitive Data in


Transit
Encrypt Sensitive Data in
Transit

Encrypt Sensitive Data in


Transit
Encrypt Sensitive Data at Rest

Segment Data Processing and


Storage Based on Sensitivity

Segment Data Processing and


Storage Based on Sensitivity

Deploy a Data Loss Prevention


Solution
Deploy a Data Loss Prevention
Solution
Log Sensitive Data Access
Log Sensitive Data Access

Secure Configuration of Enterprise Assets and Software

Establish and maintain the secure configuration of enterprise assets (end-user devices, including p
mobile; network devices; non-computing/IoT devices; and servers) and software (operating system
applications).

Establish and Maintain a


Secure Configuration Process

Establish and Maintain a


Secure Configuration Process

Establish and Maintain a


Secure Configuration Process
for Network Infrastructure

Establish and Maintain a


Secure Configuration Process
for Network Infrastructure

Configure Automatic Session


Locking on Enterprise Assets
Implement and Manage a
Firewall on Servers

Implement and Manage a


Firewall on Servers

Implement and Manage a


Firewall on End-User Devices

Securely Manage Enterprise


Assets and Software

Manage Default Accounts on


Enterprise Assets and Software

Manage Default Accounts on


Enterprise Assets and Software

Uninstall or Disable
Unnecessary Services on
Enterprise Assets and Software

Configure Trusted DNS Servers


on Enterprise Assets

Enforce Automatic Device


Lockout on Portable End-User
Devices
Enforce Remote Wipe
Capability on Portable End-
User Devices
Separate Enterprise
Workspaces on Mobile End-
User Devices

Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, inclu
administrator accounts, as well as service accounts, to enterprise assets and software.

Establish and Maintain an


Inventory of Accounts

Use Unique Passwords

Disable Dormant Accounts

Restrict Administrator Privileges


to Dedicated Administrator
Accounts

Establish and Maintain an


Inventory of Service Accounts
Centralize Account
Management

Access Control Management

Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
administrator, and service accounts for enterprise assets and software.

Establish an Access Granting


Process

Establish an Access Revoking


Process

Require MFA for Externally-


Exposed Applications

Require MFA for Remote


Network Access

Require MFA for Administrative


Access
Establish and Maintain an
Inventory of Authentication and
Authorization Systems

Centralize Access Control


Define and Maintain Role-
Based Access Control
Define and Maintain Role-
Based Access Control

Continuous Vulnerability Management

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the e
infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monito
private industry sources for new threat and vulnerability information.
Establish and Maintain a
Vulnerability Management
Process

Establish and Maintain a


Vulnerability Management
Process

Establish and Maintain a


Remediation Process

Establish and Maintain a


Remediation Process

Perform Automated Operating


System Patch Management

Perform Automated Application


Patch Management

Perform Automated
Vulnerability Scans of Internal
Enterprise Assets

Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets

Remediate Detected
Vulnerabilities

Remediate Detected
Vulnerabilities

Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover
attack.

Establish and Maintain an Audit


Log Management Process

Establish and Maintain an Audit


Log Management Process

Establish and Maintain an Audit


Log Management Process

Establish and Maintain an Audit


Log Management Process

Establish and Maintain an Audit


Log Management Process

Collect Audit Logs


Collect Audit Logs

Collect Audit Logs

Collect Audit Logs

Ensure Adequate Audit Log


Storage

Standardize Time
Synchronization

Collect Detailed Audit Logs

Collect Detailed Audit Logs

Collect DNS Query Audit Logs

Collect URL Request Audit


Logs
Collect Command-Line Audit
Logs

Centralize Audit Logs

Retain Audit Logs


Conduct Audit Log Reviews

Conduct Audit Log Reviews


Conduct Audit Log Reviews

Conduct Audit Log Reviews

Collect Service Provider Logs

Email and Web Browser Protections

Improve protections and detections of threats from email and web vectors, as these are opportuniti
attackers to manipulate human behavior through direct engagement.

Ensure Use of Only Fully


Supported Browsers and Email
Clients

Use DNS Filtering Services

Maintain and Enforce Network-


Based URL Filters

Restrict Unnecessary or
Unauthorized Browser and
Email Client Extensions

Implement DMARC

Block Unnecessary File Types

Deploy and Maintain Email


Server Anti-Malware
Protections

Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts
enterprise assets.

Deploy and Maintain Anti-


Malware Software

Configure Automatic Anti-


Malware Signature Updates

Disable Autorun and Autoplay


for Removable Media
Configure Automatic Anti-
Malware Scanning of
Removable Media

Enable Anti-Exploitation
Features

Centrally Manage Anti-Malware


Software

Use Behavior-Based Anti-


Malware Software

Data Recovery

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a
and trusted state.

Establish and Maintain a Data


Recovery Process 
Establish and Maintain a Data
Recovery Process 
Perform Automated Backups 

Protect Recovery Data


Establish and Maintain an
Isolated Instance of Recovery
Data 

Test Data Recovery

Network Infrastructure
Management

Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
attackers from exploiting vulnerable network services and access points.

Ensure Network Infrastructure is


Up-to-Date
Establish and Maintain a
Secure Network Architecture

Establish and Maintain a


Secure Network Architecture

Establish and Maintain a


Secure Network Architecture

Establish and Maintain a


Secure Network Architecture

Securely Manage Network


Infrastructure

Securely Manage Network


Infrastructure

Establish and Maintain


Architecture Diagram(s)

Centralize Network
Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
Management and
Communication Protocols 
Ensure Remote Devices Utilize
a VPN and are Connecting to
an Enterprise’s AAA
Infrastructure
Establish and Maintain
Dedicated Computing
Resources for All Administrative
Work

Network Monitoring and


Defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and d
against security threats across the enterprise’s network infrastructure and user base.

Centralize Security Event


Alerting
Centralize Security Event
Alerting

Centralize Security Event


Alerting

Centralize Security Event


Alerting

Deploy a Host-Based Intrusion


Detection Solution
Deploy a Network Intrusion
Detection Solution

Perform Traffic Filtering


Between Network Segments

Manage Access Control for


Remote Assets

Collect Network Traffic Flow


Logs
Deploy a Host-Based Intrusion
Prevention Solution

Deploy a Network Intrusion


Prevention Solution

Deploy Port-Level Access


Control

Deploy Port-Level Access


Control

Perform Application Layer


Filtering

Perform Application Layer


Filtering

Tune Security Event Alerting


Thresholds

Tune Security Event Alerting


Thresholds

Security Awareness and Skills Training

Establish and maintain a security awareness program to influence behavior among the workforce t
conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Establish and Maintain a


Security Awareness Program
Train Workforce Members to
Recognize Social Engineering
Attacks

Train Workforce Members on


Authentication Best Practices
Train Workforce on Data
Handling Best Practices

Train Workforce Members on


Causes of Unintentional Data
Exposure
Train Workforce Members on
Recognizing and Reporting
Security Incidents
Train Workforce on How to
Identify and Report if Their
Enterprise Assets are Missing
Security Updates
Train Workforce on the Dangers
of Connecting to and
Transmitting Enterprise Data
Over Insecure Networks

