AuditScripts CIS Controls Master Mappings v7.1c

This workbook is a crosswalk, not a control catalogue: it lists the 20 CIS Critical Security Controls (inventory of authorized hardware and software, continuous vulnerability assessment and remediation, controlled use of administrative privileges, secure configurations, audit log management, email and web browser protections, malware defenses, limitation of network ports, data recovery, secure configuration of network devices, boundary defense, data protection, need-to-know access control, wireless access control, account monitoring, security awareness training, application software security, incident response, and penetration tests and red team exercises) and, for each control, cites the clauses of other standards and regulations that it supports. The mapped sources in this version include NIST SP 800-53 rev4, NIST CSF v1.0 and v1.1, NIST SP 800-82 rev2, NIST SP 800-171, the NIST SMB guide, the DHS CDM program, ISO/IEC 27002 (2005 and 2013), IEC 62443-3-3, the NSA Manageable Network Plan, the Australian Essential Eight and Top 35, the NSA and Canadian CSE Top 10, the GCHQ 10 Steps and UK Cyber Essentials, PCI DSS 3.0 through 3.2, HIPAA, the FFIEC booklets and Cybersecurity Assessment Tool, COBIT 5, AICPA SOC 2/3 criteria, IRS Publication 1075, SWIFT, MAS TRM, NERC CIP v3 through v7, the Cloud Security Alliance controls, FISMA metrics, ITIL, the Nevada gaming MICS, and Massachusetts 201 CMR 17.00. An organization that implements the CIS Controls can use the crosswalk to show which requirements of those frameworks each control addresses and where gaps remain.


Critical Security Control

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Critical Security Control #4: Controlled Use of Administrative Privileges
Critical Security Control #5: Secure Configurations for Hardware and Software
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Security Control #7: Email and Web Browser Protections
Critical Security Control #8: Malware Defenses
Critical Security Control #9: Limitation and Control of Network Ports
Critical Security Control #10: Data Recovery Capabilities
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Critical Security Control #12: Boundary Defense
Critical Security Control #13: Data Protection
Critical Security Control #14: Controlled Access Based on the Need to Know
Critical Security Control #15: Wireless Access Control
Critical Security Control #16: Account Monitoring and Control
Critical Security Control #17: Implement a Security Awareness and Training Program
Critical Security Control #18: Application Software Security
Critical Security Control #19: Incident Response and Management
Critical Security Control #20: Penetration Tests and Red Team Exercises
CIS Controls Master Mappings Tool (v7.1c)

NIST 800-53 rev4 and NIST CSF v1.0 (one block per CIS Control)

CSC #1: Inventory of Authorized and Unauthorized Devices
  NIST 800-53 rev4:
    CA-7: Continuous Monitoring
    CM-8: Information System Component Inventory
    IA-3: Device Identification and Authentication
    SA-4: Acquisition Process
    SC-17: Public Key Infrastructure Certificates
    SI-4: Information System Monitoring
    PM-5: Information System Inventory
  NIST CSF v1.0: ID.AM-1, ID.AM-3, ID.AM-4, PR.DS-3

CSC #2: Inventory of Authorized and Unauthorized Software
  NIST 800-53 rev4:
    CA-7: Continuous Monitoring
    CM-2: Baseline Configuration
    CM-8: Information System Component Inventory
    CM-10: Software Usage Restrictions
    CM-11: User-Installed Software
    SA-4: Acquisition Process
    SC-18: Mobile Code
    SC-34: Non-Modifiable Executable Programs
    SI-4: Information System Monitoring
    PM-5: Information System Inventory
  NIST CSF v1.0: ID.AM-2, PR.DS-6

CSC #3: Continuous Vulnerability Assessment and Remediation
  NIST 800-53 rev4:
    CA-2: Security Assessments
    CA-7: Continuous Monitoring
    RA-5: Vulnerability Scanning
    SC-34: Non-Modifiable Executable Programs
    SI-4: Information System Monitoring
    SI-7: Software, Firmware, and Information Integrity
  NIST CSF v1.0: ID.RA-1, ID.RA-2, PR.IP-12, DE.CM-8, RS.MI-3

CSC #4: Controlled Use of Administrative Privileges
  NIST 800-53 rev4:
    AC-2: Account Management
    AC-6: Least Privilege
    AC-17: Remote Access
    AC-19: Access Control for Mobile Devices
    CA-7: Continuous Monitoring
    IA-2: Identification and Authentication (Organizational Users)
    IA-4: Identifier Management
    IA-5: Authenticator Management
    SI-4: Information System Monitoring
  NIST CSF v1.0: PR.AC-4, PR.AT-2, PR.MA-2, PR.PT-3

CSC #5: Secure Configurations for Hardware and Software
  NIST 800-53 rev4:
    CA-7: Continuous Monitoring
    CM-2: Baseline Configuration
    CM-3: Configuration Change Control
    CM-5: Access Restrictions for Change
    CM-6: Configuration Settings
    CM-7: Least Functionality
    CM-8: Information System Component Inventory
    CM-9: Configuration Management Plan
    CM-11: User-Installed Software
    MA-4: Nonlocal Maintenance
    RA-5: Vulnerability Scanning
    SA-4: Acquisition Process
    SC-15: Collaborative Computing Devices
    SC-34: Non-Modifiable Executable Programs
    SI-2: Flaw Remediation
    SI-4: Information System Monitoring
  NIST CSF v1.0: PR.IP-1

CSC #6: Maintenance, Monitoring, and Analysis of Audit Logs
  NIST 800-53 rev4:
    AC-23: Data Mining Protection
    AU-2: Audit Events
    AU-3: Content of Audit Records
    AU-4: Audit Storage Capacity
    AU-5: Response to Audit Processing Failures
    AU-6: Audit Review, Analysis, and Reporting
    AU-7: Audit Reduction and Report Generation
    AU-8: Time Stamps
    AU-9: Protection of Audit Information
    AU-10: Non-repudiation
    AU-11: Audit Record Retention
    AU-12: Audit Generation
    AU-13: Monitoring for Information Disclosure
    AU-14: Session Audit
    CA-7: Continuous Monitoring
    IA-10: Adaptive Identification and Authentication
    SI-4: Information System Monitoring
  NIST CSF v1.0: PR.PT-1, DE.AE-3, DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5

CSC #7: Email and Web Browser Protections
  NIST 800-53 rev4:
    CA-7: Continuous Monitoring
    CM-2: Baseline Configuration
    CM-3: Configuration Change Control
    CM-5: Access Restrictions for Change
    CM-6: Configuration Settings
    CM-7: Least Functionality
    CM-8: Information System Component Inventory
    CM-9: Configuration Management Plan
    CM-11: User-Installed Software
    MA-4: Nonlocal Maintenance
    RA-5: Vulnerability Scanning
    SA-4: Acquisition Process
    SC-15: Collaborative Computing Devices
    SC-34: Non-Modifiable Executable Programs
    SI-2: Flaw Remediation
    SI-4: Information System Monitoring
  NIST CSF v1.0: PR.IP-1

CSC #8: Malware Defenses
  NIST 800-53 rev4:
    CA-7: Continuous Monitoring
    SC-39: Process Isolation
    SC-44: Detonation Chambers
    SI-3: Malicious Code Protection
    SI-4: Information System Monitoring
    SI-8: Spam Protection
  NIST CSF v1.0: PR.PT-2, DE.CM-4, DE.CM-5

CSC #9: Limitation and Control of Network Ports
  NIST 800-53 rev4:
    AC-4: Information Flow Enforcement
    CA-7: Continuous Monitoring
    CA-9: Internal System Connections
    CM-2: Baseline Configuration
    CM-6: Configuration Settings
    CM-8: Information System Component Inventory
    SC-20: Secure Name/Address Resolution Service (Authoritative Source)
    SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)
    SC-22: Architecture and Provisioning for Name/Address Resolution Service
    SC-41: Port and I/O Device Access
    SI-4: Information System Monitoring
  NIST CSF v1.0: PR.AC-5, DE.AE-1

CSC #10: Data Recovery Capabilities
  NIST 800-53 rev4:
    CP-9: Information System Backup
    CP-10: Information System Recovery and Reconstitution
    MP-4: Media Storage
  NIST CSF v1.0: PR.IP-4

CSC #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  NIST 800-53 rev4:
    AC-4: Information Flow Enforcement
    CA-3: System Interconnections
    CA-7: Continuous Monitoring
    CA-9: Internal System Connections
    CM-2: Baseline Configuration
    CM-3: Configuration Change Control
    CM-5: Access Restrictions for Change
    CM-6: Configuration Settings
    CM-8: Information System Component Inventory
    MA-4: Nonlocal Maintenance
    SC-24: Fail in Known State
    SI-4: Information System Monitoring
  NIST CSF v1.0: PR.AC-5, PR.IP-1, PR.PT-4

CSC #12: Boundary Defense
  NIST 800-53 rev4:
    AC-4: Information Flow Enforcement
    AC-17: Remote Access
    AC-20: Use of External Information Systems
    CA-3: System Interconnections
    CA-7: Continuous Monitoring
    CA-9: Internal System Connections
    CM-2: Baseline Configuration
    SA-9: External Information System Services
    SC-7: Boundary Protection
    SC-8: Transmission Confidentiality and Integrity
    SI-4: Information System Monitoring
  NIST CSF v1.0: PR.AC-3, PR.AC-5, PR.MA-2, DE.AE-1

CSC #13: Data Protection
  NIST 800-53 rev4:
    AC-3: Access Enforcement
    AC-4: Information Flow Enforcement
    AC-23: Data Mining Protection
    CA-7: Continuous Monitoring
    CA-9: Internal System Connections
    IR-9: Information Spillage Response
    MP-5: Media Transport
    SA-18: Tamper Resistance and Detection
    SC-8: Transmission Confidentiality and Integrity
    SC-28: Protection of Information at Rest
    SC-31: Covert Channel Analysis
    SC-41: Port and I/O Device Access
    SI-4: Information System Monitoring
  NIST CSF v1.0: PR.AC-5, PR.DS-2, PR.DS-5, PR.PT-2

CSC #14: Controlled Access Based on the Need to Know
  NIST 800-53 rev4:
    AC-1: Access Control Policy and Procedures
    AC-2: Account Management
    AC-3: Access Enforcement
    AC-6: Least Privilege
    AC-24: Access Control Decisions
    CA-7: Continuous Monitoring
    MP-3: Media Marking
    RA-2: Security Categorization
    SC-16: Transmission of Security Attributes
    SI-4: Information System Monitoring
  NIST CSF v1.0: PR.AC-4, PR.AC-5, PR.DS-1, PR.DS-2, PR.PT-2, PR.PT-3

CSC #15: Wireless Access Control
  NIST 800-53 rev4:
    AC-18: Wireless Access
    AC-19: Access Control for Mobile Devices
    CA-3: System Interconnections
    CA-7: Continuous Monitoring
    CM-2: Baseline Configuration
    IA-3: Device Identification and Authentication
    SC-8: Transmission Confidentiality and Integrity
    SC-17: Public Key Infrastructure Certificates
    SC-40: Wireless Link Protection
    SI-4: Information System Monitoring
  NIST CSF v1.0: (none listed)

CSC #16: Account Monitoring and Control
  NIST 800-53 rev4:
    AC-2: Account Management
    AC-3: Access Enforcement
    AC-7: Unsuccessful Logon Attempts
    AC-11: Session Lock
    AC-12: Session Termination
    CA-7: Continuous Monitoring
    IA-5: Authenticator Management
    IA-10: Adaptive Identification and Authentication
    SC-17: Public Key Infrastructure Certificates
    SC-23: Session Authenticity
    SI-4: Information System Monitoring
  NIST CSF v1.0: PR.AC-1, PR.AC-4, PR.PT-3

CSC #17: Implement a Security Awareness and Training Program
  NIST 800-53 rev4:
    AT-1: Security Awareness and Training Policy and Procedures
    AT-2: Security Awareness Training
    AT-3: Role-Based Security Training
    AT-4: Security Training Records
    SA-11: Developer Security Testing and Evaluation
    SA-16: Developer-Provided Training
    PM-13: Information Security Workforce
    PM-14: Testing, Training, & Monitoring
    PM-16: Threat Awareness Program
  NIST CSF v1.0: PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5

CSC #18: Application Software Security
  NIST 800-53 rev4:
    SA-13: Trustworthiness
    SA-15: Development Process, Standards, and Tools
    SA-16: Developer-Provided Training
    SA-17: Developer Security Architecture and Design
    SA-20: Customized Development of Critical Components
    SA-21: Developer Screening
    SC-39: Process Isolation
    SI-10: Information Input Validation
    SI-11: Error Handling
    SI-15: Information Output Filtering
    SI-16: Memory Protection
  NIST CSF v1.0: PR.DS-7

CSC #19: Incident Response and Management
  NIST 800-53 rev4:
    IR-1: Incident Response Policy and Procedures
    IR-2: Incident Response Training
    IR-3: Incident Response Testing
    IR-4: Incident Handling
    IR-5: Incident Monitoring
    IR-6: Incident Reporting
    IR-7: Incident Response Assistance
    IR-8: Incident Response Plan
    IR-10: Integrated Information Security Analysis Team
  NIST CSF v1.0: PR.IP-10, DE.AE-2, DE.AE-4, DE.AE-5, DE.CM-1 through DE.CM-7, RS.RP-1, RS.CO-1 through RS.CO-5, RS.AN-1 through RS.AN-4, RS.MI-1 through RS.MI-2, RS.IM-1 through RS.IM-2, RC.RP-1, RC.IM-1 through RC.IM-2, RC.CO-1 through RC.CO-3

CSC #20: Penetration Tests and Red Team Exercises
  NIST 800-53 rev4:
    CA-2: Security Assessments
    CA-5: Plan of Action and Milestones
    CA-6: Security Authorization
    CA-8: Penetration Testing
    RA-6: Technical Surveillance Countermeasures Survey
    SI-6: Security Function Verification
    PM-6: Information Security Measures of Performance
    PM-14: Testing, Training, & Monitoring
  NIST CSF v1.0: (none listed)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.


NIST CSF v1.1 and NIST 800-82 rev2 (one block per CIS Control)

CSC #1: Inventory of Authorized and Unauthorized Devices
  NIST CSF v1.1: ID.AM-1, ID.AM-3, ID.AM-4, PR.DS-3
  NIST 800-82 rev2: 6.2.16, 6.2.17

CSC #2: Inventory of Authorized and Unauthorized Software
  NIST CSF v1.1: ID.AM-2, PR.DS-6
  NIST 800-82 rev2: 6.2.16, 6.2.17

CSC #3: Continuous Vulnerability Assessment and Remediation
  NIST CSF v1.1: ID.RA-1, ID.RA-2, PR.IP-12, DE.CM-8, RS.AN-5, RS.MI-3
  NIST 800-82 rev2: 6.2.16, 6.2.17

CSC #4: Controlled Use of Administrative Privileges
  NIST CSF v1.1: PR.AC-4, PR.AT-2, PR.MA-2, PR.PT-3
  NIST 800-82 rev2: 5.15, 6.2.7, 6.2.16, 6.2.17

CSC #5: Secure Configurations for Hardware and Software
  NIST CSF v1.1: PR.IP-1
  NIST 800-82 rev2: 6.2.16, 6.2.17

CSC #6: Maintenance, Monitoring, and Analysis of Audit Logs
  NIST CSF v1.1: PR.PT-1, DE.AE-3, DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5
  NIST 800-82 rev2: 5.16, 6.2.16, 6.2.17

CSC #7: Email and Web Browser Protections
  NIST CSF v1.1: PR.IP-1
  NIST 800-82 rev2: 6.2.16, 6.2.17

CSC #8: Malware Defenses
  NIST CSF v1.1: PR.PT-2, DE.CM-4, DE.CM-5
  NIST 800-82 rev2: 6.2.16, 6.2.17

CSC #9: Limitation and Control of Network Ports
  NIST CSF v1.1: PR.AC-5, DE.AE-1
  NIST 800-82 rev2: 6.2.16, 6.2.17

CSC #10: Data Recovery Capabilities
  NIST CSF v1.1: PR.IP-4
  NIST 800-82 rev2: 6.2.16, 6.2.17

CSC #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  NIST CSF v1.1: PR.AC-5, PR.IP-1, PR.PT-4
  NIST 800-82 rev2: 5.15, 6.2.7

CSC #12: Boundary Defense
  NIST CSF v1.1: PR.AC-3, PR.AC-5, PR.MA-2, DE.AE-1
  NIST 800-82 rev2: 5.1 - 5.11

CSC #13: Data Protection
  NIST CSF v1.1: PR.AC-5, PR.DS-2, PR.DS-5, PR.PT-2
  NIST 800-82 rev2: (none listed)

CSC #14: Controlled Access Based on the Need to Know
  NIST CSF v1.1: PR.AC-4, PR.AC-5, PR.DS-1, PR.DS-2, PR.PT-2, PR.PT-3
  NIST 800-82 rev2: 5.1, 5.4, 5.5, 6.2.1

CSC #15: Wireless Access Control
  NIST CSF v1.1: (none listed)
  NIST 800-82 rev2: (none listed)

CSC #16: Account Monitoring and Control
  NIST CSF v1.1: PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3
  NIST 800-82 rev2: 5.15, 6.2.7

CSC #17: Implement a Security Awareness and Training Program
  NIST CSF v1.1: PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5
  NIST 800-82 rev2: 6.2.2

CSC #18: Application Software Security
  NIST CSF v1.1: PR.DS-7
  NIST 800-82 rev2: (none listed)

CSC #19: Incident Response and Management
  NIST CSF v1.1: PR.IP-10, DE.AE-2, DE.AE-4, DE.AE-5, DE.CM-1 through DE.CM-7, RS.RP-1, RS.CO-1 through RS.CO-5, RS.AN-1 through RS.AN-4, RS.MI-1 through RS.MI-2, RS.IM-1 through RS.IM-2, RC.RP-1, RC.IM-1 through RC.IM-2, RC.CO-1 through RC.CO-3
  NIST 800-82 rev2: 5.17, 6.2.8

CSC #20: Penetration Tests and Red Team Exercises
  NIST CSF v1.1: (none listed)
  NIST 800-82 rev2: 6.2.3, 6.2.4



NIST SMB Guide DHS CDM Program

4.0d HWAM: Hardware Asset Management

HWAM: Hardware Asset Management


SWAM: Software Asset Management

3.2c VUL: Vulnerability Management


CSM: Configuration Settings Management

3.3b Generic Audit Monitoring

3.2f
4.0b
4.0c
CSM: Configuration Settings Management
4.0e
4.0g
4.0i
3.3a

Boundary Protection

3.5a
3.5b

CSM: Configuration Settings Management


Boundary Protection

3.2d Boundary Protection


TRUST: Access Control Management
3.2g
PRIV: Privileges

3.2e

3.1a
3.1c CRED: Credentials and Authentication
3.2a Management
4.0h
3.2i BEHV: Security-Related Behavior Management

VUL: Vulnerability Management

Plan for Events


3.4a
Respond to Events
ISO 27002:2013 ISO 27002:2005 IEC 62443-3-3:2013

A.8.1.1 A.7.1.1 SR 1.2


A.9.1.2 A.10.6.1 - A.10.6.2 SR 2.3
A.13.1.1 A.11.4.6 SR 7.8

A.12.5.1
SR 1.2
A.12.6.2

A.12.6.1
A.12.6.1
A.13.1.2
A.14.2.8
A.15.2.2

A.9.1.1
A.9.2.2 - A.9.2.6
A.11.5.1 - A.11.5.3
A.9.3.1
A.9.4.1 - A.9.4.4
A.14.2.4
A.14.2.8 A.15.2.2
A.18.2.3

SR 1.12
A.12.4.1 - A.12.4.4 SR 2.8 - 2.11
A.10.10.1 - A.10.10.6
A.12.7.1 SR 3.9
SR 6.1 - 6.2

A.13.2.3
A.14.2.4
A.15.2.2
A.14.2.8
A.18.2.3
A.8.3.1
A.10.4.1 - A.10.4.2
A.12.2.1 SR 3.2
A.10.7.1
A.13.2.3

A.9.1.2
A.13.1.1 A.10.6.1 - A.10.6.2
A.13.1.2 A.11.4.4
A.14.1.2

A.10.1.1 A.10.5.1
SR 7.3 - 7.4
A.12.3.1 A.10.8.3

A.10.6.1 - A.10.6.2
A.9.1.2
A.11.4.5
A.13.1.1 SR 7.6
A.11.4.7
A.13.1.3
A.11.5.1 - A.11.5.3

A.10.6.1 - A.10.6.2
A.9.1.2
A.10.10.2
A.12.4.1 SR 1.13
A.11.4.2
A.12.7.1 SR 2.3
A.11.4.5
A.13.1.1 SR 5.2
A.11.4.7
A.13.1.3
A.11.5.1 - A.11.5.3
A.13.2.3
A.11.7.1 - A.11.7.2
A.8.3.1 A.10.7.1
A.10.1.1 - A.10.1.2 A.12.3.1 - A.12.3.2 SR 3.1
A.13.2.3 A.12.5.4 SR 4.3
A.18.1.5 A.15.1.6

A.10.7.1
SR 2.1
A.10.10.1 - A.10.10.3
A.8.3.1 SR 4.1
A.11.4.5
A.9.1.1 SR 5.1
A.11.4.7
A.10.1.1 SR 5.3
A.11.6.1 - A.11.6.2
SR 7.7
A.12.5.4

A.10.1.1
SR 1.6
A.12.4.1
SR 2.2
A.12.7.1

A.9.1.1 A.8.3.3
A.9.2.1 - A.9.2.6 A.11.2.1 SR 1.1 - 1.13
A.9.3.1 A.11.2.3 - A.11.2.4 SR 2.1
A.9.4.1 - A.9.4.3 A.11.3.1 - A.11.3.3 SR 2.5
A.11.2.8 A.11.5.1 - A.11.5.3
A.7.2.2 A.8.2.2

A.10.1.4
A.9.4.5
A.12.2.1
A.12.1.4
A.12.2.4 SR 3.3 - 3.8
A.14.2.1
A.12.5.2
A.14.2.6 - A.14.2.8
A.12.5.5

A.6.1.3 A.6.1.6
A.7.2.1 A.8.2.1
A.16.1.2 A.13.1.1
A.16.1.4 - A.16.1.7 A.13.2.1 - A.13.2.2

A.14.2.8 A.6.1.8
A.18.2.1 A.15.2.2 SR 3.3
A.18.2.3 A.15.3.1
NIST 800-171 NSA MNP

Map Your Network


Baseline Management
Document Your Network
Personal Electronic Device Management
Network Access Control
Log Management

Baseline Management
3.4.8
Executable Content Restrictions
3.4.9
Configuration and Change Management

3.11.2
Patch Management
3.11.3
Log Management
3.12.2
Configuration and Change Management
3.14.1

3.1.5 - 3.1.7
3.4.5 - 3.4.6 User Access
3.7.1 - 3.7.2 Baseline Management
3.7.5 - 3.7.6 Log Management
3.13.3
Patch Management
Baseline Management
3.4.1 - 3.4.3
Data-at-Rest Protection
Configuration and Change Management

3.3.1 - 3.3.9
Log Management
3.14.7

Patch Management
Baseline Management
Data-at-Rest Protection
Configuration and Change Management
Device Accessibility
Virus Scanners and Host Intrusion Prevention
3.7.4 Systems
3.14.2 - 3.14.6 Security Gateways, Proxies, and Firewalls
Network Security Monitoring
Log Management

Baseline Management
3.4.7
Configuration and Change Management

3.8.9 Backup Strategy

Map Your Network


Patch Management
3.4.1 - 3.4.3 Baseline Management
3.7.5 - 3.7.6 Document Your Network
Security Gateways, Proxies, and Firewalls
Configuration and Change Management

3.1.3 Map Your Network


3.1.12 - 3.1.15 Network Architecture
3.1.18 Baseline Management
3.1.20 - 3.1.22 Document Your Network
3.13.1 Personal Electronic Device Management
3.13.6 - 3.13.8 Security Gateways, Proxies, and Firewalls
3.13.12 - 3.13.13 Remote Access Security
3.13.15 Network Security Monitoring
Log Management
3.1.19 Network Architecture
3.1.21 Device Accessibility
3.8.7 - 3.8.8 Security Gateways, Proxies, and Firewalls
3.13.16 Network Security Monitoring

3.1.2
Network Architecture
3.1.3
Device Accessibility
3.1.5
User Access
3.8.2
Data-at-Rest Protection
3.8.5 - 3.8.6
Log Management
3.13.4 - 3.13.6

Map Your Network


Baseline Management
3.1.16 - 3.1.17 Document Your Network
Personal Electronic Device Management
Network Access Control

3.1.8
3.1.10 - 3.1.11 User Access
3.5.1 - 3.5.9 Baseline Management
3.9.2 Log Management
3.13.9
3.2.2 - 3.2.3 Training

Training

3.6.1 - 3.6.3 Incident Response and Disaster Recovery Plans

Audit Strategy
DHS Chem Anti-Terrorism Australian Essential Eight Australian Top 35

8.8.2

1
1 14
17

2
2-3
6

4
5 9
7 11
25
3 2-5
4 21

15-16
35

2
5
17-20
31
7
17
8.5.1 22
26
30

2
3
12
13
27

2
7 3
10

8.2.1 10-11
8.2.2 18-20
7
8.2.4 23
8.5.2 32-34
26

8.2.3
26
8.3.4

8.2.5
7 25
8.3.2
8.4.1 28

8.7.1 24

8.5.3
8.5.4
8.6.1

8.9.1
NSA Top 10 Canadian CSE Top 10

8
Application Whitelisting
10

2
Take Advantage of Software Improvements
8

3
Control Administrative Privileges
8
Set a Secure Baseline Configuration 4
Take Advantage of Software Improvements 8

Set a Secure Baseline Configuration


8
Take Advantage of Software Improvements
Use Anti-Virus File Reputation Services
8
Enable Anti-Exploitation Features

Limit Workstation-to-Workstation Communication 8

Set a Secure Baseline Configuration


Segregate Networks and Functions

1
Segregate Networks and Functions 5
9
5
7
9

5
Segregate Networks and Functions 7
9
6
GCHQ 10 Steps UK Cyber Essentials UK ICO Protecting Data

Inappropriate locations for


processing data

Decommissioning of software
or services

Patch Management Software Updates

Configuration of SSL and TLS


Monitoring Access Control
Default Credentials
Secure Configuration
Secure Configuration
Patch Management

Monitoring

Secure Configuration
Secure Configuration
Patch Management
Removable Media Controls
Malware Protection
Malware Protection

Decommissioning of software
Network Security or services
Unnecessary Services

Boundary firewalls and


Software Updates
Secure Configuration internet gateways
Inappropriate locations for
Network Security Secure Configuration
processing data
Patch Management

Home and Mobile Working Configuration of SSL and TLS


Boundary firewalls and
Monitoring Inappropriate locations for
internet gateways
Network Security processing data
Removable Media Controls

Managing User Privileges Inappropriate locations for


Access Control
Network Security processing data

Monitoring
Network Security

Managing User Privileges Access Control Configuration of SSL and TLS


User Education & Awareness

SQL Injection

Incident Management
PCI DSS 3.2 PCI DSS 3.1 PCI DSS 3.0

2.4 2.4 2.4

2.4 2.4 2.4

6.1 6.1 6.1


6.2 6.2 6.2
11.2 11.2 11.2

2.1 2.1 2.1


7.1 - 7.3 7.1 - 7.3 7.1 - 7.3
8.1 - 8.3 8.1 - 8.3 8.1 - 8.3
8.7 8.7 8.7
2.2 2.2 2.2
2.3 2.3 2.3
6.2 6.2 6.2
11.5 11.5 11.5

10.1 - 10.9 10.1 - 10.8 10.1 - 10.7

2.2 2.2 2.2


2.3 2.3 2.3
6.2 6.2 6.2
11.5 11.5 11.5
5.1 - 5.4 5.1 - 5.4 5.1 - 5.4

1.4 1.4 1.4

4.3 4.3 4.3


9.5 - 9.7 9.5 - 9.7 9.5 - 9.7

1.1 - 1.2 1.1 - 1.2 1.1 - 1.2


2.2 2.2 2.2
6.2 6.2 6.2

1.1 - 1.3 1.1 - 1.3 1.1 - 1.3


8.3 8.3 8.3
10.9 10.8 10.8
11.4 11.4 11.4
3.6 3.6 3.6
4.1 - 4.3 4.1 - 4.3 4.1 - 4.3

1.3 - 1.4 1.3 - 1.4 1.3 - 1.4


4.3 4.3 4.3
7.1 - 7.3 7.1 - 7.3 7.1 - 7.3
8.7 8.7 8.7

4.3 4.3 4.3


11.1 11.1 11.1

7.1 - 7.3 7.1 - 7.3 7.1 - 7.3


8.7 - 8.8 8.7 - 8.8 8.7 - 8.8
12.6 12.6 12.6

6.3 6.3 6.3


6.5 - 6.7 6.5 - 6.7 6.5 - 6.7

12.10 12.10 12.10

11.3 11.3 11.3


HIPAA

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R
164.310(b): Workstation Use - R
164.310(c): Workstation Security - R

164.308(a)(1): Security Management Process - Information System Activity Review R


164.308(a)(5): Security Awareness and Training - Log-in Monitoring A

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R
164.308(a)(5): Security Awareness and Training - Protection from Malicious Software A
164.310(d)(1): Device and Media Controls - Accountability A
164.310(b): Workstation Use - R
164.310(c): Workstation Security - R

164.310(b): Workstation Use - R


164.310(c): Workstation Security - R

164.308(a)(7): Contingency Plan - Data Backup Plan R


164.308(a)(7): Contingency Plan - Disaster Recovery Plan R
164.308(a)(7): Contingency Plan - Testing and Revision Procedure A
164.310(d)(1): Device and Media Controls - Data Backup and Storage A
164.308(a)(4): Information Access Management - Isolating Health care Clearinghouse Function R
164.310(d)(1): Device and Media Controls - Accountability A
164.312(a)(1): Access Control - Encryption and Decryption A
164.312(e)(1): Transmission Security - Integrity Controls A
164.312(e)(1): Transmission Security - Encryption A

164.308(a)(1): Security Management Process - Information System Activity Review R


164.308(a)(4): Information Access Management - Isolating Health care Clearinghouse Function R
164.308(a)(4): Information Access Management - Access Authorization A
164.312(a)(1): Access Control - Encryption and Decryption A
164.312(c)(1): Integrity - Mechanism to Authenticate Electronic Protected Health Information A
164.312(a)(1): Access Control - Automatic Logoff A
164.312(d): Person or Entity Authentication - R
164.312(e)(1): Transmission Security - Integrity Controls A
164.312(e)(1): Transmission Security - Encryption A

164.308(a)(1): Security Management Process - Information System Activity Review R


164.308(a)(4): Information Access Management - Access Authorization A
164.308(a)(4): Information Access Management - Access Establishment and Modification A
164.308(a)(5): Security Awareness and Training - Password Management A
164.312(a)(1): Access Control - Unique User Identification R
164.312(a)(1): Access Control - Automatic Logoff A
164.312(d): Person or Entity Authentication - R
164.312(e)(1): Transmission Security - Integrity Controls A
164.312(e)(1): Transmission Security - Encryption A
164.308(a)(5): Security Awareness and Training - Security Reminders A
164.308(a)(5): Security Awareness and Training - Protection from Malicious Software A
164.308(a)(5): Security Awareness and Training - Log-in Monitoring A
164.308(a)(5): Security Awareness and Training - Password Management A

164.308(a)(6): Security Incident Procedures - Response and Reporting R


FFIEC Information Security Booklet (2016)

II.C.5
II.C.22
II.C.12

II.C.9

II.C.21

II.C.9

II.C.6
II.C.9
II.C.16
II.C.9

II.C.7
II.C.9
II.C.13
II.C.15
II.C.19

II.C.9

II.C.7
II.C.11
II.C.17
II.C.18
II.C.19
FFIEC Examiners Handbook

Host Security
User Equipment Security (Workstation, Laptop, Handheld)

Host Security
User Equipment Security (Workstation, Laptop, Handheld)

Host Security
User Equipment Security (Workstation, Laptop, Handheld)

Authentication and Access Controls


Host Security
User Equipment Security (Workstation, Laptop, Handheld)

Security Monitoring

Host Security
User Equipment Security (Workstation, Laptop, Handheld)
Host Security
User Equipment Security (Workstation, Laptop, Handheld)

Network Security

Encryption

Network Security

Network Security
Security Monitoring
Encryption
Data Security

Authentication and Access Controls


Encryption
Data Security

Network Security
Encryption
Security Monitoring

Authentication and Access Controls


Personnel Security

Application Security
Software Development & Acquisition
FFIEC Cybersecurity Assessment Tool (CAT) COBIT 5

APO13: Manage Security


Domain 3: Cybersecurity Controls - Preventative Controls
DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls
BAI09: Manage Assets

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services
APO13: Manage Security
Domain 3: Cybersecurity Controls - Preventative Controls
DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls
BAI10: Manage Configuration

Domain 2: Threat Intelligence & Collaboration - Monitoring


APO13: Manage Security
and Analyzing
DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls

APO13: Manage Security


Domain 3: Cybersecurity Controls - Preventative Controls
DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls
BAI10: Manage Configuration
Domain 2: Threat Intelligence & Collaboration - Monitoring
and Analyzing APO13: Manage Security
Domain 3: Cybersecurity Controls - Preventative Controls DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

APO13: Manage Security


Domain 3: Cybersecurity Controls - Preventative Controls
DSS05: Manage Security Services

APO13: Manage Security


Domain 3: Cybersecurity Controls - Preventative Controls
DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls
BAI10: Manage Configuration

Domain 2: Threat Intelligence & Collaboration - Monitoring


and Analyzing APO13: Manage Security
Domain 3: Cybersecurity Controls - Preventative Controls DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls
Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security
Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services

Domain 3: Cybersecurity Controls - Preventative Controls APO13: Manage Security


Domain 3: Cybersecurity Controls - Detective Controls DSS05: Manage Security Services
Domain 1: Cyber Risk Management & Oversight - Training and
APO13: Manage Security
Culture
DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Preventative Controls

APO13: Manage Security


Domain 3: Cybersecurity Controls - Preventative Controls
DSS05: Manage Security Services

Domain 5: Cyber Incident Management and Resilience -


Incident Resilience Planning and Strategy APO13: Manage Security
Domain 5: Cyber Incident Management and Resilience - DSS05: Manage Security Services
Detection, Response, and Mitigation DSS02: Manage Service Requests
Domain 5: Cyber Incident Management and Resilience - and Incidents
Escalation and Reporting

APO13: Manage Security


DSS05: Manage Security Services
Domain 3: Cybersecurity Controls - Detective Controls MEA02: Monitor, Evaluate and
Assess the System of Internal
Control
AICPA SOC2/3 TSC 2017 AICPA SOC 2/3 TSPC AICPA's GAPP

7.2.2
CC 6.1 8.2.1
8.2.2

CC 6.1 7.2.2
CC 6.8 8.2.1

7.2.2
CC 7.1 CC 6.1
8.2.1

7.2.2
CC 6.1 - CC 6.3
CC 5.1 - CC 5.6 8.2.1
CC 6.6 - CC 6.7
8.2.2
7.2.2
CC 7.1
8.2.1

7.2.2
8.2.1

7.2.2
8.2.1
7.2.2
CC 6.8 CC 5.8
8.2.1

7.2.2
8.2.1

7.2.2
A 1.2
8.2.1

7.2.2
8.2.1

7.2.2
CC 6.1 8.2.1
8.2.2
7.2.2
8.2.1
CC 6.1
8.2.2
8.2.6

7.2.2
CC 6.1 - CC 6.3 CC 5.7 8.2.1
CC 6.6 - CC 6.7 C 1.2 - C 1.3 8.2.2
8.2.6

7.2.2
8.2.1
8.2.2

CC 6.1 - CC 6.3 7.2.2


CC 5.1 - CC 5.6
CC 6.6 - CC 6.7 8.2.1
1.2.9
1.2.10
CC 2.1 - CC 2.6
7.2.2
8.2.1

7.2.2
8.2.1

CC 7.4 7.2.2
CC 6.2
CC 7.5 8.2.1

7.2.2
8.2.1
8.2.7
IRS Pub1075 SWIFT SG MAS TRM

6 - Acquisition and Development


9.4.12
of Information Systems

6 - Acquisition and Development


9.4.12 1.1-opt
of Information Systems

2.2 9 - Operational Infrastructure


9.3.4
2.7a Security Management

1.2
9.3.7 11 - Access Controls
2.6a
9 - Operational Infrastructure
9.3.5 2.3
Security Management

9 - Operational Infrastructure
9.3.3 6.4
Security Management

9.3.17
9.4.3
9.4.16
9.4.17
9 - Operational Infrastructure
9.3.17 6.1
Security Management

8 - Systems Reliability,
9.3.6
Availability, and Recoverability

9.3.5
9.3.7
9.4.10

9.3.16 1.1 9 - Operational Infrastructure


9.4.10 6.5a Security Management
9.3.10
9 - Operational Infrastructure
9.4.10
Security Management

4.0
1.1
5.0 9 - Operational Infrastructure
2.1
6.1 Security Management
2.4a
9.3.1 11 - Access Controls
2.5a
9.3.16 12 - Online Financial Services
5.1
9.4.10

9 - Operational Infrastructure
9.4.18
Security Management

4.1
9.3.7
4.2 11 - Access Controls
9.3.13
5.2 12 - Online Financial Services
5.4a
6.1
7.2
9.3.2

6 - Acquisition and Development


6.2
of Information Systems
6.3
7 - IT Service Management

7.1
9.3.8 7 - IT Service Management
7.4a

9 - Operational Infrastructure
9.3.3 7.3a
Security Management
Saudi AMA NERC CIP v7 NERC CIP v6

CIP-002-5.1 R1 CIP-002-5.1 R1
3.3.3
CIP-002-5.1 R2 CIP-002-5.1 R2

3.3.3 CIP-010-3 R1 CIP-010-2 R1

CIP-007-6 R2 CIP-007-6 R2
3.3.17
CIP-010-3 R3 CIP-010-2 R3

CIP-004-6 R4 CIP-004-6 R4
3.3.5 CIP-004-6 R5 CIP-004-6 R5
CIP-007-6 R5 CIP-007-6 R5
CIP-007-6 R2 CIP-007-6 R2
3.3.6
CIP-010-3 R2 CIP-010-2 R2

3.3.14 CIP-007-6 R4 CIP-007-6 R4

3.3.6 CIP-007-6 R2 CIP-007-6 R2


3.3.8 CIP-010-3 R2 CIP-010-2 R2
3.3.8
CIP-007-6 R3 CIP-007-6 R3
3.3.16

CIP-007-6 R1 CIP-007-6 R1
CIP-010-3 R2 CIP-010-2 R2

3.3.6
CIP-009-6 R1 CIP-009-6 R1
3.3.8

CIP-005-5 R1 CIP-005-5 R1
3.3.8 CIP-007-6 R2 CIP-007-6 R2
CIP-010-3 R1 CIP-010-2 R1

CIP-005-5 R1 CIP-005-5 R1
3.3.10 CIP-005-5 R2 CIP-005-5 R2
CIP-007-6 R4 CIP-007-6 R4
3.3.8 CIP-011-2 R1 CIP-011-2 R1

CIP-005-5 R1 CIP-005-5 R1
CIP-005-5 R2 CIP-005-5 R2
3.3.5
CIP-007-6 R4 CIP-007-6 R4
CIP-011-2 R1 CIP-011-2 R1

CIP-007-6 R4 CIP-007-6 R4

CIP-005-5 R1 CIP-005-5 R1
3.3.5 CIP-005-5 R2 CIP-005-5 R2
CIP-007-6 R4 CIP-007-6 R4
3.1.6 CIP-004-6 R1 CIP-004-6 R1
3.1.7 CIP-004-6 R2 CIP-004-6 R2

3.3.6

CIP-008-5 R1 CIP-008-5 R1
3.3.15 CIP-008-5 R2 CIP-008-5 R2
CIP-008-5 R3 CIP-008-5 R3

3.2.4
3.2.5
NERC CIP v5 NERC CIP v4 NERC CIP v3

CIP-002-3 R1
CIP-002-4 R1
CIP-002-3 R2
CIP-002-4 R2
CIP-002-3 R3
CIP-002-4 R3
CIP-002-5.1 R1 CIP-002-3 R4
CIP-003-4 R5
CIP-002-5.1 R2 CIP-003-3 R5
CIP-004-4 R4
CIP-004-3 R4
CIP-005-4 R2
CIP-005-3 R2
CIP-006-4 R3
CIP-006-3 R3

CIP-010-1 R1

CIP-005-4 R4 CIP-005-3 R4
CIP-007-5 R2
CIP-007-4 R3 CIP-007-3 R3
CIP-010-1 R3
CIP-007-4 R8 CIP-007-3 R8

CIP-003-4 R5 CIP-003-3 R5
CIP-004-4 R4 CIP-004-3 R4
CIP-004-5 R4
CIP-005-4 R2 CIP-005-3 R2
CIP-004-5 R5
CIP-005-4 R3 CIP-005-3 R3
CIP-007-5 R5
CIP-006-4 R3 CIP-006-3 R3
CIP-007-4 R3 CIP-007-3 R3
CIP-007-5 R2 CIP-003-4 R6 CIP-003-3 R6
CIP-010-1 R2 CIP-007-4 R3 CIP-007-3 R3

CIP-005-4 R3 CIP-005-3 R3
CIP-007-5 R4
CIP-007-4 R6 CIP-007-3 R6

CIP-007-5 R2 CIP-003-4 R6 CIP-003-3 R6


CIP-010-1 R2 CIP-007-4 R3 CIP-007-3 R3
CIP-007-5 R3 CIP-007-4 R4 CIP-007-3 R4

CIP-007-5 R1
CIP-007-4 R2 CIP-007-3 R2
CIP-010-1 R2

CIP-009-4 R4 CIP-009-3 R4
CIP-009 -5 R1
CIP-009-4 R5 CIP-009-3 R5

CIP-003-4 R6 CIP-003-3 R6
CIP-005-5 R1 CIP-004-4 R4 CIP-004-3 R4
CIP-007-5 R2 CIP-005-4 R2 CIP-005-3 R2
CIP-010-1 R1 CIP-006-4 R3 CIP-006-3 R3
CIP-007-4 R3 CIP-007-3 R3

CIP-005-5 R1
CIP-005-4 R3 CIP-005-3 R3
CIP-005-5 R2
CIP-007-4 R6 CIP-007-3 R6
CIP-007-5 R4
CIP-011-1 R1

CIP-005-5 R1 CIP-003-4 R5 CIP-003-3 R5


CIP-005-5 R2 CIP-004-4 R4 CIP-004-3 R4
CIP-007-5 R4 CIP-005-4 R2 CIP-005-3 R2
CIP-011-1 R1 CIP-006-4 R3 CIP-006-3 R3

CIP-005-4 R3 CIP-005-3 R3
CIP-007-5 R4
CIP-007-4 R6 CIP-007-3 R6

CIP-005-5 R1 CIP-005-4 R3 CIP-005-3 R3


CIP-005-5 R2 CIP-007-4 R5 CIP-007-3 R5
CIP-007-5 R4 CIP-007-4 R6 CIP-007-3 R6
CIP-004-5 R1 CIP-004-4 R1 CIP-004-3 R1
CIP-004-5 R2 CIP-004-4 R2 CIP-004-3 R2

CIP-008-5 R1
CIP-008-4 R1 CIP-008-3 R1
CIP-008-5 R2
CIP-008-4 R2 CIP-008-3 R2
CIP-008-5 R3
Cloud Security Alliance SEC OCIE for AWS FY15 FISMA Metrics

DCS-01
1: System Inventory
MOS-09
2: Continuous Monitoring
MOS-15

CCC-04
MOS-3 1: System Inventory
MOS-04 2: Continuous Monitoring
MOS-15

IVS-05
MOS-15
2: Continuous Monitoring
MOS-19
TVM-02

IAM-09 - IAM-13
3: Identity Credential and
MOS-16
Access Management
MOS-20
IVS-07
MOS-15 Asset Configuration and
2: Continuous Monitoring
MOS-19 Management
TVM-02

IVS-01 Security Logging and


IVS-03 Monitoring

IVS-07
MOS-15
2: Continuous Monitoring
MOS-19
TVM-02
MOS-01
MOS-15 4: Anti Phishing and Malware
TVM-01 Defense
TVM-03

DSI-02
IVS-06
IPY-04

MOS-11 Disaster Recovery

DSI-02
IAM-03
IVS-06 Network Configuration and 3: Identity Credential and
IVS-09 Management Access Management
MOS-19
TVM-02

DSI-02
3: Identity Credential and
IVS-01
Network Configuration and Access Management
IVS-06
Management 6: Network Defense
IVS-09
7: Boundary Protection
MOS-16
DSI-02
DSI-05
Data Encryption 5: Data Protection
EKM-01 - EKM-04
MOS-11

DSI-02
IVS-09 Logical Access Control
MOS-11

IVS-01
IVS-06
IVS-12
MOS-11

IAM-02
IAM-09 - IAM-12
3: Identity Credential and
MOS-14
Access Management
MOS-16
MOS-20
HRS-10
8: Training and Education
MOS-05

AIS-01
AIS-03
AIS-04
CCC-01 - CCC-03
IVS-08

SEF-01 - SEF-05 Security Incident Response 9: Incident Response


ITIL 2011 KPIs NV Gaming MICS v7 2015 MA - CoM 201 CMR 17.00

Information Security
Management

Information Security
VI-02
Management

Information Security
VI-01
Management

Information Security
Management
Information Security
Management

Information Security
System Parameters VI-04
Management

Information Security
Management
Information Security
VI-02
Management

Information Security
Network Security and Data Protection
Management

Information Security
Backups
Management

Information Security
Network Security and Data Protection
Management

VI-01
Information Security Network Security and Data Protection
VI-04
Management Remote Access
VI-05
Information Security V-19
Network Security and Data Protection
Management VI-03

V-04
Information Security V-05
Network Security and Data Protection
Management V-06
VI-03

Information Security
Network Security and Data Protection
Management

V-05
V-06
System Parameters V-08
Information Security User Accounts V-09
Management Generic User Accounts V-10
Service & Default Accounts V-11
V-17
VI-05
IV-b
Information Security
IV-f
Management
V-02

Information Security In-House Software Development


Management Purchased Software Programs

Information Security
Management V-13
Incident Management

Information Security
Management
NY - NYCRR 500 Victorian PDSF v1.0 ANSSI - 40 Measures

1
34

16
17
18
20
23

2
Section 500.05 8-13
28-30

26
Section 500.12 Standard 4
27
6
16
17

Section 500.06
36

Section 500.12 8-13

4
5
Section 500.11
24
Section 500.12
25
31
15
Section 500.15 Standard 4
19

Section 500.07
Section 500.13 Standard 4 21
Section 500.15

22

Section 500.06
Section 500.07 Standard 4 8-13
Section 500.12
Section 500.10
Standard 6 39
Section 500.14

Section 500.08

Standard 7 37
Section 500.16
Standard 8 38

Section 500.05
CIS Controls

CIS Controls v7.1 mapped to NIST 800-53 (rev4)

ID # NIST Control Name


Access Control
AC-1 Access Control Policy and Procedures
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-5 Separation of Duties
AC-6 Least Privilege
AC-7 Unsuccessful Logon Attempts
AC-8 System Use Notification
AC-9 Previous Logon (Access) Notification
AC-10 Concurrent Session Control
AC-11 Session Lock
AC-12 Session Termination
AC-13 Withdrawn
AC-14 Permitted Actions without Identification or Authentication
AC-15 Withdrawn
AC-16 Security Attributes
AC-17 Remote Access
AC-18 Wireless Access
AC-19 Access Control for Mobile Devices
AC-20 Use of External Information Systems
AC-21 Information Sharing
AC-22 Publicly Accessible Content
AC-23 Data Mining Protection
AC-24 Access Control Decisions
AC-25 Reference Monitor
Awareness and Training
AT-1 Security Awareness and Training Policy and Procedures
AT-2 Security Awareness Training
AT-3 Role-Based Security Training
AT-4 Security Training Records
AT-5 Withdrawn
Audit & Accountability
AU-1 Audit and Accountability Policy and Procedures
AU-2 Audit Events
AU-3 Content of Audit Records
AU-4 Audit Storage Capacity
AU-5 Response to Audit Processing Failures
AU-6 Audit Review, Analysis, and Reporting
AU-7 Audit Reduction and Report Generation
AU-8 Time Stamps
AU-9 Protection of Audit Information
AU-10 Non-repudiation
AU-11 Audit Record Retention
AU-12 Audit Generation
AU-13 Monitoring for Information Disclosure
AU-14 Session Audit
AU-15 Alternate Audit Capability
AU-16 Cross-Organizational Auditing
Security Assessment and Authorization
CA-1 Security Assessment and Authorization Policies and Procedures
CA-2 Security Assessments
CA-3 System Interconnections
CA-4 Withdrawn
CA-5 Plan of Action and Milestones
CA-6 Security Authorization
CA-7 Continuous Monitoring
CA-8 Penetration Testing
CA-9 Internal System Connections
Configuration Management
CM-1 Configuration Management Policy and Procedures
CM-2 Baseline Configuration
CM-3 Configuration Change Control
CM-4 Security Impact Analysis
CM-5 Access Restrictions for Change
CM-6 Configuration Settings
CM-7 Least Functionality
CM-8 Information System Component Inventory
CM-9 Configuration Management Plan
CM-10 Software Usage Restrictions
CM-11 User-Installed Software
Contingency Planning
CP-1 Contingency Planning Policy and Procedures
CP-2 Contingency Plan
CP-3 Contingency Training
CP-4 Contingency Plan Testing
CP-5 Withdrawn
CP-6 Alternate Storage Site
CP-7 Alternate Processing Site
CP-8 Telecommunications Services
CP-9 Information System Backup
CP-10 Information System Recovery and Reconstitution
CP-11 Alternate Communications Protocols
CP-12 Safe Mode
CP-13 Alternative Security Mechanisms
Identification and Authentication
IA-1 Identification and Authentication Policy and Procedures
IA-2 Identification and Authentication (Organizational Users)
IA-3 Device Identification and Authentication
IA-4 Identifier Management
IA-5 Authenticator Management
IA-6 Authenticator Feedback
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (Non- Organizational Users)
IA-9 Service Identification and Authentication
IA-10 Adaptive Identification and Authentication
IA-11 Re-authentication
Incident Response
IR-1 Incident Response Policy and Procedures
IR-2 Incident Response Training
IR-3 Incident Response Testing
IR-4 Incident Handling
IR-5 Incident Monitoring
IR-6 Incident Reporting
IR-7 Incident Response Assistance
IR-8 Incident Response Plan
IR-9 Information Spillage Response
IR-10 Integrated Information Security Analysis Team
Maintenance
MA-1 System Maintenance Policy and Procedures
MA-2 Controlled Maintenance
MA-3 Maintenance Tools
MA-4 Nonlocal Maintenance
MA-5 Maintenance Personnel
MA-6 Timely Maintenance
Media Protection
MP-1 Media Protection Policy and Procedures
MP-2 Media Access
MP-3 Media Marking
MP-4 Media Storage
MP-5 Media Transport
MP-6 Media Sanitization
MP-7 Media Use
MP-8 Media Downgrading
Physical and Environmental Protection
PE-1 Physical and Environmental Protection Policy and Procedures
PE-2 Physical Access Authorizations
PE-3 Physical Access Control
PE-4 Access Control for Transmission Medium
PE-5 Access Control for Output Devices
PE-6 Monitoring Physical Access
PE-7 Withdrawn
PE-8 Visitor Access Records
PE-9 Power Equipment and Cabling
PE-10 Emergency Shutoff
PE-11 Emergency Power
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-14 Temperature and Humidity Controls
PE-15 Water Damage Protection
PE-16 Delivery and Removal
PE-17 Alternate Work Site
PE-18 Location of Information System Components
PE-19 Information Leakage
PE-20 Asset Monitoring and Tracking
Planning
PL-1 Security Planning Policy and Procedures
PL-2 System Security Plan
PL-3 Withdrawn
PL-4 Rules of Behavior
PL-5 Withdrawn
PL-6 Withdrawn
PL-7 Security Concept of Operations
PL-8 Information Security Architecture
PL-9 Central Management
Personnel Security
PS-1 Personnel Security Policy and Procedures
PS-2 Position Risk Designation
PS-3 Personnel Screening
PS-4 Personnel Termination
PS-5 Personnel Transfer
PS-6 Access Agreements
PS-7 Third-Party Personnel Security
PS-8 Personnel Sanctions
Risk Assessment
RA-1 Risk Assessment Policy and Procedures
RA-2 Security Categorization
RA-3 Risk Assessment
RA-4 Withdrawn
RA-5 Vulnerability Scanning
RA-6 Technical Surveillance Countermeasures Survey
System and Services Acquisition
SA-1 System and Services Acquisition Policy and Procedures
SA-2 Allocation of Resources
SA-3 System Development Life Cycle
SA-4 Acquisition Process
SA-5 Information System Documentation
SA-6 Withdrawn
SA-7 Withdrawn
SA-8 Security Engineering Principles
SA-9 External Information System Services
SA-10 Developer Configuration Management
SA-11 Developer Security Testing and Evaluation
SA-12 Supply Chain Protection
SA-13 Trustworthiness
SA-14 Criticality Analysis
SA-15 Development Process, Standards, and Tools
SA-16 Developer-Provided Training
SA-17 Developer Security Architecture and Design
SA-18 Tamper Resistance and Detection
SA-19 Component Authenticity
SA-20 Customized Development of Critical Components
SA-21 Developer Screening
SA-22 Unsupported System Components
System and Communications Protection
SC-1 System and Communications Protection Policy and Procedures
SC-2 Application Partitioning
SC-3 Security Function Isolation
SC-4 Information in Shared Resources
SC-5 Denial of Service Protection
SC-6 Resource Availability
SC-7 Boundary Protection
SC-8 Transmission Confidentiality and Integrity
SC-9 Withdrawn
SC-10 Network Disconnect
SC-11 Trusted Path
SC-12 Cryptographic Key Establishment and Management
SC-13 Cryptographic Protection
SC-14 Withdrawn
SC-15 Collaborative Computing Devices
SC-16 Transmission of Security Attributes
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-19 Voice Over Internet Protocol
SC-20 Secure Name /Address Resolution Service (Authoritative Source)
SC-21 Secure Name /Address Resolution Service (Recursive or Caching Resolver)
SC-22 Architecture and Provisioning for Name/Address Resolution Service
SC-23 Session Authenticity
SC-24 Fail in Known State
SC-25 Thin Nodes
SC-26 Honeypots
SC-27 Platform-Independent Applications
SC-28 Protection of Information at Rest
SC-29 Heterogeneity
SC-30 Concealment and Misdirection
SC-31 Covert Channel Analysis
SC-32 Information System Partitioning
SC-33 Withdrawn
SC-34 Non-Modifiable Executable Programs
SC-35 Honeyclients
SC-36 Distributed Processing and Storage
SC-37 Out-of-Band Channels
SC-38 Operations Security
SC-39 Process Isolation
SC-40 Wireless Link Protection
SC-41 Port and I/O Device Access
SC-42 Sensor Capability and Data
SC-43 Usage Restrictions
SC-44 Detonation Chambers
System and Information Integrity
SI-1 System and Information Integrity Policy and Procedures
SI-2 Flaw Remediation
SI-3 Malicious Code Protection
SI-4 Information System Monitoring
SI-5 Security Alerts, Advisories, and Directives
SI-6 Security Function Verification
SI-7 Software, Firmware, and Information Integrity
SI-8 Spam Protection
SI-9 Withdrawn
SI-10 Information Input Validation
SI-11 Error Handling
SI-12 Information Handling and Retention
SI-13 Predictable Failure Prevention
SI-14 Non-Persistence
SI-15 Information Output Filtering
SI-16 Memory Protection
SI-17 Fail-Safe Procedures
Program Management
PM-1 Information Security Program Plan
PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action and Milestones Process
PM-5 Information System Inventory
PM-6 Information Security Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition
PM-12 Insider Threat Program
PM-13 Information Security Workforce
PM-14 Testing, Training, & Monitoring
PM-15 Contacts with Security Groups and Associations
PM-16 Threat Awareness Program
CIS Controls Master Mappings Tool (v7.1c)

Priority (NIST 800-53 rev4)
CSC #1: Inventory of Authorized & Unauthorized Devices
CSC #2: Inventory of Authorized and Unauthorized Software
CSC #3: Continuous Vulnerability Assessment and Remediation

P1
P1
P1
P1
P1
P1
P2
P1
P0
P2
P3
P2
---
P1
---
P0
P1
P1
P1
P1
P2
P2
P0
P0
P0

P1
P1
P1
P3
---

P1
P1
P1
P1
P1
P1
P2
P1
P1
P1
P3
P1
P0
P0
P0
P0

P1
P2 X
P1
---
P3
P3
P3 X X X
P1
P2

P1
P1 X
P1
P2
P1
P1
P1
P1 X X
P1
P2 X
P1 X

P1
P1
P2
P2
---
P1
P1
P1
P1
P1
P0
P0
P0

P1
P1
P1 X
P1
P1
P1
P1
P1
P0
P0
P0

P1
P2
P2
P1
P1
P1
P3
P1
P0
P0

P1
P2
P2
P1
P1
P2

P1
P1
P2
P1
P1
P1
P1
P0

P1
P1
P1
P1
P2
P1
---
P3
P1
P1
P1
P1
P1
P1
P1
P2
P2
P3
P0
P0

P1
P1
---
P2
---
---
P0
P1
P0

P1
P1
P1
P1
P2
P3
P1
P3
P1
P1
P1
---
P1 X
P0

P1
P1
P1
P1 X X
P2
---
---
P1
P1
P1
P1
P1
P0
P0
P2
P2
P1
P0
P0
P0
P0
P0

P1
P1
P1
P1
P1
P0
P1
P1
---
P2
P0
P1
P1
---
P1
P0
P1 X
P2 X
P1
P1
P1
P1
P1
P1
P0
P0
P0
P1
P0
P0
P0
P0
---
P0 X X
P0
P0
P0
P0
P1
P0
P0
P0
P0
P0

P1
P1
P1
P1 X X X
P1
P1
P1 X
P2
---
P1
P2
P2
P0
P0
P0
P1
P0

P1
P1
P1
P1
P1 X X
P1
P1
P1
P1
P1
P1
P1
P1
P1
P1
P1
CSC #4: Controlled Use of Administrative Privileges
CSC #5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC #6: Maintenance, Monitoring, and Analysis of Audit Logs

X
X
X
X
X
X
X
X
X
X
X
X
X
X

X X X

X
X

X
X
X
X
X

X
X

X
X

X
X

X
X

X X X
CSC #7: Email and Web Browser Protections
CSC #8: Malware Defenses
CSC #9: Limitation and Control of Network Ports, Protocols, and Services

X
X X

X X
X

X
X X
X
X X
X

X
X
X

X
X
X

X
X

X
X
X

X X
CSC #10: Data Recovery Capabilities
CSC #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
CSC #12: Boundary Defense

X X

X
X X

X X

X X

X X
X

X
X

X
X
X

X
X
X

X
X
X

X X
CSC #13: Data Protection
CSC #14: Controlled Access Based on the Need to Know
CSC #15: Wireless Device Control

X
X
X X
X

X
X

X
X
X

X X X

X
X

X
X
X

X X
X
X

X
X

X X X
CSC #16: Account Monitoring and Control
CSC #17: Implement a Security Awareness and Training Program
CSC #18: Application Software Security

X
X

X
X

X
X
X
X
X
X

X
X

X
X X

X
X X
X

X
X
X

X
X
X
X

X
X

X
CSC #19: Incident Response and Management
CSC #20: Penetration Tests and Red Team Exercises


X

X
X

X
X
X
X
X
X
X
X
X

X
X
X
X

X
CIS Controls v7.1 mapped to the NIST Cyber Security Framework (v1.1)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6
Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2
Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

Critical Security Control #13: Data Protection

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

14.1 Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control

15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control

16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.

Critical Security Control #17: Implement a Security Awareness and Training Program

17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

Critical Security Control #18: Application Software Security

18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management

19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises

20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.

Master Mappings Tool (v7.1c)

NIST CSF subcategory columns of the mapping matrix (an X in a matrix cell marks a CIS sub-control mapped to that subcategory; the cell marks are not reproduced here):

ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
ID.BE-1: The organization's role in the supply chain is identified and communicated
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
ID.GV-1: Organizational cybersecurity policy is established and communicated
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan.
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand their roles and responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-4: Senior executives understand their roles and responsibilities
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are improved
PR.IP-8: Effectiveness of protection technologies is shared
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
PR.PT-4: Communications and control networks are protected
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are collected and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated
DE.DP-5: Detection processes are continuously improved
RS.RP-1: Response plan is executed during or after an incident
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
RC.CO-1: Public relations are managed
RC.CO-2: Reputation is repaired after an incident
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

CIS Controls v7.1 mapped to the NIST Cyber Security Framework (v1.0)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7
Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1

System 4.2

System 4.3

System 4.4

System 4.5
System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7

System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6
Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4
Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2
Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10
Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6
Application 20.7

Application 20.8
CIS Controls

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


1.1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Critical Security Control #4: Controlled Use of Administrative Privileges

Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.

Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.

Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software

Maintain documented security configuration standards for all authorized operating systems and software.

Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.

Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.

Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.

On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses

Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

Configure devices to not auto-run content from removable media.

Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports

Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities

Ensure that all system data is automatically backed up on a regular basis.

Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.

Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.

Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense

Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.

Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.

Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.

Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.

Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.

Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).

Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control

Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.

Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols, such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.

Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control

Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.

Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.

Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program

Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

Deliver training to address the skills gap identified to positively impact workforce members' security behavior.

Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.

Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.

Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security

Establish secure coding practices appropriate to the programming language and development environment being used.

For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management

Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.

Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises

Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.

Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

NIST Cyber Security Framework (v1.0) subcategories used as the mapping columns:

ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped

ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

ID.BE-1: The organization's role in the supply chain is identified and communicated
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated

ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established
ID.GV-1: Organizational information security policy is established

ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks

ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented

ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

PR.AC-1: Identities and credentials are managed for authorized devices and users
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.AT-1: All users are informed and trained

PR.AT-2: Privileged users understand roles & responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
PR.AT-4: Senior executives understand roles & responsibilities

PR.AT-5: Physical and information security personnel understand roles & responsibilities
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained

PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested periodically

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are continuously improved

PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented
PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
PR.PT-4: Communications and control networks are protected
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined

DE.AE-5: Incident alert thresholds are established
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
External service provider Monitoring for
activity is monitored to unauthorized personnel, Vulnerability scans are
detect potential connections, devices, and performed
cybersecurity events software is performed

DE.CM-6 DE.CM-7 DE.CM-8


X

X
X
X
X
X X

X X

X X

X X

X X

X X

X X

X X
Roles and responsibilities
Detection activities comply
for detection are well Detection processes are
with all applicable
defined to ensure tested
requirements
accountability

DE.DP-1 DE.DP-2 DE.DP-3


X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
Event detection information
Detection processes are Response plan is executed
is communicated to
continuously improved during or after an event
appropriate parties

DE.DP-4 DE.DP-5 RS.RP-1


X X
X X
X X
X X
X X
X X
X X
X X
Personnel know their roles Events are reported Information is shared
and order of operations consistent with established consistent with response
when a response is needed criteria plans

RS.CO-1 RS.CO-2 RS.CO-3


Voluntary information
Coordination with
sharing occurs with external Notifications from
stakeholders occurs
stakeholders to achieve detection systems are
consistent with response
broader cybersecurity investigated
plans
situational awareness

RS.CO-4 RS.CO-5 RS.AN-1


Incidents are categorized
The impact of the incident
Forensics are performed consistent with response
is understood
plans

RS.AN-2 RS.AN-3 RS.AN-4


Newly identified
vulnerabilities are mitigated
Incidents are contained Incidents are mitigated
or documented as accepted
risks

RS.MI-1 RS.MI-2 RS.MI-3


X

X
X
X
X
Response plans incorporate Response strategies are Recovery plan is executed
lessons learned updated during or after an event

RS.IM-1 RS.IM-2 RC.RP-1


X

X
Recovery plans incorporate Recovery strategies are Public relations are
lessons learned updated managed

RC.IM-1 RC.IM-2 RC.CO-1


X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X
Recovery activities are
Reputation after an event is communicated to internal
repaired stakeholders and executive
and management teams

RC.CO-2 RC.CO-3
X X

X X

X X

X X

X X

X X

X X

X X
CIS Controls v7.1 mapped to NIST 800-82 rev2

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Router
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6
Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2
Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls

CIS Controls v7.1 mapped to NIST 800-82 rev2

curity Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
curity Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

curity Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
curity Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
curity Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
curity Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
curity Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
curity Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
curity Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
curity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
curity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
curity Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the


organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

curity Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally


and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
curity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
curity Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
curity Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
curity Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
curity Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
curity Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping matrix: only the column headings below could be recovered from the extracted grid. The individual "X" marks could not be re-associated with their CIS sub-control rows and are omitted.]

3.1 Risk Management
4.1 Business Case for Security
4.2 Build and Train a Cross Functional Team
4.3 Define Charter and Scope
4.4 Define ICS Specific Security Policies and Procedures
4.5 Implement an ICS Security Risk Management Framework
5.1 Network Segmentation and Segregation
5.2 Boundary Protection
5.3 Firewalls
5.4 Logically Separated Control Network
5.5 Network Segregation
5.6 Recommended Defense-in-Depth Architecture
5.7 General Firewall Policies for ICS
5.8 Recommended Firewall Rules for Specific Services
5.9 Network Address Translation (NAT)
5.10 Specific ICS Firewall Issues
5.11 Unidirectional Gateways
5.12 Single Points of Failure
5.13 Redundancy and Fault Tolerance
5.14 Preventing Man-in-the-Middle Attacks
5.15 Authentication and Authorization
5.16 Monitoring, Logging, and Auditing
5.17 Incident Detection, Response, and Recovery
6.2.1 System Access Control
6.2.2 Awareness and Training
6.2.3 Audit and Accountability
6.2.4 Security Assessment and Authorization
6.2.5 Configuration Management
6.2.6 Contingency Planning
6.2.7 Identification and Authentication
6.2.8 Incident Response
6.2.9 Maintenance
6.2.10 Media Protection
6.2.11 Physical and Environmental Protection
6.2.12 Planning
6.2.13 Personnel Security
6.2.14 Risk Assessment
6.2.15 System and Services Acquisition
6.2.16 System and Communications Protection
6.2.17 System and Information Integrity
6.2.18 Program Management
6.2.19 Privacy Controls
CIS Controls v7.1 mapped to NISTIR 7621 (rev 1): Small Business Information Security

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4
System 2.5

System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3
System 4.4

System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7
System 6.8

Critical Security Control #7: Email and Web Browser Protections

System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6
System 8.7

System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program

Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

Deliver training to address the skills gap identified to positively impact workforce members' security behavior.

Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.

Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.

Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security

Establish secure coding practices appropriate to the programming language and development environment being used.

For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management

Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.

Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises

Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.

Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping sheet: rows are the CIS Critical Security Controls; the per-row mapping marks did not survive extraction. The mapping columns are:

3.1a Identify and control who has access to your business information
3.1b Conduct background checks
3.1c Require individual user accounts for each employee
3.1d Create policies and procedures for information security
3.2a Limit employee access to data and information
3.2b Install surge protectors and uninterruptible power supplies (UPS)
3.2c Patch your operating systems and applications
3.2d Install and activate software and hardware firewalls on all your business networks
3.2e Secure your wireless access point and networks
3.2f Set up web and email filters
3.2g Use encryption for sensitive business information
3.2h Dispose of old computers and media safely
3.2i Install and update anti-virus, anti-spyware, and other anti-malware programs
3.3a Maintain and monitor logs
3.3b Train your employees
3.4a Develop a plan for disasters and information security incidents
3.5a Make full backups of important business data/information
3.5b Make incremental backups of important business data/information
3.5c Consider cyber insurance
3.5d Make improvements to processes / procedures / technologies
4.0a Pay attention to the people you work with and around
4.0b Be careful of email attachments and web links
4.0c Use separate personal and business computers, mobile devices, and accounts
4.0d Do not connect personal or untrusted storage devices or hardware into your computer, mobile device, or network
4.0e Be careful downloading software
4.0f Do not give out personal or business information
4.0g Watch for harmful pop-ups
4.0h Use strong passwords
4.0i Conduct online business more securely
CIS Controls v7.1 mapped to the DHS CDM Program

Each sub-control is mapped to a CDM capability area (System, Network, or Application):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System: 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls

CIS Controls v7.1 mapped to the DHS CDM Program

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
curity Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

curity Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
curity Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
curity Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
curity Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
curity Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
curity Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
curity Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
curity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
curity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
curity Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the


organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

curity Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally


and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping matrix: only the column headings and unlabeled X marks survived extraction, so the per-sub-control mappings are not recoverable here. Column headings: Hardware Asset Management (HWAM); Software Asset Management (SWAM); Configuration Settings Management (CSM); Vulnerability Management (VUL); Access Control Management (TRUST); Security-Related Behavior Management (BEHV); Credentials & Authentication Management (CRED); Privileges (PRIV); Boundary Protection; Generic Audit Monitoring; Plan for Events; Respond to Events; Document Requirements; Quality Management; Risk Management.
CIS Controls v7.1 mapped to ISO 27002:2013

Sub-control identifiers by asset type (the ISO 27002:2013 clause references themselves were not captured in the extraction):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls v7.1 mapped to ISO 27002:2013

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt, or hash with a salt, all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping grid: ISO 27002 clause columns listed below; the X marks of the original grid are not attributable to their CIS sub-control rows in this extraction and are omitted.]

A.5.1.1 Policies for information security
A.5.1.2 Review of the policies for information security
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Information security in project management
A.6.2.1 Mobile device policy
A.6.2.2 Teleworking
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment
A.7.2.1 Management responsibilities
A.7.2.2 Information security awareness, education and training
A.7.2.3 Disciplinary process
A.7.3.1 Termination or change of employment responsibilities
A.8.1.1 Inventory of assets
A.8.1.2 Ownership of assets
A.8.1.3 Acceptable use of assets
A.8.1.4 Return of assets
A.8.2.1 Classification of information
A.8.2.2 Labelling of information
A.8.2.3 Handling of assets
A.8.3.1 Management of removable media
A.8.3.2 Disposal of media
A.8.3.3 Physical media transfer
A.9.1.1 Access control policy
A.9.1.2 Access to networks and network services
A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning
A.9.2.3 Privilege management
A.9.2.4 Management of secret authentication information of users
A.9.2.5 Review of user access rights
A.9.2.6 Removal or adjustment of access rights
A.9.3.1 Use of secret authentication information
A.9.4.1 Use of secret authentication information
A.9.4.2 Secure log-on procedures
A.9.4.3 Password management system
A.9.4.4 Use of privileged utility programs
A.9.4.5 Access control to program source code
A.10.1.1 Policy on the use of cryptographic controls
A.10.1.2 Key management
A.11.1.1 Physical security perimeter
A.11.1.2 Physical entry controls
A.11.1.3 Securing office, rooms and facilities
A.11.1.4 Protecting against external and environmental threats
A.11.1.5 Working in secure areas
A.11.1.6 Delivery and loading areas
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
A.11.2.4 Equipment maintenance
A.11.2.5 Removal of assets
A.11.2.6 Security of equipment and assets off-premises
A.11.2.7 Secure disposal or re-use of equipment
A.11.2.8 Unattended user equipment
A.11.2.9 Clear desk and clear screen policy
A.12.1.1 Documented operating procedures
A.12.1.2 Change management
A.12.1.3 Capacity management
A.12.1.4 Separation of development, test and operational environments
A.12.2.1 Controls against malware
A.12.3.1 Information backup
A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
A.12.4.4 Clock synchronisation
A.12.5.1 Installation of software on operational systems
A.12.6.1 Management of technical vulnerabilities
A.12.6.2 Restrictions on software installation
A.12.7.1 Information systems audit controls
A.13.1.1 Network controls
A.13.1.2 Security of network services
A.13.1.3 Segregation in networks
A.13.2.1 Information transfer policies and procedures
A.13.2.2 Agreements on information transfer
A.13.2.3 Electronic messaging
A.13.2.4 Confidentiality or non-disclosure agreements
A.14.1.1 Security requirements analysis and specification
A.14.1.2 Securing applications services on public networks
A.14.1.3 Protecting application services transactions
A.14.2.1 Secure development policy
A.14.2.2 System change control procedures
A.14.2.3 Technical review of applications after operating platform changes
A.14.2.4 Restrictions on changes to software packages
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.7 Outsourced development
A.14.2.8 System security testing
A.14.2.9 System acceptance testing
A.14.3.1 Protection of test data
A.15.1.1 Information security policy for supplier relationships
A.15.1.2 Addressing security within supplier agreements
A.15.1.3 Information and communication technology supply chain
A.15.2.1 Monitoring and review of supplier services
A.15.2.2 Managing changes to supplier services
A.16.1.1 Responsibilities and procedures
A.16.1.2 Reporting information security events
A.16.1.3 Reporting information security weaknesses
A.16.1.4 Assessment and decision on information security events
A.16.1.5 Response to information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.7 Collection of evidence
A.17.1.1 Planning information security continuity
A.17.1.2 Implementing information security continuity
A.17.1.3 Verify, review and evaluate information security continuity
A.17.2.1 Availability of information processing facilities
A.18.1.1 Identification of applicable legislation and contractual requirements
A.18.1.2 Intellectual property rights (IPR)
A.18.1.3 Protection of records
A.18.1.4 Privacy and protection of personally identifiable information
A.18.1.5 Regulation of cryptographic controls
A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
A.18.2.3 Technical compliance review
CIS Controls v7.1 mapped to ISO 27002:2005

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6
Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2
Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
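The SPF and DMARC records that this sub-control asks for are plain DNS TXT strings, and most deployments fail not because the records are missing but because they are published in a monitoring-only form (p=none, +all, pct below 100) and never tightened. The following is an added example, not CIS or AuditScripts tooling: it parses both record types and reports the weak settings beside a hardened pair for the same domain. The record strings are constructed for the example; in production you would fetch the TXT records for the domain and for _dmarc.<domain> with a resolver and pass them to the same functions.

```python
"""Static audit of SPF and DMARC TXT records.

Added example, not CIS or AuditScripts tooling. The record strings below are
constructed for the example; in production, fetch the TXT records for the
domain and for _dmarc.<domain> with a resolver and pass them to the same
functions unchanged.
"""
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Return the SPF mechanisms and the qualifier on the terminal 'all'."""
    if not txt.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in txt.split()[1:]:
        if re.fullmatch(r"[+\-~?]?all", term):
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt):
    """Return the DMARC tag=value pairs as a dict."""
    if not txt.startswith("v=DMARC1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def audit_spf(txt):
    """List weaknesses in an SPF record; an empty list means no findings."""
    spf = parse_spf(txt)
    findings = []
    if spf["all"] is None:
        findings.append("no terminal 'all': unlisted senders get no verdict")
    elif spf["all"] == "+":
        findings.append("'+all' authorizes every sender on the Internet")
    elif spf["all"] == "?":
        findings.append("'?all' is neutral and gives receivers no verdict")
    lookups = sum(1 for m in spf["mechanisms"]
                  if re.split(r"[:=/]", m.lstrip("+-~?"), maxsplit=1)[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def audit_dmarc(txt):
    """List weaknesses in a DMARC record; an empty list means no findings."""
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing 'p' tag: record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if policy not in (None, "none") and tags.get("sp", policy) == "none":
        findings.append("sp=none leaves subdomains unprotected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")
    return findings


# Constructed records: a weak pair and a hardened pair for the same domain.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 mx include:_spf.example.net -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-rua@example.com; adkim=s; aspf=s")

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, audit_spf(spf) + audit_dmarc(dmarc))
```

The order matters in practice: publish SPF and DKIM first, then DMARC at p=none with an rua address to collect reports, and only move to p=quarantine and then p=reject once the reports show every legitimate sender aligned. The audit above is what you run afterwards to confirm the record did not stay at the monitoring stage.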
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
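DNS query logs (sub-control 8.7 above, and the DNS filtering in 7.7) are only useful if the match against the malicious-domain list respects label boundaries: a naive substring test either misses subdomains of a listed domain or fires on unrelated names that merely contain it. Added example, not CIS tooling: the resolver log lines and the blocklist are constructed for the example, the line format mimics a BIND-style query log, and the regex is the part to adapt for another resolver.

```python
"""Match DNS query logs against a malicious-domain list (added example).

Log lines and the blocklist are constructed for the example. The line format
mimics a BIND-style query log; adapt LINE_RE to your resolver's format.
"""
import re
from collections import defaultdict

# Constructed blocklist; in practice this comes from a threat-intel feed.
BLOCKLIST = {"malicious.example", "c2.bad.example"}

# Constructed sample of resolver query-log lines (BIND-style).
SAMPLE_LOG = """\
12-Mar-2024 10:01:02.123 client 10.0.5.23#51234: query: www.example.com IN A + (10.0.0.53)
12-Mar-2024 10:01:05.456 client 10.0.5.23#51235: query: update.malicious.example IN A + (10.0.0.53)
12-Mar-2024 10:01:07.789 client 10.0.7.9#40001: query: notmalicious.example IN A + (10.0.0.53)
12-Mar-2024 10:01:09.000 client 10.0.7.9#40002: query: C2.BAD.EXAMPLE. IN TXT + (10.0.0.53)
"""

LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_query_log(text):
    """Yield (client, normalized qname, qtype) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # Strip the trailing dot and lower-case: DNS names are case-insensitive.
            yield m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def is_blocked(qname, blocklist):
    """True if qname equals a listed domain or is a subdomain of one.

    Matching on label boundaries is what keeps notmalicious.example from
    matching malicious.example while update.malicious.example still does.
    """
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_hits(text, blocklist=BLOCKLIST):
    """Group blocked lookups by querying client; the client is the host to triage."""
    hits = defaultdict(list)
    for src, qname, qtype in parse_query_log(text):
        if is_blocked(qname, blocklist):
            hits[src].append((qname, qtype))
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in find_hits(SAMPLE_LOG).items():
        print(client, lookups)
```

Grouping by client address rather than by domain is deliberate: the alert that goes to the SOC is "host 10.0.5.23 resolved a C2 domain", which maps directly onto the hardware inventory from Control 1.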
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
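Sub-controls 9.1 through 9.3 describe one loop: the inventory records which ports each asset is approved to expose, a scanner reports what is actually listening, and anything open that the inventory does not justify is an alert. Added example, not CIS tooling: the inventory and the scan output are constructed, but the scan lines follow nmap's grepable (-oG) format so real output can be fed in unchanged.

```python
"""Diff a port scan against the approved services in the asset inventory
(added example). Inventory and scan output are constructed; the scan lines
follow nmap's grepable (-oG) format so real output can be fed in unchanged.
"""
import re

# Constructed inventory: host -> set of approved (port, protocol) pairs.
INVENTORY = {
    "10.0.1.10": {(22, "tcp"), (443, "tcp")},
    "10.0.1.11": {(22, "tcp"), (5432, "tcp")},
}

# Constructed nmap -oG output. Fields per port: port/state/proto/owner/service/rpc/version/
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 10.0.1.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n"
    "Host: 10.0.1.11 ()\tPorts: 22/open/tcp//ssh///, 5432/filtered/tcp//postgresql///"
    "\tIgnored State: closed (998)\n"
    "Host: 10.0.1.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)\n"
)

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) .*?Ports: (?P<ports>[^\t]+)")
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/[^/]*/(?P<svc>[^/]*)/")


def parse_grepable(text):
    """Return host -> set of (port, proto) that the scanner reported as open."""
    result = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = set()
        for p in PORT_RE.finditer(m.group("ports")):
            if p.group("state") == "open":
                open_ports.add((int(p.group("port")), p.group("proto")))
        result[m.group("ip")] = open_ports
    return result


def compare(scan, inventory):
    """Return (host, finding, ports) tuples for every deviation from the inventory."""
    findings = []
    for host, open_ports in scan.items():
        approved = inventory.get(host)
        if approved is None:
            # A host that is listening but not in the inventory is itself a finding (Control 1).
            findings.append((host, "unknown host", sorted(open_ports)))
            continue
        extra = open_ports - approved
        missing = approved - open_ports
        if extra:
            findings.append((host, "unauthorized open", sorted(extra)))
        if missing:
            # Not a security exposure, but the inventory or the service is wrong.
            findings.append((host, "expected but closed", sorted(missing)))
    for host in inventory.keys() - scan.keys():
        findings.append((host, "not scanned", []))
    return findings


if __name__ == "__main__":
    for finding in compare(parse_grepable(SAMPLE_SCAN), INVENTORY):
        print(*finding)
```

Run the scanner from the same network position the adversary would have (outside the host firewall from 9.4) so that the comparison reflects what is reachable, not merely what is bound.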
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.
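A restore test is only meaningful if it compares the restored files against an independent record of what was backed up, rather than just checking that the archive opens. Added example, not CIS tooling: it builds a small constructed data set in a temporary directory, archives it with the standard library, restores it to a scratch directory and compares SHA-256 manifests, then shows the same check catching a backup that has drifted from the live data.

```python
"""Restore test for a backup archive (added example).

Builds a constructed data set, backs it up with tarfile, restores it to a
scratch directory and compares SHA-256 manifests. All paths are temporary.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root):
    """Relative path -> SHA-256 of every file under root, in a stable order."""
    out = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def create_backup(source, archive):
    """Archive every file under source and return the manifest taken at backup time."""
    source = Path(source)
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())
    return manifest(source)


def restore_and_verify(archive, expected):
    """Restore to a scratch directory and list every file that is missing, changed or extra."""
    # Python 3.12 added the 'data' filter, which refuses absolute paths and
    # path traversal inside the archive; use it where available.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **kwargs)
        restored = manifest(scratch)
    problems = []
    for name, digest in expected.items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif restored[name] != digest:
            problems.append(f"corrupt: {name}")
    for name in sorted(restored.keys() - expected.keys()):
        problems.append(f"unexpected: {name}")
    return problems


def run_demo():
    """Back up constructed data, verify a clean restore, then detect drift."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "users.sql").write_text("CREATE TABLE users (id int);\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        archive = Path(work) / "backup.tar.gz"

        expected = create_backup(src, archive)
        clean = restore_and_verify(archive, expected)

        # Simulate drift after the backup: one file edited, one added. A
        # restore from this archive would silently lose both changes.
        (src / "config.ini").write_text("[app]\nmode=prod\nkey=changed\n")
        (src / "new.txt").write_text("x")
        stale = restore_and_verify(archive, manifest(src))
    return clean, stale


if __name__ == "__main__":
    clean, stale = run_demo()
    print("clean restore:", clean or "OK")
    print("stale backup:", stale)
```

Store the manifest taken at backup time separately from the archive (ideally on the offline destination from 10.5) so that a tampered or ransomware-encrypted archive cannot also carry a matching manifest.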

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.
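"Hash with a salt" is the minimum; what actually protects a stolen credential store is a per-user random salt combined with a memory-hard, tunable-cost function, so that two users with the same password get different hashes and an attacker cannot test billions of guesses per second on a GPU. Added example, not CIS tooling: it uses hashlib.scrypt from the Python standard library, stores the parameters alongside the hash so they can be raised later, and compares in constant time.

```python
"""Store and verify credentials as salted, memory-hard hashes (added example,
using hashlib.scrypt from the standard library; the storage format is the
example's own, not a CIS-defined one)."""
import base64
import hashlib
import hmac
import os

# Work factor: 128 * n * r bytes of memory (16 MiB here). Raise n as hardware allows.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
DKLEN = 32


def hash_password(password, salt=None):
    """Return 'scrypt$n$r$p$salt$hash' with a fresh 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=DKLEN, **SCRYPT_PARAMS)
    fields = ("scrypt", str(SCRYPT_PARAMS["n"]), str(SCRYPT_PARAMS["r"]), str(SCRYPT_PARAMS["p"]),
              base64.b64encode(salt).decode("ascii"), base64.b64encode(digest).decode("ascii"))
    return "$".join(fields)


def verify_password(password, stored):
    """Recompute with the parameters embedded in the stored string; constant-time compare."""
    algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError(f"unsupported hash algorithm {algo!r}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored):
    """True when the stored hash was made with weaker parameters than current policy."""
    _, n, r, p, _, _ = stored.split("$")
    return (int(n), int(r), int(p)) < (SCRYPT_PARAMS["n"], SCRYPT_PARAMS["r"], SCRYPT_PARAMS["p"])


if __name__ == "__main__":
    # Constructed credential for the demo.
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
```

Call needs_rehash at successful login and re-hash with the current parameters; that is how a credential store migrates to a higher work factor without a forced password reset.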


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
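Sub-control 16.13 above (and the log review in 6.7) is a baseline-and-deviation problem: build a per-user profile of logon hours, workstations and session lengths from historical events, then score each new logon against it. Added example, not CIS tooling: the session records are constructed and use a CSV layout invented for the example; the thresholds (one hour of slack, mean plus three standard deviations for duration) are the example's own and would be tuned per environment.

```python
"""Flag logons that deviate from a user's established pattern
(added example; the session records are constructed and the CSV layout
is invented for the example, not a CIS-defined format)."""
import csv
import io
import statistics
from datetime import datetime

# Constructed historical sessions used to build the baseline (UTC timestamps).
BASELINE_CSV = """user,host,start,end
alice,WS-ALICE,2024-03-04T08:55:00Z,2024-03-04T17:10:00Z
alice,WS-ALICE,2024-03-05T09:02:00Z,2024-03-05T17:30:00Z
alice,WS-ALICE,2024-03-06T08:48:00Z,2024-03-06T16:55:00Z
alice,WS-ALICE,2024-03-07T09:10:00Z,2024-03-07T17:45:00Z
alice,WS-ALICE,2024-03-08T08:59:00Z,2024-03-08T17:05:00Z
"""

# Constructed new sessions to score: one normal, one at 02:13, one from a
# server the user has never logged on to, and one user with no history.
NEW_CSV = """user,host,start,end
alice,WS-ALICE,2024-03-11T09:00:00Z,2024-03-11T17:00:00Z
alice,WS-ALICE,2024-03-12T02:13:00Z,2024-03-12T02:40:00Z
alice,SRV-DB-01,2024-03-12T10:00:00Z,2024-03-12T10:30:00Z
bob,WS-BOB,2024-03-12T09:30:00Z,2024-03-12T12:00:00Z
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _sessions(text):
    """Yield (user, host, start string, start hour, duration in minutes)."""
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.strptime(row["start"], TS_FORMAT)
        end = datetime.strptime(row["end"], TS_FORMAT)
        yield row["user"], row["host"], row["start"], start.hour, (end - start).total_seconds() / 60


def build_baseline(text):
    """Per user: hours and hosts seen, plus a duration threshold of mean + 3 sigma."""
    profile = {}
    for user, host, _, hour, dur in _sessions(text):
        p = profile.setdefault(user, {"hours": set(), "hosts": set(), "durations": []})
        p["hours"].add(hour)
        p["hosts"].add(host)
        p["durations"].append(dur)
    for p in profile.values():
        d = p["durations"]
        sigma = statistics.pstdev(d) if len(d) > 1 else 0.0
        p["max_duration"] = statistics.mean(d) + 3 * sigma
    return profile


def detect(baseline_text, new_text, hour_slack=1):
    """Return (user, start, reasons) for each new session that deviates from its baseline."""
    profile = build_baseline(baseline_text)
    alerts = []
    for user, host, start, hour, dur in _sessions(new_text):
        reasons = []
        p = profile.get(user)
        if p is None:
            reasons.append("no baseline for user")
        else:
            lo, hi = min(p["hours"]) - hour_slack, max(p["hours"]) + hour_slack
            if not lo <= hour <= hi:
                reasons.append(f"logon at {hour:02d}:00 UTC outside baseline hours {lo:02d}-{hi:02d}")
            if host not in p["hosts"]:
                reasons.append(f"logon from unseen workstation {host}")
            if dur > p["max_duration"]:
                reasons.append(f"session {dur:.0f} min exceeds baseline threshold {p['max_duration']:.0f} min")
        if reasons:
            alerts.append((user, start, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_CSV, NEW_CSV):
        print(*alert)
```

Five days of history is enough for the demonstration but not for production; a baseline window shorter than the user's normal rhythm (on-call rotations, month-end work) produces alerts that the SOC learns to ignore, which is the "event noise" sub-control 6.8 warns about.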
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
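Sub-control 18.2 names four checks (size, type, range, format) and asks that they be explicit and documented, which in practice means a declared rule per field rather than ad hoc checks scattered through handlers. Added example, not CIS tooling: the rule set, field names and request body are invented for a hypothetical account-creation endpoint. It rejects unknown fields, checks the whole body size before parsing, and collects every failure rather than stopping at the first.

```python
"""Explicit input validation with size, type, range and format checks
(added example; the rule format, field names and requests are invented)."""
import json
import re

MAX_BODY_BYTES = 4096  # size check on the whole request before any parsing

# Constructed rule set for a hypothetical account-creation request.
RULES = {
    "username": {"type": str, "min_len": 3, "max_len": 32, "pattern": r"[a-z][a-z0-9_]*"},
    "age":      {"type": int, "min": 13, "max": 120},
    "email":    {"type": str, "max_len": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "roles":    {"type": list, "max_len": 5, "allowed": {"reader", "editor"}},
}


def validate(body, rules=RULES):
    """Return a list of error strings; an empty list means the input is accepted."""
    if len(body) > MAX_BODY_BYTES:
        return [f"body exceeds {MAX_BODY_BYTES} bytes"]
    try:
        payload = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]

    errors = []
    # Unknown fields are rejected: mass-assignment bugs start with accepting extras.
    for name in sorted(payload.keys() - rules.keys()):
        errors.append(f"{name}: unexpected field")
    for name, rule in rules.items():
        if name not in payload:
            errors.append(f"{name}: required")
            continue
        value = payload[name]
        # type() rather than isinstance(): bool is a subclass of int and
        # must not be accepted where an integer is expected.
        if type(value) is not rule["type"]:
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "min_len" in rule and len(value) < rule["min_len"]:
            errors.append(f"{name}: shorter than {rule['min_len']}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']}")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above {rule['max']}")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{name}: does not match required format")
        if "allowed" in rule:
            bad = [v for v in value if v not in rule["allowed"]]
            if bad:
                errors.append(f"{name}: disallowed values {bad}")
    return errors


# Constructed requests: one acceptable, one that fails every class of check.
GOOD = b'{"username": "alice_01", "age": 34, "email": "alice@example.com", "roles": ["reader"]}'
BAD = b'{"username": "Root!", "age": true, "email": "nope", "roles": ["admin"], "debug": 1}'

if __name__ == "__main__":
    print("good:", validate(GOOD) or "accepted")
    print("bad:", validate(BAD))
```

Using re.fullmatch rather than re.match is deliberate: match anchors only the start, so a pattern meant to constrain the whole value would accept trailing injection payloads.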

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping columns: ISO/IEC 27001:2005 Annex A controls

A.5.1.1 Information security policy document
A.5.1.2 Review of the information security policy
A.6.1.1 Management commitment to information security
A.6.1.2 Information security co-ordination
A.6.1.3 Allocation of information security responsibilities
A.6.1.4 Authorization process for information processing facilities
A.6.1.5 Confidentiality agreements
A.6.1.6 Contact with authorities
A.6.1.7 Contact with special interest groups
A.6.1.8 Independent review of information security
A.6.2.1 Identification of risks related to external parties
A.6.2.2 Addressing security when dealing with customers
A.6.2.3 Addressing security in third party agreements
A.7.1.1 Inventory of assets
A.7.1.2 Ownership of assets
A.7.1.3 Acceptable use of assets
A.7.2.1 Classification guidelines
A.7.2.2 Information labelling and handling
A.8.1.1 Roles and responsibilities
A.8.1.2 Screening
A.8.1.3 Terms and conditions of employment
A.8.2.1 Management responsibilities
A.8.2.2 Information security awareness, education and training
A.8.2.3 Disciplinary process
A.8.3.1 Termination responsibilities
A.8.3.2 Return of assets
A.8.3.3 Removal of access rights
A.9.1.1 Physical security perimeter
A.9.1.2 Physical entry controls
A.9.1.3 Securing offices, rooms and facilities
A.9.1.4 Protecting against external and environmental threats
A.9.1.5 Working in secure areas
A.9.1.6 Public access, delivery and loading areas
A.9.2.1 Equipment siting and protection
A.9.2.2 Supporting utilities
A.9.2.3 Cabling security
A.9.2.4 Equipment maintenance
A.9.2.5 Security of equipment off-premises
A.9.2.6 Secure disposal or re-use of equipment
A.9.2.7 Removal of property
A.10.1.1 Documented operating procedures
A.10.1.2 Change management
A.10.1.3 Segregation of duties
A.10.1.4 Separation of development, test and operational facilities
A.10.2.1 Service delivery
A.10.2.2 Monitoring and review of third party services
A.10.2.3 Managing changes to third party services
A.10.3.1 Capacity management
A.10.3.2 System acceptance
A.10.4.1 Controls against malicious code
A.10.4.2 Controls against mobile code
A.10.5.1 Information back-up
A.10.6.1 Network controls
A.10.6.2 Security of network services
A.10.7.1 Management of removable media
A.10.7.2 Disposal of media
A.10.7.3 Information handling procedures
A.10.7.4 Security of system documentation
A.10.8.1 Information exchange policies and procedures
A.10.8.2 Exchange agreements
A.10.8.3 Physical media in transit
A.10.8.4 Electronic messaging
A.10.8.5 Business information systems
A.10.9.1 Electronic commerce
A.10.9.2 On-line transactions
A.10.9.3 Publicly available information
A.10.10.1 Audit logging
A.10.10.2 Monitoring system use
A.10.10.3 Protection of log information
A.10.10.4 Administrator and operator logs
A.10.10.5 Fault logging
A.10.10.6 Clock synchronization
A.11.1.1 Access control policy
A.11.2.1 User registration
A.11.2.2 Privilege management
A.11.2.3 User password management
A.11.2.4 Review of user access rights
A.11.3.1 Password use
A.11.3.2 Unattended user equipment
A.11.3.3 Clear desk and clear screen policy
A.11.4.1 Policy on use of network services
A.11.4.2 User authentication for external connections
A.11.4.3 Equipment identification in networks
A.11.4.4 Remote diagnostic and configuration port protection
A.11.4.5 Segregation in networks
A.11.4.6 Network connection control
A.11.4.7 Network routing control
A.11.5.1 Secure log-on procedures
A.11.5.2 User identification and authentication
A.11.5.3 Password management system
A.11.5.4 Use of system utilities
A.11.5.5 Session time-out
A.11.5.6 Limitation of connection time
A.11.6.1 Information access restriction
A.11.6.2 Sensitive system isolation
A.11.7.1 Mobile computing and communications
A.11.7.2 Teleworking
A.12.1.1 Security requirements analysis and specification
A.12.2.1 Input data validation
A.12.2.2 Control of internal processing
A.12.2.3 Message integrity
A.12.2.4 Output data validation
A.12.3.1 Policy on the use of cryptographic controls
A.12.3.2 Key management
A.12.4.1 Control of operational software
A.12.4.2 Protection of system test data
A.12.4.3 Access control to program source code
A.12.5.1 Change control procedures
A.12.5.2 Technical review of applications after operating system changes
A.12.5.3 Restrictions on changes to software packages
A.12.5.4 Information leakage
A.12.5.5 Outsourced software development
A.12.6.1 Control of technical vulnerabilities
A.13.1.1 Reporting information security events
A.13.1.2 Reporting security weaknesses
A.13.2.1 Responsibilities and procedures
A.13.2.2 Learning from information security incidents
A.13.2.3 Collection of evidence
A.14.1.1 Including information security in the business continuity management process
A.14.1.2 Business continuity and risk assessment
A.14.1.3 Developing and implementing continuity plans including information security
A.14.1.4 Business continuity planning framework
A.14.1.5 Testing, maintaining and re-assessing business continuity plans
A.15.1.1 Identification of applicable legislation
A.15.1.2 Intellectual property rights (IPR)
A.15.1.3 Protection of organizational records
A.15.1.4 Data protection and privacy of personal information
A.15.1.5 Prevention of misuse of information processing facilities
A.15.1.6 Regulation of cryptographic controls
A.15.2.1 Compliance with security policies and standards
A.15.2.2 Technical compliance checking
A.15.3.1 Information systems audit controls
A.15.3.2 Protection of information systems audit tools
CIS Controls v7.1 mapped to IEC 62443-3-3:2013

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Critical Security Control #4: Controlled Use of Administrative Privileges
4.1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
4.4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
5.1 Maintain documented security configuration standards for all authorized operating systems and software.
5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2 Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7 On a regular basis, review logs to identify anomalies or abnormal events.
6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections
7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
8.5 Configure devices to not auto-run content from removable media.
8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
9.1 Associate active ports, services, and protocols to the hardware assets in the asset inventory.
9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
10.1 Ensure that all system data is automatically backed up on a regular basis.
10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
14.1 Segment the network based on the label or classification level of the information stored on the servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Columns: SR 1.1 Human user identification and authentication | SR 1.2 Software process and device identification and authentication | SR 1.3 Account management


X
X
X

X
X
X
X
X

X
X
X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
Columns: SR 1.4 Identifier management | SR 1.5 Authenticator management | SR 1.6 Wireless access management


X
X
X
X

X
X
X

X
X

X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
Columns: SR 1.7 Strength of password-based authentication | SR 1.8 Public key infrastructure (PKI) certificates | SR 1.9 Strength of public key authentication


X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
Columns: SR 1.10 Authenticator feedback | SR 1.11 Unsuccessful login attempts | SR 1.12 System use notification


X
X
X
X
X
X
X
X
X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
Columns: SR 1.13 Access via untrusted networks | SR 2.1 Authorisation enforcement | SR 2.2 Wireless use control


X

X
X

X
X

X
X

X
X
X
X

X
X
X

X
X

X X
X X
X X
X X
X X
X X

X X

X X
X X
X X
X X
X X
X X
Columns: SR 2.3 Use control for portable and mobile devices | SR 2.4 Mobile code | SR 2.5 Session lock


X
X
X

X
X

X
X
X
X
X
X
X

X
X
X
X
X
X
Columns: SR 2.6 Remote session termination | SR 2.7 Concurrent session control | SR 2.8 Auditable events


X
X
X
X
X
X
X
X
Columns: SR 2.9 Audit storage capacity | SR 2.10 Response to audit processing failures | SR 2.11 Timestamps


X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
Columns: SR 2.12 Non-repudiation | SR 3.1 Communication integrity | SR 3.2 Malicious code protection


X

X
X
X
X
X
X
X

X
X
X
X

X
X
Columns: SR 3.3 Security functionality verification | SR 3.4 Software and information integrity | SR 3.5 Input validation


X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X

X
X
X

X
Columns: SR 3.6 Deterministic output | SR 3.7 Error handling | SR 3.8 Session integrity


X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
Columns: SR 3.9 Protection of audit information | SR 4.1 Information confidentiality | SR 4.2 Information persistence


X
X
X
X
X
X
X
X
X

X
X

X
X
Columns: SR 4.3 Use of cryptography | SR 5.1 Network segmentation | SR 5.2 Zone boundary protection


X

X
X

X
X
X
X

X
X

X
X

X
X
Columns: SR 5.3 General purpose person-to-person communication restriction | SR 5.4 Application partitioning | SR 6.1 Audit log accessibility


X
X
X
X
X
X
X
X
X

X
X

X
X
Columns: SR 6.2 Continuous monitoring | SR 7.1 Denial of service protection | SR 7.2 Resource management


X
X
X
X
X
X
X
X
Columns: SR 7.3 Control system backup | SR 7.4 Control system recovery and reconstitution | SR 7.5 Emergency power


X X
X X
X X

X X

X X
Columns: SR 7.6 Network and security configuration settings | SR 7.7 Least functionality | SR 7.8 Control system component inventory


X
X
X

X
X

X
X
X

X
X
X

X
X

X
X
CIS Controls v7.1 mapped to NIST 800-171

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1: Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
System 1.2: Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
System 1.3: Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
System 1.4: Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
System 1.5: Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
System 1.6: Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
System 1.7: Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
System 1.8: Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1: Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
System 2.2: Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
System 2.3: Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
System 2.4: The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
System 2.5: The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
System 2.6: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
System 2.7: Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
System 2.8: The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
System 2.9: The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
System 2.10: Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1: Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
System 3.2: Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
System 3.3: Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
System 3.4: Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
System 3.5: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
System 3.6: Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
System 3.7: Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1: Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
System 4.2: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
System 4.3: Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
System 4.4: Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
System 4.5: Use multi-factor authentication and encrypted channels for all administrative account access.
System 4.6: Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
System 4.7: Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
System 4.8: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
System 4.9: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1: Maintain documented security configuration standards for all authorized operating systems and software.
System 5.2: Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
System 5.3: Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
System 5.4: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
System 5.5: Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
System 6.2: Ensure that local logging has been enabled on all systems and networking devices.
System 6.3: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
System 6.4: Ensure that all systems that store logs have adequate storage space for the logs generated.
System 6.5: Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
System 6.6: Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
System 6.7: On a regular basis, review logs to identify anomalies or abnormal events.
System 6.8: On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

Critical Security Control #7: Email and Web Browser Protections
System 7.1: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
System 7.2: Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
System 7.3: Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
System 7.4: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
System 7.5: Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
System 7.6: Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
System 7.7: Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
System 7.8: To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
System 7.9: Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
System 7.10: Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses
System 8.1: Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
System 8.2: Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
System 8.3: Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
System 8.4: Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
System 8.5: Configure devices to not auto-run content from removable media.
System 8.6: Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
System 8.7: Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
System 8.8: Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1: Associate active ports, services, and protocols to the hardware assets in the asset inventory.
System 9.2: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
System 9.3: Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
System 9.4: Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
System 9.5: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities
System 10.1: Ensure that all system data is automatically backed up on a regular basis.
System 10.2: Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
System 10.3: Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
System 10.4: Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
System 10.5: Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1: Maintain documented security configuration standards for all authorized network devices.
Network 11.2: All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Network 11.3: Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Network 11.4: Install the latest stable version of any security-related updates on all network devices.
Network 11.5: Manage all network devices using multi-factor authentication and encrypted sessions.
Network 11.6: Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Network 11.7: Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense
Network 12.1: Maintain an up-to-date inventory of all of the organization's network boundaries.
Network 12.2: Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Network 12.3: Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Network 12.4: Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Network 12.5: Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Network 12.6: Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Network 12.7: Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Network 12.8: Enable the collection of NetFlow and logging data on all network boundary devices.
Network 12.9: Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Network 12.10: Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Network 12.11: Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Network 12.12: Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

Critical Security Control #13: Data Protection
Network 13.1: Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Network 13.2: Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Network 13.3: Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
Network 13.4: Only allow access to authorized cloud storage or email providers.
Network 13.5: Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Network 13.6: Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
Network 13.7: If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Network 13.8: Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
Network 13.9: If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1: Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Application 14.2: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Application 14.3: Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Application 14.4: Encrypt all sensitive information in transit.
Application 14.5: Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Application 14.6: Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Application 14.7: Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Application 14.8: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Application 14.9: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control
Network 15.1: Maintain an inventory of authorized wireless access points connected to the wired network.
Network 15.2: Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Network 15.3: Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Network 15.4: Disable wireless access on devices that do not have a business purpose for wireless access.
Network 15.5: Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
Network 15.6: Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Network 15.7: Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Network 15.8: Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Network 15.9: Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Network 15.10: Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control
Application 16.1: Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Application 16.2: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Application 16.3: Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Application 16.4: Encrypt or hash with a salt all authentication credentials when stored.
Application 16.5: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Application 16.6: Maintain an inventory of all accounts organized by authentication system.
Application 16.7: Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Application 16.8: Disable any account that cannot be associated with a business process or business owner.
Application 16.9: Automatically disable dormant accounts after a set period of inactivity.
Application 16.10: Ensure that all accounts have an expiration date that is monitored and enforced.
Application 16.11: Automatically lock workstation sessions after a standard period of inactivity.
Application 16.12: Monitor attempts to access deactivated accounts through audit logging.
Application 16.13: Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1: Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Application 17.2: Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Application 17.3: Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Application 17.4: Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Application 17.5: Train workforce members on the importance of enabling and utilizing secure authentication.
Application 17.6: Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Application 17.7: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Application 17.8: Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Application 17.9: Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

Critical Security Control #18: Application Software Security
Application 18.1: Establish secure coding practices appropriate to the programming language and development environment being used.
Application 18.2: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Application 18.3: Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Application 18.4: Only use up-to-date and trusted third-party components for the software developed by the organization.
Application 18.5: Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Application 18.6: Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Application 18.7: Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Application 18.8: Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Application 18.9: Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Application 18.10: Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
Application 18.11: For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management
Application 19.1: Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Application 19.2: Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Application 19.3: Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Application 19.4: Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Application 19.5: Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Application 19.6: Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Application 19.7: Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Application 19.8: Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1: Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Application 20.2: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Application 20.3: Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Application 20.4: Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Application 20.5: Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Application 20.6: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Application 20.7: Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Application 20.8: Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
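As an added example (not code from the AuditScripts mapping tool or from CIS), the following Python script shows how sub-controls 1.3, 1.5 and 1.6 fit together in practice: DHCPACK lines in ISC dhcpd syslog format are parsed and reconciled against a hardware asset inventory, approved assets get their network address refreshed, and unknown or unapproved hardware addresses are reported for quarantine or inventory update. The inventory records, log lines, MAC addresses and the Asset field names are all constructed for the example.

```python
"""Hardware asset inventory reconciliation from DHCP server logs.

Added example for CIS sub-controls 1.3, 1.5 and 1.6; not part of the
AuditScripts mapping tool. All log lines and inventory records are constructed.
"""
import copy
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# DHCPACK line in ISC dhcpd syslog format: "DHCPACK on <ip> to <mac> (<hostname>) via <iface>".
# The hostname in parentheses is optional, since not every client sends one.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Asset:
    """One inventory record carrying the fields sub-control 1.5 asks for (constructed schema)."""
    mac: str             # hardware address
    machine_name: str
    owner: str           # data asset owner
    department: str
    approved: bool       # approved to connect to the network?
    ip: Optional[str] = None          # network address, refreshed from DHCP
    last_seen: Optional[str] = None   # syslog timestamp of the last DHCPACK


@dataclass
class ReconcileResult:
    updated: List[str] = field(default_factory=list)     # approved assets refreshed
    unapproved: List[str] = field(default_factory=list)  # in inventory, not approved to connect
    unknown: List[str] = field(default_factory=list)     # not in inventory: quarantine candidates


def parse_dhcpack(line: str) -> Optional[dict]:
    """Return ts/ip/mac/name/iface from a DHCPACK syslog line, or None for any other line."""
    m = DHCPACK_RE.search(line)
    if m is None:
        return None
    return {
        "ts": line[:15],              # syslog "Mmm dd HH:MM:SS" prefix
        "ip": m["ip"],
        "mac": m["mac"].lower(),      # normalise so inventory lookups are case-insensitive
        "name": m["name"] or "",
        "iface": m["iface"],
    }


def reconcile(inventory: Dict[str, Asset], log_lines: Iterable[str]) -> ReconcileResult:
    """Apply DHCP lease activity to the inventory (1.3) and classify each hardware address (1.6).

    Unknown MACs are added as unapproved placeholder records so the inventory is updated in a
    timely manner; the caller decides whether to quarantine the device or approve the record.
    """
    result = ReconcileResult()
    reported = set()  # report each MAC once even if it appears in several DHCPACK lines
    for line in log_lines:
        rec = parse_dhcpack(line)
        if rec is None:
            continue
        mac = rec["mac"]
        asset = inventory.get(mac)
        if asset is None:
            inventory[mac] = Asset(mac, rec["name"], "UNASSIGNED", "UNASSIGNED", False,
                                   rec["ip"], rec["ts"])
            bucket = result.unknown
        else:
            asset.ip, asset.last_seen = rec["ip"], rec["ts"]
            bucket = result.updated if asset.approved else result.unapproved
        if mac not in reported:
            reported.add(mac)
            bucket.append(mac)
    return result


# Constructed sample inventory and dhcpd log excerpt.
SAMPLE_INVENTORY = {
    "aa:bb:cc:00:00:01": Asset("aa:bb:cc:00:00:01", "fin-laptop-01", "j.doe", "Finance", True),
    "aa:bb:cc:00:00:02": Asset("aa:bb:cc:00:00:02", "lab-printer", "it-ops", "IT", False),
}
SAMPLE_LOG = [
    "Mar  1 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.0.20.15 to AA:BB:CC:00:00:01 (fin-laptop-01) via eth0",
    "Mar  1 09:12:05 dhcp1 dhcpd[812]: DHCPDISCOVER from aa:bb:cc:00:00:03 via eth0",
    "Mar  1 09:12:06 dhcp1 dhcpd[812]: DHCPACK on 10.0.20.77 to aa:bb:cc:00:00:03 via eth0",
    "Mar  1 09:13:40 dhcp1 dhcpd[812]: DHCPACK on 10.0.20.30 to aa:bb:cc:00:00:02 (lab-printer) via eth0",
    "Mar  1 09:15:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.20.15 to aa:bb:cc:00:00:01 (fin-laptop-01) via eth0",
]


def run_sample():
    """Reconcile the constructed log against a copy of the sample inventory."""
    inventory = copy.deepcopy(SAMPLE_INVENTORY)
    return reconcile(inventory, SAMPLE_LOG), inventory


if __name__ == "__main__":
    res, inv = run_sample()
    print("refreshed approved assets :", res.updated)
    print("unapproved assets online  :", res.unapproved)
    print("unknown MACs (quarantine) :", res.unknown)
    for mac in res.unknown:
        print("  placeholder record added:", inv[mac])
```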
Master Mappings Tool (v7.1c)

3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | 3.1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity. | 3.1.11 Terminate (automatically) a user session after a defined condition.


, Routers and Switches
X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
Employ cryptographic
Monitor and control mechanisms to protect Route remote access
remote access sessions. the confidentiality of via managed access
remote access sessions. control points.

3.1.12 3.1.13 3.1.14


X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X
X X X

X X X

X X X

X X X
Authorize remote
execution of privileged Authorize wireless Protect wireless access
commands and remote access prior to allowing using authentication
access to security- such connections. and encryption.
relevant information.

3.1.15 3.1.16 3.1.17


X

X
X

X
X X
X X
X X
X X

X X
X X
X X

X X

X X
X X
Limit information
system access to the
Control connection of Encrypt CUI on mobile types of transactions
mobile devices. devices. and functions that
authorized users are
permitted to execute.

3.1.18 3.1.19 3.1.2


X

X
X

X
X
X
X

X
X

X
X
X

X
Limit use of
Verify and control/limit Control information
connections to and use organizational portable posted or processed on
of external information storage devices on publicly accessible
systems. external information information systems.
systems.

3.1.20 3.1.21 3.1.22


X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X
X X X

X X X

X X X

X X X

X
X
X
X

X
X
Separate the duties of Employ the principle of
Control the flow of CUI
in accordance with individuals to reduce least privilege, including
approved the risk of malevolent for specific security
authorizations. activity without functions and privileged
collusion. accounts.

3.1.3 3.1.4 3.1.5


X
X

X
X
X

X
X
X
X

X
X

X X

X X

X X
X X
X X

X X

X X

X X

X X
Prevent non-privileged
Use non-privileged
accounts or roles when users from executing Limit unsuccessful
accessing nonsecurity privileged functions and logon attempts.
functions. audit the execution of
such functions.

3.1.6 3.1.7 3.1.8


X X
X X

X X
X X
X X

X X

X X
X X
X X
X
X
X
X
X
X

X
X
X
X
X
X
Limit physical access to
organizational Protect and monitor
Provide privacy and
security notices information systems, the physical facility and
consistent with equipment, and the support infrastructure
applicable CUI rules. respective operating for those information
environments to systems.
authorized individuals.

3.1.9 3.10.1 3.10.2


Escort visitors and Maintain audit logs of Control and manage
monitor visitor activity. physical access. physical access devices.

3.10.3 3.10.4 3.10.5


Periodically assess the
risk to organizational
operations (including
mission, functions, Scan for vulnerabilities
image, or reputation), in the information
Enforce safeguarding organizational assets,
measures for CUI at and individuals, system and applications
alternate work sites resulting from the periodically and when
(e.g., telework sites). operation of new vulnerabilities
affecting the system are
organizational identified.
information systems
and the associated
processing, storage, or
transmission of CUI.

3.10.6 3.11.1 3.11.2


X

X
X
X
X
Periodically assess the Develop and implement
security controls in plans of action designed
Remediate
vulnerabilities in organizational to correct deficiencies
accordance with information systems to and reduce or eliminate
assessments of risk. determine if the vulnerabilities in
controls are effective in organizational
their application. information systems.

3.11.3 3.12.1 3.12.2


X X

X X

X X

X X
X X
X X
X X
Monitor, control, and
protect organizational
communications (i.e.,
Monitor information information Establish and manage
system security
controls on an ongoing transmitted or received cryptographic keys for
basis to ensure the by organizational cryptography employed
continued effectiveness information systems) at in the information
the external boundaries system;
of the controls. and key internal
boundaries of the
information systems.

3.12.3 3.13.1 3.13.10


X

X
X

X
Prohibit remote
activation of
Employ FIPS-validated
cryptography when collaborative Control and monitor
used to protect the computing devices and the use of mobile code.
confidentiality of CUI. provide indication of
devices in use to users
present at the device.

3.13.11 3.13.12 3.13.13


X X

X X

X X

X X

X X

X X

X X

X X
X X

X X

X X

X X
Control and monitor
the use of Voice over Protect the authenticity Protect the
Internet Protocol (VoIP) of communications confidentiality of CUI at
technologies. sessions. rest.

3.13.14 3.13.15 3.13.16


X

X
X

X
X
X
X

X
X
Employ architectural
designs, software
development Separate user Prevent unauthorized
techniques, and
systems engineering functionality from and unintended
principles that promote information system information transfer via
effective information management shared system
functionality. resources.
security within
organizational
information systems.

3.13.2 3.13.3 3.13.4


X
X

X
X
X

X
X
X
X

X
X
X

X
Prevent remote devices
Implement Deny network from simultaneously
subnetworks for communications traffic establishing non-
by default and allow remote connections
publicly accessible network with the information
system components communications traffic system and
that are physically or by exception (i.e., deny communicating via
logically separated from
internal networks. all, permit by some other connection
exception). to resources in external
networks.

3.13.5 3.13.6 3.13.7


X X

X X

X X

X X

X X

X X

X X

X X
X X

X X

X X

X X

X X

X X

X X
X X
X X

X X

X X

X X

X X
Implement
cryptographic Terminate network
mechanisms to prevent connections associated Identify, report, and
unauthorized disclosure with communications correct information and
of CUI during sessions at the end of information system
transmission unless the sessions or after a flaws in a timely
otherwise protected by defined period of manner.
alternative physical inactivity.
safeguards.

3.13.8 3.13.9 3.14.1


X

X
X
X
X
X

X
X

X
X
X
X
X
X
X

X
X
X
X
X
X
Provide protection from Monitor information
Update malicious code
malicious code at system security alerts protection mechanisms
appropriate locations and advisories and take when new releases are
within organizational appropriate actions in available.
information systems. response.

3.14.2 3.14.3 3.14.4


X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
Perform periodic scans Monitor the
of the information information system
including inbound and
system and real-time outbound Identify unauthorized
scans of files from communications traffic, use of the information
external sources as files to detect attacks and system.
are downloaded,
opened, or executed. indicators of potential
attacks.

3.14.5 3.14.6 3.14.7


X
X
X
X
X
X
X
X

X X
X X

X X

X X
X X
X X
X X
X X
Ensure that managers,
systems administrators,
and users of
organizational Ensure that
information systems organizational Provide security
are made aware of the personnel are awareness training on
security risks associated adequately trained to recognizing and
with their activities and carry out their assigned reporting potential
of the applicable information security- indicators of insider
policies, standards, and related duties and threat.
procedures related to responsibilities.
the security of
organizational
information systems.

3.2.1 3.2.2 3.2.3


X X
X X

X X

X X

X X
X X
X X

X X

X X
Create, protect, and
retain information
system audit records to Ensure that the actions
the extent needed to of individual
information system
enable the monitoring, users can be uniquely Review and update
analysis, investigation, traced to those users so audited events.
and reporting of they can be held
unlawful, unauthorized,
or inappropriate accountable for their
information system actions.
activity.

3.3.1 3.3.2 3.3.3


X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
Use automated
mechanisms to
integrate and correlate
audit review, analysis, Provide audit reduction
Alert in the event of an and reporting processes and report generation
audit process failure. for investigation and to support on-demand
response to indications analysis and reporting.
of inappropriate,
suspicious, or unusual
activity.

3.3.4 3.3.5 3.3.6


X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
Provide an information
system capability that Protect audit
compares and information and audit Limit management of
synchronizes internal tools from audit functionality to a
system clocks with an unauthorized access, subset of privileged
authoritative source to modification, and users.
generate time stamps deletion.
for audit records.

3.3.7 3.3.8 3.3.9


X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
Establish and maintain
baseline configurations
and inventories of Establish and enforce
organizational security configuration
Track, review,
information systems settings for information approve/disapprove,
(including hardware, technology products and audit changes to
software, firmware, and employed in information systems.
documentation) organizational
throughout the information systems.
respective system
development life cycles.

3.4.1 3.4.2 3.4.3


X X X

X X X

X X X

X X X

X X X
X X X
X X X

X X X
X X X
X X X

X X X

X X X
Define, document,
approve, and enforce Employ the principle of
least functionality by
Analyze the security physical and logical configuring the
impact of changes prior access restrictions information system to
to implementation. associated with provide only essential
changes to the
information system. capabilities.

3.4.4 3.4.5 3.4.6


X X
X X

X X
X X
X X

X X

X X
X X
X X
Apply deny-by-
exception (blacklist)
Restrict, disable, and policy to prevent the
prevent the use of use of unauthorized Control and monitor
nonessential programs, software or deny-all, user-installed software.
functions, ports, permit-by-exception
protocols, and services. (whitelisting) policy to
allow the execution of
authorized software.

3.4.7 3.4.8 3.4.9


X X

X X

X X
X X
X X
X X
X X

X X

X X
X X
X
X
X
X
X
Identify information Store and transmit only
system users, processes encrypted Obscure feedback of
acting on behalf of representation of authentication
users, or devices. passwords. information.

3.5.1 3.5.10 3.5.11


X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
Authenticate (or verify) Use multifactor
the identities of those authentication for local Employ replay-resistant
authentication
users, processes, or and network access to mechanisms for
devices, as a privileged accounts and network access to
prerequisite to allowing for network access to privileged and non-
access to organizational non-privileged
information systems. accounts. privileged accounts.

3.5.2 3.5.3 3.5.4


X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
Enforce a minimum
Prevent reuse of Disable identifiers after password complexity
identifiers for a defined a defined period of and change of
period. inactivity. characters when new
passwords are created.

3.5.5 3.5.6 3.5.7


X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
Establish an operational
incident-handling
Allow temporary capability for
organizational
Prohibit password password use for information systems
reuse for a specified system logons with an that includes adequate
number of generations. immediate change to a preparation, detection,
permanent password.
analysis, containment,
recovery, and user
response activities.

3.5.8 3.5.9 3.6.1


X X
X X
X X
X X
X X
X X

X X

X X
X X
X X
X X
X X
X X
X

X
X

X
Track, document, and
report incidents to
appropriate officials Test the organizational Perform maintenance
and/or authorities both incident response on organizational
internal and external to capability. information systems.
the organization.

3.6.2 3.6.3 3.7.1


X
X

X
X
X

X
X
X
X X

X X

X X

X X

X X
X X

X X

X X
Provide effective
controls on the tools, Check media containing
Ensure equipment diagnostic and test
techniques, removed for off-site programs for malicious
mechanisms, and maintenance is code before the media
personnel used to sanitized of any CUI. are used in the
conduct information
system maintenance. information system.

3.7.2 3.7.3 3.7.4


X
X

X
X
X

X
X
X
X
X

X
X
X
X
X
Require multifactor
authentication to
establish nonlocal Supervise the Protect (i.e., physically
maintenance sessions maintenance activities control and securely
via external network of maintenance store) information
connections and personnel without system media
terminate such required access containing CUI, both
connections when authorization. paper and digital.
nonlocal maintenance
is complete.

3.7.5 3.7.6 3.8.1


X X
X X

X X
X X
X X

X X

X X
X X
X X
X X
X X

X X
X X
X X

X X

X X
Sanitize or destroy
Limit access to CUI on Mark media with
information system information system necessary CUI markings
media to authorized media containing CUI and distribution
users. before disposal or limitations.
release for reuse.

3.8.2 3.8.3 3.8.4


X

X
X
X

X
Implement
cryptographic
Control access to media mechanisms to protect
containing CUI and the confidentiality of Control the use of
maintain accountability CUI stored on digital removable media on
for media during media during transport information system
transport outside of unless otherwise components.
controlled areas. protected by
alternative physical
safeguards.

3.8.5 3.8.6 3.8.7


X

X
X
X
X

X
X

X X

X X

X X
X X
X X

X X

X X

X X

X X
Prohibit the use of
Protect the Screen individuals prior
portable storage confidentiality of to authorizing access to
devices when such backup CUI at storage information systems
devices have no locations. containing CUI.
identifiable owner.

3.8.8 3.8.9 3.9.1


X
X
X

X
X

X
X
X
X

X
X
Ensure that CUI and
information systems
containing CUI are
protected during and
after personnel actions
such as terminations
and transfers.

3.9.2
X
X
X
X
X
X

X
X
X
X
X
X
CIS Controls v7.1 mapped to the NSA's MNT

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
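Sub-controls 1.3 through 1.6 describe one loop: take DHCP lease events, update the hardware inventory fields listed in 1.5, and surface anything that connected without approval. The following is an added example, not part of the AuditScripts mapping or any CIS tooling; the dhcpd syslog lines, the inventory records and the field names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed ISC dhcpd syslog excerpt (sample data, not from the page or a real server).
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.23 to 00:11:22:33:44:55 (ws-alice) via eth0
Mar  3 09:12:44 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.57 to 00:11:22:33:44:66 (printer-2f) via eth0
Mar  3 09:13:10 dhcp1 dhcpd[812]: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
Mar  3 09:13:11 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.99 to de:ad:be:ef:00:01 via eth0
Mar  3 09:14:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.23 to 00:11:22:33:44:55 (ws-alice) via eth0
"""

# Only DHCPACK lines prove a lease was granted; the hostname in parentheses is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class Asset:
    """One hardware inventory record carrying the fields sub-control 1.5 asks for."""
    mac: str
    ip: str = ""
    name: str = ""
    owner: str = ""
    department: str = ""
    approved: bool = False
    last_seen: str = ""


def parse_acks(log_text):
    """Yield (timestamp, ip, mac, hostname) for each DHCPACK line; other DHCP messages are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield line[:15], m["ip"], m["mac"].lower(), m["name"] or ""


def update_inventory(inventory, log_text):
    """Apply DHCP ACKs to the inventory and return MACs seen on the network that are not approved."""
    unapproved = []
    for ts, ip, mac, name in parse_acks(log_text):
        asset = inventory.setdefault(mac, Asset(mac=mac))  # unknown device: create a record to review
        asset.ip, asset.last_seen = ip, ts
        if name:
            asset.name = name
        if not asset.approved and mac not in unapproved:
            unapproved.append(mac)
    return unapproved


def build_sample_inventory():
    """Two approved assets with owner and department filled in (constructed data)."""
    return {
        "00:11:22:33:44:55": Asset("00:11:22:33:44:55", name="ws-alice", owner="alice",
                                   department="Engineering", approved=True),
        "00:11:22:33:44:66": Asset("00:11:22:33:44:66", name="printer-2f", owner="facilities",
                                   department="Facilities", approved=True),
    }


if __name__ == "__main__":
    inv = build_sample_inventory()
    for mac in update_inventory(inv, SAMPLE_DHCP_LOG):
        a = inv[mac]
        print(f"UNAPPROVED {mac} ip={a.ip} name={a.name or '?'} last_seen={a.last_seen}")
```

The unapproved list is the input to sub-control 1.6: each entry is either quarantined (for example by moving the port or MAC to a remediation VLAN) or its inventory record is completed and marked approved. Feeding the same list into the 802.1x policy of 1.7 closes the loop, since devices absent from the inventory never authenticate in the first place.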
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
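Sub-controls 3.6 and 3.7 together define the remediation tracking job: diff consecutive scan exports, carry the first-seen date of each finding forward, and rank open findings by how far past their risk-rated deadline they are. The example below is added here and is not code from the AuditScripts tool or a scanner vendor; the scan exports, the first-seen dates and the SLA days per severity are constructed assumptions, and the finding identifiers are real CVE numbers used only as labels.

```python
from datetime import date

# Severity -> days allowed to remediate (assumed policy values, not from the page).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed scan exports, keyed (host, finding id) -> severity, for two consecutive runs.
SCAN_PREV = {
    ("10.0.1.23", "CVE-2021-44228"): "critical",
    ("10.0.1.23", "CVE-2019-0708"): "critical",
    ("10.0.1.57", "CVE-2020-1472"): "critical",
    ("10.0.1.57", "ssl-weak-ciphers"): "medium",
}
SCAN_CURR = {
    ("10.0.1.23", "CVE-2021-44228"): "critical",
    ("10.0.1.57", "CVE-2020-1472"): "critical",
    ("10.0.1.57", "ssl-weak-ciphers"): "medium",
    ("10.0.1.99", "CVE-2024-3094"): "critical",
}
# Date each finding was first reported, carried between runs (constructed).
FIRST_SEEN = {
    ("10.0.1.23", "CVE-2021-44228"): date(2024, 2, 1),
    ("10.0.1.23", "CVE-2019-0708"): date(2024, 3, 1),
    ("10.0.1.57", "CVE-2020-1472"): date(2024, 3, 1),
    ("10.0.1.57", "ssl-weak-ciphers"): date(2024, 3, 1),
}


def diff_scans(prev, curr):
    """Set difference of finding keys: what was fixed, what is new, what is still open."""
    p, c = set(prev), set(curr)
    return {"remediated": sorted(p - c), "new": sorted(c - p), "persisting": sorted(p & c)}


def track_first_seen(first_seen, curr, today):
    """Keep the original date for open findings, stamp today on new ones, drop closed ones."""
    return {k: first_seen.get(k, today) for k in curr}


def overdue(curr, first_seen, today):
    """Open findings older than the SLA for their severity, oldest first: the remediation queue."""
    out = []
    for key, sev in curr.items():
        age = (today - first_seen.get(key, today)).days
        if age > SLA_DAYS[sev]:
            out.append((key, sev, age))
    return sorted(out, key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    today = date(2024, 3, 15)
    delta = diff_scans(SCAN_PREV, SCAN_CURR)
    seen = track_first_seen(FIRST_SEEN, SCAN_CURR, today)
    for bucket in ("remediated", "new", "persisting"):
        print(bucket, delta[bucket])
    for (host, vuln), sev, age in overdue(SCAN_CURR, seen, today):
        print(f"OVERDUE {host} {vuln} {sev} open {age}d (sla {SLA_DAYS[sev]}d)")
```

A finding that reappears after being reported as remediated gets a fresh first-seen date, which is correct for a regression but hides flapping; comparing against more than the immediately preceding run catches that case.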

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
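Sub-controls 4.8 and 4.9 are two detection rules over the Windows Security log: a membership change on a group that confers administrative rights, and a failed logon against an account in the administrative inventory of 4.1. The following is an added example of that logic, not code from the mapping tool or from Microsoft; the events are constructed dicts reduced to the fields the rules read, and the group and account lists are assumptions to be replaced with the organization's own.

```python
# Group names that confer administrative rights (assumed set; extend from the 4.1 inventory).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
# Administrative accounts from the 4.1 inventory (constructed).
ADMIN_ACCOUNTS = {"CORP\\adm-alice", "CORP\\adm-bob"}

# Windows Security event IDs: member added to / removed from a security-enabled
# local (4732/4733), global (4728/4729) or universal (4756/4757) group; failed logon (4625).
GROUP_ADD = {4728, 4732, 4756}
GROUP_REMOVE = {4729, 4733, 4757}
FAILED_LOGON = 4625

# Constructed Security log events (not real logs), limited to the fields the rules need.
EVENTS = [
    {"EventID": 4732, "Computer": "FS01", "SubjectUserName": "adm-bob",
     "TargetUserName": "Administrators", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=test"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "adm-bob",
     "TargetUserName": "Domain Admins", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=test"},
    {"EventID": 4732, "Computer": "WS07", "SubjectUserName": "jdoe",
     "TargetUserName": "Remote Desktop Users", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=test"},
    {"EventID": 4625, "Computer": "DC01", "TargetDomainName": "CORP",
     "TargetUserName": "adm-alice", "IpAddress": "10.0.1.99", "Status": "0xC000006D"},
    {"EventID": 4625, "Computer": "DC01", "TargetDomainName": "CORP",
     "TargetUserName": "jdoe", "IpAddress": "10.0.1.23", "Status": "0xC000006D"},
    {"EventID": 4729, "Computer": "DC01", "SubjectUserName": "adm-bob",
     "TargetUserName": "Domain Admins", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=test"},
]


def member_cn(dn):
    """'CN=jdoe,OU=Users,...' -> 'jdoe'; MemberName is a distinguished name in these events."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def detect(events):
    """Return (rule, message) alerts for admin-group membership changes and admin logon failures."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if eid in GROUP_ADD or eid in GROUP_REMOVE:
            group = e.get("TargetUserName", "")
            if group not in ADMIN_GROUPS:
                continue  # 4.8 is about groups assigned administrative privileges only
            action = "added to" if eid in GROUP_ADD else "removed from"
            alerts.append(("admin-group-change",
                           f"{member_cn(e['MemberName'])} {action} {group} "
                           f"by {e['SubjectUserName']} on {e['Computer']}"))
        elif eid == FAILED_LOGON:
            account = f"{e.get('TargetDomainName', '')}\\{e.get('TargetUserName', '')}"
            if account in ADMIN_ACCOUNTS:  # 4.9: every failure on an admin account is alerted
                alerts.append(("admin-logon-failure",
                               f"failed logon for {account} from {e.get('IpAddress', '?')} "
                               f"on {e['Computer']} status={e.get('Status', '?')}"))
    return alerts


if __name__ == "__main__":
    for rule, msg in detect(EVENTS):
        print(rule, msg)
```

Removals are alerted as well as additions: an attacker who adds an account, uses it and removes it leaves the removal as the only trace if the addition was missed. Matching admin accounts on DOMAIN\name rather than name alone avoids a local account named like a domain administrator passing the rule.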
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
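Whether SPF, DKIM and DMARC are actually enforcing, rather than merely published, comes down to a few tag values in three DNS TXT records. The checker below is an added example and not part of the mapping tool; it works over a constructed dictionary of TXT records so it runs offline, and the domain names, selector and key material are placeholders. Replacing the dictionary lookup with a live query (for instance dnspython's `dns.resolver.resolve(name, "TXT")`) turns it into a real audit. It treats any SPF terminal other than `-all` and any DMARC policy other than quarantine/reject as a finding.

```python
# Constructed DNS TXT data keyed by owner name (no real lookups are performed here).
DNS_TXT = {
    "example.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"],
    "s1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A-constructed-truncated"],
    "weak.test": ["v=spf1 include:_spf.mailprovider.test +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
}


def parse_tags(record):
    """'v=DMARC1; p=reject; rua=...' -> {'v': 'DMARC1', 'p': 'reject', 'rua': '...'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(domain, txt):
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record (receivers treat this as permerror)"]
    last = spf[0].split()[-1].lower()
    if last in ("all", "+all"):
        return ["SPF: '+all' authorizes every sender"]
    if last == "?all":
        return ["SPF: '?all' is neutral; nothing fails"]
    if last == "~all":
        return ["SPF: '~all' only softfails; enforcement depends on DMARC"]
    if last != "-all":
        return ["SPF: no terminal 'all' mechanism"]
    return []


def check_dmarc(domain, txt):
    recs = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return [f"DMARC: no record at _dmarc.{domain}"]
    tags = parse_tags(recs[0])
    findings = []
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif p not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def check_dkim(domain, selector, txt):
    recs = txt.get(f"{selector}._domainkey.{domain}", [])
    if not recs:
        return [f"DKIM: no key record for selector {selector}"]
    if not parse_tags(recs[0]).get("p"):
        return [f"DKIM: selector {selector} has an empty p= (key revoked)"]
    return []


def check_domain(domain, txt, selectors=()):
    """All findings for one sending domain; an empty list means SPF, DMARC and DKIM look enforcing."""
    findings = check_spf(domain, txt) + check_dmarc(domain, txt)
    for sel in selectors:
        findings += check_dkim(domain, sel, txt)
    return findings


if __name__ == "__main__":
    for d in ("example.test", "weak.test"):
        print(d, check_domain(d, DNS_TXT, ["s1"]) or "OK")
```

The DKIM check needs the selector names in use, which DNS does not enumerate; take them from the mail gateway configuration or from the `s=` tag of a signed message's DKIM-Signature header.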
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
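Sub-controls 9.1 through 9.3 reduce to comparing what a host is actually listening on against the (port, process) pairs recorded for it in the asset inventory. The example below is added here, not part of the mapping tool; it parses constructed `ss -Hltnp`-style output rather than running the command, and the host name and its authorized set are assumptions.

```python
import re

# Constructed `ss -Hltnp` output (not captured from a real host).
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6),("nginx",pid=1202,fd=6))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=977,fd=5))
LISTEN 0 50 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=31337,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
"""

# Authorized (port, process) pairs per host, as recorded against the asset in the inventory (constructed).
AUTHORIZED = {"web01": {(22, "sshd"), (443, "nginx"), (5432, "postgres")}}

# First process name in the users:(("name",pid=N,fd=M),...) column.
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_text):
    """Return a set of (port, process, bind_address) tuples from ss -Hltnp output."""
    found = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # handles both 0.0.0.0:22 and [::]:22
        m = PROC_RE.search(line)
        found.add((int(port), m.group(1) if m else "?", addr))
    return found


def unauthorized_listeners(host, ss_text, authorized=AUTHORIZED):
    """Listeners on host that are not in its authorized set, sorted by port.

    Loopback-only binds are not exempted: a service that should not exist at all is still
    a finding even if it is not reachable from the network yet.
    """
    allowed = authorized.get(host, set())
    return sorted(t for t in parse_listeners(ss_text) if (t[0], t[1]) not in allowed)


if __name__ == "__main__":
    for port, proc, addr in unauthorized_listeners("web01", SS_OUTPUT):
        print(f"ALERT web01: unauthorized listener {proc} on {addr}:{port}")
```

Keying the comparison on process name as well as port catches the case where an attacker's tool takes over an authorized port number; a host missing from the inventory gets every listener flagged, which is the right default for 9.1.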
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.

Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.

Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).

Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control

Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.

Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.

Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control

Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.

Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.

Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.

Critical Security Control #17: Implement a Security Awareness and Training Program

Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

Deliver training to address the skills gap identified to positively impact workforce members' security behavior.

Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.

Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.

Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

Critical Security Control #18: Application Software Security

Establish secure coding practices appropriate to the programming language and development environment being used.

For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management

Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.

Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises

Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.

Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.

Master Mappings Tool (v7.1c)

Mapping matrix (the "X" cell marks cannot be tied back to their rows in this extraction and are omitted). Column headings: Milestone 1 (Prepare to Document); Milestone 2 (Map your Network); Milestone 3 (Network Architecture); Milestone 4 (Device Accessibility); Milestone 5 (User Access); Milestone 6 (Patch Management); Milestone 7 (Baseline Management); Milestone 8 (Document your Network); Backup Strategy; Incident Response and Disaster Recovery Plans; Security Policy; Training; Executable Content Restrictions; Virus Scanners and Host Intrusion Prevention Systems; Personal Electronic Device Management; Data-At-Rest Protection; Network Access Control; Security Gateways, Proxies, and Firewalls; Remote Access Security; Network Security Monitoring; Log Management; Configuration and Change Management; Audit Strategy.

CIS Controls v7.1 mapped to DHS Chemical Facility Anti-Terrorism Standards

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, System 1.2, System 1.3, System 1.4, System 1.5, System 1.6, System 1.7, System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, System 2.2, System 2.3, System 2.4, System 2.5, System 2.6, System 2.7, System 2.8, System 2.9, System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, System 3.2, System 3.3, System 3.4, System 3.5, System 3.6, System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, System 4.2, System 4.3, System 4.4, System 4.5, System 4.6, System 4.7, System 4.8, System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, System 5.2, System 5.3, System 5.4, System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, System 6.2, System 6.3, System 6.4, System 6.5, System 6.6, System 6.7, System 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, System 7.2, System 7.3, System 7.4, System 7.5, System 7.6, System 7.7, System 7.8, System 7.9, System 7.10

Critical Security Control #8: Malware Defenses
System 8.1, System 8.2, System 8.3, System 8.4, System 8.5, System 8.6, System 8.7, System 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, System 9.2, System 9.3, System 9.4, System 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, System 10.2, System 10.3, System 10.4, System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, Network 11.2, Network 11.3, Network 11.4, Network 11.5, Network 11.6, Network 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, Network 12.2, Network 12.3, Network 12.4, Network 12.5, Network 12.6, Network 12.7, Network 12.8, Network 12.9, Network 12.10, Network 12.11, Network 12.12

Critical Security Control #13: Data Protection
Network 13.1, Network 13.2, Network 13.3, Network 13.4, Network 13.5, Network 13.6, Network 13.7, Network 13.8, Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, Application 14.2, Application 14.3, Application 14.4, Application 14.5, Application 14.6, Application 14.7, Application 14.8, Application 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, Network 15.2, Network 15.3, Network 15.4, Network 15.5, Network 15.6, Network 15.7, Network 15.8, Network 15.9, Network 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, Application 16.2, Application 16.3, Application 16.4, Application 16.5, Application 16.6, Application 16.7, Application 16.8, Application 16.9, Application 16.10, Application 16.11, Application 16.12, Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, Application 17.2, Application 17.3, Application 17.4, Application 17.5, Application 17.6, Application 17.7, Application 17.8, Application 17.9

Critical Security Control #18: Application Software Security
Application 18.1, Application 18.2, Application 18.3, Application 18.4, Application 18.5, Application 18.6, Application 18.7, Application 18.8, Application 18.9, Application 18.10, Application 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, Application 19.2, Application 19.3, Application 19.4, Application 19.5, Application 19.6, Application 19.7, Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, Application 20.2, Application 20.3, Application 20.4, Application 20.5, Application 20.6, Application 20.7, Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.

Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

Critical Security Control #5: Secure Configurations for Hardware and Software

Maintain documented security configuration standards for all authorized operating systems and software.

Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.

Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.

Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

Deploy a Security Information and Event Management (SIEM) or log analytics tool for log correlation and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.

On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

Critical Security Control #7: Email and Web Browser Protections

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

Use DNS filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

Block all e-mail attachments entering the organization's e-mail gateway if the file types are unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses

Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

Configure devices to not auto-run content from removable media.

Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports

Associate active ports, services and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that each of the organization's key systems is backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one backup destination that is not continuously addressable
through operating system calls.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain standard, documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configuration against approved security configurations defined for each
network device in use and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading e-mail, composing
documents, or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located onsite or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation to workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as Private VLANs or
microsegmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located onsite or at a remote service
provider and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is
required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
onsite or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or
by a third-party provider.

Encrypt, or hash with a salt, all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive and destroy sensitive
information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train employees to be able to identify the most common indicators of an incident and be able to
report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.

For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and nonproduction systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC
partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, e-mails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping matrix (one row per CIS sub-control, marked X where the sub-control maps to a metric column) against the following metric columns:
Security Policies, Plans, and Procedures (Metric 8.1.1); Cyber Security Officials (Metric 8.1.2); Systems Boundaries (Metric 8.2.1); Remote Access and External Connections (Metric 8.2.2); Least Privilege (Metric 8.2.3); Rules of Behavior (Metric 8.2.4); Password Management (Metric 8.2.5); Criticality Sensitivity Review (Metric 8.3.1); Unique Accounts (Metric 8.3.2); Separation of Duties (Metric 8.3.3); Access Control Lists (Metric 8.3.4); Third-party Cyber Support (Metric 8.3.5); Physical Access to Cyber Systems and Information Storage Media (Metric 8.3.6); Cyber Security Training (Metric 8.4.1); Cyber Security Controls (Metric 8.5.1); Network Monitoring (Metric 8.5.2); Incident Response (Metric 8.5.3); Incident Reporting (Metric 8.5.4); Safety Instrumented Systems (Metric 8.5.5); Post-Incident Measures (Metric 8.6.1); Systems Life Cycle (Metric 8.7.1); Documenting Business Needs (Metric 8.8.1); Cyber Asset Identification (Metric 8.8.2); Network/System Architecture (Metric 8.8.3); Audits (Metric 8.9.1)
CIS Controls v7.1 mapped to the Australian Essential Eight

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1
System 1.2
System 1.3
System 1.4
System 1.5
System 1.6
System 1.7
System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1
System 2.2
System 2.3
System 2.4
System 2.5
System 2.6
System 2.7
System 2.8
System 2.9
System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1
System 3.2
System 3.3
System 3.4
System 3.5
System 3.6
System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1
System 4.2
System 4.3
System 4.4
System 4.5
System 4.6
System 4.7
System 4.8
System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1
System 5.2
System 5.3
System 5.4
System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1
System 6.2
System 6.3
System 6.4
System 6.5
System 6.6
System 6.7
System 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1
System 7.2
System 7.3
System 7.4
System 7.5
System 7.6
System 7.7
System 7.8
System 7.9
System 7.10

Critical Security Control #8: Malware Defenses
System 8.1
System 8.2
System 8.3
System 8.4
System 8.5
System 8.6
System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1
System 9.2
System 9.3
System 9.4
System 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1
System 10.2
System 10.3
System 10.4
System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.7
Network 12.8
Network 12.9
Network 12.10
Network 12.11
Network 12.12

Critical Security Control #13: Data Protection
Network 13.1
Network 13.2
Network 13.3
Network 13.4
Network 13.5
Network 13.6
Network 13.7
Network 13.8
Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1
Application 14.2
Application 14.3
Application 14.4
Application 14.5
Application 14.6
Application 14.7
Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1
Network 15.2
Network 15.3
Network 15.4
Network 15.5
Network 15.6
Network 15.7
Network 15.8
Network 15.9
Network 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1
Application 16.2
Application 16.3
Application 16.4
Application 16.5
Application 16.6
Application 16.7
Application 16.8
Application 16.9
Application 16.10
Application 16.11
Application 16.12
Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1
Application 17.2
Application 17.3
Application 17.4
Application 17.5
Application 17.6
Application 17.7
Application 17.8
Application 17.9

Critical Security Control #18: Application Software Security
Application 18.1
Application 18.2
Application 18.3
Application 18.4
Application 18.5
Application 18.6
Application 18.7
Application 18.8
Application 18.9
Application 18.10
Application 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1
Application 19.2
Application 19.3
Application 19.4
Application 19.5
Application 19.6
Application 19.7
Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2
Application 20.3
Application 20.4
Application 20.5
Application 20.6
Application 20.7
Application 20.8

CIS Controls

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port-level access control, following 802.1X standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
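Sub-control 7.8 above asks for DMARC built on SPF and DKIM, but a published record is only as strong as its terminal qualifier and its policy tag. The following added example (not part of the mapping tool or of the CIS text) parses constructed SPF and DMARC TXT records and reports the weaknesses an auditor looks for: an SPF record that does not fail unknown senders, a DMARC policy of p=none that only monitors, a pct below 100, and a missing aggregate-report address. The records are constructed strings so the check runs offline; example.com and example.net are reserved names.

```python
"""SPF/DMARC posture check over constructed TXT records (added example)."""

def parse_spf(txt):
    """Return (mechanisms, all_qualifier) for a v=spf1 record, or None if it is not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                      # SPF default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier

def parse_dmarc(txt):
    """Return the tag=value pairs of a v=DMARC1 record as a dict, or None."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def assess(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means the domain enforces."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("no SPF record")
    else:
        _, all_q = spf
        if all_q is None or all_q == "+":
            findings.append("SPF does not fail unknown senders (missing or +all)")
        elif all_q == "?":
            findings.append("SPF ?all is neutral: receivers treat it as no policy")
        elif all_q == "~":
            findings.append("SPF ~all is softfail: acceptable under DMARC, weak alone")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("no DMARC record")
        return findings
    policy = dmarc.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none only monitors, it does not block spoofing")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC pct={dmarc['pct']}: policy applied to a fraction of mail")
    if "rua" not in dmarc:
        findings.append("no rua= address: aggregate reports are not collected")
    if policy != "none" and dmarc.get("sp", policy) == "none":
        findings.append("subdomain policy sp=none weaker than organizational policy")
    return findings

# Constructed records for illustration.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com"

if __name__ == "__main__":
    print("weak  :", assess(WEAK_SPF, WEAK_DMARC))
    print("strong:", assess(STRONG_SPF, STRONG_DMARC))
```

The usual rollout the sub-control describes is visible in the two constructed records: start at p=none with rua= so reports reveal legitimate senders that fail alignment, fix SPF and DKIM for those senders, then move to p=quarantine and p=reject. DKIM itself is not checked here because its public key lives in a selector record that the DMARC record does not name.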
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
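Sub-controls 9.1 through 9.3 above describe one loop: record the approved listeners for each hardware asset, scan regularly, and alert on anything else. The following added example (not part of the mapping tool or of the CIS text) implements the comparison step over a constructed approved-listener inventory and constructed scan output, reporting unauthorized listeners, approved services that have stopped listening, and responding hosts that are missing from the inventory altogether. Host names, ports and the simplified scan format are assumptions for illustration.

```python
"""Listening-port baseline check against the asset inventory (added example)."""
from collections import namedtuple

Listener = namedtuple("Listener", "proto port service")

# Constructed inventory: approved listeners per hardware asset (hypothetical hosts).
APPROVED = {
    "web01": {Listener("tcp", 443, "nginx"), Listener("tcp", 22, "sshd")},
    "db01": {Listener("tcp", 5432, "postgres"), Listener("tcp", 22, "sshd")},
}

# Constructed scan output in a simplified "host proto port service" form.
SCAN_RESULTS = """\
web01 tcp 443 nginx
web01 tcp 22 sshd
web01 tcp 8080 python3
db01 tcp 5432 postgres
db01 udp 161 snmpd
build07 tcp 22 sshd
"""

def parse_scan(text):
    """Group scan lines into {host: set(Listener)}; malformed lines are skipped."""
    observed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        host, proto, port, service = parts
        observed.setdefault(host, set()).add(Listener(proto, int(port), service))
    return observed

def compare(approved, observed):
    """Return findings as (host, kind, Listener) tuples.

    kind is 'unauthorized' for a listener with no recorded business need,
    'missing' for an approved service that is no longer listening (often a
    sign of tampering or an outage worth a look), and 'unknown-host' for a
    responding host that is absent from the asset inventory. Hosts that did
    not respond at all are an inventory question (CSC 1), not a port one.
    """
    findings = []
    for host, seen in sorted(observed.items()):
        if host not in approved:
            findings.extend((host, "unknown-host", l) for l in sorted(seen))
            continue
        for l in sorted(seen - approved[host]):
            findings.append((host, "unauthorized", l))
        for l in sorted(approved[host] - seen):
            findings.append((host, "missing", l))
    return findings

if __name__ == "__main__":
    for host, kind, l in compare(APPROVED, parse_scan(SCAN_RESULTS)):
        print(f"{host:8} {kind:12} {l.proto}/{l.port} ({l.service})")
```

On the constructed data this reports an unexpected 8080/tcp listener on web01, an SNMP agent on db01 that nobody approved, sshd missing from db01, and a host build07 that is not in the inventory at all.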
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
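Sub-control 11.3 above asks that every device's configuration be compared against its approved standard and that deviations raise an alert. The following added example (not part of the mapping tool or of the CIS text) does that for a constructed router configuration in IOS-like syntax: it normalizes away the lines the device rewrites on its own, diffs the running configuration against the approved baseline, and separates deviations that merely need a change ticket from ones that weaken the device. The configurations, the host name and the high-risk patterns are assumptions for illustration, not a vendor export or a CIS list.

```python
"""Network device configuration drift check against an approved baseline (added example)."""
import re

APPROVED_CONFIG = """\
! Approved baseline, change ticket CHG-0001 (constructed)
hostname edge-rtr-01
service password-encryption
no ip http server
snmp-server community s3cretRO RO 10
ip access-list extended MGMT-IN
 permit tcp 10.0.9.0 0.0.0.255 any eq 22
 deny ip any any log
line vty 0 4
 transport input ssh
 access-class MGMT-IN in
"""

RUNNING_CONFIG = """\
! Last configuration change at 03:14:07 UTC Tue Apr 30 2024
hostname edge-rtr-01
ntp server 10.0.9.5
no service password-encryption
ip http server
snmp-server community public RO
ip access-list extended MGMT-IN
 permit tcp 10.0.9.0 0.0.0.255 any eq 22
 permit ip any any
line vty 0 4
 transport input ssh telnet
 access-class MGMT-IN in
"""

# Deviations matching these should page someone (assumed patterns, not a CIS list).
HIGH_RISK = [
    re.compile(r"^\s*permit ip any any"),
    re.compile(r"^\s*no service password-encryption"),
    re.compile(r"^\s*ip http server"),
    re.compile(r"^\s*snmp-server community (public|private)\b"),
    re.compile(r"^\s*transport input .*\btelnet\b"),
]

def normalize(config):
    """Drop comment lines and trailing whitespace; keep order and indentation, which carry meaning."""
    return [l.rstrip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]

def drift(approved, running):
    """Return {'added': [...], 'removed': [...], 'high_risk': [...]} relative to the baseline."""
    base, live = normalize(approved), normalize(running)
    base_set, live_set = set(base), set(live)
    added = [l for l in live if l not in base_set]
    removed = [l for l in base if l not in live_set]
    high_risk = [l for l in added if any(p.search(l) for p in HIGH_RISK)]
    return {"added": added, "removed": removed, "high_risk": high_risk}

if __name__ == "__main__":
    for kind, lines in drift(APPROVED_CONFIG, RUNNING_CONFIG).items():
        print(kind)
        for l in lines:
            print("   ", l)
```

On the constructed pair, the added NTP server is an undocumented but harmless deviation (11.2 still wants a ticket and an owner for it), while the five other additions each match a high-risk pattern: the ACL now permits everything, password encryption is off, the HTTP server is back, SNMP uses a default community, and telnet is enabled on the VTY lines. The removed side shows what used to protect the device.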
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.
Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.
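Sub-control 16.4 above says "hash with a salt", and the two words that matter in practice are that the salt is random per credential and that the hash function is deliberately slow. The following added example (not part of the mapping tool or of the CIS text) shows a storage format built on PBKDF2-HMAC-SHA256 from the Python standard library, constant-time verification, and, for contrast, the unsalted fast hash that 16.4 exists to rule out. The iteration count, salt length and record format are assumptions for illustration, not CIS recommendations.

```python
"""Salted, slow credential hashing with constant-time verification (added example)."""
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; raise it over time as hardware improves (assumption).
ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt is drawn when none is supplied, so two users with the
    same password get different records and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def unsalted_sha256(password):
    """The anti-pattern: fast, and identical passwords yield identical hashes,
    so one rainbow table or one cracked hash covers every account sharing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print("salted records differ for the same password:", a != b)
    print("verify succeeds:", verify_password("correct horse battery staple", a))
    print("verify rejects wrong password:", not verify_password("wrong", a))
    print("unsalted hashes collide:", unsalted_sha256("x") == unsalted_sha256("x"))
```

Storing the iteration count inside the record is what lets the work factor be raised later: old records keep verifying with their own parameters and can be re-hashed on the user's next successful login.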


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping matrix: CIS Controls v7.1 sub-controls (rows) marked X against eight mitigation-strategy columns: 1 Application whitelisting, 2 Patch applications, 3 Disable untrusted Microsoft Office macros, 4 User application hardening, 5 Restrict administrative privileges, 6 Patch operating systems, 7 Multi-factor authentication, 8 Daily backup of important data. The X marks cannot be tied to their rows in this copy.]
CIS Controls v7.1 mapped to Australian DSD Top 35: 2014

Sub-control identifiers by control (asset-type prefix as labelled in the sheet):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
Critical Security Control #7: Email and Web Browser Protections
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
Critical Security Control #8: Malware Defenses
System 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, 9.2, 9.3, 9.4, 9.5
Critical Security Control #10: Data Recovery Capabilities
System 10.1, 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Critical Security Control #12: Boundary Defense
Network 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Critical Security Control #13: Data Protection
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Critical Security Control #15: Wireless Access Control
Network 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Critical Security Control #16: Account Monitoring and Control
Application 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Critical Security Control #18: Application Software Security
Application 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Critical Security Control #19: Incident Response and Management
Application 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
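Sub-controls 3.6 and 3.7 above together define a procedure: compare consecutive scan results to confirm remediation, and prioritize what remains by risk. The following added example (not part of the mapping tool or of the CIS text) runs that comparison over two constructed scan exports, classifying findings as fixed, new or persistent and flagging open findings whose age exceeds a severity-based remediation window. The export format, host names, check identifiers and the window lengths are assumptions for illustration.

```python
"""Consecutive vulnerability-scan comparison with risk-based SLA check (added example)."""
import csv
import io
from datetime import date

# Assumed remediation windows by severity, in days (not a CIS figure).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed exports: asset, check id, severity, date the finding was first seen.
PREVIOUS_SCAN = """asset,check_id,severity,first_seen
web01,CHK-1001,critical,2024-03-01
web01,CHK-2002,medium,2024-02-10
db01,CHK-3003,high,2024-03-20
"""
CURRENT_SCAN = """asset,check_id,severity,first_seen
web01,CHK-2002,medium,2024-02-10
db01,CHK-3003,high,2024-03-20
db01,CHK-4004,low,2024-04-02
"""

def load(text):
    """Index a scan export by (asset, check_id) so the same finding on two hosts stays distinct."""
    return {(r["asset"], r["check_id"]): r for r in csv.DictReader(io.StringIO(text))}

def compare_scans(previous, current, today):
    """Return fixed/new/persistent keys plus 'overdue' open findings past their SLA.

    Each overdue entry is ((asset, check_id), severity, age_in_days).
    """
    prev, cur = load(previous), load(current)
    fixed = sorted(set(prev) - set(cur))
    new = sorted(set(cur) - set(prev))
    persistent = sorted(set(cur) & set(prev))
    overdue = []
    for key in persistent + new:
        row = cur[key]
        age = (today - date.fromisoformat(row["first_seen"])).days
        if age > SLA_DAYS[row["severity"]]:
            overdue.append((key, row["severity"], age))
    return {"fixed": fixed, "new": new, "persistent": persistent, "overdue": overdue}

def example_report():
    """Compare the constructed exports as of a fixed date so the result is reproducible."""
    return compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, date(2024, 5, 1))

if __name__ == "__main__":
    for kind, items in example_report().items():
        print(kind, items)
```

As of the fixed date, the critical finding on web01 is gone (3.6 confirmed), a new low finding appeared on db01, and the persistent high finding on db01 is 42 days old against an assumed 30-day window, so it is the one to escalate (3.7). Re-opened findings would show up as "new" with an old first_seen date, which is worth a separate look in a real program.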

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
curity Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

1. Application whitelisting of permitted/trusted programs, to prevent execution of malicious or
unapproved programs including DLL files, scripts and installers.

2. Patch applications, eg, Java, PDF viewers, Flash, web browsers and Microsoft Office. Patch or
mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest version of
applications.

3. Patch operating system vulnerabilities. Patch or mitigate systems with 'extreme risk'
vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP.
4. Restrict administrative privileges to operating systems and applications based on user duties.
Such users should use a separate unprivileged account for email and web browsing.

5. User application configuration hardening, disabling the running of internet-based Java code,
untrusted Microsoft Office macros, and undesired web browser and PDF viewer features.

6. Automated dynamic analysis of email and web content run in a sandbox to detect suspicious
behaviour including network traffic, new or modified files, or configuration changes.
7. Operating system generic exploit mitigation mechanisms, eg, Data Execution Prevention (DEP),
Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).

8. Host-based Intrusion Detection/Prevention System to identify anomalous behaviour such as
process injection, keystroke logging, driver loading and persistence.

9. Disable local administrator accounts to prevent network propagation using compromised local
administration credentials that are shared by several computers.
10. Network segmentation and segregation into security zones to protect sensitive information and
critical services such as user authentication by Microsoft Active Directory.

11. Multi-factor authentication especially implemented for remote access or when the user is about
to perform a privileged action or access a sensitive information repository.

12. Software-based application firewall, blocking incoming network traffic that is malicious or
otherwise unauthorised, and denying network traffic by default.
13. Software-based application firewall, blocking outgoing network traffic that is not generated by
whitelisted applications, and denying network traffic by default.

14. Non-persistent virtualised sandboxed trusted operating environment, hosted outside the
organisation's internal network, for risk activities such as web browsing.

15. Centralised and time-synchronised logging of successful and failed computer events with
automated immediate log analysis, storing logs for at least 18 months.
16. Centralised and time-synchronised logging of allowed and blocked network events with
automated immediate log analysis, storing logs for at least 18 months.

17. Email content filtering allowing only business-related attachment types. Preferably
analyse/convert/sanitise links, PDF and Microsoft Office attachments.

18. Web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content
and using behavioural analysis, cloud-based reputation ratings, heuristics and signatures.
19. Web domain whitelisting for all domains, since this approach is more proactive and thorough
than blacklisting a tiny percentage of malicious domains.

20. Block spoofed emails using Sender ID or Sender Policy Framework (SPF) to check incoming
emails, and a 'hard fail' SPF record to help prevent spoofing of your organisation's domain.

21. Workstation and server configuration management based on a hardened Standard Operating
Environment with unrequired functionality disabled e.g. IPv6, autorun and LanMan.
22. Antivirus software using heuristics and automated internet-based reputation ratings to check a
program's prevalence and its digital signature's trustworthiness prior to execution.

23. Deny direct internet access from workstations by using an IPv6-capable firewall to force traffic
through a split DNS server, an email server or an authenticated web proxy server.

24. Server application security configuration hardening e.g. databases, web applications, customer
relationship management, finance, human resources and other data storage systems.
25. Enforce a strong passphrase policy covering complexity, length and expiry, and avoiding both
passphrase re-use and the use of a single dictionary word.

26. Removable and portable media control as part of a data loss prevention strategy, including
storage, handling, whitelisting allowed USB devices, encryption and destruction.

27. Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations
and on servers where possible.
28. User education, eg, internet threats and spear-phishing socially-engineered emails. Avoid weak
passphrases, passphrase re-use, exposing email addresses and unapproved USB devices.

29. Workstation inspection of Microsoft Office files for potentially malicious abnormalities, eg,
using the Microsoft Office File Validation or Protected View features.

30. Signature-based antivirus software that primarily relies on up-to-date signatures to identify
malware. Use gateway and desktop antivirus software from different vendors.
31. TLS encryption between email servers to help prevent legitimate emails being intercepted and
used for social engineering. Perform content scanning after email traffic is decrypted.

32. Block attempts to access web sites by their IP address instead of by their domain name, eg,
implemented using a web proxy server, to force cyber adversaries to obtain a domain name.

33. Network-based Intrusion Detection/Prevention System using signatures and heuristics to
identify anomalous traffic both internally and crossing network perimeter boundaries.
34. Gateway blacklisting to block access to known malicious domains and IP addresses, including
dynamic and other domains provided free to anonymous internet users.

35. Capture network traffic to/from internal critical-asset workstations and servers, as well as
traffic traversing the network perimeter, to perform post-intrusion analysis.
CIS Controls v7.1 mapped to the NSA's Top 10 Information Assurance
Mitigation Strategies

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10
Application 16.11
Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8
Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3
Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls v7.1 mapped to the NSA's Top 10 Information Assurance Mitigation Strategies

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

1.1  Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2  Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3  Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4  Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5  Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6  Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7  Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8  Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1  Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2  Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3  Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4  The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5  The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6  Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7  Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8  The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9  The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

3.1  Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2  Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3  Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4  Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5  Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6  Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7  Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Critical Security Control #4: Controlled Use of Administrative Privileges

4.1  Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2  Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3  Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
4.4  Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5  Use multi-factor authentication and encrypted channels for all administrative account access.
4.6  Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
4.7  Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8  Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9  Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software

5.1  Maintain documented security configuration standards for all authorized operating systems and software.
5.2  Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3  Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4  Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5  Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

6.1  Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2  Ensure that local logging has been enabled on all systems and networking devices.
6.3  Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4  Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5  Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6  Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7  On a regular basis, review logs to identify anomalies or abnormal events.
6.8  On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections

7.1  Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2  Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3  Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4  Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5  Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6  Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7  Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8  To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9  Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses

8.1  Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
8.2  Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
8.3  Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
8.4  Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
8.5  Configure devices to not auto-run content from removable media.
8.6  Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
8.7  Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
8.8  Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports

9.1  Associate active ports, services, and protocols to the hardware assets in the asset inventory.
9.2  Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3  Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4  Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5  Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities

10.1 Ensure that all system data is automatically backed up on a regular basis.
10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know

14.1 Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control

15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control

16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program

17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security

18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management

19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises

20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping matrix: one column per NSA Top 10 Information Assurance Mitigation Strategy, with an X marking each CIS sub-control mapped to that strategy. Column headings:
1  Application Whitelisting
2  Control Administrative Privileges
3  Limit Workstation-to-Workstation Communication
4  Use Anti-Virus File Reputation Services
5  Enable Anti-Exploitation Features
6  Implement Host Intrusion Prevention System (HIPS) Rules
7  Set a Secure Baseline Configuration
8  Use Web Domain Name System (DNS) Reputation
9  Take Advantage of Software Improvements
10 Segregate Networks and Functions
The row alignment of the X marks did not survive extraction.]
CIS Controls v7.1 mapped to Canadian Communications Security Establishment Top 10 IT Security Actions

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10
Application 16.11
Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8
Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3
Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls

S Controls v7.1 mapped to Canadian Communications Security


Establishment Top 10 IT Security Actions

curity Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
curity Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

curity Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
curity Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
curity Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
curity Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
curity Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
curity Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
curity Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
curity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
curity Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
curity Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the


organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

curity Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally


and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
curity Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
curity Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.
Monitor attempts to access deactivated accounts through audit logging.
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
curity Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
curity Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
curity Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a


security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
curity Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping columns (Canadian Communications Security Establishment Top 10 IT Security Actions):
1 Consolidate, Monitor and Defend Internet Gateways
2 Patch Operating Systems and Applications
3 Enforce the Management of Administrative Privileges
4 Harden Operating Systems and Applications
5 Segment and Separate Information
6 Provide Tailored Awareness and Training
7 Protect Information at the Enterprise Level
8 Apply Protection at the Host Level
9 Isolate Web-Facing Applications
10 Implement Application Whitelisting

[Mapping matrix not reproduced: the sheet marks each sub-control/action pair with an X, but the row alignment of the marks did not survive extraction.]
CIS Controls v7.1 mapped to GCHQ's 10 Steps to CyberSecurity

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

System 1.1: Utilize an active discovery tool to identify devices connected to the organization's
network and update the hardware asset inventory.

System 1.2: Utilize a passive discovery tool to identify devices connected to the organization's
network and automatically update the organization's hardware asset inventory.

System 1.3: Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

System 1.4: Maintain an accurate and up-to-date inventory of all technology assets with the potential
to store or process information. This inventory shall include all assets, whether connected to the
organization's network or not.

System 1.5: Ensure that the hardware asset inventory records the network address, hardware address,
machine name, data asset owner, and department for each asset and whether the hardware asset has
been approved to connect to the network.

System 1.6: Ensure that unauthorized assets are either removed from the network, quarantined or the
inventory is updated in a timely manner.

System 1.7: Utilize port level access control, following 802.1x standards, to control which devices
can authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.

System 1.8: Use client certificates to authenticate hardware assets connecting to the organization's
trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

System 2.1: Maintain an up-to-date list of all authorized software that is required in the enterprise
for any business purpose on any business system.

System 2.2: Ensure that only software applications or operating systems currently supported and
receiving vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.

System 2.3: Utilize software inventory tools throughout the organization to automate the
documentation of all software on business systems.

System 2.4: The software inventory system should track the name, version, publisher, and install date
for all software, including operating systems authorized by the organization.

System 2.5: The software inventory system should be tied into the hardware asset inventory so all
devices and associated software are tracked from a single location.

System 2.6: Ensure that unauthorized software is either removed or the inventory is updated in a
timely manner.

System 2.7: Utilize application whitelisting technology on all assets to ensure that only authorized
software executes and all unauthorized software is blocked from executing on assets.

System 2.8: The organization's application whitelisting software must ensure that only authorized
software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

System 2.9: The organization's application whitelisting software must ensure that only authorized,
digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

System 2.10: Physically or logically segregated systems should be used to isolate and run software
that is required for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1: Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability
scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to
identify all potential vulnerabilities on the organization's systems.

System 3.2: Perform authenticated vulnerability scanning with agents running locally on each system
or with remote scanners that are configured with elevated rights on the system being tested.

System 3.3: Use a dedicated account for authenticated vulnerability scans, which should not be used
for any other administrative activities and should be tied to specific machines at specific IP
addresses.

System 3.4: Deploy automated software update tools in order to ensure that the operating systems are
running the most recent security updates provided by the software vendor.

System 3.5: Deploy automated software update tools in order to ensure that third-party software on
all systems is running the most recent security updates provided by the software vendor.

System 3.6: Regularly compare the results from consecutive vulnerability scans to verify that
vulnerabilities have been remediated in a timely manner.

System 3.7: Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

System 4.1: Use automated tools to inventory all administrative accounts, including domain and local
accounts, to ensure that only authorized individuals have elevated privileges.

System 4.2: Before deploying any new asset, change all default passwords to have values consistent
with administrative level accounts.

System 4.3: Ensure that all users with administrative account access use a dedicated or secondary
account for elevated activities. This account should only be used for administrative activities and
not Internet browsing, email, or similar activities.

System 4.4: Where multi-factor authentication is not supported (such as local administrator, root, or
service accounts), accounts will use passwords that are unique to that system.

System 4.5: Use multi-factor authentication and encrypted channels for all administrative account
access.

System 4.6: Ensure administrators use a dedicated machine for all administrative tasks or tasks
requiring administrative access. This machine will be segmented from the organization's primary
network and not be allowed Internet access. This machine will not be used for reading email,
composing documents, or browsing the Internet.

System 4.7: Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only
administrative or development users with the need to access those capabilities.

System 4.8: Configure systems to issue a log entry and alert when an account is added to or removed
from any group assigned administrative privileges.

System 4.9: Configure systems to issue a log entry and alert on unsuccessful logins to an
administrative account.

Critical Security Control #5: Secure Configurations for Hardware and Software

System 5.1: Maintain documented security configuration standards for all authorized operating
systems and software.

System 5.2: Maintain secure images or templates for all systems in the enterprise based on the
organization's approved configuration standards. Any new system deployment or existing system that
becomes compromised should be imaged using one of those images or templates.

System 5.3: Store the master images and templates on securely configured servers, validated with
integrity monitoring tools, to ensure that only authorized changes to the images are possible.

System 5.4: Deploy system configuration management tools that will automatically enforce and
redeploy configuration settings to systems at regularly scheduled intervals.

System 5.5: Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring
system to verify all security configuration elements, catalog approved exceptions, and alert when
unauthorized changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

System 6.1: Use at least three synchronized time sources from which all servers and network devices
retrieve time information on a regular basis so that timestamps in logs are consistent.

System 6.2: Ensure that local logging has been enabled on all systems and networking devices.

System 6.3: Enable system logging to include detailed information such as an event source, date,
user, timestamp, source addresses, destination addresses, and other useful elements.

System 6.4: Ensure that all systems that store logs have adequate storage space for the logs
generated.

System 6.5: Ensure that appropriate logs are being aggregated to a central log management system for
analysis and review.

System 6.6: Deploy Security Information and Event Management (SIEM) or log analytic tools for log
correlation and analysis.

System 6.7: On a regular basis, review logs to identify anomalies or abnormal events.

System 6.8: On a regular basis, tune your SIEM system to better identify actionable events and
decrease event noise.

Critical Security Control #7: Email and Web Browser Protections

System 7.1: Ensure that only fully supported web browsers and email clients are allowed to execute in
the organization, ideally only using the latest version of the browsers and email clients provided by
the vendor.

System 7.2: Uninstall or disable any unauthorized browser or email client plugins or add-on
applications.

System 7.3: Ensure that only authorized scripting languages are able to run in all web browsers and
email clients.

System 7.4: Enforce network-based URL filters that limit a system's ability to connect to websites
not approved by the organization. This filtering shall be enforced for each of the organization's
systems, whether they are physically at an organization's facilities or not.

System 7.5: Subscribe to URL-categorization services to ensure that they are up-to-date with the most
recent website category definitions available. Uncategorized sites shall be blocked by default.

System 7.6: Log all URL requests from each of the organization's systems, whether on-site or a mobile
device, in order to identify potentially malicious activity and assist incident handlers with
identifying potentially compromised systems.

System 7.7: Use Domain Name System (DNS) filtering services to help block access to known malicious
domains.

System 7.8: To lower the chance of spoofed or modified emails from valid domains, implement
Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification,
starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.

System 7.9: Block all email attachments entering the organization's email gateway if the file types
are unnecessary for the organization's business.

System 7.10: Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses

System 8.1: Utilize centrally managed anti-malware software to continuously monitor and defend each
of the organization's workstations and servers.

System 8.2: Ensure that the organization's anti-malware software updates its scanning engine and
signature database on a regular basis.

System 8.3: Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address
Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate
toolkits that can be configured to apply protection to a broader set of applications and executables.

System 8.4: Configure devices so that they automatically conduct an anti-malware scan of removable
media when inserted or connected.

System 8.5: Configure devices to not auto-run content from removable media.

System 8.6: Send all malware detection events to enterprise anti-malware administration tools and
event log servers for analysis and alerting.

System 8.7: Enable Domain Name System (DNS) query logging to detect hostname lookups for known
malicious domains.

System 8.8: Enable command-line audit logging for command shells, such as Microsoft PowerShell and
Bash.

Critical Security Control #9: Limitation and Control of Network Ports

System 9.1: Associate active ports, services, and protocols to the hardware assets in the asset
inventory.

System 9.2: Ensure that only network ports, protocols, and services listening on a system with
validated business needs are running on each system.

System 9.3: Perform automated port scans on a regular basis against all systems and alert if
unauthorized ports are detected on a system.

System 9.4: Apply host-based firewalls or port-filtering tools on end systems, with a default-deny
rule that drops all traffic except those services and ports that are explicitly allowed.

System 9.5: Place application firewalls in front of any critical servers to verify and validate the
traffic going to the server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities

System 10.1: Ensure that all system data is automatically backed up on a regular basis.

System 10.2: Ensure that all of the organization's key systems are backed up as a complete system,
through processes such as imaging, to enable the quick recovery of an entire system.

System 10.3: Test data integrity on backup media on a regular basis by performing a data restoration
process to ensure that the backup is properly working.

System 10.4: Ensure that backups are properly protected via physical security or encryption when
they are stored, as well as when they are moved across the network. This includes remote backups and
cloud services.

System 10.5: Ensure that all backups have at least one offline (i.e., not accessible via a network
connection) backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Network 11.1: Maintain documented security configuration standards for all authorized network
devices.

Network 11.2: All configuration rules that allow traffic to flow through network devices should be
documented in a configuration management system with a specific business reason for each rule, a
specific individual's name responsible for that business need, and an expected duration of the need.

Network 11.3: Compare all network device configurations against approved security configurations
defined for each network device in use, and alert when any deviations are discovered.

Network 11.4: Install the latest stable version of any security-related updates on all network
devices.

Network 11.5: Manage all network devices using multi-factor authentication and encrypted sessions.

Network 11.6: Ensure network engineers use a dedicated machine for all administrative tasks or tasks
requiring elevated access. This machine shall be segmented from the organization's primary network
and not be allowed Internet access. This machine shall not be used for reading email, composing
documents, or surfing the Internet.

Network 11.7: Manage the network infrastructure across network connections that are separated from
the business use of that network, relying on separate VLANs or, preferably, on entirely different
physical connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense

Network 12.1: Maintain an up-to-date inventory of all of the organization's network boundaries.

Network 12.2: Perform regular scans from outside each trusted network boundary to detect any
unauthorized connections which are accessible across the boundary.

Network 12.3: Deny communications with known malicious or unused Internet IP addresses and limit
access only to trusted and necessary IP address ranges at each of the organization's network
boundaries.

Network 12.4: Deny communication over unauthorized TCP or UDP ports or application traffic to ensure
that only authorized protocols are allowed to cross the network boundary in or out of the network at
each of the organization's network boundaries.

Network 12.5: Configure monitoring systems to record network packets passing through the boundary at
each of the organization's network boundaries.

Network 12.6: Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual
attack mechanisms and detect compromise of these systems at each of the organization's network
boundaries.

Network 12.7: Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network
traffic at each of the organization's network boundaries.

Network 12.8: Enable the collection of NetFlow and logging data on all network boundary devices.

Network 12.9: Ensure that all network traffic to or from the Internet passes through an authenticated
application layer proxy that is configured to filter unauthorized connections.

Network 12.10: Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the
content. However, the organization may use whitelists of allowed sites that can be accessed through
the proxy without decrypting the traffic.

Network 12.11: Require all remote login access to the organization's network to encrypt data in
transit and use multi-factor authentication.

Network 12.12: Scan all enterprise devices remotely logging into the organization's network prior to
accessing the network to ensure that each of the organization's security policies has been enforced
in the same manner as local network devices.

Critical Security Control #13: Data Protection

Network 13.1: Maintain an inventory of all sensitive information stored, processed, or transmitted by
the organization's technology systems, including those located on-site or at a remote service
provider.

Network 13.2: Remove sensitive data or systems not regularly accessed by the organization from the
network. These systems shall only be used as stand-alone systems (disconnected from the network) by
the business unit needing to occasionally use the system or completely virtualized and powered off
until needed.

Network 13.3: Deploy an automated tool on network perimeters that monitors for unauthorized transfer
of sensitive information and blocks such transfers while alerting information security professionals.

Network 13.4: Only allow access to authorized cloud storage or email providers.

Network 13.5: Monitor all traffic leaving the organization and detect any unauthorized use of
encryption.

Network 13.6: Utilize approved cryptographic mechanisms to protect enterprise data stored on all
mobile devices.

Network 13.7: If USB storage devices are required, enterprise software should be used that can
configure systems to allow the use of specific devices. An inventory of such devices should be
maintained.

Network 13.8: Configure systems not to write data to external removable media, if there is no
business need for supporting such devices.

Network 13.9: If USB storage devices are required, all data stored on such devices must be encrypted
while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1: Segment the network based on the label or classification level of the information
stored on the servers; locate all sensitive information on separated Virtual Local Area Networks
(VLANs).

Application 14.2: Enable firewall filtering between VLANs to ensure that only authorized systems are
able to communicate with other systems necessary to fulfill their specific responsibilities.

Application 14.3: Disable all workstation-to-workstation communication to limit an attacker's ability
to move laterally and compromise neighboring systems, through technologies such as private VLANs or
micro segmentation.

Application 14.4: Encrypt all sensitive information in transit.

Application 14.5: Utilize an active discovery tool to identify all sensitive information stored,
processed, or transmitted by the organization's technology systems, including those located on-site
or at a remote service provider, and update the organization's sensitive information inventory.

Application 14.6: Protect all information stored on systems with file system, network share, claims,
application, or database specific access control lists. These controls will enforce the principle
that only authorized individuals should have access to the information based on their need to access
the information as a part of their responsibilities.

Application 14.7: Use an automated tool, such as host-based Data Loss Prevention, to enforce access
controls to data even when the data is copied off a system.

Application 14.8: Encrypt all sensitive information at rest using a tool that requires a secondary
authentication mechanism not integrated into the operating system, in order to access the
information.

Application 14.9: Enforce detailed audit logging for access to sensitive data or changes to sensitive
data (utilizing tools such as File Integrity Monitoring or Security Information and Event
Monitoring).

Critical Security Control #15: Wireless Access Control

Network 15.1: Maintain an inventory of authorized wireless access points connected to the wired
network.

Network 15.2: Configure network vulnerability scanning tools to detect and alert on unauthorized
wireless access points connected to the wired network.

Network 15.3: Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized
wireless access points connected to the network.

Network 15.4: Disable wireless access on devices that do not have a business purpose for wireless
access.

Network 15.5: Configure wireless access on client machines that do have an essential wireless
business purpose, to allow access only to authorized wireless networks and to restrict access to
other wireless networks.

Network 15.6: Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Network 15.7: Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Network 15.8: Ensure that wireless networks use authentication protocols such as Extensible
Authentication Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor
authentication.

Network 15.9: Disable wireless peripheral access of devices [such as Bluetooth and Near Field
Communication (NFC)], unless such access is required for a business purpose.

Network 15.10: Create a separate wireless network for personal or untrusted devices. Enterprise
access from this network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control

Application 16.1: Maintain an inventory of each of the organization's authentication systems,
including those located on-site or at a remote service provider.

Application 16.2: Configure access for all accounts through as few centralized points of
authentication as possible, including network, security, and cloud systems.

Application 16.3: Require multi-factor authentication for all user accounts, on all systems, whether
managed on-site or by a third-party provider.

Application 16.4: Encrypt or hash with a salt all authentication credentials when stored.

Application 16.5: Ensure that all account usernames and authentication credentials are transmitted
across networks using encrypted channels.

Application 16.6: Maintain an inventory of all accounts organized by authentication system.

Application 16.7: Establish and follow an automated process for revoking system access by disabling
accounts immediately upon termination or change of responsibilities of an employee or contractor.
Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

Application 16.8: Disable any account that cannot be associated with a business process or business
owner.

Application 16.9: Automatically disable dormant accounts after a set period of inactivity.

Application 16.10: Ensure that all accounts have an expiration date that is monitored and enforced.

Application 16.11: Automatically lock workstation sessions after a standard period of inactivity.

Application 16.12: Monitor attempts to access deactivated accounts through audit logging.

Application 16.13: Alert when users deviate from normal login behavior, such as time-of-day,
workstation location, and duration.

Critical Security Control #17: Implement a Security Awareness and Training Program

Application 17.1: Perform a skills gap analysis to understand the skills and behaviors workforce
members are not adhering to, using this information to build a baseline education roadmap.

Application 17.2: Deliver training to address the skills gap identified to positively impact
workforce members' security behavior.

Application 17.3: Create a security awareness program for all workforce members to complete on a
regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure
the security of the organization. The organization's security awareness program should be
communicated in a continuous and engaging manner.

Application 17.4: Ensure that the organization's security awareness program is updated frequently (at
least annually) to address new technologies, threats, standards, and business requirements.

Application 17.5: Train workforce members on the importance of enabling and utilizing secure
authentication.

Application 17.6: Train the workforce on how to identify different forms of social engineering
attacks, such as phishing, phone scams, and impersonation calls.

Application 17.7: Train workforce members on how to identify and properly store, transfer, archive,
and destroy sensitive information.

Application 17.8: Train workforce members to be aware of causes for unintentional data exposures,
such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

Application 17.9: Train workforce members to be able to identify the most common indicators of an
incident and be able to report such an incident.

Critical Security Control #18: Application Software Security

Application 18.1: Establish secure coding practices appropriate to the programming language and
development environment being used.

Application 18.2: For in-house developed software, ensure that explicit error checking is performed
and documented for all input, including for size, data type, and acceptable ranges or formats.

Application 18.3: Verify that the version of all software acquired from outside your organization is
still supported by the developer or appropriately hardened based on developer security
recommendations.

Application 18.4: Only use up-to-date and trusted third-party components for the software developed
by the organization.

Application 18.5: Use only standardized, currently accepted, and extensively reviewed encryption
algorithms.

Application 18.6: Ensure that all software development personnel receive training in writing secure
code for their specific development environment and responsibilities.

Application 18.7: Apply static and dynamic analysis tools to verify that secure coding practices are
being adhered to for internally developed software.

Application 18.8: Establish a process to accept and address reports of software vulnerabilities,
including providing a means for external entities to contact your security group.

Application 18.9: Maintain separate environments for production and non-production systems.
Developers should not have unmonitored access to production environments.

Application 18.10: Protect web applications by deploying web application firewalls (WAFs) that
inspect all traffic flowing to the web application for common web application attacks. For
applications that are not web-based, specific application firewalls should be deployed if such tools
are available for the given application type. If the traffic is encrypted, the device should either
sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither
option is appropriate, a host-based web application firewall should be deployed.

Application 18.11: For applications that rely on a database, use standard hardening configuration
templates. All systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management

Application 19.1: Ensure that there are written incident response plans that define roles of
personnel as well as phases of incident handling/management.

Application 19.2: Assign job titles and duties for handling computer and network incidents to
specific individuals, and ensure tracking and documentation throughout the incident through
resolution.

Application 19.3: Designate management personnel, as well as backups, who will support the incident
handling process by acting in key decision-making roles.

Application 19.4: Devise organization-wide standards for the time required for system administrators
and other workforce members to report anomalous events to the incident handling team, the mechanisms
for such reporting, and the kind of information that should be included in the incident notification.

Application 19.5: Assemble and maintain information on third-party contact information to be used to
report a security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Application 19.6: Publish information for all workforce members, regarding reporting computer
anomalies and incidents, to the incident handling team. Such information should be included in
routine employee awareness activities.

Application 19.7: Plan and conduct routine incident response exercises and scenarios for the
workforce involved in the incident response to maintain awareness and comfort in responding to
real-world threats. Exercises should test communication channels, decision making, and incident
responders' technical capabilities using tools and data available to them.

Application 19.8: Create incident scoring and prioritization schema based on known or potential
impact to your organization. Utilize score to define frequency of status updates and escalation
procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises

Application 20.1: Establish a program for penetration tests that includes a full scope of blended
attacks, such as wireless, client-based, and web application attacks.

Application 20.2: Conduct regular external and internal penetration tests to identify vulnerabilities
and attack vectors that can be used to exploit enterprise systems successfully.

Application 20.3: Perform periodic Red Team exercises to test organizational readiness to identify
and stop attacks or to respond quickly and effectively.

Application 20.4: Include tests for the presence of unprotected system information and artifacts
that would be useful to attackers, including network diagrams, configuration files, older penetration
test reports, emails or documents containing passwords or other information critical to system
operation.

Application 20.5: Create a test bed that mimics a production environment for specific penetration
tests and Red Team attacks against elements that are not typically tested in production, such as
attacks against supervisory control and data acquisition and other control systems.

Application 20.6: Use vulnerability scanning and penetration testing tools in concert. The results of
vulnerability scanning assessments should be used as a starting point to guide and focus penetration
testing efforts.

Application 20.7: Wherever possible, ensure that Red Team results are documented using open,
machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red
Team exercises so that results can be compared over time.

Application 20.8: Any user or system accounts used to perform penetration testing should be
controlled and monitored to make sure they are only being used for legitimate purposes, and are
removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping grid: the columns are numbered 1 to 10 and headed Home & Mobile Working, User Education & Awareness, Incident Management, Information Risk Management Regime, Managing User Privileges, Removable Media Controls, Monitoring, Secure Configuration, Malware Protection, and Network Security; each row carries an X under every column it maps to. Only the column headings survive extraction; the row-by-row marks do not.]
CIS Controls v7.1 mapped to the UK Government's Cyber Essentials Scheme

CIS asset type and sub-control numbering for each control (the text of each sub-control is listed below under the same control heading):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices (System; 1.1 to 1.8)
Critical Security Control #2: Inventory of Authorized and Unauthorized Software (System; 2.1 to 2.10)
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation (System; 3.1 to 3.7)
Critical Security Control #4: Controlled Use of Administrative Privileges (System; 4.1 to 4.9)
Critical Security Control #5: Secure Configurations for Hardware and Software (System; 5.1 to 5.5)
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs (System; 6.1 to 6.8)
Critical Security Control #7: Email and Web Browser Protections (System; 7.1 to 7.10)
Critical Security Control #8: Malware Defenses (System; 8.1 to 8.8)
Critical Security Control #9: Limitation and Control of Network Ports (System; 9.1 to 9.5)
Critical Security Control #10: Data Recovery Capabilities (System; 10.1 to 10.5)
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches (Network; 11.1 to 11.7)
Critical Security Control #12: Boundary Defense (Network; 12.1 to 12.12)
Critical Security Control #13: Data Protection (Network; 13.1 to 13.9)
Critical Security Control #14: Controlled Access Based on the Need to Know (Application; 14.1 to 14.9)
Critical Security Control #15: Wireless Access Control (Network; 15.1 to 15.10)
Critical Security Control #16: Account Monitoring and Control (Application; 16.1 to 16.13)
Critical Security Control #17: Implement a Security Awareness and Training Program (Application; 17.1 to 17.9)
Critical Security Control #18: Application Software Security (Application; 18.1 to 18.11)
Critical Security Control #19: Incident Response and Management (Application; 19.1 to 19.8)
Critical Security Control #20: Penetration Tests and Red Team Exercises (Application; 20.1 to 20.8)
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

1.1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

1.2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.

1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.

1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
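Sub-controls 1.3, 1.5 and 1.6 together describe one loop: DHCP lease events keep the hardware inventory current, and any device that obtains a lease without an approved inventory record is flagged for quarantine or enrolment. The Python below is an added example, not part of the AuditScripts tool or the CIS Controls. The dhcpd log lines and the inventory records are constructed sample data; the only real-world assumption is the ISC dhcpd "DHCPACK on <ip> to <mac> (<hostname>)" message format.

```python
"""Feed DHCP lease events into a hardware asset inventory (CIS sub-controls 1.3, 1.5, 1.6).
Added example; the log lines and inventory records below are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

# Constructed ISC dhcpd syslog lines (not from any real network).
DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.17 to 3c:52:82:aa:01:11 (eng-lt-042) via eth0
Mar  3 09:12:44 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.18 to 3C:52:82:AA:01:12 (eng-lt-043) via eth0
Mar  3 09:13:02 dhcp1 dhcpd[812]: DHCPDISCOVER from b8:27:eb:00:de:ad via eth0
Mar  3 09:13:03 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.99 to b8:27:eb:00:de:ad (raspberrypi) via eth0
Mar  3 09:14:20 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.40 to 00:1b:21:77:00:05 (vendor-kiosk) via eth0
Mar  3 09:15:10 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.17 to 3c:52:82:aa:01:11 (eng-lt-042) via eth0
"""

# Only DHCPACK commits a lease; DISCOVER/OFFER/REQUEST lines are ignored.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<host>[^)]*)\))?"
)


@dataclass
class Asset:
    """One hardware inventory record, with the fields sub-control 1.5 asks for."""
    mac: str
    hostname: str
    owner: str
    department: str
    approved: bool
    ip: Optional[str] = None
    last_seen: Optional[str] = None


# Constructed inventory keyed by lower-case hardware address.
INVENTORY: Dict[str, Asset] = {
    "3c:52:82:aa:01:11": Asset("3c:52:82:aa:01:11", "eng-lt-042", "a.smith", "Engineering", True),
    "3c:52:82:aa:01:12": Asset("3c:52:82:aa:01:12", "eng-lt-043", "b.jones", "Engineering", True),
    "00:1b:21:77:00:05": Asset("00:1b:21:77:00:05", "vendor-kiosk", "facilities", "Facilities", False),
}


def parse_acks(log_text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, ip, mac, hostname) for every DHCPACK line; MACs are normalised."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield line[:15], m["ip"], m["mac"].lower(), m["host"] or ""


def reconcile(log_text: str, inventory: Dict[str, Asset]) -> Dict[str, dict]:
    """Update address and last-seen on known assets (1.3); return the devices that
    must be quarantined or enrolled (1.6): MACs not in the inventory, or not approved."""
    flagged: Dict[str, dict] = {}
    for ts, ip, mac, host in parse_acks(log_text):
        asset = inventory.get(mac)
        if asset is not None:
            asset.ip, asset.last_seen = ip, ts
            if asset.approved:
                continue
            reason = "in inventory but not approved to connect"
        else:
            reason = "not in inventory"
        # Keep the first sighting; later leases only confirm the device is still present.
        flagged.setdefault(mac, {"ip": ip, "hostname": host, "first_seen": ts, "reason": reason})
    return flagged


if __name__ == "__main__":
    for mac, info in reconcile(DHCP_LOG, INVENTORY).items():
        print(f"ALERT {mac} {info['ip']} ({info['hostname'] or '-'}): {info['reason']}")
```

In production the inventory lookup would hit the CMDB and the flagged list would drive a NAC quarantine or a ticket; the logic above is the same whichever tooling sits around it.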
Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
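Sub-controls 3.6 and 3.7 are easiest to see in code: the diff of two consecutive scans tells you what was fixed, what is new and what is persisting, and a risk rating combined with a remediation deadline decides what to chase first. The Python below is an added example, not code from the page or from CIS. The findings, scan dates, exposure data, severity-to-deadline bands and the exposure weight are all constructed assumptions; the finding identifiers are placeholders, not real vulnerability IDs.

```python
"""Compare consecutive vulnerability scans and rank what is still open (CIS 3.6 and 3.7).
Added example: every finding, date, exposure flag and policy number here is constructed."""
from datetime import date
from typing import Dict, List, NamedTuple, Set, Tuple


class Finding(NamedTuple):
    host: str
    finding_id: str   # scanner plugin / vulnerability identifier (placeholder values)
    cvss: float       # CVSS base score as reported by the scanner


Scan = Tuple[date, Set[Finding]]   # (scan date, findings reported by that scan)

# Two consecutive authenticated scans, two weeks apart (constructed data).
PREVIOUS_SCAN: Scan = (date(2024, 2, 26), {
    Finding("web-01", "F-1001", 7.5),
    Finding("web-01", "F-1002", 7.5),
    Finding("db-02", "F-1003", 10.0),
    Finding("jump-01", "F-1004", 9.8),
})
CURRENT_SCAN: Scan = (date(2024, 3, 11), {
    Finding("web-01", "F-1001", 7.5),    # still open
    Finding("db-02", "F-1003", 10.0),    # still open
    Finding("web-01", "F-1005", 5.3),    # newly reported
})

# Exposure context from the asset inventory (constructed): which hosts face the Internet.
INTERNET_FACING = {"web-01": True, "db-02": False, "jump-01": True}
EXPOSURE_WEIGHT = 1.5   # assumed multiplier for Internet-facing hosts


def sla_days(cvss: float) -> int:
    """Remediation deadline by severity band (an assumed policy, not from CIS)."""
    if cvss >= 9.0:
        return 7
    if cvss >= 7.0:
        return 30
    if cvss >= 4.0:
        return 90
    return 180


def diff_scans(previous: Scan, current: Scan) -> Dict[str, Set[Finding]]:
    """Split findings into fixed, new and persistent sets (sub-control 3.6)."""
    prev, cur = previous[1], current[1]
    return {"fixed": prev - cur, "new": cur - prev, "persistent": prev & cur}


def track_first_seen(scans: List[Scan]) -> Dict[Tuple[str, str], date]:
    """Walk scans in date order and remember when each open finding first appeared.
    A finding that disappears is forgotten, so a regression restarts its clock."""
    first_seen: Dict[Tuple[str, str], date] = {}
    for scan_date, findings in sorted(scans, key=lambda s: s[0]):
        keys = {(f.host, f.finding_id) for f in findings}
        for key in keys:
            first_seen.setdefault(key, scan_date)
        for key in list(first_seen):
            if key not in keys:
                del first_seen[key]
    return first_seen


def risk_score(finding: Finding, exposed: bool) -> float:
    """Risk rating: CVSS weighted up when the host is reachable from the Internet."""
    return round(finding.cvss * (EXPOSURE_WEIGHT if exposed else 1.0), 2)


def prioritize(current: Scan, first_seen: Dict[Tuple[str, str], date],
               exposure: Dict[str, bool]) -> List[dict]:
    """Rank open findings: overdue ones first, then by risk, then by age (sub-control 3.7)."""
    scan_date, findings = current
    rows = []
    for f in findings:
        age = (scan_date - first_seen.get((f.host, f.finding_id), scan_date)).days
        rows.append({
            "host": f.host, "finding_id": f.finding_id, "cvss": f.cvss,
            "risk": risk_score(f, exposure.get(f.host, False)),
            "age_days": age, "overdue": age > sla_days(f.cvss),
        })
    rows.sort(key=lambda r: (not r["overdue"], -r["risk"], -r["age_days"]))
    return rows


if __name__ == "__main__":
    for name, group in diff_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(name, sorted(f.finding_id for f in group))
    history = track_first_seen([PREVIOUS_SCAN, CURRENT_SCAN])
    for row in prioritize(CURRENT_SCAN, history, INTERNET_FACING):
        print(row)
```

The ordering rule matters more than the numbers: a lower-scored finding on a less exposed host still comes first once it is past its deadline, which is what turns a scan report into a remediation queue.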

Critical Security Control #4: Controlled Use of Administrative Privileges

4.1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

4.2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

4.3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.

4.4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

4.5 Use multi-factor authentication and encrypted channels for all administrative account access.

4.6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.

4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.

4.8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software

5.1 Maintain documented security configuration standards for all authorized operating systems and software.

5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

6.2 Ensure that local logging has been enabled on all systems and networking devices.

6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.

6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.

6.7 On a regular basis, review logs to identify anomalies or abnormal events.

6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections

7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.

7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.
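Sub-control 7.8 bundles three mechanisms, and the part a receiving gateway actually enforces is DMARC's alignment and disposition logic: SPF or DKIM must pass, the domain that passed must align with the visible From: domain, and otherwise the published policy (p=, or sp= for subdomains, sampled by pct=) is applied. The Python below is an added example, not code from the page or from CIS. The _dmarc records and the SPF/DKIM results are constructed; a real receiver fetches the record over DNS and computes organizational domains with the Public Suffix List, which this example approximates with the last two labels.

```python
"""Evaluate a message against a domain's DMARC policy (CIS 7.8). Added example with
constructed DNS records; real receivers fetch _dmarc.<domain> TXT over DNS and use the
Public Suffix List for organizational domains (approximated here by the last two labels)."""
from typing import Dict, Optional, Tuple

# Constructed answers for _dmarc.<domain> TXT lookups.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "example.net": "v=DMARC1; p=reject; pct=50",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; ...' into a dict, filling in the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to the domain policy
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption: no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') only the
    same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(from_domain: str, spf_result: str, spf_domain: Optional[str],
             dkim_result: str, dkim_domain: Optional[str],
             records: Dict[str, str] = DMARC_RECORDS, sample: int = 0) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= of a signature
    that verified. sample is this message's 0-99 draw against pct= (0 = always apply)."""
    policy_domain = from_domain if from_domain in records else org_domain(from_domain)
    record = records.get(policy_domain)
    if record is None:
        return "none", "none"             # no policy published: deliver as usual
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"] if policy_domain == from_domain else tags["sp"]
    if sample >= int(tags["pct"]):        # outside the sampled share: next-less-severe action
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


if __name__ == "__main__":
    # A bounce domain passes SPF under relaxed alignment; a third-party mailer's DKIM
    # signature on an unrelated domain does not rescue a forged From: header.
    print(evaluate("example.com", "pass", "bounce.example.com", "fail", None))
    print(evaluate("example.com", "pass", "mailer.example.net", "pass", "news.example.com"))
```

The second call in the usage block is the spoofing case the sub-control is about: SPF passes for the sender's own bounce domain and DKIM verifies, yet neither identifier aligns with example.com, so the message fails DMARC and is rejected.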
Critical Security Control #8: Malware Defenses

8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.

8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

8.5 Configure devices to not auto-run content from removable media.

8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.

8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports

9.1 Associate active ports, services, and protocols to the hardware assets in the asset inventory.

9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities

10.1 Ensure that all system data is automatically backed up on a regular basis.

10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.

10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

11.1 Maintain documented security configuration standards for all authorized network devices.

11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.

11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.

11.4 Install the latest stable version of any security-related updates on all network devices.

11.5 Manage all network devices using multi-factor authentication and encrypted sessions.

11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.

11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.

12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.

12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.

12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.

12.8 Enable the collection of NetFlow and logging data on all network boundary devices.

12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.

12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.

12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.

12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.

13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

13.4 Only allow access to authorized cloud storage or email providers.

13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

14.1 Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).

14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.

14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.

14.4 Encrypt all sensitive information in transit.

14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.

14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.

14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.

14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control

15.1 Maintain an inventory of authorized wireless access points connected to the wired network.

15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.

15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.

15.4 Disable wireless access on devices that do not have a business purpose for wireless access.

15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.

15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.

15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control

16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.

16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.

16.4 Encrypt or hash with a salt all authentication credentials when stored.

16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
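Sub-control 16.4 says "hash with a salt"; in practice that means a random per-credential salt, a deliberately slow key-derivation function rather than a bare SHA-256, and a constant-time comparison on verification. The Python below is an added example using only the standard library, not code from the page or from CIS. The record format, the iteration count and the rehash-on-login migration path are assumptions; the legacy function is included only to show the anti-pattern the sub-control rules out.

```python
"""Salted, slow credential hashing with constant-time verification (CIS 16.4).
Added example; the record format, iteration count and migration logic are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed); raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt      # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def legacy_unsalted(password: str) -> str:
    """The anti-pattern: fast and unsalted. Equal passwords hash equally, so one
    precomputed table cracks every user at once, and the hash is cheap to brute-force."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Verify against whatever format is stored and rehash legacy entries on success,
    so a migration completes as users log in without anyone learning their passwords."""
    record = store.get(user)
    if record is None:
        return False
    if record.startswith("pbkdf2_sha256$"):
        return verify_password(password, record)
    if hmac.compare_digest(record, legacy_unsalted(password)):
        store[user] = hash_password(password)
        return True
    return False


if __name__ == "__main__":
    # Same password, two records, two different hashes: that is the salt doing its job.
    print(hash_password("correct horse battery", iterations=20_000))
    print(hash_password("correct horse battery", iterations=20_000))
```

Storing the parameters inside the record is what lets the work factor be raised later: old records keep verifying with their own iteration count, and get rehashed at the new one the next time the user logs in.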

16.6 Maintain an inventory of all accounts organized by authentication system.

16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

16.8 Disable any account that cannot be associated with a business process or business owner.

16.9 Automatically disable dormant accounts after a set period of inactivity.

16.10 Ensure that all accounts have an expiration date that is monitored and enforced.

16.11 Automatically lock workstation sessions after a standard period of inactivity.

16.12 Monitor attempts to access deactivated accounts through audit logging.

16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
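Sub-control 16.13 (and the log review in 6.7) comes down to building a per-user baseline and comparing new events against it. The Python below is an added example, not code from the page or from CIS. The authentication events are constructed, and the baseline model (the hour-of-day window seen before a cutoff, widened by one hour of slack, plus the set of workstations seen) is a deliberately simple assumption that a SIEM would replace with something statistical.

```python
"""Flag logins outside a user's usual hours or from unseen workstations (CIS 16.13).
Added example over constructed events; the baseline model is deliberately simple."""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed authentication events, one JSON object per line, as a SIEM might normalise them.
EVENT_LOG = """
{"ts": "2024-03-04T08:55:12", "user": "a.smith", "host": "eng-lt-042", "result": "success"}
{"ts": "2024-03-04T17:40:03", "user": "a.smith", "host": "eng-lt-042", "result": "success"}
{"ts": "2024-03-05T09:02:41", "user": "a.smith", "host": "eng-lt-042", "result": "success"}
{"ts": "2024-03-05T09:30:00", "user": "b.jones", "host": "eng-lt-043", "result": "success"}
{"ts": "2024-03-06T18:15:27", "user": "b.jones", "host": "eng-lt-043", "result": "success"}
{"ts": "2024-03-12T03:12:50", "user": "a.smith", "host": "eng-lt-042", "result": "success"}
{"ts": "2024-03-12T10:05:19", "user": "a.smith", "host": "srv-fin-01", "result": "success"}
{"ts": "2024-03-12T10:06:00", "user": "b.jones", "host": "eng-lt-043", "result": "failure"}
{"ts": "2024-03-12T11:00:00", "user": "b.jones", "host": "eng-lt-043", "result": "success"}
{"ts": "2024-03-13T22:47:09", "user": "svc-backup", "host": "eng-lt-042", "result": "success"}
"""
EVENTS: List[dict] = [json.loads(line) for line in EVENT_LOG.strip().splitlines()]


def build_baseline(events: List[dict], cutoff: str) -> Dict[str, dict]:
    """Per user: hours of day and hosts seen in successful logins before the cutoff.
    ISO-8601 timestamps of the same form compare correctly as strings."""
    baseline: Dict[str, dict] = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baseline[e["user"]]["hours"].add(datetime.fromisoformat(e["ts"]).hour)
            baseline[e["user"]]["hosts"].add(e["host"])
    return dict(baseline)


def deviations(events: List[dict], baseline: Dict[str, dict], cutoff: str,
               slack_hours: int = 1) -> List[dict]:
    """Alerts for successful logins at or after the cutoff that fall outside the baseline."""
    alerts = []
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue   # failed logins belong to a separate detection (compare 4.9)
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            hour = datetime.fromisoformat(e["ts"]).hour
            low = min(profile["hours"]) - slack_hours
            high = max(profile["hours"]) + slack_hours
            if not low <= hour <= high:
                reasons.append(f"hour {hour:02d} outside usual {low:02d}-{high:02d}")
            if e["host"] not in profile["hosts"]:
                reasons.append(f"first login from {e['host']}")
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "host": e["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    cutoff = "2024-03-11"
    for alert in deviations(EVENTS, build_baseline(EVENTS, cutoff), cutoff):
        print(alert["ts"], alert["user"], alert["host"], "; ".join(alert["reasons"]))
```

The account with no baseline at all is worth keeping as its own alert: a service account that has never logged on interactively and suddenly does is exactly the case 16.8 and 16.12 are trying to surface.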
Critical Security Control #17: Implement a Security Awareness and Training Program

17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.

17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.

17.5 Train workforce members on the importance of enabling and utilizing secure authentication.

17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.

17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.

17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security

18.1 Establish secure coding practices appropriate to the programming language and development environment being used.

18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and ac1ceptable ranges or formats.

18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.

18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
curity Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a


security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping matrix; columns: 1 Boundary firewalls and internet gateways, 2 Secure configuration, 3 Access control, 4 Malware protection, 5 Patch management; a cell is marked X where a sub-control maps to that column]
CIS Controls v7.1 mapped to the UK's Information Commissioner's Office (ICO) Protecting Personal Data in Online Services

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7

System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2
Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1
Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12
Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9
Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4
Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls v7.1 mapped to the UK's Information Commissioner's Office (ICO) Protecting Personal Data in Online Services

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping grid: columns 1 Software updates, 2 SQL injection, 3 Unnecessary services, 4 Decommissioning of software or services, 5 Password storage, 6 Configuration of SSL and TLS, 7 Inappropriate locations for processing data, 8 Default credentials. Only the column headings and a fragment of the Control #11 heading ("Firewalls, Routers and Switches") survived extraction; the per-row "X" marks lost their row alignment and are omitted here.]
CIS Controls v7.1 mapped to PCI DSS 3.1

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2
System 2.3

System 2.4

System 2.5

System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2
System 4.3

System 4.4

System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6
System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections

System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5
System 8.6

System 8.7

System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5
Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12
Critical Security Control #13: Data Protection

Network 13.1

Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7
Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7
Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4
Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls

CIS Controls v7.1 mapped to PCI DSS 3.1

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

PCI DSS 1.1: Establish and implement firewall and router configuration standards.
PCI DSS 1.2: Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
PCI DSS 1.3: Prohibit direct public access between the Internet and any system component in the cardholder data environment.

[Mapping cells for PCI DSS 1.1-1.3: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels (only the fragment "Critical Security Control #11: ... Routers and Switches" survives) and are not recoverable here.]
PCI DSS 1.4: Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.
PCI DSS 1.5: Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
PCI DSS 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

[Mapping cells for PCI DSS 1.4-2.1: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 2.2: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
PCI DSS 2.3: Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
PCI DSS 2.4: Maintain an inventory of system components that are in scope for PCI DSS.

[Mapping cells for PCI DSS 2.2-2.4: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 2.5: Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
PCI DSS 2.6: Shared hosting providers must protect each entity’s hosted environment and cardholder data.
PCI DSS 3.1: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.

PCI DSS 3.2: Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
PCI DSS 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
PCI DSS 3.4: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).

PCI DSS 3.5: Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
PCI DSS 3.6: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
PCI DSS 3.7: Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.

[Mapping cells for PCI DSS 3.5-3.7: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
PCI DSS 4.2: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
PCI DSS 4.3: Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.

[Mapping cells for PCI DSS 4.1-4.3: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 5.1: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
PCI DSS 5.2: Ensure that all anti-virus mechanisms are maintained.
PCI DSS 5.3: Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

[Mapping cells for PCI DSS 5.1-5.3: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 5.4: Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
PCI DSS 6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
PCI DSS 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

[Mapping cells for PCI DSS 5.4-6.2: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 6.3: Develop internal and external software applications (including web-based administrative access to applications) securely.
PCI DSS 6.4: Follow change control processes and procedures for all changes to system components.
PCI DSS 6.5a: Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.

[Mapping cells for PCI DSS 6.3-6.5a: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 6.5b: Develop applications based on secure coding guidelines.
PCI DSS 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
PCI DSS 6.7: Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.

[Mapping cells for PCI DSS 6.5b-6.7: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.
PCI DSS 7.2: Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
PCI DSS 7.3: Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

[Mapping cells for PCI DSS 7.1-7.3: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 8.1: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
PCI DSS 8.2: In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.
PCI DSS 8.3: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

[Mapping cells for PCI DSS 8.1-8.3: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 8.4: Document and communicate authentication procedures and policies to all users.
PCI DSS 8.5: Do not use group, shared, or generic IDs, passwords, or other authentication methods.
PCI DSS 8.6: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned.

PCI DSS 8.7: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted.
PCI DSS 8.8: Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
PCI DSS 9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

[Mapping cells for PCI DSS 8.7-9.1: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 9.2: Develop procedures to easily distinguish between onsite personnel and visitors.
PCI DSS 9.3: Control physical access for onsite personnel to the sensitive areas.
PCI DSS 9.4: Implement procedures to identify and authorize visitors.

PCI DSS 9.5: Physically secure all media.
PCI DSS 9.6: Maintain strict control over the internal or external distribution of any kind of media.
PCI DSS 9.7: Maintain strict control over the storage and accessibility of media.

[Mapping cells for PCI DSS 9.5-9.7: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 9.8: Destroy media when it is no longer needed for business or legal reasons.
PCI DSS 9.9: Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
PCI DSS 9.10: Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

PCI DSS 10.1: Implement audit trails to link all access to system components to each individual user.
PCI DSS 10.2: Implement automated audit trails for all system components.
PCI DSS 10.3: Record at least the following audit trail entries for all system components for each event.

[Mapping cells for PCI DSS 10.1-10.3: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 10.4: Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
PCI DSS 10.5: Secure audit trails so they cannot be altered.
PCI DSS 10.6: Review logs and security events for all system components to identify anomalies or suspicious activity.

[Mapping cells for PCI DSS 10.4-10.6: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]

PCI DSS 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
PCI DSS 10.8: Implement a process for the timely detection and reporting of failures of critical security control systems,
PCI DSS 10.9: Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.

[Mapping cells for PCI DSS 10.7-10.9: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 11.1: Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
PCI DSS 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
PCI DSS 11.3: Implement a methodology for penetration testing.

[Mapping cells for PCI DSS 11.1-11.3: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 11.4: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
PCI DSS 11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
PCI DSS 11.6: Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.

[Mapping cells for PCI DSS 11.4-11.6: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 12.1: Establish, publish, maintain, and disseminate a security policy.
PCI DSS 12.2: Implement a risk-assessment process.
PCI DSS 12.3: Develop usage policies for critical technologies and define proper use of these technologies.

PCI DSS 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
PCI DSS 12.5: Assign to an individual or team the following information security management responsibilities.
PCI DSS 12.6: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

[Mapping cells for PCI DSS 12.4-12.6: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
PCI DSS 12.7: Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)
PCI DSS 12.8: Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
PCI DSS 12.9: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

PCI DSS 12.10: Implement an incident response plan. Be prepared to respond immediately to a system breach.
PCI DSS 12.11: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.

[Mapping cells for PCI DSS 12.10-12.11: the X marks showing which CIS sub-controls map to each requirement were exported without their row labels and are not recoverable here.]
CIS Controls v7.1 mapped to PCI DSS 3.1

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2
System 2.3

System 2.4

System 2.5

System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2
System 4.3

System 4.4

System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6
System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections

System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5
System 8.6

System 8.7

System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5
Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12
Critical Security Control #13: Data Protection

Network 13.1

Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7
Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7
Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4
Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services with a validated business need are listening
on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
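
An added example, not from the page or the tool, of the comparison that 9.3 and 9.4 describe: parse a host's listening sockets and diff them against the approved (protocol, port, process) baseline from the asset inventory, alerting on anything unexpected and on an approved port owned by the wrong process. The `ss`-style sample, the host name and the baseline are constructed.

```python
"""Compare a host's listening sockets against its approved baseline (CIS 9.3/9.4).

SAMPLE_SS is constructed to look like `ss -Hlntup` output; in practice you would
collect that output per host and load the baseline from the asset inventory.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Extract (proto, local address, port, process) from ss -lntup style rows."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or a socket type we do not track
        addr, port = fields[4].rsplit(":", 1)
        match = PROCESS_RE.search(line)
        listeners.append(Listener(fields[0], addr.strip("[]"), int(port), match.group(1) if match else "?"))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr == "::1" or addr.startswith("127.")


def audit_listeners(host: str, listeners: list[Listener], baseline: dict[tuple[str, int], str]) -> list[str]:
    """baseline maps (proto, port) -> process name approved to own that port."""
    alerts = []
    seen = set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        expected = baseline.get(key)
        if expected is None:
            # Loopback-only listeners are not reachable from the network, so they
            # are reported for the inventory rather than paged on.
            level = "info" if is_loopback(l.addr) else "ALERT"
            alerts.append(f"{level} {host}: {l.proto}/{l.port} ({l.process}) on {l.addr} not in baseline")
        elif expected != l.process:
            alerts.append(f"ALERT {host}: {l.proto}/{l.port} owned by {l.process}, baseline expects {expected}")
    for key, proc in baseline.items():
        if key not in seen:
            alerts.append(f"WARN {host}: approved service {key[0]}/{key[1]} ({proc}) is not listening")
    return alerts


# Constructed sample, shaped like `ss -Hlntup` on a web server.
SAMPLE_SS = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*   users:(("nginx",pid=1044,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*   users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      50     0.0.0.0:4444      0.0.0.0:*   users:(("nc",pid=2201,fd=3))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*   users:(("dhclient",pid=601,fd=6))
tcp   LISTEN 0      128    [::]:22           [::]:*      users:(("sshd",pid=812,fd=4))
"""

# Hypothetical approved services for this host, as the asset inventory would record them.
BASELINE = {("tcp", 22): "sshd", ("tcp", 80): "nginx", ("tcp", 443): "nginx", ("udp", 68): "dhclient"}

if __name__ == "__main__":
    for line in audit_listeners("web01", parse_ss(SAMPLE_SS), BASELINE):
        print(line)
```

The host-side view complements, rather than replaces, the external scan in 9.3: a listener bound to all interfaces but blocked by the host firewall of 9.4 shows up here and not in the scan, and the two results should be reconciled.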
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
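
An added example of the comparison 11.3 calls for (not the tool's own code): normalise a device's running configuration, diff it against the approved golden copy, and escalate additions that weaken the management plane. The IOS-style snippets, the hostname and the risk patterns are constructed for illustration.

```python
"""Detect configuration drift on a network device against its approved baseline (CIS 11.3).

GOLDEN and RUNNING are constructed, Cisco IOS-style snippets; a real job would
pull the running config over SSH and load the golden copy from version control.
"""
from __future__ import annotations

import difflib
import re

# Lines that change on their own and must not count as drift.
VOLATILE = [
    re.compile(r"^!"),                                # comments and timestamps
    re.compile(r"^(Building|Current) configuration"),
    re.compile(r"^ntp clock-period"),
]

# Added lines that weaken security and should page rather than just ticket.
# The patterns are illustrative; extend them for your platform.
HIGH_RISK = [
    (re.compile(r"^\s*transport input\b.*\btelnet\b"), "cleartext management (telnet) enabled"),
    (re.compile(r"^\s*ip http server$"), "cleartext HTTP management enabled"),
    (re.compile(r"^\s*snmp-server community \S+ RW\b", re.I), "SNMP read-write community added"),
    (re.compile(r"^\s*no service password-encryption$"), "password encryption disabled"),
]


def normalize(config: str) -> list[str]:
    """Drop blank and volatile lines; keep indentation, it carries context in IOS."""
    kept = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or any(p.match(line.strip()) for p in VOLATILE):
            continue
        kept.append(line)
    return kept


def drift(golden: str, running: str) -> dict[str, list]:
    """Lines added to / missing from the running config, plus high-risk additions."""
    added, missing = [], []
    for tok in difflib.unified_diff(normalize(golden), normalize(running), lineterm="", n=0):
        if tok.startswith(("--- ", "+++ ", "@@")):
            continue  # diff headers, not config content
        if tok.startswith("+"):
            added.append(tok[1:])
        elif tok.startswith("-"):
            missing.append(tok[1:])
    high = [(line, why) for line in added for pat, why in HIGH_RISK if pat.search(line)]
    return {"added": added, "missing": missing, "high": high}


GOLDEN = """\
! Last configuration change at 10:02:11 UTC Mon Jan 1 2024
hostname edge-rtr-01
service password-encryption
no ip http server
line vty 0 4
 transport input ssh
 login local
snmp-server community s3cr3t-ro RO 10
"""

RUNNING = """\
! Last configuration change at 14:20:03 UTC Tue Jan 2 2024
hostname edge-rtr-01
service password-encryption
ip http server
line vty 0 4
 transport input ssh telnet
 login local
snmp-server community s3cr3t-ro RO 10
snmp-server community public RW
"""

if __name__ == "__main__":
    report = drift(GOLDEN, RUNNING)
    for line in report["missing"]:
        print(f"MISSING  {line}")
    for line in report["added"]:
        print(f"ADDED    {line}")
    for line, why in report["high"]:
        print(f"HIGH     {why}: {line.strip()}")
```

Any drift at all is an alert under 11.3; the high-risk list only decides who is paged. Keep the golden copies under version control so that an approved change is a reviewed commit and an unapproved one is visible as drift the next time the job runs.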

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Management).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which provides mutual, certificate-based authentication,
and require multi-factor authentication for wireless access.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Hash all stored passwords with a unique per-credential salt, using a purpose-built password hashing
function, and encrypt any other stored authentication credentials.
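
An added example (not from the page) of storing credentials the way 16.4 requires: salted scrypt hashes with the work factor recorded alongside the hash, constant-time verification, and a check that flags records produced with outdated parameters. `legacy_hash` is the unsalted pattern shown only for contrast; the sample password is constructed.

```python
"""Store credentials as salted, slow hashes and verify them in constant time (CIS 16.4).

legacy_hash is the weak pattern, shown only for contrast with hash_password.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Work factor. Raise SCRYPT_N over time; needs_rehash() catches stored hashes
# that were produced with weaker parameters so they can be upgraded at next login.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def legacy_hash(password: str) -> str:
    """Unsalted fast hash: equal passwords give equal digests, and one
    precomputed table cracks every account. Do not use; here for contrast."""
    return hashlib.sha256(password.encode()).hexdigest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing 'scrypt$n$r$p$salt$key' record with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(n), str(r), str(p), _b64(salt), _b64(key)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare without leaking timing."""
    try:
        algo, n, r, p, salt_b64, key_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
        candidate = hashlib.scrypt(password.encode(), salt=salt, n=int(n), r=int(r), p=int(p),
                                   dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record is not scrypt or was made with weaker-than-current parameters."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    n, r, p = (int(x) for x in parts[1:4])
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("legacy, two users same password, same digest:", legacy_hash(pw) == legacy_hash(pw))
    h1, h2 = hash_password(pw), hash_password(pw)
    print("salted, two users same password, same record:", h1 == h2)
    print("verify ok:", verify_password(pw, h1), "wrong password:", verify_password("password1", h1))
```

The record format carries its own parameters so the work factor can be raised without invalidating existing accounts: on a successful login, `needs_rehash` decides whether to replace the stored record with a fresh `hash_password` result.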


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
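
An added example (not part of the page) of the login-behaviour alerting in 16.13: build a per-user profile of usual hours and workstations from past logins, then report the reasons a new event deviates from it. The event history and workstation names are constructed.

```python
"""Flag logins that deviate from a user's established pattern (CIS 16.13).

HISTORY and NEW_EVENTS are constructed authentication events (user, ISO time,
workstation); in practice they come from the directory or SIEM login logs.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

Event = tuple[str, str, str]  # (user, ISO-8601 timestamp, source workstation)


def build_profiles(history: list[Event]) -> dict[str, dict[str, set]]:
    """Per user: hours of day and workstations seen in the baseline window."""
    profiles: dict[str, dict[str, set]] = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for user, ts, host in history:
        profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
        profiles[user]["hosts"].add(host)
    return profiles


def hour_distance(a: int, b: int) -> int:
    """Circular distance on a 24-hour clock (23:00 and 01:00 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def deviations(event: Event, profiles: dict[str, dict[str, set]], tolerance_hours: int = 1) -> list[str]:
    """Reasons the event deviates from the user's profile; an empty list means normal."""
    user, ts, host = event
    profile = profiles.get(user)
    if profile is None:
        return ["no baseline for this user"]
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if all(hour_distance(hour, h) > tolerance_hours for h in profile["hours"]):
        reasons.append(f"login at {hour:02d}:xx outside usual hours")
    if host not in profile["hosts"]:
        reasons.append(f"first login from workstation {host}")
    return reasons


# Constructed baseline: a few weeks of ordinary logins, abbreviated.
HISTORY: list[Event] = [
    ("alice", "2024-03-04T08:55:00", "WS-ALICE"),
    ("alice", "2024-03-05T09:10:00", "WS-ALICE"),
    ("alice", "2024-03-06T13:02:00", "WS-ALICE"),
    ("alice", "2024-03-07T17:40:00", "WS-ALICE"),
    ("bob", "2024-03-04T22:05:00", "WS-BOB"),
    ("bob", "2024-03-05T23:30:00", "WS-BOB"),
    ("bob", "2024-03-06T00:45:00", "WS-BOB"),
]

# Constructed events to score against that baseline.
NEW_EVENTS: list[Event] = [
    ("alice", "2024-03-11T10:05:00", "WS-ALICE"),   # normal
    ("alice", "2024-03-12T03:12:00", "WS-ALICE"),   # 03:12 is far from 08-18
    ("alice", "2024-03-12T10:00:00", "WS-BOB"),     # someone else's workstation
    ("bob", "2024-03-11T01:10:00", "WS-BOB"),       # within an hour of 00:45, night shift
    ("carol", "2024-03-11T09:00:00", "WS-CAROL"),   # never seen before
]

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for ev in NEW_EVENTS:
        print(ev, "->", deviations(ev, profiles) or "ok")
```

The baseline window should be long enough to cover shift patterns (Bob's night logins are normal for him, not for Alice) and should be rebuilt from events that were themselves not flagged, otherwise an attacker's first few logins become part of the profile.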
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

PCI DSS 1.1: Establish and implement firewall and router configuration standards.
PCI DSS 1.2: Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
PCI DSS 1.3: Prohibit direct public access between the Internet and any system component in the cardholder data environment.


X X

X X

X X
X X
X X
X X

X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X
X

X
X

X
X

X
PCI DSS 1.4: Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.
PCI DSS 1.5: Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
PCI DSS 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.


X
X
X
X
X

X
X
X
X
X
X
X
X
X

X
X

X
X

X
PCI DSS 2.2: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
PCI DSS 2.3: Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
PCI DSS 2.4: Maintain an inventory of system components that are in scope for PCI DSS.


X
X
X

X
X
X
X
X
X

X
X
X X

X X

X X

X X

X X
X X

X X
X X

X X

X X

X X

X X

X X

X X
X X
X

X
X
X
X

X
PCI DSS 2.5: Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
PCI DSS 2.6: Shared hosting providers must protect each entity's hosted environment and cardholder data.
PCI DSS 3.1: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.


PCI DSS 3.2: Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
PCI DSS 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
PCI DSS 3.4: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).


PCI DSS 3.5: Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
PCI DSS 3.6: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
PCI DSS 3.7: Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.


X

X
X
X
X

X
X
PCI DSS 4.1: Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
PCI DSS 4.2: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
PCI DSS 4.3: Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.


X
X
X

X
X X X

X X X

X X X
X X X
X X X
X X X

X X X

X X X
X X X

X
X

X
X

X
X
X
X

X
X
X

X
X
PCI DSS 5.1: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
PCI DSS 5.2: Ensure that all anti-virus mechanisms are maintained.
PCI DSS 5.3: Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.


X X X

X X X

X X X

X X X
X X X
X X X
X X X
X X X
PCI DSS 5.4: Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
PCI DSS 6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.
PCI DSS 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.


X X

X X

X X

X X
X X
X X
X X
X

X
X

X
X

X
X

X
X
X
X
X

X
X
X
X

X
PCI DSS 6.3: Develop internal and external software applications (including web-based administrative access to applications) securely.
PCI DSS 6.4: Follow change control processes and procedures for all changes to system components.
PCI DSS 6.5a: Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.


X X
X X

X X

X X
X X
X X
X X
X X
X X

X X

X X
PCI DSS 6.5b: Develop applications based on secure coding guidelines.
PCI DSS 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
PCI DSS 6.7: Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.


X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
PCI DSS 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.
PCI DSS 7.2: Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
PCI DSS 7.3: Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.


X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X

X X X

X X X
X X X

X X X

X X X

X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X

X X X
X X X
X X X
X X X
X X X
X X X
X X X
PCI DSS 8.1: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
PCI DSS 8.2: In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.
PCI DSS 8.3: Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).


X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X

X
PCI DSS 8.4: Document and communicate authentication procedures and policies to all users.
PCI DSS 8.5: Do not use group, shared, or generic IDs, passwords, or other authentication methods.
PCI DSS 8.6: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned.


PCI DSS 8.7: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted.
PCI DSS 8.8: Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
PCI DSS 9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.


X
X
X
X
X

X
X
X
X

X
X

X
X

X X
X X
X X
X X
X X
X X

X X
X X
X X
X X
X X
X X
X X
PCI DSS 9.2: Develop procedures to easily distinguish between onsite personnel and visitors.
PCI DSS 9.3: Control physical access for onsite personnel to the sensitive areas.
PCI DSS 9.4: Implement procedures to identify and authorize visitors.


PCI DSS 9.5: Physically secure all media.
PCI DSS 9.6: Maintain strict control over the internal or external distribution of any kind of media.
PCI DSS 9.7: Maintain strict control over the storage and accessibility of media.


X X X
X X X
X X X

X X X

X X X
PCI DSS 9.8: Destroy media when it is no longer needed for business or legal reasons.
PCI DSS 9.9: Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
PCI DSS 9.10: Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.


PCI DSS 10.1: Implement audit trails to link all access to system components to each individual user.
PCI DSS 10.2: Implement automated audit trails for all system components.
PCI DSS 10.3: Record at least the following audit trail entries for all system components for each event.


X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
PCI DSS 10.4: Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
PCI DSS 10.5: Secure audit trails so they cannot be altered.
PCI DSS 10.6: Review logs and security events for all system components to identify anomalies or suspicious activity.


X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
PCI DSS 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
PCI DSS 10.8: Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
PCI DSS 11.1: Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.


X
X
X
X
X
X
X
X
X

X
X
X
X
X

X
X
X

X
X
PCI DSS 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
PCI DSS 11.3: Implement a methodology for penetration testing.
PCI DSS 11.4: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.


X

X
X
X
X
X

X
X
X
X

X
PCI DSS 11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
PCI DSS 11.6: Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
PCI DSS 12.1: Establish, publish, maintain, and disseminate a security policy.


X

X
X

X
X

X
X
PCI DSS 12.2: Implement a risk-assessment process.
PCI DSS 12.3: Develop usage policies for critical technologies and define proper use of these technologies.
PCI DSS 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.


PCI DSS 12.5: Assign to an individual or team the following information security management responsibilities.
PCI DSS 12.6: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
PCI DSS 12.7: Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)


X
X

X
X
X

X
PCI DSS 12.8: Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
PCI DSS 12.9: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.
PCI DSS 12.10: Implement an incident response plan. Be prepared to respond immediately to a system breach.


X

X
CIS Controls v7.1 mapped to PCI DSS 3.0

Sub-control index (the workbook records an asset type, System, Network or Application, beside each sub-control ID):

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices: sub-controls 1.1 to 1.8, asset type System
Critical Security Control #2: Inventory of Authorized and Unauthorized Software: sub-controls 2.1 to 2.10, asset type System
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation: sub-controls 3.1 to 3.7, asset type System
Critical Security Control #4: Controlled Use of Administrative Privileges: sub-controls 4.1 to 4.9, asset type System
Critical Security Control #5: Secure Configurations for Hardware and Software: sub-controls 5.1 to 5.5, asset type System
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs: sub-controls 6.1 to 6.8, asset type System
Critical Security Control #7: Email and Web Browser Protections: sub-controls 7.1 to 7.10, asset type System
Critical Security Control #8: Malware Defenses: sub-controls 8.1 to 8.8, asset type System
Critical Security Control #9: Limitation and Control of Network Ports: sub-controls 9.1 to 9.5, asset type System
Critical Security Control #10: Data Recovery Capabilities: sub-controls 10.1 to 10.5, asset type System
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches: sub-controls 11.1 to 11.7, asset type Network
Critical Security Control #12: Boundary Defense: sub-controls 12.1 to 12.12, asset type Network
Critical Security Control #13: Data Protection: sub-controls 13.1 to 13.9, asset type Network
Critical Security Control #14: Controlled Access Based on the Need to Know: sub-controls 14.1 to 14.9, asset type Application
Critical Security Control #15: Wireless Access Control: sub-controls 15.1 to 15.10, asset type Network
Critical Security Control #16: Account Monitoring and Control: sub-controls 16.1 to 16.13, asset type Application
Critical Security Control #17: Implement a Security Awareness and Training Program: sub-controls 17.1 to 17.9, asset type Application
Critical Security Control #18: Application Software Security: sub-controls 18.1 to 18.11, asset type Application
Critical Security Control #19: Incident Response and Management: sub-controls 19.1 to 19.8, asset type Application
Critical Security Control #20: Penetration Tests and Red Team Exercises: sub-controls 20.1 to 20.8, asset type Application
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices (asset type: System)

1.1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
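Sub-controls 1.3, 1.5 and 1.6 describe one loop: DHCP logs feed the inventory, the inventory carries the fields in 1.5, and anything leased that the inventory does not approve is the 1.6 queue. The following is an added example of that loop and is not part of the CIS Controls or this mapping workbook; the ISC dhcpd-style log lines and the inventory records are constructed sample data, and the field names on the Asset record are assumptions.

```python
"""Reconcile DHCP lease events against the hardware asset inventory.

Added example for sub-controls 1.3, 1.5 and 1.6; it is not part of the CIS
Controls or of this mapping workbook. The log lines follow the ISC dhcpd
syslog format and, together with the inventory records, are constructed
sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. Only DHCPACK lines prove that a device actually
# obtained an address; DISCOVER/OFFER/REQUEST lines are ignored on purpose.
SAMPLE_DHCP_LOG = """\
Mar  3 09:14:02 dhcp1 dhcpd[1234]: DHCPACK on 10.10.20.15 to 00:11:22:33:44:55 (ws-finance-07) via eth0
Mar  3 09:14:30 dhcp1 dhcpd[1234]: DHCPACK on 10.10.20.16 to aa:bb:cc:dd:ee:01 (printer-2f) via eth0
Mar  3 09:15:11 dhcp1 dhcpd[1234]: DHCPACK on 10.10.20.44 to de:ad:be:ef:00:01 (android-3f2a) via eth0
Mar  3 09:15:12 dhcp1 dhcpd[1234]: DHCPDISCOVER from de:ad:be:ef:00:02 via eth0
Mar  3 09:15:40 dhcp1 dhcpd[1234]: DHCPACK on 10.10.20.50 to aa:bb:cc:dd:ee:99 via eth0
Mar  3 09:16:00 dhcp1 dhcpd[1234]: DHCPACK on 10.10.20.17 to 00:11:22:33:44:55 (ws-finance-07) via eth0
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class Asset:
    """The inventory fields sub-control 1.5 requires, keyed by hardware address (assumed layout)."""
    mac: str
    name: str
    owner: str
    department: str
    approved: bool
    ip: Optional[str] = None  # network address, refreshed from DHCP


# Constructed inventory: two approved assets and one recorded but not yet approved.
SAMPLE_INVENTORY: Dict[str, Asset] = {
    "00:11:22:33:44:55": Asset("00:11:22:33:44:55", "ws-finance-07", "j.doe", "Finance", True),
    "aa:bb:cc:dd:ee:01": Asset("aa:bb:cc:dd:ee:01", "printer-2f", "facilities", "Facilities", True),
    "aa:bb:cc:dd:ee:99": Asset("aa:bb:cc:dd:ee:99", "ws-hr-03", "a.smith", "HR", False),
}


def parse_leases(log_text: str) -> Dict[str, dict]:
    """Return the most recent DHCPACK per MAC as {mac: {ip, host, iface}}."""
    leases: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = {"ip": m["ip"], "host": m["host"] or "", "iface": m["iface"]}
    return leases


def reconcile(leases: Dict[str, dict], inventory: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Split leased MACs into approved, known-but-unapproved and unknown.

    Known assets get their network address refreshed (1.3); the other two
    lists are the queue for 1.6: quarantine, remove, or approve and record.
    """
    result: Dict[str, List[str]] = {"approved": [], "unapproved": [], "unknown": []}
    for mac, lease in leases.items():
        asset = inventory.get(mac)
        if asset is None:
            result["unknown"].append(mac)
            continue
        asset.ip = lease["ip"]
        result["approved" if asset.approved else "unapproved"].append(mac)
    return result


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_DHCP_LOG)
    for bucket, macs in reconcile(leases, SAMPLE_INVENTORY).items():
        for mac in macs:
            print(f"{bucket:10} {mac}  ip={leases[mac]['ip']}  host={leases[mac]['host'] or '-'}")
```

The last DHCPACK for a MAC wins, so a device that renews on a new address is recorded once with its current address; a DISCOVER from a MAC that never received an ACK is deliberately not treated as a connected device.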
Critical Security Control #2: Inventory of Authorized and Unauthorized Software (asset type: System)

2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation (asset type: System)

3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
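Sub-controls 3.6 and 3.7 together are a scan-to-scan diff followed by a ranking of whatever is still open. The block below is an added example of both steps, not part of the CIS Controls or this workbook. It assumes the scanner can export one row per host, finding id, CVSS base score and first-seen date; the two CSV exports, the finding ids, the Internet-facing host tag and the scoring weights are all constructed for the illustration.

```python
"""Diff two consecutive vulnerability scans and rank what is still open.

Added example for sub-controls 3.6 and 3.7; not part of the CIS Controls or
the mapping workbook. It assumes the scanner exports one row per
(host, finding id, CVSS base score, first-seen date); the two CSV exports,
the finding ids and the Internet-facing host tag below are constructed.
"""
import csv
import io
from datetime import date
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]  # (host, finding id)

# Constructed exports: the previous scan and the one taken a week later.
PREVIOUS_SCAN = """host,finding_id,cvss,first_seen
web01,F-1001,9.8,2024-01-05
web01,F-1002,5.3,2024-02-10
db01,F-1003,7.5,2024-01-20
ws-hr-03,F-1004,4.0,2024-02-01
"""

CURRENT_SCAN = """host,finding_id,cvss,first_seen
web01,F-1002,5.3,2024-02-10
db01,F-1003,7.5,2024-01-20
db01,F-1005,9.8,2024-03-01
ws-hr-03,F-1004,4.0,2024-02-01
"""

# Constructed: hosts the boundary inventory (Control 12) marks as Internet-facing.
INTERNET_FACING: Set[str] = {"web01"}

# The date the current scan was reviewed (constructed, used for aging).
AS_OF = date(2024, 3, 4)


def load_scan(csv_text: str) -> Dict[Key, dict]:
    """Parse a scan export into {(host, finding_id): {cvss, first_seen}}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings[(row["host"], row["finding_id"])] = {
            "cvss": float(row["cvss"]),
            "first_seen": date.fromisoformat(row["first_seen"]),
        }
    return findings


def diff_scans(previous: Dict[Key, dict], current: Dict[Key, dict]) -> Dict[str, List[Key]]:
    """Sub-control 3.6: what was fixed, what is new, and what is still open."""
    prev, cur = set(previous), set(current)
    return {
        "remediated": sorted(prev - cur),
        "new": sorted(cur - prev),
        "persisting": sorted(prev & cur),
    }


def risk_score(host: str, finding: dict, today: date) -> float:
    """Sub-control 3.7: CVSS plus exposure and aging.

    +2.0 if the host is Internet-facing, and up to +3.0 as the finding ages
    (one point per 30 days open, capped at 90 days). The weights are an
    illustration; a real program takes them from its risk-rating policy.
    """
    age_days = (today - finding["first_seen"]).days
    score = finding["cvss"]
    if host in INTERNET_FACING:
        score += 2.0
    score += min(age_days / 30.0, 3.0)
    return round(score, 1)


def prioritize(current: Dict[Key, dict], today: date) -> List[Tuple[float, str, str]]:
    """Open findings ordered from highest to lowest risk score."""
    ranked = [(risk_score(host, f, today), host, fid) for (host, fid), f in current.items()]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    prev, cur = load_scan(PREVIOUS_SCAN), load_scan(CURRENT_SCAN)
    for bucket, keys in diff_scans(prev, cur).items():
        print(f"{bucket:11} {keys}")
    for score, host, fid in prioritize(cur, AS_OF):
        print(f"{score:5.1f}  {host:9} {fid}")
```

Keying on (host, finding id) rather than on the finding id alone is what lets the diff say "fixed on web01 but still open on db01"; the aging term is what turns a medium finding that has sat for months into something the report surfaces above a fresh one.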

Critical Security Control #4: Controlled Use of Administrative Privileges (asset type: System)

4.1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
4.4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software (asset type: System)

5.1 Maintain documented security configuration standards for all authorized operating systems and software.
5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs (asset type: System)

6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2 Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7 On a regular basis, review logs to identify anomalies or abnormal events.
6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections (asset type: System)

7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.
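Sub-control 7.8 is satisfied only when the published SPF and DMARC records actually cause receivers to act: an SPF record ending in +all, or a DMARC record with p=none, is "implemented" on paper but blocks nothing. The block below is an added example of the checks an assessor would run against those records; it is not part of the CIS Controls or this workbook. It works on TXT record strings as returned by `dig TXT example.com` and `dig TXT _dmarc.example.com`, the records are constructed, and no DNS lookup is made so it runs offline. DKIM keys are published per selector and cannot be enumerated without the selector names, so DKIM is deliberately left out.

```python
"""Check a domain's SPF and DMARC records for the gaps sub-control 7.8 targets.

Added example; it is not part of the CIS Controls or the mapping workbook.
It works on the TXT record strings you would fetch with `dig TXT example.com`
and `dig TXT _dmarc.example.com`; the records below are constructed and no
DNS lookup is performed, so it runs offline. DKIM is published per selector
and cannot be checked without knowing the selector names, so it is left out.
"""
import re
from typing import List, Optional, Tuple

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> Optional[Tuple[List[Tuple[str, str]], Optional[str]]]:
    """Return ([(qualifier, term), ...], qualifier of 'all') or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: a missing qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def parse_dmarc(record: str) -> Optional[dict]:
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> List[str]:
    """Return findings; an empty list means both records meet the bar used here."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    else:
        mechanisms, all_qualifier = spf
        if all_qualifier in (None, "+", "?"):
            findings.append(f"SPF: 'all' qualifier is {all_qualifier or 'missing'}; publish ~all or -all")
        lookups = sum(1 for _, m in mechanisms if re.split(r"[:=/]", m, maxsplit=1)[0].lower() in LOOKUP_MECHANISMS)
        if lookups > 10:
            findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10, receivers return permerror")
        if any(re.split(r":", m, maxsplit=1)[0].lower() == "ptr" for _, m in mechanisms):
            findings.append("SPF: ptr mechanism is deprecated and slow to evaluate")
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record published")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} does not act on spoofed mail")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail stream")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings


# Constructed records for example.com (a reserved documentation domain).
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ptr +all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

A p=none record is the usual starting point for collecting rua reports, so the DMARC finding is a "not yet finished" rather than a misconfiguration; the +all finding, by contrast, means SPF passes every sender and should be fixed before anything else.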
Critical Security Control #8: Malware Defenses (asset type: System)

8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
8.5 Configure devices to not auto-run content from removable media.
8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
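Sub-control 8.7 only pays off once something reads the query log and matches it against a list of known-malicious domains, and the matching has to treat a subdomain of a listed domain as a hit without firing on names that merely contain the listed string. The block below is an added example of that detection step; it is not part of the CIS Controls or this workbook. The BIND-style query log lines and the blocklist are constructed.

```python
"""Match DNS query logs against known-malicious domains (sub-control 8.7).

Added example, not part of the CIS Controls or the mapping workbook. It reads
BIND-style query log lines and a small blocklist, both constructed here. The
match treats any subdomain of a listed domain as a hit, which is what a plain
`qname in blocklist` check misses, while not firing on names that merely
contain a listed string (notbad-c2.example vs bad-c2.example).
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Set, Tuple

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed blocklist, as a threat feed or the DNS filtering service (7.7) would supply it.
BLOCKLIST: Set[str] = {"bad-c2.example", "evil.example.net"}

# Constructed BIND query log lines (the "queries" logging category).
SAMPLE_LOG = """\
03-Mar-2024 09:10:01.123 queries: info: client @0x7f1c 10.10.20.15#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.10.20.2)
03-Mar-2024 09:10:02.456 queries: info: client @0x7f1c 10.10.20.44#51235 (update.bad-c2.example): query: update.bad-c2.example IN A +E(0)K (10.10.20.2)
03-Mar-2024 09:10:03.789 queries: info: client @0x7f1c 10.10.20.44#51236 (notbad-c2.example): query: notbad-c2.example IN A + (10.10.20.2)
03-Mar-2024 09:10:04.000 queries: info: client @0x7f1c 10.10.20.16#51237 (evil.example.net): query: evil.example.net IN TXT + (10.10.20.2)
03-Mar-2024 09:10:05.500 queries: info: client @0x7f1c 10.10.20.16#51238 (EVIL.example.net.): query: EVIL.example.net. IN AAAA + (10.10.20.2)
"""


def matched_entry(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry that qname equals or falls under, else None.

    Walks the name label by label from the left so that a.b.bad-c2.example
    matches bad-c2.example; case and a trailing dot are normalised first.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_queries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (client ip, queried name, record type) for each query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["src"], m["qname"], m["qtype"]


def find_hits(log_text: str, blocklist: Set[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group flagged lookups by client: {ip: [(qname, qtype, blocklist entry), ...]}."""
    hits = defaultdict(list)
    for src, qname, qtype in parse_queries(log_text):
        entry = matched_entry(qname, blocklist)
        if entry:
            hits[src].append((qname, qtype, entry))
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in find_hits(SAMPLE_LOG, BLOCKLIST).items():
        for qname, qtype, entry in lookups:
            print(f"{client:14} {qname:28} {qtype:5} matched {entry}")
```

Grouping by client address is what turns a list of matches into the thing incident handlers need: which hosts looked up the domain, how often, and for which record types. The same walk-up-the-labels test is what a resolver-side filter (sub-control 7.7) applies before answering.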
Critical Security Control #9: Limitation and Control of Network Ports (asset type: System)

9.1 Associate active ports, services, and protocols to the hardware assets in the asset inventory.
9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities (asset type: System)

10.1 Ensure that all system data is automatically backed up on a regular basis.
10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches (asset type: Network)

11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense (asset type: Network)

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection (asset type: Network)

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know (asset type: Application)

14.1 Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Management).
Critical Security Control #15: Wireless Access Control (asset type: Network)

15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control (asset type: Application)

16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Critical Security Control #17: Implement a Security Awareness and Training Program (asset type: Application)

17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security (asset type: Application)

18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management (asset type: Application)

19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises (asset type: Application)

20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

PCI DSS 1.1: Establish and implement firewall and router configuration standards.
PCI DSS 1.2: Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
PCI DSS 1.3: Prohibit direct public access between the Internet and any system component in the cardholder data environment.

PCI DSS 1.4: Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.
PCI DSS 1.5: Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
PCI DSS 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

PCI DSS 2.2: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
PCI DSS 2.3: Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
PCI DSS 2.4: Maintain an inventory of system components that are in scope for PCI DSS.

PCI DSS 2.5: Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
PCI DSS 2.6: Shared hosting providers must protect each entity's hosted environment and cardholder data.
PCI DSS 3.1: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.

PCI DSS 3.2: Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
PCI DSS 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
PCI DSS 3.4: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).

PCI DSS 3.5: Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
PCI DSS 3.6: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
PCI DSS 3.7: Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.

PCI DSS 4.1: Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
PCI DSS 4.2: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
PCI DSS 4.3: Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.

PCI DSS 5.1: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
PCI DSS 5.2: Ensure that all anti-virus mechanisms are maintained.
PCI DSS 5.3: Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

PCI DSS 5.4: Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
PCI DSS 6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.
PCI DSS 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

PCI DSS 6.3: Develop internal and external software applications (including web-based administrative access to applications) securely.
PCI DSS 6.4: Follow change control processes and procedures for all changes to system components.
PCI DSS 6.5a: Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.

PCI DSS 6.5b: Develop applications based on secure coding guidelines.
PCI DSS 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
PCI DSS 6.7: Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.

PCI DSS 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.
PCI DSS 7.2: Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
PCI DSS 7.3: Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

PCI DSS 8.1: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
PCI DSS 8.2: In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components.
PCI DSS 8.3: Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).

PCI DSS 8.4: Document and communicate authentication procedures and policies to all users.
PCI DSS 8.5: Do not use group, shared, or generic IDs, passwords, or other authentication methods.
PCI DSS 8.6: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned.

PCI DSS 8.7: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted.
PCI DSS 8.8: Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
PCI DSS 9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

PCI DSS 9.2: Develop procedures to easily distinguish between onsite personnel and visitors.
PCI DSS 9.3: Control physical access for onsite personnel to the sensitive areas.
PCI DSS 9.4: Implement procedures to identify and authorize visitors.

PCI DSS 9.5: Physically secure all media.
PCI DSS 9.6: Maintain strict control over the internal or external distribution of any kind of media.
PCI DSS 9.7: Maintain strict control over the storage and accessibility of media.

PCI DSS 9.8: Destroy media when it is no longer needed for business or legal reasons.
PCI DSS 9.9: Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
PCI DSS 9.10: Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

PCI DSS 10.1: Implement audit trails to link all access to system components to each individual user.
PCI DSS 10.2: Implement automated audit trails for all system components.
PCI DSS 10.3: Record at least the following audit trail entries for all system components for each event.

PCI DSS 10.4: Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
PCI DSS 10.5: Secure audit trails so they cannot be altered.
PCI DSS 10.6: Review logs and security events for all system components to identify anomalies or suspicious activity.

PCI DSS 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
PCI DSS 10.8: Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
PCI DSS 11.1: Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

PCI DSS 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
PCI DSS 11.3: Implement a methodology for penetration testing.
PCI DSS 11.4: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

PCI DSS 11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
PCI DSS 11.6: Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
PCI DSS 12.1: Establish, publish, maintain, and disseminate a security policy.

PCI DSS 12.2: Implement a risk-assessment process.
PCI DSS 12.3: Develop usage policies for critical technologies and define proper use of these technologies.
PCI DSS 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

PCI DSS 12.5: Assign to an individual or team the following information security management responsibilities.
PCI DSS 12.6: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
PCI DSS 12.7: Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)

PCI DSS 12.8: Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
PCI DSS 12.9: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.
PCI DSS 12.10: Implement an incident response plan. Be prepared to respond immediately to a system breach.

CIS Controls v7.1 mapped to HIPAA

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Router
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2
Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1
Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12
Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9
Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4
Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
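
Sub-controls 1.3 and 1.6 together describe a loop: DHCP server logs feed the hardware inventory, and anything that obtains an address without an inventory entry (or with one that is not approved) is quarantined or the inventory is updated. The script below is an added example written for this page; it is not part of the AuditScripts mapping tool or the CIS Controls text. It assumes ISC dhcpd's DHCPACK syslog line as the input format, and the log lines, MAC addresses and inventory rows are constructed for illustration.

```python
"""Update a hardware asset inventory from DHCP server log lines and flag devices
the inventory does not know about. Added example for CIS sub-controls 1.3
(DHCP logging feeds the inventory) and 1.6 (unauthorized assets are removed,
quarantined or added); the log lines, MAC addresses and inventory rows are
constructed, and the message format assumed is ISC dhcpd's DHCPACK syslog line."""
import re
from dataclasses import dataclass

# ISC dhcpd logs a lease acknowledgement as
#   DHCPACK on <ip> to <mac> [(<client hostname>)] via <interface>
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Asset:
    """One row of the hardware inventory (the fields sub-control 1.5 asks for)."""
    mac: str
    approved: bool           # approved to connect to the network?
    owner: str = ""
    department: str = ""
    hostname: str = ""
    ip: str = ""
    leases_seen: int = 0


def parse_dhcpack(line):
    """Return {ip, mac, host, iface} for a DHCPACK line, else None."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return {"ip": m["ip"], "mac": m["mac"].lower(),
            "host": m["host"] or "", "iface": m["iface"]}


def update_inventory(inventory, log_lines):
    """Refresh known assets from the log. Returns (unknown MACs that received a
    lease but are missing from the inventory, known MACs that are not approved)."""
    unknown, unapproved = {}, set()
    for line in log_lines:
        rec = parse_dhcpack(line)
        if rec is None:
            continue
        asset = inventory.get(rec["mac"])
        if asset is None:
            unknown.setdefault(rec["mac"], rec)   # keep the first sighting
            continue
        asset.ip = rec["ip"]
        asset.hostname = rec["host"] or asset.hostname
        asset.leases_seen += 1
        if not asset.approved:
            unapproved.add(asset.mac)
    return sorted(unknown), sorted(unapproved)


def build_inventory():
    """Constructed inventory: one approved workstation, one unapproved spare."""
    return {
        "aa:bb:cc:dd:ee:01": Asset("aa:bb:cc:dd:ee:01", True, "a.lee", "finance"),
        "aa:bb:cc:dd:ee:02": Asset("aa:bb:cc:dd:ee:02", False, "it-stock", "it"),
    }


# Constructed syslog lines in ISC dhcpd's format.
SAMPLE_LOG = [
    "Jan  5 10:01:02 dhcp1 dhcpd[512]: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:01 (ws-0412) via eth0",
    "Jan  5 10:01:03 dhcp1 dhcpd[512]: DHCPREQUEST for 10.0.0.9 from aa:bb:cc:dd:ee:02 via eth0",
    "Jan  5 10:01:03 dhcp1 dhcpd[512]: DHCPACK on 10.0.0.9 to AA:BB:CC:DD:EE:02 via eth0",
    "Jan  5 10:01:07 dhcp1 dhcpd[512]: DHCPACK on 10.0.0.77 to de:ad:be:ef:00:01 (android-3f1) via eth0",
]


def audit(log_lines=SAMPLE_LOG):
    """Run the update on a fresh inventory; returns (inventory, unknown, unapproved)."""
    inventory = build_inventory()
    unknown, unapproved = update_inventory(inventory, log_lines)
    return inventory, unknown, unapproved


if __name__ == "__main__":
    inv, unknown, unapproved = audit()
    for mac in unknown:
        print(f"ALERT unknown device {mac}: quarantine or add to inventory")
    for mac in unapproved:
        print(f"ALERT {mac} leased an address but is not approved to connect")
    for a in inv.values():
        print(f"{a.mac} {a.ip or '-':<12} {a.hostname or '-':<12} leases={a.leases_seen}")
```

In production the inventory would be the organization's CMDB rather than a dict, and the unknown list would drive the quarantine action (for example, moving the port to an isolated VLAN under sub-control 1.7) instead of a print statement; the parsing and comparison logic is the same.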
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
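
Sub-control 7.8 asks for DMARC built on SPF and DKIM; the value of that control depends on the records being configured strictly, and a permissive record (SPF ending in "+all", or DMARC with p=none and no reporting address) satisfies the letter of the control while leaving the domain spoofable. The checker below is an added example for this page, not code from AuditScripts or the CIS Controls. It evaluates SPF and DMARC record strings offline; the domain names, addresses and records are constructed, and in practice the strings would come from the domain's TXT record and the TXT record at _dmarc.<domain>.

```python
"""Assess SPF and DMARC TXT records for weak settings (added example for CIS
sub-control 7.8). The records below are constructed strings; a live check would
fetch the TXT records for <domain> and _dmarc.<domain> over DNS first."""

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def _spf_terms(record):
    """Split an SPF record into [(qualifier, mechanism, argument)] and {modifier: value}."""
    mechanisms, modifiers = [], {}
    for term in record.split()[1:]:          # skip the leading v=spf1
        if "=" in term:                      # modifier, e.g. redirect=_spf.example.com
            key, _, value = term.partition("=")
            modifiers[key.lower()] = value
            continue
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms, modifiers


def assess_spf(record):
    """Return a list of findings; an empty list means no weakness was detected."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return ["not a valid SPF record (must start with v=spf1)"]
    findings = []
    mechanisms, modifiers = _spf_terms(record)
    lookups = sum(1 for _, n, _ in mechanisms if n in LOOKUP_MECHANISMS)
    lookups += 1 if "redirect" in modifiers else 0
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (receivers return permerror)")
    if any(n == "ptr" for _, n, _ in mechanisms):
        findings.append("ptr mechanism is deprecated and unreliable")
    all_qualifiers = [q for q, n, _ in mechanisms if n == "all"]
    if not all_qualifiers and "redirect" not in modifiers:
        findings.append("no terminating 'all' mechanism; unlisted senders get a neutral result")
    elif all_qualifiers:
        q = all_qualifiers[-1]
        if q == "+":
            findings.append("'+all' authorizes every host on the Internet to send as this domain")
        elif q == "?":
            findings.append("'?all' is neutral; unlisted senders are neither passed nor failed")
        elif q == "~":
            findings.append("'~all' softfail; use '-all' once all legitimate senders are listed")
    return findings


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record as a dict."""
    tags = {}
    for item in record.split(";"):
        key, sep, value = item.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings for a DMARC record; empty means no weakness detected."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a valid DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy.lower() == "none":
        findings.append("p=none only monitors; mail failing DMARC is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address; aggregate reports on spoofing attempts will not arrive")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    return findings


# Constructed records for a fictional domain (203.0.113.0/24 is a documentation range).
WEAK_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for label, rec, fn in [("SPF", WEAK_SPF, assess_spf), ("SPF", STRONG_SPF, assess_spf),
                           ("DMARC", WEAK_DMARC, assess_dmarc), ("DMARC", STRONG_DMARC, assess_dmarc)]:
        print(f"{label}: {rec}")
        for f in fn(rec) or ["ok"]:
            print("  -", f)
```

DKIM is not checked here because its correctness is a property of the signing keys published under selector._domainkey and of the mail server's signing configuration, not of a single policy string; the same pattern applies, but the inputs differ.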
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
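
Sub-controls 9.1 through 9.3 form one procedure: record the authorized ports per asset in the inventory, scan regularly, and alert when a listener appears that the inventory does not authorize. The script below is an added example for this page, not part of the AuditScripts tool or the CIS Controls. It assumes nmap's grepable (-oG) host line as the scan input format; the scan lines, addresses and inventory are constructed.

```python
"""Compare the listening ports found by a scheduled scan against the authorized
ports recorded in the hardware asset inventory and raise alerts for anything
unexpected. Added example for CIS sub-controls 9.1 through 9.3; the scan output
and inventory are constructed, and the input format assumed is nmap's grepable
(-oG) host line."""
import re

# nmap -oG writes one line per host:
#   Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
HOST_RE = re.compile(r"Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\s+Ports: (?P<ports>[^\t]+)")


def parse_grepable(lines):
    """Return {ip: set of (proto, port)} for every port the scan reports as open."""
    hosts = {}
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue                       # comment lines and hosts with no ports
        open_ports = set()
        for entry in m["ports"].split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((fields[2], int(fields[0])))
        hosts[m["ip"]] = open_ports
    return hosts


def find_unauthorized(scan, inventory):
    """Alert on hosts missing from the inventory and on open ports the inventory
    does not authorize. Returns a list of (ip, reason, ports) sorted by ip."""
    alerts = []
    for ip in sorted(scan):
        open_ports = scan[ip]
        authorized = inventory.get(ip)
        if authorized is None:
            alerts.append((ip, "host not in asset inventory", sorted(open_ports)))
        elif open_ports - authorized:
            alerts.append((ip, "unauthorized listening ports", sorted(open_ports - authorized)))
    return alerts


# Constructed inventory: authorized (proto, port) pairs per asset (sub-control 9.1).
INVENTORY = {
    "10.0.0.5": {("tcp", 22)},
    "10.0.0.20": {("tcp", 22), ("tcp", 443)},
}

# Constructed scan output in nmap -oG format.
SAMPLE_SCAN = [
    "# constructed nmap -oG output for 10.0.0.0/24",
    "Host: 10.0.0.5 (ws-0412)\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)",
    "Host: 10.0.0.20 (web1)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)",
    "Host: 10.0.0.99 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)",
]


def audit(scan_lines=SAMPLE_SCAN, inventory=INVENTORY):
    """Parse the scan and compare it with the inventory."""
    return find_unauthorized(parse_grepable(scan_lines), inventory)


if __name__ == "__main__":
    for ip, reason, ports in audit():
        print(f"ALERT {ip}: {reason}: " + ", ".join(f"{p}/{proto}" for proto, p in ports))
```

The same inventory of authorized ports is the natural source for the host-based firewall allow-list that sub-control 9.4 requires, so one record drives both the default-deny rules and the scan comparison.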
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
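One way to check the traffic-filtering and NetFlow sub-controls above (deny known-malicious or untrusted destinations, deny unauthorised ports and protocols, collect flow data) against exported flow records. This is an added example written for this page, not CIS or AuditScripts code; the allowed ranges, deny list, port policy, internal range and the flow records are all constructed assumptions.

```python
"""Boundary egress check over NetFlow-style records (added example).

Flags internal-to-external flows that (a) go to a known-bad IP,
(b) leave the trusted destination ranges, or (c) use a port/protocol
that is not on the authorised list. Policy and records are constructed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed policy (assumption): what the boundary is allowed to carry.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_DST_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
DENIED_IPS = {ipaddress.ip_address("192.0.2.66")}
ALLOWED_PORTS = {("tcp", 443), ("tcp", 25), ("udp", 53)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int

def parse_flow_line(line: str) -> Flow:
    """Parse one record in the constructed 'src dst proto dport bytes' format."""
    src, dst, proto, dport, nbytes = line.split()
    return Flow(src, dst, proto.lower(), int(dport), int(nbytes))

def crosses_boundary(flow: Flow) -> bool:
    """Internal source talking to a non-internal destination."""
    return (ipaddress.ip_address(flow.src) in INTERNAL
            and ipaddress.ip_address(flow.dst) not in INTERNAL)

def violations(flow: Flow) -> list[str]:
    """Return the policy rules a boundary-crossing flow breaks (empty = allowed)."""
    if not crosses_boundary(flow):
        return []
    dst = ipaddress.ip_address(flow.dst)
    problems = []
    if dst in DENIED_IPS:
        problems.append("known-malicious destination (12.3)")
    if not any(dst in net for net in ALLOWED_DST_RANGES):
        problems.append("destination outside trusted ranges (12.3)")
    if (flow.proto, flow.dport) not in ALLOWED_PORTS:
        problems.append(f"unauthorised {flow.proto}/{flow.dport} (12.4)")
    return problems

def audit(lines: list[str]) -> dict[str, list[str]]:
    """Map each violating flow record to the list of rules it breaks."""
    report = {}
    for line in lines:
        found = violations(parse_flow_line(line))
        if found:
            report[line] = found
    return report

# Constructed flow records (assumption), one per line.
SAMPLE_FLOWS = [
    "10.1.2.3 203.0.113.10 tcp 443 5120",     # allowed
    "10.1.2.3 192.0.2.66 tcp 443 900",         # denied IP, also outside trusted ranges
    "10.1.2.9 203.0.113.20 tcp 4444 70000",    # trusted range but unauthorised port
    "10.1.2.9 10.2.0.5 tcp 3389 200",          # internal-only, never crosses the boundary
    "10.1.5.5 198.51.100.200 udp 53 90",       # .200 is outside the /25 (hosts 0-127)
]

if __name__ == "__main__":
    for record, problems in audit(SAMPLE_FLOWS).items():
        print(record, "->", "; ".join(problems))
```

The same structure works on real exports once `parse_flow_line` is replaced with a parser for the collector's format; the point is that the allow and deny decisions are driven by the documented boundary inventory, not by ad hoc rules on the device.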
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
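The sub-control above on detecting unauthorized use of encryption leaving the organization gives no method. One practical signal, shown here as an added example (not CIS or AuditScripts code), is the byte entropy of payloads on ports that should carry plaintext protocols: ciphertext is close to uniformly distributed, so Shannon entropy approaches 8 bits per byte. The port policy, threshold, minimum length and sample payloads are constructed assumptions; note that compressed data also scores high, so hits need triage rather than automatic blocking.

```python
"""Entropy check for unauthorised encryption on egress (added example).

Payloads on ports expected to carry plaintext are flagged when their
Shannon entropy is near the ciphertext ceiling of 8 bits/byte. Policy,
threshold and samples are constructed for illustration.
"""
from __future__ import annotations
import math
import random
from collections import Counter

PLAINTEXT_PORTS = {80, 25, 21}        # plaintext expected here (assumption)
SANCTIONED_TLS_PORTS = {443, 22}      # encryption is the norm here (assumption)
ENTROPY_THRESHOLD = 7.2               # bits/byte; random data sits near 7.8-8.0
MIN_LEN = 256                         # short payloads give unreliable estimates

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(payload: bytes) -> bool:
    return len(payload) >= MIN_LEN and shannon_entropy(payload) >= ENTROPY_THRESHOLD

def classify(dport: int, payload: bytes) -> str:
    """Return 'ok', 'suspect-encryption' or 'unknown-port' for one egress payload."""
    if dport in SANCTIONED_TLS_PORTS:
        return "ok"
    if dport in PLAINTEXT_PORTS:
        return "suspect-encryption" if looks_encrypted(payload) else "ok"
    return "unknown-port"          # not covered by policy; route to the port inventory review

# Constructed samples (assumption): a plaintext HTTP request and a random
# blob standing in for ciphertext (seeded so the example is reproducible).
HTTP_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                b"User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n") * 8
_rng = random.Random(7)
RANDOM_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(1024))

if __name__ == "__main__":
    for port, payload in ((80, HTTP_PAYLOAD), (80, RANDOM_PAYLOAD), (443, RANDOM_PAYLOAD)):
        print(port, classify(port, payload), round(shannon_entropy(payload), 2))
```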

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.
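What "hash with a salt" looks like in practice, as an added example written for this page (not CIS or AuditScripts code): a per-user random salt, a deliberately slow key-derivation function rather than a plain hash, a self-describing stored record, and a constant-time comparison on verification. The record format, the iteration count and the salt length are assumptions chosen for illustration.

```python
"""Salted credential storage and verification (added example).

Stores PBKDF2-HMAC-SHA256 output with a random per-user salt and the
work factor, so the record can be verified and later upgraded. All
parameters are illustrative assumptions.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000      # PBKDF2 work factor (assumption; raise as hardware improves)
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"

def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: bytes | None = None) -> str:
    """Return a self-describing record: algo$iterations$salt_b64$hash_b64."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])

def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and work factor; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        iterations = int(iters)
    except ValueError:
        return False                     # malformed record, never a match
    if algo != ALGO:
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(record: str, *, iterations: int = ITERATIONS) -> bool:
    """True when the stored record is weaker than current policy (re-hash at next login)."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec), verify_password("wrong", rec))
```

Two properties matter for the audit: the same password never yields the same record twice (the salt), and the verifier learns the work factor from the record itself, so old records can be detected and upgraded on next successful login instead of requiring a password reset.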


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
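The account sub-controls above (no account without a business owner, dormant accounts disabled automatically, expiration dates enforced, alerts on deviation from normal login behaviour) can be checked from an account inventory plus an authentication log. The following is an added example for this page, not CIS or AuditScripts code; the inventory, the login events, the 45-day threshold, the fixed clock and the hour-of-day baseline model are constructed assumptions.

```python
"""Account hygiene checks over an account inventory and login log (added example).

Covers dormant accounts (16.9), accounts past expiry (16.10), accounts
with no business owner (16.8) and logins at unusual hours (16.13).
All data, thresholds and the baseline model are constructed.
"""
from __future__ import annotations
from datetime import datetime, timedelta
from statistics import mean, pstdev

DORMANT_DAYS = 45                     # inactivity threshold (policy assumption)
NOW = datetime(2024, 6, 30, 12, 0)    # fixed clock so results are reproducible

# Constructed inventory: username -> (business owner, expiry, enabled)
ACCOUNTS = {
    "alice":      ("finance", datetime(2025, 1, 1), True),
    "bob":        ("ops",     datetime(2024, 5, 1), True),   # expired 2024-05-01
    "svc-backup": (None,      datetime(2025, 1, 1), True),   # nobody owns it
    "carol":      ("hr",      datetime(2025, 1, 1), True),
}

# Constructed login events: (username, timestamp, workstation)
LOGINS = [("alice", datetime(2024, 6, d, 9, 0), "ws-fin-01") for d in range(3, 28)] + [
    ("alice", datetime(2024, 6, 29, 3, 15), "ws-fin-01"),    # 03:15, unusual for alice
    ("bob",   datetime(2024, 4, 20, 10, 0), "ws-ops-07"),    # last seen > 45 days ago
    ("carol", datetime(2024, 6, 28, 14, 0), "ws-hr-02"),
]

def dormant_accounts(accounts, logins, now=NOW, days=DORMANT_DAYS) -> set[str]:
    """Enabled accounts with no login in the last `days` days (never used counts too)."""
    last_seen = {}
    for user, ts, _ in logins:
        last_seen[user] = max(ts, last_seen.get(user, ts))
    cutoff = now - timedelta(days=days)
    return {u for u, (_, _, enabled) in accounts.items()
            if enabled and last_seen.get(u, datetime.min) < cutoff}

def expired_accounts(accounts, now=NOW) -> set[str]:
    return {u for u, (_, expiry, enabled) in accounts.items() if enabled and expiry < now}

def unowned_accounts(accounts) -> set[str]:
    return {u for u, (owner, _, _) in accounts.items() if owner is None}

def anomalous_logins(logins, min_history=10, z=3.0, sigma_floor=0.5):
    """Flag logins whose hour-of-day is more than z standard deviations from the
    rest of that user's history. Hours are treated linearly (no wrap at
    midnight) and sigma is floored so a perfectly regular user still gives a
    usable baseline; both are simplifications for this example."""
    by_user: dict[str, list[tuple[datetime, float]]] = {}
    for user, ts, _ in logins:
        by_user.setdefault(user, []).append((ts, ts.hour + ts.minute / 60))
    flagged = []
    for user, events in by_user.items():
        if len(events) < min_history:
            continue                      # too little history for a baseline
        for i, (ts, hour) in enumerate(events):
            others = [h for j, (_, h) in enumerate(events) if j != i]
            mu, sigma = mean(others), max(pstdev(others), sigma_floor)
            if abs(hour - mu) / sigma > z:
                flagged.append((user, ts))
    return flagged

if __name__ == "__main__":
    print("dormant:", sorted(dormant_accounts(ACCOUNTS, LOGINS)))
    print("expired:", sorted(expired_accounts(ACCOUNTS)))
    print("unowned:", sorted(unowned_accounts(ACCOUNTS)))
    print("odd-hour logins:", anomalous_logins(LOGINS))
```

The checks return account sets rather than disabling anything, so the same functions can feed a ticket, an alert, or an automated disable action; disabling rather than deleting keeps the audit trail, as the sub-control on revocation notes.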
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

CIS Controls v7.1 mapped to the HIPAA Security Rule (45 CFR 164.308 - 164.312). The column headings of the mapping grid, as recovered from the spreadsheet export (R = required implementation specification, A = addressable):

Security Management Process - Risk Analysis (R) 164.308(a)(1)
Security Management Process - Risk Management (R) 164.308(a)(1)
Security Management Process - Sanctions Policy (R) 164.308(a)(1)
Security Management Process - Information System Activity Review (R) 164.308(a)(1)
Assigned Security Responsibility (R) 164.308(a)(2)
Workforce Security - Authorization and/or Supervision (A) 164.308(a)(3)
Workforce Security - Workforce Clearance Procedure (A) 164.308(a)(3)
Workforce Security - Termination Procedures (A) 164.308(a)(3)
Information Access Management - Isolating Health Care Clearinghouse Function (R) 164.308(a)(4)
Information Access Management - Access Authorization (A) 164.308(a)(4)
Information Access Management - Access Establishment and Modification (A) 164.308(a)(4)
Security Awareness and Training - Security Reminders (A) 164.308(a)(5)
Security Awareness and Training - Protection from Malicious Software (A) 164.308(a)(5)
Security Awareness and Training - Log-in Monitoring (A) 164.308(a)(5)
Security Awareness and Training - Password Management (A) 164.308(a)(5)
Security Incident Procedures - Response and Reporting (R) 164.308(a)(6)
Contingency Plan - Data Backup Plan (R) 164.308(a)(7)
Contingency Plan - Disaster Recovery Plan (R) 164.308(a)(7)
Contingency Plan - Emergency Mode Operation Plan (R) 164.308(a)(7)
Contingency Plan - Testing and Revision Procedure (A) 164.308(a)(7)
Contingency Plan - Applications and Data Criticality Analysis (A) 164.308(a)(7)
Evaluation (R) 164.308(a)(8)
Business Associate Contracts and Other Arrangement - Written Contract or Other Arrangement (R) 164.308(b)(1)
Facility Access Controls - Contingency Operations (A) 164.310(a)(1)
Facility Access Controls - Facility Security Plan (A) 164.310(a)(1)
Facility Access Controls - Access Control and Validation Procedures (A) 164.310(a)(1)
Facility Access Controls - Maintenance Records (A) 164.310(a)(1)
Workstation Use (R) 164.310(b)
Workstation Security (R) 164.310(c)
Device and Media Controls - Disposal (R) 164.310(d)(1)
Device and Media Controls - Media Re-use (R) 164.310(d)(1)
Device and Media Controls - Accountability (A) 164.310(d)(1)
Device and Media Controls - Data Backup and Storage (A) 164.310(d)(1)
Access Control - Unique User Identification (R) 164.312(a)(1)
Access Control - Emergency Access Procedure (R) 164.312(a)(1)
Access Control - Automatic Logoff (A) 164.312(a)(1)
Access Control - Encryption and Decryption (A) 164.312(a)(1)
Audit Controls (R) 164.312(b)
Integrity - Mechanism to Authenticate Electronic Protected Health Information (A) 164.312(c)(1)
Person or Entity Authentication (R) 164.312(d)
Transmission Security - Integrity Controls (A) 164.312(e)(1)
Transmission Security - Encryption (A) 164.312(e)(1)

The grid's "X" marks, which tie individual CIS sub-controls to these HIPAA specifications, were exported without their row labels and cannot be attributed to specific sub-controls, so they are not reproduced here.
CIS Controls v7.1 mapped to the FFIEC's Information Security Booklet 2016

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
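The two sub-controls above (compare consecutive scans to verify timely remediation, and prioritise by risk rating) reduce to a set difference plus an age check. The following is an added example written for this page, not CIS or AuditScripts code; the CSV-like export format, the severity-to-SLA table and the sample findings (with placeholder IDs) are constructed assumptions.

```python
"""Scan-to-scan comparison for remediation tracking (added example).

Two consecutive scan exports are compared as sets of (host, finding):
new, remediated and persistent findings are separated, and persistent
ones are aged against a severity-based SLA. Format and data are constructed.
"""
from __future__ import annotations
import csv
import io
from datetime import date

# Remediation SLA in days by severity (policy assumption)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def load_scan(text: str) -> dict[tuple[str, str], dict[str, str]]:
    """Parse 'host,vuln_id,severity,first_seen' rows keyed by (host, vuln_id)."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {(r["host"], r["vuln_id"]): r for r in rows}

def compare_scans(previous: dict, current: dict) -> dict[str, list[tuple[str, str]]]:
    """Split findings into remediated (gone), new (appeared) and persistent."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "remediated": sorted(prev_keys - cur_keys),
        "new": sorted(cur_keys - prev_keys),
        "persistent": sorted(prev_keys & cur_keys),
    }

def overdue(current: dict, persistent: list[tuple[str, str]], today: str) -> list[tuple[tuple[str, str], int]]:
    """Persistent findings older than their severity SLA, with days overdue."""
    today_d = date.fromisoformat(today)
    out = []
    for key in persistent:
        row = current[key]
        age = (today_d - date.fromisoformat(row["first_seen"])).days
        limit = SLA_DAYS[row["severity"].lower()]
        if age > limit:
            out.append((key, age - limit))
    return out

# Constructed scan exports (assumption); vulnerability IDs are placeholders.
PREVIOUS_SCAN = """host,vuln_id,severity,first_seen
web01,V-001,critical,2024-05-01
web01,V-002,low,2024-03-01
db01,V-003,high,2024-05-20
"""
CURRENT_SCAN = """host,vuln_id,severity,first_seen
web01,V-001,critical,2024-05-01
db01,V-003,high,2024-05-20
db01,V-004,medium,2024-06-10
"""

if __name__ == "__main__":
    prev, cur = load_scan(PREVIOUS_SCAN), load_scan(CURRENT_SCAN)
    diff = compare_scans(prev, cur)
    for bucket, keys in diff.items():
        print(bucket, keys)
    print("overdue:", overdue(cur, diff["persistent"], "2024-06-15"))
```

Keying on (host, finding) rather than on the finding alone matters: a vulnerability fixed on one server and still present on another is a partial remediation and should stay in the persistent bucket for that host.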

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
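How the DMARC verification step in the sub-control above combines the SPF and DKIM results, as an added example written for this page (not CIS or AuditScripts code). The receiving gateway already has the SPF and DKIM outcomes and the domains they authenticated; DMARC passes only if one of them passed and is aligned with the RFC5322.From domain, otherwise the published policy (p=, or sp= for subdomains) gives the requested disposition. The DMARC records are constructed, and organisational-domain derivation is simplified to the last two labels (an assumption; real implementations consult the Public Suffix List).

```python
"""DMARC evaluation for one inbound message (added example).

Inputs: authentication results the gateway already holds, plus the
sender domain's DMARC TXT record. Output: pass/fail and the disposition
the policy requests. Records are constructed; org-domain logic is simplified.
"""
from __future__ import annotations
from dataclasses import dataclass

def parse_dmarc(record: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' strict = exact match, 'r' relaxed = same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    from_domain: str     # RFC5322.From domain the user sees
    spf_pass: bool
    spf_domain: str      # envelope MAIL FROM domain that SPF evaluated
    dkim_pass: bool
    dkim_domain: str     # d= of the verified signature ("" if none verified)

def evaluate_dmarc(results: AuthResults, record: str) -> tuple[bool, str]:
    """Return (dmarc_pass, requested_disposition)."""
    tags = parse_dmarc(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = results.spf_pass and aligned(results.spf_domain, results.from_domain, aspf)
    dkim_ok = results.dkim_pass and aligned(results.dkim_domain, results.from_domain, adkim)
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags["p"]
    is_subdomain = org_domain(results.from_domain) != results.from_domain.lower()
    if is_subdomain and "sp" in tags:
        policy = tags["sp"]            # subdomain policy applies to non-org From domains
    return False, policy

# Constructed DMARC records (assumption)
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.test"
RELAXED_RECORD = "v=DMARC1; p=quarantine; sp=none"

if __name__ == "__main__":
    legit = AuthResults("example.test", True, "bounce.example.test", True, "example.test")
    print(evaluate_dmarc(legit, STRICT_RECORD))    # DKIM d= matches From exactly -> pass
    spoof = AuthResults("example.test", True, "attacker.test", False, "")
    print(evaluate_dmarc(spoof, STRICT_RECORD))    # SPF passed for the wrong domain -> reject
```

The spoof case is the one the sub-control is aimed at: SPF alone passes because the attacker's envelope domain publishes a valid SPF record, and only the alignment check against the visible From domain exposes it.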
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
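An added example (not part of the CIS Controls text) that strings Sub-Controls 9.1 to 9.3 together: parse_grepable() reads nmap's grepable output (as produced by nmap -sS -p- -oG scan.gnmap <targets>) and find_deviations() diffs the ports found open against the services the asset inventory authorizes per host, which is the alert condition of 9.3. The scan text and the inventory are constructed; the hosts and ports are invented.

```python
"""Compare a port scan against the authorized-services inventory (Sub-Controls 9.1 to 9.3).

Added example, not part of the CIS Controls text. SAMPLE_SCAN and INVENTORY
are constructed data.
"""
import re

# Constructed inventory: host -> authorized (protocol, port) pairs recorded per Sub-Control 9.1.
INVENTORY = {
    "10.0.0.5": {("tcp", 22), ("tcp", 443)},
    "10.0.0.6": {("tcp", 22), ("tcp", 5432)},
}

# Constructed nmap -oG output; 10.0.0.7 is not in the inventory at all.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Sat Mar 30 08:00:08 2024 as: nmap -sS -p- -oG - 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65532)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 5432/filtered/tcp//postgresql///\tIgnored State: closed (65533)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65534)
# Nmap done at Sat Mar 30 08:00:12 2024 -- 8 IP addresses (3 hosts up) scanned in 4.21 seconds
"""

PORTS_LINE_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\tPorts:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {host: {(proto, port), ...}} containing only ports nmap reported as open."""
    open_ports = {}
    for line in text.splitlines():
        m = PORTS_LINE_RE.match(line)
        if not m:
            continue                      # comment and Status lines carry no port data
        host, ports_field = m.groups()
        for entry in ports_field.split(", "):
            fields = entry.split("/")     # port/state/proto/owner/service/rpc/version/
            if len(fields) < 3:
                continue
            if fields[1] == "open":       # filtered and closed are not listening services
                open_ports.setdefault(host, set()).add((fields[2], int(fields[0])))
    return open_ports


def find_deviations(open_ports, inventory):
    """Return (unauthorized, missing).

    unauthorized: open ports with no inventory entry, the 9.3 alert condition.
    missing: inventoried services not seen open, worth a ticket as well (the
    service may be down, firewalled from the scanner, or the record stale).
    """
    unauthorized, missing = {}, {}
    for host, ports in open_ports.items():
        extra = ports - inventory.get(host, set())
        if extra:
            unauthorized[host] = sorted(extra)
    for host, ports in inventory.items():
        absent = ports - open_ports.get(host, set())
        if absent:
            missing[host] = sorted(absent)
    return unauthorized, missing
```

Scan from a position the host-based firewalls of 9.4 do not exempt, otherwise the scanner sees the allow-list rather than what is actually listening; an authenticated inventory of listening sockets on the host itself (ss -lntu on Linux) is the complementary view.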
9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities

10.1 Ensure that all system data is automatically backed up on a regular basis.

10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.

10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

11.1 Maintain documented security configuration standards for all authorized network devices.

11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.

11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.

11.4 Install the latest stable version of any security-related updates on all network devices.

11.5 Manage all network devices using multi-factor authentication and encrypted sessions.

11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.

11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.

12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.

12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.

12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.

12.8 Enable the collection of NetFlow and logging data on all network boundary devices.

12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.

12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.

12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.

12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.

13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

13.4 Only allow access to authorized cloud storage or email providers.

13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know

14.1 Segment the network based on the label or classification level of the information stored on the servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).

14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.

14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.

14.4 Encrypt all sensitive information in transit.

14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.

14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.

14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.

14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Management (SIEM)).
Critical Security Control #15: Wireless Access Control

15.1 Maintain an inventory of authorized wire
less access points connected to the wired network.

15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.

15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.

15.4 Disable wireless access on devices that do not have a business purpose for wireless access.

15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.

15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.

15.9 Disable wireless peripheral access of devices (such as Bluetooth and Near Field Communication (NFC)), unless such access is required for a business purpose.

15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control

16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.

16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.

16.4 Encrypt or hash with a salt all authentication credentials when stored.
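Sub-Control 16.4 says "hash with a salt" but not what that means in practice, so here is an added example (not part of the CIS Controls text) of a password store that meets it, next to the pattern it rules out. hash_password() derives a PBKDF2-HMAC-SHA256 digest with a fresh 16-byte random salt per credential and stores the algorithm and work factor alongside it, so the iteration count can be raised later without a reset; verify_password() recomputes and compares in constant time; needs_rehash() flags records made with an older work factor. unsalted_sha256() is the weak form: identical passwords produce identical hashes, and a precomputed table covers every user at once. Only the standard library is used; the iteration count is the figure the OWASP Password Storage Cheat Sheet recommends for this algorithm.

```python
"""Salted password storage for Sub-Control 16.4, with the weak pattern beside it.

Added example, not part of the CIS Controls text.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000       # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return '<algorithm>$<iterations>$<salt b64>$<digest b64>' for a new password."""
    salt = os.urandom(SALT_BYTES)        # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hash format: %s" % algorithm)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)   # no early exit on the first differing byte


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the stored record uses a weaker work factor than currently required."""
    algorithm, stored_iterations = stored.split("$")[:2]
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


def unsalted_sha256(password):
    """The pattern the control forbids: no salt and one fast hash, so equal
    passwords collide and a precomputed table breaks every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

Call needs_rehash() at each successful login and re-store the credential with hash_password() when it returns True; that is the only moment the plaintext is available to upgrade the record. Where a memory-hard function is available (scrypt, Argon2id), prefer it over PBKDF2; the storage format above carries the algorithm name precisely so that switch can be made per record.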


16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

16.6 Maintain an inventory of all accounts organized by authentication system.

16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

16.8 Disable any account that cannot be associated with a business process or business owner.

16.9 Automatically disable dormant accounts after a set period of inactivity.

16.10 Ensure that all accounts have an expiration date that is monitored and enforced.

16.11 Automatically lock workstation sessions after a standard period of inactivity.

16.12 Monitor attempts to access deactivated accounts through audit logging.

16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
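Sub-Controls 16.9, 16.12 and 16.13 are all detections over the same two inputs, the account inventory of 16.6 and the authentication log, so one added example (not part of the CIS Controls text) covers the three: dormant_accounts() finds active accounts with no successful login inside the idle window, deactivated_account_attempts() finds any attempt against a disabled account, and anomalous_logins() flags successful logins outside the hours a user has established or from a workstation the user has never used. The account list, host names and timestamps are constructed; in production feed the functions the identity provider's export.

```python
"""Account monitoring checks for Sub-Controls 16.9, 16.12 and 16.13.

Added example, not part of the CIS Controls text. ACCOUNTS and EVENTS are
constructed data.
"""
from datetime import datetime, timedelta, timezone

# Constructed account inventory: user -> status (this is what Sub-Control 16.6 supplies).
ACCOUNTS = {"alice": "active", "bob": "active", "carol": "disabled", "svc-backup": "active"}

NOW = datetime(2024, 3, 31, 12, 0, tzinfo=timezone.utc)

# Constructed login records: (user, ISO 8601 timestamp, outcome, workstation).
EVENTS = [
    ("alice", "2024-03-04T08:05:00+00:00", "success", "WS-ALICE"),
    ("alice", "2024-03-11T08:40:00+00:00", "success", "WS-ALICE"),
    ("alice", "2024-03-18T09:10:00+00:00", "success", "WS-ALICE"),
    ("alice", "2024-03-30T02:45:00+00:00", "success", "WS-LAB07"),   # 02:45 from a new host
    ("bob", "2024-03-29T17:30:00+00:00", "success", "WS-BOB"),
    ("carol", "2024-03-28T11:00:00+00:00", "failure", "WS-BOB"),      # carol is disabled
    ("svc-backup", "2024-01-15T23:00:00+00:00", "success", "BK01"),   # last seen 76 days ago
]


def parse_events(rows):
    """Turn the raw tuples into dicts with timezone-aware datetimes."""
    return [{"user": u, "ts": datetime.fromisoformat(t), "outcome": o, "host": h}
            for u, t, o, h in rows]


def dormant_accounts(accounts, events, now, max_idle_days=45):
    """Active accounts with no successful login in the last max_idle_days (16.9)."""
    last_success = {}
    for e in events:
        if e["outcome"] == "success":
            last_success[e["user"]] = max(e["ts"], last_success.get(e["user"], e["ts"]))
    dormant = []
    for user, status in accounts.items():
        if status != "active":
            continue
        last = last_success.get(user)
        if last is None or now - last > timedelta(days=max_idle_days):
            dormant.append(user)      # an account that never logged in counts as dormant too
    return sorted(dormant)


def deactivated_account_attempts(accounts, events):
    """Any login attempt, successful or not, against an account marked disabled (16.12)."""
    return [e for e in events if accounts.get(e["user"]) == "disabled"]


def anomalous_logins(events, min_history=3, hour_slack=1):
    """Successful logins outside a user's observed hour range or from a new host (16.13).

    The baseline is built in time order from the user's own earlier logins, so
    the first min_history logins only train it. The hour range does not wrap
    past midnight; night-shift users need a baseline on shifted hours.
    """
    history = {}   # user -> ([hours seen], {hosts seen})
    flagged = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["outcome"] != "success":
            continue
        hours, hosts = history.setdefault(e["user"], ([], set()))
        reasons = []
        if len(hours) >= min_history:
            low, high = min(hours) - hour_slack, max(hours) + hour_slack
            if not low <= e["ts"].hour <= high:
                reasons.append("hour %02d outside usual %02d-%02d" % (e["ts"].hour, min(hours), max(hours)))
            if e["host"] not in hosts:
                reasons.append("first login from %s" % e["host"])
        if reasons:
            flagged.append((e["user"], e["ts"].isoformat(), reasons))
        hours.append(e["ts"].hour)
        hosts.add(e["host"])
    return flagged
```

The dormant check deliberately ignores failed logins, otherwise an attacker guessing at a stale account would keep it alive. Service accounts such as svc-backup are the usual false positive here; give them an owner and a documented schedule (16.8) rather than a longer idle window.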
Critical Security Control #17: Implement a Security Awareness and Training Program

17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.

17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.

17.5 Train workforce members on the importance of enabling and utilizing secure authentication.

17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.

17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.

17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security

18.1 Establish secure coding practices appropriate to the programming language and development environment being used.

18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
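The four properties 18.2 lists (size, data type, range, format) are easiest to see on one concrete request, so here is an added example (not part of the CIS Controls text) of a validator for a hypothetical funds-transfer body, with the loose check it replaces beside it. validate_transfer() enforces a byte limit before parsing, the JSON container type, an allow-list of fields, a fixed account-number format, a decimal-string amount with at most two places and a bounded range, and a memo limited to printable ASCII. naive_amount_ok() shows one way a casual check fails: float() accepts "NaN", and because every comparison with NaN is false, "NaN" sails through a range test. The request shape, limits and patterns are assumptions made for the example.

```python
"""Explicit input validation for Sub-Control 18.2, with a naive check beside it.

Added example, not part of the CIS Controls text. The request format,
field limits and patterns are assumed for the example.
"""
import json
import re
from decimal import Decimal

MAX_BODY_BYTES = 1024
ALLOWED_FIELDS = {"account_id", "amount", "memo"}
# Explicit character classes: [0-9] rather than \d, which also matches non-ASCII digits in Python.
ACCOUNT_RE = re.compile(r"[A-Z]{2}[0-9]{10}")
AMOUNT_RE = re.compile(r"[0-9]{1,7}(\.[0-9]{1,2})?")
MEMO_RE = re.compile(r"[\x20-\x7e]{0,140}")   # printable ASCII only, so no control characters
MIN_AMOUNT, MAX_AMOUNT = Decimal("0.01"), Decimal("1000000.00")


class ValidationError(ValueError):
    """Raised with a field name and reason; the caller maps it to a 400 response."""


def validate_transfer(raw_body):
    """Return a validated dict from a JSON request body (bytes) or raise ValidationError."""
    if len(raw_body) > MAX_BODY_BYTES:                       # size, before parsing anything
        raise ValidationError("body exceeds %d bytes" % MAX_BODY_BYTES)
    try:
        body = json.loads(raw_body)
    except ValueError:
        raise ValidationError("body is not valid JSON")
    if not isinstance(body, dict):                           # data type of the container
        raise ValidationError("body must be a JSON object")
    unexpected = set(body) - ALLOWED_FIELDS
    if unexpected:
        raise ValidationError("unexpected fields: %s" % ", ".join(sorted(unexpected)))

    account_id = body.get("account_id")
    if not isinstance(account_id, str) or not ACCOUNT_RE.fullmatch(account_id):
        raise ValidationError("account_id: expected 2 letters and 10 digits")

    amount = body.get("amount")
    # Amounts travel as strings: JSON numbers become floats, which cannot hold 0.10 exactly.
    if not isinstance(amount, str) or not AMOUNT_RE.fullmatch(amount):
        raise ValidationError("amount: expected a decimal string with at most two places")
    value = Decimal(amount)                                  # format already guaranteed above
    if not MIN_AMOUNT <= value <= MAX_AMOUNT:                # acceptable range
        raise ValidationError("amount: must be between %s and %s" % (MIN_AMOUNT, MAX_AMOUNT))

    memo = body.get("memo", "")
    if not isinstance(memo, str) or not MEMO_RE.fullmatch(memo):
        raise ValidationError("memo: up to 140 printable ASCII characters")

    return {"account_id": account_id, "amount": value, "memo": memo}


def naive_amount_ok(amount):
    """The loose check this replaces: float() accepts 'NaN', 'inf' and '1e3', and
    since every comparison with NaN is False, 'NaN' passes the range test."""
    try:
        value = float(amount)
    except (TypeError, ValueError):
        return False
    if value < 0.01 or value > 1_000_000:
        return False
    return True
```

fullmatch() is used rather than match() with a trailing `$`, because `$` also matches before a final newline and would let "ok\n" through the memo check. Rejecting unknown fields is what stops a mass-assignment style request from smuggling in a "role" or "approved" attribute that the handler never meant to read from the client.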

18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.

18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management

19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.

19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.

19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.

19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.

19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.

19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.

19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises

20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.

20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.

20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition (SCADA) and other control systems.

20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping matrix omitted: the per-sub-control "X" marks of this sheet did not survive extraction in a form that can be tied back to their rows. The matrix columns were the FFIEC Examination Handbook sections II.C.1 Policies, Standards, and Procedures; II.C.2 Technology Design; II.C.3 Control Types; II.C.4 Control Implementation; II.C.5 Inventory and Classification of Assets; II.C.6 Mitigating Interconnectivity Risk; II.C.7 User Security Controls; II.C.8 Physical Security; II.C.9 Network Controls; II.C.10 Change Management Within the IT Environment; II.C.11 End-of-Life Management; II.C.12 Malware Mitigation; II.C.13 Control of Information; II.C.14 Supply Chain; II.C.15 Logical Security; II.C.16 Customer Remote Access to Financial Services; II.C.17 Application Security; II.C.18 Database Security; II.C.19 Encryption; II.C.20 Oversight of Third-Party Service Providers; II.C.21 Business Continuity Considerations; II.C.22 Log Management.]
CIS Controls v7.1 mapped to the FFIEC Examination Handbook (2006)

Row labels of the mapping table: each CIS sub-control with the asset type v7.1 assigns to it (System, Network or Application).

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices (System; sub-controls 1.1 to 1.8)
Critical Security Control #2: Inventory of Authorized and Unauthorized Software (System; sub-controls 2.1 to 2.10)
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation (System; sub-controls 3.1 to 3.7)
Critical Security Control #4: Controlled Use of Administrative Privileges (System; sub-controls 4.1 to 4.9)
Critical Security Control #5: Secure Configurations for Hardware and Software (System; sub-controls 5.1 to 5.5)
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs (System; sub-controls 6.1 to 6.8)
Critical Security Control #7: Email and Web Browser Protections (System; sub-controls 7.1 to 7.10)
Critical Security Control #8: Malware Defenses (System; sub-controls 8.1 to 8.8)
Critical Security Control #9: Limitation and Control of Network Ports (System; sub-controls 9.1 to 9.5)
Critical Security Control #10: Data Recovery Capabilities (System; sub-controls 10.1 to 10.5)
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches (Network; sub-controls 11.1 to 11.7)
Critical Security Control #12: Boundary Defense (Network; sub-controls 12.1 to 12.12)
Critical Security Control #13: Data Protection (Network; sub-controls 13.1 to 13.9)
Critical Security Control #14: Controlled Access Based on the Need to Know (Application; sub-controls 14.1 to 14.9)
Critical Security Control #15: Wireless Access Control (Network; sub-controls 15.1 to 15.10)
Critical Security Control #16: Account Monitoring and Control (Application; sub-controls 16.1 to 16.13)
Critical Security Control #17: Implement a Security Awareness and Training Program (Application; sub-controls 17.1 to 17.9)
Critical Security Control #18: Application Software Security (Application; sub-controls 18.1 to 18.11)
Critical Security Control #19: Incident Response and Management (Application; sub-controls 19.1 to 19.8)
Critical Security Control #20: Penetration Tests and Red Team Exercises (Application; sub-controls 20.1 to 20.8)
CIS Controls (sub-control text)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

1.1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

1.2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.

1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
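Sub-Controls 1.3 to 1.6 describe one loop: DHCP logs reveal what actually took an address, the inventory records the 1.5 fields for each hardware address, and anything the two disagree about is handled under 1.6. The following added example (not part of the CIS Controls text) runs that loop over ISC dhcpd syslog lines: parse_dhcp_acks() keeps the most recent DHCPACK per MAC, and reconcile() refreshes the network address of known hardware and separates hardware never inventoried (quarantine candidates) from known hardware that was never approved to connect. The log lines, MAC addresses and inventory entries are constructed.

```python
"""Reconcile DHCP server logs with the hardware asset inventory (Sub-Controls 1.3 to 1.6).

Added example, not part of the CIS Controls text. SAMPLE_LOG and INVENTORY
are constructed data in the ISC dhcpd syslog format.
"""
import copy
import re

# Constructed syslog excerpt from an ISC dhcpd server.
SAMPLE_LOG = """\
Mar 30 08:01:12 dhcp01 dhcpd[1234]: DHCPACK on 10.0.10.21 to 3c:52:82:aa:bb:01 (LAPTOP-ALICE) via eth0
Mar 30 08:02:45 dhcp01 dhcpd[1234]: DHCPACK on 10.0.10.22 to b8:27:eb:12:34:56 via eth0
Mar 30 08:03:01 dhcp01 dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar 30 08:03:01 dhcp01 dhcpd[1234]: DHCPOFFER on 10.0.10.23 to 00:11:22:33:44:55 via eth0
Mar 30 08:03:02 dhcp01 dhcpd[1234]: DHCPREQUEST for 10.0.10.23 from 00:11:22:33:44:55 via eth0
Mar 30 08:03:02 dhcp01 dhcpd[1234]: DHCPACK on 10.0.10.23 to 00:11:22:33:44:55 via eth0
Mar 30 09:15:40 dhcp01 dhcpd[1234]: DHCPACK on 10.0.10.31 to 3c:52:82:aa:bb:01 (LAPTOP-ALICE) via eth1
"""

# Constructed inventory keyed by hardware address, carrying the fields Sub-Control 1.5 requires.
INVENTORY = {
    "3c:52:82:aa:bb:01": {"name": "LAPTOP-ALICE", "owner": "alice", "department": "Finance",
                          "approved": True, "ip": None},
    "b8:27:eb:12:34:56": {"name": "pi-sensor-3", "owner": "facilities", "department": "Facilities",
                          "approved": False, "ip": None},
}

# Only DHCPACK means a lease was actually granted; DISCOVER/OFFER/REQUEST are not used.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_dhcp_acks(lines):
    """Return {mac: {"ip", "host", "iface"}} holding the most recent ACK per hardware address."""
    leases = {}
    for line in lines:
        m = ACK_RE.search(line)
        if m:
            leases[m.group("mac").lower()] = {"ip": m.group("ip"), "host": m.group("host"),
                                              "iface": m.group("iface")}
    return leases


def reconcile(leases, inventory):
    """Return (updated_inventory, unknown_macs, unapproved_macs); the input inventory is not modified."""
    updated = copy.deepcopy(inventory)
    unknown, unapproved = [], []
    for mac, lease in leases.items():
        if mac in updated:
            updated[mac]["ip"] = lease["ip"]          # 1.3: keep the network address current
            if not updated[mac]["approved"]:
                unapproved.append(mac)                # known hardware that was never approved (1.6)
        else:
            unknown.append(mac)                       # never inventoried: quarantine candidate (1.6)
            updated[mac] = {"name": lease["host"], "owner": None, "department": None,
                            "approved": False, "ip": lease["ip"]}
    return updated, sorted(unknown), sorted(unapproved)
```

A DHCP view only covers devices that ask for an address; statically configured hosts never appear in it, which is why the control pairs it with the active and passive discovery of 1.1 and 1.2. The hostname in the ACK is supplied by the client and should be treated as a hint, not an identity, which is also why the unknown entry is created with approved set to False rather than taking the name at face value.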

1.7 Utilize port level access control, following 802.1X standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

4.1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

4.2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

4.3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.

4.4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

4.5 Use multi-factor authentication and encrypted channels for all administrative account access.

4.6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.

4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.

4.8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software

5.1 Maintain documented security configuration standards for all authorized operating systems and software.

5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

6.2 Ensure that local logging has been enabled on all systems and networking devices.

6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.

6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.

6.7 On a regular basis, review logs to identify anomalies or abnormal events.

6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections

7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.

7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping grid: each sub-control above is marked against the security program categories below. The column headers are recovered from the sheet; the individual X marks are not legible in this extract and are omitted.]

A Authentication and Access Controls
B Network Security
C Host Security
D User Equipment Security (Workstation, Laptop, Handheld)
E Physical Security
F Personnel Security
G Application Security
H Software Development & Acquisition Security
I Business Continuity -
J Service Provider Oversight - Security
K Encryption
L Data Security
M Security Monitoring
CIS Controls v7.1 mapped to the FFIEC's Cybersecurity Assessment Tool
(CAT)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping columns (recovered from the column headings of the mapping matrix):

Domain 1: Cyber Risk Management & Oversight - Governance
Domain 1: Cyber Risk Management & Oversight - Risk Management
Domain 1: Cyber Risk Management & Oversight - Resources
Domain 1: Cyber Risk Management & Oversight - Training and Culture
Domain 2: Threat Intelligence & Collaboration - Threat Intelligence
Domain 2: Threat Intelligence & Collaboration - Monitoring and Analyzing
Domain 2: Threat Intelligence & Collaboration - Information Sharing
Domain 3: Cybersecurity Controls - Preventative Controls
Domain 3: Cybersecurity Controls - Detective Controls
Domain 3: Cybersecurity Controls - Corrective Controls
Domain 4: External Dependency Management - Connections
Domain 4: External Dependency Management - Relationship Management
Domain 5: Cyber Incident Management and Resilience - Incident Resilience Planning and Strategy
Domain 5: Cyber Incident Management and Resilience - Detection, Response, and Mitigation
Domain 5: Cyber Incident Management and Resilience - Escalation and Reporting

[Mapping matrix: the "X" marks recording which sub-control maps to which column were flattened by extraction and cannot be attributed to their rows; only the column headings above are recoverable.]
CIS Controls v7.1 mapped to COBIT 5

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls


Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network or quarantined, or that the
inventory is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locating all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Management).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping columns (COBIT 5 process reference and name):

EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimisation
EDM04 Ensure Resource Optimisation
EDM05 Ensure Stakeholder Transparency
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security
BAI01 Manage Programmes and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organisational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

[Mapping grid: an X marks each cell where a CIS sub-control maps to a COBIT 5 process; the row labels for the X cells were not preserved in this extract.]
CIS Controls v7.1 mapped to the AICPA's Trust Services Criteria (2017) for
SOC2 & SOC3 Assessments

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6
Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2
Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
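Sub-controls 1.3 through 1.6 describe one loop: take what the DHCP server saw, look each device up in the hardware asset inventory, and either quarantine the device or correct the inventory. The script below is an added illustration of that reconciliation and is not part of the CIS mapping tool. The lease lines (a simplified ISC dhcpd.leases layout), the inventory records and the classification labels are constructed assumptions.

```python
"""Reconcile DHCP lease records against a hardware asset inventory (CIS 1.3 to 1.6).

Added example, not part of the mapping tool. The lease text below imitates ISC
dhcpd.leases records (an assumed format) and the inventory is a constructed sample.
"""
import re
from dataclasses import dataclass

# Constructed sample leases (assumed dhcpd.leases-style layout).
SAMPLE_LEASES = """\
lease 10.0.20.15 { hardware ethernet 00:1a:2b:3c:4d:5e; client-hostname "fin-ws-017"; }
lease 10.0.20.16 { hardware ethernet 00:1a:2b:3c:4d:5f; client-hostname "fin-ws-018"; }
lease 10.0.20.77 { hardware ethernet 8c:16:45:aa:bb:cc; client-hostname "android-7f3e"; }
lease 10.0.30.5 { hardware ethernet 00:50:56:01:02:03; client-hostname "build-agent-2"; }
"""

# Constructed inventory keyed by hardware address, carrying the CIS 1.5 fields.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"name": "fin-ws-017", "owner": "j.doe", "dept": "Finance",
                          "approved": True, "ip": "10.0.20.15"},
    "00:1a:2b:3c:4d:5f": {"name": "fin-ws-018", "owner": "a.roe", "dept": "Finance",
                          "approved": True, "ip": "10.0.20.99"},    # stale address
    "00:50:56:01:02:03": {"name": "build-agent-2", "owner": "ci-team", "dept": "Eng",
                          "approved": False, "ip": "10.0.30.5"},    # not yet approved
}

# One lease record: address, MAC, optional hostname; never read past the closing brace.
LEASE_RE = re.compile(
    r'lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{[^}]*?hardware ethernet\s+(?P<mac>[0-9a-f:]{17});'
    r'(?:[^}]*?client-hostname\s+"(?P<host>[^"]*)")?',
    re.IGNORECASE)


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    status: str   # "ok", "unknown", "not_approved" or "inventory_stale"


def parse_leases(text):
    """Yield (ip, mac, hostname) for every lease record in the text."""
    for m in LEASE_RE.finditer(text):
        yield m.group("ip"), m.group("mac").lower(), m.group("host") or ""


def reconcile(lease_text, inventory):
    """Classify each leased device against the inventory (CIS 1.4 to 1.6)."""
    findings = []
    for ip, mac, host in parse_leases(lease_text):
        rec = inventory.get(mac)
        if rec is None:
            status = "unknown"            # not inventoried: quarantine, then decide
        elif not rec["approved"]:
            status = "not_approved"       # inventoried but not cleared to connect
        elif rec["ip"] != ip or rec["name"] != host:
            status = "inventory_stale"    # device is fine; the record needs updating
        else:
            status = "ok"
        findings.append(Finding(mac, ip, host, status))
    return findings


def needs_action(findings):
    """Everything that is not a clean match: the 1.6 work queue."""
    return [f for f in findings if f.status != "ok"]


if __name__ == "__main__":
    for f in reconcile(SAMPLE_LEASES, INVENTORY):
        print(f"{f.status:16} {f.mac}  {f.ip:14} {f.hostname}")
```

A device that appears as "unknown" here is exactly what 1.6 asks you to remove or quarantine; "inventory_stale" is the cheaper case where the network is right and the record is wrong. The same reconcile step works unchanged on active or passive discovery output once it is reduced to (address, MAC, name) tuples.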
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
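Sub-controls 3.6 and 3.7 together are a diff plus a clock: compare the previous scan with the current one to see what was fixed, what is new and what persists, then judge the persisting findings against a severity-based remediation deadline. The script below is an added example and not part of the mapping tool; the two scan snapshots, the finding identifiers and the SLA days per severity are constructed assumptions.

```python
"""Diff consecutive vulnerability scans and flag remediation SLA breaches (CIS 3.6, 3.7).

Added example, not part of the mapping tool. Scan snapshots, finding IDs and the
severity-to-deadline table are constructed assumptions.
"""
from datetime import date

# Constructed snapshots: (host, finding id) -> (severity, first seen, ISO date)
PREVIOUS_SCAN = {
    ("srv-web-01", "FIND-1001"): ("critical", "2024-01-02"),
    ("srv-web-01", "FIND-1002"): ("medium",   "2024-01-02"),
    ("srv-db-01",  "FIND-1003"): ("high",     "2024-01-09"),
}
CURRENT_SCAN = {
    ("srv-web-01", "FIND-1001"): ("critical", "2024-01-02"),   # still open
    ("srv-db-01",  "FIND-1003"): ("high",     "2024-01-09"),   # still open
    ("srv-db-01",  "FIND-1004"): ("low",      "2024-01-16"),   # new this week
}

# Assumed risk-rating policy (CIS 3.7): maximum days open by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def diff_scans(previous, current):
    """Return (remediated, new, persisting) finding keys between two scans (CIS 3.6)."""
    prev_keys, cur_keys = set(previous), set(current)
    remediated = sorted(prev_keys - cur_keys)   # gone from the latest scan
    new = sorted(cur_keys - prev_keys)          # first seen in the latest scan
    persisting = sorted(prev_keys & cur_keys)   # carried over, age keeps growing
    return remediated, new, persisting


def sla_breaches(current, as_of, sla_days=SLA_DAYS):
    """Open findings past their severity deadline, worst overrun first (CIS 3.7)."""
    today = date.fromisoformat(as_of)
    breaches = []
    for (host, vid), (severity, first_seen) in current.items():
        age = (today - date.fromisoformat(first_seen)).days
        limit = sla_days[severity]
        if age > limit:
            breaches.append({"host": host, "id": vid, "severity": severity,
                             "days_open": age, "days_over": age - limit})
    return sorted(breaches, key=lambda b: b["days_over"], reverse=True)


def remediation_summary(previous, current, as_of):
    """Numbers a weekly report needs: fixed, new, carried over, and out of SLA."""
    remediated, new, persisting = diff_scans(previous, current)
    return {"remediated": len(remediated), "new": len(new),
            "persisting": len(persisting),
            "sla_breaches": len(sla_breaches(current, as_of))}


if __name__ == "__main__":
    print(remediation_summary(PREVIOUS_SCAN, CURRENT_SCAN, "2024-01-16"))
    for b in sla_breaches(CURRENT_SCAN, "2024-01-16"):
        print(b)
```

The key is (host, finding id) rather than finding id alone, so that a vulnerability fixed on one server but still present on another is not counted as remediated. The first-seen date must be carried forward from the earlier scan, otherwise every rescan resets the clock and no finding ever breaches.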

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
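Sub-controls 4.8 and 4.9 are detection rules over the audit log: alert on any membership change in a group that carries administrative rights, and on every failed logon to an administrative account. The script below is an added example, not part of the mapping tool. The event records are constructed to resemble Windows Security log fields as a collector would export them; the group list and admin account list stand in for the 4.1 inventory and are assumptions.

```python
"""Detect privileged-group changes and failed admin logons (CIS 4.8, 4.9).

Added example, not part of the mapping tool. Events are constructed samples shaped
like collector-exported Windows Security log records; the privileged group names
and admin accounts are an assumed inventory.
"""
# Windows Security event IDs: member added to / removed from a security-enabled
# global (4728/4729), local (4732/4733) or universal (4756/4757) group; failed logon.
GROUP_ADD = {4728, 4732, 4756}
GROUP_REMOVE = {4729, 4733, 4757}
FAILED_LOGON = 4625

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}  # assumed
ADMIN_ACCOUNTS = {"CORP\\adm-jdoe", "CORP\\adm-aroe"}                       # assumed (CIS 4.1)

# Constructed sample events.
SAMPLE_EVENTS = [
    {"EventID": 4732, "TargetGroup": "Administrators", "MemberName": "CORP\\jdoe",
     "SubjectUserName": "CORP\\adm-jdoe", "Computer": "WS-017"},
    {"EventID": 4728, "TargetGroup": "Domain Admins", "MemberName": "CORP\\svc-backup",
     "SubjectUserName": "CORP\\adm-aroe", "Computer": "DC-01"},
    {"EventID": 4732, "TargetGroup": "Remote Desktop Users", "MemberName": "CORP\\jdoe",
     "SubjectUserName": "CORP\\adm-jdoe", "Computer": "WS-017"},
    {"EventID": 4625, "TargetUserName": "CORP\\adm-aroe", "IpAddress": "10.0.20.77", "Computer": "DC-01"},
    {"EventID": 4625, "TargetUserName": "CORP\\adm-aroe", "IpAddress": "10.0.20.77", "Computer": "DC-01"},
    {"EventID": 4625, "TargetUserName": "CORP\\adm-aroe", "IpAddress": "10.0.20.77", "Computer": "DC-01"},
    {"EventID": 4625, "TargetUserName": "CORP\\jdoe", "IpAddress": "10.0.20.15", "Computer": "WS-017"},
    {"EventID": 4729, "TargetGroup": "Domain Admins", "MemberName": "CORP\\svc-backup",
     "SubjectUserName": "CORP\\adm-aroe", "Computer": "DC-01"},
]


def privileged_group_changes(events, groups=PRIVILEGED_GROUPS):
    """CIS 4.8: every add or remove that touches a group carrying admin rights."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if (eid in GROUP_ADD or eid in GROUP_REMOVE) and e.get("TargetGroup") in groups:
            alerts.append({"action": "added" if eid in GROUP_ADD else "removed",
                           "group": e["TargetGroup"], "member": e["MemberName"],
                           "by": e["SubjectUserName"], "host": e["Computer"]})
    return alerts


def failed_admin_logons(events, admins=ADMIN_ACCOUNTS, threshold=1):
    """CIS 4.9: failed logons against admin accounts, counted per account and source.

    threshold=1 alerts on every failure, which is what the control asks for; only
    raise it when the SIEM keeps the raw events and the alert is a summary."""
    counts = {}
    for e in events:
        if e.get("EventID") == FAILED_LOGON and e.get("TargetUserName") in admins:
            key = (e["TargetUserName"], e.get("IpAddress", "-"))
            counts[key] = counts.get(key, 0) + 1
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for a in privileged_group_changes(SAMPLE_EVENTS):
        print("GROUP CHANGE", a)
    for (user, src), n in failed_admin_logons(SAMPLE_EVENTS).items():
        print("FAILED ADMIN LOGON", user, "from", src, "x", n)
```

The add followed by a remove of the same member is the pattern worth watching for: an attacker who grants a service account Domain Admins, uses it, and takes it back leaves only these two events behind, so both directions must alert, not just additions.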
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
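Sub-control 7.8 says start with SPF and DKIM and then add DMARC; the reason is that DMARC adds nothing by itself. It only asks whether at least one of those two results both passed and was for a domain aligned with the visible From: header, and then says what to do when neither did. The script below is an added example, not part of the mapping tool, that implements that verdict over constructed inputs. The organizational domain is approximated as the last two labels (a stand-in for the public suffix list a real verifier consults), the domains use the reserved .test TLD, and the pct and sp tags are ignored.

```python
"""DMARC verdict: aligned SPF or aligned DKIM must pass (CIS 7.8).

Added example, not part of the mapping tool. Domains are constructed (.test TLD).
Assumption: organizational domain = last two labels, standing in for the public
suffix list; pct= and sp= are not applied.
"""


def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; aspf=r; ...') into tags with defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")     # policy when the message fails
    tags.setdefault("adkim", "r")    # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")     # SPF alignment: r(elaxed) or s(trict)
    return tags


def org_domain(domain):
    # Assumption: two-label organizational domain, no public suffix list lookup.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the RFC5321.MailFrom domain the SPF check covered; dkim_domain is
    the d= of a signature that verified (None if there was none)."""
    pol = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, pol["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, pol["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", pol["p"]


# Constructed policy for the domain being protected.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.test"

if __name__ == "__main__":
    cases = [
        ("bounce subdomain, SPF pass, relaxed", "pass", "bounce.example.test", "none", None),
        ("third-party sender, unaligned SPF, strict DKIM on subdomain", "pass", "attacker.test", "pass", "news.example.test"),
        ("SPF fails, DKIM d= matches exactly", "fail", "attacker.test", "pass", "example.test"),
    ]
    for label, spf_r, spf_d, dkim_r, dkim_d in cases:
        print(f"{label}: {evaluate('example.test', RECORD, spf_r, spf_d, dkim_r, dkim_d)}")
```

The second case is the one that bites in practice: SPF passed, DKIM passed, and the message is still rejected, because neither pass was for an aligned domain. A mailing provider that signs with its own d= or bounces from its own envelope domain needs a delegated subdomain or a key under the protected domain before p=reject is safe to publish.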
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
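Sub-controls 9.1 and 9.3 close a loop: record the authorized ports and protocols per asset, scan regularly, and alert on anything listening that the inventory does not cover. The script below is an added example, not part of the mapping tool. It parses nmap "grepable" (-oG) output, which really does use one `Host:` line per target with a `Ports:` field of `port/state/proto/owner/service/rpc/version/` entries; the scan lines and the authorized-ports inventory are constructed samples.

```python
"""Flag listening ports the asset inventory does not authorize (CIS 9.1, 9.3).

Added example, not part of the mapping tool. Parses nmap -oG output (constructed
sample below) and compares open ports per host with the inventory's authorized set.
"""
import re

# Constructed sample in nmap grepable layout (tabs separate the fields).
SAMPLE_NMAP_OG = """\
# Nmap scan initiated as: nmap -oG - -p- 10.0.30.0/24
Host: 10.0.30.5 (build-agent-2)\tStatus: Up
Host: 10.0.30.5 (build-agent-2)\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65533)
Host: 10.0.30.9 (srv-db-01)\tStatus: Up
Host: 10.0.30.9 (srv-db-01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65532)
Host: 10.0.30.40 ()\tStatus: Up
Host: 10.0.30.40 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (65534)
# Nmap done
"""

# CIS 9.1: authorized (port, protocol) per asset, keyed by address. Constructed.
AUTHORIZED = {
    "10.0.30.5": {(22, "tcp")},
    "10.0.30.9": {(22, "tcp"), (5432, "tcp")},
}

PORTS_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*?)(?:\t|$)")


def parse_open_ports(text):
    """Map ip -> set of (port, proto) reported open; filtered/closed entries are dropped."""
    result = {}
    for line in text.splitlines():
        m = PORTS_RE.match(line)
        if not m:
            continue
        open_ports = set()
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
        result[m.group("ip")] = open_ports
    return result


def find_unauthorized(scan, authorized):
    """CIS 9.3 alert list: unknown hosts, and known hosts with ports beyond their allowance."""
    findings = []
    for ip, ports in scan.items():
        allowed = authorized.get(ip)
        if allowed is None:
            findings.append({"ip": ip, "reason": "host not in inventory", "ports": sorted(ports)})
            continue
        extra = ports - allowed
        if extra:
            findings.append({"ip": ip, "reason": "unauthorized open ports", "ports": sorted(extra)})
    return findings


if __name__ == "__main__":
    for f in find_unauthorized(parse_open_ports(SAMPLE_NMAP_OG), AUTHORIZED):
        print(f)
```

Feeding the scanner a full port range (-p-) matters: a default top-ports scan would never see a listener moved to an unusual port. The "host not in inventory" case is handed back to Control 1; the "unauthorized open ports" case is the 9.2 decision about whether the service has a validated business need.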
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
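Sub-controls 16.9 and 16.13 both need the same raw material, a logon history per account. From it you can find accounts that have gone quiet (or were never used) and build a per-user baseline of usual hours and workstations against which a new logon is scored. The script below is an added example, not part of the mapping tool. The logon history, the account inventory, the 45-day dormancy window and the minimum baseline size are constructed assumptions; session duration, the third signal 16.13 names, is not modelled.

```python
"""Dormant accounts and login-behaviour deviations (CIS 16.9, 16.13).

Added example, not part of the mapping tool. History, account list, the 45-day
idle window and the minimum baseline size are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon history: (user, local timestamp, workstation)
HISTORY = [
    ("jdoe", "2024-03-04 08:55", "WS-017"), ("jdoe", "2024-03-05 09:10", "WS-017"),
    ("jdoe", "2024-03-06 08:40", "WS-017"), ("jdoe", "2024-03-07 09:05", "WS-017"),
    ("jdoe", "2024-03-08 08:50", "WS-017"), ("jdoe", "2024-03-11 09:00", "WS-017"),
    ("aroe", "2024-03-04 13:20", "WS-022"), ("aroe", "2024-03-06 14:05", "WS-022"),
    ("aroe", "2024-03-08 12:45", "WS-023"), ("aroe", "2024-03-11 13:30", "WS-022"),
    ("svc-old", "2023-11-02 03:00", "SRV-01"),
]
ACCOUNTS = {"jdoe", "aroe", "svc-old", "contractor-x"}   # CIS 16.6 inventory (constructed)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def dormant_accounts(history, accounts, as_of, max_idle_days=45):
    """CIS 16.9: accounts with no logon inside the window, including never-used ones."""
    last = {}
    for user, ts, _ in history:
        t = parse_ts(ts)
        if user not in last or t > last[user]:
            last[user] = t
    cutoff = parse_ts(as_of) - timedelta(days=max_idle_days)
    return sorted(u for u in accounts if last.get(u, datetime.min) < cutoff)


def build_baseline(history, min_events=4):
    """Per user: usual logon hours (observed hour +-1) and workstations seen.

    Users with fewer than min_events logons get no baseline rather than a noisy one."""
    hours, hosts, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for user, ts, host in history:
        h = parse_ts(ts).hour
        hours[user].update({(h - 1) % 24, h, (h + 1) % 24})
        hosts[user].add(host)
        count[user] += 1
    return {u: {"hours": hours[u], "hosts": hosts[u]} for u in count if count[u] >= min_events}


def score_logon(baseline, user, ts, host):
    """CIS 16.13: list the ways one logon deviates from the user's baseline (empty = normal)."""
    b = baseline.get(user)
    if b is None:
        return ["no baseline"]
    deviations = []
    if parse_ts(ts).hour not in b["hours"]:
        deviations.append("unusual hour")
    if host not in b["hosts"]:
        deviations.append("unusual workstation")
    return deviations


if __name__ == "__main__":
    print("dormant:", dormant_accounts(HISTORY, ACCOUNTS, "2024-03-12 00:00"))
    bl = build_baseline(HISTORY)
    for user, ts, host in [("jdoe", "2024-03-12 02:30", "WS-017"),
                           ("jdoe", "2024-03-12 09:00", "WS-099"),
                           ("aroe", "2024-03-12 13:15", "WS-022")]:
        print(user, ts, host, score_logon(bl, user, ts, host) or "normal")
```

An account with no baseline is itself a signal: either it is new, in which case 16.7 says a business owner should be on record for it, or it is one of the dormant accounts 16.9 should already have disabled, in which case a logon attempt belongs in the 16.12 alert stream.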
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Trust Services Criteria (2017) columns of the mapping matrix:
Control Environment: CC 1.1, CC 1.2, CC 1.3, CC 1.4, CC 1.5
Communication and Information: CC 2.1, CC 2.2, CC 2.3
Risk Assessment: CC 3.1, CC 3.2, CC 3.3
Monitoring Activities: CC 4.1, CC 4.2
Control Activities: CC 5.1, CC 5.2, CC 5.3
Logical and Physical Access Controls: CC 6.1, CC 6.2, CC 6.3, CC 6.4, CC 6.5, CC 6.6, CC 6.7, CC 6.8
System Operations: CC 7.1, CC 7.2, CC 7.3, CC 7.4, CC 7.5
Change Management: CC 8.1
Risk Mitigation: CC 9.1, CC 9.2
Additional Criteria for Availability: A 1.1, A 1.2, A 1.3
Additional Criteria for Confidentiality: C 1.1, C 1.2
Additional Criteria for Processing Integrity: PI 1.1, PI 1.2, PI 1.3, PI 1.4, PI 1.5
Additional Criteria for Privacy: P 1.0, P 2.0, P 3.0, P 4.0, P 5.0, P 6.0, P 7.0, P 8.0

[Mapping matrix: the per-sub-control "X" marks against these criteria columns do not survive this export with their row and column positions.]
CIS Controls v7.1 mapped to the AICPA's Trust Services Principles and
Criteria for SOC2 & SOC3 Assessments

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2
Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1
Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12
Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9
Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4
Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls v7.1 mapped to the AICPA's Trust Services Principles and Criteria for SOC2 & SOC3 Assessments

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1: Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
System 1.2: Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
System 1.3: Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
System 1.4: Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
System 1.5: Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
System 1.6: Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
System 1.7: Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
System 1.8: Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1: Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
System 2.2: Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
System 2.3: Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
System 2.4: The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
System 2.5: The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
System 2.6: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
System 2.7: Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
System 2.8: The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
System 2.9: The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
System 2.10: Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1: Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
System 3.2: Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
System 3.3: Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
System 3.4: Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
System 3.5: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
System 3.6: Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
System 3.7: Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1: Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
System 4.2: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
System 4.3: Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
System 4.4: Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
System 4.5: Use multi-factor authentication and encrypted channels for all administrative account access.
System 4.6: Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
System 4.7: Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
System 4.8: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
System 4.9: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1: Maintain documented security configuration standards for all authorized operating systems and software.
System 5.2: Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
System 5.3: Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
System 5.4: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
System 5.5: Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
System 6.2: Ensure that local logging has been enabled on all systems and networking devices.
System 6.3: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
System 6.4: Ensure that all systems that store logs have adequate storage space for the logs generated.
System 6.5: Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
System 6.6: Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
System 6.7: On a regular basis, review logs to identify anomalies or abnormal events.
System 6.8: On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections
System 7.1: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
System 7.2: Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
System 7.3: Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
System 7.4: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
System 7.5: Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
System 7.6: Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
System 7.7: Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
System 7.8: To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
System 7.9: Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
System 7.10: Use sandboxing to analyze and block inbound email attachments with malicious behavior.
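Sub-control 7.8 names the three mechanisms but not how a receiving mail gateway combines them, which is where spoofed mail is actually stopped. The following Python is an added example (not from the AuditScripts mapping or the CIS Controls text) of receiver-side DMARC evaluation: it parses constructed SPF and DMARC TXT records, applies identifier alignment in relaxed or strict mode, and returns the publisher's requested disposition. The domains and records are assumptions, no DNS is queried, and the two-label organizational-domain shortcut is a stand-in for a Public Suffix List lookup.

```python
"""Receiver-side DMARC evaluation (added example for CIS sub-control 7.8).

Not from the AuditScripts mapping. TXT_RECORDS stands in for DNS lookups;
the records, domains and the two-label organizational-domain rule are
assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed TXT records: what a lookup of example.com (SPF) and
# _dmarc.example.com (DMARC) would return. Assumed values.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "pct=100; rua=mailto:dmarc@example.com"),
}


def parse_tags(record):
    """Split 'tag=value; tag=value' (DMARC syntax) into a dict of lower-case tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Qualifier on the terminal 'all' mechanism: '-', '~', '?' or '+'; None if absent.
    A bare 'all' is '+all', which lets any host pass SPF for the domain."""
    if not record.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return None
    return match.group(1) or "+"


def organizational_domain(fqdn):
    """Assumed shortcut: last two labels. Real code uses the Public Suffix List
    (co.uk and similar break the shortcut)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return organizational_domain(identifier) == organizational_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str   # domain in the RFC 5322 From header (what the user sees)
    spf_domain: str    # RFC 5321 MailFrom domain that SPF was evaluated for
    spf_pass: bool
    dkim_domain: str   # d= of a signature that verified, or "" if none
    dkim_pass: bool


def dmarc_verdict(result, records=TXT_RECORDS):
    """Return (verdict, action): verdict is 'pass', 'fail' or 'none' (no policy);
    action is the publisher's requested disposition, 'none' unless the verdict is 'fail'."""
    policy = records.get("_dmarc." + result.from_domain)
    is_subdomain = False
    if policy is None:
        # No record for the exact From domain: fall back to the organizational domain
        org = organizational_domain(result.from_domain)
        policy = records.get("_dmarc." + org)
        is_subdomain = org != result.from_domain
    if policy is None:
        return "none", "none"
    tags = parse_tags(policy)
    if tags.get("v", "").upper() != "DMARC1":
        return "none", "none"
    spf_ok = result.spf_pass and aligned(result.spf_domain, result.from_domain, tags.get("aspf", "r"))
    dkim_ok = result.dkim_pass and aligned(result.dkim_domain, result.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    if is_subdomain and "sp" in tags:
        return "fail", tags["sp"].lower()
    return "fail", tags.get("p", "none").lower()


if __name__ == "__main__":
    spoof = AuthResult("example.com", "attacker.example", True, "", False)
    print(spf_all_qualifier(TXT_RECORDS["example.com"]), dmarc_verdict(spoof))
```

The spoof case is the one 7.8 is aimed at: SPF passes, but for the attacker's own MailFrom domain, so it is not aligned with the visible From domain and the message fails DMARC. Publishing p=none first, reading the rua reports, and only then moving to quarantine and reject is the usual rollout; the code treats p=none the same as any other action value.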
Critical Security Control #8: Malware Defenses
System 8.1: Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
System 8.2: Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
System 8.3: Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
System 8.4: Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
System 8.5: Configure devices to not auto-run content from removable media.
System 8.6: Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
System 8.7: Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
System 8.8: Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
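Sub-control 8.7 asks for DNS query logging; the detection value comes from matching the logged names against a malicious-domain list correctly, and the usual mistake is a plain suffix match that flags notevil.example for evil.example. The following is an added example (not from the AuditScripts mapping): constructed query-log lines in a BIND-style layout are parsed and matched against a constructed blocklist on label boundaries, so an entry hits for itself and its subdomains only. The line format, names and addresses are assumptions; real querylog field order varies by version, so the regular expression is the part to adapt.

```python
"""Match DNS query logs against a malicious-domain list (added example for CIS 8.7).

Not from the AuditScripts mapping. SAMPLE_LOG is constructed in a BIND-style
querylog layout (real field order varies by version; adjust LINE_RE), and
BLOCKLIST is a constructed list. All names and addresses are assumptions.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
10-Jan-2024 09:12:01.101 client 10.20.0.15#51234 (www.example.com): query: www.example.com IN A + (10.20.0.2)
10-Jan-2024 09:12:03.404 client 10.20.0.15#51240 (update.evil-c2.example): query: update.evil-c2.example IN A + (10.20.0.2)
10-Jan-2024 09:12:05.220 client 10.20.0.31#44100 (notevil-c2.example): query: notevil-c2.example IN A + (10.20.0.2)
10-Jan-2024 09:12:07.812 client 10.20.0.31#44101 (evil-c2.example): query: evil-c2.example IN TXT + (10.20.0.2)
10-Jan-2024 09:12:09.000 client 10.20.0.40#39001 (a1b2c3.dga-family.example): query: A1B2C3.dga-family.example. IN A + (10.20.0.2)
"""

BLOCKLIST = {"evil-c2.example", "dga-family.example"}

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def normalize(name):
    """Lower-case and drop the trailing dot so 'Evil.Example.' and 'evil.example' compare equal."""
    return name.lower().rstrip(".")


def is_blocked(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry that covers qname, or None.
    Matching walks label boundaries: 'evil-c2.example' and 'x.evil-c2.example' hit,
    while 'notevil-c2.example' (which a plain endswith() would catch) does not."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_querylog(text, blocklist=BLOCKLIST):
    """Return (hits, per_client): hits is a list of (client_ip, qname, qtype, entry)
    for every query of a blocklisted name; per_client counts hits by source address,
    which is the pivot an incident handler needs to find the compromised host."""
    hits = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        entry = is_blocked(match["qname"], blocklist)
        if entry:
            hits.append((match["ip"], normalize(match["qname"]), match["qtype"], entry))
    return hits, Counter(hit[0] for hit in hits)


if __name__ == "__main__":
    for hit in scan_querylog(SAMPLE_LOG)[0]:
        print(hit)
```

The TXT lookup for the bare command-and-control domain is kept deliberately: beaconing often uses record types other than A, so the match is on the name, not the query type.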
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1: Associate active ports, services, and protocols to the hardware assets in the asset inventory.
System 9.2: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
System 9.3: Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
System 9.4: Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
System 9.5: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
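Sub-controls 9.1 and 9.3 work as a pair: the inventory records which (port, protocol) pairs each asset is approved to expose, and the periodic scan is diffed against it. The following is an added example (not from the AuditScripts mapping) of that diff: it parses a constructed sample laid out like nmap grepable output (-oG), keeps only ports in state open, and reports every listener the inventory does not approve, including every port on a host the inventory has never heard of. The addresses, hostnames and inventory are assumptions.

```python
"""Diff scanned listeners against the asset inventory (added example for CIS 9.1 and 9.3).

Not from the AuditScripts mapping. SCAN_OUTPUT is a constructed sample laid
out like nmap grepable output (-oG); INVENTORY is a constructed allow-list of
approved (port, protocol) pairs per asset. Addresses and names are assumptions.
"""
import re

SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.20.0.5 (web01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.20.0.6 (db01.example.internal)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.20.0.7 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# host -> approved (port, protocol) pairs, the association sub-control 9.1 asks for
INVENTORY = {
    "10.20.0.5": {(22, "tcp"), (443, "tcp")},
    "10.20.0.6": {(22, "tcp"), (5432, "tcp")},
}

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>[^\t]*)")


def parse_grepable(text):
    """Yield (ip, hostname, [(port, proto, service), ...]) for each Host line,
    keeping only entries whose state is 'open'; 'filtered' and 'closed' are not listeners.
    Each port entry is port/state/proto/owner/service/rpcinfo/version/."""
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue
        listeners = []
        for entry in match["ports"].split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open":
                listeners.append((port, proto, service))
        yield match["ip"], match["name"], listeners


def find_unauthorized(scan_text, inventory):
    """Return {ip: [(port, proto, service), ...]} for open ports the inventory does not
    approve. A host the inventory does not know gets every open port reported, which
    also surfaces the unknown device itself (CSC 1)."""
    findings = {}
    for ip, _name, listeners in parse_grepable(scan_text):
        approved = inventory.get(ip, set())
        unexpected = [(p, proto, svc) for p, proto, svc in listeners if (p, proto) not in approved]
        if unexpected:
            findings[ip] = unexpected
    return findings


if __name__ == "__main__":
    for ip, ports in find_unauthorized(SCAN_OUTPUT, INVENTORY).items():
        print(f"ALERT {ip}: unauthorized listeners {ports}")
```

Scanning only TCP, as the sample does, leaves UDP listeners unchecked; a production job runs a UDP scan as well and feeds both through the same comparison, and treats a host that answers on nothing as a separate finding rather than as clean.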
Critical Security Control #10: Data Recovery Capabilities
System 10.1: Ensure that all system data is automatically backed up on a regular basis.
System 10.2: Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
System 10.3: Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
System 10.4: Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
System 10.5: Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1: Maintain documented security configuration standards for all authorized network devices.
Network 11.2: All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Network 11.3: Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Network 11.4: Install the latest stable version of any security-related updates on all network devices.
Network 11.5: Manage all network devices using multi-factor authentication and encrypted sessions.
Network 11.6: Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Network 11.7: Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Network 12.1: Maintain an up-to-date inventory of all of the organization's network boundaries.
Network 12.2: Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Network 12.3: Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Network 12.4: Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Network 12.5: Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Network 12.6: Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Network 12.7: Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Network 12.8: Enable the collection of NetFlow and logging data on all network boundary devices.
Network 12.9: Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Network 12.10: Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Network 12.11: Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Network 12.12: Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
Network 13.1: Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Network 13.2: Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Network 13.3: Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
Network 13.4: Only allow access to authorized cloud storage or email providers.
Network 13.5: Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Network 13.6: Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
Network 13.7: If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Network 13.8: Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
Network 13.9: If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1: Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Application 14.2: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Application 14.3: Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
Application 14.4: Encrypt all sensitive information in transit.
Application 14.5: Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Application 14.6: Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Application 14.7: Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Application 14.8: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Application 14.9: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Network 15.1: Maintain an inventory of authorized wireless access points connected to the wired network.
Network 15.2: Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Network 15.3: Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Network 15.4: Disable wireless access on devices that do not have a business purpose for wireless access.
Network 15.5: Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
Network 15.6: Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Network 15.7: Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Network 15.8: Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.
Network 15.9: Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
Network 15.10: Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Application 16.1: Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Application 16.2: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Application 16.3: Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Application 16.4: Encrypt or hash with a salt all authentication credentials when stored.
Application 16.5: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Application 16.6: Maintain an inventory of all accounts organized by authentication system.
Application 16.7: Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Application 16.8: Disable any account that cannot be associated with a business process or business owner.
Application 16.9: Automatically disable dormant accounts after a set period of inactivity.
Application 16.10: Ensure that all accounts have an expiration date that is monitored and enforced.
Application 16.11: Automatically lock workstation sessions after a standard period of inactivity.
Application 16.12: Monitor attempts to access deactivated accounts through audit logging.
Application 16.13: Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
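Sub-control 16.4 says to hash stored credentials with a salt. The example below (added here, not from the AuditScripts mapping) shows what that means in practice using only the Python standard library: a per-record random salt, an iterated key-derivation function (PBKDF2-HMAC-SHA256), a self-describing storage format that carries its own parameters, a constant-time comparison on verify, and a check that lets old records be upgraded to a higher work factor at the user's next login. The unsalted SHA-256 function is included only to show the weakness being fixed. The iteration count is an assumption to be measured on the target hardware.

```python
"""Salted, iterated credential storage (added example for CIS sub-control 16.4).

Not from the AuditScripts mapping. Standard library only. ITERATIONS is an
assumed work factor: measure on your hardware and raise it over time.
"""
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def weak_store(password):
    """The anti-pattern 16.4 rules out: an unsalted fast hash. Equal passwords give
    equal hashes across users, and precomputed tables crack it offline."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.
    A fresh 16-byte random salt is drawn unless one is supplied (tests pass one)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(derived)}"


def verify_password(password, stored):
    """Recompute with the salt and iteration count from the record; constant-time compare
    so a mismatch does not leak how many leading bytes were right."""
    try:
        algo, iterations, salt_b64, hash_b64 = stored.split("$")
        if algo != ALGO:
            return False
        salt, expected, iterations = base64.b64decode(salt_b64), base64.b64decode(hash_b64), int(iterations)
    except (ValueError, TypeError):
        return False   # malformed record: fail closed
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return hmac.compare_digest(derived, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the record is below current policy; call after a successful verify
    and store hash_password(password) to upgrade without forcing a reset."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

Two users with the same password get different records because the salt differs, so a breach of the table cannot be attacked with one precomputed dictionary for all rows. The work factor is the other half of the defence: it is what makes each guess expensive, which is why it is stored with the record and raised over time rather than fixed in code.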
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1: Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Application 17.2: Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Application 17.3: Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Application 17.4: Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Application 17.5: Train workforce members on the importance of enabling and utilizing secure authentication.
Application 17.6: Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Application 17.7: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Application 17.8: Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Application 17.9: Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
Application 18.1: Establish secure coding practices appropriate to the programming language and development environment being used.
Application 18.2: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Application 18.3: Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Application 18.4: Only use up-to-date and trusted third-party components for the software developed by the organization.
Application 18.5: Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Application 18.6: Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Application 18.7: Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Application 18.8: Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Application 18.9: Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Application 18.10: Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
Application 18.11: For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Application 19.1: Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Application 19.2: Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Application 19.3: Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Application 19.4: Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Application 19.5: Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Application 19.6: Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Application 19.7: Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Application 19.8: Create an incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1: Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Application 20.2: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Application 20.3: Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Application 20.4: Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Application 20.5: Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Application 20.6: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Application 20.7: Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Application 20.8: Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping matrix columns (AICPA Trust Services criteria). The per-sub-control X marks lost their row and column alignment in extraction and are not reproduced here.
Common Criteria Related to Organization and Management: CC 1.1, CC 1.2, CC 1.3, CC 1.4
Common Criteria Related to Communications: CC 2.1, CC 2.2, CC 2.3, CC 2.4, CC 2.5, CC 2.6
Common Criteria Related to Risk Management and Design and Implementation of Controls: CC 3.1, CC 3.2, CC 3.3
Common Criteria Related to Monitoring of Controls: CC 4.1
Common Criteria Related to Logical and Physical Access Controls: CC 5.1, CC 5.2, CC 5.3, CC 5.4, CC 5.5, CC 5.6, CC 5.7, CC 5.8
Common Criteria Related to System Operations: CC 6.1, CC 6.2
Common Criteria Related to Change Management: CC 7.1, CC 7.2, CC 7.3, CC 7.4
Additional Criteria for Availability: A 1.1, A 1.2, A 1.3
Additional Criteria for Processing Integrity: PI 1.1, PI 1.2, PI 1.3, PI 1.4, PI 1.5, PI 1.6
Additional Criteria for Confidentiality: C 1.1, C 1.2, C 1.3, C 1.4, C 1.5, C 1.6
CIS Controls v7.1 mapped to the AICPA's Generally Accepted Privacy
Policies (GAPP)

Controls and the sub-control identifiers used in the mapping rows (the System, Network and Application prefixes are the grouping the tool applies to each sub-control):
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices (System 1.1 to 1.8)
Critical Security Control #2: Inventory of Authorized and Unauthorized Software (System 2.1 to 2.10)
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation (System 3.1 to 3.7)
Critical Security Control #4: Controlled Use of Administrative Privileges (System 4.1 to 4.9)
Critical Security Control #5: Secure Configurations for Hardware and Software (System 5.1 to 5.5)
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs (System 6.1 to 6.8)
Critical Security Control #7: Email and Web Browser Protections (System 7.1 to 7.10)
Critical Security Control #8: Malware Defenses (System 8.1 to 8.8)
Critical Security Control #9: Limitation and Control of Network Ports (System 9.1 to 9.5)
Critical Security Control #10: Data Recovery Capabilities (System 10.1 to 10.5)
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches (Network 11.1 to 11.7)
Critical Security Control #12: Boundary Defense (Network 12.1 to 12.12)
Critical Security Control #13: Data Protection (Network 13.1 to 13.9)
Critical Security Control #14: Controlled Access Based on the Need to Know (Application 14.1 to 14.9)
Critical Security Control #15: Wireless Access Control (Network 15.1 to 15.10)
Critical Security Control #16: Account Monitoring and Control (Application 16.1 to 16.13)
Critical Security Control #17: Implement a Security Awareness and Training Program (Application 17.1 to 17.9)
Critical Security Control #18: Application Software Security (Application 18.1 to 18.11)
Critical Security Control #19: Incident Response and Management (Application 19.1 to 19.8)
Critical Security Control #20: Penetration Tests and Red Team Exercises (Application 20.1 to 20.8)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1: Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
System 1.2: Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
System 1.3: Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
System 1.4: Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
System 1.5: Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
System 1.6: Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.
System 1.7: Utilize port-level access control, following the 802.1X standard, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
System 1.8: Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1: Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
System 2.2: Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
System 2.3: Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
System 2.4: The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
System 2.5: The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
System 2.6: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
System 2.7: Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
System 2.8: The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
System 2.9: The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
System 2.10: Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1: Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
System 3.2: Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
System 3.3: Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
System 3.4: Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
System 3.5: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
System 3.6: Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
System 3.7: Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
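The two sub-controls above (comparing consecutive scans, then prioritizing what is still open by risk) are easiest to see as one small join over two scan exports. The following is an added example written for this page, not code from CIS or from the mapping tool: the CSV layout, the sample findings, and the severity-to-SLA table are constructed assumptions, and the finding ids in the sample rows are illustrative data (the last one is a placeholder check name rather than a CVE).

```python
"""Join two consecutive vulnerability scan exports to verify remediation and
rank what is still open by risk.

Added example, not part of the CIS Controls or of the mapping tool. The CSV
layout, the sample findings and the SLA table are constructed assumptions.
"""
import csv
import io
from datetime import date

# Constructed exports of two weekly scans, one finding per row.
PREVIOUS_SCAN = """\
host,finding_id,severity,scan_date
10.0.1.10,CVE-2019-0708,critical,2019-07-01
10.0.1.10,CVE-2018-1111,high,2019-07-01
10.0.1.11,CVE-2017-5638,critical,2019-07-01
10.0.1.12,WEAK-TLS-CIPHERS,low,2019-07-01
"""

CURRENT_SCAN = """\
host,finding_id,severity,scan_date
10.0.1.10,CVE-2018-1111,high,2019-07-08
10.0.1.11,CVE-2017-5638,critical,2019-07-08
10.0.1.12,WEAK-TLS-CIPHERS,low,2019-07-08
10.0.1.13,CVE-2019-1040,high,2019-07-08
"""

# Assumed remediation windows (days) by severity: the risk-rating step of
# sub-control 3.7 reduced to a table.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_scan(text):
    """Index an export by (host, finding_id) so two runs can be joined."""
    return {(r["host"], r["finding_id"]): r
            for r in csv.DictReader(io.StringIO(text))}


def compare_scans(previous_text, current_text, today):
    """Classify every finding as remediated, new or persisting, and list the
    persisting ones that have exceeded their SLA, most urgent first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    previous = parse_scan(previous_text)
    current = parse_scan(current_text)

    remediated = sorted(previous.keys() - current.keys())
    new = sorted(current.keys() - previous.keys())
    persisting = sorted(previous.keys() & current.keys())

    overdue = []
    for host, finding_id in persisting:
        row = previous[(host, finding_id)]
        # The earlier export is the oldest evidence held here; a real tracker
        # would carry the original first-seen date forward across every run.
        first_seen = date.fromisoformat(row["scan_date"])
        age_days = (today - first_seen).days
        severity = row["severity"].lower()
        if age_days > SLA_DAYS[severity]:
            overdue.append({"host": host, "finding_id": finding_id,
                            "severity": severity, "age_days": age_days})
    # Most severe first, then oldest first within a severity.
    overdue.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], -f["age_days"]))
    return {"remediated": remediated, "new": new,
            "persisting": persisting, "overdue": overdue}


if __name__ == "__main__":
    report = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, "2019-07-15")
    for bucket in ("remediated", "new", "persisting"):
        for host, finding_id in report[bucket]:
            print(f"{bucket:10} {host:12} {finding_id}")
    for f in report["overdue"]:
        print(f"OVERDUE    {f['host']:12} {f['finding_id']} "
              f"{f['severity']} open {f['age_days']} days")
```

The join is keyed on host plus finding id rather than on finding id alone, because the same weakness recurring on a newly built host is a new finding for SLA purposes, not a persisting one. Run as-is, the only overdue item is the critical finding that survived both scans past its seven-day window; the high-severity one that also persisted is still inside its window and is reported as persisting but not escalated.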

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1: Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
System 4.2: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
System 4.3: Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
System 4.4: Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
System 4.5: Use multi-factor authentication and encrypted channels for all administrative account access.
System 4.6: Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
System 4.7: Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
System 4.8: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
System 4.9: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
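The last two sub-controls above (alert on administrative group membership changes, alert on failed logons to administrative accounts) are detection rules, and the check a practitioner wants is whether a rule fires on the right events and stays quiet on the rest. The following is an added example written for this page, not code from CIS or from the mapping tool. The event records are constructed and use a flattened subset of Windows Security log field names; the event ids are the Windows ones for membership changes to security-enabled groups (4728/4732/4756 add, 4729/4733/4757 remove) and for a failed logon (4625). The group and account lists are assumptions standing in for the inventory the first sub-control of this control requires.

```python
"""Alert on administrative group membership changes and on failed logons to
administrative accounts, over a constructed sample of Windows Security events.

Added example, not part of the CIS Controls or of the mapping tool. The event
dicts are constructed; ADMIN_GROUPS and ADMIN_ACCOUNTS are assumptions.
"""
from collections import Counter

# Windows Security event ids: members added to / removed from security-enabled
# global, local and universal groups, and a failed logon attempt.
GROUP_ADD = {4728, 4732, 4756}
GROUP_REMOVE = {4729, 4733, 4757}
FAILED_LOGON = 4625

# Assumed: groups that confer administrative rights, and the administrative
# accounts as they would be known from the administrative account inventory.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-backup"}

# Constructed sample events. For membership events TargetUserName is the group
# and MemberName the account (a distinguished name in real events); for 4625
# TargetUserName is the account that failed to log on.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2019-07-08T02:14:05Z", "SubjectUserName": "adm-jdoe",
     "TargetUserName": "Domain Admins", "MemberName": "CN=svc-deploy,OU=Service,DC=corp,DC=example"},
    {"EventID": 4732, "TimeCreated": "2019-07-08T02:15:40Z", "SubjectUserName": "adm-jdoe",
     "TargetUserName": "Remote Desktop Users", "MemberName": "CN=jsmith,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4625, "TimeCreated": "2019-07-08T02:20:11Z", "TargetUserName": "adm-backup",
     "IpAddress": "10.0.5.23", "Status": "0xC000006D"},
    {"EventID": 4625, "TimeCreated": "2019-07-08T02:20:13Z", "TargetUserName": "jsmith",
     "IpAddress": "10.0.5.23", "Status": "0xC000006D"},
    {"EventID": 4625, "TimeCreated": "2019-07-08T02:20:15Z", "TargetUserName": "adm-backup",
     "IpAddress": "10.0.5.23", "Status": "0xC000006D"},
    {"EventID": 4624, "TimeCreated": "2019-07-08T02:21:00Z", "TargetUserName": "adm-backup",
     "IpAddress": "10.0.5.23"},
    {"EventID": 4729, "TimeCreated": "2019-07-08T03:05:22Z", "SubjectUserName": "adm-jdoe",
     "TargetUserName": "Domain Admins", "MemberName": "CN=svc-deploy,OU=Service,DC=corp,DC=example"},
]


def detect(events, admin_groups=ADMIN_GROUPS, admin_accounts=ADMIN_ACCOUNTS):
    """Return one alert per qualifying event, plus a per-account count of
    failed administrative logons so a burst of failures stands out."""
    alerts = []
    failed_by_account = Counter()
    for ev in events:
        eid = ev.get("EventID")
        if eid in GROUP_ADD or eid in GROUP_REMOVE:
            group = ev.get("TargetUserName", "")
            if group in admin_groups:          # changes to other groups stay quiet
                alerts.append({
                    "rule": "admin_group_add" if eid in GROUP_ADD else "admin_group_remove",
                    "time": ev["TimeCreated"], "group": group,
                    "member": ev.get("MemberName"), "actor": ev.get("SubjectUserName"),
                })
        elif eid == FAILED_LOGON:
            account = ev.get("TargetUserName", "")
            if account in admin_accounts:      # every failure on an admin account alerts
                failed_by_account[account] += 1
                alerts.append({
                    "rule": "admin_logon_failed", "time": ev["TimeCreated"],
                    "account": account, "source": ev.get("IpAddress"),
                    "status": ev.get("Status"),
                    "failures_so_far": failed_by_account[account],
                })
    return alerts, dict(failed_by_account)


if __name__ == "__main__":
    found, counts = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("failed admin logons by account:", counts)
```

On the sample, the rule fires four times: the add to and later removal from Domain Admins, and the two failed logons against adm-backup. The add to Remote Desktop Users and the failed logon for a non-administrative account do not fire, which is the point of keeping the admin group and account lists as the authoritative input rather than matching on name patterns such as a prefix.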
Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1: Maintain documented security configuration standards for all authorized operating systems and software.
System 5.2: Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
System 5.3: Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
System 5.4: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
System 5.5: Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
System 6.2: Ensure that local logging has been enabled on all systems and networking devices.
System 6.3: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
System 6.4: Ensure that all systems that store logs have adequate storage space for the logs generated.
System 6.5: Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
System 6.6: Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
System 6.7: On a regular basis, review logs to identify anomalies or abnormal events.
System 6.8: On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

Critical Security Control #7: Email and Web Browser Protections
System 7.1: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
System 7.2: Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
System 7.3: Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
System 7.4: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
System 7.5: Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
System 7.6: Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
System 7.7: Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
System 7.8: To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
System 7.9: Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
System 7.10: Use sandboxing to analyze and block inbound email attachments with malicious behavior.
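The DMARC sub-control above says to start with SPF and DKIM and finish with a DMARC policy, and the usual way a rollout stalls is a permissive SPF record or a DMARC record left at p=none. The following is an added example written for this page, not code from CIS or from the mapping tool: it parses SPF and DMARC TXT records handed to it as strings (the records are constructed, nothing is looked up in DNS) and reports the weaknesses that leave a domain spoofable. The finding names are this example's own. DKIM is deliberately not checked, because a DKIM record lives under a selector name that the domain's apex records do not reveal. The ten-lookup limit it enforces is the one RFC 7208 places on SPF evaluation.

```python
"""Assess SPF and DMARC records for the gaps that leave a domain spoofable.

Added example, not part of the CIS Controls or of the mapping tool. The
records are constructed and passed in as strings; finding names are this
example's own.
"""

# Mechanisms and modifiers that each consume one of the ten DNS lookups an SPF
# evaluator may perform (RFC 7208, section 4.6.4); more than ten is a permerror.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10

# Constructed records for three domains at different stages of rollout.
RECORDS = {
    "example.com": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    },
    "example.org": {
        "spf": "v=spf1 a mx +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "example.net": {
        "spf": "v=spf1 mx ~all",
        "dmarc": None,
    },
}


def parse_spf(record):
    """Return the qualifier on the 'all' mechanism (None if absent, which
    evaluates as neutral) and the number of lookup-costing terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qualifier = "+"                      # the default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Strip ':domain', '=value' and '/cidr' to get the bare mechanism name.
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record):
    """Return DMARC tags as a dict with the RFC 7489 defaults filled in,
    or None when the record is not a DMARC record or has no policy."""
    tags = {"pct": "100", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess(domain_records):
    """Map each domain to the ordered list of weaknesses in its records."""
    findings = {}
    for domain, recs in domain_records.items():
        found = []
        spf = parse_spf(recs["spf"]) if recs.get("spf") else None
        if spf is None:
            found.append("spf_missing")
        else:
            if spf["all"] == "+":
                found.append("spf_all_permissive")     # anyone may send as the domain
            elif spf["all"] in ("?", None):
                found.append("spf_all_neutral")        # no verdict, receivers ignore it
            elif spf["all"] == "~":
                found.append("spf_all_softfail")       # acceptable during rollout only
            if spf["lookups"] > SPF_LOOKUP_LIMIT:
                found.append("spf_too_many_lookups")   # evaluators return permerror
        dmarc = parse_dmarc(recs["dmarc"]) if recs.get("dmarc") else None
        if dmarc is None:
            found.append("dmarc_missing")
        else:
            if dmarc["p"] == "none":
                found.append("dmarc_policy_none")      # monitoring only, no enforcement
            if dmarc["pct"] != "100":
                found.append("dmarc_partial_pct")      # policy applied to a sample only
            if "rua" not in dmarc:
                found.append("dmarc_no_aggregate_reports")
        findings[domain] = found
    return findings


if __name__ == "__main__":
    for domain, found in assess(RECORDS).items():
        print(f"{domain:12} {', '.join(found) or 'ok'}")
```

The softfail and p=none findings are not errors during a rollout; they are the states the sub-control's "starting by" clause describes, and the check exists so that a domain does not stay in them indefinitely. The pct tag is worth checking separately because a record that reads p=reject but carries pct=50 enforces on only half of failing mail, which is easy to miss when reading the policy tag alone.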
Critical Security Control #8: Malware Defenses
System 8.1: Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
System 8.2: Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
System 8.3: Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
System 8.4: Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
System 8.5: Configure devices to not auto-run content from removable media.
System 8.6: Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
System 8.7: Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
System 8.8: Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1: Associate active ports, services, and protocols to the hardware assets in the asset inventory.
System 9.2: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
System 9.3: Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
System 9.4: Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
System 9.5: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities
System 10.1: Ensure that all system data is automatically backed up on a regular basis.
System 10.2: Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
System 10.3: Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
System 10.4: Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
System 10.5: Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1: Maintain documented security configuration standards for all authorized network devices.
Network 11.2: All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Network 11.3: Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Network 11.4: Install the latest stable version of any security-related updates on all network devices.
Network 11.5: Manage all network devices using multi-factor authentication and encrypted sessions.
Network 11.6: Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Network 11.7: Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense
Network 12.1: Maintain an up-to-date inventory of all of the organization's network boundaries.
Network 12.2: Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Network 12.3: Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Network 12.4: Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Network 12.5: Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Network 12.6: Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Network 12.7: Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Network 12.8: Enable the collection of NetFlow and logging data on all network boundary devices.
Network 12.9: Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Network 12.10: Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Network 12.11: Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Network 12.12: Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

Critical Security Control #13: Data Protection
Network 13.1: Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
Network 13.2: Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Network 13.3: Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
Network 13.4: Only allow access to authorized cloud storage or email providers.
Network 13.5: Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Network 13.6: Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
Network 13.7: If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Network 13.8: Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
Network 13.9: If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1: Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Application 14.2: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Application 14.3: Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.
Application 14.4: Encrypt all sensitive information in transit.
Application 14.5: Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Application 14.6: Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Application 14.7: Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Application 14.8: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Application 14.9: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control
Network 15.1: Maintain an inventory of authorized wireless access points connected to the wired network.
Network 15.2: Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Network 15.3: Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Network 15.4: Disable wireless access on devices that do not have a business purpose for wireless access.
Network 15.5: Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
Network 15.6: Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Network 15.7: Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Network 15.8: Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.
Network 15.9: Disable wireless peripheral access of devices (such as Bluetooth and Near Field Communication (NFC)), unless such access is required for a business purpose.
Network 15.10: Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Application 16.1: Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
Application 16.2: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Application 16.3: Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
Application 16.4: Encrypt or hash with a salt all authentication credentials when stored.
Application 16.5: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Application 16.6: Maintain an inventory of all accounts organized by authentication system.
Application 16.7: Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Application 16.8: Disable any account that cannot be associated with a business process or business owner.
Application 16.9: Automatically disable dormant accounts after a set period of inactivity.
Application 16.10: Ensure that all accounts have an expiration date that is monitored and enforced.
Application 16.11: Automatically lock workstation sessions after a standard period of inactivity.
Application 16.12: Monitor attempts to access deactivated accounts through audit logging.
Application 16.13: Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
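The sub-control above on storing credentials hashed with a salt is the one in this control that is most often implemented wrongly, usually by hashing without a salt or with a single fast round. The following is an added example written for this page, not code from CIS or from the mapping tool. It puts the anti-pattern (bare SHA-256) next to a salted, iterated PBKDF2-HMAC-SHA256 store, with a constant-time verifier and a check that flags hashes made under an older iteration policy. The storage string layout and the iteration count are this example's own choices, not anything the control prescribes.

```python
"""Store credentials as salted, iterated hashes and verify them in constant
time; the bare-SHA-256 function is shown only as the anti-pattern.

Added example, not part of the CIS Controls or of the mapping tool. The
storage format and ITERATIONS are assumptions made for this example.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumed current policy; raise it as hardware gets faster
SALT_BYTES = 16


def weak_hash(password):
    """The anti-pattern: unsalted, single-round SHA-256. Equal passwords give
    equal digests, so one precomputed table cracks every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Derive a salted PBKDF2-HMAC-SHA256 hash and pack everything a verifier
    needs (algorithm, iteration count, salt, digest) into one string."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time, so timing does not reveal how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:            # malformed record: refuse rather than guess
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a stored hash predates the current policy. Call it right
    after a successful login and re-hash with the plaintext just verified."""
    try:
        algorithm, stored_iterations, _salt, _digest = stored.split("$")
        return algorithm != ALGORITHM or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Correct horse battery staple", record))
    print("same weak digest twice:", weak_hash("hunter2") == weak_hash("hunter2"))
```

Two properties are worth confirming when reviewing any implementation of this sub-control: hashing the same password twice must produce different records (the salt is doing its job), and the iteration count must travel with the record so that it can be raised later without invalidating existing logins, which is what the rehash check relies on.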
Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1: Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Application 17.2: Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Application 17.3: Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Application 17.4: Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
Application 17.5: Train workforce members on the importance of enabling and utilizing secure authentication.
Application 17.6: Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Application 17.7: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Application 17.8: Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Application 17.9: Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

Critical Security Control #18: Application Software Security
Application 18.1: Establish secure coding practices appropriate to the programming language and development environment being used.
Application 18.2: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Application 18.3: Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Application 18.4: Only use up-to-date and trusted third-party components for the software developed by the organization.
Application 18.5: Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Application 18.6: Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Application 18.7: Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Application 18.8: Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Application 18.9: Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Application 18.10: Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
Application 18.11: For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management
Application 19.1: Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Application 19.2: Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
Application 19.3: Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Application 19.4: Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Application 19.5: Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Application 19.6: Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Application 19.7: Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Application 19.8: Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1: Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Application 20.2: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Application 20.3: Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Application 20.4: Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Application 20.5: Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Application 20.6: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Application 20.7: Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Application 20.8: Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping criteria (column headings):

1.1.0 Privacy Policies
1.1.1 Communication to Internal Personnel
1.1.2 Responsibility and Accountability for Policies
1.2.1 Review and Approval
1.2.2 Consistency of Privacy Policies and Procedures With Laws and Regulations
1.2.3 Personal Information Identification and Classification
1.2.4 Risk Assessment
1.2.5 Consistency of Commitments With Privacy Policies and Procedures
1.2.6 Infrastructure and Systems Management
1.2.7 Privacy Incident and Breach Management
1.2.8 Supporting Resources
1.2.9 Qualifications of Internal Personnel
1.2.10 Privacy Awareness and Training
1.2.11 Changes in Regulatory and Business Requirements
2.1.0 Privacy Policies
2.1.1 Communication to Individuals
2.2.1 Provision of Notice
2.2.2 Entities and Activities Covered
2.2.3 Clear and Conspicuous
3.1.0 Privacy Policies
3.1.1 Communication to Individuals
3.1.2 Consequences of Denying or Withdrawing Consent
3.2.1 Implicit or Explicit Consent
3.2.2 Consent for New Purposes and Uses
3.2.3 Explicit Consent for Sensitive Information
3.2.4 Consent for Online Data Transfers To or From an Individual's Computer or Other Similar Electronic Devices
4.1.0 Privacy Policies
4.1.1 Communication to Individuals
4.1.2 Types of Personal Information Collected and Methods of Collection
4.1.3 Collection Limited to Identified Purpose
4.1.4 Collection by Fair and Lawful Means
4.1.5 Collection From Third Parties
4.1.6 Information Developed about Individuals
5.1.0 Privacy Policies
5.1.1 Communication to Individuals
5.2.1 Use of Personal Information
5.2.2 Retention of Personal Information
5.2.3 Disposal, Destruction and Redaction of Personal Information
6.1.0 Privacy Policies
6.1.1 Communication to Individuals
6.2.1 Access by Individuals to Their Personal Information
6.2.2 Confirmation of an Individual's Identity
6.2.3 Understandable Personal Information, Time Frame, and Cost
6.2.4 Denial of Access
6.2.5 Updating or Correcting Personal Information
6.2.6 Statement of Disagreement
7.1.0 Privacy Policies
7.1.1 Communication to Individuals
7.1.2 Communication to Third Parties
7.2.1 Disclosure of Personal Information
7.2.2 Protection of Personal Information
7.2.3 New Purposes and Uses
7.2.4 Misuse of Personal Information by a Third Party
8.1.0 Privacy Policies
8.1.1 Communication to Individuals
8.2.1 Information Security Program
8.2.2 Logical Access Controls
8.2.3 Physical Access Controls
8.2.4 Environmental Safeguards
8.2.5 Transmitted Personal Information
8.2.6 Personal Information on Portable Media
8.2.7 Testing Security Safeguards
9.1.0 Privacy Policies
9.1.1 Communication to Individuals
9.2.1 Accuracy and Completeness of Personal Information
9.2.2 Relevance of Personal Information
10.1.0 Privacy Policies
10.1.1 Communication to Individuals
10.2.1 Inquiry, Complaint, and Dispute Process
10.2.2 Dispute Resolution and Recourse
10.2.3 Compliance Review
10.2.4 Instances of Noncompliance
10.2.5 Ongoing Monitoring
CIS Controls v7.1 mapped to the US Internal Revenue Service (IRS)
Publication 1075

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls v7.1 mapped to the US Internal Revenue Service (IRS) Publication 1075
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
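Sub-controls 4.8 and 4.9 above require a log entry and an alert for privileged group changes and for failed logins to administrative accounts. The routine below is an added example, not part of the CIS Controls or of the mapping sheet: it runs over a few constructed Windows Security log records (the event IDs are the standard Windows ones; the group names, account names and field values are made up for the example).

```python
"""Added example for CIS sub-controls 4.8 and 4.9: alert on membership
changes to privileged groups and on failed logons to administrative
accounts. Records are constructed; event IDs are standard Windows ones."""
from dataclasses import dataclass

# Standard Windows Security log event IDs:
#   member added to a security-enabled global / local / universal group
MEMBER_ADDED = {4728, 4732, 4756}
#   member removed from those group types
MEMBER_REMOVED = {4729, 4733, 4757}
#   an account failed to log on
FAILED_LOGON = 4625

# Groups treated as carrying administrative privilege (4.8). Constructed for
# the example; a real deployment would draw this set from the administrative
# account inventory that sub-control 4.1 requires.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}
# Accounts inventoried as administrative (4.9). Constructed.
ADMIN_ACCOUNTS = {"adm-jsmith", "adm-rlee", "Administrator"}


@dataclass(frozen=True)
class Alert:
    event_id: int
    rule: str      # the sub-control that fired: "4.8" or "4.9"
    subject: str   # actor who changed the group, or account whose logon failed
    detail: str


def evaluate(records):
    """Return the alerts raised by the records, in input order.

    Each record is a dict of the fields found in the event's EventData:
    for group-change events TargetUserName is the group, MemberName the
    member and SubjectUserName the actor; for 4625 TargetUserName is the
    account that failed to log on.
    """
    alerts = []
    for rec in records:
        eid = rec.get("EventID")
        if eid in MEMBER_ADDED or eid in MEMBER_REMOVED:
            group = rec.get("TargetUserName", "")
            if group in PRIVILEGED_GROUPS:
                action = "added to" if eid in MEMBER_ADDED else "removed from"
                alerts.append(Alert(
                    eid, "4.8", rec.get("SubjectUserName", ""),
                    f"{rec.get('MemberName', '')} {action} {group}"))
        elif eid == FAILED_LOGON:
            user = rec.get("TargetUserName", "")
            if user in ADMIN_ACCOUNTS:
                alerts.append(Alert(
                    eid, "4.9", user,
                    f"failed logon from {rec.get('IpAddress', '-')} "
                    f"status {rec.get('Status', '')}"))
    return alerts


def count_by_rule(alerts):
    """Summarize alerts per sub-control, e.g. {'4.8': 2, '4.9': 1}."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "adm-jsmith",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=example,DC=test"},
    {"EventID": 4732, "SubjectUserName": "helpdesk1",
     "TargetUserName": "Remote Desktop Users",       # not privileged: no alert
     "MemberName": "CN=bob,OU=Users,DC=example,DC=test"},
    {"EventID": 4729, "SubjectUserName": "adm-rlee",
     "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=adm-old,OU=Admins,DC=example,DC=test"},
    {"EventID": 4625, "TargetUserName": "adm-jsmith",
     "IpAddress": "10.0.0.23", "Status": "0xC000006D"},
    {"EventID": 4625, "TargetUserName": "bob",         # not admin: no alert
     "IpAddress": "10.0.0.24", "Status": "0xC000006D"},
    {"EventID": 4624, "TargetUserName": "adm-jsmith",  # success: no alert
     "IpAddress": "10.0.0.5"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.rule}] event {alert.event_id} {alert.subject}: {alert.detail}")
```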
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locating all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
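The input-checking and secure-coding sub-controls above are easier to audit against a concrete pattern. The following is an added example, not code from the mappings workbook, from CIS or from AuditScripts: an in-memory SQLite table of constructed rows, a lookup written the unsafe way (caller input pasted into the query), and the same lookup with explicit type, size and format checks followed by a bound parameter. The table, the username policy and the length limit are assumptions chosen for the example.

```python
"""Explicit input checking plus parameterized queries, unsafe and hardened side by side.

Added example, not part of the mappings workbook. The accounts table, the
username naming policy (USERNAME_RE) and MAX_LEN are assumptions for the demo.
"""
import re
import sqlite3

def make_db():
    """Constructed sample data: three accounts in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance REAL)")
    db.executemany("INSERT INTO accounts (username, balance) VALUES (?, ?)",
                   [("alice", 120.5), ("bob", 40.0), ("carol", 9800.0)])
    return db

def lookup_unsafe(db, username):
    """Vulnerable: the caller's string is interpolated into the SQL text, so it can rewrite the query."""
    return db.execute(
        f"SELECT username, balance FROM accounts WHERE username = '{username}'").fetchall()

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{2,31}$")   # assumed local naming policy
MAX_LEN = 32                                            # assumed size limit

class InvalidInput(ValueError):
    """Raised when input fails the explicit checks; callers log it and return a generic error."""

def validate_username(value):
    """Check type, size and format before the value reaches any other code (CIS 18.2)."""
    if not isinstance(value, str):
        raise InvalidInput(f"username must be a string, got {type(value).__name__}")
    if len(value) > MAX_LEN:
        raise InvalidInput(f"username longer than {MAX_LEN} characters")
    if not USERNAME_RE.fullmatch(value):
        raise InvalidInput("username has characters outside [a-z0-9_.-] or a bad length")
    return value

def lookup_safe(db, username):
    """Hardened: validated input and a bound parameter; the value can never alter the query."""
    username = validate_username(username)
    return db.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)).fetchall()

def demo():
    """Return what each version yields for a normal name and a classic injection string."""
    db = make_db()
    payload = "x' OR '1'='1"
    result = {
        "unsafe_normal": lookup_unsafe(db, "bob"),
        "unsafe_payload": lookup_unsafe(db, payload),      # returns every account
        "safe_normal": lookup_safe(db, "bob"),
        # A bound parameter alone already neutralizes the payload (matches nothing) ...
        "bound_only_payload": db.execute(
            "SELECT username, balance FROM accounts WHERE username = ?", (payload,)).fetchall(),
    }
    # ... but the explicit checks reject it before it is ever used, which is what 18.2 asks for.
    try:
        lookup_safe(db, payload)
        result["safe_payload"] = "accepted"
    except InvalidInput as exc:
        result["safe_payload"] = f"rejected: {exc}"
    return result

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The two defences are independent: parameter binding stops the query from being rewritten, and the validation step stops malformed data from reaching any code path at all (file names, shell arguments, log lines), which is why the sub-control asks for explicit checks on every input rather than relying on one sink's escaping.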
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping columns on this sheet (the per-row X marks in the export are not aligned to their CIS sub-control rows and are not recoverable):

3.0 Record Keeping | 4.0 Secure Storage | 5.0 Restricting Access
6.1 Other Safeguards | 7.0 Reporting Requirements | 8.0 Disposing of FTI
9.3.1 Access Control | 9.3.2 Awareness and Training | 9.3.3 Audit and Accountability
9.3.4 Security Assessment and Authorization | 9.3.5 Configuration Management | 9.3.6 Contingency Planning
9.3.7 Identification and Authentication | 9.3.8 Incident Response | 9.3.9 Maintenance
9.3.10 Media Protection | 9.3.11 Physical and Environmental Protection | 9.3.12 Planning
9.3.13 Personnel Security | 9.3.14 Risk Assessment | 9.3.15 System and Service Acquisition
9.3.16 System and Communication Protection | 9.3.17 System and Information Integrity | 9.3.18 Program Management
9.4.1 Cloud Computing Environments | 9.4.2 Data Warehouse | 9.4.3 Email Communications
9.4.4 Fax Equipment | 9.4.5 Integrated Voice Response Systems | 9.4.6 Live Data Testing
9.4.7 Media Sanitization | 9.4.8 Mobile Devices | 9.4.9 Multi-Functional Devices
9.4.10 Network Protections | 9.4.11 Storage Area Networks | 9.4.12 System Component Inventory
9.4.13 Virtual Desktop Infrastructure | 9.4.14 Virtualization Environments | 9.4.15 VoIP Systems
9.4.16 Web-Based Systems | 9.4.17 Web Browser | 9.4.18 Wireless Networks
10.0 Reporting Improper Inspections or Disclosures | 11.0 Disclosure to Other Persons | 12.0 Return Information in Statistical Reports
CIS Controls v7.1 mapped to SWIFT Customer Security Controls Framework

Category and sub-control ID for each CIS v7.1 sub-control on this sheet:

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System: 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
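The DHCP-logging, inventory-field and unauthorized-asset sub-controls above describe one workflow: lease events feed the hardware inventory, and anything the inventory does not recognize or has not approved is flagged for quarantine. The following is an added example, not code from the mappings workbook, CIS or AuditScripts. The syslog lines and the inventory are constructed sample data; the message format is the one ISC dhcpd writes for acknowledgements ("DHCPACK on <ip> to <mac> (<hostname>) via <iface>"), and the host names, owners and departments are assumptions.

```python
"""Reconcile DHCP lease events against a hardware asset inventory (CIS 1.3, 1.5, 1.6).

Added example, not part of the mappings workbook. DHCP_LOG and INVENTORY are
constructed; the regex follows the ISC dhcpd DHCPACK syslog format.
"""
import re

# Constructed ISC dhcpd syslog lines (the "(hostname)" part is optional in real logs).
DHCP_LOG = """\
Mar  4 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.15 to 3c:52:82:aa:10:01 (fin-ws-07) via eth0
Mar  4 09:12:44 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.91 to 00:0c:29:4f:2b:9e via eth0
Mar  4 09:13:02 dhcp1 dhcpd[812]: DHCPDISCOVER from b8:27:eb:55:66:77 via eth0
Mar  4 09:13:02 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.92 to b8:27:eb:55:66:77 (raspberrypi) via eth0
Mar  4 09:15:30 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.15 to 3c:52:82:aa:10:01 (fin-ws-07) via eth0
"""

# Constructed inventory keyed by hardware address, carrying the 1.5 fields;
# "approved" records whether the asset may connect to the network.
INVENTORY = {
    "3c:52:82:aa:10:01": {"name": "fin-ws-07", "owner": "j.doe", "dept": "Finance",
                          "approved": True, "ip": None},
    "00:0c:29:4f:2b:9e": {"name": "vm-build-03", "owner": "ci-team", "dept": "Engineering",
                          "approved": False, "ip": None},
}

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

def parse_acks(log_text):
    """Yield (ip, mac, hostname) for every DHCPACK; other message types are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host") or ""

def reconcile(log_text, inventory):
    """Update inventory IPs from leases and classify every device that took a lease.

    Returns three lists:
      updated    - known, approved assets whose recorded network address was refreshed
      unapproved - inventoried assets not approved to connect (quarantine candidates)
      unknown    - hardware addresses with no inventory record at all (1.6: quarantine,
                   or add to the inventory within the organization's time bound)
    """
    result = {"updated": [], "unapproved": [], "unknown": []}
    seen = set()
    for ip, mac, host in parse_acks(log_text):
        if mac in seen:
            continue  # lease renewal of a device already processed in this run
        seen.add(mac)
        rec = inventory.get(mac)
        if rec is None:
            result["unknown"].append({"mac": mac, "ip": ip, "hostname": host})
            continue
        rec["ip"] = ip
        bucket = "updated" if rec["approved"] else "unapproved"
        result[bucket].append({"mac": mac, "ip": ip, "name": rec["name"]})
    return result

if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(DHCP_LOG, INVENTORY), indent=2))
```

The same reconcile step is what an 802.1X deployment automates at the port: the authentication server consults the inventory before granting access, so the "unknown" and "unapproved" lists shrink to devices that never got a lease in the first place.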
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
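The last two sub-controls (compare consecutive scans; risk-rate what remains) are the part of this control that teams most often do by hand. The following is an added example, not code from the mappings workbook, CIS or AuditScripts. The two scan result sets are constructed; "finding-A" and friends stand for whatever identifier the scanner emits, the scores are CVSS-style base scores chosen for the example, and the SLA bands are an assumed policy, not a CIS value.

```python
"""Diff consecutive vulnerability scans and rank the open findings (CIS 3.6 and 3.7).

Added example, not part of the mappings workbook. LAST_WEEK, THIS_WEEK, SLA_DAYS
and REPORT_DATE are constructed values for the demo.
"""
from datetime import date

# Constructed scanner exports: one row per (host, finding), with first-seen date,
# a CVSS-style score and whether the host is reachable from the Internet.
LAST_WEEK = [
    {"host": "web-01", "id": "finding-A", "score": 9.8, "first_seen": date(2024, 2, 10), "exposed": True},
    {"host": "web-01", "id": "finding-B", "score": 5.3, "first_seen": date(2024, 2, 10), "exposed": True},
    {"host": "db-01",  "id": "finding-C", "score": 7.5, "first_seen": date(2024, 1, 20), "exposed": False},
]
THIS_WEEK = [
    {"host": "web-01", "id": "finding-B", "score": 5.3, "first_seen": date(2024, 2, 10), "exposed": True},
    {"host": "db-01",  "id": "finding-C", "score": 7.5, "first_seen": date(2024, 1, 20), "exposed": False},
    {"host": "db-01",  "id": "finding-D", "score": 8.8, "first_seen": date(2024, 2, 24), "exposed": False},
]
REPORT_DATE = date(2024, 2, 26)                       # reference "today" for the example
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # assumed remediation policy

def severity(score):
    """CVSS v3 qualitative bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def diff_scans(previous, current):
    """Return (fixed, new, persisting) as sets of (host, finding id)."""
    prev = {(f["host"], f["id"]) for f in previous}
    cur = {(f["host"], f["id"]) for f in current}
    return prev - cur, cur - prev, prev & cur

def risk_rank(findings, today=REPORT_DATE):
    """Order open findings for remediation.

    Priority: overdue against SLA first, then Internet-exposed hosts, then raw score.
    Each row carries age in days and days overdue (negative while still within SLA).
    """
    ranked = []
    for f in findings:
        sev = severity(f["score"])
        age = (today - f["first_seen"]).days
        ranked.append({**f, "severity": sev, "age_days": age, "overdue_days": age - SLA_DAYS[sev]})
    ranked.sort(key=lambda r: (r["overdue_days"] > 0, r["exposed"], r["score"]), reverse=True)
    return ranked

if __name__ == "__main__":
    fixed, new, persisting = diff_scans(LAST_WEEK, THIS_WEEK)
    print("fixed:", sorted(fixed), "new:", sorted(new), "persisting:", sorted(persisting))
    for r in risk_rank(THIS_WEEK):
        print(f'{r["host"]:7} {r["id"]:10} {r["severity"]:8} age={r["age_days"]:3d} overdue={r["overdue_days"]:+d}')
```

Note that "fixed" here only means the scanner no longer reports the finding; a host that was offline during the second scan would also disappear, so production tooling should cross-check against the asset inventory from Control 1 before closing a ticket.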

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
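The last two sub-controls ask for a log entry and an alert on privileged-group membership changes and on failed logons to administrative accounts. The following is an added example, not code from the mappings workbook, CIS or AuditScripts, showing the detection logic a SIEM rule or a small collector would implement. The events are constructed, simplified JSON renderings of Windows Security log records; the event IDs are the real ones (4728/4732/4756 member added to a security-enabled global/local/universal group, 4729/4733/4757 member removed, 4625 failed logon). Group names beyond the built-in ones, the "adm-" naming prefix and the thresholds are assumptions.

```python
"""Alert on privileged-group changes and bursts of failed admin logons (CIS 4.8 and 4.9).

Added example, not part of the mappings workbook. EVENTS, PRIVILEGED_GROUPS beyond the
built-in names, ADMIN_ACCOUNT_PREFIX and the thresholds are constructed/assumed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADD_EVENTS = {4728, 4732, 4756}      # member added to security-enabled global/local/universal group
REMOVE_EVENTS = {4729, 4733, 4757}   # member removed from the same group types
FAILED_LOGON = 4625

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
ADMIN_ACCOUNT_PREFIX = "adm-"        # assumed convention for dedicated admin accounts (4.3)
FAILED_THRESHOLD, WINDOW = 3, timedelta(minutes=10)

# Constructed, simplified event records (one JSON object per line).
EVENTS = [json.loads(line) for line in """\
{"time":"2024-03-04T08:01:10","id":4732,"subject":"svc-helpdesk","member":"jdoe","group":"Remote Desktop Users"}
{"time":"2024-03-04T08:02:00","id":4728,"subject":"adm-alice","member":"bob","group":"Domain Admins"}
{"time":"2024-03-04T08:05:00","id":4625,"account":"adm-carol","source_ip":"10.9.8.7"}
{"time":"2024-03-04T08:06:00","id":4625,"account":"adm-carol","source_ip":"10.9.8.7"}
{"time":"2024-03-04T08:07:30","id":4625,"account":"adm-carol","source_ip":"10.9.8.7"}
{"time":"2024-03-04T08:30:00","id":4625,"account":"jdoe","source_ip":"10.1.1.5"}
{"time":"2024-03-04T09:00:00","id":4729,"subject":"adm-alice","member":"bob","group":"Domain Admins"}
""".splitlines()]

def group_change_alerts(events):
    """One alert per add/remove on a privileged group; every such change is reportable."""
    alerts = []
    for e in events:
        if e["id"] in (ADD_EVENTS | REMOVE_EVENTS) and e["group"] in PRIVILEGED_GROUPS:
            action = "added to" if e["id"] in ADD_EVENTS else "removed from"
            alerts.append(f'{e["time"]} {e["member"]} {action} {e["group"]} by {e["subject"]}')
    return alerts

def failed_admin_logon_alerts(events):
    """Alert when a dedicated admin account fails logon FAILED_THRESHOLD times inside WINDOW."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON and e["account"].startswith(ADMIN_ACCOUNT_PREFIX):
            by_account[e["account"]].append(datetime.fromisoformat(e["time"]))
    alerts = []
    for account, times in by_account.items():
        times.sort()
        for i in range(len(times) - FAILED_THRESHOLD + 1):   # sliding window over sorted times
            if times[i + FAILED_THRESHOLD - 1] - times[i] <= WINDOW:
                alerts.append(f"{times[i]:%Y-%m-%dT%H:%M:%S} {account}: "
                              f"{FAILED_THRESHOLD} failed logons within {WINDOW}")
                break   # one alert per account per burst
    return alerts

if __name__ == "__main__":
    for a in group_change_alerts(EVENTS) + failed_admin_logon_alerts(EVENTS):
        print("ALERT", a)
```

The removal event matters as much as the addition: an attacker who adds an account, uses it, and removes it again leaves only the 4729/4733 record as evidence, so both directions go to the SIEM.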
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
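The DMARC sub-control above names three DNS records (SPF, DKIM, DMARC) without saying what a weak one looks like. The following is an added example, not code from the mappings workbook, CIS or AuditScripts: a checker that parses the three record types and reports the settings that leave a domain spoofable. It reads a constructed dictionary of TXT records rather than querying DNS, so it runs offline; with a resolver, the same functions would be fed the TXT strings returned for the domain, for `_dmarc.<domain>` and for `<selector>._domainkey.<domain>`. Domain names and records are example-only.

```python
"""Check published SPF, DMARC and DKIM records for weak settings (CIS 7.8).

Added example, not part of the mappings workbook. TXT is a constructed stand-in for
resolver output; the findings text is the checker's own wording.
"""

# Constructed TXT records as a resolver would return them (one string per record).
TXT = {
    "example.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "s1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq..."],
    "weak.test": ["v=spf1 +all"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(records):
    """Return the spf1 record's terms (version tag dropped), or None if none is published."""
    for r in records:
        if r.lower().startswith("v=spf1"):
            return r.split()[1:]
    return None

def parse_dmarc(records):
    """Parse the DMARC tag=value list into a dict with lower-cased tag names."""
    for r in records:
        if r.replace(" ", "").lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None

def _term_name(term):
    """'include:_spf.x' -> 'include', '~all' -> 'all', 'redirect=_spf.x' -> 'redirect'."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()

def assess(domain, txt, dkim_selectors=()):
    """Return a list of findings; an empty list means SPF, DMARC and DKIM look sound."""
    findings = []
    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append("no SPF record")
    else:
        terminal = spf[-1] if spf else ""
        if terminal in ("+all", "all"):
            findings.append("SPF ends in +all: anyone may send as this domain")
        elif terminal == "?all":
            findings.append("SPF ends in ?all (neutral): no protection")
        elif terminal == "~all":
            findings.append("SPF ends in ~all (softfail): move to -all once legitimate senders are verified")
        elif _term_name(terminal) != "all" and not any(_term_name(t) == "redirect" for t in spf):
            findings.append("SPF has no all mechanism: unlisted senders are treated as neutral")
        if sum(1 for t in spf if _term_name(t) in LOOKUP_TERMS) > 10:
            findings.append("SPF needs more than 10 DNS lookups and will fail to evaluate")
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: aggregate reports are discarded")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC pct={dmarc['pct']}: policy applies to only part of the mail")
    for sel in dkim_selectors:
        rec = txt.get(f"{sel}._domainkey.{domain}", [])
        if not any(r.replace(" ", "").lower().startswith("v=dkim1") for r in rec):
            findings.append(f"DKIM selector {sel} is not published")
    return findings

if __name__ == "__main__":
    for d in ("example.test", "weak.test"):
        print(d, assess(d, TXT, dkim_selectors=("s1",)) or ["ok"])
```

The sub-control's ordering (SPF and DKIM first, then DMARC) is deliberate: a DMARC policy of `p=reject` rejects any mail that fails both checks, so publishing it before every legitimate sender is covered by SPF or signs with DKIM drops real mail. The usual path is `p=none` with `rua=` reporting, then `p=quarantine`, then `p=reject`, and the checker above is what a weekly job would run to confirm the organization has not stalled at `p=none`.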
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
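The first three sub-controls above form one procedure: tie authorized ports and services to the asset record, then scan and alert on anything else. The following is an added example, not code from the mappings workbook, CIS or AuditScripts, that audits one host's listening sockets against its baseline. The `ss -H -ltnup` output is constructed; the column layout (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process) is what iproute2's `ss` prints with those flags. The host name, the baseline and the process names are assumptions.

```python
"""Compare a host's listening sockets with its authorized port baseline (CIS 9.1 to 9.3).

Added example, not part of the mappings workbook. SS_OUTPUT and BASELINE are
constructed; in production SS_OUTPUT would be the captured output of
`ss -H -ltnup` (or an nmap run from a scanner) for the host named in BASELINE.
"""
import re

SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=712,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*    users:(("socat",pid=2210,fd=5))
tcp   LISTEN 0      100          0.0.0.0:4444      0.0.0.0:*    users:(("nc",pid=31337,fd=3))
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*    users:(("chronyd",pid=640,fd=6))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=712,fd=4))
"""

# Authorized (protocol, port) -> expected process, tied to the asset record (9.1).
BASELINE = {
    "web-01": {("tcp", 22): "sshd", ("tcp", 443): "nginx", ("tcp", 8443): "nginx",
               ("tcp", 5432): "postgres", ("udp", 123): "chronyd"},
}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)

def parse_ss(text):
    """Return one dict per listening socket, de-duplicated by (proto, port)."""
    seen, sockets = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m.group("proto"), int(m.group("port")))
        if key in seen:
            continue  # IPv4 and IPv6 listeners of the same daemon count once
        seen.add(key)
        sockets.append({"proto": key[0], "port": key[1], "addr": m.group("addr"),
                        "process": m.group("proc") or "?", "pid": m.group("pid")})
    return sockets

def audit_host(host, ss_text, baseline):
    """Return (unauthorized, process_mismatch, missing) for one host.

    unauthorized      - listening (proto, port) absent from the baseline: alert (9.3)
    process_mismatch  - authorized port served by an unexpected binary (e.g. a relay on the DB port)
    missing           - baseline services not listening (outage, or a service someone disabled)
    """
    allowed = baseline[host]
    live = parse_ss(ss_text)
    unauthorized = [s for s in live if (s["proto"], s["port"]) not in allowed]
    mismatch = [s for s in live if (s["proto"], s["port"]) in allowed
                and allowed[(s["proto"], s["port"])] != s["process"]]
    missing = sorted(set(allowed) - {(s["proto"], s["port"]) for s in live})
    return unauthorized, mismatch, missing

if __name__ == "__main__":
    un, mm, miss = audit_host("web-01", SS_OUTPUT, BASELINE)
    for s in un:
        print(f'ALERT unauthorized {s["proto"]}/{s["port"]} {s["process"]} pid={s["pid"]} on {s["addr"]}')
    for s in mm:
        expected = BASELINE["web-01"][(s["proto"], s["port"])]
        print(f'WARN {s["proto"]}/{s["port"]} served by {s["process"]}, expected {expected}')
    print("missing:", miss)
```

Checking the process name as well as the port is what catches the second case above: a listener on an authorized port is invisible to a port-only scan, which is why the sub-control ties services, not just ports, to the inventory.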
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols, such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping matrix: SWIFT control columns listed below; the row-by-row X marks could not be recovered from the extraction]

1.1 SWIFT Environment Protection
1.1a Overall design goals for implementing environment segregation
1.1b Scope of the secure zone
1.1c Protection of the secure zone
1.1c.1 Boundary Protection
1.1c.2 Communication between components in the secure zone
1.1d Access to the secure zone systems
1.1d.1 Local Operator (end user and administrator) access
1.1d.2 Remote Operator Access (teleworking, "on-call" duties, or remote administration)
1.1e Restriction of Internet access
1.1f Segregation from General Enterprise IT Services
1.1g Virtualisation
1.1-opt Systems within the secure zone implement application whitelisting, allowing only trusted applications to be executed
1.2 Operating System Privileged Account Control
2.1 Internal Data Flow Security
2.2 Security Updates
2.3 System Hardening
2.4a Back-office Data Flow Security
2.5a External Transmission Data Protection
2.6a Operator Session Confidentiality and Integrity
2.7a Vulnerability Scanning
2.8a Critical Activity Outsourcing
2.9a Transaction Business Controls
3.1 Physical Security
4.1 Password Policy
4.2 Multi-factor Authentication
5.1 Logical Access Control
5.2 Token Management
5.3a Personnel Vetting Process
5.4a Physical and Logical Password Storage
6.1 Malware Protection
6.2 Software Integrity
6.3 Database Integrity
6.4 Logging and Monitoring
6.5a Intrusion Detection
7.1 Cyber Incident Response Planning
7.2 Security Training and Awareness
7.3a Penetration Testing
7.4a Scenario Risk Assessment
CIS Controls v7.1 mapped to Monetary Authority of Singapore's (MAS)
Technology Risk Management (TRM) Guidance

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls v7.1 mapped to Monetary Authority of Singapore's (MAS)
Technology Risk Management (TRM) Guidance

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services with a validated business need are
listening on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping grid for this framework (column headings 3 to 14 as recovered from the sheet; the individual "X" mapping marks lost their row alignment in extraction and are not reproduced here):

3. Oversight of Technology Risks by Board of Directors and Senior Management
4. Management of IT Outsourcing Risks
5. Technology Risk Management Framework
6. Acquisition and Development of Information Systems
7. IT Service Management
8. Systems Reliability, Availability, and Recoverability
9. Operational Infrastructure Security Management
10. Data Centres Protection and Controls
11. Access Controls
12. Online Financial Services
13. Payment Card Security
14. IT Audit
CIS Controls v7.1 mapped to Saudi Arabian Monetary Authority Cyber Security Framework (v1.0)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6
Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2
Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls v7.1 mapped to Saudi Arabian Monetary Authority Cyber Security Framework (v1.0)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
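Three of the sub-controls above are mechanical enough to check against flow data offline: 12.3 (deny known-bad or unused address space), 12.4 (only authorized ports cross the boundary) and 12.8 (collect NetFlow on boundary devices). The Python below is an added example and is not part of the AuditScripts sheet or the CIS text. It audits a constructed NetFlow-style export against an assumed egress policy: the internal range 10.20.0.0/16, the allowed egress set, the deny list and every address in the sample are assumptions made for the illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed NetFlow-style export (not from the page): src,dst,proto,dst_port,bytes per line.
# The internal range 10.20.0.0/16 and every address below are assumptions for the example.
SAMPLE_FLOWS = """\
10.20.1.15,93.184.216.34,tcp,443,18234
10.20.1.15,203.0.113.7,tcp,4444,5120
10.20.1.22,198.51.100.9,udp,53,310
10.20.1.22,192.0.2.44,tcp,25,8800
10.20.1.30,10.20.5.2,tcp,445,22000
10.20.1.30,198.18.0.5,tcp,443,900
"""

INTERNAL = ipaddress.ip_network("10.20.0.0/16")

# Sub-control 12.4: the only (protocol, destination port) pairs authorized to leave the boundary.
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Sub-control 12.3: destinations that must never be reached. The first entry stands in for a
# threat-feed listing (constructed); the second is the IETF benchmarking range, which has no
# legitimate Internet use and so belongs on an "unused address space" deny list.
DENY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.18.0.0/15")]

Flow = namedtuple("Flow", "src dst proto dport nbytes")


def parse_flows(text):
    """Turn the CSV-style export into Flow records with parsed addresses."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split(",")
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(dport), int(nbytes)))
    return flows


def crosses_boundary(flow):
    """Only inside-to-outside flows are boundary egress; east-west traffic is Control 14's job."""
    return flow.src in INTERNAL and flow.dst not in INTERNAL


def check_flow(flow):
    """Return the policy violations for one boundary-crossing flow (empty list if compliant)."""
    findings = []
    if any(flow.dst in net for net in DENY_RANGES):
        findings.append("dst-in-deny-range")
    if (flow.proto, flow.dport) not in ALLOWED_EGRESS:
        findings.append("unauthorized-egress-port")
    return findings


def audit_flows(text):
    """Map (src, dst, proto, dport) of every violating egress flow to its findings."""
    report = {}
    for flow in parse_flows(text):
        if not crosses_boundary(flow):
            continue
        findings = check_flow(flow)
        if findings:
            report[(str(flow.src), str(flow.dst), flow.proto, flow.dport)] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_flows(SAMPLE_FLOWS).items():
        print(key, findings)
```

Run as a script it reports three flows: the 4444/tcp connection into the deny-listed range (both findings), the 25/tcp connection on a port the policy does not allow, and a 443/tcp connection into the benchmarking range that a port-only rule would have passed. The internal 445/tcp flow is skipped on purpose. In production the same checks would read the collector's export produced under 12.8 instead of the inline string.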
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
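Sub-controls 13.3 (block and alert on unauthorized transfers of sensitive information), 13.4 (only approved cloud storage or mail destinations) and 13.5 (detect unauthorized use of encryption on outbound traffic) describe what a perimeter DLP tool does without saying how. The Python below is an added example, not code from the AuditScripts sheet or from CIS. It inspects constructed outbound messages for Luhn-valid card numbers, checks the destination against an assumed allow list, and uses byte entropy as the heuristic for "looks encrypted"; the messages, destinations and the 5.0-bit threshold are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed outbound messages (not from the page). "body" is the cleartext the perimeter
# tool sees after authorized TLS termination; destinations and contents are assumptions.
SAMPLE_MESSAGES = [
    {"id": "m1", "dst": "mail.example.net", "body": "Quarterly numbers attached, see you Monday."},
    {"id": "m2", "dst": "paste.example.org", "body": "card on file: 4111 1111 1111 1111 exp 12/29"},
    {"id": "m3", "dst": "cdn.example.com", "body": "order 1234567890123456 shipped"},
    {"id": "m4", "dst": "203.0.113.7", "body": "7h3Qx!kZ9@pL2#vN8$rT4%wB6^yC1&eD5*gF0(hJ" * 2},
]

# Sub-control 13.4: the only external storage/mail destinations the organization has approved.
ALLOWED_DESTINATIONS = {"mail.example.net", "cdn.example.com"}

# 13 to 19 digits, optionally separated by single spaces or hyphens, not inside a longer run.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; filters out order numbers and other digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def shannon_entropy(data):
    """Bits per byte; English text sits around 4, ciphertext and compressed data approach 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_message(msg, entropy_threshold=5.0):
    """Return the findings for one message: (name, detail) tuples, empty if it may pass."""
    findings = []
    pans = find_pans(msg["body"])
    if pans:
        findings.append(("pan-detected", [p[-4:] for p in pans]))  # alert carries last four only
    if msg["dst"] not in ALLOWED_DESTINATIONS:
        findings.append(("unauthorized-destination", msg["dst"]))
    entropy = shannon_entropy(msg["body"].encode("utf-8"))
    if entropy >= entropy_threshold:
        findings.append(("high-entropy-payload", round(entropy, 2)))
    return findings


def run_dlp(messages):
    """Return {message id: findings} for every message that should be blocked and alerted on."""
    report = {}
    for msg in messages:
        findings = inspect_message(msg)
        if findings:
            report[msg["id"]] = findings
    return report


if __name__ == "__main__":
    for mid, findings in run_dlp(SAMPLE_MESSAGES).items():
        print(mid, findings)
```

Message m3 carries a sixteen-digit order number that fails the Luhn check, which is why the checksum matters: a bare digit-run regex would block it. The entropy test is a heuristic, not a detector of encryption: compressed archives and media score just as high, so a deployment would exempt known container formats by magic bytes and treat the finding as a reason to inspect rather than as proof.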

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Management).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt, or preferably hash with a per-credential salt, all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
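Sub-controls 16.8 through 16.13 are conditions that can be evaluated directly from the account inventory (16.6) and the authentication log. The Python below is an added example, not code from the AuditScripts sheet or from CIS: it runs the inventory checks (no business owner, dormant past a threshold, expired but still enabled) and the event checks (attempts against disabled accounts, successful logins outside an account's usual hours, unknown accounts) over a constructed inventory and log. The accounts, the 45-day dormancy threshold, the fixed clock and the per-account "usual hours" baseline are assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 1, 9, 0)       # fixed clock so the example is deterministic
DORMANT_AFTER = timedelta(days=45)    # assumption: the organization's inactivity threshold (16.9)

# Constructed account inventory for one authentication system (16.1/16.6); every row is invented.
ACCOUNTS = [
    {"user": "alice", "owner": "Finance", "enabled": True, "expires": None,
     "last_login": datetime(2024, 2, 28, 8, 30), "usual_hours": (7, 19)},
    {"user": "bob", "owner": "IT", "enabled": True, "expires": None,
     "last_login": datetime(2023, 12, 1, 10, 0), "usual_hours": (8, 18)},
    {"user": "svc-backup", "owner": None, "enabled": True, "expires": None,
     "last_login": datetime(2024, 2, 29, 2, 0), "usual_hours": (0, 24)},
    {"user": "contractor1", "owner": "Projects", "enabled": True, "expires": datetime(2024, 1, 31),
     "last_login": datetime(2024, 2, 20, 9, 0), "usual_hours": (8, 18)},
    {"user": "mallory", "owner": "HR", "enabled": False, "expires": None,
     "last_login": datetime(2023, 11, 15, 9, 0), "usual_hours": (8, 18)},
]

# Constructed authentication events: timestamp, account, result, workstation.
AUTH_LOG = """\
2024-02-29T23:40:00 alice success WS-FIN-03
2024-02-29T02:10:00 svc-backup success BK-01
2024-03-01T03:15:00 mallory failure WS-HR-02
2024-03-01T03:16:00 mallory failure WS-HR-02
2024-03-01T08:05:00 contractor1 success WS-PRJ-11
2024-03-01T08:07:00 eve success WS-PRJ-11
"""


def review_inventory(accounts, now=NOW):
    """Inventory checks: 16.8 (no owner), 16.9 (dormant), 16.10 (expired but still enabled)."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already disabled; nothing left to revoke
        issues = []
        if acct["owner"] is None:
            issues.append("no-business-owner")
        if now - acct["last_login"] > DORMANT_AFTER:
            issues.append("dormant")
        if acct["expires"] is not None and acct["expires"] < now:
            issues.append("expired-still-enabled")
        if issues:
            findings[acct["user"]] = issues
    return findings


def review_auth_log(log_text, accounts):
    """Event checks: 16.12 (use of deactivated accounts), 16.13 (login outside usual hours)."""
    by_user = {acct["user"]: acct for acct in accounts}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, result, workstation = line.split()
        when = datetime.fromisoformat(stamp)
        acct = by_user.get(user)
        if acct is None:
            alerts.append((user, "unknown-account", workstation))
        elif not acct["enabled"]:
            alerts.append((user, "attempt-on-disabled-account", workstation))
        elif result == "success":
            start, end = acct["usual_hours"]
            if not start <= when.hour < end:
                alerts.append((user, "login-outside-usual-hours", workstation))
    return alerts


if __name__ == "__main__":
    print(review_inventory(ACCOUNTS))
    for alert in review_auth_log(AUTH_LOG, ACCOUNTS):
        print(alert)
```

Note that the disabled account is excluded from the inventory findings (disabling, not deleting, is what 16.7 asks for) but every attempt to use it is still reported from the log, which is the point of 16.12. The hour-of-day baseline is the simplest form of the behaviour profile 16.13 describes; workstation location and session duration would be added the same way, as per-account expectations compared against each event.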
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping matrix: for each of the framework sections below, the sheet marks with an "X" the CIS sub-controls that map to it. Only the column headings survived extraction; the row-by-row marks did not.]

3.1.1 Cyber Security Governance
3.1.2 Cyber Security Strategy
3.1.3 Cyber Security Policy
3.1.4 Cyber Security Roles and Responsibilities
3.1.5 Cyber Security in Project Management
3.1.6 Cyber Security Awareness
3.1.7 Cyber Security Training
3.2.1 Cyber Security Risk Management
3.2.2 Regulatory Compliance
3.2.3 Compliance with (inter)national industry standards
3.2.4 Cyber Security Review
3.2.5 Cyber Security Audits
3.3.1 Human Resources
3.3.2 Physical Security
3.3.3 Asset Management
3.3.4 Cyber Security Architecture
3.3.5 Identity and Access Management
3.3.6 Application Security
3.3.7 Change Management
3.3.8 Infrastructure Security
3.3.9 Cryptography
3.3.10 Bring Your Own Device (BYOD)
3.3.11 Secure Disposal of Information Assets
3.3.12 Payment Systems
3.3.13 Electronic Banking Services
3.3.14 Cyber Security Event Management
3.3.15 Cyber Security Incident Management
3.3.16 Threat Management
3.3.17 Vulnerability Management
3.4.1 Contract and Vendor Management
3.4.2 Outsourcing
3.4.3 Cloud Computing
CIS Controls v7.1 mapped to NERC CIP v7

Sub-control identifiers, with the category (System, Network or Application) the sheet assigns to each control, listed in the same order as the sub-control text that follows:

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices (System): 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
Critical Security Control #2: Inventory of Authorized and Unauthorized Software (System): 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation (System): 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
Critical Security Control #4: Controlled Use of Administrative Privileges (System): 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software (System): 5.1, 5.2, 5.3, 5.4, 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs (System): 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8
Critical Security Control #7: Email and Web Browser Protections (System): 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10
Critical Security Control #8: Malware Defenses (System): 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
Critical Security Control #9: Limitation and Control of Network Ports (System): 9.1, 9.2, 9.3, 9.4, 9.5
Critical Security Control #10: Data Recovery Capabilities (System): 10.1, 10.2, 10.3, 10.4, 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches (Network): 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
Critical Security Control #12: Boundary Defense (Network): 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12
Critical Security Control #13: Data Protection (Network): 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know (Application): 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9
Critical Security Control #15: Wireless Access Control (Network): 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10
Critical Security Control #16: Account Monitoring and Control (Application): 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program (Application): 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9
Critical Security Control #18: Application Software Security (Application): 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11
Critical Security Control #19: Incident Response and Management (Application): 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises (Application): 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
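Sub-control 1.3 says to feed DHCP server logs into the hardware inventory; 1.5 lists the fields the inventory must carry, and 1.6 says unknown hardware is removed, quarantined or recorded promptly. The Python below is an added example, not code from the AuditScripts sheet or from CIS. It parses the DHCPACK lines ISC dhcpd writes to syslog (the line layout is dhcpd's; the leases, addresses and hosts are constructed), reconciles them against a constructed inventory keyed by hardware address, refreshes the recorded IP address, and raises an alert for each unknown or not-yet-approved device.

```python
import re

# ISC dhcpd logs a DHCPACK line for every lease it hands out; the host name in parentheses
# is present only when the client sent one. The lines below are constructed for this example.
SAMPLE_DHCP_LOG = """\
Mar  1 09:12:03 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  1 09:12:03 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.40 to 00:11:22:33:44:55 (laptop-alice) via eth0
Mar  1 09:14:10 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.41 to aa:bb:cc:dd:ee:01 via eth0
Mar  1 09:15:22 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.42 to 66:77:88:99:aa:bb (printer-3f) via eth0
Mar  1 09:20:00 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.43 to 00:11:22:33:44:55 (laptop-alice) via eth0
"""

DHCP_ACK = re.compile(
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

# Constructed hardware asset inventory keyed by hardware address (sub-control 1.5 fields).
INVENTORY = {
    "00:11:22:33:44:55": {"name": "laptop-alice", "owner": "alice", "dept": "Finance",
                          "approved": True, "ip": "10.20.1.12"},
    "66:77:88:99:aa:bb": {"name": "printer-3f", "owner": "facilities", "dept": "Ops",
                          "approved": False, "ip": None},
}


def parse_acks(log_text):
    """Yield one dict (ip, mac, host, iface) per DHCPACK line; other dhcpd messages are skipped."""
    for line in log_text.splitlines():
        match = DHCP_ACK.search(line)
        if match:
            yield match.groupdict()


def reconcile(log_text, inventory):
    """Apply the leases to a copy of the inventory and return (updated inventory, alerts)."""
    updated = {mac: dict(record) for mac, record in inventory.items()}
    alerts = []
    for ack in parse_acks(log_text):
        record = updated.get(ack["mac"])
        if record is None:
            # Sub-control 1.6: unknown hardware is recorded as unapproved and raised for action
            alerts.append(("unauthorized-device", ack["mac"], ack["ip"]))
            updated[ack["mac"]] = {"name": ack["host"], "owner": None, "dept": None,
                                   "approved": False, "ip": ack["ip"]}
            continue
        record["ip"] = ack["ip"]          # keep the network address current (1.3 / 1.5)
        if not record["approved"]:
            alerts.append(("quarantine-unapproved-device", ack["mac"], ack["ip"]))
    return updated, alerts


if __name__ == "__main__":
    inventory, alerts = reconcile(SAMPLE_DHCP_LOG, INVENTORY)
    for alert in alerts:
        print(alert)
```

The second lease for the same laptop shows why the inventory is keyed by hardware address and only the IP field is refreshed: a DHCP client changes address routinely, and matching on IP would make the same machine look like a new device. A hardware address is trivially spoofable, so this feed identifies devices for inventory purposes only; admission decisions belong to 802.1x and client certificates under 1.7 and 1.8.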
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
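Sub-controls 3.6 (compare consecutive scans to confirm timely remediation) and 3.7 (prioritize with a risk rating) are the analysis step that sits after the scanner. The Python below is an added example, not code from the AuditScripts sheet or from CIS. It diffs two constructed scan results into remediated, new and persistent findings, weights each open finding's CVSS score by the asset's exposure and by known exploitation, assigns a remediation deadline per risk band and flags findings past it. The finding identifiers are placeholders rather than real CVE numbers, and the weights, bands and dates are assumptions.

```python
from datetime import date

TODAY = date(2024, 3, 1)   # fixed so the example is deterministic

# Constructed output of two consecutive authenticated scans (not from the page):
# {(host, finding id): CVSS base score}. The finding ids are placeholders, not real CVE numbers.
SCAN_PREV = {("web01", "F-101"): 9.8, ("web01", "F-102"): 5.3,
             ("db01", "F-103"): 7.5, ("hr01", "F-104"): 4.3}
SCAN_CURR = {("web01", "F-101"): 9.8, ("db01", "F-103"): 7.5,
             ("db01", "F-105"): 8.8, ("hr01", "F-104"): 4.3}

# When each finding was first reported; in practice this is carried over from scan to scan.
FIRST_SEEN = {("web01", "F-101"): date(2024, 1, 15), ("db01", "F-103"): date(2023, 11, 1),
              ("db01", "F-105"): date(2024, 2, 28), ("hr01", "F-104"): date(2023, 10, 1)}

# Context the scanner does not know: exposure from the asset inventory, exploitation from intel.
HOSTS = {"web01": {"internet_facing": True}, "db01": {"internet_facing": False},
         "hr01": {"internet_facing": False}}
KNOWN_EXPLOITED = {"F-101", "F-105"}


def diff_scans(prev, curr):
    """Sub-control 3.6: what was fixed, what is new, what is still open since the last scan."""
    return {"remediated": sorted(set(prev) - set(curr)),
            "new": sorted(set(curr) - set(prev)),
            "persistent": sorted(set(prev) & set(curr))}


def risk_score(host, finding, cvss):
    """Sub-control 3.7: CVSS weighted by exposure and known exploitation (weights are assumptions)."""
    score = cvss
    if HOSTS[host]["internet_facing"]:
        score *= 1.5
    if finding in KNOWN_EXPLOITED:
        score *= 2
    return round(score, 1)


def sla_days(score):
    """Remediation deadline by risk band (assumed policy values)."""
    if score >= 15:
        return 7
    if score >= 9:
        return 30
    return 90


def prioritize(curr, first_seen, today=TODAY):
    """Rank open findings by risk, then by age, and flag those past their remediation SLA."""
    rows = []
    for (host, finding), cvss in curr.items():
        score = risk_score(host, finding, cvss)
        age = (today - first_seen[(host, finding)]).days
        rows.append({"host": host, "finding": finding, "score": score, "age_days": age,
                     "sla_days": sla_days(score), "overdue": age > sla_days(score)})
    rows.sort(key=lambda r: (-r["score"], -r["age_days"]))
    return rows


if __name__ == "__main__":
    print(diff_scans(SCAN_PREV, SCAN_CURR))
    for row in prioritize(SCAN_CURR, FIRST_SEEN):
        print(row)
```

The ranking puts the internet-facing, exploited finding first even though the newest finding has a comparable base score, and the two old medium-severity findings on internal hosts come out overdue on age rather than severity; that is the behaviour 3.7 is after, a queue driven by risk and by how long the risk has been carried, not by the scanner's severity column alone.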

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
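Sub-controls 4.8 and 4.9 are detection rules: alert on any change to a group that carries administrative privileges, and alert on failed logins to administrative accounts. The Python below is an added example, not code from the AuditScripts sheet or from CIS. It runs both rules over constructed Windows Security events, using the documented event IDs for group membership changes (4728/4732/4756 added, 4729/4733/4757 removed) and failed logons (4625); the records are flattened to the few fields the rules need, and the account names, group names, timestamps and the five-failures-in-ten-minutes escalation threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs for group membership changes and failed logons (documented
# Microsoft values); the account and group names below are assumptions.
MEMBERSHIP_EVENTS = {4728: "added to", 4732: "added to", 4756: "added to",
                     4729: "removed from", 4733: "removed from", 4757: "removed from"}
FAILED_LOGON = 4625
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"adm-alice", "adm-bob"}
BURST_COUNT, BURST_WINDOW = 5, timedelta(minutes=10)   # assumed escalation threshold

# Constructed events, flattened to the few fields the checks use (real records carry more).
EVENTS = [
    {"EventID": 4732, "TimeCreated": "2024-03-01T10:02:11", "SubjectUserName": "adm-alice",
     "GroupName": "Administrators", "MemberName": "CORP\\svc-deploy"},
    {"EventID": 4728, "TimeCreated": "2024-03-01T10:03:40", "SubjectUserName": "adm-bob",
     "GroupName": "Sales", "MemberName": "CORP\\carol"},
    *[{"EventID": 4625, "TimeCreated": f"2024-03-01T11:0{i // 2}:{'30' if i % 2 else '00'}",
       "TargetUserName": "adm-bob", "IpAddress": "10.20.1.77"} for i in range(6)],
    {"EventID": 4625, "TimeCreated": "2024-03-01T11:30:00", "TargetUserName": "carol",
     "IpAddress": "10.20.1.80"},
    {"EventID": 4625, "TimeCreated": "2024-03-01T12:00:00", "TargetUserName": "adm-alice",
     "IpAddress": "10.20.1.91"},
    {"EventID": 4729, "TimeCreated": "2024-03-01T12:15:00", "SubjectUserName": "adm-alice",
     "GroupName": "Domain Admins", "MemberName": "CORP\\adm-bob"},
]


def admin_group_changes(events):
    """Sub-control 4.8: every membership change on a privileged group, whoever made it."""
    alerts = []
    for event in events:
        action = MEMBERSHIP_EVENTS.get(event["EventID"])
        if action and event["GroupName"] in ADMIN_GROUPS:
            alerts.append((event["TimeCreated"],
                           f"{event['MemberName']} {action} {event['GroupName']} "
                           f"by {event['SubjectUserName']}"))
    return alerts


def failed_admin_logons(events):
    """Sub-control 4.9: each failed logon against an administrative account."""
    return [(event["TimeCreated"], event["TargetUserName"], event["IpAddress"])
            for event in events
            if event["EventID"] == FAILED_LOGON and event["TargetUserName"] in ADMIN_ACCOUNTS]


def failed_logon_bursts(events, count=BURST_COUNT, window=BURST_WINDOW):
    """Escalate when `count` failures against one admin account fall inside `window` (sliding)."""
    per_user = defaultdict(list)
    for stamp, user, _ip in failed_admin_logons(events):
        per_user[user].append(datetime.fromisoformat(stamp))
    bursts = []
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - count + 1):
            if times[i + count - 1] - times[i] <= window:
                bursts.append((user, times[i].isoformat(), count))
                break               # one escalation per account per run
    return bursts


if __name__ == "__main__":
    for alert in admin_group_changes(EVENTS) + failed_logon_bursts(EVENTS):
        print(alert)
```

The membership rule deliberately fires on removals as well as additions, and on changes made by legitimate administrators: 4.8 asks for the change to be logged and alerted, and review of the alert is where the change gets tied to a ticket. Every failed admin logon is returned as a log entry; the burst function is the separate, noisier-to-quieter escalation a SIEM would carry in a correlation rule.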
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
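Sub-control 7.8 names the three DNS-published mechanisms (SPF, DKIM, DMARC) but not what a weak deployment of each looks like. The Python below is an added example, not code from the AuditScripts sheet or from CIS. It evaluates TXT records for a domain and reports the configurations that satisfy the letter of 7.8 while giving little protection: an SPF record ending in `+all` or `?all`, a `~all` softfail, more than ten DNS-querying mechanisms (a permerror under RFC 7208), a DMARC policy of `p=none`, a partial `pct`, no aggregate-report address, and a DKIM selector with an empty (revoked) key. The two record sets are constructed for the example and the resolver is an in-memory lookup; the DKIM key value is a placeholder, not a real key.

```python
import re

# Mechanisms in SPF that cost a DNS lookup; more than ten of them is a permerror (RFC 7208).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Two constructed DNS TXT record sets (not from the page) for the same domain: the weak set
# is how many domains look before 7.8 is implemented, the hardened set after.
WEAK_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net +all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p="],
}
HARDENED_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64PUBLICKEY"],
}


def parse_tags(record):
    """'k=v; k2=v2' into a dict with lower-cased keys (DKIM and DMARC share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(domain, lookup):
    records = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return ["spf: no record"]
    if len(records) > 1:
        return ["spf: multiple records (permerror)"]
    terms = records[0].split()[1:]
    findings = []
    lookups = sum(1 for t in terms
                  if re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append("spf: more than 10 DNS lookups (permerror)")
    all_term = next((t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("spf: no 'all' mechanism, unlisted senders get a neutral result")
    elif all_term in ("+all", "all"):
        findings.append("spf: +all authorizes every sender")
    elif all_term == "?all":
        findings.append("spf: ?all is neutral and gives no protection")
    elif all_term == "~all":
        findings.append("spf: ~all softfail; -all is the strict form once DMARC is enforcing")
    return findings


def evaluate_dkim(domain, selectors, lookup):
    findings = []
    for selector in selectors:
        records = lookup(f"{selector}._domainkey.{domain}")
        if not records:
            findings.append(f"dkim: selector {selector} has no record")
            continue
        if not parse_tags(records[0]).get("p"):
            findings.append(f"dkim: selector {selector} key revoked (empty p)")
    return findings


def evaluate_dmarc(domain, lookup):
    records = [r for r in lookup(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["dmarc: no record"]
    tags = parse_tags(records[0])
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("dmarc: missing p tag (record is invalid)")
    elif policy == "none":
        findings.append("dmarc: p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"dmarc: pct={tags['pct']} enforces the policy on only part of the mail")
    if "rua" not in tags:
        findings.append("dmarc: no rua address, aggregate reports are not collected")
    return findings


def assess_domain(domain, selectors, records):
    """Run all three checks against an in-memory record set; swap `lookup` for a real resolver."""
    def lookup(name):
        return records.get(name.lower(), [])
    return (evaluate_spf(domain, lookup) + evaluate_dkim(domain, selectors, lookup)
            + evaluate_dmarc(domain, lookup))


if __name__ == "__main__":
    print(assess_domain("example.com", ["sel1"], WEAK_RECORDS))
    print(assess_domain("example.com", ["sel1"], HARDENED_RECORDS))
```

The order 7.8 gives (SPF and DKIM first, DMARC after) is also the deployment order this check assumes: a DMARC `p=reject` published before SPF and DKIM are correct for every legitimate sender causes that sender's mail to be dropped, which is why `p=none` with an `rua` address is a legitimate first step and only a finding once it has become permanent. DKIM selectors are not discoverable from DNS alone, so the selectors in use have to come from the mail platform's configuration.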
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
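Sub-control 9.1 records the authorized ports, protocols and services against each hardware asset, and 9.3 compares regular port scans to that record and alerts on anything unauthorized. The Python below is an added example, not code from the AuditScripts sheet or from CIS. It parses nmap's grepable (`-oG`) output format, which is the scanner's documented layout, and compares the open listeners per host against a baseline of authorized (protocol, port) pairs; the scanned hosts, ports and the baseline are constructed for the example.

```python
import re

# Constructed nmap "grepable" (-oG) output, not from the page; hosts and ports are invented.
# Each Host line is tab-separated: the host field, then a Ports or Status field.
SAMPLE_GNMAP = "\n".join([
    "Host: 10.20.2.10 (web01)\tStatus: Up",
    "Host: 10.20.2.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)",
    "Host: 10.20.2.11 (db01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (997)",
    "Host: 10.20.2.12 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)",
])

# Sub-control 9.1: authorized (protocol, port) pairs recorded against each asset in the inventory.
BASELINE = {
    "10.20.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "10.20.2.11": {("tcp", 22), ("tcp", 5432)},
}

HOST_FIELD = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"name": ..., "open": {(proto, port, service), ...}}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip, name = HOST_FIELD.match(fields[0]).groups()
        entry = hosts.setdefault(ip, {"name": name, "open": set()})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for port_spec in field[len("Ports:"):].split(","):
                # port/state/proto/owner/service/rpc/version/
                port, state, proto, _owner, service, *_ = port_spec.strip().split("/")
                if state == "open":           # filtered and closed are not listening services
                    entry["open"].add((proto, int(port), service))
    return hosts


def compare_to_baseline(hosts, baseline):
    """Sub-control 9.3: alert on listeners the inventory does not authorize, and on hosts it lacks."""
    alerts = []
    for ip, entry in hosts.items():
        if ip not in baseline:
            alerts.append((ip, "host-not-in-inventory",
                           sorted((proto, port) for proto, port, _ in entry["open"])))
            continue
        observed = {(proto, port): service for proto, port, service in entry["open"]}
        for proto, port in sorted(set(observed) - baseline[ip]):
            alerts.append((ip, "unauthorized-open-port",
                           f"{port}/{proto} {observed[(proto, port)]}"))
        for proto, port in sorted(baseline[ip] - set(observed)):
            alerts.append((ip, "expected-port-not-open", f"{port}/{proto}"))
    return alerts


if __name__ == "__main__":
    for alert in compare_to_baseline(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(alert)
```

Two design points: a `filtered` port is not reported as a listener, because the scanner could not tell whether anything is behind the filter and a host-based check (9.2) is the right tool for that; and an authorized port that is no longer open is reported as well, since a service that silently stopped listening is as much a drift from the record as one that started. A host the inventory does not know at all goes back to Control 1 rather than being judged against an empty baseline.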
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.
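Sub-controls 12.3, 12.4 and 12.8 together describe what a boundary policy engine does with a flow record: check the external address against a blocklist, check the protocol and port against what is authorized to cross in each direction, and keep the record for analysis. The following is an added example, not part of the CIS text, that applies those three checks to constructed NetFlow-style records; the blocklist CIDRs, the allowed-port tables and the flow tuple layout are assumptions.

```python
"""Screen NetFlow-style records at a boundary against a blocklist and a port policy.

Added example, not from the CIS text. Flow records are a simplified
5-tuple plus direction; blocklist and port policy are hypothetical.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport direction")  # direction: 'in' or 'out'

BLOCKLIST = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.7/32")]
# Protocol/port pairs permitted to leave the network (CSC 12.4)
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 22)}
# Inbound, only the published service is permitted
ALLOWED_INGRESS = {("tcp", 443)}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def is_blocklisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def evaluate_flow(flow):
    """Return 'allow' or a 'deny: <reason>' string for one flow record."""
    external = flow.dst if flow.direction == "out" else flow.src
    if is_blocklisted(external):
        return "deny: known-bad address " + external
    # Outbound traffic must originate from our own address space
    if flow.direction == "out" and ipaddress.ip_address(flow.src) not in INTERNAL:
        return "deny: spoofed internal source " + flow.src
    policy = ALLOWED_EGRESS if flow.direction == "out" else ALLOWED_INGRESS
    if (flow.proto, flow.dport) not in policy:
        return f"deny: unauthorized {flow.proto}/{flow.dport} {flow.direction}bound"
    return "allow"


def screen(flows):
    """Return [(flow, verdict)] for every flow that would be denied (feed this to the SIEM)."""
    denied = []
    for flow in flows:
        verdict = evaluate_flow(flow)
        if verdict != "allow":
            denied.append((flow, verdict))
    return denied


# Constructed sample flows (documentation address ranges)
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "192.0.2.10", "tcp", 443, "out"),
    Flow("10.1.2.3", "198.51.100.45", "tcp", 443, "out"),
    Flow("10.1.2.9", "192.0.2.10", "tcp", 4444, "out"),
    Flow("192.0.2.77", "10.1.0.5", "tcp", 3389, "in"),
    Flow("192.0.2.77", "10.1.0.5", "tcp", 443, "in"),
    Flow("172.16.0.1", "192.0.2.10", "udp", 53, "out"),
]

if __name__ == "__main__":
    for flow, verdict in screen(SAMPLE_FLOWS):
        print(verdict, flow)
```

Order matters: the blocklist is consulted before the port policy so that a connection to a known-bad address on an otherwise permitted port (443 to a command-and-control host) is still denied and logged with the more specific reason.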

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.
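"Hash with a salt" is necessary but not sufficient: the hash also has to be slow, the salt has to be random and per-credential, and the stored record has to carry its own parameters so the cost can be raised later. The following is an added example, not part of the CIS text, showing the unsalted fast hash that 16.4 rules out next to a PBKDF2-HMAC-SHA256 record with a per-user salt, constant-time verification and a rehash check. The record format and the iteration count are assumptions.

```python
"""Store and verify credentials with a per-user random salt and a slow KDF.

Added example, not from the CIS text. The record format
"pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>" is an assumption; the
iteration count is a placeholder to be set from a benchmark on your hardware.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption; tune so one verification costs tens of milliseconds


def weak_store(password):
    """What 16.4 forbids: an unsalted fast hash. Equal passwords give equal
    hashes across users, and precomputed tables break it offline."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, cost, salt and derived key."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, iterations = bytes.fromhex(salt_hex), int(iters)
    except ValueError:
        return False  # malformed record: never treat as a match
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the record was made with a lower cost than current policy;
    call after a successful login and re-store with the current cost."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations
```

Where a memory-hard function is available (scrypt or Argon2id), prefer it over PBKDF2; the record-with-parameters pattern is the same, and needs_rehash is what lets you migrate existing users without a password reset.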


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
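Sub-controls 16.7 through 16.12 become routine once the account inventory is data rather than a document. The following is an added example, not part of the CIS text: a review over a constructed account inventory that names accounts with no owner, dormant accounts and accounts past their expiry, plus a pass over constructed sshd-style log lines that reports every attempt against a disabled account. Field names, the dormancy threshold and the log format are assumptions.

```python
"""Review an account inventory and watch the auth log for disabled-account attempts.

Added example, not from the CIS text. Inventory schema and log lines are
constructed (the log mimics sshd "Accepted ..." / "Failed password for ..." lines).
"""
import re
from datetime import date

DORMANT_DAYS = 45  # assumption: policy threshold for CSC 16.9

# Constructed inventory: account name -> record
ACCOUNTS = {
    "alice":   {"owner": "alice@corp", "enabled": True,  "last_login": date(2024, 1, 5),  "expires": date(2024, 12, 31)},
    "bob":     {"owner": "bob@corp",   "enabled": True,  "last_login": date(2023, 10, 1), "expires": date(2024, 12, 31)},
    "svc-etl": {"owner": None,         "enabled": True,  "last_login": date(2024, 1, 8),  "expires": None},
    "carol":   {"owner": "carol@corp", "enabled": True,  "last_login": date(2024, 1, 2),  "expires": date(2023, 12, 31)},
    "dave":    {"owner": "dave@corp",  "enabled": False, "last_login": date(2023, 6, 1),  "expires": date(2023, 6, 1)},
}


def review_accounts(accounts, today):
    """Return lists of enabled accounts that should be disabled or fixed.

    no_owner: cannot be tied to a business owner (16.8)
    dormant:  unused for more than DORMANT_DAYS (16.9)
    expired:  past its expiration date, or with no expiration at all (16.10)
    """
    out = {"no_owner": [], "dormant": [], "expired": []}
    for name, a in sorted(accounts.items()):
        if not a["enabled"]:
            continue  # already disabled; kept (not deleted) for the audit trail
        if a["owner"] is None:
            out["no_owner"].append(name)
        if (today - a["last_login"]).days > DORMANT_DAYS:
            out["dormant"].append(name)
        if a["expires"] is None or a["expires"] < today:
            out["expired"].append(name)
    return out


AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def disabled_account_attempts(log_lines, accounts):
    """Return (user, ip, result) for each attempt against a disabled account (16.12)."""
    hits = []
    for line in log_lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        acct = accounts.get(m["user"])
        if acct is not None and not acct["enabled"]:
            hits.append((m["user"], m["ip"], m["result"]))
    return hits


# Constructed auth log
SAMPLE_AUTH_LOG = [
    "Jan  9 08:01:12 bastion sshd[4120]: Accepted publickey for alice from 10.0.9.4 port 50122 ssh2",
    "Jan  9 08:02:40 bastion sshd[4133]: Failed password for dave from 203.0.113.50 port 41000 ssh2",
    "Jan  9 08:02:44 bastion sshd[4133]: Failed password for dave from 203.0.113.50 port 41000 ssh2",
    "Jan  9 08:05:01 bastion sshd[4140]: Failed password for invalid user admin from 203.0.113.50 port 41002 ssh2",
]

if __name__ == "__main__":
    print(review_accounts(ACCOUNTS, date(2024, 1, 9)))
    print(disabled_account_attempts(SAMPLE_AUTH_LOG, ACCOUNTS))
```

A service account with no expiry and no owner shows up twice in this review on purpose: both findings have to be resolved, by assigning an owner and by recording a review date in place of an open-ended expiry, before the account is allowed to stay.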
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

NERC CIP v6 requirement columns of the mapping matrix (the per-sub-control mapping marks did not survive extraction and are not reproduced here):

CIP-002-5.1 R1: Attachment 1 incorporates the "Bright Line Criteria" to classify BES Assets as Low, Medium, or High. Called BES Cyber Systems, consolidating CAs and CCAs.
CIP-002-5.1 R2: BES Cyber System Lists (CIP-002-5) must be reviewed and approved every 15 calendar months.
CIP-003-7 R1: Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by the CIP Senior Manager every 15 calendar months.
CIP-003-7 R2: Cyber Security Policies approved for Low Impact Assets by the CIP Senior Manager every 15 calendar months.
CIP-003-7 R3: Identify a CIP Senior Manager and document any change within 30 calendar days of the change.
CIP-003-7 R4: CIP Senior Manager must document any delegates.
CIP-004-6 R1: Security Awareness Program
CIP-004-6 R2: Training Program
CIP-004-6 R3: Personnel Risk Assessment (PRA) Program
CIP-004-6 R4: Access Management Program
CIP-004-6 R5: Access Revocation Program
CIP-005-5 R1: Electronic Security Perimeters
CIP-005-5 R2: Interactive Remote Access Management
CIP-006-6 R1: Physical Security Plan
CIP-006-6 R2: Visitor Control Plan
CIP-006-6 R3: Maintenance and Testing Program
CIP-007-6 R1: Ports and Services
CIP-007-6 R2: Security Patch Management
CIP-007-6 R3: Malicious Code Prevention
CIP-007-6 R4: Security Event Monitoring
CIP-007-6 R5: System Access Controls
CIP-008-5 R1: Cyber Security Incident Response Plan
CIP-008-5 R2: Implementation and Testing of Cyber Security Incident Response Plans
CIP-008-5 R3: Cyber Security Incident Response Plan Review, Update and Communication
CIP-009-6 R1: Recovery Plan Specifications
CIP-009-6 R2: Recovery Plan Implementation and Testing
CIP-009-6 R3: Recovery Plan Review, Update, and Communication
CIP-010-3 R1: Configuration Change Management Process
CIP-010-3 R2: Configuration Monitoring
CIP-010-3 R3: Vulnerability Assessments
CIP-011-2 R1: Information Protection Process
CIP-011-2 R2: BES Cyber Asset Reuse and Disposal
CIP-013-1 R1: Supply Chain Risk Management Plan
CIP-013-1 R2: Supply Chain Risk Management Plan
CIP-013-1 R3: Approval of Supply Chain Management Plan
CIP-014-2 R1: Physical Security Risk Assessments
CIP-014-2 R2: Third Party Validation of Physical Security Risk Assessment
CIP-014-2 R3: Notification of Control
CIP-014-2 R4: Physical Vulnerability and Threat Assessment
CIP-014-2 R5: Physical Security Plan
CIP-014-2 R6: Third Party Validation of Physical Security Plan
CIS Controls v7.1 mapped to NERC CIP v6

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3
System 2.4

System 2.5

System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2
System 4.3

System 4.4

System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6
System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections

System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5
System 8.6

System 8.7

System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5
Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12
Critical Security Control #13: Data Protection

Network 13.1

Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7
Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7
Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4
Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls


Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
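Sub-controls 1.3, 1.5 and 1.6 chain together: DHCP server logs are a cheap passive feed, the inventory records which hardware addresses are approved, and anything that leases an address without being approved is what you quarantine. The following is an added example, not part of the CIS text, that reconciles constructed ISC dhcpd-style syslog lines ("DHCPACK on <ip> to <mac> (<hostname>) via <iface>") against a small inventory. The inventory schema and the Asset record are assumptions.

```python
"""Reconcile dhcpd-style lease log lines against a hardware asset inventory.

Added example, not from the CIS text. The log format mirrors ISC dhcpd
syslog output; the inventory schema (mac, name, owner, department,
approved, ip) is hypothetical.
"""
import re
from dataclasses import dataclass

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Asset:
    mac: str
    name: str = ""
    owner: str = ""
    department: str = ""
    approved: bool = False
    ip: str = ""  # last address observed via DHCP


def parse_dhcpack(line):
    """Return (ip, mac, hostname) for a DHCPACK line, or None for any other line."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return m["ip"], m["mac"].lower(), (m["host"] or "")


def reconcile(lines, inventory):
    """Refresh inventory from leases; return MACs that are unknown or unapproved.

    inventory: dict mac -> Asset, updated in place (address and name refreshed;
    never-seen devices are added as unapproved so they appear for review).
    """
    findings = {"unknown": [], "unapproved": []}
    for line in lines:
        rec = parse_dhcpack(line)
        if rec is None:
            continue
        ip, mac, host = rec
        asset = inventory.get(mac)
        if asset is None:
            inventory[mac] = Asset(mac=mac, name=host, ip=ip, approved=False)
            if mac not in findings["unknown"]:
                findings["unknown"].append(mac)
            continue
        asset.ip = ip
        if host and not asset.name:
            asset.name = host
        if not asset.approved and mac not in findings["unapproved"]:
            findings["unapproved"].append(mac)
    return findings


# Constructed sample log and inventory
SAMPLE_LOG = [
    "Jan 10 09:12:01 dhcp1 dhcpd[812]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
    "Jan 10 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (ws-alice) via eth0",
    "Jan 10 09:13:47 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.99 to de:ad:be:ef:00:01 (android-7f3) via eth0",
    "Jan 10 09:15:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.30 to AA:BB:CC:DD:EE:FF via eth0",
]
SAMPLE_INVENTORY = {
    "00:11:22:33:44:55": Asset("00:11:22:33:44:55", "ws-alice", "alice", "finance", approved=True),
    "aa:bb:cc:dd:ee:ff": Asset("aa:bb:cc:dd:ee:ff", "printer-3f", "facilities", "ops", approved=False),
}

if __name__ == "__main__":
    inv = dict(SAMPLE_INVENTORY)
    print(reconcile(SAMPLE_LOG, inv))
```

A DHCP feed only sees devices that ask for an address; a host with a static address never appears here, which is why 1.1 and 1.2 still call for active and passive discovery alongside it.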
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
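Sub-controls 3.6 and 3.7 are one computation: diff two consecutive scans keyed by host and finding, then age each finding that persists against a severity-based remediation window. The following is an added example, not part of the CIS text; the scan record schema, the finding identifiers and the SLA table are constructed for the illustration.

```python
"""Compare consecutive vulnerability scans and flag findings past their remediation SLA.

Added example, not from the CIS text. Scan record schema (host, id,
severity, first_seen) and the SLA table are assumptions.
"""
from datetime import date

# Hypothetical risk-rating SLA: days allowed to remediate, by severity (CSC 3.7)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def _key(finding):
    return (finding["host"], finding["id"])


def compare_scans(previous, current, today):
    """Classify findings across two scans.

    previous, current: lists of {host, id, severity, first_seen: date}.
    Returns 'remediated', 'new', 'persisting' as sorted (host, id) lists and
    'overdue' as (host, id, age_days) for persisting findings past their SLA.
    """
    prev = {_key(f): f for f in previous}
    curr = {_key(f): f for f in current}
    remediated = sorted(k for k in prev if k not in curr)
    new = sorted(k for k in curr if k not in prev)
    persisting = sorted(k for k in curr if k in prev)
    overdue = []
    for k in persisting:
        # Age from the earlier scan's first_seen, so a rescan does not reset the clock
        age = (today - prev[k]["first_seen"]).days
        if age > SLA_DAYS[curr[k]["severity"]]:
            overdue.append((k[0], k[1], age))
    return {"remediated": remediated, "new": new, "persisting": persisting, "overdue": overdue}


# Constructed sample scans (finding ids are placeholders, not real CVE numbers)
SCAN_1 = [
    {"host": "web01", "id": "VULN-0001", "severity": "critical", "first_seen": date(2024, 1, 2)},
    {"host": "web01", "id": "VULN-0002", "severity": "medium", "first_seen": date(2024, 1, 2)},
    {"host": "db01", "id": "VULN-0003", "severity": "high", "first_seen": date(2023, 12, 1)},
]
SCAN_2 = [
    {"host": "web01", "id": "VULN-0002", "severity": "medium", "first_seen": date(2024, 1, 9)},
    {"host": "db01", "id": "VULN-0003", "severity": "high", "first_seen": date(2024, 1, 9)},
    {"host": "db01", "id": "VULN-0004", "severity": "low", "first_seen": date(2024, 1, 9)},
]

if __name__ == "__main__":
    print(compare_scans(SCAN_1, SCAN_2, date(2024, 1, 9)))
```

A finding that vanishes between scans is only "remediated" if the host was actually scanned the second time; a host that was offline or unreachable should be reported separately, not counted as fixed.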

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
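The DMARC item above names three records that have to be published correctly before spoofed mail from the domain is actually rejected. The following is an added example (not code from the page or from CIS) that parses an SPF and a DMARC TXT record and reports the findings a defender checks first: the terminal `all` qualifier, the SPF lookup limit, the DMARC `p=` policy, `pct=` and the presence of an aggregate-report address. The two record strings are constructed samples; no DNS query is made, and the hypothetical `example.com` domain stands in for the organization's own.

```python
"""Parse published SPF and DMARC TXT records and report whether they enforce anything.

Added example; the record strings below are constructed for illustration,
not real DNS lookups. A real check would fetch the TXT records for
example.com and _dmarc.example.com with a resolver.
"""
from dataclasses import dataclass, field

# Constructed sample records (no DNS query is made).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-rpt@example.com; pct=100"

# Mechanisms and modifiers that cost a DNS lookup (SPF allows at most 10).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


@dataclass
class SpfReport:
    valid: bool
    mechanisms: list = field(default_factory=list)
    all_qualifier: str = ""  # '-' hard fail, '~' soft fail, '?' neutral, '+' pass
    findings: list = field(default_factory=list)


def check_spf(record: str) -> SpfReport:
    """Split an SPF record into mechanisms and judge the terminal 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return SpfReport(valid=False, findings=["not an SPF record (missing v=spf1)"])
    report = SpfReport(valid=True, mechanisms=terms[1:])
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        report.findings.append("no terminal 'all' mechanism: unlisted senders are not rejected")
        return report
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    report.all_qualifier = qualifier
    if qualifier == "+":
        report.findings.append("'+all' authorizes every sender; record is ineffective")
    elif qualifier == "~":
        report.findings.append("'~all' is soft fail; consider '-all' once legitimate senders are listed")
    elif qualifier == "?":
        report.findings.append("'?all' is neutral; unlisted senders are neither passed nor failed")
    lookups = sum(
        1 for t in terms[1:]
        if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_TERMS
    )
    if lookups > 10:
        report.findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return report


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value;' pairs of a DMARC record into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> dict:
    """Return the parsed tags, an 'enforcing' verdict and findings about policy strength."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("not a DMARC record (missing v=DMARC1)")
        return {"tags": tags, "enforcing": False, "findings": findings}
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail from the domain is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unknown policy tag p={policy!r}")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"tags": tags, "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    spf = check_spf(SAMPLE_SPF)
    print("SPF all qualifier:", spf.all_qualifier, spf.findings)
    dmarc = check_dmarc(SAMPLE_DMARC)
    print("DMARC enforcing:", dmarc["enforcing"], dmarc["findings"])
```

The sample records are the usual starting state of a rollout: SPF with a soft-fail `~all` and DMARC at `p=none`, which is monitoring only. The check treats a domain as enforcing only when `p=` is `quarantine` or `reject` and `pct=` is 100.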
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
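Query logging only pays off if something reads the log. As an added example (not code from the page or from CIS), the block below runs a list of known malicious domains over DNS query log lines: it normalizes case and the trailing dot, matches a blocklisted domain and any of its subdomains, but deliberately does not match a name where the indicator is only an infix. The log format (timestamp, client, query name, query type) is an assumption rather than any specific resolver's output, and both the log lines and the blocklist entries are constructed placeholders.

```python
"""Match DNS query log lines against a list of known malicious domains.

Added example. Log lines and the blocklist are constructed; the format
below imitates a generic 'timestamp client query type' log and is an
assumption, not any specific resolver's output.
"""
import re
from collections import defaultdict
from typing import Optional

# Constructed blocklist of domains (placeholders, not real indicators).
MALICIOUS_DOMAINS = {"bad-example.test", "c2.malicious-example.invalid"}

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.1.2.3 www.example.com A
2024-03-01T10:00:02Z 10.1.2.3 cdn.bad-example.test A
2024-03-01T10:00:03Z 10.1.2.9 bad-example.test.example.com A
2024-03-01T10:00:04Z 10.1.2.7 C2.Malicious-Example.invalid. AAAA
2024-03-01T10:00:05Z 10.1.2.3 mail.example.com MX
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.Example.' and 'foo.example' compare equal."""
    return name.lower().rstrip(".")


def matches_blocklist(qname: str, blocklist: set) -> Optional[str]:
    """Return the blocklisted domain that qname equals or is a subdomain of, else None.

    Walking label suffixes catches 'cdn.bad-example.test' but not
    'bad-example.test.example.com', where the indicator is only an infix.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_dns_log(text: str, blocklist: set) -> list:
    """Return (timestamp, client, qname, matched_domain) for every hit, in log order."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        hit = matches_blocklist(m["qname"], blocklist)
        if hit:
            hits.append((m["ts"], m["client"], m["qname"], hit))
    return hits


def hosts_by_indicator(hits: list) -> dict:
    """Group querying clients per matched indicator to prioritize triage."""
    grouped = defaultdict(set)
    for _ts, client, _qname, matched in hits:
        grouped[matched].add(client)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, MALICIOUS_DOMAINS):
        print("ALERT", *hit)
```

Grouping hits by indicator gives the incident handler the list of clients to look at per domain, which is the question that usually comes next.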

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
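Alerting on unauthorized ports means joining scan output to the inventory of ports that have a validated business need. The following is an added example (not code from the page or from CIS) that parses constructed scan results, compares each open port against a constructed per-host approved set, and produces two lists: ports that are open but not approved (or on hosts the inventory does not know at all), and approved ports that were not seen open, which can indicate an outage or a stale inventory. The one-line-per-port scan format is an assumption, not the output of any particular scanner.

```python
"""Compare observed listening ports per host with the approved inventory and raise alerts.

Added example. The scan output format and the inventory are constructed;
the parser assumes a simple 'host port/proto state service' line per
port, which is not the output of any particular scanner.
"""
from dataclasses import dataclass

# Constructed approved inventory: host -> set of (port, protocol) validated by business need.
APPROVED = {
    "10.0.0.10": {(22, "tcp"), (443, "tcp")},
    "10.0.0.11": {(22, "tcp"), (53, "udp"), (53, "tcp")},
}

# Constructed scan results in the assumed line format.
SAMPLE_SCAN = """\
10.0.0.10 22/tcp open ssh
10.0.0.10 443/tcp open https
10.0.0.10 3389/tcp open ms-wbt-server
10.0.0.11 53/udp open domain
10.0.0.11 53/tcp open domain
10.0.0.12 8080/tcp open http-proxy
10.0.0.10 8443/tcp closed unknown
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str
    reason: str


def parse_scan(text: str) -> dict:
    """Return host -> {(port, proto): service} for ports reported open."""
    observed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "open":
            continue  # closed/filtered ports and malformed lines are ignored
        host, portproto, _state, service = parts
        port_s, proto = portproto.split("/", 1)
        observed.setdefault(host, {})[(int(port_s), proto)] = service
    return observed


def find_unauthorized(observed: dict, approved: dict) -> list:
    """Every open port not in the inventory is a finding; an unknown host is flagged on each port."""
    findings = []
    for host, ports in sorted(observed.items()):
        allowed = approved.get(host)
        for (port, proto), service in sorted(ports.items()):
            if allowed is None:
                findings.append(Finding(host, port, proto, service, "host not in asset inventory"))
            elif (port, proto) not in allowed:
                findings.append(Finding(host, port, proto, service, "port not approved for host"))
    return findings


def find_missing(observed: dict, approved: dict) -> list:
    """Approved services that were not seen open: useful to spot an outage or a stale inventory."""
    missing = []
    for host, allowed in sorted(approved.items()):
        seen = set(observed.get(host, {}))
        for port, proto in sorted(allowed - seen):
            missing.append((host, port, proto))
    return missing


if __name__ == "__main__":
    obs = parse_scan(SAMPLE_SCAN)
    for f in find_unauthorized(obs, APPROVED):
        print(f"ALERT {f.host} {f.port}/{f.proto} ({f.service}): {f.reason}")
    for host, port, proto in find_missing(obs, APPROVED):
        print(f"NOTE  {host} {port}/{proto} approved but not observed open")
```

The unknown-host case is worth keeping separate from the unapproved-port case: the first is a Control 1 (hardware inventory) problem surfacing through a port scan, the second is a Control 9 problem on a known asset.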
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.
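One way to implement the comparison above, as an added example that is not code from the page or from CIS: normalize the approved baseline and the running configuration into comparable lines, take the difference in both directions, and emit one alert line per deviation. Both configurations are constructed, IOS-style text for a hypothetical edge router; the comparison itself is line-based and vendor-neutral. Comments, blank lines and whitespace differences are ignored, while indented child lines are prefixed with their parent section so that the same text under different sections is not confused.

```python
"""Compare a device's running configuration with its approved baseline and report deviations.

Added example. Both configurations are constructed, IOS-style text
(an assumption about the device; the comparison is line-based and
vendor-neutral). Lines are normalized so that comments, blank lines and
whitespace differences do not count as drift.
"""
from dataclasses import dataclass, field

# Constructed approved baseline for a hypothetical edge router.
APPROVED_CONFIG = """\
! approved baseline - edge-router-1
hostname edge-router-1
no ip http server
service password-encryption
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0
logging host 10.0.0.50
"""

# Constructed running configuration pulled from the device.
RUNNING_CONFIG = """\
hostname edge-router-1
ip http server
service password-encryption
ip ssh version 2
line vty 0 4
 transport input ssh telnet
 login local
 exec-timeout 10 0
logging host 10.0.0.50
snmp-server community public RO
"""


@dataclass
class Drift:
    missing: list = field(default_factory=list)  # in baseline, absent from device
    extra: list = field(default_factory=list)    # on device, absent from baseline

    @property
    def clean(self) -> bool:
        return not self.missing and not self.extra


def normalize(config: str) -> list:
    """Return comparable lines; child lines carry their parent section as a prefix so
    'transport input ssh' under 'line vty 0 4' differs from the same text elsewhere."""
    lines = []
    parent = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # comments and blank lines are not configuration
        if raw.startswith(" "):
            lines.append(f"{parent} / {' '.join(raw.split())}")
        else:
            parent = " ".join(raw.split())
            lines.append(parent)
    return lines


def compare(approved: str, running: str) -> Drift:
    """Set difference in both directions; line order is not significant for this check."""
    base, dev = set(normalize(approved)), set(normalize(running))
    return Drift(missing=sorted(base - dev), extra=sorted(dev - base))


def alert_lines(drift: Drift, device: str) -> list:
    """Render one alert line per deviation, suitable for forwarding to a SIEM."""
    out = [f"{device} config drift: missing '{m}'" for m in drift.missing]
    out += [f"{device} config drift: unexpected '{e}'" for e in drift.extra]
    return out


if __name__ == "__main__":
    d = compare(APPROVED_CONFIG, RUNNING_CONFIG)
    print("\n".join(alert_lines(d, "edge-router-1")) or "no drift")
```

On the constructed input the check reports the HTTP server turned back on, telnet added to the VTY transport and an unexpected SNMP community string, which are exactly the kinds of changes this sub-control wants surfaced rather than discovered at the next audit.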

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
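The deviation alert above needs a per-user baseline to deviate from. As an added example (not code from the page or from CIS), the block below builds a simple profile from a constructed login history (the hour window and the set of workstations each user has logged in from) and flags new events that fall outside it, including the case where a user has no history at all. The one-hour slack and the window rule are this example's choices; a production baseline would use more history and handle shifts that cross midnight, which this simple hour window does not.

```python
"""Flag logins that deviate from a user's usual hours or workstation.

Added example. The login history is constructed; the baseline rule
(hour window and workstations seen in the history) is this example's
simple choice, not a method the page specifies.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, ISO timestamp, workstation). Timestamps are naive local time.
HISTORY = [
    ("alice", "2024-02-05T08:55:00", "WS-ALICE"),
    ("alice", "2024-02-06T09:10:00", "WS-ALICE"),
    ("alice", "2024-02-07T17:40:00", "WS-ALICE"),
    ("alice", "2024-02-08T08:30:00", "WS-ALICE"),
    ("bob", "2024-02-05T22:15:00", "WS-BOB"),
    ("bob", "2024-02-06T23:05:00", "WS-BOB"),
    ("bob", "2024-02-07T21:50:00", "WS-BOB"),
]

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", "2024-02-09T09:05:00", "WS-ALICE"),    # within profile
    ("alice", "2024-02-10T03:12:00", "WS-ALICE"),    # off-hours
    ("alice", "2024-02-10T10:00:00", "FILESRV-01"),  # never used this workstation
    ("bob", "2024-02-09T22:30:00", "WS-BOB"),        # normal for a night-shift user
    ("carol", "2024-02-09T12:00:00", "WS-CAROL"),    # no history at all
]

HOUR_SLACK = 1  # allow one hour either side of the observed window


def build_baseline(history: list) -> dict:
    """Per user: (earliest_hour, latest_hour, set of workstations) from prior logins."""
    hours, hosts = defaultdict(list), defaultdict(set)
    for user, ts, host in history:
        hours[user].append(datetime.fromisoformat(ts).hour)
        hosts[user].add(host)
    return {u: (min(hours[u]), max(hours[u]), hosts[u]) for u in hours}


def evaluate(event: tuple, baseline: dict) -> list:
    """Return the reasons the event deviates; an empty list means it is in profile."""
    user, ts, host = event
    if user not in baseline:
        return ["no baseline for user"]
    lo, hi, hosts = baseline[user]
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    # Note: a plain lo..hi window does not model shifts that cross midnight.
    if not (lo - HOUR_SLACK <= hour <= hi + HOUR_SLACK):
        reasons.append(f"hour {hour:02d} outside usual {lo:02d}-{hi:02d}")
    if host not in hosts:
        reasons.append(f"workstation {host} not previously used")
    return reasons


def find_deviations(events: list, history: list) -> list:
    """Return (event, reasons) for every event that deviates from its user's baseline."""
    baseline = build_baseline(history)
    out = []
    for event in events:
        reasons = evaluate(event, baseline)
        if reasons:
            out.append((event, reasons))
    return out


if __name__ == "__main__":
    for event, reasons in find_deviations(NEW_EVENTS, HISTORY):
        print("ALERT", event, "; ".join(reasons))
```

Bob's late-evening logins are normal for him and produce no alert, which is the reason to baseline per user rather than against one organization-wide "business hours" rule.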
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
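The sub-control asks for explicit checks on size, type, range and format, with the result documented. As an added example (not code from the page or from CIS), the validator below applies a small table of rules to a request body and returns every problem found rather than stopping at the first, so the rejection can be logged in full. The rules describe a hypothetical "create user" request and are assumptions for illustration; the constructed bad payload exercises each kind of check, including an unexpected field, which is rejected rather than silently ignored.

```python
"""Explicit input checking: size, type, range and format, with every failure reported.

Added example. The field rules describe a hypothetical 'create user' request
and are assumptions for illustration, not a schema from the page.
"""
import re
from dataclasses import dataclass
from typing import Any, Optional

MAX_BODY_FIELDS = 10  # size limit on the object itself, not only on its strings


@dataclass(frozen=True)
class Rule:
    kind: type                     # expected Python type; bool is never accepted as int
    required: bool = True
    max_len: Optional[int] = None  # for str
    lo: Optional[int] = None       # for int
    hi: Optional[int] = None
    pattern: Optional[str] = None  # fullmatch regex for str


USER_RULES = {
    "username": Rule(str, max_len=32, pattern=r"[a-z][a-z0-9_]*"),
    "email": Rule(str, max_len=254, pattern=r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "age": Rule(int, required=False, lo=13, hi=130),
    "role": Rule(str, pattern=r"user|auditor"),
}


def validate(payload: Any, rules: dict = USER_RULES) -> list:
    """Return a list of 'field: problem' strings; an empty list means the payload is acceptable."""
    errors = []
    if not isinstance(payload, dict):
        return ["payload: expected an object"]
    if len(payload) > MAX_BODY_FIELDS:
        errors.append(f"payload: too many fields ({len(payload)} > {MAX_BODY_FIELDS})")
    for name in sorted(set(payload) - set(rules)):
        errors.append(f"{name}: unexpected field")  # reject, do not ignore, unknown input
    for name, rule in rules.items():
        if name not in payload:
            if rule.required:
                errors.append(f"{name}: missing")
            continue
        value = payload[name]
        if isinstance(value, bool) or not isinstance(value, rule.kind):
            errors.append(f"{name}: expected {rule.kind.__name__}")
            continue  # range/format checks assume the type is right
        if rule.kind is str:
            if rule.max_len is not None and len(value) > rule.max_len:
                errors.append(f"{name}: longer than {rule.max_len} characters")
            if rule.pattern is not None and not re.fullmatch(rule.pattern, value):
                errors.append(f"{name}: does not match required format")
        elif rule.kind is int:
            if rule.lo is not None and value < rule.lo:
                errors.append(f"{name}: below minimum {rule.lo}")
            if rule.hi is not None and value > rule.hi:
                errors.append(f"{name}: above maximum {rule.hi}")
    return errors


if __name__ == "__main__":
    # Constructed bad request: wrong format, wrong type, out-of-policy role, extra field.
    bad = {"username": "Root!", "email": "nobody", "age": "42", "role": "admin", "x": 1}
    for e in validate(bad):
        print("reject:", e)
    good = {"username": "alice", "email": "a@example.com", "role": "user"}
    print("ok" if not validate(good) else "fail")
```

Two details matter in practice: `re.fullmatch` rather than `re.match`, so a valid prefix followed by junk does not pass, and the explicit `bool` exclusion, because `True` is an `int` in Python and would otherwise satisfy a numeric range check.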

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping columns (NERC CIP v5 requirements):
CIP-002-5.1 R1: Attachment 1 incorporates the "Bright Line Criteria" to classify BES Assets as Low, Medium, or High. Called BES Cyber Systems consolidating CAs and CCAs.
CIP-002-5.1 R2: CIP-002-5 BES Cyber System Lists must be reviewed and approved every 15 calendar months.
CIP-003-6 R1: Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by CIP Senior Manager every 15 calendar months.
[Mapping marks (X) for the sub-controls against these columns are not legible in this export.]
Mapping columns (NERC CIP v5 requirements):
CIP-003-6 R2: Cyber Security Policies approved for Low Impact Assets by CIP Senior Manager every 15 calendar months.
CIP-003-6 R3: Identify a CIP Senior Manager and document any change within 30 calendar days of the change.
CIP-003-6 R4: CIP Senior Manager must document any delegates.
CIP-004-6 R1: Security Awareness Program.
CIP-004-6 R2: Training Program.
CIP-004-6 R3: Personnel Risk Assessment (PRA) Program.
[Mapping marks (X) for the sub-controls against these columns are not legible in this export.]
Mapping columns (NERC CIP v5 requirements):
CIP-004-6 R4: Access Management Program.
CIP-004-6 R5: Access Revocation Program.
CIP-005-5 R1: Electronic Security Perimeters.
[Mapping marks (X) for the sub-controls against these columns are not legible in this export.]
Mapping columns (NERC CIP v5 requirements):
CIP-005-5 R2: Interactive Remote Access Management.
CIP-006-6 R1: Physical Security Plan.
CIP-006-6 R2: Visitor Control Plan.
[Mapping marks (X) for the sub-controls against these columns are not legible in this export.]
Mapping columns (NERC CIP v5 requirements):
CIP-006-6 R3: Maintenance and Testing Program.
CIP-007-6 R1: Ports and Services.
CIP-007-6 R2: Security Patch Management.
[Mapping marks (X) for the sub-controls against these columns are not legible in this export.]
Mapping columns (NERC CIP v5 requirements):
CIP-007-6 R3: Malicious Code Prevention.
CIP-007-6 R4: Security Event Monitoring.
CIP-007-6 R5: System Access Controls.
[Mapping marks (X) for the sub-controls against these columns are not legible in this export.]
Mapping columns (NERC CIP v5 requirements):
CIP-008-5 R1: Cyber Security Incident Response Plan.
CIP-008-5 R2: Implementation and testing of Cyber Security Incident Response Plans.
CIP-008-5 R3: Cyber Security Incident Response Plan Review, Update and Communication.
[Mapping marks (X) for the sub-controls against these columns are not legible in this export.]
Mapping columns (NERC CIP v5 requirements):
CIP-009-6 R1: Recovery Plan Specifications.
CIP-009-6 R2: Recovery Plan Implementation and Testing.
CIP-009-6 R3: Recovery Plan Review, Update, and Communication.
[Mapping marks (X) for the sub-controls against these columns are not legible in this export.]
Mapping columns (NERC CIP v5 requirements):
CIP-010-2 R1: Configuration Change Management Process.
CIP-010-2 R2: Configuration Monitoring.
CIP-010-2 R3: Vulnerability Assessments.
[Mapping marks (X) for the sub-controls against these columns are not legible in this export.]
Mapping columns (NERC CIP v5 requirements):
CIP-011-2 R1: Information Protection Process.
CIP-011-2 R2: BES Cyber Asset Reuse and Disposal.
[Mapping marks (X) for the sub-controls against these columns are not legible in this export.]
CIS Controls v7.1 mapped to NERC CIP v5

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3
System 2.4

System 2.5

System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2
System 4.3

System 4.4

System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6
System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections

System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5
System 8.6

System 8.7

System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5
Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12
Critical Security Control #13: Data Protection

Network 13.1

Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7
Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7
Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4
Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls

CIS Controls v7.1 mapped to NERC CIP v5

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
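Added example (not part of the mapping sheet or the CIS Controls text) for sub-control 7.8: a check of the SPF, DKIM and DMARC records a domain publishes, flagging the settings that leave spoofed mail unblocked (an SPF record ending in +all, an empty or missing DKIM key, a DMARC policy of p=none or a partial pct). The TXT records are constructed and held in a dictionary; a deployment would resolve the same names with a DNS library, and the DKIM p= value is a truncated placeholder rather than a real key.

```python
"""Check the SPF, DKIM and DMARC records a domain publishes (CSC 7.8) for the
settings that leave spoofed mail unblocked.  Added example, not part of the
mapping sheet: the records are constructed and held in a dictionary; a real
check would resolve the same names with a DNS library instead."""

# Constructed TXT records keyed by owner name.  The DKIM p= value is a
# truncated placeholder, not a real key.
RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailhost.test ip4:203.0.113.0/24 -all"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"],
    "weak.test": ["v=spf1 include:_spf.mailhost.test +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; pct=50"],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    issues = []
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1][0] in "+?" or all_terms[-1].lower() == "all":
        # '+all' (also the default qualifier) passes every sender; '?all' is neutral.
        issues.append(f"'{all_terms[-1]}' lets any host pass SPF")
    lookups = 0
    for t in terms:
        name = t.lower().lstrip("+-~?").split(":")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS or t.lower().startswith("redirect="):
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return issues


def check_dkim(records, selector):
    if not records:
        return [f"no DKIM key published for selector {selector}"]
    tags = parse_tags(records[0])
    issues = []
    if tags.get("v", "DKIM1") != "DKIM1":
        issues.append("v= tag is not DKIM1")
    if not tags.get("p"):
        issues.append("empty p= tag: the key is revoked, signatures will fail")
    if "y" in tags.get("t", ""):
        issues.append("t=y: selector is in testing mode")
    return issues


def check_dmarc(records):
    if not records:
        return ["no DMARC record: SPF and DKIM results are never enforced"]
    tags = parse_tags(records[0])
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("record does not start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        issues.append("p= tag missing (required)")
    elif policy == "none":
        issues.append("p=none only monitors; failing mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports to find spoofing sources")
    return issues


def assess(domain, selector, records=RECORDS):
    """Run all three checks for a domain; an empty list means the record is sound."""
    return {
        "spf": check_spf(records.get(domain, [])),
        "dkim": check_dkim(records.get(f"{selector}._domainkey.{domain}", []), selector),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for d in ("example.test", "weak.test"):
        print(d, assess(d, "sel1"))
```

An SPF softfail (~all) is not flagged: once DMARC is enforced, softfail already counts as not passing for alignment, so the DMARC policy is what decides whether the message is rejected.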
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
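Added example (not part of the mapping sheet or the CIS Controls text) for sub-controls 9.1 through 9.3: the listeners a host actually exposes are parsed and compared with the (protocol, port) pairs approved for that host in the asset inventory, alerting on anything extra and noting approved services that are not listening. The `ss -Hlntu` output and the inventory baseline are constructed; a real job would run the command on each host (or take the results of the regular port scan) and read the baseline from the inventory system.

```python
"""Compare the ports a host actually listens on with the ports approved for it
in the asset inventory (CSC 9.1-9.3).  Added example, not part of the mapping
sheet: the `ss -Hlntu` output and the inventory baseline are constructed, and
a real job would run the command (or a remote port scan) per host."""

# Assumed baseline from the hardware asset inventory: (protocol, port) pairs
# with a validated business need, per host.
APPROVED = {
    "web01": {("tcp", 22), ("tcp", 443)},
    "db01": {("tcp", 22), ("tcp", 5432)},
}

# Constructed output in the layout of `ss -Hlntu` (no header line).
SS_OUTPUT_WEB01 = """\
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      128    [::1]:631          [::]:*
"""
SS_OUTPUT_DB01 = """\
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
"""


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def listening_ports(ss_output, include_loopback=False):
    """Parse `ss -Hlntu` lines into (proto, port) pairs.  Loopback-only
    listeners are not reachable from the network and are skipped unless asked for."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        if is_loopback(addr) and not include_loopback:
            continue
        ports.add((proto, int(port)))
    return ports


def audit_host(host, observed, approved=APPROVED):
    """Unauthorized = listening without a validated need (alert, CSC 9.3);
    missing = approved but not listening on a network address (inventory drift, CSC 9.1)."""
    baseline = approved.get(host, set())
    return {
        "unauthorized": sorted(observed - baseline),
        "missing": sorted(baseline - observed),
    }


if __name__ == "__main__":
    for host, output in (("web01", SS_OUTPUT_WEB01), ("db01", SS_OUTPUT_DB01)):
        result = audit_host(host, listening_ports(output))
        for proto, port in result["unauthorized"]:
            print(f"ALERT {host}: {proto}/{port} listening without an approved business need")
        for proto, port in result["missing"]:
            print(f"NOTE  {host}: approved {proto}/{port} not listening on a network address")
```

Loopback-only bindings are left out of the network view on purpose: a database bound to 127.0.0.1 is not exposed to the port scan the control describes, and counting it would hide the difference between "approved and exposed" and "approved but local only".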
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.
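Added example (not part of the mapping sheet or the CIS Controls text) of what "hash with a salt" means in practice for sub-control 16.4: a per-user random salt, a deliberately slow memory-hard function (scrypt from the Python standard library), a self-describing stored format so the work factor can be raised later, constant-time verification, and, for contrast, the unsalted fast digest that the control exists to prevent. The scrypt parameters are assumed starting values to be raised as hardware allows.

```python
"""Store authentication credentials as salted, slow hashes rather than plain
text or a fast unsalted digest (CSC 16.4).  Added example, not part of the
mapping sheet; the scrypt work factors are assumed defaults to be raised as
hardware allows."""
import base64
import hashlib
import hmac
import os

# Current work factor.  Memory use is 128 * N * r bytes (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Return a self-describing string: algorithm, parameters, per-user random
    salt and the derived key, so parameters can be raised later without
    breaking existing records."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${_b64(salt)}${_b64(key)}"


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time.
    Any malformed record verifies as False rather than raising."""
    try:
        algo, n, r, p, salt_b64, key_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
    except ValueError:  # wrong field count or bad base64 (binascii.Error)
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(key, expected)


def needs_rehash(stored):
    """True when a record was made with weaker parameters than the current
    policy; re-hash it at the user's next successful login."""
    _, n, r, p, _, _ = stored.split("$")
    return int(n) < SCRYPT_N or int(r) < SCRYPT_R or int(p) < SCRYPT_P


def unsalted_sha256(password):
    """The anti-pattern: identical passwords give identical digests, so one
    precomputed table cracks every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    a = hash_password("correct horse battery")
    b = hash_password("correct horse battery")
    print("same password, different records:", a != b)
    print("verify ok / wrong:", verify_password("correct horse battery", a),
          verify_password("wrong", a))
    print("unsalted digests collide:",
          unsalted_sha256("correct horse battery") == unsalted_sha256("correct horse battery"))
    legacy = hash_password("pw", n=2 ** 10)
    print("needs rehash (legacy / current):", needs_rehash(legacy), needs_rehash(a))
```

The salt is stored next to the hash in the clear; its job is not secrecy but to make every record a separate cracking problem, which is why a single site-wide "pepper" does not replace it.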


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.
Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
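Added example (not part of the mapping sheet or the CIS Controls text) covering the account-monitoring checks of sub-controls 16.8, 16.9, 16.12 and 16.13 together, since they all run over the same two inputs: the account inventory (owner, enabled flag, last logon) and the logon records. The inventory, the per-user behaviour profiles and the logon events are constructed; a real job would export them from the directory and the authentication logs.

```python
"""Find accounts with no owner (CSC 16.8), dormant accounts (16.9), use of
deactivated accounts (16.12) and logons outside a user's normal pattern (16.13)
from an account inventory and logon records.  Added example, not part of the
mapping sheet: the inventory, behaviour profiles and logon events are constructed."""
from datetime import date, datetime

# Constructed account inventory as it might be exported from a directory.
ACCOUNTS = [
    {"user": "alice", "owner": "Finance", "enabled": True, "last_logon": "2024-03-01"},
    {"user": "bob", "owner": "IT", "enabled": True, "last_logon": "2023-12-15"},
    {"user": "svc-legacy", "owner": None, "enabled": True, "last_logon": "2024-02-20"},
    {"user": "carol", "owner": "HR", "enabled": False, "last_logon": "2024-01-05"},
]

# Assumed per-user baseline: working hours [start, end) and usual workstations.
PROFILES = {
    "alice": {"hours": (7, 19), "hosts": {"WS-FIN-01"}},
    "bob": {"hours": (8, 18), "hosts": {"WS-IT-07"}},
}

# Constructed logon records: (timestamp, user, workstation, outcome).
EVENTS = [
    ("2024-03-04T09:12:00", "alice", "WS-FIN-01", "success"),
    ("2024-03-04T02:40:00", "alice", "WS-FIN-01", "success"),
    ("2024-03-04T10:05:00", "alice", "WS-ENG-22", "success"),
    ("2024-03-04T11:00:00", "carol", "WS-HR-03", "failure"),
]


def orphaned_accounts(accounts):
    """Enabled accounts with no business owner: disable until someone claims them."""
    return sorted(a["user"] for a in accounts if a["enabled"] and not a["owner"])


def dormant_accounts(accounts, today_iso, max_idle_days=45):
    """Enabled accounts not used within the inactivity window, with idle days."""
    today = date.fromisoformat(today_iso)
    found = []
    for a in accounts:
        idle = (today - date.fromisoformat(a["last_logon"])).days
        if a["enabled"] and idle > max_idle_days:
            found.append((a["user"], idle))
    return found


def logon_anomalies(events, accounts, profiles):
    """Flag logon attempts against deactivated accounts and successful logons
    outside the user's normal hours or from a workstation not in their profile."""
    disabled = {a["user"] for a in accounts if not a["enabled"]}
    alerts = []
    for ts, user, host, outcome in events:
        when = datetime.fromisoformat(ts)
        if user in disabled:
            # Any attempt, successful or not, against a deactivated account matters.
            alerts.append((ts, user, f"attempt on deactivated account from {host} ({outcome})"))
            continue
        profile = profiles.get(user)
        if outcome != "success" or profile is None:
            continue
        start, end = profile["hours"]
        if not start <= when.hour < end:
            alerts.append((ts, user, f"logon at {when:%H:%M} outside usual hours {start:02d}-{end:02d}"))
        if host not in profile["hosts"]:
            alerts.append((ts, user, f"logon from unusual workstation {host}"))
    return alerts


if __name__ == "__main__":
    print("no owner:", orphaned_accounts(ACCOUNTS))
    print("dormant:", dormant_accounts(ACCOUNTS, "2024-03-05"))
    for ts, user, why in logon_anomalies(EVENTS, ACCOUNTS, PROFILES):
        print(f"{ts} {user:8} {why}")
```

Disabled accounts are kept in the inventory rather than deleted, as sub-control 16.7 requires, which is exactly what lets the deactivated-account check work: a deleted account leaves nothing to match a later attempt against.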
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

CIP-002-5.1 R1: Attachment 1 incorporates the "Bright Line Criteria" to classify BES Assets as Low, Medium, or High. Called BES Cyber Systems, consolidating CAs and CCAs.
CIP-002-5.1 R2: CIP-002-5 BES Cyber System Lists must be reviewed and approved every 15 calendar months.
CIP-003-5 R1: Cyber Security Policies approved for Medium and High Impact BES Cyber Systems by CIP Senior Manager every 15 calendar months.


[8 rows of mapping marks (X) for the three CIP requirement columns above; the CIS sub-control labels for these rows were not preserved in this export.]
CIP-003-5 R2: Cyber Security Policies approved for Low Impact Assets by CIP Senior Manager every 15 Calendar Months.
CIP-003-5 R3: Identify a CIP Senior Manager and document any change within 30 calendar days of the change.
CIP-003-5 R4: CIP Senior Manager must document any delegates.


CIP-004-5 R1: Security Awareness Program
CIP-004-5 R2: Training Program
CIP-004-5 R3: Personnel Risk Assessment (PRA) Program


[9 rows of mapping marks (X) for the three CIP requirement columns above; the CIS sub-control labels for these rows were not preserved in this export.]
CIP-004-5 R4: Access Management Program
CIP-004-5 R5: Access Revocation Program
CIP-005-5 R1: Electronic Security Perimeters


[33 rows of mapping marks (X) for the three CIP requirement columns above; the CIS sub-control labels for these rows were not preserved in this export.]
CIP-005-5 R2: Interactive Remote Access Management
CIP-006-5 R1: Physical Security Plan
CIP-006-5 R2: Visitor Control Plan


[20 rows of mapping marks (X) for the three CIP requirement columns above; the CIS sub-control labels for these rows were not preserved in this export.]
CIP-006-5 R3: Maintenance and Testing Program
CIP-007-5 R1: Ports and Services
CIP-007-5 R2: Security Patch Management


[22 rows of mapping marks (X) for the three CIP requirement columns above; the CIS sub-control labels for these rows were not preserved in this export.]
CIP-007-5 R3: Malicious Code Prevention
CIP-007-5 R4: Security Event Monitoring
CIP-007-5 R5: System Access Controls


[50 rows of mapping marks (X) for the three CIP requirement columns above; the CIS sub-control labels for these rows were not preserved in this export.]
CIP-008-5 R1: Cyber Security Incident Response Plan
CIP-008-5 R2: Implementation and Testing of Cyber Security Incident Response Plans
CIP-008-5 R3: Cyber Security Incident Response Plan Review, Update and Communication


[8 rows of mapping marks (X) for the three CIP-008-5 requirement columns above; the CIS sub-control labels for these rows were not preserved in this export.]
CIP-009-5 R1: Recovery Plan Specifications
CIP-009-5 R2: Recovery Plan Implementation and Testing
CIP-009-5 R3: Recovery Plan Review, Update, and Communication


[4 rows of mapping marks (X) for the three CIP-009-5 requirement columns above; the CIS sub-control labels for these rows were not preserved in this export.]
CIP-010-1 R1: Configuration Change Management Process
CIP-010-1 R2: Configuration Monitoring
CIP-010-1 R3: Vulnerability Assessments

[28 rows of mapping marks (X) for the three CIP-010-1 requirement columns above; the CIS sub-control labels for these rows were not preserved in this export.]
CIP-011-1 R1: Information Protection Process
CIP-011-1 R2: BES Cyber Asset Reuse and Disposal
[12 rows of mapping marks (X) for the two CIP-011-1 requirement columns above; the CIS sub-control labels for these rows were not preserved in this export.]
CIS Controls v7.1 mapped to NERC CIP v4

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls


Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
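Sub-controls 3.6 and 3.7 together, as an added Python example that is not from the mapping tool or the CIS text: two consecutive scan exports are diffed into remediated, new and persisting findings, and every open finding is checked against an assumed severity-based remediation SLA. The scan records, the placeholder finding IDs (not real CVE or scanner plugin identifiers), the SLA table and the comparison date are all assumptions:

```python
from datetime import date

# Assumed remediation policy: maximum days a finding may stay open, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scan exports keyed by (host, finding id) -> (severity, first seen).
# Finding ids are placeholders; real scanners export CSV/XML and the loader that
# would build these dicts from that export is out of scope here.
PREVIOUS_SCAN = {
    ("web-01", "F-001"): ("critical", date(2024, 1, 2)),
    ("web-01", "F-002"): ("medium", date(2024, 1, 2)),
    ("db-01", "F-003"): ("high", date(2023, 12, 20)),
}
CURRENT_SCAN = {
    ("web-01", "F-002"): ("medium", date(2024, 1, 2)),    # still open
    ("db-01", "F-003"): ("high", date(2023, 12, 20)),     # still open
    ("db-01", "F-004"): ("critical", date(2024, 1, 16)),  # new since last scan
}
AS_OF = date(2024, 1, 20)  # date the comparison is run (assumed)


def scan_delta(previous, current):
    """Sub-control 3.6: what closed, what appeared, what is still there."""
    remediated = sorted(set(previous) - set(current))
    new = sorted(set(current) - set(previous))
    persisting = sorted(set(current) & set(previous))
    return remediated, new, persisting


def overdue(current, today):
    """Sub-control 3.7: open findings past their severity SLA, worst first.
    Each entry is ((host, id), severity, days past SLA)."""
    out = []
    for key, (sev, first_seen) in current.items():
        open_days = (today - first_seen).days
        if open_days > SLA_DAYS[sev]:
            out.append((key, sev, open_days - SLA_DAYS[sev]))
    return sorted(out, key=lambda t: (RANK[t[1]], -t[2]))


def remediation_queue(current):
    """Work order for all open findings: severity first, then oldest first."""
    return sorted(current, key=lambda k: (RANK[current[k][0]], current[k][1]))


if __name__ == "__main__":
    fixed, appeared, still_open = scan_delta(PREVIOUS_SCAN, CURRENT_SCAN)
    print("remediated:", fixed)
    print("new:", appeared)
    print("persisting:", still_open)
    print("overdue:", overdue(CURRENT_SCAN, AS_OF))
    print("queue:", remediation_queue(CURRENT_SCAN))
```

Keying on (host, finding id) rather than on the finding alone is deliberate: a vulnerability fixed on one host and still open on another must show up as persisting, not remediated.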

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to values that meet the standard set
for administrative-level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
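Sub-controls 4.8 and 4.9 as detection logic, an added Python example that is not part of the mapping tool or the CIS text. It runs over constructed Windows Security events (4728/4732/4756 member added to a security-enabled group, 4729/4733/4757 member removed, 4625 failed logon) exported as JSON lines; the field names follow the Windows Security event schema, while the JSON export wrapper, the privileged group list and the admin account naming convention are assumptions:

```python
import json
from collections import Counter

# Assumed scope: which groups and accounts count as administrative.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-asmith"}  # assumed naming for secondary admin accounts

# Windows Security event IDs for membership changes on security-enabled groups.
ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
REMOVE_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}
FAILED_LOGON = 4625

# Constructed sample: Security events forwarded as JSON lines. SubjectUserName is
# the actor, MemberName the account being added/removed, TargetUserName the group
# (47xx) or the account that failed to log on (4625).
EVENTS = """\
{"TimeCreated": "2024-03-03T08:01:12", "EventID": 4728, "SubjectUserName": "adm-jdoe", "MemberName": "CN=Bob,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"}
{"TimeCreated": "2024-03-03T08:02:40", "EventID": 4732, "SubjectUserName": "svc-deploy", "MemberName": "CN=helpdesk1,OU=Users,DC=corp,DC=example", "TargetUserName": "Remote Desktop Users"}
{"TimeCreated": "2024-03-03T08:05:03", "EventID": 4625, "TargetUserName": "adm-asmith", "IpAddress": "10.20.1.77", "LogonType": 3}
{"TimeCreated": "2024-03-03T08:05:09", "EventID": 4625, "TargetUserName": "adm-asmith", "IpAddress": "10.20.1.77", "LogonType": 3}
{"TimeCreated": "2024-03-03T08:06:18", "EventID": 4729, "SubjectUserName": "adm-jdoe", "MemberName": "CN=Bob,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"}
{"TimeCreated": "2024-03-03T08:07:00", "EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.20.1.15", "LogonType": 2}
"""


def load_events(lines):
    return [json.loads(raw) for raw in lines.splitlines() if raw.strip()]


def privileged_group_changes(events):
    """Sub-control 4.8: one alert per add/remove on a privileged group.
    Returns (time, actor, action, member, group, scope) tuples."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid in ADD_EVENTS or eid in REMOVE_EVENTS:
            group = ev["TargetUserName"]
            if group in PRIVILEGED_GROUPS:
                action = "added" if eid in ADD_EVENTS else "removed"
                scope = ADD_EVENTS.get(eid) or REMOVE_EVENTS[eid]
                alerts.append((ev["TimeCreated"], ev["SubjectUserName"], action,
                               ev["MemberName"], group, scope))
    return alerts


def failed_admin_logons(events):
    """Sub-control 4.9: every failed logon against an administrative account,
    plus a per-(account, source) count so a burst stands out as one incident."""
    hits = [ev for ev in events
            if ev["EventID"] == FAILED_LOGON and ev["TargetUserName"] in ADMIN_ACCOUNTS]
    by_source = Counter((ev["TargetUserName"], ev["IpAddress"]) for ev in hits)
    return hits, by_source


if __name__ == "__main__":
    evs = load_events(EVENTS)
    for a in privileged_group_changes(evs):
        print("GROUP-CHANGE", *a)
    hits, counts = failed_admin_logons(evs)
    for (acct, ip), n in counts.items():
        print(f"ADMIN-LOGON-FAIL {acct} from {ip}: {n} attempt(s)")
```

The add-then-remove pair on Domain Admins within a few minutes is the pattern worth a second look: a short-lived privileged membership is a common way to hide an action from periodic group audits, and only event-driven alerting catches it.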
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
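An added Python check for sub-control 7.8 (DMARC built on SPF and DKIM), not part of the mapping tool or the CIS text: it assesses an SPF record and a DMARC record as they would be published in DNS and reports the settings that leave a domain spoofable, with a weak and a hardened record side by side. The records and the domain names under the reserved .example TLD are constructed; the functions take the TXT record text, so a real deployment would fetch it with a DNS resolver first.

```python
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records: the weak pair an assessor typically finds, and the
# hardened pair to move to once the domain's legitimate senders are known.
WEAK_SPF = "v=spf1 include:_spf.mailer.example a mx ptr +all"
STRONG_SPF = "v=spf1 include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@corp.example; adkim=s; aspf=s"


def assess_spf(record):
    """Flag the SPF weaknesses that let spoofed mail evaluate as authorized."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "issues": ["missing v=spf1 version tag"]}
    issues, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            issues.append("ptr mechanism is deprecated (RFC 7208 section 5.5) and unreliable")
    if all_qualifier is None:
        issues.append("no 'all' term: unlisted senders evaluate to neutral")
    elif all_qualifier == "+":
        issues.append("'+all' authorizes every host on the Internet to send as this domain")
    elif all_qualifier == "?":
        issues.append("'?all' is neutral; receivers treat it like no policy")
    elif all_qualifier == "~":
        issues.append("'~all' is softfail; move to -all once DMARC reports show no legitimate failures")
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return {"valid": True, "all": all_qualifier, "lookups": lookups, "issues": issues}


def assess_dmarc(record):
    """Flag a DMARC policy that only monitors, enforces partially, or reports nowhere."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return {"valid": False, "issues": ["missing v=DMARC1 tag"]}
    issues = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("p= tag missing or invalid")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail failing SPF/DKIM is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy != "none":
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not being collected")
    if policy != "none" and tags.get("sp", policy) == "none":
        issues.append("sp=none leaves subdomains unenforced")
    return {"valid": True, "policy": policy, "pct": pct, "rua": tags.get("rua"), "issues": issues}


if __name__ == "__main__":
    for label, rec in [("weak SPF", WEAK_SPF), ("strong SPF", STRONG_SPF)]:
        print(label, assess_spf(rec))
    for label, rec in [("weak DMARC", WEAK_DMARC), ("strong DMARC", STRONG_DMARC)]:
        print(label, assess_dmarc(rec))
```

The ordering the sub-control gives is the practical one: publish SPF and DKIM, run DMARC at p=none with rua= reporting until the aggregate reports show only legitimate senders failing, then tighten to quarantine and reject; the pct= and sp= checks catch the half-finished rollouts that are left behind.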
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
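Sub-controls 9.1 through 9.3 as an added Python example, not from the mapping tool or the CIS text: nmap XML output is parsed and each host's open ports are compared with the per-asset authorized-service baseline kept in the inventory, producing the alerts sub-control 9.3 asks for. The scan output, the hosts and the baseline are constructed; element and attribute names follow nmap's XML output format.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output. Element/attribute names follow nmap's XML
# schema (host/address/ports/port/state/service); the hosts are invented.
NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -sU -oX scan.xml 10.20.1.0/24">
  <host><status state="up"/>
    <address addr="10.20.1.10" addrtype="ipv4"/>
    <address addr="00:1B:21:3A:9C:10" addrtype="mac"/>
    <hostnames><hostname name="web-01" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="25"><state state="closed"/><service name="smtp"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.20.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="5432"><state state="open"/><service name="postgresql"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.20.1.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed authorized-service baseline from the asset inventory (sub-control 9.1):
# per asset, the (protocol, port) pairs with a validated business need.
BASELINE = {
    "10.20.1.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "10.20.1.20": {("tcp", 5432)},
}


def parse_open_ports(xml_text):
    """Map each host's IPv4 address to its open (protocol, port, service) tuples."""
    observed = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                open_ports.add((port.get("protocol"), int(port.get("portid")),
                                svc.get("name") if svc is not None else ""))
        observed[addr.get("addr")] = open_ports
    return observed


def compare_to_baseline(observed, baseline):
    """Sub-control 9.3: per host, what is listening without authorization, which
    authorized service is missing, and whether the host is in the inventory at all."""
    report = {}
    for ip, ports in observed.items():
        allowed = baseline.get(ip)
        listening = {(proto, num) for proto, num, _ in ports}
        if allowed is None:
            report[ip] = {"unknown_host": True, "unauthorized": sorted(ports), "missing": []}
        else:
            report[ip] = {
                "unknown_host": False,
                "unauthorized": sorted(t for t in ports if (t[0], t[1]) not in allowed),
                "missing": sorted(allowed - listening),
            }
    return report


def alerts(report):
    """Flatten the report into alert lines for the SIEM."""
    lines = []
    for ip, r in sorted(report.items()):
        if r["unknown_host"]:
            lines.append(f"{ip}: not in asset inventory")
        for proto, num, svc in r["unauthorized"]:
            lines.append(f"{ip}: unauthorized {proto}/{num} ({svc})")
        for proto, num in r["missing"]:
            lines.append(f"{ip}: authorized {proto}/{num} not listening")
    return lines


if __name__ == "__main__":
    print("\n".join(alerts(compare_to_baseline(parse_open_ports(NMAP_XML), BASELINE))))
```

Reporting the "missing" side as well as the "unauthorized" side is what makes the comparison useful as a baseline check rather than just a port scan: a service that has stopped listening is either an outage or a sign the baseline is stale, and both need the inventory owner's attention. A host with open ports but no inventory record feeds straight back into Control 1.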
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, and locate all sensitive information on separate Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Management).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which provides mutual, certificate-based authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Store passwords only as salted hashes, and encrypt any other authentication credentials that must be stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
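Sub-controls 16.8 through 16.10 and 16.13 as an added Python example, not part of the mapping tool or the CIS text: an account inventory is checked for accounts with no business owner, dormant accounts and expired accounts, and a batch of new logons is compared with each account's previously seen workstations and an assumed business-hours window. The accounts, the logon history, the inactivity threshold and the hours window are constructed assumptions:

```python
from datetime import datetime

AS_OF = datetime(2024, 3, 4, 9, 0)  # time the review runs (assumed)
DORMANT_DAYS = 90                   # assumed inactivity threshold (sub-control 16.9)
BUSINESS_HOURS = range(7, 19)       # assumed normal logon window, 07:00-18:59 local

# Constructed account inventory (sub-control 16.6), one record per account.
ACCOUNTS = [
    {"user": "jdoe", "owner": "R&D", "last_login": datetime(2024, 3, 1, 8, 30),
     "expires": datetime(2024, 12, 31)},
    {"user": "ctr-vendor1", "owner": "Ops", "last_login": datetime(2023, 11, 1, 9, 0),
     "expires": datetime(2024, 6, 30)},
    {"user": "intern-2023", "owner": "", "last_login": datetime(2024, 2, 20, 10, 0),
     "expires": datetime(2024, 2, 28)},
]

# Constructed successful-logon history and the new batch to review: (user, workstation, time).
HISTORY = [
    ("jdoe", "WS-RD-01", datetime(2024, 2, 26, 8, 5)),
    ("jdoe", "WS-RD-01", datetime(2024, 2, 27, 8, 40)),
    ("jdoe", "WS-RD-02", datetime(2024, 2, 28, 9, 10)),
]
NEW_LOGONS = [
    ("jdoe", "WS-RD-01", datetime(2024, 3, 4, 8, 15)),
    ("jdoe", "WS-FIN-09", datetime(2024, 3, 4, 2, 47)),
]


def accounts_to_disable(accounts, now):
    """Sub-controls 16.8-16.10: return {user: [reasons]} for accounts to disable
    (disable, not delete, so the audit trail survives as 16.7 requires)."""
    out = {}
    for acct in accounts:
        reasons = []
        if not acct["owner"]:
            reasons.append("no business owner")
        if (now - acct["last_login"]).days > DORMANT_DAYS:
            reasons.append(f"dormant > {DORMANT_DAYS} days")
        if acct["expires"] < now:
            reasons.append("expired")
        if reasons:
            out[acct["user"]] = reasons
    return out


def login_anomalies(history, logons):
    """Sub-control 16.13: flag logons outside business hours or from a
    workstation the account has never used before."""
    seen = {}
    for user, workstation, _ in history:
        seen.setdefault(user, set()).add(workstation)
    alerts = []
    for user, workstation, when in logons:
        reasons = []
        if when.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if workstation not in seen.get(user, set()):
            reasons.append("new workstation")
        if reasons:
            alerts.append((user, workstation, when.isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    print(accounts_to_disable(ACCOUNTS, AS_OF))
    print(login_anomalies(HISTORY, NEW_LOGONS))
```

The per-account workstation baseline is built from successful logons only; feeding failed attempts into it would let an attacker "teach" the baseline a new host before using it.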
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills workforce members lack and the secure
behaviors they are not adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain third-party contact information to be used to report a security incident,
such as law enforcement, relevant government departments, vendors, and Information Sharing and
Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping columns (NERC CIP requirements):

CIP-002-4 R1: Risk-Based Assessment Methodology (RBAM) to ID Critical Assets (CA)
CIP-002-4 R2: Identify Critical Cyber Assets (CCA)
CIP-002-4 R3: Annual Approval of RBAM, CA List, and CCA List
CIP-003-4 R1: Cyber Security Policy
CIP-003-4 R2: CIP Senior Manager Identification
CIP-003-4 R3: Exceptions to the Cyber Security Policy
CIP-003-4 R4: Information Protection Program
CIP-003-4 R5: Access Control
CIP-003-4 R6: Change Control and Configuration Management
CIP-004-4 R1: Awareness: Security Awareness Program
CIP-004-4 R2: Training: Cyber Security Training Program
CIP-004-4 R3: Personnel Risk Assessment
CIP-004-4 R4: Access
CIP-005-4 R1: Electronic Security Perimeters: All CCAs must reside within an ESP
CIP-005-4 R2: Electronic Access Controls
CIP-005-4 R3: Monitoring Electronic Access
CIP-005-4 R4: Cyber Vulnerability Assessment
CIP-005-4 R5: Documentation Review and Maintenance
CIP-006-4 R1: Physical Security Plan
CIP-006-4 R2: Protection of Physical Access Control Systems
CIP-006-4 R3: Protection of Electronic Access Control Systems
CIP-006-4 R4: Physical Access Controls
CIP-006-4 R5: Monitoring Physical Access
CIP-006-4 R6: Logging Physical Access
CIP-006-4 R7: Access Log Retention
CIP-006-4 R8: Maintenance and Testing
CIP-007-4 R1: Test Procedures
CIP-007-4 R2: Ports and Services
CIP-007-4 R3: Security Patch Management
CIP-007-4 R4: Malicious Software Prevention
CIP-007-4 R5: Account Management
CIP-007-4 R6: Security Status Monitoring
CIP-007-4 R7: Disposal or Redeployment
CIP-007-4 R8: Cyber Vulnerability Assessment
CIP-007-4 R9: Documentation Review and Maintenance
CIP-008-4 R1: Cyber Security Incident Response Plan
CIP-008-4 R2: Cyber Security Incident Documentation
CIP-009-4 R1: Recovery Plans
CIP-009-4 R2: Exercises
CIP-009-4 R3: Change Control
CIP-009-4 R4: Backup and Restore
CIP-009-4 R5: Testing Back Up Media
CIS Controls v7.1 mapped to NERC CIP v3

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls

CIS Controls v7.1 mapped to NERC CIP v3

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
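The DHCP-log reconciliation that sub-controls 1.3 through 1.6 describe, as an added worked example (this is not code from the AuditScripts workbook or from CIS): it parses ISC dhcpd-style DHCPACK syslog lines, updates a hardware inventory keyed by MAC address with the fields 1.5 asks for, and reports any device that obtained a lease without being approved. The log lines, MAC addresses, hostnames and inventory rows are constructed for the example; a real deployment would read the DHCP server's log or lease file and write back to the CMDB.

```python
import re
from dataclasses import dataclass

# Constructed ISC dhcpd-style syslog lines (sample data, not from any real network).
DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[1182]: DHCPACK on 10.20.4.31 to 3c:52:82:aa:01:10 (eng-ws-017) via eth0
Mar  3 09:12:44 dhcp1 dhcpd[1182]: DHCPACK on 10.20.4.77 to 00:1a:2b:3c:4d:5e (printer-4f) via eth0
Mar  3 09:13:10 dhcp1 dhcpd[1182]: DHCPACK on 10.20.4.90 to d8:3a:dd:10:55:9f via eth0
Mar  3 09:13:12 dhcp1 dhcpd[1182]: DHCPDISCOVER from 52:54:00:12:34:56 via eth0
"""

# Only DHCPACK means a lease was actually handed out; DISCOVER/OFFER lines are ignored.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class Asset:
    """One hardware inventory row carrying the fields sub-control 1.5 requires."""
    mac: str
    approved: bool
    owner: str = ""
    department: str = ""
    ip: str = ""
    name: str = ""
    last_seen: str = ""


def sample_inventory():
    """Constructed inventory keyed by hardware (MAC) address."""
    return {
        "3c:52:82:aa:01:10": Asset("3c:52:82:aa:01:10", True, "j.doe", "Engineering"),
        "00:1a:2b:3c:4d:5e": Asset("00:1a:2b:3c:4d:5e", True, "facilities", "Facilities"),
    }


def parse_acks(log_text):
    """Yield (timestamp, ip, mac, hostname) for every DHCPACK line."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield line[:15], m.group("ip"), m.group("mac").lower(), m.group("name") or ""


def reconcile(inventory, log_text):
    """Update the inventory from DHCP leases (1.3) and return MACs that are not approved (1.6).

    Unknown devices are added as unapproved rows rather than silently dropped, so the
    inventory stays complete and the quarantine/removal decision is left to a human.
    """
    unauthorized = []
    for ts, ip, mac, name in parse_acks(log_text):
        asset = inventory.get(mac)
        if asset is None:
            asset = Asset(mac=mac, approved=False)
            inventory[mac] = asset
        asset.ip, asset.last_seen = ip, ts
        if name:
            asset.name = name
        if not asset.approved:
            unauthorized.append(mac)
    return unauthorized


if __name__ == "__main__":
    inv = sample_inventory()
    for mac in reconcile(inv, DHCP_LOG):
        a = inv[mac]
        print(f"UNAUTHORIZED {mac} ip={a.ip} name={a.name or '-'} seen={a.last_seen}")
```

The device that only sent DHCPDISCOVER never appears in the inventory: it never got an address, so there is nothing to quarantine yet. The one that received a lease without an inventory row is recorded as unapproved and reported, which is the 1.6 trigger for removal, quarantine or an inventory update.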
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
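Sub-controls 3.6 and 3.7 together, as an added worked example (not code from the workbook or from CIS): consecutive scan results are keyed by host and check so that fixed, new and persisting findings fall out of a set difference, and a simple risk rating orders the remaining findings and attaches a remediation deadline. The scan results, the plugin identifiers and the SLA days are constructed assumptions; a real scanner export would be loaded into the same Finding records.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result. plugin_id values below are hypothetical check identifiers."""
    host: str
    plugin_id: str
    cvss: float
    exploit_available: bool = False
    internet_facing: bool = False


# Constructed results of two consecutive weekly authenticated scans.
LAST_WEEK = [
    Finding("web01", "P-1001", 9.8, exploit_available=True, internet_facing=True),
    Finding("web01", "P-2002", 5.3),
    Finding("db01", "P-3003", 7.5),
]
THIS_WEEK = [
    Finding("web01", "P-2002", 5.3),
    Finding("db01", "P-3003", 7.5, exploit_available=True),   # exploit published since last scan
    Finding("db01", "P-4004", 6.1),
]


def diff_scans(previous, current):
    """Sub-control 3.6: key findings by (host, check) and report fixed, new and persisting ones."""
    prev = {(f.host, f.plugin_id) for f in previous}
    curr = {(f.host, f.plugin_id) for f in current}
    return {
        "fixed": sorted(prev - curr),
        "new": sorted(curr - prev),
        "persisting": sorted(prev & curr),
    }


def risk_score(f):
    """Sub-control 3.7: CVSS base score, raised when a public exploit exists or the
    host is reachable from the Internet; capped at 10."""
    score = f.cvss
    if f.exploit_available:
        score += 2.0
    if f.internet_facing:
        score += 1.5
    return min(round(score, 1), 10.0)


# Remediation deadlines per tier in days; policy values assumed for the example.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def prioritize(findings):
    """Return findings ordered by risk, each with its tier and remediation SLA in days."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    out = []
    for f in ranked:
        s = risk_score(f)
        tier = "critical" if s >= 9.0 else "high" if s >= 7.0 else "medium"
        out.append((f.host, f.plugin_id, s, tier, SLA_DAYS[tier]))
    return out


if __name__ == "__main__":
    for kind, keys in diff_scans(LAST_WEEK, THIS_WEEK).items():
        print(kind, keys)
    for row in prioritize(THIS_WEEK):
        print(row)
```

Note that the same finding can change tier between scans without the scanner reporting anything new: the db01 finding persisted but an exploit became available, so its rating moved from high to critical and its deadline shrank accordingly. Comparing raw scan output alone would miss that.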

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
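The two alerting requirements above, 4.8 and 4.9, expressed as SIEM-side detection logic in an added example (not code from the workbook or from CIS). It consumes Windows Security events in dictionary form: 4728, 4732 and 4756 record a member added to a security-enabled global, local or universal group, 4729, 4733 and 4757 the corresponding removals, and 4625 a failed logon; in the group events TargetUserName is the group and MemberName the account. The event records, the list of administrative groups and the list of administrative accounts are constructed assumptions; the last two would normally come from the 4.1 inventory.

```python
# Windows Security event IDs for membership changes to security-enabled groups
# (4728/4732/4756 add to global/local/universal group; 4729/4733/4757 remove)
# and for failed logons (4625).
GROUP_ADD = {4728, 4732, 4756}
GROUP_REMOVE = {4729, 4733, 4757}
FAILED_LOGON = 4625

# Assumed for the example: which groups and accounts are administrative (sub-control 4.1 inventory).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
ADMIN_ACCOUNTS = {"Administrator", "adm-jdoe"}

# Constructed events; keys follow the EventData field names in the Windows event XML.
EVENTS = [
    {"EventID": 4732, "SubjectUserName": "svc-helpdesk", "TargetUserName": "Administrators",
     "MemberName": "CN=Bob Ray,OU=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "adm-jdoe", "TargetUserName": "Finance-Users",
     "MemberName": "CN=Ann Lee,OU=Users,DC=corp,DC=example"},
    {"EventID": 4756, "SubjectUserName": "adm-jdoe", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=Bob Ray,OU=Users,DC=corp,DC=example"},
    {"EventID": 4625, "TargetUserName": "adm-jdoe", "IpAddress": "10.20.4.90", "Status": "0xC000006D"},
    {"EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.20.4.31", "Status": "0xC000006D"},
    {"EventID": 4733, "SubjectUserName": "adm-jdoe", "TargetUserName": "Administrators",
     "MemberName": "CN=Old Admin,OU=Users,DC=corp,DC=example"},
]


def admin_alerts(events):
    """Return (alert_type, message) pairs for 4.8 (admin group changes) and 4.9 (failed admin logons)."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid in GROUP_ADD or eid in GROUP_REMOVE:
            group = e.get("TargetUserName", "")
            if group in ADMIN_GROUPS:
                action = "added to" if eid in GROUP_ADD else "removed from"
                alerts.append(("admin_group_change",
                               f"{e.get('MemberName')} {action} {group} "
                               f"by {e.get('SubjectUserName')} (event {eid})"))
        elif eid == FAILED_LOGON and e.get("TargetUserName") in ADMIN_ACCOUNTS:
            alerts.append(("admin_logon_failure",
                           f"failed logon for {e['TargetUserName']} from {e.get('IpAddress')} "
                           f"status {e.get('Status')} (event {eid})"))
    return alerts


def failed_logon_counts(events):
    """Count 4625 events per administrative account, for a threshold rule layered on 4.9."""
    counts = {}
    for e in events:
        if e.get("EventID") == FAILED_LOGON and e.get("TargetUserName") in ADMIN_ACCOUNTS:
            counts[e["TargetUserName"]] = counts.get(e["TargetUserName"], 0) + 1
    return counts


if __name__ == "__main__":
    for kind, msg in admin_alerts(EVENTS):
        print(kind, msg)
    print(failed_logon_counts(EVENTS))
```

Removals alert as well as additions: an attacker who has gained domain admin often removes a legitimate administrator to slow the response, and an administrator quietly removed from the group is itself a change 4.8 wants logged. The membership change to a non-administrative group is deliberately not alerted, which keeps the rule's noise low enough to be actioned.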
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
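Sub-control 7.8 names three DNS-published mechanisms; the added example below (not code from the workbook or from CIS) checks each one the way an assessor would before declaring the control met. It parses SPF, DKIM selector and DMARC TXT records and flags the usual ways they are deployed without actually enforcing anything: an SPF record ending in ?all or +all, more than ten DNS-lookup terms (the RFC 7208 limit, beyond which receivers return permerror), a DKIM key in t=y test mode or with an empty p= tag, and a DMARC record at p=none, with pct below 100 or with no rua= reporting address. The records for example.com and weak.example are constructed, and the DKIM key bodies are fake, truncated base64; a real check would fetch the TXT records with a resolver.

```python
import re


def parse_tags(record):
    """Parse a 'tag=value; tag=value' TXT record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


# Mechanisms and the modifier that cost a DNS lookup under RFC 7208 section 4.6.4.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)")


def check_spf(record):
    """Sub-control 7.8 (SPF): require v=spf1, an enforcing terminal 'all' and <=10 lookup terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "not an SPF record"
    lookups = 0
    for t in terms[1:]:
        m = SPF_TERM_RE.match(t.lower())
        if m and m.group(1) in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        return False, f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)"
    last = terms[-1].lower()
    if last.startswith("redirect="):
        return True, "policy delegated via redirect="
    if last not in ("-all", "~all"):
        return False, f"terminal mechanism {last!r} is not -all or ~all; spoofed mail passes"
    return True, "ok"


def check_dkim(record):
    """Sub-control 7.8 (DKIM): the selector record must carry a key and not be in test mode."""
    t = parse_tags(record)
    if not t.get("p"):
        return False, "empty p= tag: key revoked or record broken"
    if "y" in t.get("t", "").split(":"):
        return False, "t=y test flag: verifiers must treat mail as if unsigned (RFC 6376 3.6.1)"
    return True, "ok"


def check_dmarc(record):
    """Sub-control 7.8 (DMARC): return (policy, list of weaknesses)."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return "missing", ["not a DMARC record"]
    p = t.get("p")
    if p not in ("none", "quarantine", "reject"):
        return "invalid", [f"policy {p!r} is not none/quarantine/reject"]
    notes = []
    if p == "none":
        notes.append("p=none only monitors; spoofed mail is still delivered")
    if t.get("pct", "100") != "100":
        notes.append(f"pct={t['pct']}: policy applied to a fraction of mail only")
    if "rua" not in t:
        notes.append("no rua= address: aggregate reports will never arrive")
    if t.get("sp") == "none":
        notes.append("sp=none leaves subdomains unprotected")
    return p, notes


# Constructed TXT records for two domains (DKIM key bodies are fake, truncated base64).
RECORDS = {
    "example.com": {
        "spf": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
        "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCexamplekey",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ?all",
        "dkim": "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCexamplekey",
        "dmarc": "v=DMARC1; p=none",
    },
}


def assess(records):
    """Run all three checks; 'enforcing' means SPF and DKIM are sound and DMARC quarantines or rejects."""
    spf_ok, spf_why = check_spf(records["spf"])
    dkim_ok, dkim_why = check_dkim(records["dkim"])
    policy, dmarc_notes = check_dmarc(records["dmarc"])
    return {"spf": spf_why, "dkim": dkim_why, "dmarc": policy, "dmarc_notes": dmarc_notes,
            "enforcing": spf_ok and dkim_ok and policy in ("quarantine", "reject")}


if __name__ == "__main__":
    for domain, recs in RECORDS.items():
        print(domain, assess(recs))
```

The order in 7.8 matters for the same reason the check does: moving straight to p=reject without aligned SPF and DKIM will cause legitimate mail to be rejected, but stopping at p=none, which is where many deployments stall, yields reports and no protection.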
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
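The automated port check in 9.3, driven by the per-asset port list that 9.1 asks for, as an added example (not code from the workbook or from CIS). It parses nmap's grepable (-oG) output, keeps only ports reported open, and compares them with the authorized (protocol, port) pairs recorded for each host, reporting both hosts that are absent from the inventory and listeners that nobody validated. The scan output and the authorized-port table are constructed; the real input would be the file nmap writes with -oG.

```python
import re

# Constructed nmap grepable (-oG) output; not the result of a real scan.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sS -oG - 10.20.4.0/24
Host: 10.20.4.31 (eng-ws-017)\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 10.20.4.77 (printer-4f)\tPorts: 9100/open/tcp//jetdirect///, 631/open/tcp//ipp///, 23/open/tcp//telnet///\tIgnored State: closed (997)
Host: 10.20.4.90 ()\tPorts: 445/open/tcp//microsoft-ds///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (998)
# Nmap done: 256 IP addresses (3 hosts up)
"""

# Sub-control 9.1: authorized (protocol, port) pairs per host, as recorded in the asset
# inventory (values assumed for the example; 10.20.4.90 has no inventory row at all).
AUTHORIZED = {
    "10.20.4.31": {("tcp", 22)},
    "10.20.4.77": {("tcp", 9100), ("tcp", 631)},
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]*)")
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/")


def parse_grepable(text):
    """Return {ip: set of (proto, port)} for the ports nmap reported as open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports_field = m.group(1), m.group(3)
        hosts[ip] = {(proto, int(port))
                     for port, state, proto in PORT_RE.findall(ports_field) if state == "open"}
    return hosts


def audit_ports(observed, authorized):
    """Sub-control 9.3: hosts missing from the inventory, and open ports not validated for a host."""
    findings = []
    for ip in sorted(observed):
        if ip not in authorized:
            findings.append((ip, "host not in inventory", sorted(observed[ip])))
            continue
        extra = sorted(observed[ip] - authorized[ip])
        if extra:
            findings.append((ip, "unauthorized listening ports", extra))
    return findings


if __name__ == "__main__":
    for ip, reason, ports in audit_ports(parse_grepable(SCAN_OUTPUT), AUTHORIZED):
        print(f"ALERT {ip}: {reason}: " + ", ".join(f"{n}/{p}" for p, n in ports))
```

A host with no inventory row is reported on its own line rather than as a set of bad ports, since the first question is why it is on the network at all (control 1), not which services it runs. Filtered ports are ignored here on purpose: they tell you a firewall is in the path, not that a service is listening.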
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
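Sub-control 16.4 is the one item in this control that is usually implemented in application code rather than in an identity system, so here is an added example (not code from the workbook or from CIS) of what "hash with a salt" should mean in practice: a per-credential random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library; the 600,000-iteration figure is the OWASP recommendation for that algorithm and is a policy assumption), a self-describing stored record so the parameters can be raised later, constant-time comparison on verification, and transparent re-hashing of records that are below current policy on the next successful login. The stored-record format and the login helper are this example's own conventions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000          # OWASP minimum for PBKDF2-HMAC-SHA256 (policy assumption)
SALT_BYTES = 16
KEY_BYTES = 32


def hash_credential(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return 'alg$iterations$salt$hash' with a fresh random salt per credential (sub-control 16.4)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_credential(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        alg, iters, salt_b64, dk_b64 = stored.split("$")
        if alg != ALGORITHM:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:          # malformed record (binascii.Error is a ValueError subclass)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored record is below current policy (wrong algorithm or too few iterations)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True


def login(password: str, stored: str):
    """Login path: verify, then upgrade weak records while the plaintext is available.

    Returns (ok, new_record_or_None); the caller persists the new record when present.
    """
    if not verify_credential(password, stored):
        return False, None
    return True, hash_credential(password) if needs_rehash(stored) else None


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")
    print(record)
    print(verify_credential("correct horse battery staple", record))
    print(login("correct horse battery staple", hash_credential("correct horse battery staple", iterations=100_000)))
```

Two properties are worth checking in any implementation reviewed against 16.4: hashing the same password twice must produce different records (otherwise the salt is not per-credential), and a record written under an older, weaker parameter set must still verify so that the upgrade path in login() can run. Where the platform offers scrypt, bcrypt or Argon2id, those are preferable to PBKDF2 because they also resist GPU and ASIC cracking; the record layout and upgrade logic stay the same.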
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Risk-Based Assessment
Apply RBAM to ID Identify Critical Cyber
Methodology (RBAM) Critical Assets Assets (CCA)
to ID Critical Assets (CA)

CIP-002-3 R1 CIP-002-3 R2 CIP-002-3 R3


X X X
X X X
X X X

X X X

X X X

X X X

X X X

X X X
s, Routers and Switches
Annual Approval of
CIP Senior Manager
RBAM, CA list, and CCA Cyber Security Policy Identification
List

CIP-002-3 R4 CIP-003-3 R1 CIP-003-3 R2


X
X
X

X
Exceptions to the Cyber Information Protection
Security Policy Program Access Control

CIP-003-3 R3 CIP-003-3 R4 CIP-003-3 R5


X
X
X

X
X
X

X
X
X

X
X
X
X

X
X

X
X
Change Control and
Awareness: Security Training: Cyber Security
Configuration Awareness Program Training Program
Management

CIP-003-3 R6 CIP-004-3 R1 CIP-004-3 R2


X

X
X

X
X

X
X
X

X
X
X

X
X
X X
X X

X X

X X

X X
X X
X X

X X

X X
Electronic Security
Personnel Risk Perimeters: All CCAs
Assessment Access must reside within an
ESP

CIP-004-3 R3 CIP-004-3 R4 CIP-005-3 R1


X
X
X

X
X
X

X
X
X

X
X
X
X

X
X
X

X
X
X

X
X

X
X
Electronic Access Monitoring Electronic Cyber Vulnerability
Controls Access Assessment

CIP-005-3 R2 CIP-005-3 R3 CIP-005-3 R4


X
X
X

X
X

X
X
X
X

X X
X X

X X
X X
X X

X X

X X
X X
X X

X
X
X
X
X
X
X
X
X

X
X
X

X
X

X
X

X
X

X
X

X
X
X
X

X
X
X

X
X

X
X
X
X
X
X

X
X
X
X
X
X
Documentation Review Protection of Physical
and Maintenance Physical Security Plan Access Control Systems

CIP-005-3 R5 CIP-006-3 R1 CIP-006-3 R2


Protection of Electronic Monitoring Physical
Access Control Systems Physical Access Controls Access

CIP-006-3 R3 CIP-006-3 R4 CIP-006-3 R5


X
X
X

X
X
X

X
X
X

X
X
X
X

X
X
X

X
X
X

X
X

X
X
Maintenance and
Logging Physical Access Access Log Retention Testing

CIP-006-3 R6 CIP-006-3 R7 CIP-006-3 R8


Security Patch
Test Procedures Ports and Services Management

CIP-007-3 R1 CIP-007-3 R2 CIP-007-3 R3


X

X
X
X
X

X
X

X
X
X

X
X
X

X
X

X
X

X
X
X
X
X
X
X

X
X
X

X
X
Mapping matrix columns (NERC CIP): CIP-007-3 R4 Malicious Software Prevention; CIP-007-3 R5 Account Management; CIP-007-3 R6 Security Status Monitoring.
Mapping matrix columns (NERC CIP): CIP-007-3 R7 Disposal or Redeployment; CIP-007-3 R8 Cyber Vulnerability Assessment; CIP-007-3 R9 Documentation Review and Maintenance.
Mapping matrix columns (NERC CIP): CIP-008-3 R1 Cyber Security Incident Response Plan; CIP-008-3 R2 Cyber Security Incident Documentation; CIP-009-3 R1 Recovery Plans.
Mapping matrix columns (NERC CIP): CIP-009-3 R2 Exercises; CIP-009-3 R3 Change Control; CIP-009-3 R4 Backup and Restore.
Mapping matrix column (NERC CIP): CIP-009-3 R5 Testing Back Up Media.
CIS Controls v7.1 mapped to the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) ver.3

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4
System 2.5

System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3
System 4.4

System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7
System 6.8

Critical Security Control #7: Email and Web Browser Protections

System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6
System 8.7

System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6
Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8
Application 16.9

Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5
Application 18.6

Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1
Application 20.2

Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

1.1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

3.1 Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

4.1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
4.4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Critical Security Control #5: Secure Configurations for Hardware and Software

5.1 Maintain documented security configuration standards for all authorized operating systems and software.
5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2 Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7 On a regular basis, review logs to identify anomalies or abnormal events.
6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

Critical Security Control #7: Email and Web Browser Protections

7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses

8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
8.5 Configure devices to not auto-run content from removable media.
8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports

9.1 Associate active ports, services, and protocols to the hardware assets in the asset inventory.
9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities

10.1 Ensure that all system data is automatically backed up on a regular basis.
10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

Critical Security Control #12: Boundary Defense

12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

Critical Security Control #13: Data Protection

13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

14.1 Segment the network based on the label or classification level of the information stored on the servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control

15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control

16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.

Critical Security Control #17: Implement a Security Awareness and Training Program

17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

Critical Security Control #18: Application Software Security

18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management

19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises

20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.

Master Mappings Tool (v7.1c)

AIS-01 Application & Interface Security - Application Security
AIS-02 Application & Interface Security - Customer Access Requirements
AIS-03 Application & Interface Security - Data Integrity


X X
X X

X X

X X
X X
X X
X X
X X
X X

X X

X X
AIS-04 Application & Interface Security - Data Security / Integrity
AAC-01 Audit Assurance & Compliance - Audit Planning
AAC-02 Audit Assurance & Compliance - Independent Audits


X
X

X
X
X
X
X
X

X
AAC-03 Audit Assurance & Compliance - Information System Regulatory Mapping
BCR-01 Business Continuity Management & Operational Resilience - Business Continuity Planning
BCR-02 Business Continuity Management & Operational Resilience - Business Continuity Testing


BCR-03 Business Continuity Management & Operational Resilience - Datacenter Utilities / Environmental Conditions
BCR-04 Business Continuity Management & Operational Resilience - Documentation
BCR-05 Business Continuity Management & Operational Resilience - Environmental Risks


BCR-06 Business Continuity Management & Operational Resilience - Equipment Location
BCR-07 Business Continuity Management & Operational Resilience - Equipment Maintenance
BCR-08 Business Continuity Management & Operational Resilience - Equipment Power Failures


BCR-09 Business Continuity Management & Operational Resilience - Impact Analysis
BCR-10 Business Continuity Management & Operational Resilience - Management Program
BCR-11 Business Continuity Management & Operational Resilience - Policy


BCR-12 Business Continuity Management & Operational Resilience - Retention Policy
CCC-01 Change Control & Configuration Management - New Development / Acquisition
CCC-02 Change Control & Configuration Management - Outsourced Development


X X
X X

X X

X X
X X
X X
X X
X X
X X

X X

X X
CCC-03 Change Control & Configuration Management - Quality Testing
CCC-04 Change Control & Configuration Management - Unauthorized Software Installations
CCC-05 Change Control & Configuration Management - Production Changes

X
X
X
X
X

X
X
X
X

X
X
X
X
X
X

X
DSI-01 Data Security & Information Lifecycle Management - Classification
DSI-02 Data Security & Information Lifecycle Management - Data Inventory / Flows
DSI-03 Data Security & Information Lifecycle Management - Commerce Transactions


X
X
X
X
X

X
X
X

X
X

X
X

X
X
X
X

X
X

X
X

X
X
DSI-04 Data Security & Information Lifecycle Management - Handling / Labeling / Security Policy
DSI-05 Data Security & Information Lifecycle Management - Information Leakage
DSI-06 Data Security & Information Lifecycle Management - Non-Production Data


X
X

X
X
X
X

X
X
DSI-07 Data Security & Information Lifecycle Management - Ownership / Stewardship
DSI-08 Data Security & Information Lifecycle Management - Secure Disposal
DCS-01 Datacenter Security - Asset Management


X
X
X

X
DCS-02 Datacenter Security - Controlled Access Points
DCS-03 Datacenter Security - Equipment Identification
DCS-04 Datacenter Security - Off-Site Authorization


DCS-05 Datacenter Security - Off-Site Equipment
DCS-06 Datacenter Security - Policy
DCS-07 Datacenter Security - Secure Area Authorization


DCS-08 Datacenter Security - Unauthorized Persons Entry
DCS-09 Datacenter Security - User Access
EKM-01 Encryption & Key Management - Entitlement


X
X

X
X
X
X

X
X
EKM-02 Encryption & Key Management - Key Generation
EKM-03 Encryption & Key Management - Sensitive Data Protection
EKM-04 Encryption & Key Management - Storage and Access


X X X
X X X

X X X
X X X
X X X
X X X

X X X

X X X
X X X
GRM-01 Governance and Risk Management - Baseline Requirements
GRM-02 Governance and Risk Management - Data Focus Risk Assessments
GRM-03 Governance and Risk Management - Management Oversight


GRM-04 Governance and Risk Management - Management Program
GRM-05 Governance and Risk Management - Management Support/Involvement
GRM-06 Governance and Risk Management - Policy


GRM-07 Governance and Risk Management - Policy Enforcement
GRM-08 Governance and Risk Management - Policy Impact on Risk Assessments
GRM-09 Governance and Risk Management - Policy Reviews


GRM-10 Governance and Risk Management - Risk Assessments
GRM-11 Governance and Risk Management - Risk Management Framework
GRM-12 Governance and Risk Management - Risk Mitigation / Acceptance


HRS-01 Human Resources - Asset Returns
HRS-02 Human Resources - Background Screening
HRS-03 Human Resources - Employment Agreements


HRS-04 Human Resources - Employment Termination
HRS-05 Human Resources - Industry Knowledge / Benchmarking
HRS-06 Human Resources - Mobile Device Management


HRS-07 Human Resources - Non-Disclosure Agreements
HRS-08 Human Resources - Roles / Responsibilities
HRS-09 Human Resources - Technology Acceptable Use


HRS-10 Human Resources - Training / Awareness
HRS-11 Human Resources - User Responsibility
HRS-12 Human Resources - Workspace


X
X

X
X
X

X
IAM-01 Identity & Access Management - Audit Tools Access
IAM-02 Identity & Access Management - Credential Lifecycle / Provision Management
IAM-03 Identity & Access Management - Diagnostic / Configuration Ports Access


X

X
X
X

X
X
X
X
X
X
X
X

X
X
X
X
X
X
IAM-04 Identity & Access Management - Policies and Procedures
IAM-05 Identity & Access Management - Segregation of Duties
IAM-06 Identity & Access Management - Source Code Access Restriction


IAM-07 Identity & Access Management - Third Party Access
IAM-08 Identity & Access Management - Trusted Sources
IAM-09 Identity & Access Management - User Access Authorization


X
X

X
X
X

X
X
X
X
X
X
X
X
X

X
X
X
X
X
X
IAM-10 Identity & Access Management - User Access Reviews
IAM-11 Identity & Access Management - User Access Revocation
IAM-12 Identity & Access Management - User ID Credentials


X X X
X X X

X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X

X X X

X X X
X X X
X X X
X X X
X X X
X X X
IAM-13 Identity & Access Management - Utility Programs Access
IVS-01 Infrastructure & Virtualization Security - Audit Logging / Intrusion Detection
IVS-02 Infrastructure & Virtualization Security - Change Detection


X
X

X
X
X

X
X
X

X
X
X
X
X
X
X
X
X

X
X
X
X
X

X
X
X

X
X
IVS-03 Infrastructure & Virtualization Security - Clock Synchronization
IVS-04 Infrastructure & Virtualization Security - Information System Documentation
IVS-05 Infrastructure & Virtualization Security - Management - Vulnerability Management


X

X
X
X
X
X
X
X
X
X
X
X
X
IVS-06 Infrastructure & Virtualization Security - Network Security
IVS-07 Infrastructure & Virtualization Security - OS Hardening and Base Controls
IVS-08 Infrastructure & Virtualization Security - Production / Non-Production Environments


X

X
X

X
X

X
X
X
X
X
X
X

X
X
X

X
X

X
X
X
X
X

X
X
X

X
X
X
X

X
X
X
X
X
X

X
IVS-09 Infrastructure & Virtualization Security - Segmentation
IVS-10 Infrastructure & Virtualization Security - VM Security - vMotion Data Protection
IVS-11 Infrastructure & Virtualization Security - VMM Security - Hypervisor Hardening


X

X
X
X

X
X

X
X

X
X

X
X
IVS-12 Infrastructure & Virtualization Security - Wireless Security
IPY-01 Interoperability & Portability - APIs
IPY-02 Interoperability & Portability - Data Request


X
X
X
X

X
X
X

X
X
IPY-03 Interoperability & Portability - Policy & Legal
IPY-04 Interoperability & Portability - Standardized Network Protocols
IPY-05 Interoperability & Portability - Virtualization


X
X
X
X
X
MOS-01 Mobile Security - Anti-Malware
MOS-02 Mobile Security - Application Stores
MOS-03 Mobile Security - Approved Applications

X
X
X
X
X

X
X
X

X
X
X
X
X
MOS-04 Mobile Security - Approved Software for BYOD
MOS-05 Mobile Security - Awareness and Training
MOS-06 Mobile Security - Cloud Based Services

X
X
X
X
X

X
X
X
X

X
X
X

X
MOS-07 Mobile Security - Compatibility
MOS-08 Mobile Security - Device Eligibility
MOS-09 Mobile Security - Device Inventory


X
X
X

X
MOS-10 Mobile Security - Device Management
MOS-11 Mobile Security - Encryption
MOS-12 Mobile Security - Jailbreaking and Rooting


X
X
X

X
X
X

X
X
X
X

X
X

X
X

X
X

X
X
X
X

X
X
X

X
X
MOS-13 Mobile Security - Legal
MOS-14 Mobile Security - Lockout Screen
MOS-15 Mobile Security - Operating Systems


X
X
X

X
X
X
X
X

X
X

X
X
X
X
X

X
X

X
X

X
X

X
X
X
X
X
X
X
X
X
X
X

X
X
X
X
X
X
MOS-16 Mobile Security - Passwords
MOS-17 Mobile Security - Policy
MOS-18 Mobile Security - Remote Wipe


X
X

X
X
X

X
X
X
X

X
X
X
X
X
X
X

X
X
X
X
X
X
MOS-19 Mobile Security - Security Patches
MOS-20 Mobile Security - Users
SEF-01 Security Incident Management, E-Discovery & Cloud Forensics - Contact / Authority Maintenance


X

X
X
X
X

X
X

X
X
X

X
X
X

X
X

X
X

X
X
X

X
X
X

X
X
X
X
X
X
X
X

X
X
X
X
X
X
X

X
SEF-02 Security Incident Management, E-Discovery & Cloud Forensics - Incident Management
SEF-03 Security Incident Management, E-Discovery & Cloud Forensics - Incident Reporting
SEF-04 Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Legal Preparation


X X X

X X X

X X X

X X X

X X X

X X X

X X X

X X X
SEF-05 Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Metrics
STA-01 Supply Chain Management, Transparency and Accountability - Data Quality and Integrity
STA-02 Supply Chain Management, Transparency and Accountability - Incident Reporting


X

X
STA-03 Supply Chain Management, Transparency and Accountability - Network / Infrastructure Services
STA-04 Supply Chain Management, Transparency and Accountability - Provider Internal Assessments
STA-05 Supply Chain Management, Transparency and Accountability - Supply Chain Agreements


STA-06 Supply Chain Management, Transparency and Accountability - Supply Chain Governance Reviews
STA-07 Supply Chain Management, Transparency and Accountability - Supply Chain Metrics
STA-08 Supply Chain Management, Transparency and Accountability - Third Party Assessment


STA-09 Supply Chain Management, Transparency and Accountability - Third Party Audits
TVM-01 Threat and Vulnerability Management - Anti-Virus / Malicious Software
TVM-02 Threat and Vulnerability Management - Vulnerability / Patch Management


X

X
X
X
X
X

X
X

X
X

X
X

X
X
X
X
X

X
X
X

X
X
TVM-03 Threat and Vulnerability Management - Mobile Code
X

X
X
X
X
X
CIS Controls v7.1 mapped to the Amazon Web Services – OCIE Cybersecurity Audit Guide (Oct 2015)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7

System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2
Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1
Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10
Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9
Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4
Application 20.5

Application 20.6

Application 20.7

Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Management (SIEM)).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which provides mutual, certificate-based authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
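Sub-controls 16.9, 16.12 and 16.13 above describe three checks that can run over the same authentication log: dormant accounts, attempts against deactivated accounts, and logins that deviate from a user's baseline of workstation and time of day. The following Python is an added example and not part of the AuditScripts mapping or the CIS Controls text; the account inventory, the event lines, the baseline window and the 45-day dormancy threshold are all constructed assumptions for illustration.

```python
"""Account monitoring checks over constructed auth events (sub-controls 16.9, 16.12, 16.13)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account inventory (what sub-control 16.6 asks for), status and business owner.
ACCOUNTS = {
    "a.smith": {"status": "enabled", "owner": "Finance"},
    "b.jones": {"status": "enabled", "owner": "Engineering"},
    "svc-backup": {"status": "enabled", "owner": "IT Ops"},
    "c.old": {"status": "disabled", "owner": "Sales"},
}

# Constructed events: "<ISO timestamp> <user> <workstation> <outcome>". Not from a real system.
RAW_EVENTS = """\
2024-03-01T08:55:10 a.smith fin-ws-017 success
2024-03-01T09:02:41 b.jones eng-ws-042 success
2024-03-02T08:47:03 a.smith fin-ws-017 success
2024-03-04T09:10:55 a.smith fin-ws-017 success
2024-03-04T10:21:09 b.jones eng-ws-042 success
2024-03-05T08:59:30 a.smith fin-ws-017 success
2024-03-06T09:05:12 b.jones eng-ws-042 success
2024-03-07T08:50:44 a.smith fin-ws-017 success
2024-03-08T09:15:27 b.jones eng-ws-042 success
2024-03-12T02:13:08 a.smith eng-ws-042 success
2024-03-12T09:01:50 b.jones eng-ws-042 success
2024-03-13T14:30:00 c.old fin-ws-020 failure
"""

BASELINE_END = datetime(2024, 3, 11)   # events before this build the profile; later ones are scored
NOW = datetime(2024, 3, 14)            # "today" for the dormancy check


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, user, host, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host, "outcome": outcome})
    return events


def build_baseline(events, end):
    """Per-user profile from successful logins before `end`: workstations used and hours of day seen."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        if e["outcome"] == "success" and e["ts"] < end:
            profile[e["user"]]["hosts"].add(e["host"])
            profile[e["user"]]["hours"].add(e["ts"].hour)
    return profile


def detect_deviations(events, baseline, start, hour_slack=1):
    """16.13: alert when a login's workstation or hour falls outside the user's baseline."""
    alerts = []
    for e in events:
        if e["outcome"] != "success" or e["ts"] < start:
            continue
        prof = baseline.get(e["user"])
        if prof is None:
            alerts.append((e["user"], e["ts"], "no baseline for user"))
            continue
        reasons = []
        if e["host"] not in prof["hosts"]:
            reasons.append(f"new workstation {e['host']}")
        if not any(abs(e["ts"].hour - h) <= hour_slack for h in prof["hours"]):
            reasons.append(f"unusual hour {e['ts'].hour:02d}:00")
        if reasons:
            alerts.append((e["user"], e["ts"], "; ".join(reasons)))
    return alerts


def deactivated_account_attempts(events, accounts):
    """16.12: any attempt (success or failure) against a disabled account is reportable."""
    return [(e["user"], e["ts"], e["outcome"]) for e in events
            if accounts.get(e["user"], {}).get("status") == "disabled"]


def dormant_accounts(events, accounts, now, max_idle_days=45):
    """16.9: enabled accounts with no successful login in the last max_idle_days."""
    last_seen = {}
    for e in events:
        if e["outcome"] == "success":
            last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, a in accounts.items()
                  if a["status"] == "enabled" and last_seen.get(u, datetime.min) < cutoff)


def run_checks(events=None, accounts=ACCOUNTS, baseline_end=BASELINE_END, now=NOW):
    events = parse_events(RAW_EVENTS) if events is None else events
    baseline = build_baseline(events, baseline_end)
    return {
        "deviations": detect_deviations(events, baseline, baseline_end),
        "deactivated": deactivated_account_attempts(events, accounts),
        "dormant": dormant_accounts(events, accounts, now),
    }


if __name__ == "__main__":
    for name, rows in run_checks().items():
        print(name, rows)
```

On the constructed data the only deviation is a.smith's 02:13 login from an engineering workstation, c.old's failed attempt is flagged because the account is disabled, and svc-backup shows up as dormant because it has never logged in within the window. A real deployment would build the baseline over weeks, not days, and would key the dormancy check on the authentication system's own last-logon attribute rather than on a log extract.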
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
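Sub-control 18.2 asks for explicit, documented error checking of all input for size, data type and acceptable ranges or formats. The Python below is an added example of what that looks like for one request handler; it is not code from the AuditScripts mapping or the CIS Controls. The request schema (customer_id, sku, quantity, note), the 4096-byte body limit and the format patterns are assumptions chosen for the example.

```python
"""Explicit input validation for an in-house request handler (sub-control 18.2)."""
import json
import re


class ValidationError(ValueError):
    """Raised with a field-specific message on the first check that fails."""


# Constructed schema for an order request; every field has a type, a size bound
# and either a numeric range or a format. Field names are an assumption for the example.
ORDER_SCHEMA = {
    "customer_id": {"type": str, "max_len": 16, "pattern": re.compile(r"[A-Z]{2}\d{6}")},
    "sku":         {"type": str, "max_len": 12, "pattern": re.compile(r"[A-Z0-9-]{4,12}")},
    "quantity":    {"type": int, "min": 1, "max": 500},
    "note":        {"type": str, "max_len": 200, "required": False,
                    "pattern": re.compile(r"[\w .,!?-]*")},
}
MAX_BODY_BYTES = 4096


def validate_request(raw, schema=ORDER_SCHEMA, max_bytes=MAX_BODY_BYTES):
    """Return a cleaned dict or raise ValidationError.

    Order of checks matters: size before parsing (so an oversized body never
    reaches the JSON parser), then shape, then per-field type, length, range, format.
    """
    if len(raw) > max_bytes:
        raise ValidationError(f"body exceeds {max_bytes} bytes")
    try:
        payload = json.loads(raw)
    except ValueError as exc:
        raise ValidationError("body is not valid JSON") from exc
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    unexpected = set(payload) - set(schema)
    if unexpected:
        raise ValidationError(f"unexpected field(s): {sorted(unexpected)}")

    clean = {}
    for name, rule in schema.items():
        if name not in payload:
            if rule.get("required", True):
                raise ValidationError(f"{name}: missing")
            continue
        value, expected = payload[name], rule["type"]
        # bool is a subclass of int in Python, so JSON true would otherwise pass as a quantity.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValidationError(f"{name}: expected {expected.__name__}")
        if expected is str:
            if len(value) > rule["max_len"]:
                raise ValidationError(f"{name}: longer than {rule['max_len']} characters")
            if not rule["pattern"].fullmatch(value):
                raise ValidationError(f"{name}: invalid format")
        else:
            if not rule["min"] <= value <= rule["max"]:
                raise ValidationError(f"{name}: must be between {rule['min']} and {rule['max']}")
        clean[name] = value
    return clean


def error_for(raw):
    """Convenience wrapper: the validation message, or None when the body is accepted."""
    try:
        validate_request(raw)
    except ValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for body in ('{"customer_id": "GB123456", "sku": "AB-1234", "quantity": 3}',
                 '{"customer_id": "GB123456", "sku": "AB-1234", "quantity": "3"}',
                 '{"customer_id": "GB123456", "sku": "AB-1234", "quantity": true}',
                 '{"customer_id": "GB123456", "sku": "AB-1234", "quantity": 0, "x": 1}'):
        print(error_for(body) or "accepted")
```

Two details are easy to get wrong and are the reason the checks are ordered as they are: the size limit is applied to the raw body before the parser sees it, and the type check rejects booleans explicitly because Python's bool is an int, so a JSON `true` would otherwise satisfy a range of 1 to 500. Unknown fields are rejected rather than ignored so that the documented schema is the only thing the handler ever accepts.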
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping matrix: the per-control "X" marks did not survive extraction and are not reproduced.
Column headings recovered from the sheet: 1 Network Configuration, 2 Governance and Management,
3 Asset Configuration and Management; 4 Logical Access Control, 5 Data Encryption, 6 Security
Logging and Monitoring; 7 Security Incident Response, 8 Disaster Recovery, 9 Inherited Controls.]
CIS Controls v7.1 mapped to the FY15 CIO Annual FISMA Metrics

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8
CIS Controls v7.1 mapped to the FY15 CIO Annual FISMA Metrics

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
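Sub-controls 1.3, 1.5 and 1.6 above describe a concrete job: read the DHCP server's log, look each leased hardware address up in the asset inventory, and either update the record or flag the device. The Python below is an added example of that reconciliation and is not code from the AuditScripts mapping or the CIS Controls; the dhcpd-style log lines, MAC addresses, hostnames and inventory records are constructed for illustration.

```python
"""Reconcile DHCP server logs with the hardware asset inventory (sub-controls 1.3, 1.5, 1.6)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed ISC dhcpd-style syslog lines; hosts, MACs and names are illustrative only.
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.4.31 to 00:1a:2b:3c:4d:5e (fin-ws-017) via eth0
Mar  3 09:12:44 dhcp1 dhcpd[812]: DHCPACK on 10.20.4.77 to 08:00:27:aa:bb:cc (kali) via eth0
Mar  3 09:13:05 dhcp1 dhcpd[812]: DHCPACK on 10.20.4.31 to 00:1a:2b:3c:4d:5e (fin-ws-017) via eth0
Mar  3 09:15:19 dhcp1 dhcpd[812]: DHCPACK on 10.20.4.90 to 3c:22:fb:11:22:33 (printer-3f) via eth0
Mar  3 09:16:02 dhcp1 dhcpd[812]: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
"""

# Only DHCPACK lines prove that a lease was actually handed out; DISCOVER/OFFER are ignored.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Asset:
    """One hardware inventory record with the fields sub-control 1.5 asks for."""
    mac: str
    name: str
    owner: str
    department: str
    approved: bool                # approved to connect to the network?
    ip: Optional[str] = None      # last known network address


# Constructed inventory keyed by hardware (MAC) address.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": Asset("00:1a:2b:3c:4d:5e", "fin-ws-017", "a.smith", "Finance", True, "10.20.4.30"),
    "3c:22:fb:11:22:33": Asset("3c:22:fb:11:22:33", "printer-3f", "facilities", "Facilities", False),
}


def parse_dhcp_acks(log_text):
    """Return {mac: (ip, hostname)} holding the most recent DHCPACK per MAC address."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return leases


def reconcile(leases, inventory):
    """Compare observed leases with the inventory.

    unknown    - MAC seen on the network but not inventoried (1.6: quarantine or add it)
    unapproved - inventoried but not approved to connect, yet holding a lease (1.6)
    updates    - inventoried asset whose recorded IP differs from the lease (1.3: update)
    """
    report = {"unknown": [], "unapproved": [], "updates": []}
    for mac, (ip, host) in sorted(leases.items()):
        asset = inventory.get(mac)
        if asset is None:
            report["unknown"].append({"mac": mac, "ip": ip, "hostname": host})
            continue
        if not asset.approved:
            report["unapproved"].append({"mac": mac, "ip": ip, "name": asset.name})
        if asset.ip != ip:
            report["updates"].append({"mac": mac, "old_ip": asset.ip, "new_ip": ip})
            asset.ip = ip
    return report


if __name__ == "__main__":
    for category, rows in reconcile(parse_dhcp_acks(SAMPLE_DHCP_LOG), INVENTORY).items():
        for row in rows:
            print(category, row)
```

The reconciliation keys on the MAC address rather than the hostname because the hostname in a DHCP request is whatever the client chooses to send; a MAC can be spoofed too, which is why sub-controls 1.7 and 1.8 add 802.1X and client certificates on top of this inventory check rather than replacing it.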
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
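Sub-controls 3.6 and 3.7 above, comparing consecutive scans and risk-rating what is still open, are the part of this control that most often ends up as a spreadsheet exercise. The Python below is an added example of both steps over two constructed scan exports; it is not code from the AuditScripts mapping or from any scanner. The finding identifiers (F-1001 and so on), hosts, CVSS values, first-seen dates, the SLA table and the weighting in the risk score are all assumptions for the example.

```python
"""Diff consecutive vulnerability scans and rank open findings (sub-controls 3.6, 3.7)."""
from datetime import date

# Constructed scan exports. Finding IDs, hosts and scores are illustrative, not real advisories.
PREVIOUS_SCAN = {
    "scanned": date(2024, 3, 4),
    "findings": [
        {"host": "10.20.4.10", "id": "F-1001", "cvss": 9.8, "exposed": True},
        {"host": "10.20.4.10", "id": "F-1002", "cvss": 5.3, "exposed": True},
        {"host": "10.20.4.12", "id": "F-1003", "cvss": 7.5, "exposed": False},
        {"host": "10.20.4.15", "id": "F-1004", "cvss": 4.0, "exposed": False},
    ],
}
CURRENT_SCAN = {
    "scanned": date(2024, 3, 11),
    "findings": [
        {"host": "10.20.4.10", "id": "F-1002", "cvss": 5.3, "exposed": True},
        {"host": "10.20.4.12", "id": "F-1003", "cvss": 7.5, "exposed": False},
        {"host": "10.20.4.15", "id": "F-1004", "cvss": 4.0, "exposed": False},
        {"host": "10.20.4.15", "id": "F-1005", "cvss": 9.1, "exposed": True},
    ],
}
# Constructed history: when each (host, finding) pair was first reported.
FIRST_SEEN = {
    ("10.20.4.10", "F-1001"): date(2024, 2, 5),
    ("10.20.4.10", "F-1002"): date(2024, 1, 8),
    ("10.20.4.12", "F-1003"): date(2024, 2, 26),
    ("10.20.4.15", "F-1004"): date(2023, 12, 11),
}
# Remediation deadlines per severity band (an assumed policy, days from first sighting).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def by_key(scan):
    """Index a scan's findings by (host, finding id); that pair is the unit of remediation."""
    return {(f["host"], f["id"]): f for f in scan["findings"]}


def diff_scans(previous, current):
    """3.6: what disappeared (remediated), what appeared (new) and what is still open."""
    prev, curr = by_key(previous), by_key(current)
    return {
        "remediated": sorted(prev.keys() - curr.keys()),
        "new": sorted(curr.keys() - prev.keys()),
        "persisting": sorted(prev.keys() & curr.keys()),
    }


def severity(cvss):
    """CVSS v3 qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(finding, age_days):
    """Assumed rating: CVSS, plus 1.5 for internet exposure, plus up to 2.0 once past SLA."""
    score = finding["cvss"]
    if finding["exposed"]:
        score += 1.5
    overdue_days = age_days - SLA_DAYS[severity(finding["cvss"])]
    if overdue_days > 0:
        score += min(2.0, overdue_days / 30)
    return round(score, 2)


def prioritize(current, first_seen):
    """3.7: order open findings by risk, breaking ties by how long they have been open."""
    rows = []
    for key, f in by_key(current).items():
        seen = first_seen.get(key, current["scanned"])   # new this scan -> age 0
        age = (current["scanned"] - seen).days
        sev = severity(f["cvss"])
        rows.append({"host": key[0], "id": key[1], "severity": sev, "age_days": age,
                     "overdue": age > SLA_DAYS[sev], "risk": risk_score(f, age)})
    return sorted(rows, key=lambda r: (-r["risk"], -r["age_days"]))


if __name__ == "__main__":
    for bucket, keys in diff_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(bucket, keys)
    for row in prioritize(CURRENT_SCAN, FIRST_SEEN):
        print(row)
```

Keying on (host, finding) rather than on the finding alone matters: a patch that fixes one host while another still carries the same issue should not count as remediated. The age-based component is what turns the 3.7 rating into something the consecutive-scan comparison can drive, since a medium finding that has blown past its SLA starts to outrank a fresh high one.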

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
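Sub-control 7.8 above layers DMARC on top of SPF and DKIM, and the interaction between the three (which domain each one authenticates, and how "alignment" ties them to the visible From: header) is where deployments usually go wrong. The Python below is an added example that evaluates SPF and DMARC for one message against constructed TXT records; it is not code from the AuditScripts mapping or the CIS Controls. It assumes SPF records limited to ip4/ip6/all mechanisms (the include, a and mx mechanisms need live DNS and are reported as permerror), a simplified organizational-domain rule, and that DKIM signature verification has already been done by something else and only the verified d= domain is passed in.

```python
"""Offline SPF and DMARC evaluation for one inbound message (sub-control 7.8)."""
import ipaddress

# Constructed TXT records standing in for live DNS lookups; example.com/.net are documentation domains.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "newsletter.example.com": "v=spf1 ip4:198.51.100.7 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=TXT_RECORDS):
    """Evaluate an SPF record whose mechanisms are limited to ip4, ip6 and all.

    The include/a/mx/exists mechanisms need further DNS lookups and are reported
    as permerror here so that the example runs without network access.
    """
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech not in ("ip4", "ip6"):
            return "permerror"
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"   # no mechanism matched and no "all" term


def parse_dmarc(domain, records=TXT_RECORDS):
    """Tags of the _dmarc.<domain> record, with the alignment modes defaulted to relaxed."""
    record = records.get("_dmarc." + domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain (last two labels); real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def check_dmarc(from_domain, mail_from_domain, sender_ip, dkim_d=None, records=TXT_RECORDS):
    """Return (disposition, detail) for a message.

    from_domain      - domain of the RFC 5322 From: header (what the user sees)
    mail_from_domain - domain of the SMTP MAIL FROM, which is what SPF authenticates
    dkim_d           - d= domain of a DKIM signature that has ALREADY been verified
                       (signature verification itself is out of scope here)
    """
    policy = parse_dmarc(from_domain, records)
    if policy is None:
        return "none", "no DMARC record"
    spf = check_spf(mail_from_domain, sender_ip, records)
    spf_aligned = spf == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_aligned = bool(dkim_d) and aligned(from_domain, dkim_d, policy["adkim"])
    detail = f"spf={spf} spf_aligned={spf_aligned} dkim_aligned={dkim_aligned}"
    if spf_aligned or dkim_aligned:
        return "pass", detail
    return policy.get("p", "none"), detail


if __name__ == "__main__":
    print(check_dmarc("example.com", "newsletter.example.com", "198.51.100.7"))
    print(check_dmarc("example.com", "example.com", "203.0.113.5"))
    print(check_dmarc("example.com", "attacker.example", "203.0.113.5", dkim_d="mail.example.com"))
```

The third call in the usage block is the case that trips people up: the DKIM signature verifies, but because the example.com policy sets adkim=s, a signature from mail.example.com does not align with a From: of example.com, SPF fails for the unrelated MAIL FROM domain, and the message is rejected. Relaxing adkim to r would accept it, which is exactly the trade-off the policy tag exists to make explicit.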
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.

Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.

Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).

Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.

Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).

Critical Security Control #15: Wireless Access Control

Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.

Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.

Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control

Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.

Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.

Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.

Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.

Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.

Critical Security Control #17: Implement a Security Awareness and Training Program

Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.

Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.

Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.

Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.

Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.

Critical Security Control #18: Application Software Security

Establish secure coding practices appropriate to the programming language and development
environment being used.

For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.

Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.

Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.

Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.

Critical Security Control #19: Incident Response and Management

Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.

Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.

Critical Security Control #20: Penetration Tests and Red Team Exercises

Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.

Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.

Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.

Master Mappings Tool (v7.1c)

Mapping columns: 1 System Inventory; 2 Continuous Monitoring; 3 Identity Credential and Access
Management; 4 Anti-Phishing and Malware Defense; 5 Data Protection; 6 Network Defense;
7 Boundary Protection; 8 Training and Education; 9 Incident Response.

[Mapping matrix of sub-controls to these columns: the row labels did not survive extraction, so the
per-row X marks are omitted.]
CIS Controls v7.1 mapped to ITIL 2011 KPIs

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges
System: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System: 5.1, 5.2, 5.3, 5.4, 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8

Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10

Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5

Critical Security Control #10: Data Recovery Capabilities
System: 10.1, 10.2, 10.3, 10.4, 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10, 12.11, 12.12

Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9, 15.10

Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9

Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.11

Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7, 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.

Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.

Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.

Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.

Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.

Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.

The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.

The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.

Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.

Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.

Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges

Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.

Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.

Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.

Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.

Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Critical Security Control #5: Secure Configurations for Hardware and Software

Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.

Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.

Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.

Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.

Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.

On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.

Critical Security Control #7: Email and Web Browser Protections

Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.

Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Critical Security Control #8: Malware Defenses

Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.

Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.

Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.

Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

Critical Security Control #9: Limitation and Control of Network Ports

Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.

Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.

Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.

Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.

Critical Security Control #10: Data Recovery Capabilities

Ensure that all system data is automatically backed up on a regular basis.

Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.

Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
urity Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
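Sub-controls 11.2 and 11.3 together describe a check that can be automated: every permit rule on the device must have a ledger entry with a reason, an owner and an expiry, and the device and the ledger must agree. The following is an added example, not tooling from the CIS Controls or any firewall vendor; the running rule set and the configuration-management ledger are constructed for the demonstration, and the audit date is passed in so the result is reproducible.

```python
"""Firewall rule-ledger audit (CIS Controls 11.2 and 11.3).

Added example, not tooling from the CIS Controls or any vendor. The running
permit rules and the configuration-management ledger are constructed for the
demonstration; the audit date is passed in so the result is reproducible.
"""
from datetime import date

# Constructed export of the permit rules currently loaded on one firewall.
RUNNING_RULES = [
    {"id": "r100", "src": "10.10.0.0/16", "dst": "10.20.5.10", "service": "443/tcp"},
    {"id": "r110", "src": "any",          "dst": "10.20.5.20", "service": "22/tcp"},
    {"id": "r120", "src": "10.30.0.0/24", "dst": "10.20.5.30", "service": "1433/tcp"},
    {"id": "r130", "src": "any",          "dst": "10.20.5.40", "service": "3389/tcp"},
]

# Constructed ledger: one entry per approved rule with the three fields 11.2
# requires (business reason, responsible individual, expected duration).
LEDGER = {
    "r100": {"reason": "HR portal HTTPS", "owner": "a.ng", "expires": "2026-12-31"},
    "r110": {"reason": "vendor SSH for migration", "owner": "", "expires": "2025-03-31"},
    "r120": {"reason": "", "owner": "j.ortiz", "expires": "2027-06-30"},
    "r900": {"reason": "legacy backup job", "owner": "m.rao", "expires": "2026-01-31"},
}


def audit_rules(running, ledger, as_of):
    """Return (rule_id, finding) pairs for every deviation from the ledger."""
    findings = []
    for rule in running:
        entry = ledger.get(rule["id"])
        if entry is None:
            # 11.3: traffic is permitted by a rule nobody approved.
            findings.append((rule["id"], "undocumented: not in ledger"))
            continue
        if not entry["reason"].strip():
            findings.append((rule["id"], "no business reason recorded"))
        if not entry["owner"].strip():
            findings.append((rule["id"], "no responsible individual"))
        if date.fromisoformat(entry["expires"]) < as_of:
            findings.append((rule["id"], f"expired {entry['expires']}"))
    running_ids = {rule["id"] for rule in running}
    for rule_id in sorted(set(ledger) - running_ids):
        # Also a deviation: the approved configuration and the device disagree.
        findings.append((rule_id, "approved in ledger but absent from device"))
    return findings


def run_audit(as_of_iso="2025-09-01"):
    """Audit the constructed data as of the given date."""
    return audit_rules(RUNNING_RULES, LEDGER, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for rule_id, finding in run_audit():
        print(f"{rule_id}: {finding}")
```

Run on the constructed data, r100 is clean, r110 has no owner and has expired, r120 has no business reason, r130 is on the device with no approval at all, and r900 is approved but no longer loaded; the last two are the 11.3 deviations that should raise an alert, the others are 11.2 record-keeping gaps.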
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
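Sub-controls 12.3, 12.4 and 12.8 describe the inputs and the policy for an egress check: flow records collected at the boundary, a blocklist of known-malicious addresses, the trusted destination ranges, and the authorized protocol/port pairs. The following is an added example, not part of the CIS Controls text; the flow records, blocklist, trusted ranges and authorized services are constructed, and a real deployment would read NetFlow or IPFIX exports from the boundary devices and a threat-intelligence feed instead.

```python
"""Egress policy check over boundary flow records (CIS Controls 12.3, 12.4, 12.8).

Added example, not part of the CIS Controls text. The flow records, the
blocklist, the trusted destination ranges and the authorized services are all
constructed for the demonstration; a real deployment would feed NetFlow/IPFIX
exports from the boundary devices (12.8) and a threat-intelligence blocklist.
"""
import ipaddress

# Constructed policy for this boundary. Internal ranges are declared
# explicitly rather than relying on ipaddress.is_private/is_global, which
# also treat the RFC 5737 documentation ranges used below as non-global.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_MALICIOUS = {ipaddress.ip_address("203.0.113.66")}
TRUSTED_DESTINATIONS = [
    ipaddress.ip_network("198.51.100.0/24"),   # constructed: SaaS provider
    ipaddress.ip_network("192.0.2.0/25"),      # constructed: partner range
]
AUTHORIZED_SERVICES = {("tcp", 443), ("tcp", 22), ("udp", 53)}

# Constructed flow records: timestamp src dst proto dport bytes
FLOWS = """\
2025-09-01T10:00:01 10.1.4.22 198.51.100.10 tcp 443 5120
2025-09-01T10:00:03 10.1.4.22 203.0.113.66 tcp 443 900
2025-09-01T10:00:07 10.1.7.5 192.0.2.40 tcp 8443 2210
2025-09-01T10:00:09 10.1.9.14 192.0.2.200 udp 53 110
2025-09-01T10:00:12 10.1.4.22 198.51.100.12 tcp 22 73000
2025-09-01T10:00:15 198.51.100.10 10.1.4.22 tcp 51532 4096
"""


def parse_flows(text):
    for line in text.splitlines():
        ts, src, dst, proto, dport, nbytes = line.split()
        yield {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "dport": int(dport),
            "bytes": int(nbytes),
        }


def in_any(addr, networks):
    return any(addr in net for net in networks)


def is_outbound(flow):
    """Internal source talking to a destination outside the internal ranges."""
    return in_any(flow["src"], INTERNAL) and not in_any(flow["dst"], INTERNAL)


def check_flow(flow):
    """Return the policy violations for one outbound flow (empty list = allowed)."""
    violations = []
    if flow["dst"] in KNOWN_MALICIOUS:
        violations.append("destination on known-malicious list")
    if not in_any(flow["dst"], TRUSTED_DESTINATIONS):
        violations.append("destination outside trusted ranges")
    if (flow["proto"], flow["dport"]) not in AUTHORIZED_SERVICES:
        violations.append(f"unauthorized service {flow['proto']}/{flow['dport']}")
    return violations


def audit(text=FLOWS):
    """Map 'src->dst proto/port' to its violations for every outbound flow that breaks policy."""
    report = {}
    for flow in parse_flows(text):
        if not is_outbound(flow):
            continue  # inbound and reply traffic is judged by a separate rule set
        violations = check_flow(flow)
        if violations:
            key = f"{flow['src']}->{flow['dst']} {flow['proto']}/{flow['dport']}"
            report[key] = violations
    return report


if __name__ == "__main__":
    for key, violations in audit().items():
        print(key, "::", "; ".join(violations))
```

On the constructed flows the HTTPS and SSH sessions to the trusted ranges pass, the session to the blocklisted address fails on two counts, the 8443/tcp session fails on service even though its destination is trusted, and the DNS query to an unlisted resolver fails on destination; the reply flow from the SaaS range is skipped because it is not outbound.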
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
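Sub-control 13.5 asks for detection of unauthorized encryption leaving the organization. One practical signal is payload entropy: ciphertext is indistinguishable from random bytes, so a high-entropy payload on a port where the organization does not expect (and cannot inspect) encryption is worth an alert. The following is an added example, not tooling from the CIS Controls text; the approved port list and the sample payloads are constructed, a seeded random byte string stands in for ciphertext, and the block also shows the main false positive a practitioner has to handle, which is that compressed data is high-entropy too.

```python
"""Spotting unauthorized encryption on egress by payload entropy (CIS Control 13.5).

Added example, not tooling from the CIS Controls text. The approved port list
and the sample payloads are constructed; the random-byte payload stands in for
ciphertext, since a good cipher's output is indistinguishable from random.
"""
import gzip
import math
import random
from collections import Counter

# Constructed: ports on which encrypted traffic is expected and inspected elsewhere.
APPROVED_ENCRYPTED_PORTS = {443, 22, 993, 465}
MIN_SAMPLE = 512          # below this, entropy estimates are too noisy
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniform random bytes approach 8.0

# Compressed containers are also high-entropy; exclude the common ones by
# magic bytes so archives and images are not reported as covert encryption.
COMPRESSED_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data):
    """Bits of entropy per byte, estimated from the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compressed_format(data):
    for magic, name in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify_payload(dport, payload):
    """'approved', 'compressed:<fmt>', 'unauthorized encryption' or 'cleartext'."""
    if dport in APPROVED_ENCRYPTED_PORTS:
        return "approved"
    fmt = compressed_format(payload)
    if fmt:
        return f"compressed:{fmt}"
    if len(payload) >= MIN_SAMPLE and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "unauthorized encryption"
    return "cleartext"


def sample_payloads():
    """Constructed payloads: cleartext HTTP, a gzip body, and a ciphertext stand-in."""
    rng = random.Random(2025)  # seeded so the demonstration is reproducible
    ciphertext_like = bytes(rng.getrandbits(8) for _ in range(4096))
    http = (b"POST /upload HTTP/1.1\r\nHost: upload.example.net\r\n\r\n"
            + b"name,amount\n" * 100)
    return {
        "http_on_8080": (8080, http),
        "gzip_on_8080": (8080, gzip.compress(http)),
        "random_on_8080": (8080, ciphertext_like),
        "random_on_443": (443, ciphertext_like),
    }


def classify_samples():
    return {name: classify_payload(port, data)
            for name, (port, data) in sample_payloads().items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:16s} {verdict}")
```

The magic-byte exclusion is a whitelist of known compressed formats, not a proof that the payload is harmless; an attacker can prepend a gzip header to ciphertext. It reduces noise so that the entropy alert stays actionable, and a real deployment would pair it with the per-destination controls of 13.4.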

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt, or hash with a salt, all authentication credentials when they are stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
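Sub-control 16.4's "hash with a salt" is the minimum; what a practitioner actually deploys is a salted, iterated, slow hash with a constant-time verifier and a path to raise the work factor later. The following is an added example, not code from the CIS Controls text. It puts the unsalted fast hash the sub-control rules out beside a PBKDF2-HMAC-SHA256 record with a fresh random salt per user. The iteration count follows the OWASP Password Storage Cheat Sheet guidance for PBKDF2-HMAC-SHA256 (600,000 as of 2023); the record format and the sample passwords are constructed.

```python
"""Salted password hashing with PBKDF2-HMAC-SHA256 (CIS Control 16.4).

Added example, not code from the CIS Controls text. It contrasts the unsalted
fast hash that 16.4 rules out with a salted, iterated hash, and shows a
verifier that upgrades old records when the work factor is raised. The
iteration count follows the OWASP Password Storage Cheat Sheet guidance for
PBKDF2-HMAC-SHA256 (600,000 as of 2023); the record format is constructed.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password):
    """What NOT to store: no salt, one fast round. Two users with the same
    password get the same digest, and a precomputed table cracks it offline."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return 'algorithm$iterations$salt_hex$digest_hex' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time comparison against a stored record; False on malformed input."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not leak where the first differing byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the record was made with a weaker work factor than current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


def login(password, stored):
    """Verify; on success return the record to persist, upgraded if it was stale.

    The plaintext is only available at login, so that is the one moment an
    old record can be re-hashed under the current work factor.
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("Tr0ub4dor&3", record))
```

Two calls to hash_password with the same password produce different records because each draws its own salt, which is the property weak_hash lacks. Where the platform offers them, scrypt or Argon2id are preferable to PBKDF2 because they also cost memory; the record layout above carries the algorithm name so a migration to either is a one-line change in verify_password.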
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
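Sub-control 18.2 asks for explicit, documented checks on size, data type and acceptable ranges or formats for all input. The following is an added example, not code from the CIS Controls text: a validator for a constructed funds-transfer request in which every documented limit is a named constant, the size check runs before the parser, unknown fields are rejected rather than ignored, and the Python-specific trap that a JSON boolean passes an integer type check is handled explicitly.

```python
"""Explicit input validation for size, type, range and format (CIS Control 18.2).

Added example, not code from the CIS Controls text. The request schema (a
funds-transfer message with account, amount and memo) is constructed for the
demonstration; the point is that every field is checked against documented
limits before any business logic runs, and unknown fields are rejected.
"""
import json
import re

MAX_BODY_BYTES = 4096                   # size check happens before parsing
ACCOUNT_RE = re.compile(r"^[A-Z]{2}[0-9]{8}$")
AMOUNT_MIN, AMOUNT_MAX = 1, 10_000_000  # integer cents, documented range
MEMO_MAX_CHARS = 140
ALLOWED_FIELDS = {"from_account", "to_account", "amount_cents", "memo"}
REQUIRED_FIELDS = {"from_account", "to_account", "amount_cents"}


class ValidationError(ValueError):
    """Raised with a message naming the field and the limit it violated."""


def require_account(value, field):
    if not isinstance(value, str) or not ACCOUNT_RE.match(value):
        raise ValidationError(f"{field}: expected 2 letters + 8 digits")
    return value


def require_amount(value):
    # bool is a subclass of int in Python; reject it explicitly so that
    # true/false in JSON cannot pass as 1/0.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError("amount_cents: expected integer")
    if not AMOUNT_MIN <= value <= AMOUNT_MAX:
        raise ValidationError(f"amount_cents: out of range {AMOUNT_MIN}..{AMOUNT_MAX}")
    return value


def require_memo(value):
    if value is None:
        return ""
    if not isinstance(value, str):
        raise ValidationError("memo: expected string")
    if len(value) > MEMO_MAX_CHARS:
        raise ValidationError(f"memo: longer than {MEMO_MAX_CHARS} characters")
    if any(not ch.isprintable() for ch in value):
        raise ValidationError("memo: control characters not allowed")
    return value


def parse_transfer(body):
    """Validate a raw request body and return a clean dict, or raise ValidationError."""
    if not isinstance(body, (bytes, bytearray)):
        raise ValidationError("body: expected bytes")
    if len(body) > MAX_BODY_BYTES:
        raise ValidationError(f"body: larger than {MAX_BODY_BYTES} bytes")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        raise ValidationError("body: not valid UTF-8 JSON") from None
    if not isinstance(data, dict):
        raise ValidationError("body: expected a JSON object")
    unknown = set(data) - ALLOWED_FIELDS
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    missing = REQUIRED_FIELDS - set(data)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    return {
        "from_account": require_account(data["from_account"], "from_account"),
        "to_account": require_account(data["to_account"], "to_account"),
        "amount_cents": require_amount(data["amount_cents"]),
        "memo": require_memo(data.get("memo")),
    }


def rejection_reason(body):
    """The validation error message, or None when the body is accepted."""
    try:
        parse_transfer(body)
        return None
    except ValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    print(parse_transfer(b'{"from_account":"GB12345678","to_account":"DE87654321",'
                         b'"amount_cents":2500,"memo":"rent"}'))
    print(rejection_reason(b'{"from_account":"GB12345678","to_account":"DE87654321",'
                           b'"amount_cents":true}'))
```

Each rejection names the field and the documented limit, which is the "documented" half of 18.2 and also what the application's own error-handling tests assert on.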
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain third-party contact information to be used to report a security incident,
such as law enforcement, relevant government departments, vendors, and Information Sharing and
Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

[Mapping matrix: the column headers survive the export, the per-row mapping marks do not.]
KPI 1: Service Portfolio Management and Strategy Management
KPI 2: Financial Management for IT Services
KPI 3: Business Relationship Management
KPI 4: Service Level Management
KPI 5: Availability Management
KPI 6: Capacity Management
KPI 7: IT Service Continuity Management
KPI 8: Information Security Management
KPI 9: Supplier Management
KPI 10: Change Management
KPI 11: Project Management
KPI 12: Release and Deployment Management
KPI 13: Service Validation and Testing
KPI 14: Service Asset and Configuration Management
KPI 15: Incident Management
KPI 16: Problem Management
KPI 17: Service Review
KPI 18: Process Evaluation
KPI 19: Definition of Improvement Initiatives
CIS Controls v7.1 mapped to the State of Nevada Gaming Control Board
Minimum Internal Control Standards (MICS) v7 2015

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7

System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2
Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1
Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12
Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9
Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4
Application 20.5

Application 20.6

Application 20.7

Application 20.8
CIS Controls v7.1 mapped to the State of Nevada Gaming Control Board
Minimum Internal Control Standards (MICS) v7 2015

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
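Sub-controls 3.6 and 3.7 are one workflow: diff consecutive scans to see what was remediated and what is new, then rank what is still open by risk so the remediation queue is ordered. The following is an added example, not tooling from the CIS Controls text or any scanner vendor. Both scan exports, the asset criticality table and the remediation SLA per severity are constructed, and the finding identifiers are placeholders rather than real CVE numbers; the risk rating shown (CVSS weighted by asset criticality, plus days past SLA) is one reasonable scheme, not the one the text prescribes.

```python
"""Consecutive-scan comparison with risk-rated remediation queue (CIS Controls 3.6, 3.7).

Added example, not tooling from the CIS Controls text or any scanner vendor.
Both scan results, the asset criticality table and the SLA days per severity
are constructed; finding identifiers are placeholders, not real CVE numbers.
"""
from datetime import date

# Constructed remediation SLA in days, by severity derived from the CVSS base score.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
ASSET_CRITICALITY = {"db01": 3, "web01": 2, "kiosk07": 1}  # constructed: 3 = crown jewel

# Constructed scan exports: (host, finding_id, cvss, first_seen)
PREVIOUS_SCAN = [
    ("db01", "F-1001", 9.8, "2025-07-01"),
    ("web01", "F-1002", 7.5, "2025-07-15"),
    ("web01", "F-1003", 5.3, "2025-07-15"),
    ("kiosk07", "F-1004", 4.0, "2025-06-01"),
]
CURRENT_SCAN = [
    ("db01", "F-1001", 9.8, "2025-07-01"),     # still open
    ("web01", "F-1003", 5.3, "2025-07-15"),    # still open
    ("kiosk07", "F-1004", 4.0, "2025-06-01"),  # still open
    ("db01", "F-1005", 8.1, "2025-08-20"),     # new since the previous scan
]


def severity(cvss):
    """CVSS v3 qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def compare_scans(previous, current, as_of):
    """Diff two scans (3.6) and rank what is still open by risk (3.7)."""
    prev = {(h, f): (c, s) for h, f, c, s in previous}
    curr = {(h, f): (c, s) for h, f, c, s in current}
    remediated = sorted(prev.keys() - curr.keys())
    new = sorted(curr.keys() - prev.keys())
    open_findings = []
    for (host, fid), (cvss, first_seen) in curr.items():
        sev = severity(cvss)
        days_open = (as_of - date.fromisoformat(first_seen)).days
        overdue = max(0, days_open - SLA_DAYS[sev])
        # Risk rating: CVSS weighted by asset criticality, bumped by days past SLA,
        # so an old critical on a crown-jewel host rises to the top of the queue.
        priority = cvss * ASSET_CRITICALITY.get(host, 1) + overdue
        open_findings.append({
            "host": host, "id": fid, "severity": sev, "days_open": days_open,
            "overdue_days": overdue, "priority": round(priority, 1),
        })
    open_findings.sort(key=lambda f: -f["priority"])
    return {"remediated": remediated, "new": new, "open": open_findings}


def run(as_of_iso="2025-09-01"):
    """Compare the constructed scans as of the given date."""
    return compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    result = run()
    print("remediated:", result["remediated"])
    print("new:", result["new"])
    for f in result["open"]:
        print(f"{f['priority']:>6} {f['host']:8s} {f['id']} {f['severity']:8s} "
              f"open {f['days_open']}d, overdue {f['overdue_days']}d")
```

On the constructed data the critical finding on db01 has been open 62 days against a 7-day SLA and leads the queue; the new high on the same host outranks the older medium on web01 purely on asset criticality, and the kiosk finding is two days past its SLA but still last.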

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
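Sub-controls 4.8 and 4.9 name two events that should produce an alert: a membership change on a group that carries administrative privilege, and failed logins to an administrative account. The following is an added example, not tooling from the CIS Controls text, showing the detection logic run over a constructed, simplified key=value rendering of Windows Security log records. The event IDs are the standard ones (4728/4732/4756 member added to a global, local or universal security group, 4729/4733/4757 member removed, 4625 logon failure); the group names, accounts, addresses and times are constructed.

```python
"""Alerting on privileged-group changes and failed admin logons (CIS Controls 4.8, 4.9).

Added example, not tooling from the CIS Controls text. The events below are a
constructed, simplified key=value rendering of Windows Security log records;
the event IDs are the standard ones (4728/4732/4756 member added to a global,
local or universal security group, 4729/4733/4757 member removed, 4625 logon
failure). Group names, accounts, addresses and times are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
ADMIN_ACCOUNTS = {"adm-jlee", "adm-rpatel"}
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)
GROUP_ADD = {"4728", "4732", "4756"}
GROUP_REMOVE = {"4729", "4733", "4757"}

# Constructed events: timestamp followed by key=value fields (values may contain spaces).
EVENTS = [
    "2025-09-01T08:01:10 id=4732 subject=CORP\\svc-helpdesk member=CORP\\t.nguyen group=Remote Desktop Users",
    "2025-09-01T08:02:44 id=4728 subject=CORP\\adm-jlee member=CORP\\j.doe group=Domain Admins",
    "2025-09-01T08:05:00 id=4625 account=adm-rpatel src=10.5.1.77 status=0xC000006D",
    "2025-09-01T08:05:03 id=4625 account=adm-rpatel src=10.5.1.77 status=0xC000006D",
    "2025-09-01T08:05:05 id=4625 account=adm-rpatel src=10.5.1.77 status=0xC000006D",
    "2025-09-01T08:05:09 id=4625 account=adm-rpatel src=10.5.1.77 status=0xC000006D",
    "2025-09-01T08:05:12 id=4625 account=adm-rpatel src=10.5.1.77 status=0xC000006D",
    "2025-09-01T08:30:00 id=4625 account=adm-jlee src=10.5.1.20 status=0xC000006D",
    "2025-09-01T09:15:00 id=4625 account=adm-jlee src=10.5.1.20 status=0xC000006D",
    "2025-09-01T09:20:00 id=4625 account=k.smith src=10.5.1.33 status=0xC000006D",
    "2025-09-01T09:40:10 id=4729 subject=CORP\\adm-jlee member=CORP\\j.doe group=Domain Admins",
]

# A value runs until the next ' key=' or end of line, so 'group=Domain Admins' stays whole.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect(lines=EVENTS):
    """Return alert strings, in event order, for the two 4.8/4.9 conditions."""
    alerts = []
    failures = defaultdict(deque)  # admin account -> timestamps of recent 4625s
    for ev in (parse_event(line) for line in lines):
        eid = ev["id"]
        if eid in GROUP_ADD or eid in GROUP_REMOVE:
            if ev["group"] in PRIVILEGED_GROUPS:
                verb = "added to" if eid in GROUP_ADD else "removed from"
                alerts.append(f"{ev['ts'].isoformat()} privileged group change: "
                              f"{ev['member']} {verb} {ev['group']} by {ev['subject']}")
        elif eid == "4625" and ev["account"] in ADMIN_ACCOUNTS:
            window = failures[ev["account"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAILED_LOGON_WINDOW:
                window.popleft()
            # Alert exactly once when the threshold is reached inside the window.
            if len(window) == FAILED_LOGON_THRESHOLD:
                alerts.append(f"{ev['ts'].isoformat()} {FAILED_LOGON_THRESHOLD} failed logons "
                              f"to admin account {ev['account']} from {ev['src']} "
                              f"within {FAILED_LOGON_WINDOW}")
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

A single failed login to an administrative account is still logged, as 4.9 requires; the sliding window is what turns five of them in a few seconds into an alert while two spread over an hour stay in the log for later review. The Remote Desktop Users change is not alerted because that group is not in the privileged set, which is a policy decision, not a detection gap.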
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
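Sub-control 7.8 names three DNS-published records, and each has a small set of settings that decide whether it actually stops spoofing: SPF must end in a hard fail and stay under the lookup limit, a DKIM selector must still publish a key and not be left in test mode, and DMARC must enforce (quarantine or reject) on all mail with aggregate reporting turned on. The following is an added example, not tooling from the CIS Controls text; it reviews record contents already fetched from DNS, performs no lookups itself, and the records for both constructed domains are made up for the demonstration.

```python
"""Reviewing SPF, DKIM and DMARC TXT records for a sending domain (CIS Control 7.8).

Added example, not tooling from the CIS Controls text. It evaluates record
contents already fetched from DNS; the records below are constructed and no
lookups are performed. The SPF lookup count covers this record only, not the
records it includes.
"""
import re

# Constructed records for two domains: one as commonly found, one hardened.
DOMAINS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example ~all",
        "dkim": {"s1": "v=DKIM1; k=rsa; t=y; p="},
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailer.example -all",
        "dkim": {"s1": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"},  # constructed, truncated key
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
    },
}

# Mechanisms and modifiers that each cost one of the ten permitted DNS lookups.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def check_spf(txt):
    findings = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or not v=spf1"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, unlisted senders are neutral")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorizes every host on the Internet")
        elif qualifier in "~?":
            findings.append(f"SPF: '{qualifier}all' is not a hard fail; use '-all'")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_tags(txt):
    """'k=v; k2=v2' tag lists as used by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim(selector, txt):
    tags = parse_tags(txt)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append(f"DKIM {selector}: v= tag is not DKIM1")
    if not tags.get("p"):
        findings.append(f"DKIM {selector}: empty p= tag, key is revoked")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append(f"DKIM {selector}: t=y testing flag still set")
    return findings


def check_dmarc(txt):
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or not v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("DMARC: p= tag missing or invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves some mail unenforced")
    if not tags.get("rua"):
        findings.append("DMARC: no rua= address, aggregate reports are not collected")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unenforced")
    return findings


def review(domain, records=DOMAINS):
    rec = records[domain]
    return {
        "spf": check_spf(rec["spf"]),
        "dkim": [f for sel, txt in rec["dkim"].items() for f in check_dkim(sel, txt)],
        "dmarc": check_dmarc(rec["dmarc"]),
    }


if __name__ == "__main__":
    for domain in DOMAINS:
        print(domain, review(domain))
```

The sub-control's ordering (SPF and DKIM first, then DMARC) matters for the same reason the checks are separate: a DMARC p=reject published before SPF and DKIM pass for every legitimate sender will reject the organization's own mail, so the usual path is p=none with rua= to collect reports, then quarantine, then reject.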
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
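The account-lifecycle and login-monitoring sub-controls above (16.8, 16.9, 16.10, 16.12 and 16.13) are usually checked by a script run against an export of the authentication system. The following is an added example written for this page, not part of the CIS Controls text or the AuditScripts mapping tool. The account records, the login event lines, the 90-day dormancy threshold and the 07:00-19:59 UTC business-hours window are all constructed assumptions; a real deployment would pull the accounts from the directory and the events from the SIEM.

```python
"""Account monitoring checks for CIS sub-controls 16.8, 16.9, 16.10, 16.12 and 16.13.

Added example; the account inventory, events and thresholds below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed account inventory (16.6); last_login is None for never-used accounts.
ACCOUNTS = [
    {"name": "alice",   "enabled": True,  "expires": "2026-01-01", "last_login": "2024-05-30T09:12:00Z", "owner": "finance"},
    {"name": "bob",     "enabled": True,  "expires": "2024-03-01", "last_login": "2024-05-29T10:00:00Z", "owner": "it"},
    {"name": "svc_old", "enabled": True,  "expires": "2026-01-01", "last_login": "2023-11-02T03:00:00Z", "owner": None},
    {"name": "carol",   "enabled": False, "expires": "2026-01-01", "last_login": "2024-01-15T08:00:00Z", "owner": "hr"},
]

# Constructed authentication events: timestamp, account, result, source workstation.
LOGIN_EVENTS = """\
2024-06-01T08:55:10Z alice SUCCESS WS-FIN-01
2024-06-01T02:14:33Z alice SUCCESS WS-LAB-07
2024-06-01T09:01:00Z carol FAILURE WS-HR-02
2024-06-01T09:05:12Z bob SUCCESS WS-IT-03
"""

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
DORMANT_AFTER = timedelta(days=90)                      # assumed inactivity threshold (16.9)
BUSINESS_HOURS = range(7, 20)                           # assumed normal login window, 07:00-19:59 UTC (16.13)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dormant_accounts(accounts, now=NOW, threshold=DORMANT_AFTER):
    """16.9: enabled accounts with no login inside the threshold; never-used accounts count as dormant."""
    return [a["name"] for a in accounts
            if a["enabled"] and (a["last_login"] is None or now - parse_ts(a["last_login"]) > threshold)]


def expired_accounts(accounts, now=NOW):
    """16.10: accounts still enabled after their expiration date."""
    return [a["name"] for a in accounts
            if a["enabled"] and parse_ts(a["expires"] + "T00:00:00Z") < now]


def unowned_accounts(accounts):
    """16.8: accounts that cannot be tied to a business owner."""
    return [a["name"] for a in accounts if a["owner"] is None]


def suspicious_logins(accounts, events, hours=BUSINESS_HOURS):
    """16.12 and 16.13: attempts against disabled accounts, and successful logins outside normal hours."""
    disabled = {a["name"] for a in accounts if not a["enabled"]}
    alerts = []
    for line in events.splitlines():
        ts, user, result, host = line.split()
        when = parse_ts(ts)
        if user in disabled:
            alerts.append(("disabled-account-attempt", user, host))
        if result == "SUCCESS" and when.hour not in hours:
            alerts.append(("off-hours-login", user, host))
    return alerts


if __name__ == "__main__":
    print("dormant:", dormant_accounts(ACCOUNTS))
    print("expired:", expired_accounts(ACCOUNTS))
    print("unowned:", unowned_accounts(ACCOUNTS))
    for alert in suspicious_logins(ACCOUNTS, LOGIN_EVENTS):
        print("alert:", *alert)
```

Note that a failed login against a disabled account is still reported: sub-control 16.12 is about attempts, and such attempts are a common sign that a former user's credentials are being replayed.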
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping matrix columns for this sheet (the X marks per sub-control row are not reproducible from this extract):
1 Physical Access and Maintenance Controls
2 System Parameters
3 User Accounts
4 Generic User Accounts
5 Service & Default Accounts
6 Backups
7 Electronic Storage of Recordkeeping
8 Creation of Documentation
9 Wagering Instruments Database
10 Network Security and Data Protection
11 Remote Access
12 Changes to Production Environment
13 Information Technology Department
14 In-House Software Development
15 Purchased Software Programs
CIS Controls v7.1 mapped to Commonwealth of Massachusetts 201 CMR
17.00

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7
System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7
Critical Security Control #12: Boundary Defense
Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1
Network 13.2

Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8
Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1

Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10

Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6
Application 18.7

Application 18.8

Application 18.9

Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2
Application 20.3

Application 20.4

Application 20.5

Application 20.6

Application 20.7

Application 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
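Sub-controls 1.3, 1.5 and 1.6 above describe feeding DHCP server logs into the hardware inventory and acting on devices that are not approved. The following is an added example written for this page, not part of the CIS Controls text or the mapping tool. The inventory records and the log lines are constructed; the lines imitate the `DHCPACK on <ip> to <mac> (<hostname>) via <interface>` message that ISC dhcpd writes, but no real server produced them.

```python
"""Reconcile DHCP lease activity with the hardware asset inventory (CIS 1.3, 1.5, 1.6).

Added example; the inventory and the dhcpd-style log lines are constructed.
"""
import re

# Constructed inventory (1.5): hardware address -> network address, machine name, owner, department, approval.
INVENTORY = {
    "00:11:22:33:44:55": {"ip": "10.0.1.20", "name": "ws-fin-01",   "owner": "alice",      "dept": "finance", "approved": True},
    "00:11:22:33:44:66": {"ip": "10.0.1.21", "name": "ws-it-03",    "owner": "bob",        "dept": "it",      "approved": True},
    "00:11:22:33:44:77": {"ip": "10.0.1.22", "name": "old-printer", "owner": "facilities", "dept": "ops",     "approved": False},
}

# Constructed DHCP server log (1.3). Only DHCPACK lines prove a device actually took an address.
DHCP_LOG = """\
Jun  1 08:00:01 dhcp1 dhcpd: DHCPACK on 10.0.1.20 to 00:11:22:33:44:55 (ws-fin-01) via eth0
Jun  1 08:00:07 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to 00:11:22:33:44:66 (ws-it-03) via eth0
Jun  1 08:00:09 dhcp1 dhcpd: DHCPACK on 10.0.1.22 to 00:11:22:33:44:77 (old-printer) via eth0
Jun  1 08:00:15 dhcp1 dhcpd: DHCPACK on 10.0.1.99 to de:ad:be:ef:00:01 (rpi-unknown) via eth0
Jun  1 08:00:20 dhcp1 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:02 via eth0
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)", re.IGNORECASE)


def parse_leases(log_text):
    """Return one dict per DHCPACK line; DISCOVER/REQUEST/NAK lines are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()   # normalise so the MAC matches the inventory key
            leases.append(d)
    return leases


def reconcile(leases, inventory):
    """1.6: classify each lease as unknown device, unapproved device, or IP drift on a known device."""
    findings = {"unknown": [], "unapproved": [], "ip_changed": []}
    for lease in leases:
        asset = inventory.get(lease["mac"])
        if asset is None:
            findings["unknown"].append((lease["mac"], lease["ip"], lease["host"]))
        elif not asset["approved"]:
            findings["unapproved"].append((lease["mac"], asset["name"]))
        elif asset["ip"] != lease["ip"]:
            findings["ip_changed"].append((asset["name"], asset["ip"], lease["ip"]))
    return findings


def update_inventory(leases, inventory):
    """1.3: fold lease data back into a copy of the inventory; unknown devices enter as unapproved."""
    updated = {mac: dict(rec) for mac, rec in inventory.items()}
    for lease in leases:
        rec = updated.setdefault(lease["mac"],
                                 {"name": lease["host"] or "", "owner": None, "dept": None, "approved": False})
        rec["ip"] = lease["ip"]
    return updated


if __name__ == "__main__":
    leases = parse_leases(DHCP_LOG)
    for kind, items in reconcile(leases, INVENTORY).items():
        for item in items:
            print(kind, *item)
```

Unknown devices are added to the inventory with `approved` set to False rather than silently accepted; that keeps the inventory complete (1.4) while leaving the quarantine or removal decision (1.6) to a person.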
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
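Sub-controls 3.6 and 3.7 above ask for two things a scanner does not do by itself: comparing consecutive scans to confirm remediation, and ranking what remains by risk. The following is an added example written for this page, not part of the CIS Controls text or the mapping tool. The two scan exports, the first-seen dates, the CVSS bands and the remediation deadlines are constructed; the record layout is an assumption and does not correspond to any particular scanner's output.

```python
"""Compare consecutive vulnerability scans and prioritise what is still open (CIS 3.6 and 3.7).

Added example; scan results, first-seen dates and SLA values are constructed.
"""
from datetime import date

# Constructed scan results: (host, finding id, CVSS v3 base score).
PREVIOUS_SCAN = {
    ("web01", "CVE-2024-0001", 9.8),
    ("web01", "CVE-2023-5000", 5.3),
    ("db01",  "CVE-2024-0002", 7.5),
    ("db01",  "CVE-2022-1111", 3.1),
}
CURRENT_SCAN = {
    ("web01", "CVE-2024-0001", 9.8),   # still present: not remediated
    ("db01",  "CVE-2022-1111", 3.1),   # still present
    ("db01",  "CVE-2024-0003", 8.8),   # newly detected
    ("app01", "CVE-2024-0004", 6.5),   # new host and finding
}
# First observation date per finding, as a tracking system would keep it (constructed).
FIRST_SEEN = {
    ("web01", "CVE-2024-0001"): date(2024, 4, 1),
    ("db01",  "CVE-2022-1111"): date(2024, 1, 10),
    ("db01",  "CVE-2024-0003"): date(2024, 5, 28),
    ("app01", "CVE-2024-0004"): date(2024, 5, 30),
}
TODAY = date(2024, 6, 1)                                   # fixed so the example is reproducible
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}   # assumed policy
INTERNET_FACING = {"web01", "app01"}                        # assumed exposure data from the asset inventory


def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def compare_scans(previous, current):
    """3.6: split findings into remediated, new and persistent, keyed by (host, id)."""
    prev_keys = {(h, i) for h, i, _ in previous}
    cur_keys = {(h, i) for h, i, _ in current}
    return {
        "remediated": sorted(prev_keys - cur_keys),
        "new": sorted(cur_keys - prev_keys),
        "persistent": sorted(cur_keys & prev_keys),
    }


def prioritise(current, first_seen, today=TODAY, exposed=INTERNET_FACING, sla=SLA_DAYS):
    """3.7: rank open findings by a risk score and flag those past their deadline.

    Score = CVSS + 1.0 if the host is Internet-facing + 0.1 per 30 days the finding has been open,
    so long-lived findings rise over time. Exposed hosts get half the SLA for their severity band.
    """
    ranked = []
    for host, fid, cvss in current:
        age = (today - first_seen[(host, fid)]).days
        band = severity(cvss)
        deadline = sla[band] // 2 if host in exposed else sla[band]
        score = cvss + (1.0 if host in exposed else 0.0) + 0.1 * (age // 30)
        ranked.append({"host": host, "id": fid, "severity": band, "score": round(score, 1),
                       "age_days": age, "overdue": age > deadline})
    ranked.sort(key=lambda r: (-r["score"], r["host"]))
    return ranked


if __name__ == "__main__":
    for bucket, items in compare_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(bucket, items)
    for row in prioritise(CURRENT_SCAN, FIRST_SEEN):
        print(row)
```

A finding that disappears between scans is only "remediated" if the second scan reached the host with the same credentials; a host that was offline or rejected the scan account (3.2, 3.3) will look clean, so scan coverage should be compared alongside the finding sets.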

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.

Configure devices to not auto-run content from removable media.


Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.


Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders' technical
capabilities using the tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping grid columns (the "X" marks linking each CIS sub-control to a column were lost in extraction):
IV: Designated Data Security Coordinator
IV-a: DSC is responsible for implementation of the WISP
IV-b: DSC is responsible for training employees
IV-c: DSC is responsible for testing the WISP
IV-d: DSC is responsible for evaluate third parties
IV-e: DSC is responsible for review security measures
IV-f: DSC is responsible for performing annual training
V-01: Internal Threats - Distribution of WISP to Employees
V-02: Internal Threats - Employee Awareness Training
V-03: Internal Threats - Employment Contract Provisions
V-04: Internal Threats - Data Collected
V-05: Internal Threats - Limit Access Based on Need to Know
V-06: Internal Threats - Block Unauthorized Access to Data
V-07: Internal Threats - Annual Security Measure Review
V-08: Internal Threats - Employee Termination Procedures (Return of Data)
V-09: Internal Threats - Employee Termination Procedures (Access Revoked)
V-10: Internal Threats - Passwords Changed Regularly
V-11: Internal Threats - Access Provided to Active Users Only
V-12: Internal Threats - Reporting Suspicious Behavior
V-13: Internal Threats - Incident Handling
V-14: Internal Threats - Do Not Leave Data Unattended
V-15: Internal Threats - Close Data at Conclusion of Work Day
V-16: Internal Threats - Restrict Physical Access to Data
V-17: Internal Threats - Unique User IDs Required
V-18: Internal Threats - Restrict Visitor Physical Access
V-19: Internal Threats - Disposal of Media
VI-01: External Threats - Firewall and OS Patches
VI-02: External Threats - Endpoint Protection
VI-03: External Threats - Encryption of sensitive data
VI-04: External Threats - Monitoring
VI-05: External Threats - Authentication
CIS Controls v7.1 mapped to New York State Department of Financial Services 23 NYCRR 500

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4
System 4.5

System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7

System 8.8
Critical Security Control #9: Limitation and Control of Network Ports
System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1

Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2
Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1
Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9

Application 16.10

Application 16.11

Application 16.12
Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9
Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4
Application 20.5

Application 20.6

Application 20.7

Application 20.8
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
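The DMARC item above (sub-control 7.8) is easy to satisfy on paper with a record that changes nothing: a DMARC policy of p=none or an SPF record ending in +all still lets spoofed mail through. The following added example, not part of the CIS text or the AuditScripts tool, evaluates SPF and DMARC records for those weaknesses. The records are constructed for a fictitious domain; in practice you would fetch the TXT records for the domain and for _dmarc.<domain> from DNS.

```python
"""Checks on published SPF and DMARC TXT records for the weaknesses that let
spoofed mail from your own domain through."""
import re

# Constructed records for a fictitious domain. In production, fetch the TXT
# records for "<domain>" and "_dmarc.<domain>" with your resolver instead.
RECORDS = {
    "example-corp.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.test ~all",
    "_dmarc.example-corp.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.test; pct=50",
}

# SPF mechanisms that cost a DNS lookup when evaluated.
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", re.I)


def parse_dmarc(record):
    """'tag=value; tag=value' -> dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record):
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once the reports are clean")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains are left unprotected")
    return findings


def check_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    mechs = terms[1:]
    all_terms = [m for m in mechs if m.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qual = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qual == "+":
            findings.append("+all: every sender on the Internet passes SPF")
        elif qual in "~?":
            findings.append(f"{qual}all: soft-fail or neutral, receivers rarely reject on it")
        if mechs[-1].lstrip("+-~?").lower() != "all":
            findings.append("mechanisms after 'all' are never evaluated")
    # RFC 7208 limits DNS-querying terms (include, a, mx, ptr, exists, redirect)
    # to 10 per evaluation; beyond that receivers return permerror.
    lookups = sum(1 for m in mechs if LOOKUP_MECH.match(m) or m.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    if any(m.lstrip("+-~?").lower().startswith("ptr") for m in mechs):
        findings.append("ptr mechanism is deprecated and should not be used")
    return findings


def audit(records, domain):
    return {"spf": check_spf(records.get(domain, "")),
            "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", ""))}


if __name__ == "__main__":
    for kind, found in audit(RECORDS, "example-corp.test").items():
        print(kind, found or "ok")
```

The sample domain is a typical half-finished deployment: SPF is published but soft-fails, and DMARC exists but at p=none and pct=50, so nothing is actually rejected. The check should be re-run whenever the mail provider's include: target changes, since that is where lookup counts usually creep past ten.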
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
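The first three items of this control (sub-controls 9.1 to 9.3) amount to one check: what is actually listening on a host, compared with what the asset inventory says should be. The added example below, which is not from the CIS text or the AuditScripts tool, parses the output of `ss -ltnup` collected from each host and reports listeners that are not in the inventory, distinguishing loopback-only services from network-reachable ones. The inventory entries and the `ss` output are constructed for the example.

```python
"""Compare the ports listening on each host (parsed from `ss -ltnup` output)
with the services approved for that host in the asset inventory, and report
anything unapproved or expected-but-absent."""
import re

# Approved (protocol, port) pairs per host as recorded in the asset inventory
# (constructed for the example).
INVENTORY = {
    "web01": {("tcp", 22), ("tcp", 443)},
    "db01": {("tcp", 22), ("tcp", 5432)},
}

# Constructed `ss -ltnup` output from each host, not real data.
SS_OUTPUT = {
    "web01": """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:443              *:*               users:(("nginx",pid=1021,fd=6))
tcp   LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*         users:(("java",pid=2210,fd=44))
tcp   LISTEN 0      4096   [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=600,fd=5))
""",
    "db01": """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=790,fd=3))
tcp   LISTEN 0      244    0.0.0.0:5432       0.0.0.0:*         users:(("postgres",pid=1500,fd=7))
tcp   LISTEN 0      128    0.0.0.0:6379       0.0.0.0:*         users:(("redis-server",pid=1777,fd=6))
""",
}

# proto, state, recv-q, send-q, local addr:port, peer, optional process name
LINE = re.compile(r'^(tcp|udp)\s+(\S+)\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?')


def parse_ss(text):
    """Return {(proto, port): (bind_address, process)} for listening sockets.
    IPv4 and IPv6 listeners on the same port collapse to one entry."""
    listening = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, state, addr, port, proc = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue
        listening.setdefault((proto, int(port)), (addr, proc or "?"))
    return listening


def audit_ports(inventory, outputs):
    """Per host: unapproved listeners (severity, proto, port, addr, process)
    and approved services that are not actually running."""
    findings = {}
    for host, text in outputs.items():
        observed = parse_ss(text)
        approved = inventory.get(host, set())
        unapproved = []
        for (proto, port), (addr, proc) in sorted(observed.items()):
            if (proto, port) in approved:
                continue
            # Loopback-only listeners are not reachable from the network, so
            # they are reported for the inventory rather than as an alert.
            severity = "info" if addr.startswith(("127.", "[::1]")) else "alert"
            unapproved.append((severity, proto, port, addr, proc))
        missing = sorted(approved - set(observed))
        findings[host] = {"unapproved": unapproved, "missing": missing}
    return findings


if __name__ == "__main__":
    for host, f in audit_ports(INVENTORY, SS_OUTPUT).items():
        print(host, f)
```

A host-side listing like this complements the external port scans of sub-control 9.3 rather than replacing them: `ss` shows what is bound, the scanner shows what is reachable through the host firewall of 9.4, and a difference between the two is itself worth a look.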
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
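The perimeter monitoring item above (sub-control 13.3) is where data loss prevention tools earn or lose their keep: a naive digit pattern for payment card numbers fires on every order number and invoice reference, and the alert stream is ignored within a week. The added example below, not part of the CIS text or the AuditScripts tool, shows the inspection logic with the Luhn check that separates card numbers from ordinary digit strings, plus a classification-marker rule, and it masks matches so the alert itself does not leak the data. The sample attachments are constructed.

```python
"""Perimeter content inspection for sensitive data: Luhn-validated payment
card numbers (so ordinary 16-digit reference numbers do not trigger) and
documents carrying a classification marker."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
CLASSIFICATION = re.compile(r"\b(CONFIDENTIAL|RESTRICTED|SECRET)\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    return "*" * (len(pan) - 4) + pan[-4:]


def inspect_message(text):
    """Return ("block" | "allow", reasons). Reasons never contain a full PAN,
    so the alert does not itself become a leak."""
    reasons = []
    pans = find_pans(text)
    if pans:
        reasons.append("PAN: " + ", ".join(mask(p) for p in pans))
    markers = sorted(set(CLASSIFICATION.findall(text)))
    if markers:
        reasons.append("classification marker: " + ", ".join(markers))
    return ("block" if reasons else "allow", reasons)


def scan_all(messages):
    return {name: inspect_message(body) for name, body in messages.items()}


# Constructed outbound attachments, not real data. The order export carries a
# 16-digit number that fails the Luhn check and must not be reported.
SAMPLE_MESSAGES = {
    "expense-report.txt": "Reimburse card 4111 1111 1111 1111 for travel, ref 2024-0312.",
    "order-export.csv": "order_id,amount\n1234567890123456,19.99\n",
    "board-minutes.txt": "CONFIDENTIAL - not for distribution outside the company.",
    "newsletter.html": "Call 555-0100 for details. Sale ends 2024-12-31.",
}

if __name__ == "__main__":
    for name, (verdict, why) in scan_all(SAMPLE_MESSAGES).items():
        print(f"{name}: {verdict} {why}")
```

The Luhn check removes most false positives but not all (roughly one random 16-digit number in ten passes it), so a production rule would also require a plausible issuer prefix and length, and would weight hits by how many distinct numbers appear in one file.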

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Store all authentication credentials encrypted or as salted hashes; passwords in particular should be
stored only as salted hashes computed with a password-hashing function, never in a recoverable form.


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
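The last item of this control (sub-control 16.13) asks for alerts on deviations from a user's normal login behaviour, which presupposes a baseline of what normal is. The added example below, which is not from the CIS text or the AuditScripts tool, builds that baseline (workstations used and hours of day) from a history of successful interactive logons, scores new events against it, and reuses the same data to list dormant accounts for sub-control 16.9. The logon records, the dormancy threshold and the one-hour tolerance are assumptions constructed for the example.

```python
"""Per-user baseline of normal interactive logons (hour of day and
workstation) built from historical events, with alerts on new events that
deviate from it; the same baseline yields the dormant-account list."""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 45   # assumption: inactivity threshold for sub-control 16.9
MIN_HISTORY = 5     # fewer historical logons than this: no behavioural baseline yet
HOUR_SLACK = 1      # hours either side of a previously seen hour still count as normal

# Constructed history of successful interactive logons: (user, workstation, timestamp).
HISTORY = [
    ("alice", "WS-ALICE", "2024-02-05T08:55:00"),
    ("alice", "WS-ALICE", "2024-02-06T09:02:00"),
    ("alice", "WS-ALICE", "2024-02-07T08:47:00"),
    ("alice", "WS-ALICE", "2024-02-08T09:10:00"),
    ("alice", "WS-LAB-3", "2024-02-09T13:30:00"),
    ("alice", "WS-ALICE", "2024-02-12T08:58:00"),
    ("bob", "WS-BOB", "2024-01-03T07:40:00"),
    ("bob", "WS-BOB", "2024-01-04T07:45:00"),
]

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", "WS-ALICE", "2024-03-01T09:05:00"),      # normal
    ("alice", "WS-ALICE", "2024-03-02T03:12:00"),      # unusual hour
    ("alice", "WS-FINANCE-7", "2024-03-02T09:30:00"),  # unusual workstation
    ("bob", "WS-BOB", "2024-03-01T07:50:00"),          # too little history to judge
]


def build_baseline(history):
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "count": 0, "last": None})
    for user, host, ts in history:
        t = datetime.fromisoformat(ts)
        b = base[user]
        b["hosts"].add(host)
        b["hours"].add(t.hour)
        b["count"] += 1
        b["last"] = t if b["last"] is None else max(b["last"], t)
    return dict(base)


def evaluate(baseline, events):
    """Return (user, timestamp, reasons) for each event outside the user's baseline."""
    alerts = []
    for user, host, ts in events:
        b = baseline.get(user)
        if b is None or b["count"] < MIN_HISTORY:
            continue  # not enough history to judge: record it, do not alert
        t = datetime.fromisoformat(ts)
        reasons = []
        if host not in b["hosts"]:
            reasons.append(f"new workstation {host}")
        normal_hours = {(h + d) % 24 for h in b["hours"]
                        for d in range(-HOUR_SLACK, HOUR_SLACK + 1)}
        if t.hour not in normal_hours:
            reasons.append(f"unusual hour {t.strftime('%H:%M')}")
        if reasons:
            alerts.append((user, ts, reasons))
    return alerts


def dormant_accounts(baseline, today):
    """Accounts with no logon in the DORMANT_DAYS before `today` (ISO date)."""
    cutoff = datetime.fromisoformat(today) - timedelta(days=DORMANT_DAYS)
    return sorted(u for u, b in baseline.items() if b["last"] < cutoff)


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for alert in evaluate(baseline, NEW_EVENTS):
        print(alert)
    print("dormant:", dormant_accounts(baseline, "2024-03-01"))
```

Two design choices matter in practice. The baseline is only consulted once a user has enough history, otherwise every new starter generates a week of alerts. And a dormant account is defined from the same logon data the alerting uses, so an account that never appears in the logon stream at all (a service account, or one created and never used) shows up as missing from the baseline rather than silently passing, which is the case sub-control 16.8 is about.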
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to identify the skills and behaviors that workforce members lack or are
not following, and use this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
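The second item of this control (sub-control 18.2) calls for explicit checking of every input for size, type and acceptable range or format. The added example below, which is not from the CIS text or the AuditScripts tool, shows a request handler for a hypothetical funds-transfer API in its trusting form and its validated form side by side, so the difference is concrete: negative amounts, numbers sent as strings, booleans where integers are expected, unexpected fields and oversized bodies are all rejected before any business logic runs. The field names, limits and account-id format are assumptions made for the example.

```python
"""Explicit input validation for an in-house API handler: size, type, range
and format are each checked, and the request is rejected on the first
violation instead of being coerced into something that looks valid."""
import json
import re
from dataclasses import dataclass

MAX_BODY_BYTES = 4096                       # assumption: request body limit
MAX_AMOUNT_CENTS = 100_000_000               # assumption: 1,000,000.00 per transfer
ACCOUNT_ID = re.compile(r"[A-Z]{2}[0-9]{8}")  # assumption: hypothetical id format
MEMO_ALLOWED = re.compile(r"[\w .,'-]{0,140}")  # no control characters, bounded length
EXPECTED_FIELDS = {"source", "destination", "amount", "memo"}


class ValidationError(ValueError):
    pass


@dataclass(frozen=True)
class Transfer:
    source: str
    destination: str
    amount_cents: int
    memo: str


def unsafe_parse_transfer(body):
    """The trusting form: whatever the client sent is passed on. A negative
    amount, a float, a string, or a 10 MB memo all go straight through."""
    return {"source": body["source"], "destination": body["destination"],
            "amount_cents": body["amount"], "memo": body.get("memo", "")}


def parse_transfer(raw: bytes) -> Transfer:
    """The validated form. Checks are ordered cheapest first so an oversized
    or malformed body is rejected before anything is parsed."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValidationError(f"malformed JSON: {exc}") from None
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")
    unexpected = set(body) - EXPECTED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    for field in ("source", "destination"):
        value = body.get(field)
        if not isinstance(value, str) or not ACCOUNT_ID.fullmatch(value):
            raise ValidationError(f"{field}: expected an account id such as GB12345678")
    if body["source"] == body["destination"]:
        raise ValidationError("source and destination must differ")
    amount = body.get("amount")
    # bool is a subclass of int in Python, so `true` would otherwise pass as 1.
    if isinstance(amount, bool) or not isinstance(amount, int):
        raise ValidationError("amount: expected an integer number of cents")
    if not 1 <= amount <= MAX_AMOUNT_CENTS:
        raise ValidationError("amount: out of range")
    memo = body.get("memo", "")
    # fullmatch, not match: `$` would accept a trailing newline.
    if not isinstance(memo, str) or not MEMO_ALLOWED.fullmatch(memo):
        raise ValidationError("memo: up to 140 printable characters")
    return Transfer(body["source"], body["destination"], amount, memo)


def validation_error(raw: bytes):
    """Return the rejection reason for a body, or None if it is accepted."""
    try:
        parse_transfer(raw)
    except ValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    good = b'{"source": "GB12345678", "destination": "GB87654321", "amount": 2500, "memo": "rent"}'
    print(parse_transfer(good))
    print(validation_error(b'{"source": "GB12345678", "destination": "GB87654321", "amount": -5}'))
```

Rejecting unexpected fields is the check most often left out; it is what stops a client from smuggling in an `admin` or `fee_waived` property that a later, less careful layer happens to honour.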
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Use the score to define the frequency of status updates and the escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c): CIS Controls v7.1 mapped to the Section 500 requirements (the section headings of 23 NYCRR Part 500)

Columns of the mapping matrix:
Section 500.02 Cybersecurity Program
Section 500.03 Cybersecurity Policy
Section 500.04 Chief Information Security Officer
Section 500.05 Penetration Testing and Vulnerability Assessments
Section 500.06 Audit Trail
Section 500.07 Access Privileges
Section 500.08 Application Security
Section 500.09 Risk Assessment
Section 500.10 Cybersecurity Personnel and Intelligence
Section 500.11 Third Party Information Security Policy
Section 500.12 Multi-Factor Authentication
Section 500.13 Limitations on Data Retention
Section 500.14 Training and Monitoring
Section 500.15 Encryption of Nonpublic Information
Section 500.16 Incident Response Plan

[Mapping matrix: the X marks recording which CIS sub-control maps to which section were separated from their rows during extraction and cannot be reconstructed here.]
CIS Controls v7.1 mapped to the Victorian Protective Data Security Framework (v1.0)

Row labels of the mapping sheet, one row per CIS sub-control (the VPDSF columns and their mapping marks were separated from the rows during extraction and are not reproduced):

Control                                                                                                          Rows
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices                                   System 1.1 to 1.8
Critical Security Control #2: Inventory of Authorized and Unauthorized Software                                  System 2.1 to 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation                                System 3.1 to 3.7
Critical Security Control #4: Controlled Use of Administrative Privileges                                        System 4.1 to 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software                                    System 5.1 to 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs                                System 6.1 to 6.8
Critical Security Control #7: Email and Web Browser Protections                                                  System 7.1 to 7.10
Critical Security Control #8: Malware Defenses                                                                   System 8.1 to 8.8
Critical Security Control #9: Limitation and Control of Network Ports                                            System 9.1 to 9.5
Critical Security Control #10: Data Recovery Capabilities                                                        System 10.1 to 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches  Network 11.1 to 11.7
Critical Security Control #12: Boundary Defense                                                                  Network 12.1 to 12.12
Critical Security Control #13: Data Protection                                                                   Network 13.1 to 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know                                       Application 14.1 to 14.9
Critical Security Control #15: Wireless Access Control                                                           Network 15.1 to 15.10
Critical Security Control #16: Account Monitoring and Control                                                    Application 16.1 to 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program                               Application 17.1 to 17.9
Critical Security Control #18: Application Software Security                                                     Application 18.1 to 18.11
Critical Security Control #19: Incident Response and Management                                                  Application 19.1 to 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises                                          Application 20.1 to 20.8
CIS Controls v7.1 mapped to the Victorian Protective Data Security Framework (v1.0)

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following the IEEE 802.1X standard, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.

Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
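The last two items of this control (sub-controls 3.6 and 3.7) are the part of vulnerability management that is usually done by hand in a spreadsheet: comparing consecutive scans to confirm fixes landed, and deciding what to fix first. The added example below, which is not from the CIS text or the AuditScripts tool, diffs two scan exports, ranks the open findings by a risk score that weights CVSS by exploit availability and network exposure, and flags findings that have been open longer than their remediation SLA. The scan rows, the exposure data and the SLA table are assumptions constructed for the example, and the finding identifiers are placeholders rather than real CVE numbers.

```python
"""Diff two consecutive vulnerability scans to confirm remediation, then
rank what remains by risk and flag findings that have outlived their SLA."""
from collections import namedtuple
from datetime import date

# host, scanner finding id, CVSS base score, public exploit known, first seen (ISO date)
Finding = namedtuple("Finding", "host finding_id cvss exploit first_seen")

# Constructed scan exports; finding ids are placeholders, not real CVEs.
PREVIOUS = [
    Finding("web01", "vuln-1001", 9.8, True, "2024-01-10"),
    Finding("web01", "vuln-1002", 5.3, False, "2024-01-10"),
    Finding("db01", "vuln-1003", 7.5, False, "2024-01-25"),
    Finding("db01", "vuln-1002", 5.3, False, "2024-01-10"),
]
LATEST = [
    Finding("web01", "vuln-1001", 9.8, True, "2024-02-08"),  # scanner restamped first_seen
    Finding("db01", "vuln-1003", 7.5, False, "2024-02-08"),
    Finding("db01", "vuln-1004", 8.1, True, "2024-02-08"),
]

# Assumptions: network exposure from the asset inventory, and remediation
# SLAs by severity as (minimum CVSS, days allowed).
EXPOSURE = {"web01": "internet", "db01": "internal"}
SLA_DAYS = [(9.0, 15), (7.0, 30), (4.0, 90), (0.0, 180)]


def diff_scans(previous, latest):
    """Sub-control 3.6: which findings were fixed, which are new, which persist."""
    prev = {(f.host, f.finding_id) for f in previous}
    cur = {(f.host, f.finding_id) for f in latest}
    return {"remediated": sorted(prev - cur),
            "new": sorted(cur - prev),
            "persistent": sorted(prev & cur)}


def risk_score(f, exposure):
    """CVSS weighted by exploit availability and by whether the host is
    reachable from the Internet (sub-control 3.7)."""
    score = f.cvss
    if f.exploit:
        score *= 1.5
    if exposure.get(f.host) == "internet":
        score *= 1.3
    return round(score, 1)


def prioritize(latest, exposure):
    ranked = sorted(latest, key=lambda f: risk_score(f, exposure), reverse=True)
    return [(f.host, f.finding_id, risk_score(f, exposure)) for f in ranked]


def sla_for(cvss):
    for floor, days in SLA_DAYS:
        if cvss >= floor:
            return days
    return SLA_DAYS[-1][1]


def overdue(previous, latest, today):
    """Findings open longer than their SLA. The first-seen date comes from the
    earlier scan when a finding persists, because scanners often restamp it."""
    today = date.fromisoformat(today)
    first_seen = {(f.host, f.finding_id): f.first_seen for f in previous}
    out = []
    for f in latest:
        first = first_seen.get((f.host, f.finding_id), f.first_seen)
        age = (today - date.fromisoformat(first)).days
        if age > sla_for(f.cvss):
            out.append((f.host, f.finding_id, age, sla_for(f.cvss)))
    return sorted(out)


if __name__ == "__main__":
    print(diff_scans(PREVIOUS, LATEST))
    print(prioritize(LATEST, EXPOSURE))
    print(overdue(PREVIOUS, LATEST, "2024-02-08"))
```

Carrying the first-seen date across scans is the detail that makes the overdue report honest: if the scanner's own timestamp were trusted, every persistent finding would appear to be brand new after each scan and nothing would ever breach its SLA.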

Critical Security Control #4: Controlled Use of Administrative Privileges
4.1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
4.4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
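The two alert rules in 4.8 and 4.9 evaluated over a constructed stream of Windows Security events. This is an added example, not part of the CIS document or the mapping tool. The event IDs are the Windows-defined ones; the field names, the privileged group list and the admin account list are assumptions (the latter two would come from the inventory 4.1 asks for).

```python
# Added example, not from the CIS Controls document: evaluate a stream of
# Windows Security events against two alert rules, privileged-group membership
# changes (4.8) and failed logons to administrative accounts (4.9).
from collections import defaultdict
from typing import Dict, List, Tuple

# Windows Security event IDs (stable across supported Windows versions).
GROUP_MEMBER_ADDED   = {4728, 4732, 4756}  # global / local / universal security group
GROUP_MEMBER_REMOVED = {4729, 4733, 4757}
LOGON_FAILED = 4625

# Assumed: taken from the administrative account inventory that 4.1 asks for.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"adm-jdoe", "adm-backup"}

# Constructed events in the field layout a log forwarder might produce; the
# field names are assumptions, only the event IDs are Windows-defined.
EVENTS = [
    {"id": 4732, "ts": "2024-03-01T09:00:01", "host": "DC01", "group": "Administrators",
     "member": "CORP\\svc-web", "actor": "CORP\\adm-jdoe"},
    {"id": 4728, "ts": "2024-03-01T09:05:10", "host": "DC01", "group": "Staff",
     "member": "CORP\\jsmith", "actor": "CORP\\hr-onboard"},
    {"id": 4729, "ts": "2024-03-01T09:07:44", "host": "DC01", "group": "Domain Admins",
     "member": "CORP\\adm-backup", "actor": "CORP\\adm-jdoe"},
    {"id": 4625, "ts": "2024-03-01T09:10:00", "host": "DC01", "target": "adm-jdoe", "src_ip": "10.0.0.77"},
    {"id": 4625, "ts": "2024-03-01T09:10:02", "host": "DC01", "target": "adm-jdoe", "src_ip": "10.0.0.77"},
    {"id": 4625, "ts": "2024-03-01T09:10:05", "host": "DC01", "target": "adm-jdoe", "src_ip": "10.0.0.77"},
    {"id": 4625, "ts": "2024-03-01T09:11:00", "host": "FS01", "target": "jsmith", "src_ip": "10.0.0.23"},
]

def group_change_alerts(events: List[dict]) -> List[str]:
    """One alert per add/remove on a privileged group (4.8). Changes to
    ordinary groups are ignored so the rule stays low-noise."""
    alerts = []
    for e in events:
        if e["id"] in GROUP_MEMBER_ADDED and e["group"] in PRIVILEGED_GROUPS:
            alerts.append(f"{e['ts']} {e['host']}: {e['member']} added to {e['group']} by {e['actor']}")
        elif e["id"] in GROUP_MEMBER_REMOVED and e["group"] in PRIVILEGED_GROUPS:
            alerts.append(f"{e['ts']} {e['host']}: {e['member']} removed from {e['group']} by {e['actor']}")
    return alerts

def failed_admin_logon_alerts(events: List[dict]) -> List[str]:
    """One alert per failed logon to an administrative account (4.9)."""
    return [f"{e['ts']} {e['host']}: failed logon to {e['target']} from {e['src_ip']}"
            for e in events if e["id"] == LOGON_FAILED and e["target"] in ADMIN_ACCOUNTS]

def failed_admin_logon_bursts(events: List[dict], threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """Aggregate 4.9 alerts by (account, source) so a spray or brute force
    shows up as one escalated event rather than N lines."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e["id"] == LOGON_FAILED and e["target"] in ADMIN_ACCOUNTS:
            counts[(e["target"], e["src_ip"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for line in group_change_alerts(EVENTS) + failed_admin_logon_alerts(EVENTS):
        print("ALERT", line)
    for (acct, ip), n in failed_admin_logon_bursts(EVENTS).items():
        print(f"ESCALATE {n} failed logons to {acct} from {ip}")
```

Removals are alerted as well as additions: an attacker who has taken a domain admin account will sometimes remove a legitimate administrator to slow the response, and a removal of adm-backup by adm-jdoe is exactly the line a responder wants to see.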
Critical Security Control #5: Secure Configurations for Hardware and Software
5.1 Maintain documented security configuration standards for all authorized operating systems and software.
5.2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
6.1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2 Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7 On a regular basis, review logs to identify anomalies or abnormal events.
6.8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections
7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8 To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.
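What DMARC adds on top of the SPF and DKIM checks named in 7.8 is identifier alignment: an SPF or DKIM pass only counts when the authenticated domain lines up with the domain the recipient sees in the From header. The receiver-side evaluation below is an added example, not part of the CIS document or the mapping tool. The record, domains and messages are constructed (example.com and example.net are reserved documentation domains), and the organizational-domain rule is simplified to the last two labels, which a real implementation replaces with the Public Suffix List.

```python
# Added example, not from the CIS Controls document: the identifier-alignment
# check that DMARC layers over SPF and DKIM (7.8). A message only passes DMARC
# when an SPF or DKIM pass is for a domain aligned with the visible From domain.
from typing import Dict, Optional

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s; ...') into tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    return tags

def org_domain(d: str) -> str:
    """Organizational domain. Assumption for this example: the last two labels.
    A real implementation consults the Public Suffix List (e.g. for co.uk)."""
    labels = d.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r', the default): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(record: str, from_domain: str,
                   spf_pass: bool, spf_domain: Optional[str],
                   dkim_pass: bool, dkim_domain: Optional[str]) -> str:
    """Return 'pass' or the disposition the receiver should apply
    ('none', 'quarantine' or 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomain senders fall under sp= when present, otherwise the main p=.
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return tags["sp"] if is_subdomain and "sp" in tags else tags["p"]

# Constructed record for example.com (reserved documentation domain).
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Legitimate bulk sender: SPF passes for the MAIL FROM subdomain, relaxed alignment holds.
    print(dmarc_evaluate(EXAMPLE_RECORD, "example.com", True, "bounce.example.com", False, None))
    # Spoof: SPF passes for the attacker's own domain and DKIM is signed by a non-aligned domain.
    print(dmarc_evaluate(EXAMPLE_RECORD, "example.com", True, "attacker.example.net", True, "mail.example.com"))
```

The second case is the one SPF and DKIM alone get wrong: both checks pass, because the attacker controls the envelope sender and the signing key for their own domain, yet the message is rejected because neither authenticated identity is aligned with example.com. Start with p=none and the rua reports to find legitimate senders that are not yet aligned, then move to quarantine and reject.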
Critical Security Control #8: Malware Defenses
8.1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
8.2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
8.4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
8.5 Configure devices to not auto-run content from removable media.
8.6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
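The detection that 8.7 enables the logging for: match DNS query logs against a list of known-malicious domains and return the client that made the lookup. This is an added example, not part of the CIS document or the mapping tool. The log lines are constructed in the BIND 9 query-log layout and the blocklist entries use the reserved .example TLD; a real deployment feeds the resolver's actual log and a threat-intelligence list.

```python
# Added example, not from the CIS Controls document: match DNS query logs
# (8.7) against a list of known-malicious domains. Matching is done label by
# label so that hosts under a listed domain are caught while look-alikes that
# merely end in the same characters are not.
import re
from typing import List, Optional, Set, Tuple

# Constructed blocklist; a real one is a threat-intel feed. Domains use the
# reserved .example TLD so nothing here resolves.
BLOCKLIST: Set[str] = {"evil.example", "c2.badcorp.example"}

# Constructed lines in the BIND 9 query-log style (category 'queries').
QUERY_LOG = """01-Mar-2024 09:00:01.101 client @0x7f3c4c0 10.0.0.5#53211 (www.intranet.example): query: www.intranet.example IN A +E(0)K (10.0.0.53)
01-Mar-2024 09:00:02.512 client @0x7f3c4c0 10.0.0.7#41002 (cdn.evil.example): query: cdn.evil.example IN A +E(0)K (10.0.0.53)
01-Mar-2024 09:00:03.009 client @0x7f3c4c0 10.0.0.7#41003 (notevil.example): query: notevil.example IN AAAA + (10.0.0.53)
01-Mar-2024 09:00:04.777 client @0x7f3c4c0 10.0.0.9#55120 (c2.badcorp.example): query: c2.badcorp.example IN TXT +E(0)K (10.0.0.53)
01-Mar-2024 09:00:05.010 client @0x7f3c4c0 10.0.0.9#55121 (EVIL.example.): query: EVIL.example. IN A + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[^#\s]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'EVIL.example.' == 'evil.example'."""
    return name.lower().rstrip(".")

def blocked_parent(name: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry that covers name, matching on whole labels:
    'cdn.evil.example' is under 'evil.example'; 'notevil.example' is not."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def parse_query_log(text: str) -> List[Tuple[str, str, str, str]]:
    """(timestamp, client_ip, queried_name, qtype) for every parsable line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["ts"], m["ip"], m["name"], m["qtype"]))
    return out

def find_hits(text: str, blocklist: Set[str] = BLOCKLIST) -> List[Tuple[str, str, str, str]]:
    """(timestamp, client_ip, queried_name, matched_entry) for every lookup
    that falls under a listed domain; the client IP is the host to triage."""
    hits = []
    for ts, ip, name, _qtype in parse_query_log(text):
        entry = blocked_parent(name, blocklist)
        if entry:
            hits.append((ts, ip, normalize(name), entry))
    return hits

if __name__ == "__main__":
    for ts, ip, name, entry in find_hits(QUERY_LOG):
        print(f"{ts} {ip} looked up {name} (listed: {entry})")
```

A plain substring or endswith() match would flag notevil.example and miss nothing, which sounds harmless until the list contains a short domain and the false positives drown the real hits; matching whole labels keeps the rule precise while still catching every host under a listed zone.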
Critical Security Control #9: Limitation and Control of Network Ports
9.1 Associate active ports, services, and protocols to the hardware assets in the asset inventory.
9.2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
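Sub-controls 9.1 to 9.3 together describe one procedure: record the approved services per host, scan, and alert on the difference. The script below is an added example, not part of the CIS document or the mapping tool. It parses a constructed sweep in nmap's grepable (-oG) output format and compares it with an assumed inventory; the hosts, ports and hostnames are constructed.

```python
# Added example, not from the CIS Controls document: compare the open ports an
# nmap sweep reports (9.3) with the approved services recorded against each
# host in the inventory (9.1, 9.2) and emit drift findings.
import re
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int]  # (protocol, port)

# Assumed approved services per host; in practice keyed to the CSC 1 inventory.
INVENTORY: Dict[str, Set[Service]] = {
    "10.0.0.5": {("tcp", 22), ("tcp", 443)},
    "10.0.0.9": {("tcp", 22), ("tcp", 5432)},
}

# Constructed output in nmap's grepable (-oG) format. Each port entry is
# port/state/protocol/owner/service/rpcinfo/version/.
SCAN_OUTPUT = """# Nmap scan initiated Fri Mar  1 09:00:00 2024 as: nmap -oG - -p- 10.0.0.0/28
Host: 10.0.0.5 (web01)\tStatus: Up
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65532)
Host: 10.0.0.9 (db01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 5432/filtered/udp/////
Host: 10.0.0.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///
# Nmap done at Fri Mar  1 09:04:12 2024 -- 16 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)/")

def parse_grepable(text: str) -> Dict[str, Set[Service]]:
    """Map each host to the set of (protocol, port) nmap reports as open.
    Filtered and closed entries are dropped; they are not listening services."""
    observed: Dict[str, Set[Service]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports_field = m.group(1), m.group(3)
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                observed.setdefault(host, set()).add((proto, int(port)))
    return observed

def drift(observed: Dict[str, Set[Service]],
          inventory: Dict[str, Set[Service]]) -> List[Tuple[str, str, str, int]]:
    """Findings as (kind, host, proto, port). 'unauthorized' = listening but not
    approved; 'unknown-host' = host absent from the inventory entirely (a CSC 1
    gap); 'missing' = approved service not seen, worth a ticket but not an alert."""
    findings = []
    for host, services in sorted(observed.items()):
        if host not in inventory:
            findings += [("unknown-host", host, p, n) for p, n in sorted(services)]
            continue
        findings += [("unauthorized", host, p, n) for p, n in sorted(services - inventory[host])]
        findings += [("missing", host, p, n) for p, n in sorted(inventory[host] - services)]
    return findings

if __name__ == "__main__":
    for kind, host, proto, port in drift(parse_grepable(SCAN_OUTPUT), INVENTORY):
        print(f"{kind:13} {host:12} {proto}/{port}")
```

Two findings come out of the sample: the unapproved 8080/tcp on web01, and a host at 10.0.0.12 exposing RDP that the inventory does not know about at all. The second kind is the more important one, because a port-drift check is only as good as the inventory it compares against.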
Critical Security Control #10: Data Recovery Capabilities
10.1 Ensure that all system data is automatically backed up on a regular basis.
10.2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
10.3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
11.1 Maintain documented security configuration standards for all authorized network devices.
11.2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
11.4 Install the latest stable version of any security-related updates on all network devices.
11.5 Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
12.1 Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
12.5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8 Enable the collection of NetFlow and logging data on all network boundary devices.
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection
13.1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider.
13.2 Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3 Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
13.4 Only allow access to authorized cloud storage or email providers.
13.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6 Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
13.7 If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8 Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9 If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know
14.1 Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
14.3 Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.
14.4 Encrypt all sensitive information in transit.
14.5 Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
14.6 Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
14.8 Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
14.9 Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
15.1 Maintain an inventory of authorized wireless access points connected to the wired network.
15.2 Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3 Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
15.4 Disable wireless access on devices that do not have a business purpose for wireless access.
15.5 Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
15.9 Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
15.10 Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
16.1 Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider.
16.2 Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored.
16.5 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6 Maintain an inventory of all accounts organized by authentication system.
16.7 Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8 Disable any account that cannot be associated with a business process or business owner.
16.9 Automatically disable dormant accounts after a set period of inactivity.
16.10 Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging.
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
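The stored form 16.4 asks for, shown beside the unsalted fast hash it replaces. "Hash with a salt" is necessary but not sufficient: the hash also has to be slow and, ideally, memory-hard, and the comparison has to be constant-time. This is an added example, not part of the CIS document or the mapping tool; it uses only the Python standard library, and the scrypt cost parameters are assumptions chosen so the example runs quickly (the comment gives the current OWASP minimum).

```python
# Added example, not from the CIS Controls document: credential storage as
# 16.4 requires, shown beside the unsalted fast hash it replaces. Standard
# library only; the cost parameters are assumptions discussed in the comments.
import base64
import hashlib
import hmac
import os
from typing import Optional

def weak_store(password: str) -> str:
    """The pattern to remove: a single unsalted SHA-256. Equal passwords give
    equal digests, precomputed tables apply, and each guess costs one hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# scrypt cost. Assumed for the example: n=2**14 (16 MiB) keeps the demo fast;
# OWASP's current minimum is n=2**17, r=8, p=1. Because the parameters are
# stored with the hash, raising them later needs no format change.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAXMEM = 128 * SCRYPT_N * SCRYPT_R * 2   # headroom above the 128*n*r bytes scrypt uses

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")

def store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash in a self-describing '$scrypt$n$r$p$salt$key' form.
    A 16-byte random salt per credential defeats precomputation and makes
    equal passwords unlinkable in a stolen table."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=32)
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in 'stored' and compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        _, scheme, n, r, p, salt_b64, key_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    n, r, p = int(n), int(r), int(p)
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, maxmem=128 * n * r * 2, dklen=len(expected))
    return hmac.compare_digest(actual, expected)

def needs_rehash(stored: str) -> bool:
    """True when a stored hash uses weaker parameters than the current policy;
    call after a successful verify() and re-store the password then."""
    parts = stored.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return True
    n, r, p = map(int, parts[2:5])
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)

if __name__ == "__main__":
    h = store("correct horse battery staple")
    print(h)
    print(verify("correct horse battery staple", h), verify("Tr0ub4dor&3", h))
    print("rehash needed:", needs_rehash(h))
```

The needs_rehash() step is what keeps 16.4 true over time: when the cost parameters are raised, existing hashes are upgraded transparently at the next successful login rather than sitting at the old strength until the user happens to change their password.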
Critical Security Control #17: Implement a Security Awareness and Training Program
17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
17.4 Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure authentication.
17.6 Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
17.8 Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
17.9 Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security
18.1 Establish secure coding practices appropriate to the programming language and development environment being used.
18.2 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
18.3 Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4 Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5 Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7 Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8 Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9 Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
19.1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
19.3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
20.1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
20.6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Mapping columns, Standard 1 to Standard 18 (the per-sub-control marks in these columns are not recoverable from this extract):
Standard 1: Security Management Framework
Standard 2: Security Risk Management
Standard 3: Security Policies and Procedures
Standard 4: Information Access
Standard 5: Security Obligations
Standard 6: Security Training and Awareness
Standard 7: Security Incident Management
Standard 8: Business Continuity Management
Standard 9: Contracted Service Providers
Standard 10: Government Services
Standard 11: Security Plans
Standard 12: Compliance
Standard 13: Information Value
Standard 14: Information Management
Standard 15: Information Sharing
Standard 16: Personnel Lifecycle
Standard 17: Information Communications Technology (ICT) Lifecycle
Standard 18: Physical Lifecycle
CIS Controls v7.1 mapped to ANSSI's 40 Essential Measures for a Healthy Network
(www.ssi.gouv.fr/systemesindustriels)

Sub-controls listed, by control (category as labelled in the tool):
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices: System 1.1 to 1.8
Critical Security Control #2: Inventory of Authorized and Unauthorized Software: System 2.1 to 2.10
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation: System 3.1 to 3.7
Critical Security Control #4: Controlled Use of Administrative Privileges: System 4.1 to 4.9
Critical Security Control #5: Secure Configurations for Hardware and Software: System 5.1 to 5.5
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs: System 6.1 to 6.8
Critical Security Control #7: Email and Web Browser Protections: System 7.1 to 7.10
Critical Security Control #8: Malware Defenses: System 8.1 to 8.8
Critical Security Control #9: Limitation and Control of Network Ports: System 9.1 to 9.5
Critical Security Control #10: Data Recovery Capabilities: System 10.1 to 10.5
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches: Network 11.1 to 11.7
Critical Security Control #12: Boundary Defense: Network 12.1 to 12.12
Critical Security Control #13: Data Protection: Network 13.1 to 13.9
Critical Security Control #14: Controlled Access Based on the Need to Know: Application 14.1 to 14.9
Critical Security Control #15: Wireless Access Control: Network 15.1 to 15.10
Critical Security Control #16: Account Monitoring and Control: Application 16.1 to 16.13
Critical Security Control #17: Implement a Security Awareness and Training Program: Application 17.1 to 17.9
Critical Security Control #18: Application Software Security: Application 18.1 to 18.11
Critical Security Control #19: Incident Response and Management: Application 19.1 to 19.8
Critical Security Control #20: Penetration Tests and Red Team Exercises: Application 20.1 to 20.8
curity Control #1: Inventory of Authorized and Unauthorized Devices


Utilize an active discovery tool to identify devices connected to the organization's network and
update the hardware asset inventory.
Utilize a passive discovery tool to identify devices connected to the organization's network and
automatically update the organization's hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address
management tools to update the organization's hardware asset inventory.

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or
process information. This inventory shall include all assets, whether connected to the organization's
network or not.

Ensure that the hardware asset inventory records the network address, hardware address, machine
name, data asset owner, and department for each asset and whether the hardware asset has been
approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory
is updated in a timely manner.

Utilize port level access control, following 802.1x standards, to control which devices can
authenticate to the network. The authentication system shall be tied into the hardware asset
inventory data to ensure only authorized devices can connect to the network.
Use client certificates to authenticate hardware assets connecting to the organization's trusted
network.
curity Control #2: Inventory of Authorized and Unauthorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any
business purpose on any business system.
Ensure that only software applications or operating systems currently supported and receiving
vendor updates are added to the organization's authorized software inventory. Unsupported
software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all
software on business systems.
The software inventory system should track the name, version, publisher, and install date for all
software, including operating systems authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and
associated software are tracked from a single location.

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Utilize application whitelisting technology on all assets to ensure that only authorized software
executes and all unauthorized software is blocked from executing on assets.

The organization's application whitelisting software must ensure that only authorized software
libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally
signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required
for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning
tool to automatically scan all systems on the network on a weekly or more frequent basis to identify
all potential vulnerabilities on the organization's systems.

Perform authenticated vulnerability scanning with agents running locally on each system or with
remote scanners that are configured with elevated rights on the system being tested.

Use a dedicated account for authenticated vulnerability scans, which should not be used for any
other administrative activities and should be tied to specific machines at specific IP addresses.

Deploy automated software update tools in order to ensure that the operating systems are running
the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems
is running the most recent security updates provided by the software vendor.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have
been remediated in a timely manner.

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Critical Security Control #4: Controlled Use of Administrative Privileges


Use automated tools to inventory all administrative accounts, including domain and local accounts,
to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with
administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for
elevated activities. This account should only be used for administrative activities and not Internet
browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service
accounts), accounts will use passwords that are unique to that system.

Use multi-factor authentication and encrypted channels for all administrative account access.

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring
administrative access. This machine will be segmented from the organization's primary network and
not be allowed Internet access. This machine will not be used for reading email, composing
documents, or browsing the Internet.

Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or
development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any
group assigned administrative privileges.

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Critical Security Control #5: Secure Configurations for Hardware and Software
Maintain documented security configuration standards for all authorized operating systems and
software.

Maintain secure images or templates for all systems in the enterprise based on the organization's
approved configuration standards. Any new system deployment or existing system that becomes
compromised should be imaged using one of those images or templates.

Store the master images and templates on securely configured servers, validated with integrity
monitoring tools, to ensure that only authorized changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals.

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to
verify all security configuration elements, catalog approved exceptions, and alert when unauthorized
changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve
time information on a regular basis so that timestamps in logs are consistent.

Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user,
timestamp, source addresses, destination addresses, and other useful elements.

Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis
and review.
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation
and analysis.

On a regular basis, review logs to identify anomalies or abnormal events.


On a regular basis, tune your SIEM system to better identify actionable events and decrease event
noise.
Critical Security Control #7: Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers and email clients provided by the
vendor.

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

Enforce network-based URL filters that limit a system's ability to connect to websites not approved
by the organization. This filtering shall be enforced for each of the organization's systems, whether
they are physically at an organization's facilities or not.

Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default.

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in
order to identify potentially malicious activity and assist incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based
Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
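The sub-control above asks for DMARC built on SPF and DKIM. The following is an added example, not part of the AuditScripts mapping tool or the CIS Controls text: it evaluates the SPF and DMARC TXT records a domain publishes and lists the weaknesses a defender would want to close (no SPF, SPF without a hard fail, no DMARC, p=none, partial pct, no aggregate reporting address). The records in SAMPLE_TXT are constructed for the example and stand in for what a resolver would return; domain names, message strings and the assess_domain/parse_dmarc helpers are all assumptions of this example. DKIM itself is selector-specific and is not checked here.

```python
from typing import Dict, List, Optional

# Constructed sample TXT records (not real domains' records), keyed by the
# name that would be queried: the domain itself for SPF, _dmarc.<domain> for DMARC.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.com -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
    ],
    "weak.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "nomail.example": [],
}

# Finding messages (constants so callers can match on them).
SPF_MISSING = "SPF: no v=spf1 record published"
SPF_PLUS_ALL = "SPF: +all authorises any host to send as this domain"
SPF_NO_HARDFAIL = "SPF: record does not end in -all (hard fail)"
DMARC_MISSING = "DMARC: no _dmarc record published"
DMARC_NONE = "DMARC: p=none is monitoring only, receivers enforce nothing"
DMARC_NO_RUA = "DMARC: no rua= address, so aggregate reports are not received"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def find_record(txt_records: List[str], prefix: str) -> Optional[str]:
    """Return the first TXT record starting with the given version tag."""
    for record in txt_records:
        if record.lower().startswith(prefix):
            return record
    return None


def assess_domain(domain: str, txt: Dict[str, List[str]]) -> List[str]:
    """Return the list of SPF/DMARC weaknesses for a domain (empty means enforced)."""
    findings: List[str] = []

    spf = find_record(txt.get(domain, []), "v=spf1")
    if spf is None:
        findings.append(SPF_MISSING)
    else:
        terms = [t.lower() for t in spf.split()[1:]]
        if "+all" in terms or "all" in terms:
            findings.append(SPF_PLUS_ALL)
        elif "-all" not in terms:
            findings.append(SPF_NO_HARDFAIL)

    dmarc = find_record(txt.get("_dmarc." + domain, []), "v=dmarc1")
    if dmarc is None:
        findings.append(DMARC_MISSING)
        return findings

    tags = parse_dmarc(dmarc)
    if tags.get("p", "none").lower() == "none":
        findings.append(DMARC_NONE)
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={int(pct)} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append(DMARC_NO_RUA)
    return findings


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "nomail.example"):
        print(name, assess_domain(name, SAMPLE_TXT) or ["no findings"])
```

To run this against live DNS, replace SAMPLE_TXT with the TXT answers from a resolver; the assessment logic does not change.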
Block all email attachments entering the organization's email gateway if the file types are
unnecessary for the organization's business.

Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Critical Security Control #8: Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the
organization's workstations and servers.

Ensure that the organization's anti-malware software updates its scanning engine and signature
database on a regular basis.

Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that
can be configured to apply protection to a broader set of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media
when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log
servers for analysis and alerting.
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious
domains.

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports
Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Ensure that only network ports, protocols, and services listening on a system with validated business
needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports
are detected on a system.
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops
all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized traffic should be blocked and logged.
Critical Security Control #10: Data Recovery Capabilities
Ensure that all system data is automatically backed up on a regular basis.
Ensure that all of the organization's key systems are backed up as a complete system, through
processes such as imaging, to enable the quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to
ensure that the backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored,
as well as when they are moved across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one offline (i.e., not accessible via a network connection)
backup destination.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a
configuration management system with a specific business reason for each rule, a specific
individual’s name responsible for that business need, and an expected duration of the need.
Compare all network device configurations against approved security configurations defined for
each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring
elevated access. This machine shall be segmented from the organization's primary network and not
be allowed Internet access. This machine shall not be used for reading email, composing documents,
or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the
business use of that network, relying on separate VLANs or, preferably, on entirely different physical
connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access only to
trusted and necessary IP address ranges at each of the organization's network boundaries.

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only
authorized protocols are allowed to cross the network boundary in or out of the network at each of
the organization's network boundaries.

Configure monitoring systems to record network packets passing through the boundary at each of
the organization's network boundaries.

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each
of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated application
layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However,
the organization may use whitelists of allowed sites that can be accessed through the proxy without
decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to accessing the
network to ensure that each of the organization's security policies has been enforced in the same
manner as local network devices.
Critical Security Control #13: Data Protection

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the organization from the network.
These systems shall only be used as stand-alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely virtualized and powered off until
needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security professionals.

Only allow access to authorized cloud storage or email providers.


Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

If USB storage devices are required, enterprise software should be used that can configure systems
to allow the use of specific devices. An inventory of such devices should be maintained.

Configure systems not to write data to external removable media, if there is no business need for
supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally
and compromise neighboring systems, through technologies such as private VLANs or micro
segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted
by the organization's technology systems, including those located on-site or at a remote service
provider, and update the organization's sensitive information inventory.

Protect all information stored on systems with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a
part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data
even when the data is copied off a system.

Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools
such as File Integrity Monitoring or Security Information and Event Monitoring).
Critical Security Control #15: Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access
points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business purpose, to
allow access only to authorized wireless networks and to restrict access to other wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS) that require mutual, multi-factor authentication.

Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication
(NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access from this
network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located
on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as possible,
including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-site
or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.
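As an added example for the sub-control above (not code from the AuditScripts mapping tool or from CIS), the block below shows what "hash with a salt" looks like in practice and how to audit an existing credential store against that requirement: a fresh random salt per credential, a slow key-derivation function (PBKDF2-HMAC-SHA256 via hashlib, with an iteration count chosen for this example), a self-describing record format so parameters can be raised later, constant-time comparison on verification, and an audit that flags plaintext, bare digests, short salts and low iteration counts. The record format, parameter values and the sample store are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Parameters for this added example (chosen here, not taken from the CIS text):
# PBKDF2-HMAC-SHA256, 600,000 iterations, 16-byte random salt, 32-byte output.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_credential(password: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh per-credential salt.

    Returns a self-describing record, pbkdf2$<hash>$<iterations>$<salt>$<digest>,
    so the parameters can be raised later without breaking verification.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                                 iterations, dklen=DKLEN)
    return "$".join(["pbkdf2", HASH_NAME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_credential(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters; compare in constant time."""
    try:
        scheme, hash_name, iterations_str, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iterations_str)
    except ValueError:  # wrong field count, bad base64 or non-numeric count
        return False
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def audit_credential_store(records: Dict[str, str],
                           min_iterations: int = ITERATIONS) -> List[str]:
    """Return the usernames whose stored credential does not meet the policy.

    Flags plaintext, unsalted digests, unknown formats, short salts and low
    iteration counts, so a store can be checked before forcing a rotation.
    """
    weak: List[str] = []
    for user, stored in records.items():
        parts = stored.split("$")
        if len(parts) != 5 or parts[0] != "pbkdf2":
            weak.append(user)
            continue
        try:
            iterations = int(parts[2])
            salt_len = len(base64.b64decode(parts[3], validate=True))
        except ValueError:
            weak.append(user)
            continue
        if iterations < min_iterations or salt_len < SALT_BYTES:
            weak.append(user)
    return weak


if __name__ == "__main__":
    # Constructed sample store: one compliant record, one bare SHA-256 digest,
    # one plaintext password.
    store = {
        "alice": hash_credential("correct horse battery staple"),
        "bob": hashlib.sha256(b"hunter2").hexdigest(),
        "carol": "hunter2",
    }
    print("weak entries:", audit_credential_store(store))
    print("alice verifies:", verify_credential("correct horse battery staple", store["alice"]))
```

The same password produces a different record every time because the salt is random, which is the property that defeats precomputed digest tables; the audit function is what turns the sub-control into a repeatable check rather than a one-off review.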


Ensure that all account usernames and authentication credentials are transmitted across networks
using encrypted channels.

Maintain an inventory of all accounts organized by authentication system.


Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor. Disabling
these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.


Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and
duration.
Critical Security Control #17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not
adhering to, using this information to build a baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security
behavior.

Create a security awareness program for all workforce members to complete on a regular basis to
ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of
the organization. The organization's security awareness program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least annually)
to address new technologies, threats, standards, and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive information.

Train workforce members to be aware of causes for unintentional data exposures, such as losing
their mobile devices or emailing the wrong person due to autocomplete in email.
Train workforce members to be able to identify the most common indicators of an incident and be
able to report such an incident.
Critical Security Control #18: Application Software Security
Establish secure coding practices appropriate to the programming language and development
environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats.
Verify that the version of all software acquired from outside your organization is still supported by
the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to
for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not
have unmonitored access to production environments.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are not
web-based, specific application firewalls should be deployed if such tools are available for the given
application type. If the traffic is encrypted, the device should either sit behind the encryption or be
capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web
application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.
Critical Security Control #19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals, and
ensure tracking and documentation throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms for
such reporting, and the kind of information that should be included in the incident notification.

Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
Information Sharing and Analysis Center (ISAC) partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents, to the incident handling team. Such information should be included in routine employee
awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved in
the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responder’s technical
capabilities using tools and data available to them.

Create an incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors
that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or
to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful
to attackers, including network diagrams, configuration files, older penetration test reports, emails
or documents containing passwords or other information critical to system operation.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against
supervisory control and data acquisition and other control systems.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration testing
efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so
that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Master Mappings Tool (v7.1c)

Measures mapped against the CIS sub-controls (the column headings of the mapping matrix):

1. Have an accurate map of IT installations and keep it updated.
2. Keep an exhaustive inventory of privileged accounts and ensure this is updated.
3. Create and apply procedures for the arrival and departure of users (personnel, interns, etc.).
4. Limit the number of Internet access points for the company to those that are strictly necessary.
5. Prohibit the connection of personal devices to the organisation's information system.
6. Know how all software components are updated and keep up to date on the vulnerabilities of these components and their required updates.
7. Define and strictly apply an update policy.
8. Identify each individual accessing the system by name.
9. Set rules for the choice and size of passwords.
10. Set in place technical methods to enable authentication rules to be followed.
11. Do not store passwords in plain sight in files on information systems.
12. Systematically renew default authentication settings (password, certificates) on devices (network switches, routers, servers, printers).
13. Opt, where possible, for strong, smart card authentication.
14. Implement a uniform level of security across the entire IT stock.
15. Technically prevent the connection of portable media except where strictly necessary; deactivate the execution of the autorun functions from these types of media.
16. Use an IT stock management tool that enables the deployment of security policies and updates to machines.
17. Manage portable machines with a security policy that is at least as stringent as for fixed machines.
18. Wherever possible, prohibit remote connections to client machines.
19. Encrypt sensitive data, especially on mobile machines and media that may get lost.
20. Frequently audit (or have audited) the configuration of the central directory (Active Directory in Windows environments or LDAP directory for example).
21. Set in place compartmentalised networks. For machines or servers containing information that is of strategic importance to the company, create a sub-network protected by a specific interconnection gateway.
22. Avoid the use of wireless (Wifi) infrastructures. If the use of these technologies cannot be avoided, compartmentalise the Wifi access network from the rest of the information system.
23. Systematically use secure applications and protocols.
24. Secure Internet interconnection gateways.
25. Ensure that there are no machines on the network with an administration interface that is accessible via the Internet.
26. Clearly define the objectives of system and network monitoring.
27. Define event log analysis methods.
28. Prohibit all access to the Internet from administration accounts.
29. Use a dedicated network for the administration of machines or at least a network that is logically separated from the user network.
30. Do not grant administration privileges to users. Make no exceptions.
31. Only authorise remote access to the company network, even for network administration, from company machines that use strong authentication mechanisms and protect the integrity and confidentiality of traffic using robust means.
32. Robust control mechanisms for premises access must imperatively be used.
33. Keys to access the premises and alarm codes must be scrupulously protected.
34. Do not leave access sockets to the internal network accessible in locations that are open to the public.
35. Define rules for the use of printers and photocopiers.
36. Develop a plan for IT recovery and continuity of activity, even if only in outline, that is regularly updated, setting out how to safeguard the company's essential data.
37. Implement an alert and reaction chain that all parties involved are familiar with.
38. Never simply deal with the infection of a machine without attempting to establish how the malware came to be installed on that machine, whether it has spread elsewhere on the network and what data has been accessed.
39. Make users aware of the basic IT rules.
40. Periodically carry out a security audit (at least annually). Each audit must be accompanied by an action plan, the implementation of which should be monitored at the highest level.
CIS Controls v7.1 mapped to ?????

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices


System 1.1

System 1.2

System 1.3

System 1.4

System 1.5

System 1.6

System 1.7

System 1.8

Critical Security Control #2: Inventory of Authorized and Unauthorized Software


System 2.1

System 2.2

System 2.3

System 2.4

System 2.5
System 2.6

System 2.7

System 2.8

System 2.9

System 2.10

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1

System 3.2

System 3.3

System 3.4

System 3.5

System 3.6

System 3.7

Critical Security Control #4: Controlled Use of Administrative Privileges


System 4.1

System 4.2

System 4.3

System 4.4

System 4.5
System 4.6

System 4.7

System 4.8

System 4.9

Critical Security Control #5: Secure Configurations for Hardware and Software
System 5.1

System 5.2

System 5.3

System 5.4

System 5.5

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System 6.1

System 6.2

System 6.3

System 6.4

System 6.5

System 6.6

System 6.7

System 6.8

Critical Security Control #7: Email and Web Browser Protections


System 7.1

System 7.2

System 7.3

System 7.4

System 7.5

System 7.6

System 7.7

System 7.8

System 7.9

System 7.10

Critical Security Control #8: Malware Defenses


System 8.1

System 8.2

System 8.3

System 8.4

System 8.5

System 8.6

System 8.7

System 8.8

Critical Security Control #9: Limitation and Control of Network Ports


System 9.1

System 9.2

System 9.3

System 9.4

System 9.5

Critical Security Control #10: Data Recovery Capabilities


System 10.1

System 10.2

System 10.3

System 10.4

System 10.5

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Network 11.1

Network 11.2

Network 11.3

Network 11.4

Network 11.5

Network 11.6

Network 11.7

Critical Security Control #12: Boundary Defense


Network 12.1
Network 12.2

Network 12.3

Network 12.4

Network 12.5

Network 12.6

Network 12.7

Network 12.8

Network 12.9

Network 12.10

Network 12.11

Network 12.12

Critical Security Control #13: Data Protection

Network 13.1

Network 13.2
Network 13.3

Network 13.4

Network 13.5

Network 13.6

Network 13.7

Network 13.8

Network 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1

Application 14.2

Application 14.3

Application 14.4

Application 14.5

Application 14.6

Application 14.7

Application 14.8

Application 14.9

Critical Security Control #15: Wireless Access Control


Network 15.1
Network 15.2

Network 15.3

Network 15.4

Network 15.5

Network 15.6

Network 15.7

Network 15.8

Network 15.9

Network 15.10

Critical Security Control #16: Account Monitoring and Control


Application 16.1

Application 16.2

Application 16.3

Application 16.4

Application 16.5

Application 16.6

Application 16.7

Application 16.8

Application 16.9
Application 16.10
Application 16.11

Application 16.12

Application 16.13

Critical Security Control #17: Implement a Security Awareness and Training Program
Application 17.1

Application 17.2

Application 17.3

Application 17.4

Application 17.5

Application 17.6

Application 17.7

Application 17.8

Application 17.9

Critical Security Control #18: Application Software Security


Application 18.1

Application 18.2

Application 18.3

Application 18.4

Application 18.5

Application 18.6

Application 18.7

Application 18.8

Application 18.9
Application 18.10

Application 18.11

Critical Security Control #19: Incident Response and Management


Application 19.1

Application 19.2

Application 19.3

Application 19.4

Application 19.5

Application 19.6

Application 19.7

Application 19.8

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application 20.1

Application 20.2

Application 20.3

Application 20.4
Application 20.5

Application 20.6

Application 20.7

Application 20.8

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

System 1.1  Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
System 1.2  Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
System 1.3  Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
System 1.4  Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
System 1.5  Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset, and whether the hardware asset has been approved to connect to the network.
System 1.6  Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.
System 1.7  Utilize port-level access control, following 802.1X standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
System 1.8  Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
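Sub-controls 1.3, 1.5 and 1.6 together describe a loop: take the DHCP server's lease log, look each leasing MAC up in the hardware inventory, and act on the ones that are missing or not approved. The script below is an added example written for this page, not part of the CIS Controls or the AuditScripts tool; the dhcpd-style log lines and the inventory entries are constructed, and the field names (`owner`, `dept`, `approved`) are an assumed inventory schema.

```python
import re

# Constructed ISC dhcpd-style syslog lines (made up for this example, not real data).
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.4.15 to 3c:52:82:aa:10:01 (ws-alice) via eth1
Mar  3 09:12:44 dhcp1 dhcpd[812]: DHCPACK on 10.20.4.16 to 3c:52:82:aa:10:02 (ws-bob) via eth1
Mar  3 09:13:09 dhcp1 dhcpd[812]: DHCPDISCOVER from 3c:52:82:aa:10:02 via eth1
Mar  3 09:15:27 dhcp1 dhcpd[812]: DHCPACK on 10.20.4.77 to b8:27:eb:5e:01:99 (raspberrypi) via eth1
Mar  3 09:16:02 dhcp1 dhcpd[812]: DHCPACK on 10.20.4.15 to 3C:52:82:AA:10:01 (ws-alice) via eth1
"""

# Constructed hardware asset inventory keyed by MAC address, carrying the
# fields sub-control 1.5 asks for (name, owner, department, approval flag).
INVENTORY = {
    "3c:52:82:aa:10:01": {"name": "ws-alice", "owner": "alice", "dept": "eng", "approved": True},
    "3c:52:82:aa:10:02": {"name": "ws-bob", "owner": "bob", "dept": "eng", "approved": False},
}

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)

def parse_dhcp_acks(log_text):
    """Return {mac: (ip, hostname)} from DHCPACK lines; the latest lease for a MAC wins.
    MACs are normalised to lower case so one device logged twice is counted once."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m.group("mac").lower()] = (m.group("ip"), m.group("host") or "")
    return leases

def reconcile(leases, inventory):
    """Classify each leasing device against the inventory (sub-controls 1.3, 1.5, 1.6):
    known and approved, known but not approved to connect, or not in the inventory at all."""
    report = {"ok": [], "not_approved": [], "unknown": []}
    for mac, (ip, host) in sorted(leases.items()):
        entry = inventory.get(mac)
        record = {"mac": mac, "ip": ip, "hostname": host}
        if entry is None:
            report["unknown"].append(record)
        elif not entry["approved"]:
            report["not_approved"].append({**record, "owner": entry["owner"]})
        else:
            report["ok"].append({**record, "owner": entry["owner"]})
    return report

if __name__ == "__main__":
    result = reconcile(parse_dhcp_acks(SAMPLE_DHCP_LOG), INVENTORY)
    for status, devices in result.items():
        for d in devices:
            print(f"{status:13} {d['mac']} {d['ip']:15} {d['hostname']}")
```

The `unknown` bucket is the feed for sub-control 1.6 (quarantine or add to inventory); `not_approved` catches devices that are known but were never cleared to join the network, which a pure "is the MAC in the inventory" check would miss.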
Critical Security Control #2: Inventory of Authorized and Unauthorized Software

System 2.1  Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
System 2.2  Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
System 2.3  Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
System 2.4  The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
System 2.5  The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
System 2.6  Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
System 2.7  Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
System 2.8  The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
System 2.9  The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
System 2.10  Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

System 3.1  Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
System 3.2  Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
System 3.3  Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
System 3.4  Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
System 3.5  Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
System 3.6  Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
System 3.7  Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
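Sub-controls 3.6 and 3.7 are easiest to see with data: diff two consecutive scan exports to get remediated, persistent and new findings, then rank what is still open by a risk rating rather than by raw CVSS. The block below is an added example for this page, not CIS or AuditScripts code. The finding IDs, scores and asset attributes are constructed, and the weighting in `risk_score` is an assumed scheme; a real programme would pick its own factors (exposure, exploit maturity, data sensitivity, SLA age).

```python
# Constructed findings from two consecutive authenticated scans, in the shape a scanner
# export would have (host, finding id, CVSS base score, exploit availability). Made up.
SCAN_PREVIOUS = [
    {"host": "10.0.1.10", "id": "F-1001", "cvss": 9.8, "exploit_available": True},
    {"host": "10.0.1.10", "id": "F-1002", "cvss": 10.0, "exploit_available": True},
    {"host": "10.0.1.22", "id": "F-2001", "cvss": 7.5, "exploit_available": False},
    {"host": "10.0.1.22", "id": "F-2002", "cvss": 4.7, "exploit_available": False},
]
SCAN_CURRENT = [
    {"host": "10.0.1.10", "id": "F-1002", "cvss": 10.0, "exploit_available": True},
    {"host": "10.0.1.22", "id": "F-2002", "cvss": 4.7, "exploit_available": False},
    {"host": "10.0.1.30", "id": "F-3001", "cvss": 8.8, "exploit_available": True},
]

# Constructed asset context pulled from the hardware inventory (Control 1).
ASSETS = {
    "10.0.1.10": {"internet_facing": True, "sensitive_data": True},
    "10.0.1.22": {"internet_facing": False, "sensitive_data": True},
    "10.0.1.30": {"internet_facing": True, "sensitive_data": False},
}

def diff_scans(previous, current):
    """Sub-control 3.6: compare back-to-back scans. A finding is identified by (host, id)."""
    prev = {(f["host"], f["id"]) for f in previous}
    cur = {(f["host"], f["id"]) for f in current}
    return {
        "remediated": sorted(prev - cur),
        "persistent": sorted(prev & cur),
        "new": sorted(cur - prev),
    }

def risk_score(finding, asset, persistent):
    """Sub-control 3.7: an assumed rating. CVSS is scaled up for a public exploit, for
    Internet exposure and for sensitive data, and penalised if the finding survived a
    previous remediation window."""
    score = finding["cvss"]
    if finding["exploit_available"]:
        score *= 1.5
    if asset.get("internet_facing"):
        score *= 1.5
    if asset.get("sensitive_data"):
        score *= 1.2
    if persistent:
        score += 2.0
    return round(score, 1)

def prioritise(previous, current, assets):
    """Return open findings from the current scan as (score, (host, id)), highest first."""
    persistent = set(diff_scans(previous, current)["persistent"])
    ranked = []
    for f in current:
        key = (f["host"], f["id"])
        ranked.append((risk_score(f, assets.get(f["host"], {}), key in persistent), key))
    ranked.sort(reverse=True)
    return ranked

if __name__ == "__main__":
    for bucket, keys in diff_scans(SCAN_PREVIOUS, SCAN_CURRENT).items():
        print(bucket, keys)
    for score, (host, fid) in prioritise(SCAN_PREVIOUS, SCAN_CURRENT, ASSETS):
        print(f"{score:5.1f}  {host}  {fid}")
```

Note that the lower-CVSS new finding on the Internet-facing host outranks nothing here only because the persistent critical on 10.0.1.10 is worse on every axis; swap the exposure flags and the order changes, which is the point of rating instead of sorting by CVSS.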

Critical Security Control #4: Controlled Use of Administrative Privileges

System 4.1  Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
System 4.2  Before deploying any new asset, change all default passwords to have values consistent with administrative-level accounts.
System 4.3  Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
System 4.4  Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
System 4.5  Use multi-factor authentication and encrypted channels for all administrative account access.
System 4.6  Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.
System 4.7  Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.
System 4.8  Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
System 4.9  Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
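Sub-controls 4.8 and 4.9 are detection rules, and the usual place to implement them is over Windows Security events: 4728/4732/4756 (member added to a global/local/universal security-enabled group), 4729/4733/4757 (member removed) and 4625 (failed logon). The following is an added example for this page, not CIS or AuditScripts code. The events are constructed and flattened into plain dicts with assumed field names (`subject`, `member`, `group`, `target`) rather than the raw EventData XML a real collector produces; the privileged group list and admin account list are assumed too.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs: member added to / removed from a security-enabled
# global (4728/4729), local (4732/4733) or universal (4756/4757) group; failed logon (4625).
GROUP_ADD = {4728, 4732, 4756}
GROUP_REMOVE = {4729, 4733, 4757}
FAILED_LOGON = 4625

# Constructed: groups that confer administrative privilege, and the dedicated
# admin accounts sub-control 4.3 asks for.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"adm-alice", "adm-bob"}

# Constructed events, flattened the way a SIEM or log shipper would export them.
EVENTS = [
    {"ts": "2024-03-03T08:01:10", "id": 4732, "host": "FS01", "subject": "adm-alice", "member": "svc-backup", "group": "Administrators"},
    {"ts": "2024-03-03T08:02:40", "id": 4728, "host": "DC01", "subject": "adm-alice", "member": "jdoe", "group": "Domain Admins"},
    {"ts": "2024-03-03T08:03:00", "id": 4728, "host": "DC01", "subject": "adm-bob", "member": "jdoe", "group": "Sales"},
    {"ts": "2024-03-03T08:05:00", "id": 4733, "host": "FS01", "subject": "adm-alice", "member": "svc-backup", "group": "Administrators"},
    {"ts": "2024-03-03T23:10:00", "id": 4625, "host": "DC01", "target": "adm-bob", "src_ip": "10.9.9.9"},
    {"ts": "2024-03-03T23:10:30", "id": 4625, "host": "DC01", "target": "adm-bob", "src_ip": "10.9.9.9"},
    {"ts": "2024-03-03T23:11:05", "id": 4625, "host": "DC01", "target": "adm-bob", "src_ip": "10.9.9.9"},
    {"ts": "2024-03-03T23:12:40", "id": 4625, "host": "DC01", "target": "adm-bob", "src_ip": "10.9.9.9"},
    {"ts": "2024-03-03T23:20:00", "id": 4625, "host": "DC01", "target": "jdoe", "src_ip": "10.9.9.9"},
]

def privileged_group_changes(events, privileged=PRIVILEGED_GROUPS):
    """Sub-control 4.8: one alert per membership change to a privileged group.
    Changes to non-privileged groups (e.g. Sales) are logged but not alerted."""
    alerts = []
    for e in events:
        if e["id"] in GROUP_ADD | GROUP_REMOVE and e.get("group") in privileged:
            action = "added to" if e["id"] in GROUP_ADD else "removed from"
            alerts.append(f"{e['ts']} {e['host']}: {e['member']} {action} {e['group']} "
                          f"by {e['subject']} (event {e['id']})")
    return alerts

def failed_admin_logon_bursts(events, admins=ADMIN_ACCOUNTS, threshold=3, window=timedelta(minutes=5)):
    """Sub-control 4.9: alert when an admin account accumulates `threshold` failed logons
    (event 4625) inside a sliding `window`. threshold=1 alerts on every failure, which is
    what the sub-control literally asks for; a window keeps lockout/spray noise manageable.
    Returns {account: largest burst seen}; non-admin failures are ignored."""
    times_by_account = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON and e.get("target") in admins:
            times_by_account[e["target"]].append(datetime.fromisoformat(e["ts"]))
    bursts = {}
    for account, times in times_by_account.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[account] = max(bursts.get(account, 0), count)
    return bursts

if __name__ == "__main__":
    for line in privileged_group_changes(EVENTS):
        print("ALERT", line)
    print("failed admin logon bursts:", failed_admin_logon_bursts(EVENTS))
```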
Critical Security Control #5: Secure Configurations for Hardware and Software

System 5.1  Maintain documented, standard security configuration standards for all authorized operating systems and software.
System 5.2  Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
System 5.3  Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
System 5.4  Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
System 5.5  Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

System 6.1  Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
System 6.2  Ensure that local logging has been enabled on all systems and networking devices.
System 6.3  Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
System 6.4  Ensure that all systems that store logs have adequate storage space for the logs generated.
System 6.5  Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
System 6.6  Deploy a Security Information and Event Management (SIEM) or log analytics tool for log correlation and analysis.
System 6.7  On a regular basis, review logs to identify anomalies or abnormal events.
System 6.8  On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Critical Security Control #7: Email and Web Browser Protections

System 7.1  Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
System 7.2  Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
System 7.3  Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
System 7.4  Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
System 7.5  Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
System 7.6  Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
System 7.7  Use DNS filtering services to help block access to known malicious domains.
System 7.8  To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
System 7.9  Block all e-mail attachments entering the organization's e-mail gateway if the file types are unnecessary for the organization's business.
System 7.10  Use sandboxing to analyze and block inbound email attachments with malicious behavior.
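Sub-control 7.8 packs three mechanisms into one sentence, and the part that trips people up is how DMARC combines them: SPF or DKIM must pass *and* the domain that passed must align with the visible From domain, otherwise the published `p=` policy applies. The block below is an added example for this page, not CIS or AuditScripts code, and not a complete DMARC implementation. It assumes a constructed DNS zone (`ZONE`) in place of live TXT lookups, supports only the `ip4`, `ip6`, `include` and `all` SPF mechanisms, takes the DKIM result as an input because signature verification needs the selector's public key, and approximates the organizational domain with the last two labels instead of the Public Suffix List.

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups (example.com and .example are
# reserved documentation names; the records are made up for this example).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "bounce.example.com": "v=spf1 include:example.com -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; aspf=r; adkim=s; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def txt_record(name):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return ZONE.get(name)

def check_spf(domain, ip, depth=0):
    """Minimal SPF (RFC 7208) evaluation of the ip4, ip6, include and all mechanisms.
    Returns pass, fail, softfail, neutral or none."""
    record = txt_record(domain)
    if record is None or depth > 10 or record.split()[:1] != ["v=spf1"]:
        return "none"   # no record, or an include chain deeper than the RFC's lookup limit
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # 'in' is False when the address family differs, so ip4 never matches an IPv6 sender
            if addr in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include" and check_spf(argument, ip, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"

def parse_dmarc(domain):
    """Parse the _dmarc TXT record into its tags; None if absent or malformed."""
    record = txt_record(f"_dmarc.{domain}")
    if not record:
        return None
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("aspf", "r")   # relaxed alignment is the default for both identifiers
    tags.setdefault("adkim", "r")
    return tags

def organizational_domain(domain):
    # Simplification: real DMARC uses the Public Suffix List; the last two labels suffice here.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)

def dmarc_verdict(from_domain, mail_from_domain, source_ip, dkim_pass_domain=None):
    """DMARC passes when SPF or DKIM passes *and* its domain aligns with the RFC5322.From
    domain; otherwise the published p= policy applies. dkim_pass_domain is the d= of a
    signature that already verified, or None."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "none", "no DMARC record"
    spf_ok = (check_spf(mail_from_domain, source_ip) == "pass"
              and aligned(mail_from_domain, from_domain, policy["aspf"]))
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", policy["p"]

if __name__ == "__main__":
    print(dmarc_verdict("example.com", "bounce.example.com", "192.0.2.10"))
    print(dmarc_verdict("example.com", "bounce.example.com", "203.0.113.5", dkim_pass_domain="bounce.example.com"))
```

The two calls at the bottom show why the alignment modes matter: with `aspf=r` a bounce subdomain passing SPF is enough, but with `adkim=s` a DKIM signature from that same subdomain is not, and the message falls to `p=reject`.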
Critical Security Control #8: Malware Defenses

System 8.1  Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
System 8.2  Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
System 8.3  Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system, or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
System 8.4  Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
System 8.5  Configure devices to not auto-run content from removable media.
System 8.6  Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
System 8.7  Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
System 8.8  Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Critical Security Control #9: Limitation and Control of Network Ports

System 9.1  Associate active ports, services and protocols to the hardware assets in the asset inventory.
System 9.2  Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
System 9.3  Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
System 9.4  Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
System 9.5  Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
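Sub-controls 9.1 and 9.3 only work together: the scan is useful when there is an authorized-services record per asset to compare it against. The script below is an added example for this page, not CIS or AuditScripts code. It parses nmap's grepable (`-oG`) output, whose `Ports:` entries are `port/state/protocol/owner/service/rpc/version/`, and checks every open port against a per-host allow list. The scan output and the allow list are constructed, and the allow-list shape (`{ip: {(port, proto)}}`) is an assumed inventory schema.

```python
import re

# Constructed nmap -oG output; hosts, names and banners are made up for this example.
# "\t" inside the string literal is the tab nmap uses to separate the fields.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated Sun Mar  3 02:00:01 2024 as: nmap -sS -p- -oG weekly.gnmap 10.0.1.0/24
Host: 10.0.1.10 (fs01.corp.example)\tStatus: Up
Host: 10.0.1.10 (fs01.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65532)
Host: 10.0.1.22 (web01.corp.example)\tStatus: Up
Host: 10.0.1.22 (web01.corp.example)\tPorts: 80/open/tcp//http//nginx 1.24/, 443/open/tcp//https//nginx 1.24/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)
Host: 10.0.1.40 ()\tPorts: 6379/open/tcp//redis///\tIgnored State: closed (65534)
# Nmap done at Sun Mar  3 02:41:17 2024 -- 256 IP addresses (3 hosts up) scanned in 2476.12 seconds
"""

# Constructed authorized services per asset (sub-control 9.1): {host: {(port, proto), ...}}.
# 10.0.1.40 is deliberately absent, as if it were never added to the inventory.
AUTHORIZED = {
    "10.0.1.10": {(22, "tcp"), (445, "tcp")},
    "10.0.1.22": {(80, "tcp"), (443, "tcp")},
}

PORTS_LINE = re.compile(
    r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>.*?)(?:\tIgnored State.*)?$"
)

def parse_grepable(text):
    """Return {ip: {(port, proto): (state, service, version)}} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue                      # comment lines and Status-only lines
        entry = hosts.setdefault(m.group("ip"), {})
        for item in m.group("ports").split(", "):
            port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
            entry[(int(port), proto)] = (state, service, version)
    return hosts

def unauthorized_ports(scan, authorized):
    """Sub-control 9.3: flag open ports absent from the authorized inventory, and open
    ports on hosts that are not in the inventory at all. Filtered/closed ports are skipped."""
    findings = []
    for ip, ports in scan.items():
        allowed = authorized.get(ip)
        for (port, proto), (state, service, _version) in sorted(ports.items()):
            if state != "open":
                continue
            if allowed is None:
                findings.append((ip, port, proto, service, "host not in inventory"))
            elif (port, proto) not in allowed:
                findings.append((ip, port, proto, service, "port not authorized"))
    return findings

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_NMAP_GREPABLE)
    for ip, port, proto, service, reason in unauthorized_ports(scan, AUTHORIZED):
        print(f"ALERT {ip} {port}/{proto} ({service or '?'}): {reason}")
```

Two things a practitioner would add before running this weekly: a version diff against last week's scan so a banner change is noticed even when the port was already allowed, and an automatic inventory ticket for the "host not in inventory" case, which is really a Control 1 failure that the port scan has surfaced.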
Critical Security Control #10: Data Recovery Capabilities

System 10.1  Ensure that all system data is automatically backed up on a regular basis.
System 10.2  Ensure that each of the organization's key systems is backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
System 10.3  Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
System 10.4  Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
System 10.5  Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls.
Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Network 11.1  Maintain standard, documented security configuration standards for all authorized network devices.
Network 11.2  All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Network 11.3  Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviations are discovered.
Network 11.4  Install the latest stable version of any security-related updates on all network devices.
Network 11.5  Manage all network devices using multi-factor authentication and encrypted sessions.
Network 11.6  Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.
Network 11.7  Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Critical Security Control #12: Boundary Defense

Network 12.1  Maintain an up-to-date inventory of all of the organization's network boundaries.
Network 12.2  Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
Network 12.3  Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
Network 12.4  Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Network 12.5  Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Network 12.6  Deploy network-based Intrusion Detection System (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
Network 12.7  Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
Network 12.8  Enable the collection of NetFlow and logging data on all network boundary devices.
Network 12.9  Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
Network 12.10  Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Network 12.11  Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
Network 12.12  Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Critical Security Control #13: Data Protection

Network 13.1  Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider.
Network 13.2  Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system, or completely virtualized and powered off until needed.
Network 13.3  Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
Network 13.4  Only allow access to authorized cloud storage or email providers.
Network 13.5  Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Network 13.6  Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices.
Network 13.7  If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Network 13.8  Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
Network 13.9  If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Critical Security Control #14: Controlled Access Based on the Need to Know

Application 14.1  Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Application 14.2  Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Application 14.3  Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as Private VLANs or microsegmentation.
Application 14.4  Encrypt all sensitive information in transit.
Application 14.5  Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider, and update the organization's sensitive information inventory.
Application 14.6  Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Application 14.7  Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.
Application 14.8  Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
Application 14.9  Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Management).
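Sub-controls 13.1 and 14.5 both call for an inventory of sensitive information, and 14.5 says to build it with an active discovery tool. The core of such a tool is pattern matching plus a validator that weeds out false positives, and the snippet below is an added example of that core, written for this page and not taken from CIS or AuditScripts. The file contents are constructed (the AWS key ID is the placeholder value AWS uses in its own documentation), the three data types are an assumed starting set, and a real scanner would also walk the filesystem, open office/PDF containers and write results to the inventory instead of returning a list.

```python
import re

def luhn_valid(digits):
    """Luhn check, used to tell a card number from an arbitrary run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Per data type: regex, post-match validator, and redaction rule for the report.
# Findings are stored redacted so the inventory itself does not become sensitive data.
PATTERNS = {
    "pan": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
            lambda s: luhn_valid(re.sub(r"[ -]", "", s)),
            lambda s: "****" + re.sub(r"[ -]", "", s)[-4:]),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            lambda s: True,
            lambda s: "***-**-" + s[-4:]),
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
            lambda s: True,
            lambda s: s[:8] + "*" * 12),
}

# Constructed file contents standing in for a file-share walk (all values made up;
# AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID, not a live credential).
SAMPLE_FILES = {
    "/share/finance/q1-refunds.csv": "customer,pan,amount\nacme,4111 1111 1111 1111,120.00\nglobex,4111111111111112,80.00\n",
    "/share/hr/notes.txt": "Called about SSN 123-45-6789, follow up Monday.\n",
    "/share/dev/deploy.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nTIMEOUT=30\n",
    "/share/eng/readme.md": "Order number 1234567890123 is fine; nothing sensitive here.\n",
}

def scan_text(text):
    """Return [(kind, redacted_match)] for every validated hit in one text."""
    hits = []
    for kind, (rx, is_valid, redact) in PATTERNS.items():
        for m in rx.finditer(text):
            if is_valid(m.group(0)):
                hits.append((kind, redact(m.group(0))))
    return hits

def scan_files(files):
    """Sub-controls 13.1 / 14.5: produce inventory rows (path, kind, redacted value)."""
    findings = []
    for path, text in files.items():
        for kind, redacted in scan_text(text):
            findings.append({"path": path, "kind": kind, "match": redacted})
    return findings

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['kind']:18} {f['match']:22} {f['path']}")
```

Note the two near misses in the sample: the second card-like number in the CSV and the 13-digit order number both match the PAN regex but fail the Luhn check, which is what keeps a scan of a large share from drowning the inventory in noise.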
Critical Security Control #15: Wireless Access Control

Network 15.1  Maintain an inventory of authorized wireless access points connected to the wired network.
Network 15.2  Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Network 15.3  Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
Network 15.4  Disable wireless access on devices that do not have a business purpose for wireless access.
Network 15.5  Configure wireless access on client machines that do have an essential wireless business purpose to allow access only to authorized wireless networks and to restrict access to other wireless networks.
Network 15.6  Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Network 15.7  Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Network 15.8  Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which require mutual, multi-factor authentication.
Network 15.9  Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is required for a business purpose.
Network 15.10  Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Critical Security Control #16: Account Monitoring and Control

Application 16.1  Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.
Application 16.2  Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
Application 16.3  Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider.
Application 16.4  Encrypt or hash with a salt all authentication credentials when stored.
Application 16.5  Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Application 16.6  Maintain an inventory of all accounts organized by authentication system.
Application 16.7  Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Application 16.8  Disable any account that cannot be associated with a business process or business owner.
Application 16.9  Automatically disable dormant accounts after a set period of inactivity.
Application 16.10  Ensure that all accounts have an expiration date that is monitored and enforced.
Application 16.11  Automatically lock workstation sessions after a standard period of inactivity.
Application 16.12  Monitor attempts to access deactivated accounts through audit logging.
Application 16.13  Alert when users deviate from normal login behavior, such as time-of-day, workstation location and duration.
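Sub-controls 16.8, 16.9, 16.12 and 16.13 are all queries over the same two inputs, the account inventory of 16.6 and the authentication log, so one script serves them. It is an added example for this page, not CIS or AuditScripts code. The accounts and logon events are constructed, the field names are an assumed inventory schema, `NOW` is pinned so the dormancy arithmetic is deterministic, and the behaviour baseline in `login_anomalies` (working hours plus workstations previously seen for that user) is a deliberately simple stand-in for whatever profiling an identity platform provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 4, 9, 0)   # fixed "current time" so the example is deterministic

# Constructed account inventory (sub-control 16.6): owner, status and last successful logon.
ACCOUNTS = {
    "alice":   {"owner": "alice", "status": "active",   "last_login": datetime(2024, 3, 1, 8, 55)},
    "bob":     {"owner": "bob",   "status": "active",   "last_login": datetime(2023, 11, 20, 17, 2)},
    "svc-etl": {"owner": None,    "status": "active",   "last_login": datetime(2024, 2, 28, 2, 0)},
    "carol":   {"owner": "carol", "status": "disabled", "last_login": datetime(2024, 1, 15, 9, 10)},
}

# Constructed logon events: (user, timestamp, workstation, outcome).
LOGONS = [
    ("alice", datetime(2024, 3, 1, 8, 55), "WS-ALICE", "success"),
    ("alice", datetime(2024, 3, 1, 12, 3), "WS-ALICE", "success"),
    ("alice", datetime(2024, 3, 2, 9, 12), "WS-ALICE", "success"),
    ("alice", datetime(2024, 3, 3, 3, 41), "WS-TEMP07", "success"),   # 03:41 from an unseen host
    ("carol", datetime(2024, 3, 3, 10, 5), "WS-CAROL", "failure"),    # attempt on a disabled account
]

def unowned_accounts(accounts):
    """Sub-control 16.8: active accounts with no business owner on record."""
    return sorted(u for u, a in accounts.items() if a["status"] == "active" and not a["owner"])

def dormant_accounts(accounts, now=NOW, max_idle=timedelta(days=90)):
    """Sub-control 16.9: active accounts whose last successful logon is older than max_idle."""
    return sorted(u for u, a in accounts.items()
                  if a["status"] == "active" and now - a["last_login"] > max_idle)

def deactivated_account_attempts(logons, accounts):
    """Sub-control 16.12: any logon attempt, successful or not, against a disabled account."""
    return [(u, ts, ws, outcome) for u, ts, ws, outcome in logons
            if accounts.get(u, {}).get("status") == "disabled"]

def login_anomalies(logons, work_hours=(7, 19)):
    """Sub-control 16.13: flag successful logons outside working hours or from a workstation
    the user has not been seen on before. The per-user baseline is built as events are
    replayed in time order, so a user's first ever workstation is never flagged as new."""
    seen = defaultdict(set)
    anomalies = []
    for user, ts, workstation, outcome in sorted(logons, key=lambda e: e[1]):
        if outcome != "success":
            continue
        reasons = []
        if not work_hours[0] <= ts.hour < work_hours[1]:
            reasons.append(f"outside work hours {work_hours[0]:02d}:00-{work_hours[1]:02d}:00")
        if seen[user] and workstation not in seen[user]:
            reasons.append(f"new workstation {workstation}")
        seen[user].add(workstation)
        if reasons:
            anomalies.append((user, ts, reasons))
    return anomalies

if __name__ == "__main__":
    print("unowned:", unowned_accounts(ACCOUNTS))
    print("dormant (>90d):", dormant_accounts(ACCOUNTS))
    print("attempts on disabled accounts:", deactivated_account_attempts(LOGONS, ACCOUNTS))
    for user, ts, reasons in login_anomalies(LOGONS):
        print(f"ANOMALY {user} {ts:%Y-%m-%d %H:%M}: {'; '.join(reasons)}")
```

The disabled-account check is the reason 16.7 says disable rather than delete: a deleted account leaves nothing for a later attempt to match against, while a disabled one turns every such attempt into a signal.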
Critical Security Control #17: Implement a Security Awareness and Training Program

Application 17.1  Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Application 17.2  Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Application 17.3  Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.
Application 17.4  Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards and business requirements.
Application 17.5  Train workforce members on the importance of enabling and utilizing secure authentication.
Application 17.6  Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.
Application 17.7  Train the workforce on how to identify and properly store, transfer, archive and destroy sensitive information.
Application 17.8  Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
Application 17.9  Train employees to be able to identify the most common indicators of an incident and be able to report such an incident.
Critical Security Control #18: Application Software Security

Application 18.1  Establish secure coding practices appropriate to the programming language and development environment being used.
Application 18.2  For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Application 18.3  Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Application 18.4  Only use up-to-date and trusted third-party components for the software developed by the organization.
Application 18.5  Use only standardized and extensively reviewed encryption algorithms.
Application 18.6  Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Application 18.7  Apply static and dynamic analysis tools to verify that secure co
ding practices are being adhered to for internally developed software.
Application 18.8  Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Application 18.9  Maintain separate environments for production and nonproduction systems. Developers should not have unmonitored access to production environments.
Application 18.10  Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
Application 18.11  For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
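Sub-control 18.2 asks for explicit, documented checks on size, type and range of every input, and 18.1 for coding practices suited to the language. The block below is an added example for this page, not CIS or AuditScripts code: a query built by string formatting next to the two-layer fix, parameter binding so the database never parses user input as SQL, plus an explicit input contract in front of it. The table, rows and the name/page-size constraints are constructed assumptions for the demonstration; sqlite3 is used only because it runs in memory without setup.

```python
import re
import sqlite3

def setup_db():
    """In-memory table with constructed rows so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, email, role) VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "admin"),
        ("bob", "bob@example.com", "user"),
    ])
    return con

# Before: the caller's input is spliced into the SQL text, so it can change the query.
def find_user_vulnerable(con, name):
    return con.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()

# Step 1: bind the value as a parameter; the database never parses it as SQL.
def find_user_parameterized(con, name):
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Step 2 (sub-control 18.2): explicit checks on type, size and format before the value
# reaches any code path (logs, templates, shell commands) that parameter binding does
# not cover. The constraints are an assumed contract for a login name.
NAME_RE = re.compile(r"[a-z][a-z0-9_.-]{0,31}")

class ValidationError(ValueError):
    pass

def validate_name(value):
    if not isinstance(value, str):
        raise ValidationError("name must be a string")
    if not 1 <= len(value) <= 32:
        raise ValidationError("name must be 1 to 32 characters")
    if not NAME_RE.fullmatch(value):
        raise ValidationError("name must be lower-case alphanumeric with _ . -")
    return value

def validate_page_size(value, lo=1, hi=100):
    """Range check for a numeric field; bool is excluded because it is an int subclass."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError("page_size must be an integer")
    if not lo <= value <= hi:
        raise ValidationError(f"page_size must be between {lo} and {hi}")
    return value

def find_user_hardened(con, name):
    return find_user_parameterized(con, validate_name(name))

def rejects(validator, value):
    """True if the validator refuses the value; used for the negative cases."""
    try:
        validator(value)
    except ValidationError:
        return True
    return False

if __name__ == "__main__":
    con = setup_db()
    payload = "x' OR '1'='1"
    print("vulnerable:   ", find_user_vulnerable(con, payload))     # returns every row
    print("parameterized:", find_user_parameterized(con, payload))  # returns nothing
    print("hardened:     ", "rejected" if rejects(validate_name, payload) else "accepted")
```

Binding alone already defeats the injection; the validator is there because the same string will typically also end up in a log line, an error page or an audit record, and 18.2 wants the contract enforced once, at the edge, rather than relied on at each sink.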
Critical Security Control #19: Incident Response and Management

Application 19.1  Ensure that there are written incident response plans that define the roles of personnel as well as the phases of incident handling/management.
Application 19.2  Assign job titles and duties for handling computer and network incidents to specific individuals and ensure tracking and documentation throughout the incident through resolution.
Application 19.3  Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
Application 19.4  Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Application 19.5  Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners.
Application 19.6  Publish information for all workforce members regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
Application 19.7  Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
Application 19.8  Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define the frequency of status updates and escalation procedures.
Critical Security Control #20: Penetration Tests and Red Team Exercises

Application 20.1  Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Application 20.2  Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Application 20.3  Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Application 20.4  Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation.
Application 20.5  Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Application 20.6  Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Application 20.7  Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Application 20.8  Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Master Mappings Tool (v7.1c)