CIS Controls v8 Mapping To GSMA FS.31 Baseline Security Controls v2.0
CIS Controls v8 Mapping To GSMA FS.31 Baseline Security Controls v2.0
31 Baseline Security Co
Last updated Dec 2021
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]
Editors
Thomas Sager
Contributors
License for Use
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nc-nd/4.0/legalcode
To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
the prior approval of CIS® (Center for Internet Security, Inc.).
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-
are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to
CIS Controls Navigator
Remember to download the CIS Controls Version 8 Guide where you can learn more about:
A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/
Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
Mapping Methodology
Mapping Methodology
This page describes the methodology used to map the CIS Controls to FS.31 GSMA Baseline Security Co
Reference link for FS.31 GSMA Baseline Security Controls: https://www.gsma.com/security/resources/fs-3
The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
The general strategy used is to identify all of the aspects within a control and attempt to discern if both item
For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights
If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of 5 possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• Intersects: Although the CIS Control and the defensive mitigation have many similarities, neither is contai
awareness program and another requiring an information governance program.
• No relationship: This will be represented by a blank cell.
The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m
The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.
If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
CIS Security
CIS Safeguard Asset Type
Control Function
5
5 5.1 Users Identify
10
10 10.1 Devices Protect
11
12
13
14
15
17
18
Actively manage (inventory, track, and correct) all software (operating systems and applications) o
network so that only authorized software is installed and can execute, and that unauthorized and u
software is found and prevented from installation or execution.
Establish and Maintain a
Software Inventory
Ensure Authorized Software is
Currently Supported
Address Unauthorized Software
Utilize Automated Software
Inventory Tools
Allowlist Authorized Software
Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose
Establish and maintain the secure configuration of enterprise assets (end-user devices, including p
mobile; network devices; non-computing/IoT devices; and servers) and software (operating system
applications).
Uninstall or Disable
Unnecessary Services on
Enterprise Assets and Software
Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, inclu
administrator accounts, as well as service accounts, to enterprise assets and software.
Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
administrator, and service accounts for enterprise assets and software.
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the e
infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monito
private industry sources for new threat and vulnerability information.
Establish and Maintain a
Vulnerability Management
Process
Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Remediate Detected
Vulnerabilities
Remediate Detected
Vulnerabilities
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover
attack.
Standardize Time
Synchronization
Improve protections and detections of threats from email and web vectors, as these are opportuniti
attackers to manipulate human behavior through direct engagement.
Restrict Unnecessary or
Unauthorized Browser and
Email Client Extensions
Implement DMARC
Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts
enterprise assets.
Enable Anti-Exploitation
Features
Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a
and trusted state.
Network Infrastructure
Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
attackers from exploiting vulnerable network services and access points.
Centralize Network
Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
Management and
Communication Protocols
Ensure Remote Devices Utilize
a VPN and are Connecting to
an Enterprise’s AAA
Infrastructure
Establish and Maintain
Dedicated Computing
Resources for All Administrative
Work
Operate processes and tooling to establish and maintain comprehensive network monitoring and d
against security threats across the enterprise’s network infrastructure and user base.
Establish and maintain a security awareness program to influence behavior among the workforce t
conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
critical IT platforms or processes, to ensure these providers are protecting those platforms and dat
appropriately.
Establish and Maintain an
Inventory of Service Providers
Establish and Maintain a
Service Provider Management
Policy
Securely Decommission
Service Providers
Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, dete
remediate security weaknesses before they can impact the enterprise.
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, p
defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Designate Personnel to
Manage Incident Handling
Establish and Maintain Contact
Information for Reporting
Security Incidents
Establish and Maintain an
Enterprise Process for
Reporting Incidents
Establish and Maintain an
Enterprise Process for
Reporting Incidents
Establish and Maintain an
Incident Response Process
Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weakn
controls (people, processes, and technology), and simulating the objectives and actions of an attac
l of Enterprise Assets
ces; non-computing/Internet of Things (IoT) devices; and servers) connected to the
ally, virtually, remotely, and those within cloud environments, to accurately know the
need to beservers. Ensure
monitored andtheprotected
inventory within
recordsthe
theenterprise.
network address (if static),
This will hardware
also support
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and those
within cloud
servers. environments.