Conduct Role-Specific Security


Awareness and Skills Training

Service Provider Management

Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
critical IT platforms or processes, to ensure these providers are protecting those platforms and dat
appropriately.
Establish and Maintain an
Inventory of Service Providers
Establish and Maintain a
Service Provider Management
Policy

Establish and Maintain a


Service Provider Management
Policy

Classify Service Providers

Ensure Service Provider


Contracts Include Security
Requirements
Ensure Service Provider
Contracts Include Security
Requirements
Ensure Service Provider
Contracts Include Security
Requirements
Ensure Service Provider
Contracts Include Security
Requirements
Ensure Service Provider
Contracts Include Security
Requirements
Ensure Service Provider
Contracts Include Security
Requirements

Ensure Service Provider


Contracts Include Security
Requirements

Ensure Service Provider


Contracts Include Security
Requirements

Assess Service Providers

Assess Service Providers

Assess Service Providers

Assess Service Providers

Assess Service Providers

Assess Service Providers

Monitor Service Providers

Securely Decommission
Service Providers
Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, dete
remediate security weaknesses before they can impact the enterprise.

Establish and Maintain a


Secure Application
Development Process
Establish and Maintain a
Secure Application
Development Process
Establish and Maintain a
Secure Application
Development Process

Establish and Maintain a


Secure Application
Development Process

Establish and Maintain a


Secure Application
Development Process

Establish and Maintain a


Process to Accept and Address
Software Vulnerabilities

Perform Root Cause Analysis


on Security Vulnerabilities
Establish and Manage an
Inventory of Third-Party
Software Components
Use Up-to-Date and Trusted
Third-Party Software
Components
Establish and Maintain a
Severity Rating System and
Process for Application
Vulnerabilities
Establish and Maintain a
Severity Rating System and
Process for Application
Vulnerabilities
Use Standard Hardening
Configuration Templates for
Application Infrastructure
Separate Production and Non-
Production Systems

Train Developers in Application


Security Concepts and Secure
Coding

Apply Secure Design Principles


in Application Architectures

Apply Secure Design Principles


in Application Architectures

Leverage Vetted Modules or


Services for Application
Security Components
Implement Code-Level Security
Checks
Conduct Application
Penetration Testing
Conduct Threat Modeling

Incident Response Management

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, p
defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

Designate Personnel to
Manage Incident Handling
Establish and Maintain Contact
Information for Reporting
Security Incidents
Establish and Maintain an
Enterprise Process for
Reporting Incidents
Establish and Maintain an
Enterprise Process for
Reporting Incidents
Establish and Maintain an
Incident Response Process

Establish and Maintain an


Incident Response Process

Establish and Maintain an


Incident Response Process

Assign Key Roles and


Responsibilities
Define Mechanisms for
Communicating During Incident
Response
Conduct Routine Incident
Response Exercises
Conduct Post-Incident Reviews
Establish and Maintain Security
Incident Thresholds

Penetration Testing

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weakn
controls (people, processes, and technology), and simulating the objectives and actions of an attac

Establish and Maintain a


Penetration Testing Program

Perform Periodic External


Penetration Tests

Remediate Penetration Test


Findings

Validate Security Measures


Perform Periodic Internal
Penetration Tests
Description

l of Enterprise Assets
ces; non-computing/Internet of Things (IoT) devices; and servers) connected to the
ally, virtually, remotely, and those within cloud environments, to accurately know the
need to beservers. Ensure
monitored andtheprotected
inventory within
recordsthe
theenterprise.
network address (if static),
This will hardware
also support
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and those
within cloud
servers. environments.
Ensure Additionally,
the inventory records theit includes assets that
network address are regularly
(if static), connected
hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and those
within
Ensurecloud
that aenvironments.
process existsAdditionally,
to address itunauthorized
includes assets thaton
assets are regularly
a weekly connected
basis. The
enterprise may choose to remove the asset from the network, deny the asset from
connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management
tools to update the enterprise’s asset inventory. Review and use logs to update the
enterprise’s asset inventory weekly, or more frequently.

Use a passive discovery tool to identify assets connected to the enterprise’s network.
Review and use scans to update the enterprise’s asset inventory at least weekly, or
more frequently.

l of Software Assets

entory, track, and correct) all software (operating systems and applications) on the
authorized software is installed and can execute, and that unauthorized and unmanaged
d prevented from installation or execution.
enterprise assets. The software inventory must document the title, publisher, initial
install/use date, and business purpose for each entry; where appropriate, include the
Uniform Resource
software inventory Locator (URL),assets.
for enterprise app store(s), version(s),
If software deployment
is unsupported, yet mechanism,
necessary for
and decommission date. Review and update the software inventory bi-annually,
the fulfillment of the enterprise’s mission, document an exception detailing mitigating or
controls and residual risk acceptance. For any unsupported software without an
exception
Ensure that documentation, designate
unauthorized software is as unauthorized.
either removed fromReview
use the software list
on enterprise to verify
assets or
receives a documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate
the discovery and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.

nd technical controls to identify, classify, securely handle, retain, and dispose of data.

sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise. Review
and update documentation annually, or when significant enterprise changes occur that
Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory
annually, at a minimum, with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.
Retain data according to the enterprise’s data management process. Data retention
must include both minimum and maximum timelines.

Securely dispose of data as outlined in the enterprise’s data management process.


Ensure the disposal process and method are commensurate with the data sensitivity.

Encrypt data on end-user devices containing sensitive data. Example implementations


can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme
and shouldannually, or when
be based on thesignificant enterprise
enterprise’s changes occur
data management that could
process. impact
Review and this
update documentation annually, or when significant enterprise changes occur that
Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport


Layer Security (TLS) and Open Secure Shell (OpenSSH).
Encrypt sensitive data in transit. Example implementations can include: Transport
Layer Security (TLS) and Open Secure Shell (OpenSSH).

Encrypt sensitive data in transit. Example implementations can include: Transport


Layer Security (TLS) and Open Secure Shell (OpenSSH).
sensitive data. Storage-layer encryption, also known as server-side encryption, meets
the minimum requirement of this Safeguard. Additional encryption methods may
include application-layer encryption, also known as client-side encryption, where
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.

Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets,
Implementincluding those located
an automated onsite
tool, such asor
a at a remote Data
host-based service provider,
Loss and update
Prevention the
(DLP) tool
enterprise's sensitive data inventory.
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's
Log sensitivesensitive data inventory.
data access, including modification and disposal.
Log sensitive data access, including modification and disposal.

of Enterprise Assets and Software

in the secure configuration of enterprise assets (end-user devices, including portable and
ces; non-computing/IoT devices; and servers) and software (operating systems and
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually,
Establish or
andwhen significant
maintain enterprise
a secure changes
configuration occur for
process thatenterprise
could impact this(end-user
assets
Safeguard.
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Configure automatic session locking on enterprise assets after a defined period of


inactivity. For general purpose operating systems, the period must not exceed 15
minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example
implementations include a virtual firewall, operating system firewall, or a third-party
firewall agent.

