0% found this document useful (0 votes)

771 views46 pages

CIS Controls Version 8.1!6!24 2024

Uploaded by

electrifyings

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

771 views46 pages

CIS Controls Version 8.1!6!24 2024

Uploaded by

electrifyings

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

You are on page 1/ 46

Contact Information

CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

Editor
Josh Franklin

Contributors
Sarah Day
Charity Otwell
Robin Regnier
Thomas Sager
License for Use

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivatives 4.0 International Public
(the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode)

To further clarify the Creative Commons license related to the CIS Controls® content, you are authorized to copy an
redistribute the content as a framework for use by you, within your organization and outside of your organization for
commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided
Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Us
CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS C
order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subje
prior approval of CIS® (Center for Internet Security, Inc.).
Remember to download the CIS Controls Version 8.1 Guide where you can learn more about:

- This Version of the CIS Controls

- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Control critical
- Procedures and tools
https://www.cisecurity.org/controls/v8-1/

A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/cis-controls-navigator

Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
This Version of the CIS Controls

CIS Controls version 8.1 (v8.1) is an iterative update to version 8.0. As part of our process to evolve the CI
that guide us through any minor or major updates to the document. Our design principles for this revision a
enhances the scope and practical applicability of Safeguards by incorporating specific examples and addit
major security frameworks to the extent practical, while preserving the unique features of the CIS Controls
CIS Controls users, ensuring little to no change due to this update. Here are the broad changes we’ve mad

· Context
o We've updated the CIS Controls with new asset classes to better match the specific parts of an en
applies to. New classes require new definitions, so we've also enhanced the descriptions of several S
clarity.
· Coexistence
o The CIS Controls have always maintained alignment with evolving industry standards and framewo
users of the Controls and is a core principle of how the Controls operate. The release of NIST’s CSF 2
updated security functions.
· Consistency
o Traditionally any iterative update to the CIS Controls should minimize disruption to Controls users.
were modified in this update, and the spirit of any given Safeguard remains the same. Additionally, the
be consistently applied throughout the Controls, and in doing so some minor updates were added.

With these principles in mind, we’ve scoped the CIS Controls v8.1 to the following updates:

- Realigned NIST CSF security function mappings to match NIST CSF 2.0
- Included new and expanded glossary definitions for reserved words used throughout the Controls (e.g.
- Revised asset classes, alongside new mappings to Safeguards
- Fixed minor typos in Safeguard descriptions
- Added clarification to a few anemic Safeguard descriptions

One key improvement to CIS Controls v8.1 mapping is the addition of the “Governance” security function. E
needed to steer a cybersecurity program toward achieving their enterprise goals. The Controls were design
and defend cybersecurity programs for any size enterprise, while being prescriptive enough to ease implem
v8.1, governance topics are now specifically identified as recommendations that can be implemented to en
program. This will help our adopters better identify the governing pieces of the program as well as equip th
compliance.

The CIS Controls aim to streamline the process of designing, implementing, measuring, and managing ent
language to reduce duplication, focusing on measurable actions with defined metrics, and ensuring each S
to balance the need to address current cybersecurity challenges with maintaining a stable, foundational cy
complex or inaccessible technologies. Technology is constantly shifting, and the CIS Controls team is awa
augmented reality, and ambient computing working to reshape our enterprise infrastructure in subtle and ra
and already working on ideas for version 9 of the CIS Controls.
CIS CIS Security
Asset Type Title
Control Safeguard Function

Inventory and Control of

1
Enterprise Assets

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

1 1.2 Devices Respond Address Unauthorized Assets

1 1.3 Devices Detect Utilize an Active Discovery Tool

Use Dynamic Host Configuration

1 1.4 Devices Identify Protocol (DHCP) Logging to
Update Enterprise Asset Inventory

Use a Passive Asset Discovery

1 1.5 Devices Detect
Tool

Inventory and Control of

2
Software Assets

Establish and Maintain a Software

2 2.1 Software Identify
Inventory

Ensure Authorized Software is

2 2.2 Software Identify
Currently Supported
2 2.3 Software Respond Address Unauthorized Software
Utilize Automated Software
2 2.4 Software Detect
Inventory Tools
2 2.5 Software Protect Allowlist Authorized Software

