CIS RAM v2.1 For IG3 Workbook 22.05
Uploaded by Romeo Andreica
CIS RAM v2.1 for IG3

The CIS RAM for IG3 Workbook protects most cells in the Risk Register and lookup tables to prevent users from accidentally changing the formulas and lookups that automate the risk analysis.

If users are confident in their use of Microsoft® Excel and wish to modify values, such as Risk Acceptance Criteria, they may “unprotect” the document by going to the “Review” tab in the Excel menu and selecting the “Unprotect sheet” button. However, guidance for maintenance of the Workbook, formulas, lookups, and protected cells is beyond the scope of this document.

Additionally, CIS RAM v2.1 for IG3 is customized to incorporate values from the CIS CDM v2.0 analysis. In some instances, enterprises may choose to deviate from the data inputs that are pre-populated in the Workbook. However, guidance for deviations is beyond the scope of this document.
Remember to download the CIS Critical Security Controls (CIS Controls) Version 8 Guide where you can learn more about:
• This Version of the CIS Controls
• The CIS Controls Ecosystem ("It's not about the list")
• How to Get Started
• Using or Transitioning from Prior Versions of the CIS Controls
• Structure of the CIS Controls
• Implementation Groups
• Why is this Control critical?
• Procedures and Tools

https://www.cisecurity.org/controls/v8/

This is a free tool with a dynamic list of the CIS Safeguards that can be filtered by Implementation Groups and mappings to multiple
frameworks.

https://www.cisecurity.org/controls/v8

Join our Community where you can discuss the CIS Controls with our global army of experts and volunteers!
https://workbench.cisecurity.org/dashboard

CIS CSAT (Controls Self Assessment Tool)

Overview: The CIS Controls® Self Assessment Tool, also known as CIS CSAT, enables organizations to assess and track their
implementation of the CIS Controls for Versions 8 and 7.1. The CIS Controls are a prioritized set of consensus-developed security best
practices used by organizations around the world to defend against cyber threats.

TWO TYPES:
CIS-Hosted CSAT: The CIS-hosted version of CIS CSAT is free to every organization for use in a non-commercial capacity to conduct
CIS Controls assessments of their organization. (released January 2019)
https://csat.cisecurity.org/

CIS CSAT Pro: The on-premises version of CIS CSAT is available exclusively for CIS SecureSuite Members. This version offers additional features and benefits:
• Save time by using a simplified scoring method with a reduced number of questions
• Decide whether to opt in to share data and see how scores compare to industry average
• Greater flexibility with organization trees for tracking organizations, sub-organizations, and assessments
• Assign users to different roles for different organizations/sub-organizations as well as greater separation of administrative and non-administrative roles
• Track multiple concurrent assessments in the same organization
• Easily access your tasks, assessments, and organizations from a consolidated home page
• Includes CIS Controls Safeguard mappings to NIST CSF, NIST SP 800-53, and PCI
(released August 2020)

https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat/
1 Mission
Prompt: How would you concisely describe the benefit that your enterprise provides your customers, clients, constituents, or the public? This is why they engage in this risk with you.
Response:

Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would determine that the impacts to your mission were acceptable, or unacceptable.

Impact Magnitude: Negligible
  Prompt: What observable evidence would you have that your mission - as you defined it above - would be unaffected?
  Response: The mission would remain intact.
Impact Magnitude: Acceptable
  Prompt: What observable evidence would you have that your mission would be compromised, but it would not require correction?
  Response: This mission would not be perfectly achieved, but could be recovered within normal operations.
Impact Magnitude: Unacceptable
  Prompt: What observable evidence would you have that your mission would be compromised in a way that would require correction, but the correction could be achieved through the normal course of business?
  Response: This mission would not be achieved, and would require short-term, unplanned efforts, resources, or investments to recover.
Impact Magnitude: High
  Prompt: What observable evidence would you have that your mission would be compromised so badly that extraordinary efforts would be required to restore it?
  Response: This mission would not be achieved. If significant, unplanned efforts, resources, or investments are not made, the mission may not ever be achievable.
Impact Magnitude: Catastrophic
  Prompt: What observable evidence would you have that your mission would be compromised so badly that it could not be achieved?
  Response: The mission would not be achievable.

2 Operational Objectives
Prompt: What business or organizational goals does the enterprise attempt to achieve?
Response:

Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would determine that the impacts to your operational objectives were acceptable, or unacceptable.

Impact Magnitude: Negligible
  Prompt: What observable evidence would you have that your operational objectives - as you defined them above - would be unaffected?
  Response: Growth plan would be intact.
Impact Magnitude: Acceptable
  Prompt: What observable evidence would you have that your operational objectives would be compromised, but it would not require correction?
  Response: Growth plan would be off target, but within variance.
Impact Magnitude: Unacceptable
  Prompt: What observable evidence would you have that your operational objectives would be compromised in a way that would require correction, but the correction could be achieved through the normal course of business?
  Response: Growth plan would be out of variance, but can be recovered within a fiscal year.
Impact Magnitude: High
  Prompt: What observable evidence would you have that your operational objectives would be compromised so badly that extraordinary efforts would be required to restore them?
  Response: Growth plan would be out of variance, and may require multiple years to correct.
Impact Magnitude: Catastrophic
  Prompt: What observable evidence would you have that your operational objectives would be compromised so badly that they could not be achieved?
  Response: We would not be able to grow.

3 Financial Objectives
Prompt: What are the unexpected cost outlays that your enterprise could or could not tolerate?
Response:

Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would determine that the impacts to your financial objectives were acceptable, or unacceptable.

Impact Magnitude: Negligible
  Prompt: What observable evidence would you have that your financial objectives - as you defined them above - would be unaffected?
  Response:
Impact Magnitude: Acceptable
  Prompt: What observable evidence would you have that your financial objectives would be compromised, but it would not require correction?
  Response:
Impact Magnitude: Unacceptable
  Prompt: What observable evidence would you have that your financial objectives would be compromised in a way that would require correction, but the correction could be achieved through the normal course of business?
  Response:
Impact Magnitude: High
  Prompt: What observable evidence would you have that your financial objectives would be compromised so badly that extraordinary efforts would be required to restore them?
  Response:
Impact Magnitude: Catastrophic
  Prompt: Leave this blank
  Response:

4 Obligations
Prompt: What harm may foreseeably come to others as a result of a cybersecurity incident?
Response:

Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would determine that the impacts to your obligations (harm, to others) were acceptable, or unacceptable.

Impact Magnitude: Negligible
  Prompt: Describe a condition where others would not be harmed.
  Response: No harm could foreseeably result.
Impact Magnitude: Acceptable
  Prompt: Describe a condition where others would not be harmed to a degree that required correction or compensation.
  Response: Any harm that could result would not require correction, repair, or compensation to make the harmed parties "whole."
Impact Magnitude: Unacceptable
  Prompt: Describe a condition where one or few others would be harmed to a degree that you could correct.
  Response: Correctible harm may occur to one or few others.
Impact Magnitude: High
  Prompt: Describe a condition where many others would be harmed to a degree that you could correct, or where few others are harmed to a degree that others would always have a small degree of impairment.
  Response: Correctible harm may occur to many others, or harm that can be partially corrected for a few others may occur.
Impact Magnitude: Catastrophic
  Prompt: Describe a condition where others would be irreparably harmed.
  Response: We would not be able to protect others from any degree of harm.
1 Enterprise Risk Assessment Criteria
Enterprise Name:
Scope:
Last Completed (Date):

2 Impact Criteria

Impact Score 1. Negligible
  Mission: The mission would remain intact.
  Operational Objectives: Growth plan would be intact.
  Financial Objectives:
  Obligations: No harm could foreseeably result.
Impact Score 2. Acceptable
  Mission: This mission would not be perfectly achieved, but could be recovered within normal operations.
  Operational Objectives: Growth plan would be off target, but within variance.
  Financial Objectives:
  Obligations: Any harm that could result would not require correction, repair, or compensation to make the harmed parties "whole."
Impact Score 3. Unacceptable
  Mission: This mission would not be achieved, and would require short-term, unplanned efforts, resources, or investments to recover.
  Operational Objectives: Growth plan would be out of variance, but can be recovered within a fiscal year.
  Financial Objectives:
  Obligations: Correctible harm may occur to one or few others.
Impact Score 4. High
  Mission: This mission would not be achieved. If significant, unplanned efforts, resources, or investments are not made, the mission may not ever be achievable.
  Operational Objectives: Growth plan would be out of variance, and may require multiple years to correct.
  Financial Objectives:
  Obligations: Correctible harm may occur to many others, or harm that can be partially corrected for a few others may occur.
Impact Score 5. Catastrophic
  Mission: The mission would not be achievable.
  Operational Objectives: We would not be able to grow.
  Financial Objectives:
  Obligations: We would not be able to protect others from any degree of harm.

3 Expectancy Criteria

Expectancy Score 1. Remote: Safeguard would reliably prevent the threat.
Expectancy Score 2. Unlikely: Safeguard would reliably prevent most occurrences of the threat.
Expectancy Score 3. As likely as not: Safeguard would prevent as many threat occurrences as it would miss.
Expectancy Score 4. Likely: Safeguard would prevent few threat occurrences.
Expectancy Score 5. Certain: Safeguard would not prevent threat occurrences.

4 Risk Acceptance Criteria

We would start to invest against risks to prevent this expectancy and impact, or higher.
Expectancy:
Impact:
Acceptable Risk is less than … 0
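As an added illustration of how the criteria above combine (example code written for this page, not part of the CIS RAM Workbook or its formulas): it assumes, following the CIS RAM method, that a Safeguard's Risk Score is its Expectancy Score multiplied by the highest of its four Impact Scores, that the Expectancy scores after Remote run 2 to 5 in the order listed, and that a risk is acceptable only when its score is below the Expectancy × Impact product of the Risk Acceptance Criteria. The sample register rows and the acceptance criteria (3 × 3 = 9) are constructed.

```python
"""Risk scoring against the CIS RAM v2.1 for IG3 criteria reproduced above.

Added example, not code from the CIS RAM Workbook. It assumes that
Risk Score = Expectancy Score x the highest of the four Impact Scores, and
that a risk is acceptable only when its score is below Expectancy x Impact
from the Risk Acceptance Criteria ("this expectancy and impact, or higher"
is where the enterprise starts to invest).
"""
from dataclasses import dataclass
from typing import Iterable

# Expectancy Criteria in the order the worksheet lists them. The worksheet
# shows score 1 for Remote; scores 2..5 for the rest are assumed to follow.
EXPECTANCY_SCORES = {
    "Remote": 1,            # Safeguard would reliably prevent the threat.
    "Unlikely": 2,          # ... reliably prevent most occurrences.
    "As likely as not": 3,  # ... prevent as many occurrences as it misses.
    "Likely": 4,            # ... prevent few threat occurrences.
    "Certain": 5,           # ... would not prevent threat occurrences.
}

# Impact Criteria scores exactly as numbered on the worksheet.
IMPACT_SCORES = {
    "Negligible": 1,
    "Acceptable": 2,
    "Unacceptable": 3,
    "High": 4,
    "Catastrophic": 5,
}


def score(name: str, scale: dict) -> int:
    """Translate a criteria label into its score; reject labels not on the scale."""
    try:
        return scale[name]
    except KeyError:
        raise ValueError(f"{name!r} is not a defined criteria label") from None


@dataclass(frozen=True)
class AcceptanceCriteria:
    """Risk Acceptance Criteria: the Expectancy and Impact at which investment starts."""
    expectancy: int
    impact: int

    @property
    def threshold(self) -> int:
        # The worksheet's "Acceptable Risk is less than ..." cell.
        return self.expectancy * self.impact


@dataclass(frozen=True)
class RiskEntry:
    """One Risk Register row: a CIS Safeguard and its analysed scores."""
    safeguard: str
    title: str
    expectancy: int
    impact_mission: int
    impact_operational: int
    impact_financial: int
    impact_obligations: int

    def __post_init__(self) -> None:
        for value in (self.expectancy, self.impact_mission, self.impact_operational,
                      self.impact_financial, self.impact_obligations):
            if not 1 <= value <= 5:
                raise ValueError(f"score {value} is outside the 1..5 criteria scale")


def highest_impact(entry: RiskEntry) -> int:
    """Assumption: the impact that counts is the worst of the four impact areas."""
    return max(entry.impact_mission, entry.impact_operational,
               entry.impact_financial, entry.impact_obligations)


def risk_score(entry: RiskEntry) -> int:
    return entry.expectancy * highest_impact(entry)


def risk_level(entry: RiskEntry, criteria: AcceptanceCriteria) -> str:
    # "or higher" in the acceptance statement makes a score equal to the
    # threshold unacceptable, so the comparison is strict.
    return "Acceptable" if risk_score(entry) < criteria.threshold else "Unacceptable"


def summarize(entries: Iterable[RiskEntry], criteria: AcceptanceCriteria) -> dict:
    """The High / Average / Unacceptable Count cells of the register summary."""
    rows = list(entries)
    scores = [risk_score(e) for e in rows]
    return {
        "High": max(scores, default=0),
        "Average": round(sum(scores) / len(scores), 2) if scores else 0,
        "Unacceptable Count": sum(1 for e in rows if risk_level(e, criteria) == "Unacceptable"),
    }


# Constructed sample rows for three Safeguards from the Risk Register list.
SAMPLE_CRITERIA = AcceptanceCriteria(expectancy=score("As likely as not", EXPECTANCY_SCORES),
                                     impact=score("Unacceptable", IMPACT_SCORES))  # 3 x 3 = 9
SAMPLE_REGISTER = [
    RiskEntry("1.1", "Establish and Maintain Detailed Enterprise Asset Inventory",
              score("Unlikely", EXPECTANCY_SCORES), 2, 2, 1, 1),
    RiskEntry("5.2", "Use Unique Passwords", score("Likely", EXPECTANCY_SCORES), 3, 2, 2, 4),
    RiskEntry("11.2", "Perform Automated Backups",
              score("As likely as not", EXPECTANCY_SCORES), 3, 3, 3, 2),  # 9: equals threshold
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(entry.safeguard, risk_score(entry), risk_level(entry, SAMPLE_CRITERIA))
    print(summarize(SAMPLE_REGISTER, SAMPLE_CRITERIA))
```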

Risk Register: Risk Analysis

CIS Safeguard # | CIS Safeguard Title | Asset Class | NIST CSF Security Function
1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | Devices | Identify
1.2 | Address Unauthorized Assets | Devices | Respond
1.3 | Utilize an Active Discovery Tool | Devices | Detect
1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | Devices | Identify
1.5 | Use a Passive Asset Discovery Tool | Devices | Detect
2.1 | Establish and Maintain a Software Inventory | Applications | Identify
2.2 | Ensure Authorized Software is Currently Supported | Applications | Identify
2.3 | Address Unauthorized Software | Applications | Respond
2.4 | Utilize Automated Software Inventory Tools | Applications | Detect
2.5 | Allowlist Authorized Software | Applications | Protect
2.6 | Allowlist Authorized Libraries | Applications | Protect
2.7 | Allowlist Authorized Scripts | Applications | Protect
3.1 | Establish and Maintain a Data Management Process | Data | Identify
3.2 | Establish and Maintain a Data Inventory | Data | Identify
3.3 | Configure Data Access Control Lists | Data | Protect
3.4 | Enforce Data Retention | Data | Protect
3.5 | Securely Dispose of Data | Data | Protect
3.6 | Encrypt Data on End-User Devices | Devices | Protect
3.7 | Establish and Maintain a Data Classification Scheme | Data | Identify
3.8 | Document Data Flows | Data | Identify
3.9 | Encrypt Data on Removable Media | Data | Protect
3.10 | Encrypt Sensitive Data in Transit | Data | Protect
3.11 | Encrypt Sensitive Data at Rest | Data | Protect
3.12 | Segment Data Processing and Storage Based on Sensitivity | Network | Protect
3.13 | Deploy a Data Loss Prevention Solution | Data | Protect
3.14 | Log Sensitive Data Access | Data | Detect
4.1 | Establish and Maintain a Secure Configuration Process | Applications | Protect
4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | Network | Protect
4.3 | Configure Automatic Session Locking on Enterprise Assets | Users | Protect
4.4 | Implement and Manage a Firewall on Servers | Devices | Protect
4.5 | Implement and Manage a Firewall on End-User Devices | Devices | Protect
4.6 | Securely Manage Enterprise Assets and Software | Network | Protect
4.7 | Manage Default Accounts on Enterprise Assets and Software | Users | Protect
4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | Devices | Protect
4.9 | Configure Trusted DNS Servers on Enterprise Assets | Devices | Protect
4.10 | Enforce Automatic Device Lockout on Portable End-User Devices | Devices | Respond
4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | Devices | Protect
4.12 | Separate Enterprise Workspaces on Mobile End-User Devices | Devices | Protect
5.1 | Establish and Maintain an Inventory of Accounts | Users | Identify
5.2 | Use Unique Passwords | Users | Protect
5.3 | Disable Dormant Accounts | Users | Respond
5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | Users | Protect
5.5 | Establish and Maintain an Inventory of Service Accounts | Users | Identify
5.6 | Centralize Account Management | Users | Protect
6.1 | Establish an Access Granting Process | Users | Protect
6.2 | Establish an Access Revoking Process | Users | Protect
6.3 | Require MFA for Externally-Exposed Applications | Users | Protect
6.4 | Require MFA for Remote Network Access | Users | Protect
6.5 | Require MFA for Administrative Access | Users | Protect
6.6 | Establish and Maintain an Inventory of Authentication and Authorization Systems | Users | Identify
6.7 | Centralize Access Control | Users | Protect
6.8 | Define and Maintain Role-Based Access Control | Data | Protect
7.1 | Establish and Maintain a Vulnerability Management Process | Applications | Protect
7.2 | Establish and Maintain a Remediation Process | Applications | Respond
7.3 | Perform Automated Operating System Patch Management | Applications | Protect
7.4 | Perform Automated Application Patch Management | Applications | Protect
7.5 | Perform Automated Vulnerability Scans of Internal Enterprise Assets | Applications | Identify
7.6 | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | Applications | Identify
7.7 | Remediate Detected Vulnerabilities | Applications | Respond
8.1 | Establish and Maintain an Audit Log Management Process | Network | Protect
8.2 | Collect Audit Logs | Network | Detect
8.3 | Ensure Adequate Audit Log Storage | Network | Protect
8.4 | Standardize Time Synchronization | Network | Protect
8.5 | Collect Detailed Audit Logs | Network | Detect
8.6 | Collect DNS Query Audit Logs | Network | Detect
8.7 | Collect URL Request Audit Logs | Network | Detect
8.8 | Collect Command-Line Audit Logs | Devices | Detect
8.9 | Centralize Audit Logs | Network | Detect
8.10 | Retain Audit Logs | Network | Protect
8.11 | Conduct Audit Log Reviews | Network | Detect
8.12 | Collect Service Provider Logs | Data | Detect
9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | Applications | Protect
9.2 | Use DNS Filtering Services | Network | Protect
9.3 | Maintain and Enforce Network-Based URL Filters | Network | Protect
9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | Applications | Protect
9.5 | Implement DMARC | Network | Protect
9.6 | Block Unnecessary File Types | Network | Protect
9.7 | Deploy and Maintain Email Server Anti-Malware Protections | Network | Protect
10.1 | Deploy and Maintain Anti-Malware Software | Devices | Protect
10.2 | Configure Automatic Anti-Malware Signature Updates | Devices | Protect
10.3 | Disable Autorun and Autoplay for Removable Media | Devices | Protect
10.4 | Configure Automatic Anti-Malware Scanning of Removable Media | Devices | Detect
10.5 | Enable Anti-Exploitation Features | Devices | Protect
10.6 | Centrally Manage Anti-Malware Software | Devices | Protect
10.7 | Use Behavior-Based Anti-Malware Software | Devices | Detect
11.1 | Establish and Maintain a Data Recovery Process | Data | Recover
11.2 | Perform Automated Backups | Data | Recover
11.3 | Protect Recovery Data | Data | Protect
11.4 | Establish and Maintain an Isolated Instance of Recovery Data | Data | Recover
11.5 | Test Data Recovery | Data | Recover
12.1 | Ensure Network Infrastructure is Up-to-Date | Network | Protect
12.2 | Establish and Maintain a Secure Network Architecture | Network | Protect
12.3 | Securely Manage Network Infrastructure | Network | Protect
12.4 | Establish and Maintain Architecture Diagram(s) | Network | Identify
12.5 | Centralize Network Authentication, Authorization, and Auditing (AAA) | Network | Protect
12.6 | Use of Secure Network Management and Communication Protocols | Network | Protect
12.7 | Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure | Devices | Protect
12.8 | Establish and Maintain Dedicated Computing Resources for All Administrative Work | Devices | Protect
13.1 | Centralize Security Event Alerting | Network | Detect
13.2 | Deploy a Host-Based Intrusion Detection Solution | Devices | Detect
13.3 | Deploy a Network Intrusion Detection Solution | Network | Detect
13.4 | Perform Traffic Filtering Between Network Segments | Network | Protect
13.5 | Manage Access Control for Remote Assets | Devices | Protect
13.6 | Collect Network Traffic Flow Logs | Network | Detect
13.7 | Deploy a Host-Based Intrusion Prevention Solution | Devices | Protect
13.8 | Deploy a Network Intrusion Prevention Solution | Network | Protect
13.9 | Deploy Port-Level Access Control | Devices | Protect
13.10 | Perform Application Layer Filtering | Network | Protect
13.11 | Tune Security Event Alerting Thresholds | Network | Detect
14.1 | Establish and Maintain a Security Awareness Program | Enterprise | Protect
14.2 | Train Workforce Members to Recognize Social Engineering Attacks | Enterprise | Protect
14.3 | Train Workforce Members on Authentication Best Practices | Enterprise | Protect
14.4 | Train Workforce on Data Handling Best Practices | Enterprise | Protect
14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | Enterprise | Protect
14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | Enterprise | Protect
14.7 | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates | Enterprise | Protect
14.8 | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | Enterprise | Protect
14.9 | Conduct Role-Specific Security Awareness and Skills Training | Enterprise | Protect
15.1 | Establish and Maintain an Inventory of Service Providers | Enterprise | Identify
15.2 | Establish and Maintain a Service Provider Management Policy | Enterprise | Identify
15.3 | Classify Service Providers | Enterprise | Identify
15.4 | Ensure Service Provider Contracts Include Security Requirements | Enterprise | Protect
15.5 | Assess Service Providers | Enterprise | Identify
15.6 | Monitor Service Providers | Data | Detect
15.7 | Securely Decommission Service Providers | Data | Protect
16.1 | Establish and Maintain a Secure Application Development Process | Applications | Protect
16.2 | Establish and Maintain a Process to Accept and Address Software Vulnerabilities | Applications | Protect
16.3 | Perform Root Cause Analysis on Security Vulnerabilities | Applications | Protect
16.4 | Establish and Manage an Inventory of Third-Party Software Components | Applications | Protect
16.5 | Use Up-to-Date and Trusted Third-Party Software Components | Applications | Protect
16.6 | Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities | Applications | Protect
16.7 | Use Standard Hardening Configuration Templates for Application Infrastructure | Applications | Protect
16.8 | Separate Production and Non-Production Systems | Applications | Protect
16.9 | Train Developers in Application Security Concepts and Secure Coding | Applications | Protect
16.10 | Apply Secure Design Principles in Application Architectures | Applications | Protect
16.11 | Leverage Vetted Modules or Services for Application Security Components | Applications | Protect
16.12 | Implement Code-Level Security Checks | Applications | Protect
16.13 | Conduct Application Penetration Testing | Applications | Protect
16.14 | Conduct Threat Modeling | Applications | Protect
17.1 | Designate Personnel to Manage Incident Handling | Enterprise | Respond
17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | Enterprise | Respond
17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | Enterprise | Respond
17.4 | Establish and Maintain an Incident Response Process | Enterprise | Respond
17.5 | Assign Key Roles and Responsibilities | Enterprise | Respond
17.6 | Define Mechanisms for Communicating During Incident Response | Enterprise | Respond
17.7 | Conduct Routine Incident Response Exercises | Enterprise | Recover
17.8 | Conduct Post-Incident Reviews | Enterprise | Recover
17.9 | Establish and Maintain Security Incident Thresholds | Enterprise | Recover
18.1 | Establish and Maintain a Penetration Testing Program | Enterprise | Identify
18.2 | Perform Periodic External Penetration Tests | Network | Identify
18.3 | Remediate Penetration Test Findings | Network | Protect
18.4 | Validate Security Measures | Network | Protect
18.5 | Perform Periodic Internal Penetration Tests | Enterprise | Identify
Risk Register: Risk Analysis (CDM Attack Type Risks summary)

CDM Attack Type Risks | Risks Associated with Malware | Risks Associated with Ransomware | Risks Associated with Web App Hacking | Risks Associated with Insider and Privilege Misuse | Risks Associated with Targeted Intrusions
High | 0 | 0 | 0 | 0 | 0
Average | | | | |
Unacceptable Count | 0 | 0 | 0 | 0 | 0

Remaining Risk Analysis columns, one row per CIS Safeguard in the order listed above: IG1 | IG2 | IG3 | Asset Name | Defends Against Malware | Defends Against Ransomware | Defends Against Web Application Hacking | Defends Against Insider and Privilege Misuse | Defends Against Targeted Intrusions | Defends Against All Attack Types | Our Implementation | Evidence of Implementation | Vulnerabilities | Threats | Safeguard Maturity Score | VCDB Index | Expectancy Score | Impact to Mission | Impact to Operational Objectives | Impact to Financial Objectives

(The per-Safeguard cell values of these columns, the IG membership marks, the Yes/No "Defends Against" flags and the VCDB Index values, were extracted here without their Safeguard row labels and are omitted.)
Risk Register: Risk Treatment

Columns: Impact to Obligations | Risk Score | Risk Level | Risk Treatment Option | Risk Treatment Safeguard | Risk Treatment Safeguard Title

The Risk Treatment Safeguard and Safeguard Title columns are pre-populated with the same CIS Safeguard # and title as the Risk Analysis list above, one row per Safeguard; the rows shown on this page run from 1.1 through 15.1.
Providers

Establish and Maintain a


15.2 Service Provider
Management Policy

15.3 Classify Service Providers

Ensure Service Provider


15.4 Contracts Include Security
Requirements

15.5 Assess Service Providers

15.6 Monitor Service Providers

Securely Decommission
15.7
Service Providers

Establish and Maintain a


16.1 Secure Application
Development Process
Establish and Maintain a
Process to Accept and
16.2
Address Software
Vulnerabilities

Perform Root Cause


16.3 Analysis on Security
Vulnerabilities

Establish and Manage an


16.4 Inventory of Third-Party
Software Components

Use Up-to-Date and


16.5 Trusted Third-Party
Software Components

Establish and Maintain a


Severity Rating System
16.6
and Process for Application
Vulnerabilities

Use Standard Hardening


Configuration Templates
16.7
for Application
Infrastructure
Separate Production and
16.8
Non-Production Systems

Train Developers in
Application Security
16.9
Concepts and Secure
Coding

Apply Secure Design


16.10 Principles in Application
Architectures

Leverage Vetted Modules


16.11 or Services for Application
Security Components
Implement Code-Level
16.12
Security Checks

Conduct Application
16.13
Penetration Testing

16.14 Conduct Threat Modeling

Designate Personnel to
17.1
Manage Incident Handling

Establish and Maintain


Contact Information for
17.2
Reporting Security
Incidents

Establish and Maintain an


17.3 Enterprise Process for
Reporting Incidents

Establish and Maintain an


17.4
Incident Response Process

Assign Key Roles and


17.5
Responsibilities

Define Mechanisms for


17.6 Communicating During
Incident Response

Conduct Routine Incident


17.7
Response Exercises

Conduct Post-Incident
17.8
Reviews

Establish and Maintain


17.9 Security Incident
Thresholds

Establish and Maintain a


18.1 Penetration Testing
Program
Perform Periodic External
18.2
Penetration Tests

Remediate Penetration
18.3
Test Findings
18.4 Validate Security Measures
Perform Periodic Internal
18.5
Penetration Tests
Risk Treatment
Safeguard Description

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the
potential to store or process data, to include: end-user devices (including portable and mobile), network
devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if
static), hardware address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type
tools can support this process, where appropriate. This inventory includes assets connected to the
infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes
assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under
control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more
frequently.

Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may
choose to remove the asset from the network, deny the asset from connecting remotely to the network, or
quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the
active discovery tool to execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the
enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or
more frequently.

Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use
scans to update the enterprise’s asset inventory at least weekly, or more frequently.
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The
software inventory must document the title, publisher, initial install/use date, and business purpose for
each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s),
deployment mechanism, and decommission date. Review and update the software inventory bi-annually,
or more frequently.
Ensure that only currently supported software is designated as authorized in the software inventory for
enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission,
document an exception detailing mitigating controls and residual risk acceptance. For any unsupported
software without an exception documentation, designate as unauthorized. Review the software list to
verify software support at least monthly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a
documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and
documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized software can
execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so,
etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a
system process. Reassess bi-annually, or more frequently.
Use technical controls, such as digital signatures and version control, to ensure that only authorized
scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from
executing. Reassess bi-annually, or more frequently.
Establish and maintain a data management process. In the process, address data sensitivity, data owner,
handling of data, data retention limits, and disposal requirements, based on sensitivity and retention
standards for the enterprise. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory
sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on
sensitive data.

Configure data access control lists based on a user’s need to know. Apply data access control lists, also
known as access permissions, to local and remote file systems, databases, and applications.

Retain data according to the enterprise’s data management process. Data retention must include both
minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal
process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations can include:
Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use
labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels.
Review and update the classification scheme annually, or when significant enterprise changes occur that
could impact this Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should be based
on the enterprise’s data management process. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.

Encrypt data on removable media.


Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS)
and Open Secure Shell (OpenSSH).

Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-
layer encryption, also known as server-side encryption, meets the minimum requirement of this
Safeguard. Additional encryption methods may include application-layer encryption, also known as client-
side encryption, where access to the data storage device(s) does not permit access to the plain-text data.

Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data
on enterprise assets intended for lower sensitivity data.

Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all
sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite
or at a remote service provider, and update the enterprise's sensitive data inventory.

Log sensitive data access, including modification and disposal.


Establish and maintain a secure configuration process for enterprise assets (end-user devices, including
portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and
applications). Review and update documentation annually, or when significant enterprise changes occur
that could impact this Safeguard.

Establish and maintain a secure configuration process for network devices. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Configure automatic session locking on enterprise assets after a defined period of inactivity. For general
purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the
period must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example implementations include a virtual
firewall, operating system firewall, or a third-party firewall agent.

Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny
rule that drops all traffic except those services and ports that are explicitly allowed.

Securely manage enterprise assets and software. Example implementations include managing
configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces
over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure
(HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP,
unless operationally essential.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-
configured vendor accounts. Example implementations can include: disabling default accounts or making
them unusable.

Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file
sharing service, web application module, or service function.

Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets
to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.

Enforce automatic device lockout following a predetermined threshold of local failed authentication
attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed
authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts.
Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile
maxFailedAttempts.

Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed
appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.

Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example
implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate
enterprise applications and data from personal applications and data.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include
both user and administrator accounts. The inventory, at a minimum, should contain the person’s name,
username, start/stop dates, and department. Validate that all active accounts are authorized, on a
recurring schedule at a minimum quarterly, or more frequently.

Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an
8-character password for accounts using MFA and a 14-character password for accounts not using MFA.

Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct
general computing activities, such as internet browsing, email, and productivity suite use, from the user’s
primary, non-privileged account.

Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain
department owner, review date, and purpose. Perform service account reviews to validate that all active
accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

Centralize account management through a directory or identity service.


Establish and follow a process, preferably automated, for granting access to enterprise assets upon new
hire, rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through
disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling
accounts, instead of deleting accounts, may be necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported.
Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this
Safeguard.

Require MFA for remote network access.


Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether
managed on-site or through a third-party provider.

Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including
those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum,
annually, or more frequently.

Centralize access control for all enterprise assets through a directory service or SSO provider, where
supported.
Define and maintain role-based access control, through determining and documenting the access rights
necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access
control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule
at a minimum annually, or more frequently.
Establish and maintain a documented vulnerability management process for enterprise assets. Review
and update documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation process, with
monthly, or more frequent, reviews.

Perform operating system updates on enterprise assets through automated patch management on a
monthly, or more frequent, basis.

Perform application updates on enterprise assets through automated patch management on a monthly, or
more frequent, basis.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent,
basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability
scanning tool.

Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant


vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.

Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more
frequent, basis, based on the remediation process.
Establish and maintain an audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise
assets. Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been
enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log
management process.
Standardize time synchronization. Configure at least two synchronized time sources across enterprise
assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source,
date, username, timestamp, source addresses, destination addresses, and other useful elements that
could assist in a forensic investigation.

Collect DNS query audit logs on enterprise assets, where appropriate and supported.

Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from
PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential
threat. Conduct reviews on a weekly, or more frequent, basis.

Collect service provider logs, where supported. Example implementations include collecting authentication
and authorization events, data creation and disposal events, and user management events.

Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using
the latest version of browsers and email clients provided through the vendor.

Use DNS filtering services on all enterprise assets to block access to known malicious domains.

Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially
malicious or unapproved websites. Example implementations include category-based filtering, reputation-
based filtering, or through the use of block lists. Enforce filters for all enterprise assets.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client
plugins, extensions, and add-on applications.

To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and
verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys
Identified Mail (DKIM) standards.

Block unnecessary file types attempting to enter the enterprise’s email gateway.

Deploy and maintain email server anti-malware protections, such as attachment scanning and/or
sandboxing.

Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.
Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft®
Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System
Integrity Protection (SIP) and Gatekeeper™.

Centrally manage anti-malware software.

Use behavior-based anti-malware software.

Establish and maintain a data recovery process. In the process, address the scope of data recovery
activities, recovery prioritization, and the security of backup data. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.

Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently,
based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data
separation, based on requirements.

Establish and maintain an isolated instance of recovery data. Example implementations include, version
controlling backup destinations through offline, cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest
stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review
software versions monthly, or more frequently, to verify software support.

Establish and maintain a secure network architecture. A secure network architecture must address
segmentation, least privilege, and availability, at a minimum.

Securely manage network infrastructure. Example implementations include version-controlled-


infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and
update documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.

Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2
(WPA2) Enterprise or greater).

Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing
enterprise resources on end-user devices.

Establish and maintain dedicated computing resources, either physically or logically separated, for all
administrative tasks or tasks requiring administrative access. The computing resources should be
segmented from the enterprise's primary network and not be allowed internet access.
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice
implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log
analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.

Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or
supported.

Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example
implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud
service provider (CSP) service.

Perform traffic filtering between network segments, where appropriate.

Manage access control for assets remotely connecting to enterprise resources. Determine amount of
access to enterprise resources based on: up-to-date anti-malware software installed, configuration
compliance with the enterprise’s secure configuration process, and ensuring the operating system and
applications are up-to-date.

Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or
supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or
host-based IPS agent.

Deploy a network intrusion prevention solution, where appropriate. Example implementations include the
use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access
control protocols, such as certificates, and may incorporate user and/or device authentication.

Perform application layer filtering. Example implementations include a filtering proxy, application layer
firewall, or gateway.
Tune security event alerting thresholds monthly, or more frequently.

Establish and maintain a security awareness program. The purpose of a security awareness program is to
educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner.
Conduct training at hire and, at a minimum, annually. Review and update content annually, or when
significant enterprise changes occur that could impact this Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and
tailgating.

Train workforce members on authentication best practices. Example topics include MFA, password
composition, and credential management.

Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive
data. This also includes training workforce members on clear screen and desk best practices, such as
locking their screen when they step away from their enterprise asset, erasing physical and virtual
whiteboards at the end of meetings, and storing data and assets securely.

Train workforce members to be aware of causes for unintentional data exposure. Example topics include
mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended
audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an
incident.

Train workforce to understand how to verify and report out-of-date software patches or any failures in
automated processes and tools. Part of this training should include notifying IT personnel of any failures in
automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks
for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure
that all users securely configure their home network infrastructure.

Conduct role-specific security awareness and skills training. Example implementations include secure
system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and
prevention training for web application developers, and advanced social engineering awareness training
for high-profile roles.
Establish and maintain an inventory of service providers. The inventory is to list all known service
providers, include classification(s), and designate an enterprise contact for each service provider. Review
and update the inventory annually, or when significant enterprise changes occur that could impact this
Safeguard.

Establish and maintain a service provider management policy. Ensure the policy addresses the
classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and
update the policy annually, or when significant enterprise changes occur that could impact this Safeguard.

Classify service providers. Classification consideration may include one or more characteristics, such as
data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated
risk. Update and review classifications annually, or when significant enterprise changes occur that could
impact this Safeguard.
Ensure service provider contracts include security requirements. Example requirements may include
minimum security program requirements, security incident and/or data breach notification and response,
data encryption requirements, and data disposal commitments. These security requirements must be
consistent with the enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.

Assess service providers consistent with the enterprise’s service provider management policy.
Assessment scope may vary based on classification(s), and may include review of standardized
assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI)
Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes.
Reassess service providers annually, at a minimum, or with new and renewed contracts.

Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring
may include periodic reassessment of service provider compliance, monitoring service provider release
notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service account
deactivation, termination of data flows, and secure disposal of enterprise data within service provider
systems.

Establish and maintain a secure application development process. In the process, address such items as:
secure application design standards, secure coding practices, developer training, vulnerability
management, security of third-party code, and application security testing procedures. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software vulnerabilities, including
providing a means for external entities to report. The process is to include such items as: a vulnerability
handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a
process for intake, assignment, remediation, and remediation testing. As part of the process, use a
vulnerability tracking system that includes severity ratings, and metrics for measuring timing for
identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that helps to set
expectations for outside stakeholders.

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis
is the task of evaluating underlying issues that create vulnerabilities in code, and allows development
teams to move beyond just fixing individual vulnerabilities as they arise.

Establish and manage an updated inventory of third-party components used in development, often
referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include
any risks that each third-party component could pose. Evaluate the list at least monthly to identify any
changes or updates to these components, and validate that the component is still supported.

Use up-to-date and trusted third-party software components. When possible, choose established and
proven frameworks and libraries that provide adequate security. Acquire these components from trusted
sources or evaluate the software for vulnerabilities before use.

Establish and maintain a severity rating system and process for application vulnerabilities that facilitates
prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum
level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of
triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed
first. Review and update the system and process annually.

Use standard, industry-recommended hardening configuration templates for application infrastructure
components. This includes underlying servers, databases, and web servers, and applies to cloud
containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house
developed software to weaken configuration hardening.

Maintain separate environments for production and non-production systems.

Ensure that all software development personnel receive training in writing secure code for their specific
development environment and responsibilities. Training can include general security principles and
application security standard practices. Conduct training at least annually and design in a way to promote
security within the development team, and build a culture of security among the developers.

Apply secure design principles in application architectures. Secure design principles include the concept
of least privilege and enforcing mediation to validate every operation that the user makes, promoting the
concept of "never trust user input." Examples include ensuring that explicit error checking is performed
and documented for all input, including for size, data type, and acceptable ranges or formats. Secure
design also means minimizing the application infrastructure attack surface, such as turning off
unprotected ports and services, removing unnecessary programs and files, and renaming or removing
default accounts.

Leverage vetted modules or services for application security components, such as identity management,
encryption, and auditing and logging. Using platform features in critical security functions will reduce
developers’ workload and minimize the likelihood of design or implementation errors. Modern operating
systems provide effective mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and extensively
reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain
secure audit logs.

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding
practices are being followed.

Conduct application penetration testing. For critical applications, authenticated penetration testing is better
suited to finding business logic vulnerabilities than code scanning and automated security
testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an
authenticated and unauthenticated user.

Conduct threat modeling. Threat modeling is the process of identifying and addressing application security
design flaws within a design, before code is created. It is conducted through specially trained individuals
who evaluate the application design and gauge security risks for each entry point and access level. The
goal is to map out the application, architecture, and infrastructure in a structured way to understand its
weaknesses.

Designate one key person, and at least one backup, who will manage the enterprise’s incident handling
process. Management personnel are responsible for the coordination and documentation of incident
response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors,
or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise
to oversee any third-party work. Review annually, or when significant enterprise changes occur that could
impact this Safeguard.

Establish and maintain contact information for parties that need to be informed of security incidents.
Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers,
relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other
stakeholders. Verify contacts annually to ensure that information is up-to-date.

Establish and maintain an enterprise process for the workforce to report security incidents. The process
includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum
information to be reported. Ensure the process is publicly available to all of the workforce. Review
annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain an incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant enterprise
changes occur that could impact this Safeguard.

Assign key roles and responsibilities for incident response, including staff from legal, IT, information
security, facilities, public relations, human resources, incident responders, and analysts, as applicable.
Review annually, or when significant enterprise changes occur that could impact this Safeguard.

Determine which primary and secondary mechanisms will be used to communicate and report during a
security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain
mechanisms, such as emails, can be affected during a security incident. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.

Plan and conduct routine incident response exercises and scenarios for key personnel involved in the
incident response process to prepare for responding to real-world incidents. Exercises need to test
communication channels, decision making, and workflows. Conduct testing on an annual basis, at a
minimum.

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying
lessons learned and follow-up action.

Establish and maintain security incident thresholds, including, at a minimum, differentiating between an
incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness,
data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that
could impact this Safeguard.

Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of
the enterprise. Penetration testing program characteristics include scope, such as network, web
application, Application Programming Interface (API), hosted services, and physical premise controls;
frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information;
remediation, such as how findings will be routed internally; and retrospective requirements.

Perform periodic external penetration tests based on program requirements, no less than annually.
External penetration testing must include enterprise and environmental reconnaissance to detect
exploitable information. Penetration testing requires specialized skills and experience and must be
conducted through a qualified party. The testing may be clear box or opaque box.

Remediate penetration test findings based on the enterprise’s policy for remediation scope and
prioritization.

Validate security measures after each penetration test. If deemed necessary, modify rulesets and
capabilities to detect the techniques used during testing.

Perform periodic internal penetration tests based on program requirements, no less than annually. The
testing may be clear box or opaque box.
Risk Treatment columns:
Our Planned Implementation
Risk Treatment Safeguard Maturity Score
Risk Treatment Safeguard Expectancy Score
Risk Treatment Safeguard Impact to Mission
Risk Treatment Safeguard Impact to Operational Objectives
Risk Treatment Safeguard Impact to Financial Objectives
Risk Treatment Safeguard Impact to Obligations
Risk Treatment Safeguard Risk Score
Reasonable and Acceptable
Risk Treatment Safeguard Cost

Reasonable Annual Cost

Impact to Financial Objectives    Year    Reasonable?
$ -                               2021    Yes
$ -                               2022    Yes
$ -                               2023    Yes
$ -                               2024    Yes
$ -                               2025    Yes
$ -                               2026    Yes
$ -                               2027    Yes
$ -                               2028    Yes
$ -                               2029    Yes
$ -                               2030    Yes
Color Key

Color: Meaning
Automated or fixed values on the Risk Analysis side of the Risk Register. While the worksheet is in protected mode, these values cannot be changed.
Automated or fixed values on the Risk Treatment side of the Risk Register. While the worksheet is in protected mode, these values cannot be changed.
For user input. Risk assessors will add values into these columns.
For optional user input. Risk assessors may add values into these columns if it's useful to them.
Automated or fixed values on the Reasonable Annual Cost side of the Risk Register. While the worksheet is in protected mode, these values cannot be changed.

Risk Register Title: Meaning

Risk Analysis
CIS Safeguard #: The unique CIS Safeguard identifier, as published in the CIS Controls.
CIS Safeguard Title: The title of the CIS Safeguard, as published in the CIS Controls.
Asset Class: The asset class, as published in the CIS Controls.
IG1: The Implementation Group, as published in the CIS Controls.
IG2: The Implementation Group, as published in the CIS Controls.
IG3: The Implementation Group, as published in the CIS Controls.
NIST CSF Security Function: Mapping between the NIST CSF Security Functions and CIS Safeguards, as published in the CIS Controls.
Asset Name: An optional field used to input the name of an individual asset to distinguish its risks from other Asset Class risks.
Defends Against Ransomware: Fixed 'Y' or 'N' value that states whether the CIS Safeguard in a given row defends against the Attack Type.
Defends Against Malware: Fixed 'Y' or 'N' value that states whether the CIS Safeguard in a given row defends against the Attack Type.
Defends Against Web Application Hacking: Fixed 'Y' or 'N' value that states whether the CIS Safeguard in a given row defends against the Attack Type.
Defends Against Insider and Privilege Misuse: Fixed 'Y' or 'N' value that states whether the CIS Safeguard in a given row defends against the Attack Type.
Defends Against Targeted Intrusions: Fixed 'Y' or 'N' value that states whether the CIS Safeguard in a given row defends against the Attack Type.
Defends Against All Attack Types: An automatically calculated value, on a scale of '1' to '5', that states how many of the top five Attack Types the CIS Safeguard in a given row defends against.
Our Implementation: A brief description of how the Safeguard is already implemented and operated in the enterprise.
Evidence of Implementation: Proof to show how the Safeguard is implemented and operated in the enterprise.
Vulnerabilities: An optional field used to record a vulnerability with a specific asset, such as a vulnerability in an application, as an example.
Threats: A potential or foreseeable event that could compromise the security of information assets.
Safeguard Maturity Score: A score of '1' through '5' designating the reliability of a Safeguard's effectiveness against threats.
VCDB Index: An automatically calculated value to represent how common the related threat is as a cause for reported cybersecurity incidents.
Expectancy Score: An automatically calculated value to represent how commonly the related threat would be the cause of a cybersecurity incident, given your current Safeguard and the reported commonality of the attack.
Impact to Mission: The magnitude of harm that a successful threat would cause to your Mission.
Impact to Operational Objectives: The magnitude of harm that a successful threat would cause to your Operational Objectives.
Impact to Financial Objectives: The magnitude of harm that a successful threat would cause to your Financial Objectives.
Impact to Obligations: The magnitude of harm that a successful threat would cause to your Obligations.
Risk Score: The product of the Expectancy and the highest of the three Impacts.
Risk Level: An evaluation of the risk as negligible, acceptable, unacceptable, high, or catastrophic.
Risk Treatment Option: A statement about whether the enterprise will accept or reduce the risk.

Risk Treatment
Risk Treatment Safeguard: The unique CIS Safeguard identifier, as published in the CIS Controls.
Risk Treatment Safeguard Title: The title of the CIS Safeguard, as published in the CIS Controls.
Risk Treatment Safeguard Description: The description of the CIS Safeguard, as published in the CIS Controls.
Our Planned Implementation: A brief description of how the Safeguard will be implemented and operated in the enterprise.
Risk Treatment Safeguard Maturity Score: A score of '1' through '5' designating the planned reliability of a Safeguard's effectiveness against threats.
Risk Treatment Safeguard Expectancy Score: An automatically calculated value to represent how commonly the related threat would be the cause of a cybersecurity incident, given the planned Safeguard.
Risk Treatment Safeguard Impact to Mission: The magnitude of harm that a successful threat would cause to your Mission.
Risk Treatment Safeguard Impact to Operational Objectives: The magnitude of harm that a successful threat would cause to your Operational Objectives.
Risk Treatment Safeguard Impact to Financial Objectives: The magnitude of harm that a successful threat would cause to your Financial Objectives.
Risk Treatment Safeguard Impact to Obligations: The magnitude of harm that a successful threat would cause to your Obligations.
Risk Treatment Safeguard Risk Score: The product of the Expectancy and the highest of the three impacts, given the planned Safeguard.
Reasonable and Acceptable: A determination of whether the planned Safeguard is reasonable and acceptable.
Risk Treatment Safeguard Cost: An estimate of how much the Safeguard is expected to cost.
Implementation Quarter: When the Safeguard is planned for completion of implementation (which quarter).
Implementation Year: When the Safeguard is planned for completion of implementation (which year).

Reasonable Annual Cost
Impact to Financial Objectives: The total Risk Treatment Safeguard Cost for the year.
Year: The year the total cost was incurred.
Reasonable?: Whether or not the total cost falls above or below the acceptable limit, based on the Acceptable Criteria for the enterprise's Financial Objectives.
Impact Criteria

Impact Scores      Mission                            Operational Objectives             Financial Objectives    Obligations
Definition         Required                           Required                           Optional                Required
1. Negligible      Use Default or Custom Responses    Use Default or Custom Responses    Optional                Use Default or Custom Responses
2. Acceptable      Use Default or Custom Responses    Use Default or Custom Responses    Optional                Use Default or Custom Responses
3. Unacceptable    Use Default or Custom Responses    Use Default or Custom Responses    Optional                Use Default or Custom Responses
4. High            Use Default or Custom Responses    Use Default or Custom Responses    Optional                Use Default or Custom Responses
5. Catastrophic    Use Default or Custom Responses    Use Default or Custom Responses                            Use Default or Custom Responses

Risk Levels
Red       Red indicates that the risk is “urgent.”
Yellow    Yellow indicates that the risk is “unacceptably high, but not urgent.”
Green     Green indicates that the risk evaluates as “acceptable.”
Asset Classes
Used to associate Safeguards with Asset Classes.

Asset Classes
Applications
Data
Devices
Enterprise
Network
Users

Maturity Scores
Used for "Safeguard Maturity Score" and "Risk Treatment Safeguard Maturity Score".

Maturity Scores    Definition
1                  Safeguard is not implemented or is inconsistently implemented.
2                  Safeguard is implemented fully on some assets or partially on all assets.
3                  Safeguard is implemented on all assets.
4                  Safeguard is tested and inconsistencies are corrected.
5                  Safeguard has mechanisms that ensure consistent implementation over time.

Expectancy Criteria
Used for "Expectancy Score" and "Risk Treatment Safeguard Expectancy Score".

Expectancy Scores    Expectancy          Criteria
1                    Remote              Safeguard would reliably prevent the threat.
2                    Unlikely            Safeguard would reliably prevent most occurrences of the threat.
3                    As likely as not    Safeguard would prevent as many threat occurrences as it would miss.
4                    Likely              Safeguard would prevent few threat occurrences.
5                    Certain             Safeguard would not prevent threat occurrences.

Risk Acceptance Criteria
Used to evaluate risk acceptance.

Acceptable Risk Score: Complete the Risk Acceptance Criteria table in Enterprise Parameters.

VCDB Index
Used to populate "VCDB Index". As of 7/29/2021.

Sum of Threat Count / Industry: 8893

Asset Class     Incident Count    Percentage    Index
Enterprise      4458              50%           3
Applications    1253              14%           1
Data            4458              50%           3
Devices         798               9%            1
Network         62                1%            1
Users           4458              50%           3
Unknown         863               10%           1

VCDB Index Weight Table
Used to calculate "Expectancy Score" and "Risk Treatment Safeguard Expectancy Score".

VCDB Index Lookup    Maturity    VCDB Index    Expectancy
51                   5           1             1
52                   5           2             1
53                   5           3             1
54                   5           4             2
55                   5           5             2
41                   4           1             1
42                   4           2             2
43                   4           3             2
44                   4           4             3
45                   4           5             3
31                   3           1             1
32                   3           2             2
33                   3           3             3
34                   3           4             4
35                   3           5             5
21                   2           1             3
22                   2           2             3
23                   2           3             4
24                   2           4             4
25                   2           5             5
11                   1           1             4
12                   1           2             4
13                   1           3             5
14                   1           4             5
15                   1           5             5
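The calculation these tables drive, as an added Python example that is not part of the CIS RAM workbook: the Expectancy Score is read from the VCDB Index Weight Table, the Risk Score is Expectancy times the highest Impact (Financial Objectives treated as optional, per the Impact Criteria), and the same arithmetic is rerun with a planned Maturity for the Risk Treatment side. The Acceptable Risk Score, the sample row, and the Safeguard and asset class it uses are assumptions, since the workbook leaves those to the enterprise.

```python
"""Worked example of the CIS RAM v2.1 for IG3 Risk Register arithmetic.

Added illustration, not code from the CIS RAM workbook. It encodes the VCDB
Index per Asset Class and the VCDB Index Weight Table printed on this page and
applies the Risk Score rule "Expectancy x highest Impact" to both the Risk
Analysis side (current Maturity) and the Risk Treatment side (planned Maturity).
The Acceptable Risk Score is a parameter because the workbook leaves it to the
enterprise's Risk Acceptance Criteria.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# VCDB Index Weight Table: EXPECTANCY[maturity][vcdb_index] -> Expectancy Score.
EXPECTANCY = {
    5: {1: 1, 2: 1, 3: 1, 4: 2, 5: 2},
    4: {1: 1, 2: 2, 3: 2, 4: 3, 5: 3},
    3: {1: 1, 2: 2, 3: 3, 4: 4, 5: 5},
    2: {1: 3, 2: 3, 3: 4, 4: 4, 5: 5},
    1: {1: 4, 2: 4, 3: 5, 4: 5, 5: 5},
}
EXPECTANCY_LABEL = {1: "Remote", 2: "Unlikely", 3: "As likely as not",
                    4: "Likely", 5: "Certain"}

# VCDB Index per Asset Class (page values, as of 7/29/2021).
VCDB_INDEX = {"Enterprise": 3, "Applications": 1, "Data": 3, "Devices": 1,
              "Network": 1, "Users": 3, "Unknown": 1}


def expectancy_score(maturity: int, vcdb_index: int) -> int:
    """Expectancy Score for a Safeguard Maturity Score and a VCDB Index (both 1..5)."""
    if maturity not in EXPECTANCY or vcdb_index not in EXPECTANCY[maturity]:
        raise ValueError("Maturity and VCDB Index must be 1..5")
    return EXPECTANCY[maturity][vcdb_index]


def expectancy_from_lookup_key(key: int) -> int:
    """Same lookup via the workbook's VCDB Index Lookup key: Maturity*10 + VCDB Index (51..15)."""
    return expectancy_score(key // 10, key % 10)


def risk_score(expectancy: int, impacts: Tuple[Optional[int], ...]) -> int:
    """Risk Score = Expectancy x the highest Impact.

    impacts = (Mission, Operational Objectives, Financial Objectives, Obligations).
    Financial Objectives is optional in the Impact Criteria, so None is skipped.
    """
    scored = [i for i in impacts if i is not None]
    if not scored or any(not 1 <= i <= 5 for i in scored):
        raise ValueError("Impact scores must be 1..5")
    return expectancy * max(scored)


@dataclass
class RiskRow:
    """One Risk Register row (constructed sample, not workbook data)."""
    safeguard: str                       # CIS Safeguard #
    asset_class: str                     # Asset Class, drives the VCDB Index
    maturity: int                        # Safeguard Maturity Score (current)
    impacts: Tuple[Optional[int], ...]   # Impact scores, Financial may be None


def analyze(row: RiskRow, acceptable_risk_score: int,
            planned_maturity: Optional[int] = None) -> Dict[str, object]:
    """Risk Analysis side (planned_maturity=None) or Risk Treatment side.

    On the treatment side the VCDB Index and Impacts are unchanged; only the
    Maturity, and with it the Expectancy and Risk Score, reflect the plan.
    """
    maturity = row.maturity if planned_maturity is None else planned_maturity
    vcdb = VCDB_INDEX[row.asset_class]
    exp = expectancy_score(maturity, vcdb)
    score = risk_score(exp, row.impacts)
    return {"maturity": maturity, "vcdb_index": vcdb, "expectancy": exp,
            "expectancy_label": EXPECTANCY_LABEL[exp], "risk_score": score,
            "acceptable": score <= acceptable_risk_score}


if __name__ == "__main__":
    # Assumed sample: Safeguard 16.1 on the Applications asset class, currently
    # Maturity 1, Impacts (3, 4, not scored, 3); the enterprise accepts Risk Scores <= 9.
    row = RiskRow("16.1", "Applications", 1, (3, 4, None, 3))
    print("current:", analyze(row, 9))                      # Expectancy 4, Risk Score 16
    print("planned:", analyze(row, 9, planned_maturity=4))  # Expectancy 1, Risk Score 4
```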
CIS CSAT Pro

CIS CSAT Pro for CIS Controls v8

v8 Safeguard #    CSAT Pro Export Score    CSAT Pro Score (Stripped)    CIS RAM Maturity Score Final
1.1
1.2
1.3
1.4
1.5
2.1
2.2
2.3
2.4
2.5
2.6

2.7

3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
3.14
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
4.12
5.1
5.2
5.3
5.4
5.5
5.6
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.8
7.1
7.2
7.3
7.4
7.5
7.6
7.7
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
9.1
9.2
9.3
9.4
9.5
9.6
9.7
10.1
10.2
10.3
10.4
10.5
10.6
10.7
11.1
11.2
11.3
11.4
11.5
12.1
12.2
12.3
12.4
12.5
12.6
12.7
12.8
13.1
13.2
13.3
13.4
13.5
13.6
13.7
13.8
13.9
13.10
13.11
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
15.5
15.6
15.7
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
16.13
16.14
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
Instructions for Importing CIS CSAT Pro Scores into CIS RAM
1) In CIS CSAT Pro, filter on IG1, IG2, and IG3 and Export Filtered CSV.
a. Go to the Assessment Summary page for the assessment of interest (this is reachable from the Assessment Summary tab at
the top of the Assessment Dashboard for that assessment).

b. All three IGs should be displayed by default when navigating to the Assessment Summary page without needing filtering.

c. Click the "Export Filtered CSV" button to export the report.


2) Copy your scores from the exported CSAT Pro CSV file to the CIS RAM for IG3 Workbook.
a. In the CSAT Pro CSV file, copy the contents of column E (labeled “Sub-Control Score”) excluding the heading row.
b. Go to the “CIS CSAT Pro” tab in the CIS RAM for IG3 Workbook.
c. Note that CIS RAM for IG3 is only available for CIS Controls v8.
d. Paste the copied data into the appropriate section of the “CIS CSAT Pro” tab.
e. For instance, for Controls v8, you might copy cells E2 to E154 from the CSAT Pro CSV to C5 to C157 in the “CIS CSAT Pro”
tab of the CIS RAM for IG3 Workbook.
3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, go to the tab, “3a. Risk Register Controls v8,” for v8 of the CIS Controls.
5) Copy the scores in the “CIS RAM Maturity Score Final” column into the “Safeguard Maturity Score” column of the tab, “3a. Risk
Register Controls v8,” for v8 of the CIS Controls.
a. Right-click to copy and “Paste Special” as “Values” (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT” tabs, if present. If copied,
these values can be deleted from the “Safeguard Maturity Score” cell and will not affect the functionality of the CIS RAM Risk
Register.
Note: Please ensure that your enterprise's method for scoring Safeguards in CSAT Pro
aligns closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.

Maturity Scores    Definition
1                  Safeguard is not implemented or is inconsistently implemented.
2                  Safeguard is implemented fully on some assets or partially on all assets.
3                  Safeguard is implemented on all assets.
4                  Safeguard is tested and inconsistencies are corrected.
5                  Safeguard has mechanisms that ensure consistent implementation over time.
CIS-Hosted CSAT Maturity Scores

CIS-Hosted CSAT Maturity Score    Policy Defined              Control Implemented
1                                 No Policy                   Not Implemented
2                                 Informal Policy             Parts of Policy Implemented
3                                 Partially Written Policy    Implemented on Some Systems
4                                 Written Policy              Implemented on Most Systems
5                                 Approved Written Policy     Implemented on All Systems
Unknown - Unscored                None                        None
Unknown - N/A                     Not Applicable              Not Applicable

CIS-Hosted CSAT for CIS Controls v8

CIS-Hosted CSAT Values From XLSX Export
v8 Safeguard #    Policy Defined    Control Implemented


1.1
1.2
1.3
1.4
1.5
2.1
2.2
2.3
2.4
2.5
2.6
2.7
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
3.14
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
4.12
5.1
5.2
5.3
5.4
5.5
5.6
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.8
7.1
7.2
7.3
7.4
7.5
7.6
7.7
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
9.1
9.2
9.3
9.4
9.5
9.6
9.7
10.1
10.2
10.3
10.4
10.5
10.6
10.7
11.1
11.2
11.3
11.4
11.5
12.1
12.2
12.3
12.4
12.5
12.6
12.7
12.8
13.1
13.2
13.3
13.4
13.5
13.6
13.7
13.8
13.9
13.10
13.11
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
15.5
15.6
15.7
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
16.13
16.14
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
CIS-Hosted CSAT Maturity Scores (continued)

Control Automated            Control Reported            CIS-Hosted CSAT Maturity Score
Not Automated                Not Reported                1
Parts of Policy Automated    Parts of Policy Reported    2
Automated on Some Systems    Reported on Some Systems    3
Automated on Most Systems    Reported on Most Systems    4
Automated on All Systems     Reported on All Systems     5
None                         None                        Unknown - Unscored
Not Applicable               Not Applicable              Unknown - N/A

CIS-Hosted CSAT Values From XLSX Export (continued): Control Automated, Control Reported
Calculated Numerical Score: Policy Defined


Calculated Numerical Score (continued): Control Implemented, Control Automated, Control Reported
CIS RAM Maturity Score Average
CIS RAM Maturity Score Final
Instructions for Importing CIS-Hosted CSAT Scores into CIS RAM

1) In CIS-Hosted CSAT, filter on IG1, IG2, and IG3 and export the filtered Safeguards.

a. Go to the All Controls page for the assessment of interest (this is reachable from the All Controls link on the menu on t
Assessment”).
b. Click the Filter button.
c. Select “Group 1,” “Group 2,” and “Group 3” for the Implementation Group filter and click Filter.
d. Check to see if any of these Safeguards are in the blue (Not Assessed) state. You can see this in the “#” column – ther
each row by the Safeguard number. Any Safeguards that have a blue circle there will not export; if you have any blue Safe
continue these steps, one way to get them out of the blue state is to:
i. Select the checkbox next to each blue Safeguard.
ii. Select “Mark as Applicable” from the Bulk Action option dropdown and click the “Save” button.
Please note: If any of the selected Safeguards were not applicable, this will make them applicable.
e. Click the Download Report button to export the report.
2) Copy your scores from the exported CIS-Hosted CSAT XLSX file to the CIS RAM for IG3 Workbook.

a. In the CIS-Hosted CSAT XLSX file, copy the contents of columns E through H (labeled Policy Defined, Control Implemented, Control Automated,
and Control Reported) excluding the heading row.

b. Go to the “CIS-Hosted CSAT” tab in the CIS RAM for IG3 Workbook.

c. Paste the copied data into the appropriate section of the “CIS-Hosted CSAT” tab.
d. For instance, for Controls v8, you might copy the cells from E2:E154 over to H2:H154 from the CIS-Hosted CSAT XLS
“CIS-Hosted CSAT” tab in the CIS RAM for IG3 Workbook and paste them there.
3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, go to the tab, “3a. Risk Register Controls v8,” for v8 of the CIS Controls.
5) Copy the scores in the “CIS RAM Maturity Score Final” column into the “Safeguard Maturity Score” column of the tab, “3a. Risk
Register Controls v8,” for v8 of the CIS Controls.
a. Right-click to copy and “Paste Special” as “Values” (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT” tabs, if present. If copied, these values can be
deleted from the “Safeguard Maturity Score” cell and will not affect the functionality of the CIS RAM Risk Register.
Note: This method will average the four scoring categories in CIS-Hosted CSAT for each Safeguard and aligns
those averages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, as defined below,
to ensure this method aligns closely enough for your enterprise's scoring practices.

Maturity Scores    Definition
1                  Safeguard is not implemented or is inconsistently implemented.
2                  Safeguard is implemented fully on some assets or partially on all assets.
3                  Safeguard is implemented on all assets.
4                  Safeguard is tested and inconsistencies are corrected.
5                  Safeguard has mechanisms that ensure consistent implementation over time.


1 Mission

Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would
determine that the impacts to your mission were acceptable, or unacceptable.

Impact Magnitude
Negligible

Acceptable

Unacceptable

High

Catastrophic

2 Operational Objectives

Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would
determine that the impacts to your operational objectives were acceptable, or unacceptable.

Impact Magnitude
Negligible

Acceptable

Unacceptable

High
Catastrophic

3 Financial Objectives

Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Descr
determine that the impacts to your financial objectives were acceptable, or unacceptable.

Impact Magnitude
Negligible

Acceptable

Unacceptable

High

Catastrophic

4 Obligations

Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Descr
determine that the impacts to your obligations (harm, to others) were acceptable, or unacceptable.

Impact Magnitude
Negligible

Acceptable

Unacceptable
High

Catastrophic
Prompt
How would you concisely describe the benefit that your enterprise
provides your customers, clients, constituents, or the public? This is
why they engage in this risk with you.

agine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would
he impacts to your mission were acceptable, or unacceptable.

Prompt
What observable evidence would you have that your mission - as you
defined it above - would be unaffected?

What observable evidence would you have that your mission would be
compromised, but it would not require correction?

What observable evidence would you have that your mission would be
compromised in a way that would require correction, but the correction
could be achieved through the normal course of business?

What observable evidence would you have that your mission would be
compromised so badly that extraordinary efforts would be required to
restore it?

What observable evidence would you have that your mission would be
compromised so badly that it could not be achieved?

Prompt

What business or organizational goals does the enterprise attempt to


achieve?

agine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would
he impacts to your operational objectives were acceptable, or unacceptable.

Prompt
What observable evidence would you have that your operational
objectives - as you defined them above - would be unaffected?

What observable evidence would you have that your operational


objectives would be compromised, but it would not require correction?

What observable evidence would you have that your operational


objectives would be compromised in a way that would require
correction, but the correction could be achieved through the normal
course of business?
What observable evidence would you have that your operational
objectives would be compromised so badly that extraordinary efforts
would be required to restore them?
What observable evidence would you have that your operational
objectives would be compromised so badly that they could not be
achieved?

Prompt

What are the unexpected cost outlays that your enterprise could or
could not tolerate?

agine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would
he impacts to your financial objectives were acceptable, or unacceptable.

Prompt
What observable evidence would you have that your financial objectives
- as you defined them above - would be unaffected?

What observable evidence would you have that your financial objectives
would be compromised, but it would not require correction?

What observable evidence would you have that your financial objectives
would be compromised in a way that would require correction, but the
correction could be achieved through the normal course of business?

What observable evidence would you have that your financial objectives
would be compromised so badly that extraordinary efforts would be
required to restore them?
Leave this blank

Prompt

What harm may foreseeably come to others as a result of a


cybersecurity incident?

agine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would
he impacts to your obligations (harm, to others) were acceptable, or unacceptable.

Prompt
Describe a condition where others would not be harmed.

Describe a condition where others would not be harmed to a degree


that required correction or compensation.

Describe a condition where one or few others would be harmed to a


degree that you could correct.
Describe a condition where many others would be harmed to a degree
that you could correct, or where few others are harmed to a degree that
others would always have a small degree of impairment.

Describe a condition where others would be irreparably harmed.


Response
Reliably produce just-in-time, custom widgets that meet
demanding resiliency and design specifications, and
within market-leading turnaround times.

incident. Describe in the spaces provided below how you would


All data on this page is considered
to reflect any one individual orga
Only to be used for de
Response
All orders would be produced within specifications and on
time and without unplanned effort.
All orders would be produced within specifications and on
time, but some may require unplanned effort to stay within
tolerance metrics.

Few orders each quarter (outside of our tolerance metrics)


may miss targets, but could be corrected with adjustments
or discounts.

We would repeatedly miss targets outside of tolerance


metrics, requiring regular adjustments or discounts per
quarter, or would require significant re-investment to
operate regularly within our tolerance metrics.

We could not meet our mission.

Response

To maintain our market position as the best custom


widgets manufacturer.

incident. Describe in the spaces provided below how you would


le.

Response
Ranked as #1 in all categories in annual "Custom Widget
World" Magazine poll.

Ranked as #1 in only one category of "Custom Widget


World" Magazine poll for only one year.

Not ranked #1 in any category of "Custom Widget World"


Magazine poll for one year.

Not ranked in top three in any category of "Custom


Widget World" Magazine poll for two years or more.
Unable to rank well in annual "Custom Widget World"
Magazine poll.

Response

To achieve our profit goals each year.

incident. Describe in the spaces provided below how you would

Response
$1,000
This enterprise could
tolerate a loss up to
$500,000 $500,000.
If this enterprise loses
more than $2,500,000,
$2,500,000 they could not recover.

$5,000,000

Response

To protect our customers from harm due to loss of their


intellectual property.

incident. Describe in the spaces provided below how you would


cceptable.

Response
No customer would suffer a loss of competitive
advantage.

One or few customers may be concerned about potential


loss of competitive advantage, but no harm would result.

One or few customers would suffer minor loss of


competitive advantage, but they could be made whole
within a fiscal year.
Many customers would suffer minor loss of competitive
advantage, or one to few customers would suffer harm
that would require significant business investment or
planning to recover.
We would not be able to protect our customers from
losses due to intellectual property theft.
on this page is considered sample data only, and is not meant
ect any one individual organization's Impact Criteria Survey.
Only to be used for demonstration purposes.
1 Enterprise Risk Assessment Criteria

Enterprise Name: Example Manufacturer
Scope: Enterprise
Last Completed (Date): 31-Jul-21

2 Impact Criteria

Impact Score | Mission | Operational Objectives | Financial Objectives | Obligations
Definition | Reliably produce just-in-time, custom widgets that meet demanding resiliency and design specifications, and within market-leading turnaround times. | To maintain our market position as the best custom widgets manufacturer. | To achieve our profit goals each year. | To protect our customers from harm due to loss of their intellectual property.
1. Negligible | All orders would be produced within specifications and on time and without unplanned effort. | Ranked as #1 in all categories in annual "Custom Widget World" Magazine poll. | $ 1,000.00 | No customer would suffer a loss of competitive advantage.
2. Acceptable | All orders would be produced within specifications and on time, but some may require unplanned effort to stay within tolerance metrics. | Ranked as #1 in only one category of "Custom Widget World" Magazine poll for only one year. | $ 500,000.00 | One or few customers may be concerned about potential loss of competitive advantage, but no harm would result.
3. Unacceptable | Few orders each quarter (outside of our tolerance metrics) may miss targets, but could be corrected with adjustments or discounts. | Not ranked #1 in any category of "Custom Widget World" Magazine poll for one year. | $ 2,500,000.00 | One or few customers would suffer minor loss of competitive advantage, but they could be made whole within a fiscal year.
4. High | We would repeatedly miss targets outside of tolerance metrics, requiring regular adjustments or discounts per quarter, or would require significant re-investment to operate regularly within our tolerance metrics. | Not ranked in top three in any category of "Custom Widget World" Magazine poll for two years or more. | $ 5,000,000.00 | Many customers would suffer minor loss of competitive advantage, or one to few customers would suffer harm that would require significant business investment or planning to recover.
5. Catastrophic | We could not meet our mission. | Unable to rank well in annual "Custom Widget World" Magazine poll. | (blank) | We would not be able to protect our customers from losses due to intellectual property theft.

3 Expectancy Criteria

Expectancy Score | Expectancy | Criteria
1 | Remote | Safeguard would reliably prevent the threat.
2 | Unlikely | Safeguard would reliably prevent most occurrences of the threat.
3 | As likely as not | Safeguard would prevent as many threat occurrences as it would miss.
4 | Likely | Safeguard would prevent few threat occurrences.
5 | Certain | Safeguard would not prevent threat occurrences.

4 Risk Acceptance Criteria

We would start to invest against risks to prevent this expectancy and impact, or higher.
Expectancy: 3
Impact: 3
Acceptable Risk is less than … 9

All data on this page is considered sample data only, and is not meant to reflect any one individual organization's Impact Criteria Survey. Only to be used for demonstration purposes.
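The arithmetic the Risk Register applies to these criteria (Expectancy Score times the highest of the four Impact scores, compared with the Risk Acceptance product of 3 x 3 = 9), as an added Python example that is not the workbook's own code. The sample rows are Safeguards 8.1 to 8.5 from the workbook's example register; the attack-type summary's treatment of "Yes" versus "Custom" and the meaning of "Unacceptable Count" are my reading of the sample figures, not something the workbook states.

```python
"""Risk scoring as the CIS RAM v2.1 for IG3 Risk Register computes it.

Added worked example, not code from the CIS workbook. It follows the sheet's
arithmetic: Risk Score = Expectancy Score x the highest of the four Impact
scores, and a risk is accepted only while its score stays below the product
of the Risk Acceptance Criteria (Expectancy 3 x Impact 3 = 9 in the sample).
"""
from dataclasses import dataclass
from typing import Dict, List

EXPECTANCY = {1: "Remote", 2: "Unlikely", 3: "As likely as not",
              4: "Likely", 5: "Certain"}
IMPACT = {1: "Negligible", 2: "Acceptable", 3: "Unacceptable",
          4: "High", 5: "Catastrophic"}
IMPACT_CATEGORIES = ("Mission", "Operational Objectives",
                     "Financial Objectives", "Obligations")


@dataclass(frozen=True)
class AcceptanceCriteria:
    """Risk Acceptance Criteria: invest against this expectancy and impact, or higher."""
    expectancy: int = 3
    impact: int = 3

    @property
    def threshold(self) -> int:
        """'Acceptable Risk is less than' this value."""
        return self.expectancy * self.impact


@dataclass(frozen=True)
class RiskRow:
    safeguard: str
    expectancy: int
    impacts: Dict[str, int]          # impact category -> score 1..5
    defends_against: Dict[str, str]  # CDM attack type -> "Yes" / "No" / "Custom"

    def __post_init__(self) -> None:
        if self.expectancy not in EXPECTANCY:
            raise ValueError(f"{self.safeguard}: expectancy must be 1..5")
        for cat in IMPACT_CATEGORIES:
            if self.impacts.get(cat) not in IMPACT:
                raise ValueError(f"{self.safeguard}: impact to {cat} must be 1..5")


def impact_score(row: RiskRow) -> int:
    """The highest of the four impact scores drives the risk."""
    return max(row.impacts[c] for c in IMPACT_CATEGORIES)


def risk_score(row: RiskRow) -> int:
    return row.expectancy * impact_score(row)


def treatment_option(row: RiskRow, criteria: AcceptanceCriteria) -> str:
    """'Accept' while the score is below the threshold, otherwise 'Reduce'."""
    return "Accept" if risk_score(row) < criteria.threshold else "Reduce"


def driving_categories(row: RiskRow) -> List[str]:
    """Impact categories that set the score; lowering one of these is what reduces the risk."""
    top = impact_score(row)
    return [c for c in IMPACT_CATEGORIES if row.impacts[c] == top]


def attack_type_summary(rows: List[RiskRow], attack_type: str) -> Dict[str, float]:
    """High / Average / Unacceptable Count for one CDM attack type.

    Assumption (mine, it reproduces the sample register's figures): a risk is
    associated with an attack type when its safeguard is marked "Yes" for it,
    and 'Unacceptable Count' counts associated risks whose highest impact is
    3 (Unacceptable) or worse.
    """
    assoc = [r for r in rows if r.defends_against.get(attack_type) == "Yes"]
    if not assoc:
        return {"High": 0, "Average": 0.0, "Unacceptable Count": 0}
    scores = [risk_score(r) for r in assoc]
    return {"High": max(scores),
            "Average": sum(scores) / len(scores),
            "Unacceptable Count": sum(1 for r in assoc if impact_score(r) >= 3)}


def sample_rows() -> List[RiskRow]:
    """Safeguards 8.1 to 8.5 of the workbook's sample register."""
    def imp(m, o, f, ob):
        return dict(zip(IMPACT_CATEGORIES, (m, o, f, ob)))

    def da(malware, ransomware, web, insider, targeted):
        return {"Malware": malware, "Ransomware": ransomware,
                "Web Application Hacking": web,
                "Insider and Privilege Misuse": insider,
                "Targeted Intrusions": targeted}

    yes5 = da("Yes", "Yes", "Yes", "Yes", "Yes")
    return [
        RiskRow("8.1", 3, imp(3, 4, 4, 4), yes5),
        RiskRow("8.2", 1, imp(3, 4, 4, 4), yes5),
        RiskRow("8.3", 1, imp(3, 4, 4, 4), yes5),
        RiskRow("8.4", 1, imp(3, 4, 4, 4), da("No", "No", "No", "No", "No")),
        RiskRow("8.5", 3, imp(3, 4, 5, 5), da("No", "No", "No", "Custom", "Yes")),
    ]


if __name__ == "__main__":
    criteria = AcceptanceCriteria()
    for row in sample_rows():
        print(row.safeguard, risk_score(row), treatment_option(row, criteria),
              ", ".join(driving_categories(row)))
    print(attack_type_summary(sample_rows(), "Malware"))
```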
Risk Register

Enterprise Risk Assessment Criteria
Enterprise Name: Example Manufacturer
Scope: Enterprise
Last Completed (Date): 31-Jul-21

Risk Analysis

Summary by CDM attack type
CDM Attack Type | Risks Associated with Malware | Risks Associated with Ransomware | Risks Associated with Web App Hacking | Risks Associated with Insider and Privilege Misuse | Risks Associated with Targeted Intrusions
High | 12 | 12 | 12 | 12 | 15
Average | 6.66666666666667 | 6.66666666666667 | 6.66666666666667 | 8.75 | 8.75
Unacceptable Count | 3 | 3 | 3 | 3 | 4

Safeguards (the Asset Name column is blank in the sample register)
CIS Safeguard # | CIS Safeguard Title | Asset Class | NIST CSF Security Function | Implementation Groups | Defends Against Malware | Defends Against Ransomware | Defends Against Web Application Hacking | Defends Against Insider and Privilege Misuse | Defends Against Targeted Intrusions | Defends Against All Attack Types
1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | Devices | Identify | IG1, IG2, IG3 | No | No | No | No | No | 0
1.2 | Address Unauthorized Assets | Devices | Respond | IG1, IG2, IG3 | No | No | No | No | No | 0
1.3 | Utilize an Active Discovery Tool | Devices | Detect | IG2, IG3 | No | No | No | No | No | 0
1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | Devices | Identify | IG2, IG3 | No | No | No | No | No | 0
1.5 | Use a Passive Asset Discovery Tool | Devices | Detect | IG3 | No | No | No | No | No | 0
2.1 | Establish and Maintain a Software Inventory | Applications | Identify | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
2.2 | Ensure Authorized Software is Currently Supported | Applications | Identify | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
2.3 | Address Unauthorized Software | Applications | Respond | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
2.4 | Utilize Automated Software Inventory Tools | Applications | Detect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
2.5 | Allowlist Authorized Software | Applications | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
2.6 | Allowlist Authorized Libraries | Applications | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
2.7 | Allowlist Authorized Scripts | Applications | Protect | IG3 | Yes | Yes | Yes | Yes | Yes | 5
3.1 | Establish and Maintain a Data Management Process | Data | Identify | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
3.2 | Establish and Maintain a Data Inventory | Data | Identify | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
3.3 | Configure Data Access Control Lists | Data | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
3.4 | Enforce Data Retention | Data | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
3.5 | Securely Dispose of Data | Data | Protect | IG1, IG2, IG3 | No | No | No | No | No | 0
3.6 | Encrypt Data on End-User Devices | Devices | Protect | IG1, IG2, IG3 | No | No | No | No | No | 0
3.7 | Establish and Maintain a Data Classification Scheme | Data | Identify | IG2, IG3 | No | No | No | No | No | 0
3.8 | Document Data Flows | Data | Identify | IG2, IG3 | No | No | No | No | No | 0
3.9 | Encrypt Data on Removable Media | Data | Protect | IG2, IG3 | No | No | No | No | No | 0
3.10 | Encrypt Sensitive Data in Transit | Data | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
3.11 | Encrypt Sensitive Data at Rest | Data | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
3.12 | Segment Data Processing and Storage Based on Sensitivity | Network | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
3.13 | Deploy a Data Loss Prevention Solution | Data | Protect | IG3 | No | No | No | No | No | 0
3.14 | Log Sensitive Data Access | Data | Detect | IG3 | No | No | No | No | No | 0
4.1 | Establish and Maintain a Secure Configuration Process | Applications | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | Network | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
4.3 | Configure Automatic Session Locking on Enterprise Assets | Users | Protect | IG1, IG2, IG3 | No | No | No | No | No | 0
4.4 | Implement and Manage a Firewall on Servers | Devices | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
4.5 | Implement and Manage a Firewall on End-User Devices | Devices | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
4.6 | Securely Manage Enterprise Assets and Software | Network | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | No | 4
4.7 | Manage Default Accounts on Enterprise Assets and Software | Users | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | Devices | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
4.9 | Configure Trusted DNS Servers on Enterprise Assets | Devices | Protect | IG2, IG3 | Yes | No | No | No | Yes | 2
4.10 | Enforce Automatic Device Lockout on Portable End-User Devices | Devices | Respond | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | Devices | Protect | IG2, IG3 | No | No | No | No | No | 0
4.12 | Separate Enterprise Workspaces on Mobile End-User Devices | Devices | Protect | IG3 | No | No | No | No | No | 0
5.1 | Establish and Maintain an Inventory of Accounts | Users | Identify | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
5.2 | Use Unique Passwords | Users | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
5.3 | Disable Dormant Accounts | Users | Respond | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | Users | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
5.5 | Establish and Maintain an Inventory of Service Accounts | Users | Identify | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
5.6 | Centralize Account Management | Users | Protect | IG2, IG3 | No | No | No | No | No | 0
6.1 | Establish an Access Granting Process | Users | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
6.2 | Establish an Access Revoking Process | Users | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
6.3 | Require MFA for Externally-Exposed Applications | Users | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
6.4 | Require MFA for Remote Network Access | Users | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
6.5 | Require MFA for Administrative Access | Users | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
6.6 | Establish and Maintain an Inventory of Authentication and Authorization Systems | Users | Identify | IG2, IG3 | No | No | No | No | No | 0
6.7 | Centralize Access Control | Users | Protect | IG2, IG3 | No | No | No | No | No | 0
6.8 | Define and Maintain Role-Based Access Control | Data | Protect | IG3 | Yes | Yes | Yes | Yes | Yes | 5
7.1 | Establish and Maintain a Vulnerability Management Process | Applications | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
7.2 | Establish and Maintain a Remediation Process | Applications | Respond | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
7.3 | Perform Automated Operating System Patch Management | Applications | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
7.4 | Perform Automated Application Patch Management | Applications | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
7.5 | Perform Automated Vulnerability Scans of Internal Enterprise Assets | Applications | Identify | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
7.6 | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | Applications | Identify | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
7.7 | Remediate Detected Vulnerabilities | Applications | Respond | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
8.1 | Establish and Maintain an Audit Log Management Process | Network | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
8.2 | Collect Audit Logs | Network | Detect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
8.3 | Ensure Adequate Audit Log Storage | Network | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
8.4 | Standardize Time Synchronization | Network | Protect | IG2, IG3 | No | No | No | No | No | 0
8.5 | Collect Detailed Audit Logs | Network | Detect | IG2, IG3 | No | No | No | Custom | Yes | 1
8.6 | Collect DNS Query Audit Logs | Network | Detect | IG2, IG3 | No | No | No | No | No | 0
8.7 | Collect URL Request Audit Logs | Network | Detect | IG2, IG3 | No | No | No | No | No | 0
8.8 | Collect Command-Line Audit Logs | Devices | Detect | IG2, IG3 | No | No | No | No | No | 0
8.9 | Centralize Audit Logs | Network | Detect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
8.10 | Retain Audit Logs | Network | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
8.11 | Conduct Audit Log Reviews | Network | Detect | IG2, IG3 | No | No | No | No | Yes | 1
8.12 | Collect Service Provider Logs | Data | Detect | IG3 | No | No | No | No | No | 0
9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | Applications | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | No | No | 3
9.2 | Use DNS Filtering Services | Network | Protect | IG1, IG2, IG3 | Yes | Yes | No | No | Yes | 3
9.3 | Maintain and Enforce Network-Based URL Filters | Network | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | Applications | Protect | IG2, IG3 | Yes | Yes | Yes | No | No | 3
9.5 | Implement DMARC | Network | Protect | IG2, IG3 | No | No | No | No | No | 0
9.6 | Block Unnecessary File Types | Network | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
9.7 | Deploy and Maintain Email Server Anti-Malware Protections | Network | Protect | IG3 | Yes | Yes | Yes | Yes | Yes | 5
10.1 | Deploy and Maintain Anti-Malware Software | Devices | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
10.2 | Configure Automatic Anti-Malware Signature Updates | Devices | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
10.3 | Disable Autorun and Autoplay for Removable Media | Devices | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | No | 4
10.4 | Configure Automatic Anti-Malware Scanning of Removable Media | Devices | Detect | IG2, IG3 | No | No | No | No | No | 0
10.5 | Enable Anti-Exploitation Features | Devices | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
10.6 | Centrally Manage Anti-Malware Software | Devices | Protect | IG2, IG3 | No | No | No | No | No | 0
10.7 | Use Behavior-Based Anti-Malware Software | Devices | Detect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
11.1 | Establish and Maintain a Data Recovery Process | Data | Recover | IG1, IG2, IG3 | No | Yes | No | Yes | Yes | 3
11.2 | Perform Automated Backups | Data | Recover | IG1, IG2, IG3 | No | Yes | No | Yes | Yes | 3
11.3 | Protect Recovery Data | Data | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
11.4 | Establish and Maintain an Isolated Instance of Recovery Data | Data | Recover | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
11.5 | Test Data Recovery | Data | Recover | IG2, IG3 | No | Yes | No | Yes | Yes | 3
12.1 | Ensure Network Infrastructure is Up-to-Date | Network | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | No | Yes | 4
12.2 | Establish and Maintain a Secure Network Architecture | Network | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
12.3 | Securely Manage Network Infrastructure | Network | Protect | IG2, IG3 | No | No | No | No | No | 0
12.4 | Establish and Maintain Architecture Diagram(s) | Network | Identify | IG2, IG3 | No | No | No | No | No | 0
12.5 | Centralize Network Authentication, Authorization, and Auditing (AAA) | Network | Protect | IG2, IG3 | No | No | No | No | No | 0
12.6 | Use of Secure Network Management and Communication Protocols | Network | Protect | IG2, IG3 | No | No | No | No | No | 0
12.7 | Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure | Devices | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
12.8 | Establish and Maintain Dedicated Computing Resources for All Administrative Work | Devices | Protect | IG3 | Yes | Yes | Yes | Yes | Yes | 5
13.1 | Centralize Security Event Alerting | Network | Detect | IG2, IG3 | No | No | No | No | No | 0
13.2 | Deploy a Host-Based Intrusion Detection Solution | Devices | Detect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
13.3 | Deploy a Network Intrusion Detection Solution | Network | Detect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
13.4 | Perform Traffic Filtering Between Network Segments | Network | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
13.5 | Manage Access Control for Remote Assets | Devices | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
13.6 | Collect Network Traffic Flow Logs | Network | Detect | IG2, IG3 | No | No | No | No | No | 0
13.7 | Deploy a Host-Based Intrusion Prevention Solution | Devices | Protect | IG3 | Yes | Yes | Yes | Yes | Yes | 5
13.8 | Deploy a Network Intrusion Prevention Solution | Network | Protect | IG3 | Yes | Yes | Yes | Yes | Yes | 5
13.9 | Deploy Port-Level Access Control | Devices | Protect | IG3 | No | No | No | No | No | 0
13.10 | Perform Application Layer Filtering | Network | Protect | IG3 | Yes | Yes | Yes | Yes | Yes | 5
13.11 | Tune Security Event Alerting Thresholds | Network | Detect | IG3 | No | No | No | No | No | 0
14.1 | Establish and Maintain a Security Awareness Program | Enterprise | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
14.2 | Train Workforce Members to Recognize Social Engineering Attacks | Enterprise | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
14.3 | Train Workforce Members on Authentication Best Practices | Enterprise | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
14.4 | Train Workforce on Data Handling Best Practices | Enterprise | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | Enterprise | Protect | IG1, IG2, IG3 | No | Yes | No | Yes | No | 2
14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | Enterprise | Protect | IG1, IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
14.7 | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates | Enterprise | Protect | IG1, IG2, IG3 | No | No | No | No | No | 0
14.8 | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | Enterprise | Protect | IG1, IG2, IG3 | No | No | No | No | No | 0
14.9 | Conduct Role-Specific Security Awareness and Skills Training | Enterprise | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
15.1 | Establish and Maintain an Inventory of Service Providers | Enterprise | Identify | IG1, IG2, IG3 | No | No | No | No | No | 0
15.2 | Establish and Maintain a Service Provider Management Policy | Enterprise | Identify | IG2, IG3 | No | No | No | No | No | 0
15.3 | Classify Service Providers | Enterprise | Identify | IG2, IG3 | No | No | No | No | No | 0
15.4 | Ensure Service Provider Contracts Include Security Requirements | Enterprise | Protect | IG2, IG3 | No | No | No | No | No | 0
15.5 | Assess Service Providers | Enterprise | Identify | IG2, IG3 | No | No | No | No | No | 0
15.6 | Monitor Service Providers | Data | Detect | IG2, IG3 | No | No | No | No | No | 0
15.7 | Securely Decommission Service Providers | Data | Protect | IG3 | No | Yes | Yes | Yes | No | 3
16.1 | Establish and Maintain a Secure Application Development Process | Applications | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
16.2 | Establish and Maintain a Process to Accept and Address Software Vulnerabilities | Applications | Protect | IG2, IG3 | No | Yes | Yes | Yes | Yes | 4
16.3 | Perform Root Cause Analysis on Security Vulnerabilities | Applications | Protect | IG2, IG3 | No | Yes | Yes | Yes | Yes | 4
16.4 | Establish and Manage an Inventory of Third-Party Software Components | Applications | Protect | IG2, IG3 | No | Yes | Yes | Yes | Yes | 4
16.5 | Use Up-to-Date and Trusted Third-Party Software Components | Applications | Protect | IG2, IG3 | No | Yes | Yes | Yes | Yes | 4
16.6 | Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities | Applications | Protect | IG2, IG3 | No | No | No | No | No | 0
16.7 | Use Standard Hardening Configuration Templates for Application Infrastructure | Applications | Protect | IG2, IG3 | No | No | No | No | No | 0
16.8 | Separate Production and Non-Production Systems | Applications | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
16.9 | Train Developers in Application Security Concepts and Secure Coding | Applications | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
16.10 | Apply Secure Design Principles in Application Architectures | Applications | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
16.11 | Leverage Vetted Modules or Services for Application Security Components | Applications | Protect | IG2, IG3 | No | Yes | Yes | Yes | Yes | 4
16.12 | Implement Code-Level Security Checks | Applications | Protect | IG2, IG3 | No | Yes | Yes | Yes | Yes | 4
16.13 | Conduct Application Penetration Testing | Applications | Protect | IG3 | Yes | Yes | Yes | Yes | Yes | 5
16.14 | Conduct Threat Modeling | Applications | Protect | IG3 | No | No | No | No | No | 0
17.1 | Designate Personnel to Manage Incident Handling | Enterprise | Respond | IG1, IG2, IG3 | No | No | No | No | No | 0
17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | Enterprise | Respond | IG1, IG2, IG3 | No | No | No | No | No | 0
17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | Enterprise | Respond | IG1, IG2, IG3 | No | No | No | No | No | 0
17.4 | Establish and Maintain an Incident Response Process | Enterprise | Respond | IG2, IG3 | No | No | No | No | No | 0
17.5 | Assign Key Roles and Responsibilities | Enterprise | Respond | IG2, IG3 | No | No | No | No | No | 0
17.6 | Define Mechanisms for Communicating During Incident Response | Enterprise | Respond | IG2, IG3 | No | No | No | No | No | 0
17.7 | Conduct Routine Incident Response Exercises | Enterprise | Recover | IG2, IG3 | No | No | No | No | No | 0
17.8 | Conduct Post-Incident Reviews | Enterprise | Recover | IG2, IG3 | No | No | No | No | No | 0
17.9 | Establish and Maintain Security Incident Thresholds | Enterprise | Recover | IG3 | No | No | No | No | No | 0
18.1 | Establish and Maintain a Penetration Testing Program | Enterprise | Identify | IG2, IG3 | Yes | Yes | Yes | No | Yes | 4
18.2 | Perform Periodic External Penetration Tests | Network | Identify | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
18.3 | Remediate Penetration Test Findings | Network | Protect | IG2, IG3 | Yes | Yes | Yes | Yes | Yes | 5
18.4 | Validate Security Measures | Network | Protect | IG3 | No | No | No | No | No | 0
18.5 | Perform Periodic Internal Penetration Tests | Enterprise | Identify | IG3 | Yes | Yes | Yes | Yes | Yes | 5

All data on this page is considered sample data only, and is not meant to refl

Evidence of
Our Implementation Vulnerabilities Threats
Implementation
Recently published threats
Alerts and correlation in the
The "Log Management that are detectable by
SIEM have not been fine-
Standard" applies to all evaluating correlated
tuned to threats in our
systems in the enterprise. indicators may exploit
specific networks.
systems undetected.

All network devices, Some systems' log Well-funded attackers may


systems, and applications services may be stopped block evidence of their
send logs to the tiered as part of a well-funded attacks by shutting down
repository. attack. logging services.
We use a tiered log
New threats that create
repository. Three months Some unlikely attack
tremendous log messaging
are stored in the primary methods may flood the
may require more storage
repository. One year is network with messages,
space, but bursts would be
stored in archives. We do making threats difficult to
detectable in days with
not use more than 50% of analyze.
enough time to respond.
available space.

Attackers exploit a system


Each system uses a If some system clocks whose clock is not synced
primary and secondary stray from others in the with other networked
time server hosted by network, log analysis may systems, making
authoritative services. become difficult. correlation and detection
difficult for us.

The SIEM alerts on rules Personnel may abuse their


Insider abuse of systems
that are provided by the access to system
and data would appear
vendor, but we have not configurations, records, or
indistinguishable from
tuned the rules to signs of network resources
normal use.
internal misuse. undetected.
d is not meant to reflect an individual organization's risk register. Only to be used for demonstration purpose

Impact to Impact to
Safeguard Expectancy Impact to
VCDB Index Operational Financial
Maturity Score Score Mission
Objectives Objectives

1
1

3
1

1
1

3
3

1
1

2 1 3 3 4 4

5 1 1 3 4 4

5 1 1 3 4 4

5 1 1 3 4 4

2 1 3 3 4 5

1
1
1

1
3

1
1

3
3

3
3

1
1

1
1

3
3

3
sed for demonstration purposes.

Risk Register Risk Treatment

Impact to Risk Treatment Risk Treatment Risk Treatment


Risk Score Risk Level
Obligations Option Safeguard Safeguard Title

Establish and Maintain


1.1 Detailed Enterprise Asset
Inventory

Address Unauthorized
1.2
Assets

Utilize an Active Discovery


1.3
Tool

Use Dynamic Host


Configuration Protocol
1.4
(DHCP) Logging to Update
Enterprise Asset Inventory

Use a Passive Asset


1.5
Discovery Tool
Establish and Maintain a
2.1
Software Inventory

Ensure Authorized
2.2 Software is Currently
Supported

Address Unauthorized
2.3
Software

Utilize Automated Software


2.4
Inventory Tools

Allowlist Authorized
2.5
Software

Allowlist Authorized
2.6
Libraries

2.7 Allowlist Authorized Scripts

Establish and Maintain a


3.1
Data Management Process

Establish and Maintain a


3.2
Data Inventory

Configure Data Access


3.3
Control Lists

3.4 Enforce Data Retention

3.5 Securely Dispose of Data


Encrypt Data on End-User
3.6
Devices

Establish and Maintain a


3.7 Data Classification
Scheme

3.8 Document Data Flows

Encrypt Data on
3.9
Removable Media

Encrypt Sensitive Data in


3.1
Transit

Encrypt Sensitive Data at


3.11
Rest

Segment Data Processing


3.12 and Storage Based on
Sensitivity

Deploy a Data Loss


3.13
Prevention Solution

3.14 Log Sensitive Data Access

Establish and Maintain a


4.1 Secure Configuration
Process

Establish and Maintain a


Secure Configuration
4.2
Process for Network
Infrastructure

Configure Automatic
4.3 Session Locking on
Enterprise Assets

Implement and Manage a


4.4
Firewall on Servers
4.5  Implement and Manage a Firewall on End-User Devices
4.6  Securely Manage Enterprise Assets and Software
4.7  Manage Default Accounts on Enterprise Assets and Software
4.8  Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
4.9  Configure Trusted DNS Servers on Enterprise Assets
4.10  Enforce Automatic Device Lockout on Portable End-User Devices
4.11  Enforce Remote Wipe Capability on Portable End-User Devices
4.12  Separate Enterprise Workspaces on Mobile End-User Devices
5.1  Establish and Maintain an Inventory of Accounts
5.2  Use Unique Passwords
5.3  Disable Dormant Accounts
5.4  Restrict Administrator Privileges to Dedicated Administrator Accounts
5.5  Establish and Maintain an Inventory of Service Accounts
5.6  Centralize Account Management
6.1  Establish an Access Granting Process
6.2  Establish an Access Revoking Process
6.3  Require MFA for Externally-Exposed Applications
6.4  Require MFA for Remote Network Access
6.5  Require MFA for Administrative Access
6.6  Establish and Maintain an Inventory of Authentication and Authorization Systems
6.7  Centralize Access Control
6.8  Define and Maintain Role-Based Access Control
7.1  Establish and Maintain a Vulnerability Management Process
7.2  Establish and Maintain a Remediation Process
7.3  Perform Automated Operating System Patch Management
7.4  Perform Automated Application Patch Management
7.5  Perform Automated Vulnerability Scans of Internal Enterprise Assets
7.6  Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
7.7  Remediate Detected Vulnerabilities
8.1  Establish and Maintain an Audit Log Management Process    4 12 Reduce
8.2  Collect Audit Logs    4 4 Accept
8.3  Ensure Adequate Audit Log Storage    4 4 Accept
8.4  Standardize Time Synchronization    4 4 Accept
8.5  Collect Detailed Audit Logs    5 15 Reduce
8.6  Collect DNS Query Audit Logs
8.7  Collect URL Request Audit Logs
8.8  Collect Command-Line Audit Logs
8.9  Centralize Audit Logs
8.10  Retain Audit Logs
8.11  Conduct Audit Log Reviews
8.12  Collect Service Provider Logs
9.1  Ensure Use of Only Fully Supported Browsers and Email Clients
9.2  Use DNS Filtering Services
9.3  Maintain and Enforce Network-Based URL Filters
9.4  Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
9.5  Implement DMARC
9.6  Block Unnecessary File Types
9.7  Deploy and Maintain Email Server Anti-Malware Protections
10.1  Deploy and Maintain Anti-Malware Software
10.2  Configure Automatic Anti-Malware Signature Updates
10.3  Disable Autorun and Autoplay for Removable Media
10.4  Configure Automatic Anti-Malware Scanning of Removable Media
10.5  Enable Anti-Exploitation Features
10.6  Centrally Manage Anti-Malware Software
10.7  Use Behavior-Based Anti-Malware Software
11.1  Establish and Maintain a Data Recovery Process
11.2  Perform Automated Backups
11.3  Protect Recovery Data
11.4  Establish and Maintain an Isolated Instance of Recovery Data
11.5  Test Data Recovery
12.1  Ensure Network Infrastructure is Up-to-Date
12.2  Establish and Maintain a Secure Network Architecture
12.3  Securely Manage Network Infrastructure
12.4  Establish and Maintain Architecture Diagram(s)
12.5  Centralize Network Authentication, Authorization, and Auditing (AAA)
12.6  Use of Secure Network Management and Communication Protocols
12.7  Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
12.8  Establish and Maintain Dedicated Computing Resources for All Administrative Work
13.1  Centralize Security Event Alerting
13.2  Deploy a Host-Based Intrusion Detection Solution
13.3  Deploy a Network Intrusion Detection Solution
13.4  Perform Traffic Filtering Between Network Segments
13.5  Manage Access Control for Remote Assets
13.6  Collect Network Traffic Flow Logs
13.7  Deploy a Host-Based Intrusion Prevention Solution
13.8  Deploy a Network Intrusion Prevention Solution
13.9  Deploy Port-Level Access Control
13.10  Perform Application Layer Filtering
13.11  Tune Security Event Alerting Thresholds
14.1  Establish and Maintain a Security Awareness Program
14.2  Train Workforce Members to Recognize Social Engineering Attacks
14.3  Train Workforce Members on Authentication Best Practices
14.4  Train Workforce on Data Handling Best Practices
14.5  Train Workforce Members on Causes of Unintentional Data Exposure
14.6  Train Workforce Members on Recognizing and Reporting Security Incidents
14.7  Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
14.8  Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
14.9  Conduct Role-Specific Security Awareness and Skills Training
15.1  Establish and Maintain an Inventory of Service Providers
15.2  Establish and Maintain a Service Provider Management Policy
15.3  Classify Service Providers
15.4  Ensure Service Provider Contracts Include Security Requirements
15.5  Assess Service Providers
15.6  Monitor Service Providers
15.7  Securely Decommission Service Providers
16.1  Establish and Maintain a Secure Application Development Process
16.2  Establish and Maintain a Process to Accept and Address Software Vulnerabilities
16.3  Perform Root Cause Analysis on Security Vulnerabilities
16.4  Establish and Manage an Inventory of Third-Party Software Components
16.5  Use Up-to-Date and Trusted Third-Party Software Components
16.6  Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
16.7  Use Standard Hardening Configuration Templates for Application Infrastructure
16.8  Separate Production and Non-Production Systems
16.9  Train Developers in Application Security Concepts and Secure Coding
16.10  Apply Secure Design Principles in Application Architectures
16.11  Leverage Vetted Modules or Services for Application Security Components
16.12  Implement Code-Level Security Checks
16.13  Conduct Application Penetration Testing
16.14  Conduct Threat Modeling
17.1  Designate Personnel to Manage Incident Handling
17.2  Establish and Maintain Contact Information for Reporting Security Incidents
17.3  Establish and Maintain an Enterprise Process for Reporting Incidents
17.4  Establish and Maintain an Incident Response Process
17.5  Assign Key Roles and Responsibilities
17.6  Define Mechanisms for Communicating During Incident Response
17.7  Conduct Routine Incident Response Exercises
17.8  Conduct Post-Incident Reviews
17.9  Establish and Maintain Security Incident Thresholds
18.1  Establish and Maintain a Penetration Testing Program
18.2  Perform Periodic External Penetration Tests
18.3  Remediate Penetration Test Findings
18.4  Validate Security Measures
18.5  Perform Periodic Internal Penetration Tests
Safeguard    Description    Risk Treatment    Our Planned Implementation

1.1  Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.

1.2  Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.

1.3  Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently.

1.4  Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.

1.5  Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently.
2.1  Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.

2.2  Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently.

2.3  Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.

2.4  Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.

2.5  Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.

2.6  Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.

2.7  Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
3.1  Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

3.2  Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.

3.3  Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.

3.4  Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.

3.5  Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity.

3.6  Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

3.7  Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.

3.8  Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

3.9  Encrypt data on removable media.

3.10  Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).

3.11  Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.

3.12  Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.

3.13  Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory.

3.14  Log sensitive data access, including modification and disposal.

4.1  Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

4.2  Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

4.3  Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.

4.4  Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.

4.5  Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

4.6  Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.

4.7  Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.

4.8  Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.

4.9  Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.

4.10  Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.

4.11  Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.

4.12  Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.

5.1  Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

5.2  Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.

5.3  Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.

5.4  Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

5.5  Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

5.6  Centralize account management through a directory or identity service.

6.1  Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.

6.2  Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.

6.3  Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.

6.4  Require MFA for remote network access.

6.5  Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

6.6  Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.

6.7  Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.

6.8  Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
7.1  Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

7.2  Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.

7.3  Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

7.4  Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

7.5  Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.

7.6  Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.

7.7  Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
8.1  Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Our Planned Implementation: Develop scenarios in which personnel abuse access. Develop SIEM alerts based on those scenarios. Update annually.

8.2  Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

8.3  Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

8.4  Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.

8.5  Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
Our Planned Implementation: Develop scenarios in which personnel abuse access. Develop SIEM alerts based on those scenarios. Update annually.

8.6  Collect DNS query audit logs on enterprise assets, where appropriate and supported.

8.7  Collect URL request audit logs on enterprise assets, where appropriate and supported.

8.8  Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.

8.9  Centralize, to the extent possible, audit log collection and retention across enterprise assets.

8.10  Retain audit logs across enterprise assets for a minimum of 90 days.

8.11  Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

8.12  Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.

9.1  Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.

9.2  Use DNS filtering services on all enterprise assets to block access to known malicious domains.

9.3  Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.

9.4  Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.

9.5  To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

9.6  Block unnecessary file types attempting to enter the enterprise’s email gateway.

9.7  Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.

10.1  Deploy and maintain anti-malware software on all enterprise assets.

10.2  Configure automatic updates for anti-malware signature files on all enterprise assets.

10.3  Disable autorun and autoplay auto-execute functionality for removable media.

10.4  Configure anti-malware software to automatically scan removable media.

10.5  Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

10.6  Centrally manage anti-malware software.

10.7  Use behavior-based anti-malware software.


11.1  Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

11.2  Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.

11.3  Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.

11.4  Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services.

11.5  Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
12.1  Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.

12.2  Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

12.3  Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.

12.4  Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

12.5  Centralize network AAA.

12.6  Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).

12.7  Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.

12.8  Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access.

13.1  Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.

13.2  Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

13.3  Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

13.4  Perform traffic filtering between network segments, where appropriate.

13.5  Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date.

13.6  Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

13.7  Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

13.8  Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

13.9  Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.

13.10  Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

13.11  Tune security event alerting thresholds monthly, or more frequently.

14.1  Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.

14.2  Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

14.3  Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.

14.4  Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.

14.5  Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.

14.6  Train workforce members to be able to recognize a potential incident and be able to report such an incident.

14.7  Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.

14.8  Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.

14.9  Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.

15.1  Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.

15.2  Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard.

15.3  Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard.

15.4  Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements.

15.5  Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.

15.6  Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.

15.7  Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.

16.1  Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

16.2  Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.

16.3  Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise.

16.4  Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported.

16.5  Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.

16.6  Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually.

Use standard, industry-recommended hardening configuration templates


for application infrastructure components. This includes underlying
servers, databases, and web servers, and applies to cloud containers,
Platform as a Service (PaaS) components, and SaaS components. Do
not allow in-house developed software to weaken configuration
hardening.
Maintain separate environments for production and non-production
systems.

Ensure that all software development personnel receive training in writing


secure code for their specific development environment and
responsibilities. Training can include general security principles and
application security standard practices. Conduct training at least annually
and design in a way to promote security within the development team,
and build a culture of security among the developers.

Apply secure design principles in application architectures. Secure design


principles include the concept of least privilege and enforcing mediation to
validate every operation that the user makes, promoting the concept of
"never trust user input." Examples include ensuring that explicit error
checking is performed and documented for all input, including for size,
data type, and acceptable ranges or formats. Secure design also means
minimizing the application infrastructure attack surface, such as turning
off unprotected ports and services, removing unnecessary programs and
files, and renaming or removing default accounts.

Leverage vetted modules or services for application security components,


such as identity management, encryption, and auditing and logging.
Using platform features in critical security functions will reduce
developers’ workload and minimize the likelihood of design or
implementation errors. Modern operating systems provide effective
mechanisms for identification, authentication, and authorization and make
those mechanisms available to applications. Use only standardized,
currently accepted, and extensively reviewed encryption algorithms.
Operating systems also provide mechanisms to create and maintain
secure audit logs.

Apply static and dynamic analysis tools within the application life cycle to
verify that secure coding practices are being followed.

Conduct application penetration testing. For critical applications,


authenticated penetration testing is better suited to finding business logic
vulnerabilities than code scanning and automated security
testing. Penetration testing relies on the skill of the tester to manually
manipulate an application as an authenticated and unauthenticated user.
Conduct threat modeling. Threat modeling is the process of identifying
and addressing application security design flaws within a design, before
code is created. It is conducted through specially trained individuals who
evaluate the application design and gauge security risks for each entry
point and access level. The goal is to map out the application,
architecture, and infrastructure in a structured way to understand its
weaknesses.

Designate one key person, and at least one backup, who will manage the
enterprise’s incident handling process. Management personnel are
responsible for the coordination and documentation of incident response
and recovery efforts and can consist of employees internal to the
enterprise, third-party vendors, or a hybrid approach. If using a third-party
vendor, designate at least one person internal to the enterprise to
oversee any third-party work. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.

Establish and maintain contact information for parties that need to be


informed of security incidents. Contacts may include internal staff, third-
party vendors, law enforcement, cyber insurance providers, relevant
government agencies, Information Sharing and Analysis Center (ISAC)
partners, or other stakeholders. Verify contacts annually to ensure that
information is up-to-date.

Establish and maintain an enterprise process for the workforce to report


security incidents. The process includes reporting timeframe, personnel to
report to, mechanism for reporting, and the minimum information to be
reported. Ensure the process is publicly available to all of the workforce.
Review annually, or when significant enterprise changes occur that could
impact this Safeguard.
Establish and maintain an incident response process that addresses roles
and responsibilities, compliance requirements, and a communication plan.
Review annually, or when significant enterprise changes occur that could
impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff
from legal, IT, information security, facilities, public relations, human
resources, incident responders, and analysts, as applicable. Review
annually, or when significant enterprise changes occur that could impact
this Safeguard.
Determine which primary and secondary mechanisms will be used to
communicate and report during a security incident. Mechanisms can
include phone calls, emails, or letters. Keep in mind that certain
mechanisms, such as emails, can be affected during a security incident.
Review annually, or when significant enterprise changes occur that could
impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for
key personnel involved in the incident response process to prepare for
responding to real-world incidents. Exercises need to test communication
channels, decision making, and workflows. Conduct testing on an annual
basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent
incident recurrence through identifying lessons learned and follow-up
action.
Establish and maintain security incident thresholds, including, at a
minimum, differentiating between an incident and an event. Examples can
include: abnormal activity, security vulnerability, security weakness, data
breach, privacy incident, etc. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.

Establish and maintain a penetration testing program appropriate to the


size, complexity, and maturity of the enterprise. Penetration testing
program characteristics include scope, such as network, web application,
Application Programming Interface (API), hosted services, and physical
premise controls; frequency; limitations, such as acceptable hours, and
excluded attack types; point of contact information; remediation, such as
how findings will be routed internally; and retrospective requirements.

Perform periodic external penetration tests based on program


requirements, no less than annually. External penetration testing must
include enterprise and environmental reconnaissance to detect
exploitable information. Penetration testing requires specialized skills and
experience and must be conducted through a qualified party. The testing
may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s policy for
remediation scope and prioritization.
Validate security measures after each penetration test. If deemed
necessary, modify rulesets and capabilities to detect the techniques used
during testing.
Perform periodic internal penetration tests based on program
requirements, no less than annually. The testing may be clear box or
opaque box.
Risk Treatment Safeguard Maturity Score | Risk Treatment Safeguard Expectancy Score | Risk Treatment Safeguard Impact to Mission | Risk Treatment Safeguard Impact to Operational Objectives | Risk Treatment Safeguard Impact to Financial Objectives
4 | 1 | 2 | 2 | 2
4 | 1 | 2 | 2 | 2
Risk Treatment Safeguard Impact to Obligations | Risk Treatment Safeguard Risk Score | Reasonable and Acceptable | Risk Treatment Safeguard Cost | Implementation Quarter

3 | 3 | Yes | $ 150,000 | Q3
 |  | Yes |  | 
 |  | Yes |  | 
 |  | Yes |  | 
3 | 3 | Yes |  | Q3

Reasonable Annual Cost

Impact to Financial Objectives | Implementation Year | Reasonable?
$ - | 2021 | Yes
$ 150,000.00 | 2022 | Yes
$ - | 2023 | Yes
$ - | 2024 | Yes
$ - | 2025 | Yes
$ - | 2026 | Yes
$ - | 2027 | Yes
$ - | 2028 | Yes
$ - | 2029 | Yes
$ - | 2030 | Yes

Year: 2022
CIS CSAT Pro for CIS Controls v8.0

v8 Safeguard # | CSAT Pro Export Score | CSAT Pro Score (Stripped) | CIS RAM Maturity Score (Final)
1.1 | 5 (81-100%) | 5 | 5
1.2 | 3 (41-60%) | 3 | 3
1.3 | 4 (61-80%) | 4 | 4
1.4 | 3 (41-60%) | 3 | 3
1.5 | 2 (21-40%) | 2 | 2
2.1 | 4 (61-80%) | 4 | 4
2.2 | 4 (61-80%) | 4 | 4
2.3 | 2 (21-40%) | 2 | 2
2.4 | 2 (21-40%) | 2 | 2
2.5 | 5 (81-100%) | 5 | 5
2.6 | 2 (21-40%) | 2 | 2
2.7
3.1 | Not Applicable | N | N
3.2
3.3 | Not Available | N | N
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
3.14
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9 | 5 (81-100%) | 5 | 5
4.10
4.11
4.12
5.1
5.2 | 5 (81-100%) | 5 | 5
5.3
5.4 | 3 (41-60%) | 3 | 3
5.5 | 3 (41-60%) | 3 | 3
5.6 | 2 (21-40%) | 2 | 2
6.1 | 4 (61-80%) | 4 | 4
6.2 | 4 (61-80%) | 4 | 4
6.3 | 2 (21-40%) | 2 | 2
6.4 | 2 (21-40%) | 2 | 2
6.5 | 5 (81-100%) | 5 | 5
6.6 | 4 (61-80%) | 4 | 4
6.7 | 2 (21-40%) | 2 | 2
6.8 | 2 (21-40%) | 2 | 2
7.1 | 5 (81-100%) | 5 | 5
7.2
7.3
7.4
7.5
7.6
7.7
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
9.1
9.2
9.3
9.4
9.5
9.6
9.7
10.1
10.2
10.3
10.4
10.5
10.6
10.7
11.1
11.2
11.3
11.4
11.5
12.1
12.2
12.3
12.4
12.5
12.6
12.7
12.8
13.1
13.2
13.3
13.4
13.5
13.6
13.7
13.8
13.9
13.10
13.11
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
15.5
15.6
15.7
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
16.13
16.14
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
All data on this page is considered sample data only, and is not meant to
reflect any one individual organization's CSAT/RAM scoring. Only to be used
for demonstration purposes.
CIS-Hosted CSAT Maturity Scores

Maturity Score | Policy Defined | Control Implemented
1 | No Policy | Not Implemented
2 | Informal Policy | Parts of Policy Implemented
3 | Partially Written Policy | Implemented on Some Systems
4 | Written Policy | Implemented on Most Systems
5 | Approved Written Policy | Implemented on All Systems
Unknown - Unscored | None | None
Unknown - N/A | Not Applicable | Not Applicable

CIS-Hosted CSAT for CIS Controls v8.0

CIS-Hosted CSAT Values From XLSX Export

v8 Safeguard # | Policy Defined | Control Implemented
1.1 | Approved Written Policy | Implemented on Most Systems
1.2 | Partially Written Policy | Implemented on Some Systems
1.3 | Approved Written Policy | Implemented on All Systems
1.4 | Partially Written Policy | Implemented on Some Systems
1.5 | Informal Policy | Parts of Policy Implemented
2.1 | Partially Written Policy | Implemented on Some Systems
2.2 | Partially Written Policy | Implemented on Some Systems
2.3 | Partially Written Policy | Implemented on All Systems
2.4 | Approved Written Policy | Implemented on All Systems
2.5 | Approved Written Policy | Implemented on Some Systems
2.6 | Approved Written Policy | Implemented on Most Systems
2.7 | Partially Written Policy | Implemented on Most Systems
3.1 | Partially Written Policy | Implemented on Most Systems
3.2 | No Policy | Not Implemented
3.3 | No Policy | Not Implemented
3.4 | No Policy | Not Implemented
3.5 | Approved Written Policy | Implemented on Most Systems
3.6 | Written Policy | Implemented on Most Systems
3.7 | Partially Written Policy | Implemented on Most Systems
3.8 | Written Policy | Implemented on All Systems
3.9 | Written Policy | Implemented on All Systems
3.10 | Approved Written Policy | Implemented on Most Systems
3.11 | None | None
3.12 | None | None
3.13 | None | None
3.14 | None | None
4.1 | None | None
4.2 | Approved Written Policy | Implemented on All Systems
4.3 | Approved Written Policy | Implemented on All Systems
4.4 | Approved Written Policy | Implemented on All Systems
4.5 | None | None
4.6 | None | None
4.7 | Approved Written Policy | Implemented on All Systems
4.8 | Approved Written Policy | Implemented on All Systems
4.9 | None | None
4.10 | None | None
4.11 | None | None
4.12 | None | None
5.1 | None | None
5.2 | None | None
5.3 | Approved Written Policy | Implemented on All Systems
5.4 | None | None
5.5 | None | None
5.6 | No Policy | Not Implemented
6.1 | No Policy | Not Implemented
6.2 | Approved Written Policy | Implemented on Most Systems
6.3 | Written Policy | Implemented on Most Systems
6.4 | Partially Written Policy | Implemented on Most Systems
6.5 | Written Policy | Implemented on All Systems
6.6 | Written Policy | Implemented on All Systems
6.7 | Approved Written Policy | Implemented on Most Systems
6.8 | Partially Written Policy | Implemented on Most Systems
7.1 | Written Policy | Implemented on All Systems
7.2 | Written Policy | Implemented on All Systems
7.3 | No Policy | Not Implemented
7.4 | No Policy | Not Implemented
7.5
7.6
7.7
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
9.1
9.2
9.3
9.4
9.5
9.6
9.7
10.1
10.2
10.3
10.4
10.5
10.6
10.7
11.1
11.2
11.3
11.4
11.5
12.1
12.2
12.3
12.4
12.5
12.6
12.7
12.8
13.1
13.2
13.3
13.4
13.5
13.6
13.7
13.8
13.9
13.10
13.11
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
15.5
15.6
15.7
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
16.13
16.14
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
CIS-Hosted CSAT Maturity Scores

Control Automated | Control Reported | Maturity Score
Not Automated | Not Reported | 1
Parts of Policy Automated | Parts of Policy Reported | 2
Automated on Some Systems | Reported on Some Systems | 3
Automated on Most Systems | Reported on Most Systems | 4
Automated on All Systems | Reported on All Systems | 5
None | None | Unknown - Unscored
Not Applicable | Not Applicable | Unknown - N/A

CIS-Hosted CSAT Values From XLSX Export (columns continued) | Calculated Numerical Score

v8 Safeguard # | Control Automated | Control Reported | Policy Defined | Control Implemented
1.1 | Automated on All Systems | Reported on Some Systems | 5 | 4
1.2 | Automated on Some Systems | Reported on Most Systems | 3 | 3
1.3 | Automated on All Systems | Reported on All Systems | 5 | 5
1.4 | Automated on Most Systems | Reported on All Systems | 3 | 3
1.5 | Parts of Policy Automated | Reported on Some Systems | 2 | 2
2.1 | Automated on Some Systems | Reported on Most Systems | 3 | 3
2.2 | Automated on Some Systems | Reported on Some Systems | 3 | 3
2.3 | Automated on Some Systems | Reported on Most Systems | 3 | 5
2.4 | Automated on All Systems | Reported on All Systems | 5 | 5
2.5 | Automated on Most Systems | Reported on All Systems | 5 | 3
2.6 | Automated on Most Systems | Reported on All Systems | 5 | 4
2.7 | Automated on All Systems | Reported on Most Systems | 3 | 4
3.1 | Automated on Most Systems | Reported on Most Systems | 3 | 4
3.2 | Parts of Policy Automated | Not Reported | 1 | 1
3.3 | Parts of Policy Automated | Not Reported | 1 | 1
3.4 | Not Automated | Not Reported | 1 | 1
3.5 | Automated on Most Systems | Reported on Most Systems | 5 | 4
3.6 | Automated on All Systems | Reported on Some Systems | 4 | 4
3.7 | Automated on Most Systems | Reported on All Systems | 3 | 4
3.8 | Automated on Most Systems | Reported on All Systems | 4 | 5
3.9 | Automated on All Systems | Reported on All Systems | 4 | 5
3.10 | Automated on All Systems | Reported on Most Systems | 5 | 4
3.11 | None | None | Unknown - Unscored | Unknown - Unscored
3.12 | None | None | Unknown - Unscored | Unknown - Unscored
3.13 | None | None | Unknown - Unscored | Unknown - Unscored
3.14 | None | None | Unknown - Unscored | Unknown - Unscored
4.1 | None | None | Unknown - Unscored | Unknown - Unscored
4.2 | Automated on All Systems | Reported on All Systems | 5 | 5
4.3 | Automated on All Systems | Reported on All Systems | 5 | 5
4.4 | Automated on All Systems | Reported on All Systems | 5 | 5
4.5 | None | None | Unknown - Unscored | Unknown - Unscored
4.6 | None | None | Unknown - Unscored | Unknown - Unscored
4.7 | Automated on All Systems | Reported on All Systems | 5 | 5
4.8 | Automated on All Systems | Reported on All Systems | 5 | 5
4.9 | None | None | Unknown - Unscored | Unknown - Unscored
4.10 | None | None | Unknown - Unscored | Unknown - Unscored
4.11 | None | None | Unknown - Unscored | Unknown - Unscored
4.12 | None | None | Unknown - Unscored | Unknown - Unscored
5.1 | None | None | Unknown - Unscored | Unknown - Unscored
5.2 | None | None | Unknown - Unscored | Unknown - Unscored
5.3 | Automated on All Systems | Not Applicable | 5 | 5
5.4 | None | None | Unknown - Unscored | Unknown - Unscored
5.5 | None | None | Unknown - Unscored | Unknown - Unscored
5.6 | Parts of Policy Automated | Not Reported | 1 | 1
6.1 | Not Automated | Not Reported | 1 | 1
6.2 | Automated on Most Systems | Reported on Most Systems | 5 | 4
6.3 | Automated on All Systems | Reported on Some Systems | 4 | 4
6.4 | Automated on Most Systems | Reported on All Systems | 3 | 4
6.5 | Automated on Most Systems | Reported on All Systems | 4 | 5
6.6 | Automated on All Systems | Reported on All Systems | 4 | 5
6.7 | Automated on All Systems | Reported on Most Systems | 5 | 4
6.8 | Automated on Most Systems | Reported on All Systems | 3 | 4
7.1 | Automated on Most Systems | Reported on All Systems | 4 | 5
7.2 | Automated on All Systems | Reported on All Systems | 4 | 5
7.3 | Parts of Policy Automated | Not Reported | 1 | 1
7.4 | Not Automated | Not Reported | 1 | 1
All data on this page is considered sample data
only, and is not meant to reflect any one individual
organization's CSAT/RAM scoring. Only to be
used for demonstration purposes.

Calculated Numerical Score (columns continued) | CIS RAM Maturity Score

v8 Safeguard # | Control Automated | Control Reported | Average | Final
1.1 | 5 | 3 | 4 | 4
1.2 | 3 | 4 | 3 | 3
1.3 | 5 | 5 | 5 | 5
1.4 | 4 | 5 | 4 | 4
1.5 | 2 | 3 | 2 | 2
2.1 | 3 | 4 | 3 | 3
2.2 | 3 | 3 | 3 | 3
2.3 | 3 | 4 | 4 | 4
2.4 | 5 | 5 | 5 | 5
2.5 | 4 | 5 | 4 | 4
2.6 | 4 | 5 | 5 | 5
2.7 | 5 | 4 | 4 | 4
3.1 | 4 | 4 | 4 | 4
3.2 | 2 | 1 | 1 | 1
3.3 | 2 | 1 | 1 | 1
3.4 | 1 | 1 | 1 | 1
3.5 | 4 | 4 | 4 | 4
3.6 | 5 | 3 | 4 | 4
3.7 | 4 | 5 | 4 | 4
3.8 | 4 | 5 | 5 | 5
3.9 | 5 | 5 | 5 | 5
3.10 | 5 | 4 | 5 | 5
3.11 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
3.12 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
3.13 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
3.14 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
4.1 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
4.2 | 5 | 5 | 5 | 5
4.3 | 5 | 5 | 5 | 5
4.4 | 5 | 5 | 5 | 5
4.5 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
4.6 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
4.7 | 5 | 5 | 5 | 5
4.8 | 5 | 5 | 5 | 5
4.9 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
4.10 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
4.11 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
4.12 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
5.1 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
5.2 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
5.3 | 5 | Unknown - N/A | 5 | 5
5.4 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
5.5 | Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
5.6 | 2 | 1 | 1 | 1
6.1 | 1 | 1 | 1 | 1
6.2 | 4 | 4 | 4 | 4
6.3 | 5 | 3 | 4 | 4
6.4 | 4 | 5 | 4 | 4
6.5 | 4 | 5 | 5 | 5
6.6 | 5 | 5 | 5 | 5
6.7 | 5 | 4 | 5 | 5
6.8 | 4 | 5 | 4 | 4
7.1 | 4 | 5 | 5 | 5
7.2 | 5 | 5 | 5 | 5
7.3 | 2 | 1 | 1 | 1
7.4 | 1 | 1 | 1 | 1
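As an added worked example (not part of the CIS RAM workbook or any CIS tool), the Python below reproduces how the Calculated Numerical Score and CIS RAM Maturity Score columns are derived from the CIS-Hosted CSAT export values, including the Unknown - N/A exclusion and the all-unscored (#DIV/0!) case, and how a CSAT Pro export value such as "5 (81-100%)" is stripped to its score. The lookup values are the ones in the Maturity Scores tables above; the half-up rounding rule is an assumption inferred from the sample rows (2.6, 3.8, 6.5 and 6.7 all show a 4.5 mean scored as 5).

```python
import math

# Lookup tables transcribed from the CIS-Hosted CSAT Maturity Scores tables.
POLICY_DEFINED = {
    "No Policy": 1, "Informal Policy": 2, "Partially Written Policy": 3,
    "Written Policy": 4, "Approved Written Policy": 5,
}
CONTROL_IMPLEMENTED = {
    "Not Implemented": 1, "Parts of Policy Implemented": 2,
    "Implemented on Some Systems": 3, "Implemented on Most Systems": 4,
    "Implemented on All Systems": 5,
}
CONTROL_AUTOMATED = {
    "Not Automated": 1, "Parts of Policy Automated": 2,
    "Automated on Some Systems": 3, "Automated on Most Systems": 4,
    "Automated on All Systems": 5,
}
CONTROL_REPORTED = {
    "Not Reported": 1, "Parts of Policy Reported": 2,
    "Reported on Some Systems": 3, "Reported on Most Systems": 4,
    "Reported on All Systems": 5,
}
UNSCORED = "Unknown - Unscored"   # export value "None"
NOT_APPLICABLE = "Unknown - N/A"  # export value "Not Applicable"


def numeric_score(table, exported_value):
    """Calculated Numerical Score for one CSAT dimension (int or Unknown marker)."""
    if exported_value == "None":
        return UNSCORED
    if exported_value == "Not Applicable":
        return NOT_APPLICABLE
    if exported_value not in table:
        raise ValueError(f"unexpected CSAT export value: {exported_value!r}")
    return table[exported_value]


def round_half_up(x):
    # Assumption: the workbook rounds like Excel's ROUND (4.5 -> 5); this is the
    # only rule consistent with every sample row on the page.
    return math.floor(x + 0.5)


def ram_maturity_score(policy, implemented, automated, reported):
    """Return (mean, final) for one safeguard from its four exported values.

    Unknown - N/A dimensions are left out of the mean (sample row 5.3:
    5, 5, 5, N/A -> 5). If no dimension is scored the workbook shows #DIV/0!,
    which is returned here as (None, None).
    """
    dims = [numeric_score(POLICY_DEFINED, policy),
            numeric_score(CONTROL_IMPLEMENTED, implemented),
            numeric_score(CONTROL_AUTOMATED, automated),
            numeric_score(CONTROL_REPORTED, reported)]
    scored = [d for d in dims if isinstance(d, int)]
    if not scored:
        return None, None
    mean = sum(scored) / len(scored)
    return mean, round_half_up(mean)


def csat_pro_score(export_value):
    """Strip a CSAT Pro export value such as '5 (81-100%)' to its score.

    'Not Applicable' and 'Not Available' both become 'N', as in the table.
    """
    if export_value in ("Not Applicable", "Not Available"):
        return "N"
    return int(export_value.split()[0])
```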