Implement and manage a firewall on servers, where supported. Example


implementations include a virtual firewall, operating system firewall, or a third-party
firewall agent.

Implement and manage a host-based firewall or port-filtering tool on end-user devices,


with a default-deny rule that drops all traffic except those services and ports that are
explicitly allowed.
managing configuration through version-controlled-infrastructure-as-code and
accessing administrative interfaces over secure network protocols, such as Secure
Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure
management protocols, such as Telnet (Teletype Network) and HTTP, unless
Manage default accounts on enterprise assets and software, such as root,
administrator, and other pre-configured vendor accounts. Example implementations
can include: disabling default accounts or making them unusable.

Manage default accounts on enterprise assets and software, such as root,


administrator, and other pre-configured vendor accounts. Example implementations
can include: disabling default accounts or making them unusable.

Uninstall or disable unnecessary services on enterprise assets and software, such as


an unused file sharing service, web application module, or service function.

Configure trusted DNS servers on enterprise assets. Example implementations


include: configuring assets to use enterprise-controlled DNS servers and/or reputable
externally accessible
Enforce automatic DNSlockout
device servers.following a predetermined threshold of local failed
authentication attempts on portable end-user devices, where supported. For laptops,
do not allow more than 20 failed authentication attempts; for tablets and smartphones,
no more than 10 failed authentication attempts. Example implementations include
Microsoft® InTune
Remotely wipe Device data
enterprise Lockfrom
and enterprise-owned
Apple® Configuration Profile
portable maxFailedAttempts.
end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer
supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal
applications and data.
ools to assign and manage authorization to credentials for user accounts, including
ts, as well as service accounts, to enterprise assets and software.

Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule at
a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes,
at a minimum, an 8-character password for accounts using MFA and a 14-character
password for accounts not using MFA.

Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.

Restrict administrator privileges to dedicated administrator accounts on enterprise


assets. Conduct general computing activities, such as internet browsing, email, and
productivity suite use, from the user’s primary, non-privileged account.
Establish and maintain an inventory of service accounts. The inventory, at a minimum,
must contain department owner, review date, and purpose. Perform service account
reviews to validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.

ools to create, assign, manage, and revoke access credentials and privileges for user,
rvice accounts for enterprise assets and software.

Establish and follow a process, preferably automated, for granting access to enterprise
assets upon new hire, rights grant, or role change of a user.

Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA,
where supported. Enforcing MFA through a directory service or SSO provider is a
satisfactory implementation of this Safeguard.

Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all enterprise
assets, whether managed on-site or through a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization
systems, including those hosted on-site or at a remote service provider. Review and
update the inventory, at a minimum, annually, or more frequently.

Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all
theprivileges are authorized,
access rights on each
necessary for a recurring schedule
role within at a minimum
the enterprise annually, orcarry
to successfully more out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more

ility Management

ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
er to remediate, and minimize, the window of opportunity for attackers. Monitor public and
ces for new threat and vulnerability information.
Establish and maintain a documented vulnerability management process for enterprise
assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Establish and maintain a documented vulnerability management process for enterprise


assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Establish and maintain a risk-based remediation strategy documented in a remediation


process, with monthly, or more frequent, reviews.

Establish and maintain a risk-based remediation strategy documented in a remediation


process, with monthly, or more frequent, reviews.

Perform operating system updates on enterprise assets through automated patch


management on a monthly, or more frequent, basis.

Perform application updates on enterprise assets through automated patch


management on a monthly, or more frequent, basis.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or


more frequent, basis. Conduct both authenticated and unauthenticated scans, using a
SCAP-compliant vulnerability scanning tool.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or


more frequent, basis. Conduct both authenticated and unauthenticated scans, using a
SCAP-compliant vulnerability scanning tool.
Perform automated vulnerability scans of externally-exposed enterprise assets using a
SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more
frequent, basis.

Perform automated vulnerability scans of externally-exposed enterprise assets using a


SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more
frequent, basis.

Perform automated vulnerability scans of externally-exposed enterprise assets using a


SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more
frequent, basis.

Remediate detected vulnerabilities in software through processes and tooling on a


monthly, or more frequent, basis, based on the remediation process.

Remediate detected vulnerabilities in software through processes and tooling on a


monthly, or more frequent, basis, based on the remediation process.

and retain audit logs of events that could help detect, understand, or recover from an

Establish and maintain an audit log management process that defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise
Establish and changes
maintain an auditoccur that could impact
log management this that
process Safeguard.
defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise
Establish and changes
maintain an auditoccur that could impact
log management this that
process Safeguard.
defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise
Establish and changes
maintain an auditoccur that could impact
log management this that
process Safeguard.
defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an audit log management process that defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.

Ensure that logging destinations maintain adequate storage to comply with the
enterprise’s audit log management process.

Standardize time synchronization. Configure at least two synchronized time sources


across enterprise assets, where supported.

Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.

Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.

Collect DNS query audit logs on enterprise assets, where appropriate and supported.

Collect URL request audit logs on enterprise assets, where appropriate and supported.

Collect command-line audit logs. Example implementations include collecting audit


logs from PowerShell®, BASH™, and remote administrative terminals.

Centralize, to the extent possible, audit log collection and retention across enterprise
assets.

Retain audit logs across enterprise assets for a minimum of 90 days.


Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

Collect service provider logs, where supported. Example implementations include


collecting authentication and authorization events, data creation and disposal events,
and user management events.

ser Protections

and detections of threats from email and web vectors, as these are opportunities for
ate human behavior through direct engagement.

Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through
the vendor.

Use DNS filtering services on all enterprise assets to block access to known malicious
domains.

Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example implementations
include category-based filtering, reputation-based filtering, or through the use of block
lists. Enforce filters for all enterprise assets.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary


browser or email client plugins, extensions, and add-on applications.

To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

Block unnecessary file types attempting to enter the enterprise’s email gateway.

Deploy and maintain email server anti-malware protections, such as attachment


scanning and/or sandboxing.
e installation, spread, and execution of malicious applications, code, or scripts on

Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.

Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

Enable anti-exploitation features on enterprise assets and software, where possible,


such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit
Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

Centrally manage anti-malware software.

Use behavior-based anti-malware software.

in data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident

Establish and maintain a data recovery process. In the process, address the scope of
data recovery activities, recovery prioritization, and the security of backup data. Review
and update
Establish documentation
and maintain a dataannually,
recoveryor process.
when significant enterprise
In the process, changes
address the occur
scopethat
of
could impact this Safeguard.
data recovery activities, recovery prioritization, and the security of backup data. Review
and update documentation annually, or when significant enterprise changes occur that
could impact
Perform this Safeguard.
automated backups of in-scope enterprise assets. Run backups weekly, or
more frequently, based on the sensitivity of the data.

Protect recovery data with equivalent controls to the original data. Reference
encryption or data separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example
implementations include, version controlling backup destinations through offline, cloud,
or off-site systems or services.

Test backup recovery quarterly, or more frequently, for a sampling of in-scope


enterprise assets.