Ensure Additionally,
the inventory records theit includes assets that
network address are regularly
(if static), connected
hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and those
within
Ensurecloud
that aenvironments.
process existsAdditionally,
to address itunauthorized
includes assets thaton
assets are regularly
a weekly connected
basis. The
enterprise may choose to remove the asset from the network, deny the asset from
connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management
tools to update the enterprise’s asset inventory. Review and use logs to update the
enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network.
Review and use scans to update the enterprise’s asset inventory at least weekly, or
more frequently.
l of Software Assets
entory, track, and correct) all software (operating systems and applications) on the
authorized software is installed and can execute, and that unauthorized and unmanaged
d prevented from installation or execution.
enterprise assets. The software inventory must document the title, publisher, initial
install/use date, and business purpose for each entry; where appropriate, include the
Uniform Resource
software inventory Locator (URL),assets.
for enterprise app store(s), version(s),
If software deployment
is unsupported, yet mechanism,
necessary for
and decommission date. Review and update the software inventory bi-annually,
the fulfillment of the enterprise’s mission, document an exception detailing mitigating or
controls and residual risk acceptance. For any unsupported software without an
exception
Ensure that documentation, designate
unauthorized software is as unauthorized.
either removed fromReview
use the software list
on enterprise to verify
assets or
receives a documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate
the discovery and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
nd technical controls to identify, classify, securely handle, retain, and dispose of data.
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise. Review
and update documentation annually, or when significant enterprise changes occur that
Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory
annually, at a minimum, with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.
Retain data according to the enterprise’s data management process. Data retention
must include both minimum and maximum timelines.
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets,
Implementincluding those located
an automated onsite
tool, such asor
a at a remote Data
host-based service provider,
Loss and update
Prevention the
(DLP) tool
enterprise's sensitive data inventory.
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's
Log sensitivesensitive data inventory.
data access, including modification and disposal.
Log sensitive data access, including modification and disposal.
in the secure configuration of enterprise assets (end-user devices, including portable and
ces; non-computing/IoT devices; and servers) and software (operating systems and
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually,
Establish or
andwhen significant
maintain enterprise
a secure changes
configuration occur for
process thatenterprise
could impact this(end-user
assets
Safeguard.
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule at
a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes,
at a minimum, an 8-character password for accounts using MFA and a 14-character
password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.
ools to create, assign, manage, and revoke access credentials and privileges for user,
rvice accounts for enterprise assets and software.
Establish and follow a process, preferably automated, for granting access to enterprise
assets upon new hire, rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA,
where supported. Enforcing MFA through a directory service or SSO provider is a
satisfactory implementation of this Safeguard.
Require MFA for all administrative access accounts, where supported, on all enterprise
assets, whether managed on-site or through a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization
systems, including those hosted on-site or at a remote service provider. Review and
update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all
theprivileges are authorized,
access rights on each
necessary for a recurring schedule
role within at a minimum
the enterprise annually, orcarry
to successfully more out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
ility Management
ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
er to remediate, and minimize, the window of opportunity for attackers. Monitor public and
ces for new threat and vulnerability information.
Establish and maintain a documented vulnerability management process for enterprise
assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
and retain audit logs of events that could help detect, understand, or recover from an
Establish and maintain an audit log management process that defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise
Establish and changes
maintain an auditoccur that could impact
log management this that
process Safeguard.
defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise
Establish and changes
maintain an auditoccur that could impact
log management this that
process Safeguard.
defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise
Establish and changes
maintain an auditoccur that could impact
log management this that
process Safeguard.
defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an audit log management process that defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the
enterprise’s audit log management process.
Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.
Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Centralize, to the extent possible, audit log collection and retention across enterprise
assets.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
ser Protections
and detections of threats from email and web vectors, as these are opportunities for
ate human behavior through direct engagement.
Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through
the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious
domains.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example implementations
include category-based filtering, reputation-based filtering, or through the use of block
lists. Enforce filters for all enterprise assets.
To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Configure automatic updates for anti-malware signature files on all enterprise assets.
Establish and maintain a data recovery process. In the process, address the scope of
data recovery activities, recovery prioritization, and the security of backup data. Review
and update
Establish documentation
and maintain a dataannually,
recoveryor process.
when significant enterprise
In the process, changes
address the occur
scopethat
of
could impact this Safeguard.
data recovery activities, recovery prioritization, and the security of backup data. Review
and update documentation annually, or when significant enterprise changes occur that
could impact
Perform this Safeguard.
automated backups of in-scope enterprise assets. Run backups weekly, or
more frequently, based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference
encryption or data separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example
implementations include, version controlling backup destinations through offline, cloud,
or off-site systems or services.
, and actively manage (track, report, correct) network devices, in order to prevent
ting vulnerable network services and access points.
Ensure network infrastructure is kept up-to-date. Example implementations include
running the latest stable release of software and/or using currently supported network-
as-a-service (NaaS) offerings. Review software versions monthly, or more frequently,
to verify software support.
Establish and maintain a secure network architecture. A secure network architecture
must address segmentation, least privilege, and availability, at a minimum.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).
Require users to authenticate to enterprise-managed VPN and authentication services
prior to accessing enterprise resources on end-user devices.
Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where
appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System
(NIDS) or equivalent cloud service provider (CSP) service.
Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where
appropriate and/or supported. Example implementations include use of an Endpoint
Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example
implementations include the use of a Network Intrusion Prevention System (NIPS) or
equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user and/or
device authentication.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user and/or
device authentication.
Train workforce to understand how to verify and report out-of-date software patches or
any failures in automated processes and tools. Part of this training should include
notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over,
insecure networks for enterprise activities. If the enterprise has remote workers,
training must include guidance to ensure that all users securely configure their home
network infrastructure.
Conduct role-specific security awareness and skills training. Example implementations
include secure system administration courses for IT professionals, (OWASP® Top 10
vulnerability awareness and prevention training for web application developers, and
advanced social engineering awareness training for high-profile roles.
evaluate service providers who hold sensitive data, or are responsible for an enterprise’s
r processes, to ensure these providers are protecting those platforms and data
Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
for each service provider. Review and update the inventory annually, or when
Establish
significantand maintain
enterprise a service
changes provider
occur management
that could policy.
impact this Ensure the policy
Safeguard.
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes
characteristics, suchoccur thatsensitivity,
as data could impactdatathis Safeguard.
volume, availability requirements,
applicable regulations,
Ensure service providerinherent risk,
contracts and mitigated
include risk. Update and
security requirements. review
Example
classifications annually, or when significant enterprise changes occur
requirements may include minimum security program requirements, security that could impact
incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.
Ensure service provider contracts include security requirements. Example
requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
Ensure service
enterprise’s provider
service contracts
provider include security
management requirements.
policy. Review serviceExample
provider contracts
requirements
annually to ensure contracts are not missing security requirements. security incident
may include minimum security program requirements,
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
Ensure service
enterprise’s provider
service contracts
provider include security
management requirements.
policy. Review serviceExample
provider contracts
requirements
annually to ensure contracts are not missing security requirements. security incident
may include minimum security program requirements,
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
Ensure service
enterprise’s provider
service contracts
provider include security
management requirements.
policy. Review serviceExample
provider contracts
requirements
annually to ensure contracts are not missing security requirements. security incident
may include minimum security program requirements,
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
Ensure service
enterprise’s provider
service contracts
provider include security
management requirements.
policy. Review serviceExample
provider contracts
requirements
annually to ensure contracts are not missing security requirements. security incident
may include minimum security program requirements,
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service
Ensure service provider
provider management
contracts policy. Review
include security serviceExample
requirements. provider contracts
annually to ensure
requirements contracts
may include are not security
minimum missing program
security requirements.
requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
requirements may include
annually to ensure minimum
contracts are not security
missing program requirements, security incident
security requirements.