2 2.6 Software Protect Allowlist Authorized Libraries

2 2.7 Software Protect Allowlist Authorized Scripts

3 Data Protection

Establish and Maintain a Data

3 3.1 Data Govern
Management Process

Establish and Maintain a Data

3 3.2 Data Identify
Inventory

Configure Data Access Control

3 3.3 Data Protect
Lists
3 3.4 Data Protect Enforce Data Retention

3 3.5 Data Protect Securely Dispose of Data

3 3.6 Data Protect Encrypt Data on End-User Devices

Establish and Maintain a Data

3 3.7 Data Identify
Classification Scheme

3 3.8 Data Identify Document Data Flows

3 3.9 Data Protect Encrypt Data on Removable Media

3 3.10 Data Protect Encrypt Sensitive Data in Transit

3 3.11 Data Protect Encrypt Sensitive Data at Rest

Segment Data Processing and
3 3.12 Data Protect
Storage Based on Sensitivity

Deploy a Data Loss Prevention

3 3.13 Data Protect
Solution
3 3.14 Data Detect Log Sensitive Data Access

Secure Configuration of
4
Enterprise Assets and Software

Establish and Maintain a Secure

4 4.1 Documentation Govern
Configuration Process

Establish and Maintain a Secure

4 4.2 Documentation Govern Configuration Process for Network
Infrastructure

Configure Automatic Session

4 4.3 Devices Protect
Locking on Enterprise Assets

Implement and Manage a Firewall

4 4.4 Devices Protect
on Servers
Implement and Manage a Firewall
4 4.5 Devices Protect
on End-User Devices

Securely Manage Enterprise

4 4.6 Devices Protect
Assets and Software

Manage Default Accounts on

4 4.7 Users Protect
Enterprise Assets and Software

Uninstall or Disable Unnecessary

4 4.8 Devices Protect Services on Enterprise Assets and
Software

Configure Trusted DNS Servers on

4 4.9 Devices Protect
Enterprise Assets

Enforce Automatic Device Lockout

4 4.10 Devices Protect
on Portable End-User Devices

Enforce Remote Wipe Capability on

4 4.11 Data Protect
Portable End-User Devices
Separate Enterprise Workspaces
4 4.12 Data Protect
on Mobile End-User Devices

5 Account Management

Establish and Maintain an Inventory

5 5.1 Users Identify
of Accounts

5 5.2 Users Protect Use Unique Passwords

5 5.3 Users Protect Disable Dormant Accounts

Restrict Administrator Privileges to
5 5.4 Users Protect
Dedicated Administrator Accounts

Establish and Maintain an Inventory

5 5.5 Users Identify
of Service Accounts
5 5.6 Users Govern Centralize Account Management
6 Access Control Management
Establish an Access Granting
6 6.1 Documentation Govern
Process

Establish an Access Revoking

6 6.2 Documentation Govern
Process

Require MFA for Externally-

6 6.3 Users Protect
Exposed Applications

6 6.7 Users Protect Centralize Access Control

Define and Maintain Role-Based

6 6.8 Users Govern
Access Control
Continuous Vulnerability
7
Management

Establish and Maintain a

7 7.1 Documentation Govern
Vulnerability Management Process

Establish and Maintain a

7 7.2 Documentation Govern
Remediation Process
Perform Automated Operating
7 7.3 Software Protect
System Patch Management
Perform Automated Application
7 7.4 Software Protect
Patch Management

Perform Automated Vulnerability

7 7.5 Software Identify
Scans of Internal Enterprise Assets

Perform Automated Vulnerability

7 7.6 Software Identify Scans of Externally-Exposed
Enterprise Assets

7 7.7 Software Respond Remediate Detected Vulnerabilities

8 Audit Log Management

Establish and Maintain an Audit

8 8.1 Documentation Govern
Log Management Process

8 8.2 Data Detect Collect Audit Logs

Ensure Adequate Audit Log
8 8.3 Data Protect
Storage
8 8.4 Data Protect Standardize Time Synchronization

8 8.5 Data Detect Collect Detailed Audit Logs

8 8.6 Data Detect Collect DNS Query Audit Logs

8 8.7 Data Detect Collect URL Request Audit Logs

8 8.8 Data Detect Collect Command-Line Audit Logs

8 8.9 Data Detect Centralize Audit Logs

8 8.10 Data Protect Retain Audit Logs

8 8.11 Data Detect Conduct Audit Log Reviews

8 8.12 Data Detect Collect Service Provider Logs

Email and Web Browser

9
Protections
Ensure Use of Only Fully
9 9.1 Software Protect Supported Browsers and Email
Clients

9 9.2 Devices Protect Use DNS Filtering Services

Maintain and Enforce Network-

9 9.3 Network Protect
Based URL Filters

Restrict Unnecessary or
9 9.4 Software Protect Unauthorized Browser and Email
Client Extensions

9 9.5 Network Protect Implement DMARC

Configure Automatic Anti-Malware

10 10.4 Devices Detect
Scanning of Removable Media

10 10.5 Devices Protect Enable Anti-Exploitation Features

Centrally Manage Anti-Malware

10 10.6 Devices Protect
Software
Use Behavior-Based Anti-Malware
10 10.7 Devices Detect
Software
11 Data Recovery
Establish and Maintain a Data
11 11.1 Documentation Govern
Recovery Process

11 11.2 Data Recover Perform Automated Backups

11 11.3 Data Protect Protect Recovery Data

Establish and Maintain an Isolated

11 11.4 Data Recover
Instance of Recovery Data
11 11.5 Data Recover Test Data Recovery
Network Infrastructure
12
Management

Ensure Network Infrastructure is

12 12.1 Network Protect
Up-to-Date

Establish and Maintain a Secure

12 12.2 Network Protect
Network Architecture
Securely Manage Network
12 12.3 Network Protect
Infrastructure