, and actively manage (track, report, correct) network devices, in order to prevent
ting vulnerable network services and access points.
Ensure network infrastructure is kept up-to-date. Example implementations include
running the latest stable release of software and/or using currently supported network-
as-a-service (NaaS) offerings. Review software versions monthly, or more frequently,
to verify software support.
Establish and maintain a secure network architecture. A secure network architecture
must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture


must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture


must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture


must address segmentation, least privilege, and availability, at a minimum.

Securely manage network infrastructure. Example implementations include version-


controlled-infrastructure-as-code, and the use of secure network protocols, such as
SSH and HTTPS.
Securely manage network infrastructure. Example implementations include version-
controlled-infrastructure-as-code, and the use of secure network protocols, such as
SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system
documentation. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.

Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).
Require users to authenticate to enterprise-managed VPN and authentication services
prior to accessing enterprise resources on end-user devices.

Establish and maintain dedicated computing resources, either physically or logically


separated, for all administrative tasks or tasks requiring administrative access. The
computing resources should be segmented from the enterprise's primary network and
not be allowed internet access.

nd tooling to establish and maintain comprehensive network monitoring and defense


ats across the enterprise’s network infrastructure and user base.
Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined
Centralize event
security correlation
event alerting alerts.
acrossAenterprise
log analytics platform
assets for logconfigured
correlationwith
and
security-relevant correlation alerts also satisfies this Safeguard.
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.
Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.

Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where
appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System
(NIDS) or equivalent cloud service provider (CSP) service.

Perform traffic filtering between network segments, where appropriate.

Determine amount of access to enterprise resources based on: up-to-date anti-


malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-

Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where
appropriate and/or supported. Example implementations include use of an Endpoint
Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example
implementations include the use of a Network Intrusion Prevention System (NIPS) or
equivalent CSP service.

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user and/or
device authentication.

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user and/or
device authentication.

Perform application layer filtering. Example implementations include a filtering proxy,


application layer firewall, or gateway.

Perform application layer filtering. Example implementations include a filtering proxy,


application layer firewall, or gateway.

Tune security event alerting thresholds monthly, or more frequently.

Tune security event alerting thresholds monthly, or more frequently.

and Skills Training

in a security awareness program to influence behavior among the workforce to be security


rly skilled to reduce cybersecurity risks to the enterprise.
awareness program is to educate the enterprise’s workforce on how to interact with
enterprise assets and data in a secure manner. Conduct training at hire and, at a
minimum, annually. Review and update content annually, or when significant enterprise
Train workforce members to recognize social engineering attacks, such as phishing,
pre-texting, and tailgating. 

Train workforce members on authentication best practices. Example topics include


MFA, password composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and
destroy sensitive data. This also includes training workforce members on clear screen
and desk best practices, such as locking their screen when they step away from their
enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and
storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure.
Example topics include mis-delivery of sensitive data, losing a portable end-user
device, or publishing data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to


report such an incident. 

Train workforce to understand how to verify and report out-of-date software patches or
any failures in automated processes and tools. Part of this training should include
notifying IT personnel of any failures in automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over,
insecure networks for enterprise activities. If the enterprise has remote workers,
training must include guidance to ensure that all users securely configure their home
network infrastructure.
Conduct role-specific security awareness and skills training. Example implementations
include secure system administration courses for IT professionals, (OWASP® Top 10
vulnerability awareness and prevention training for web application developers, and
advanced social engineering awareness training for high-profile roles.

evaluate service providers who hold sensitive data, or are responsible for an enterprise’s
r processes, to ensure these providers are protecting those platforms and data
Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
for each service provider. Review and update the inventory annually, or when
Establish
significantand maintain
enterprise a service
changes provider
occur management
that could policy.
impact this Ensure the policy
Safeguard.
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes
characteristics, suchoccur thatsensitivity,
as data could impactdatathis Safeguard.
volume, availability requirements,
applicable regulations,
Ensure service providerinherent risk,
contracts and mitigated
include risk. Update and
security requirements. review
Example
classifications annually, or when significant enterprise changes occur
requirements may include minimum security program requirements, security that could impact
incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.
Ensure service provider contracts include security requirements. Example
requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
Ensure service
enterprise’s provider
service contracts
provider include security
management requirements.
policy. Review serviceExample
provider contracts
requirements
annually to ensure contracts are not missing security requirements. security incident
may include minimum security program requirements,
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
Ensure service
enterprise’s provider
service contracts
provider include security
management requirements.
policy. Review serviceExample
provider contracts
requirements
annually to ensure contracts are not missing security requirements. security incident
may include minimum security program requirements,
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
Ensure service
enterprise’s provider
service contracts
provider include security
management requirements.
policy. Review serviceExample
provider contracts
requirements
annually to ensure contracts are not missing security requirements. security incident
may include minimum security program requirements,
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
Ensure service
enterprise’s provider
service contracts
provider include security
management requirements.
policy. Review serviceExample
provider contracts
requirements
annually to ensure contracts are not missing security requirements. security incident
may include minimum security program requirements,
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service
Ensure service provider
provider management
contracts policy. Review
include security serviceExample
requirements. provider contracts
annually to ensure
requirements contracts
may include are not security
minimum missing program
security requirements.
requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
requirements may include
annually to ensure minimum
contracts are not security
missing program requirements, security incident
security requirements.
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service scope
policy. Assessment provider
maymanagement
vary based policy. Review service
on classification(s), provider
and contracts
may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
policy. Assessment
questionnaires, scope
or other may vary based
appropriately on classification(s),
rigorous and may
processes. Reassess include
service review
providers
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment
policy. Card Industry
Assessment (PCI)
scope may Attestation
vary based onofclassification(s),
Compliance (AoC), customized
and may include review
questionnaires,
of standardized assessment reports, such as Service Organization Control 2 providers
or other appropriately rigorous processes. Reassess service (SOC 2)
Assess service
and Payment providers
Card consistent
Industry with the enterprise’s
(PCI) Attestation of Complianceservice
(AoC),provider management
customized
policy. Assessment
questionnaires, scope
or other may vary based
appropriately on classification(s),
rigorous and may
processes. Reassess include
service review
providers
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
Assess service providers
questionnaires, consistent with
or other appropriately the enterprise’s
rigorous processes.service
Reassessprovider management
service providers
policy. Assessment scope may vary based on classification(s),
annually, at a minimum, or with new and renewed contracts. and may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
questionnaires, or other appropriately rigorous processes. Reassess service providers
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
annually, at a minimum, or with new and renewed contracts.
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
Monitor service providers consistent with the enterprise’s service provider management
policy. Monitoring may include periodic reassessment of service provider compliance,
monitoring service provider release notes, and dark web monitoring.