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service scope
policy. Assessment provider
maymanagement
vary based policy. Review service
on classification(s), provider
and contracts
may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
policy. Assessment
questionnaires, scope
or other may vary based
appropriately on classification(s),
rigorous and may
processes. Reassess include
service review
providers
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment
policy. Card Industry
Assessment (PCI)
scope may Attestation
vary based onofclassification(s),
Compliance (AoC), customized
and may include review
questionnaires,
of standardized assessment reports, such as Service Organization Control 2 providers
or other appropriately rigorous processes. Reassess service (SOC 2)
Assess service
and Payment providers
Card consistent
Industry with the enterprise’s
(PCI) Attestation of Complianceservice
(AoC),provider management
customized
policy. Assessment
questionnaires, scope
or other may vary based
appropriately on classification(s),
rigorous and may
processes. Reassess include
service review
providers
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
Assess service providers
questionnaires, consistent with
or other appropriately the enterprise’s
rigorous processes.service
Reassessprovider management
service providers
policy. Assessment scope may vary based on classification(s),
annually, at a minimum, or with new and renewed contracts. and may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
questionnaires, or other appropriately rigorous processes. Reassess service providers
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
annually, at a minimum, or with new and renewed contracts.
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
Monitor service providers consistent with the enterprise’s service provider management
policy. Monitoring may include periodic reassessment of service provider compliance,
monitoring service provider release notes, and dark web monitoring.
ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and
eaknesses before they can impact the enterprise.
Establish and maintain a secure application development process. In the process,
address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application
Establish andsecurity testing
maintain procedures.
a secure Review
application and update
development documentation
process. annually, or
In the process,
when significant enterprise changes occur that could impact this Safeguard.
address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security
Establish and testing
maintain procedures.
a secure Review
application and update
development documentation
process. annually, or
In the process,
when significant
address enterprise
such items changes
as: secure occur design
application that could impact this
standards, Safeguard.
secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing procedures. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure application development process. In the process,
address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing procedures. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure application development process. In the process,
address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing
process, responsible procedures.
party for Review and reports,
handling vulnerability update documentation annually,
and a process for intake,or
when significant enterprise changes occur that could impact this Safeguard.
assignment, remediation, and remediation testing. As part of the process, use a
vulnerability tracking system that includes severity ratings, and metrics for measuring
timing for identification, analysis, and remediation of vulnerabilities. Review and update
documentation annually,
Perform root cause or when
analysis significant
on security enterprise When
vulnerabilities. changes occur that
reviewing could
vulnerabilities,
impact this analysis
root cause Safeguard.is the task of evaluating underlying issues that create
vulnerabilities in code, and
Establish and manage allows development
an updated teams to move
inventory of third-party beyond used
components just fixing
in
individual vulnerabilities as they arise.
development, often referred to as a “bill of materials,” as well as components slated for
future use. This inventory is to include any risks that each third-party component could
pose. Evaluate the list at least monthly to identify any changes or updates to these
Use up-to-date
components, andand trustedthat
validate third-party softwareiscomponents.
the component When possible, choose
still supported.
established and proven frameworks and libraries that provide adequate
security. Acquire these components from trusted sources or evaluate the software for
Establish and maintain
vulnerabilities a severity rating system and process for application
before use.
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe bugs
Establish and maintain a severity rating system and process for application
are fixed first. Review and update the system and process annually.