Securely decommission service providers. Example considerations include user and


service account deactivation, termination of data flows, and secure disposal of
enterprise data within service provider systems.
Security

ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and
eaknesses before they can impact the enterprise.
Establish and maintain a secure application development process. In the process,
address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application
Establish andsecurity testing
maintain procedures.
a secure Review
application and update
development documentation
process. annually, or
In the process,
when significant enterprise changes occur that could impact this Safeguard.
address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security
Establish and testing
maintain procedures.
a secure Review
application and update
development documentation
process. annually, or
In the process,
when significant
address enterprise
such items changes
as: secure occur design
application that could impact this
standards, Safeguard.
secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing procedures. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure application development process. In the process,
address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing procedures. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure application development process. In the process,
address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing
process, responsible procedures.
party for Review and reports,
handling vulnerability update documentation annually,
and a process for intake,or
when significant enterprise changes occur that could impact this Safeguard.
assignment, remediation, and remediation testing. As part of the process, use a
vulnerability tracking system that includes severity ratings, and metrics for measuring
timing for identification, analysis, and remediation of vulnerabilities. Review and update
documentation annually,
Perform root cause or when
analysis significant
on security enterprise When
vulnerabilities. changes occur that
reviewing could
vulnerabilities,
impact this analysis
root cause Safeguard.is the task of evaluating underlying issues that create
vulnerabilities in code, and
Establish and manage allows development
an updated teams to move
inventory of third-party beyond used
components just fixing
in
individual vulnerabilities as they arise.
development, often referred to as a “bill of materials,” as well as components slated for
future use. This inventory is to include any risks that each third-party component could
pose. Evaluate the list at least monthly to identify any changes or updates to these
Use up-to-date
components, andand trustedthat
validate third-party softwareiscomponents.
the component When possible, choose
still supported. 
established and proven frameworks and libraries that provide adequate
security. Acquire these components from trusted sources or evaluate the software for
Establish and maintain
vulnerabilities a severity rating system and process for application
before use.
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe bugs
Establish and maintain a severity rating system and process for application
are fixed first. Review and update the system and process annually.
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe bugs
are fixed first. Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for application
infrastructure components. This includes underlying servers, databases, and web
servers, and applies to cloud containers, Platform as a Service (PaaS) components,
and SaaS components. Do not allow in-house developed software to weaken
configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities. Training can include
general security principles and application security standard practices. Conduct training
at least annually and design in a way to promote security within the development team,
and build athat
operation culture of security
the user makes,among the developers.
promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats. Secure
include the concept
design also of least privilege
means minimizing and enforcing
the application mediation
infrastructure to validate
attack surface,every
such as
operation that the user makes, promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats. Secure
design also means minimizing the application infrastructure attack surface, such as
critical
turning security functions
off unprotected will and
ports reduce developers’
services, workload
removing and minimize
unnecessary the likelihood
programs and files,
of design or implementation errors. Modern operating systems provide effective
mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and
Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.
penetration testing is better suited to finding business logic vulnerabilities than code
scanning and automated security testing. Penetration testing relies on the skill of the
tester to manually
conducted throughmanipulate an application
specially trained as who
individuals an authenticated
evaluate the and unauthenticated
application design
and gauge security risks for each entry point and access level. The goal is to map out

anagement

o develop and maintain an incident response capability (e.g., policies, plans, procedures,
g, and communications) to prepare, detect, and quickly respond to an attack.

and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using
Establish andvendor,
a third-party maintain contact at
designate information
least one for parties
person that need
internal to thetoenterprise
be informed of
to oversee
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing
Establishand
andAnalysis
maintainCenter (ISAC) partners,
an enterprise or other
process for stakeholders.
the workforce Verify
to report contacts
security
annually to ensure that information is up-to-date.
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the
process
Establishisand
publicly available
maintain to all of the
an enterprise workforce.
process for theReview annually,
workforce or when
to report security
significant enterprise changes occur that could impact this Safeguard.
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders,
Determine which and analysts,
primary andas applicable.
secondary Review annually,
mechanisms or when
will be significant
used to communicate and
enterprise changes occur that could impact this Safeguard.
report during a security incident. Mechanisms can include phone calls, emails, or
letters. Keep in mind that certain mechanisms, such as emails, can be affected during
a security
Plan incident.routine
and conduct Review annually,
incident or whenexercises
response significant enterprise
and changes
scenarios occur that
for key personnel
could impact
involved in thethis Safeguard.
incident response process to prepare for responding to real-world
incidents. Exercises need to test communication channels, decision making, and
workflows.
Conduct Conduct testing
post-incident on an
reviews. annual basis,
Post-incident at a minimum.
reviews help prevent incident recurrence
through identifying lessons learned and follow-up action.
differentiating between an incident and an event. Examples can include: abnormal
activity, security vulnerability, security weakness, data breach, privacy incident, etc.
Review annually, or when significant enterprise changes occur that could impact this

s and resiliency of enterprise assets through identifying and exploiting weaknesses in


cesses, and technology), and simulating the objectives and actions of an attacker.
Establish and maintain a penetration testing program appropriate to the size,
complexity, and maturity of the enterprise. Penetration testing program characteristics
include scope, such as network, web application, Application Programming Interface
(API), hosted services, and physical premise controls; frequency; limitations, such as
acceptable hours, and excluded attack types; point of contact information; remediation,
Perform periodic
such as how external
findings penetration
will be tests based
routed internally; and on program requirements,
retrospective requirements.no less
than annually. External penetration testing must include enterprise and environmental
reconnaissance to detect exploitable information. Penetration testing requires
specialized skills and experience and must be conducted through a qualified party. The
testing may be clear box or opaque box.

Remediate penetration test findings based on the enterprise’s policy for remediation
scope and prioritization.

Validate security measures after each penetration test. If deemed necessary, modify
rulesets and capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less
than annually. The testing may be clear box or opaque box.
IG1 IG2 IG3 Relationship Reference

X X X Subset NO-001

X X X Subset NO-004

X X X

X X

X X

X X X

X X X

X X X

X X
X X

X X

X Subset NO-005

X X X Subset BC-003

X X X

X X X Subset CN-008

X X X Subset NO-010

X X X

X X X Subset BC-12

X X X

X X Subset BC-003
X X
X X

X X Equivalent RN-001
X X Superset CN-002

X X Subset NO-010

X X Subset NO-010

X X Subset CN-008

X X Superset NO-003

X Subset CN-008

X Subset NO-010
X Subset CN-008
X Subset NO-010

X X X Subset BC-003

X X X Subset NO-002

X X X Subset NO-002

X X X Superset NO-003

X X X
X X X Superset CN-002

X X X Subset NO-004

X X X Subset NO-004

X X X

X X X Subset NO-001

X X X Subset NO-005

X X

X X

X X

X X

X
X X X Subset NO-005

X X X Subset NO-005

X X X Subset CN-008

X X X Subset NO-005

X X

X X

X X X Subset CN-001

X X X Subset CN-001

X X X

X X X

X X X Subset NO-005
X X

X X

X Subset BC-003

X Subset CN-008

X X X Subset BC-003

X X X Subset NO-006

X X X Subset BC-004

X X X Subset NO-006

X X X Superset DC-002

X X X Superset DC-002

X X Subset NO-006

X X Subset SO-005
X X Subset NO-004

X X Subset NO-006

X X Subset SO-005

X X Subset NO-006

X X Subset SO-005

X X X Subset BC-003

X X X Subset BC-004

X X X Subset NO-007

X X X Equivalent SO-001

X X X Subset SO-006

X X X Superset RI-004
X X X Subset NO-007

X X X Subset SO-001

X X X Subset SO-006

X X X

X X

X X Subset NO-005

X X Subset NO-010

X X

X X

X X

X X Subset SO-006

X X
X X Subset BC-004

X X Subset NO-007
X X Subset SO-001

X X Subset SO-006

X X X

X X X

X X

X X

X X

X X

X Subset SO-002
X X X Subset SO-002

X X X Subset SO-002

X X X

X X

X X

X X Subset SO-002

X X

X X X Subset BC-003

X X X Subset BC-008

X X X

X X X
X X X

X X Subset SO-004

X X X

X X Subset BC-003

X X Subset BC-004

X X Superset RN-007

X X Superset RI-002

X X Superset RN-006

X X Superset RN-007

X X

X X

X X
X X

X Intersects NO-005

X X Superset RI-004

X X Subset NO-007

X X Subset SO-001

X X Subset SO-006

X X

X X Superset RN-003

X X Superset RI-001

X X

X X Subset SO-001
X

X Subset NO-001

X Subset NO-004

X Superset RI-001

X Subset NO-004

X Subset NO-007

X Subset SO-006

X X X Subset BC-003

X X X

X X X
X X X

X X X

X X X

X X X

X X X

X X

X X X

X X Subset BC-003

X X Superset SIM-001

X X

X X Subset BC-010
X X Superset SIM-002

X X Superset IOT-001

X X Superset IOT-002

X X Superset IOT-003

X X Superset IOT-004

X X Superset IOT-006

X X Superset NO-011

X Subset BC-11

X Superset IOT-001

X Superset IOT-002

X Superset IOT-003

X Superset IOT-004

X Superset IOT-005

X
X X Subset BC-003

X X Subset BC-004

X X Subset BC-005

X X Subset BC-006

X X Subset BC-007

X X

X X

X X

X X

X X Subset BC-005

X X Subset NO-006
X X

X X

X X

X X Subset BC-005

X X Subset NO-005

X X

X Subset BC-004

X
X

X X X Subset SO-004

X X X Subset SO-004

X X X Subset BC-004

X X X Subset SO-004
X X Subset BC-003

X X Subset BC-008

X X Subset SO-004

X X Subset SO-004

X X Subset SO-004

X X Subset SO-004

X X Subset SO-004

X Subset BC-004

X X Equivalent SO-005

X X Subset SO-005

X X Subset SO-005

X
X Subset SO-005
Objective

Actively manage (inventory, track, and correct) all


hardware devices on the network so that only authorized
devices are given access, and unauthorized and
unmanaged devices are found and prevented from
gaining access.
Manage (track/control/correct) the ongoing operational
use of ports, protocols, and services on networked
devices in order to minimize windows of vulnerability
available to attackers
The processes and tools used to
track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on servers,
networks, and applications.

organisation should abide by. Specific policies will be


constructed in relation to security and should map to the
overarching security strategy and principles of the
organisation; essentially policy should underpin the

track/control/prevent/correct secure access to critical


assets (e.g. core infrastructure) according to the formal
determination of which persons, computers, and
applications have a need and right to access these critical
Ensure database services and systems are protected from
unauthorised access and misuse.

Decommissioning of equipment should consider secure


sanitization or disposal controls to avoid the risks of
consequent data leaks.

organisation should abide by. Specific policies will be


constructed in relation to security and should map to the
overarching security strategy and principles of the
organisation; essentially policy should underpin the

Cryptographically protect GSM, GPRS, UMTS, LTE and


NR network traffic to protect against unauthorised
interception and alteration of user traffic and sensitive
signalling information.
Protect core network traffic after it is handed over from the
radio path to protect against unauthorised interception and
alteration of user traffic and sensitive signalling
information.
Ensure database services and systems are protected from
unauthorised access and misuse.
Ensure database services and systems are protected from
unauthorised access and misuse.
track/control/prevent/correct secure access to critical
assets (e.g. core infrastructure) according to the formal
determination of which persons, computers, and
applications have a need and right to access these critical
Virtualisation/Containerisation controls should be enforced
wherever network elements are virtualised e.g. Network
Function Virtualisation (NFV).secure access to critical
track/control/prevent/correct
assets (e.g. core infrastructure) according to the formal
determination of which persons, computers, and
applications have services
Ensure database a need and
andright to access
systems these critical
are protected from
unauthorised access and misuse.
assets (e.g. core infrastructure) according to the formal
determination of which persons, computers, and
Ensure database services and systems are protected from
unauthorised access and misuse.

organisation should abide by. Specific policies will be


constructed in relation to security and should map to the
overarching security strategy and principles of the
organisation; essentially
on, correct) the policy shouldof
security configuration underpin
networkthe
equipment (NE), servers, and workstations, and core
infrastructure using a rigorous configuration management
Establish,
and change implement, and actively
control process manage
in order (track,
to prevent report
attackers
on, correct) the security configuration of network
equipment (NE), servers, and workstations, and core
infrastructure using a rigorous configuration management
and change control process in order to prevent attackers
from exploiting vulnerable services and settings.
Virtualisation/Containerisation controls should be enforced
wherever network elements are virtualised e.g. Network
Function Virtualisation (NFV).
Protect core network traffic after it is handed over from the
radio path to protect against unauthorised interception and
alteration of user traffic and sensitive signalling
information.
Manage (track/control/correct) the ongoing operational
use of ports, protocols, and services on networked
devices in order to minimize windows of vulnerability
available to attackers
Manage (track/control/correct) the ongoing operational
use of ports, protocols, and services on networked
devices in order to minimize windows of vulnerability
available to attackers

Actively manage (inventory, track, and correct) all


hardware devices on the network so that only authorized
devices are given access, and unauthorized and
unmanaged devices are found and prevented from
gaining access.
The processes and tools used to
track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on servers,
networks, and applications.
The processes and tools used to
track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on servers,
networks, and applications.
The processes and tools used to
track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on servers,
networks, and applications. secure access to critical
track/control/prevent/correct
assets (e.g. core infrastructure) according to the formal
determination of which persons, computers, and
applications
The processeshave
anda tools
need used
and right
to to access these critical
track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on servers,
networks, and applications.

There should be processes for the secure provisioning


and decommissioning of users to ensure only legitimately
subscribing customers have access to services.

There should be processes for the secure provisioning


and decommissioning of users to ensure only legitimately
subscribing customers have access to services.