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe bugs
are fixed first. Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for application
infrastructure components. This includes underlying servers, databases, and web
servers, and applies to cloud containers, Platform as a Service (PaaS) components,
and SaaS components. Do not allow in-house developed software to weaken
configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities. Training can include
general security principles and application security standard practices. Conduct training
at least annually and design in a way to promote security within the development team,
and build athat
operation culture of security
the user makes,among the developers.
promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats. Secure
include the concept
design also of least privilege
means minimizing and enforcing
the application mediation
infrastructure to validate
attack surface,every
such as
operation that the user makes, promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats. Secure
design also means minimizing the application infrastructure attack surface, such as
critical
turning security functions
off unprotected will and
ports reduce developers’
services, workload
removing and minimize
unnecessary the likelihood
programs and files,
of design or implementation errors. Modern operating systems provide effective
mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and
Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.
penetration testing is better suited to finding business logic vulnerabilities than code
scanning and automated security testing. Penetration testing relies on the skill of the
tester to manually
conducted throughmanipulate an application
specially trained as who
individuals an authenticated
evaluate the and unauthenticated
application design
and gauge security risks for each entry point and access level. The goal is to map out
anagement
o develop and maintain an incident response capability (e.g., policies, plans, procedures,
g, and communications) to prepare, detect, and quickly respond to an attack.
and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using
Establish andvendor,
a third-party maintain contact at
designate information
least one for parties
person that need
internal to thetoenterprise
be informed of
to oversee
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing
Establishand
andAnalysis
maintainCenter (ISAC) partners,
an enterprise or other
process for stakeholders.
the workforce Verify
to report contacts
security
annually to ensure that information is up-to-date.
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the
process
Establishisand
publicly available
maintain to all of the
an enterprise workforce.
process for theReview annually,
workforce or when
to report security
significant enterprise changes occur that could impact this Safeguard.
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders,
Determine which and analysts,
primary andas applicable.
secondary Review annually,
mechanisms or when
will be significant
used to communicate and
enterprise changes occur that could impact this Safeguard.
report during a security incident. Mechanisms can include phone calls, emails, or
letters. Keep in mind that certain mechanisms, such as emails, can be affected during
a security
Plan incident.routine
and conduct Review annually,
incident or whenexercises
response significant enterprise
and changes
scenarios occur that
for key personnel
could impact
involved in thethis Safeguard.
incident response process to prepare for responding to real-world
incidents. Exercises need to test communication channels, decision making, and
workflows.
Conduct Conduct testing
post-incident on an
reviews. annual basis,
Post-incident at a minimum.
reviews help prevent incident recurrence
through identifying lessons learned and follow-up action.
differentiating between an incident and an event. Examples can include: abnormal
activity, security vulnerability, security weakness, data breach, privacy incident, etc.
Review annually, or when significant enterprise changes occur that could impact this
Remediate penetration test findings based on the enterprise’s policy for remediation
scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify
rulesets and capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less
than annually. The testing may be clear box or opaque box.
IG1 IG2 IG3 Relationship Reference
X X X Subset NO-001
X X X Subset NO-004
X X X
X X
X X
X X X
X X X
X X X
X X
X X
X X
X Subset NO-005