The processes and tools used to


track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on servers,
networks, and applications.
organisation should abide by. Specific policies will be
constructed in relation to security and should map to the
overarching security strategysecure
track/control/prevent/correct and principles
access toof critical
the
organisation;
assets (e.g. core infrastructure) according to thethe
essentially policy should underpin formal
determination of which persons, computers, and
applications have a need and right to access these critical

organisation should abide by. Specific policies will be


constructed in relation to security and should map to the
overarching security strategy and principles of the
organisation; essentially policy should underpin the
Continuously acquire, assess, and act on new information
in order to identify vulnerabilities, remediate, and minimize
the window of opportunity for attackers.
processes to detail operational progress against strategic
requirements. Governance should align to organisation
policy; reporting is shared with senior leadership to
Continuously acquire, assess, and act on new information
in order to identify vulnerabilities, remediate, and minimize
the window of opportunity for attackers.

Deliver security critical software updates to vulnerable


mobile devices with minimal delay.

Deliver security critical software updates to vulnerable


mobile devices with minimal delay.

Continuously acquire, assess, and act on new information


in order to identify vulnerabilities, remediate, and minimize
the window of opportunity for attackers.

Perform security assessment of live systems to test the


overall strength of an organization’s defence (the
technology, the processes, and the people) by simulating
the objectives and actions of an attacker.
Manage (track/control/correct) the ongoing operational
use of ports, protocols, and services on networked
devices in order to minimize windows of vulnerability
available to attackers

Continuously acquire, assess, and act on new information


in order to identify vulnerabilities, remediate, and minimize
the window of opportunity for attackers.

Perform security assessment of live systems to test the


overall strength of an organization’s defence (the
technology, the processes, and the people) by simulating
the objectives and actions of an attacker.

Continuously acquire, assess, and act on new information


in order to identify vulnerabilities, remediate, and minimize
the window of opportunity for attackers.

Perform security assessment of live systems to test the


overall strength of an organization’s defence (the
technology, the processes, and the people) by simulating
the objectives and actions of an attacker.

organisation should abide by. Specific policies will be


constructed in relation to security and should map to the
overarching security strategy and principles of the
functions that essentially
organisation; complement eachshould
policy other, underpin
providingthe
reporting
processes to detail operational progress against strategic
requirements. Governance should align to organisation
policy; reporting is shared with senior leadership to
explain the delivery success of the entire security
Monitor and analyse core, radio and enterprise network
traffic for potential internal or external attacks.

Collect, manage, and analyse audit logs of events that


could help detect, understand, or recover from an attack.

Implement a holistic protective monitoring approach that


ensures there is a proactive and consistent approach to
detection of abnormal behaviour on networks and
systems.
Monitor and analyse radio network traffic for potential
internal or external attacks.
Monitor and analyse core, radio and enterprise network
traffic for potential internal or external attacks.

Collect, manage, and analyse audit logs of events that


could help detect, understand, or recover from an attack.

Implement a holistic protective monitoring approach that


ensures there is a proactive and consistent approach to
detection of abnormal behaviour on networks and
systems.

The processes and tools used to


track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on servers,
networks, and applications.

Ensure database services and systems are protected from


unauthorised access and misuse.

Implement a holistic protective monitoring approach that


ensures there is a proactive and consistent approach to
detection of abnormal behaviour on networks and
systems.

processes to detail operational progress against strategic


requirements. Governance should align to organisation
policy; reporting is shared with senior leadership to
Monitor and analyse core, radio and enterprise network
traffic for potential internal or external attacks.
Collect, manage, and analyse audit logs of events that
could help detect, understand, or recover from an attack.
Collect, manage, correlate and analyse network traffic
flows that could help detect, understand or recover from
an attack.
Implement a holistic protective monitoring approach that
ensures there is a proactive and consistent approach to
detection of abnormal behaviour on networks and
systems.

Control the installation, spread, and execution of malicious


code at multiple points in the network, while optimizing the
use of automation to enable rapid updating of defence,
data gathering, and corrective action.
Control the installation, spread, and execution of malicious
code at multiple points in the network, while optimizing the
use of automation to enable rapid updating of defence,
data gathering, and corrective action.

Control the installation, spread, and execution of malicious


code at multiple points in the network, while optimizing the
use of automation to enable rapid updating of defence,
data gathering, and corrective action.

Control the installation, spread, and execution of malicious


code at multiple points in the network, while optimizing the
use of automation to enable rapid updating of defence,
data gathering, and corrective action.

organisation should abide by. Specific policies will be


constructed in relation to security and should map to the
overarching security
organisation’s ability strategy
to detect,and principles
prevent, of theand deal
minimise
organisation; essentially policy should underpin the of an
with the impact of disruptive events. In the aftermath
incident the BCM plan will enable critical activities within
the organisation to continue. In the longer term it will help
response infrastructure (e.g., plans, defined roles, training,
communications, management oversight) for quickly
discovering an attack and then effectively containing the

organisation should abide by. Specific policies will be


constructed in relation to security and should map to the
overarching security strategy and principles of the
functions that essentially
organisation; complement eachshould
policy other, underpin
providingthe
reporting
processes to detail operational progress against strategic
requirements. Governance should align to organisation
policy; reporting is shared with senior leadership to
explain the delivery success of the entire security
Where small cells are deployed in hostile environments
compensating controls should be implemented to manage
the risk.

Protect the roaming and interconnect network elements


(NE) from unauthorised access.

Ensure base stations are secured and maintained

Where small cells are deployed in hostile environments


compensating controls should be implemented to manage
the risk.
The processes and tools used to
track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on servers,
networks, and applications.

Monitor and analyse radio network traffic for potential


internal or external attacks.
Monitor and analyse core, radio and enterprise network
traffic for potential internal or external attacks.
Collect, manage, and analyse audit logs of events that
could help detect, understand, or recover from an attack.
Collect, manage, correlate and analyse network traffic
flows that could help detect, understand or recover from
an attack.
Implement a holistic protective monitoring approach that
ensures there is a proactive and consistent approach to
detection of abnormal behaviour on networks and
systems.

Detect attacks that may result in network instability; locate


anomalous activity in the network

Protection of the roaming and interconnect messaging and


customers from attacks including location tracking,
eavesdropping, denial of service and fraud over
interconnect signalling protocols and links.

Collect, manage, and analyse audit logs of events that


could help detect, understand, or recover from an attack.
Collect, manage, correlate and analyse network traffic
flows that could help detect, understand or recover from
an attack.
Actively manage (inventory, track, and correct) all
hardware devices on the network so that only authorized
devices are given access, and unauthorized and
unmanaged devices are found and prevented from
gaining access.
Manage (track/control/correct) the ongoing operational
use of ports, protocols, and services on networked
devices in order to minimize windows of vulnerability
available to attackers
Protection of the roaming and interconnect messaging and
customers from attacks including location tracking,
eavesdropping, denial of service and fraud over
interconnect signalling protocols and links.
Manage (track/control/correct) the ongoing operational
use of ports, protocols, and services on networked
devices in order to minimize windows of vulnerability
available to attackers
Monitor and analyse core, radio and enterprise network
traffic for potential internal or external attacks.
Implement a holistic protective monitoring approach that
ensures there is a proactive and consistent approach to
detection of abnormal behaviour on networks and
systems.

organisation should abide by. Specific policies will be


constructed in relation to security and should map to the
overarching security strategy and principles of the
organisation; essentially policy should underpin the
organisation should abide by. Specific policies will be
constructed in relation to security and should map to the
overarching security strategy and principles of the
organisation; essentially policy should underpin the
Establish, implement and actively manage a rigorous SIM
management programme. This programme must focus on
the secure provisioning and purchase of (e)UICC from
reputable vendors.

Operators should implement effective supply-chain and


procurement controls to ensure the services they operate
and provide comply with legal requirements and manage
supply-chain threats.
Source eUICCs that comply with the GSMA  eUICC
specifications, and have declared compliance under the
GSMA eSIM/M2M compliance programmes

IoT service providers shall comply with security by design


and privacy by design industry best practice.

IoT service platforms shall comply with IoT security


industry best practice.

IoT device endpoints shall comply with IoT security


industry best practice.

Networks shall comply with IoT security industry best


practice.

IoT device endpoints shall comply with connection


efficiency best practices to protect networks from the risks
caused by the mass deployment of inefficient, insecure or
defective
ImplementIoT devices.
cloud security principles for all private, public
and hybrid cloud (infrastructure, platform or software)
computing based provisioning, whether operated in-house
or outsourced, to provide all tenants with an effective risk
management of services.
Operators should implement 3rd party access and
outsourcing controls to ensure the risks of information
sharing and outsourcing are effectively managed.
IoT service providers shall comply with security by design
and privacy by design industry best practice.
IoT service platforms shall comply with IoT security
industry best practice.

IoT device endpoints shall comply with IoT security


industry best practice.

Networks shall comply with IoT security industry best


practice.

IoT services shall subject to a security assessment.


organisation should abide by. Specific policies will be
constructed in relation to security and should map to the
overarching security strategy and principles of the
functions that essentially
organisation; complement eachshould
policy other, underpin
providingthe
reporting
processes to detail operational progress against strategic
requirements. Governance should align to organisation
policy; reporting is shared with senior leadership to
explain the delivery success of the entire security
Ensure all projects go through a security assessment to
confirm they are secure by design.

Ensure all projects go through a data protection/privacy


assessment. This assessment should align to local policy,
industry regulation and relevant legislation. These will
inform local data management principles.
implemented, this lifecycle should include quality control
stages, with code review at module and system level,
including both static and dynamic testing. Code language
choice considers security issues such as type safety and

Ensure all projects go through a security assessment to


confirm they are secure by design.

Continuously acquire, assess, and act on new information


in order to identify vulnerabilities, remediate, and minimize
the window of opportunity for attackers.
Ensure all projects go through a security assessment to
confirm they are secure by design.

The processes and tools used to


track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on servers,
networks, and applications.

processes to detail operational progress against strategic


requirements. Governance should align to organisation
policy; reporting is shared with senior leadership to

response infrastructure (e.g., plans, defined roles, training,


communications, management oversight) for quickly
reputation,
discoveringbyandeveloping
attack and and
thenimplementing an incident
effectively containing the
response infrastructure (e.g., plans, defined roles, training,
communications, management oversight) for quickly
discovering ancomplement
functions that attack and then
eacheffectively containing
other, providing the
reporting
damage, eradicating the attacker’s presence, and
processes to detail operational progress against strategic
requirements. Governance should align to organisation
policy; reporting
reputation, is shared and
by developing withimplementing
senior leadership to
an incident
explain
response theinfrastructure
delivery success
(e.g.,of the entire
plans, security
defined roles, training,
communications, management oversight) for quickly
discovering an attack and then effectively containing the
damage, eradicating the attacker’s presence, and
Organisational policies are a set of rules that the
organisation should abide by. Specific policies will be
constructed in relation to security and should map to the
overarching security strategy and principles of the
organisation; essentially policy should underpin the
resilience of the organisation. Developing and
organisation’s security objectives.
organisation’s ability to detect, prevent, minimise and deal
with the impact of disruptive events. In the aftermath of an
incident the BCM plan will enable critical activities within
the organisation to continue. In the longer term it will help
reputation,
the business bytodeveloping and
recover and implementing
return an as
to Business incident
Usual
response infrastructure (e.g., plans, defined roles, training,
communications, management oversight) for quickly
discovering an attack and then effectively containing the
damage,
response eradicating the(e.g.,
infrastructure attacker’s
plans,presence, and training,
defined roles,
communications, management oversight) for quickly
reputation,
discoveringby andeveloping
attack and and
thenimplementing an incident
effectively containing the
response infrastructure (e.g., plans, defined roles, training,
communications, management oversight) for quickly
discovering an attack and then effectively containing the
response infrastructure
damage, eradicating the(e.g., plans,presence,
attacker’s defined roles,
and training,
communications, management oversight) for quickly
discovering an attack and
response infrastructure then
(e.g., effectively
plans, definedcontaining the
roles, training,
communications, management oversight) for quickly
discovering
processes toan attack
detail and then effectively
operational containing
progress against the
strategic
requirements. Governance should align to organisation
policy; reporting is shared with senior leadership to

Perform security assessment of live systems to test the


overall strength of an organization’s defence (the
technology, the processes, and the people) by simulating
the objectives and actions of an attacker.
Perform security assessment of live systems to test the
overall strength of an organization’s defence (the
technology, the processes, and the people) by simulating
the objectives and actions of an attacker.
Perform security assessment of live systems to test the
overall strength of an organization’s defence (the
technology, the processes, and the people) by simulating
the objectives and actions of an attacker.
Perform security assessment of live systems to test the
overall strength of an organization’s defence (the
technology, the processes, and the people) by simulating
the objectives and actions of an attacker.
Reference

BC-001

BC-002

BC-009
DC-001
RN-002
RN-005
RI-003
CN-003
CN-004

CN-005
CN-006

CN-007
NO-009
SO-003
Description
Board Level Engagement, where organisations fail to recognise security at Board level there is likely to be a gap in t
priorities and future investment on programmes. This gap introduces unnecessary security and fraud risks.
Organisations should have a role formally recognising security as a responsibility, CISO’s often fulfil this role. Alterna
to influence and direct enterprise level investment and change.
Physical security controls. To reduce the risk of a physical attack being used to facilitate a logical attack an Operato
controls holistically.
Source devices that have secure IMEI implementations.
Prevent user tracking though the appropriate use of temporary device identities, for instance before the device has a
Ensure RAN sharing initiatives isolate data, user and control traffic correctly
Maintain an accurate record of roaming information.
Prevent eavesdropping, the unauthorised deletion and modification of voicemail content, settings and greetings and
Use customer anonymization techniques to protect identifiers that can be used to identify and track individual custom
Prevent unsolicited messaging traffic (RCS, SMS and MMS) reaching unsuspecting customers and causing potentia
elements.
To prevent fraudulent activity regular reconciliation of systems is required.

Control which devices can access the network to protect against the connection of counterfeit, stolen and substanda
Ensure cryptographic key material is protected correctly using a Cryptographic key management system (CKMS).
Utilise open source information (OSINT) and other contextual information to increase awareness of the threat landsc

You might also like