X X X Subset BC-003
X X X
X X X Subset CN-008
X X X Subset NO-010
X X X
X X X Subset BC-12
X X X
X X Subset BC-003
X X
X X
X X Equivalent RN-001
X X Superset CN-002
X X Subset NO-010
X X Subset NO-010
X X Subset CN-008
X X Superset NO-003
X Subset CN-008
X Subset NO-010
X Subset CN-008
X Subset NO-010
X X X Subset BC-003
X X X Subset NO-002
X X X Subset NO-002
X X X Superset NO-003
X X X
X X X Superset CN-002
X X X Subset NO-004
X X X Subset NO-004
X X X
X X X Subset NO-001
X X X Subset NO-005
X X
X X
X X
X X
X
X X X Subset NO-005
X X X Subset NO-005
X X X Subset CN-008
X X X Subset NO-005
X X
X X
X X X Subset CN-001
X X X Subset CN-001
X X X
X X X
X X X Subset NO-005
X X
X X
X Subset BC-003
X Subset CN-008
X X X Subset BC-003
X X X Subset NO-006
X X X Subset BC-004
X X X Subset NO-006
X X X Superset DC-002
X X X Superset DC-002
X X Subset NO-006
X X Subset SO-005
X X Subset NO-004
X X Subset NO-006
X X Subset SO-005
X X Subset NO-006
X X Subset SO-005
X X X Subset BC-003
X X X Subset BC-004
X X X Subset NO-007
X X X Equivalent SO-001
X X X Subset SO-006
X X X Superset RI-004
X X X Subset NO-007
X X X Subset SO-001
X X X Subset SO-006
X X X
X X
X X Subset NO-005
X X Subset NO-010
X X
X X
X X
X X Subset SO-006
X X
X X Subset BC-004
X X Subset NO-007
X X Subset SO-001
X X Subset SO-006
X X X
X X X
X X
X X
X X
X X
X Subset SO-002
X X X Subset SO-002
X X X Subset SO-002
X X X
X X
X X
X X Subset SO-002
X X
X X X Subset BC-003
X X X Subset BC-008
X X X
X X X
X X X
X X Subset SO-004
X X X
X X Subset BC-003
X X Subset BC-004
X X Superset RN-007
X X Superset RI-002
X X Superset RN-006
X X Superset RN-007
X X
X X
X X
X X
X Intersects NO-005
X X Superset RI-004
X X Subset NO-007
X X Subset SO-001
X X Subset SO-006
X X
X X Superset RN-003
X X Superset RI-001
X X
X X Subset SO-001
X
X Subset NO-001
X Subset NO-004
X Superset RI-001
X Subset NO-004
X Subset NO-007
X Subset SO-006
X X X Subset BC-003
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X
X X X
X X Subset BC-003
X X Superset SIM-001
X X
X X Subset BC-010
X X Superset SIM-002
X X Superset IOT-001
X X Superset IOT-002
X X Superset IOT-003
X X Superset IOT-004
X X Superset IOT-006
X X Superset NO-011
X Subset BC-11
X Superset IOT-001
X Superset IOT-002
X Superset IOT-003
X Superset IOT-004
X Superset IOT-005
X
X X Subset BC-003
X X Subset BC-004
X X Subset BC-005
X X Subset BC-006
X X Subset BC-007
X X
X X
X X
X X
X X Subset BC-005
X X Subset NO-006
X X
X X
X X
X X Subset BC-005
X X Subset NO-005
X X
X Subset BC-004
X
X
X X X Subset SO-004
X X X Subset SO-004
X X X Subset BC-004
X X X Subset SO-004
X X Subset BC-003
X X Subset BC-008
X X Subset SO-004
X X Subset SO-004
X X Subset SO-004
X X Subset SO-004
X X Subset SO-004
X Subset BC-004
X X Equivalent SO-005
X X Subset SO-005
X X Subset SO-005
X
X Subset SO-005
Objective
BC-001
BC-002
BC-009
DC-001
RN-002
RN-005
RI-003
CN-003
CN-004
CN-005
CN-006
CN-007
NO-009
SO-003
Description
Board Level Engagement, where organisations fail to recognise security at Board level there is likely to be a gap in t
priorities and future investment on programmes. This gap introduces unnecessary security and fraud risks.
Organisations should have a role formally recognising security as a responsibility, CISO’s often fulfil this role. Alterna
to influence and direct enterprise level investment and change.
Physical security controls. To reduce the risk of a physical attack being used to facilitate a logical attack an Operato
controls holistically.
Source devices that have secure IMEI implementations.
Prevent user tracking though the appropriate use of temporary device identities, for instance before the device has a
Ensure RAN sharing initiatives isolate data, user and control traffic correctly
Maintain an accurate record of roaming information.
Prevent eavesdropping, the unauthorised deletion and modification of voicemail content, settings and greetings and
Use customer anonymization techniques to protect identifiers that can be used to identify and track individual custom
Prevent unsolicited messaging traffic (RCS, SMS and MMS) reaching unsuspecting customers and causing potentia
elements.
To prevent fraudulent activity regular reconciliation of systems is required.
Control which devices can access the network to protect against the connection of counterfeit, stolen and substanda
Ensure cryptographic key material is protected correctly using a Cryptographic key management system (CKMS).
Utilise open source information (OSINT) and other contextual information to increase awareness of the threat landsc