Establish and Maintain Architecture

12 12.4 Documentation Govern
Diagram(s)

Centralize Network Authentication,

12 12.5 Network Protect
Authorization, and Auditing (AAA)

Use of Secure Network

12 12.6 Network Protect Management and Communication
Protocols
Ensure Remote Devices Utilize a
12 12.7 Devices Protect VPN and are Connecting to an
Enterprise’s AAA Infrastructure

Establish and Maintain Dedicated

12 12.8 Devices Protect Computing Resources for All
Administrative Work

13 Network Monitoring and Defense

13 13.1 Network Detect Centralize Security Event Alerting

Deploy a Host-Based Intrusion
13 13.2 Devices Detect
Detection Solution

Deploy a Network Intrusion

13 13.3 Network Detect
Detection Solution

Perform Traffic Filtering Between

13 13.4 Network Protect
Network Segments

Manage Access Control for Remote

13 13.5 Devices Protect
Assets

13 13.6 Network Detect Collect Network Traffic Flow Logs

Deploy a Host-Based Intrusion

13 13.7 Devices Protect
Prevention Solution

Deploy a Network Intrusion

13 13.8 Network Protect
Prevention Solution
13 13.9 Network Protect Deploy Port-Level Access Control

13 13.10 Network Protect Perform Application Layer Filtering

Tune Security Event Alerting
13 13.11 Network Detect
Thresholds

Security Awareness and Skills

14
Training

Establish and Maintain a Security

14 14.1 Documentation Govern
Awareness Program

Train Workforce Members to

14 14.2 Users Protect Recognize Social Engineering
Attacks
Train Workforce Members on
14 14.3 Users Protect
Authentication Best Practices

Train Workforce on Data Handling

14 14.4 Users Protect
Best Practices

Train Workforce Members on

14 14.5 Users Protect Causes of Unintentional Data
Exposure
Train Workforce Members on
14 14.6 Users Protect Recognizing and Reporting
Security Incidents
Train Workforce on How to Identify
and Report if Their Enterprise
14 14.7 Users Protect
Assets are Missing Security
Updates
Train Workforce on the Dangers of
Connecting to and Transmitting
14 14.8 Users Protect
Enterprise Data Over Insecure
Networks

Conduct Role-Specific Security

14 14.9 Users Protect
Awareness and Skills Training

15 Service Provider Management

Establish and Maintain an Inventory

15 15.1 Users Identify
of Service Providers

Establish and Maintain a Service

15 15.2 Documentation Govern
Provider Management Policy

15 15.3 Users Govern Classify Service Providers

Ensure Service Provider Contracts

15 15.4 Documentation Govern
Include Security Requirements

15 15.5 Users Govern Assess Service Providers

15 15.6 Data Govern Monitor Service Providers

Securely Decommission Service
15 15.7 Data Protect
Providers

16 Application Software Security

Establish and Maintain a Secure

16 16.1 Documentation Govern
Application Development Process

Establish and Maintain a Process

16 16.2 Documentation Govern to Accept and Address Software
Vulnerabilities

Perform Root Cause Analysis on

16 16.3 Software Protect
Security Vulnerabilities

Establish and Manage an Inventory

16 16.4 Software Identify of Third-Party Software
Components

Use Up-to-Date and Trusted Third-

16 16.5 Software Protect
Party Software Components

Establish and Maintain a Severity

16 16.6 Documentation Govern Rating System and Process for
Application Vulnerabilities

Use Standard Hardening

16 16.7 Software Protect Configuration Templates for
Application Infrastructure

Separate Production and Non-

16 16.8 Network Protect
Production Systems

Train Developers in Application

16 16.9 Users Protect Security Concepts and Secure
Coding
Apply Secure Design Principles in
16 16.10 Software Protect
Application Architectures

Leverage Vetted Modules or

16 16.11 Software Identify Services for Application Security
Components

Implement Code-Level Security

16 16.12 Software Protect
Checks

Conduct Application Penetration

16 16.13 Software Govern
Testing

16 16.14 Software Protect Conduct Threat Modeling

17 Incident Response Management

Designate Personnel to Manage

17 17.1 Users Respond
Incident Handling

Establish and Maintain Contact

17 17.2 Documentation Govern Information for Reporting Security
Incidents

Establish and Maintain an

17 17.3 Documentation Govern Enterprise Process for Reporting
Incidents

Establish and Maintain an Incident

17 17.4 Documentation Govern
Response Process
Assign Key Roles and
17 17.5 Users Respond
Responsibilities

Define Mechanisms for

17 17.6 Users Respond Communicating During Incident
Response

Conduct Routine Incident

17 17.7 Users Recover
Response Exercises

17 17.8 Users Recover Conduct Post-Incident Reviews

Establish and Maintain Security

17 17.9 Documentation Recover
Incident Thresholds

18 Penetration Testing

Establish and Maintain a

18 18.1 Documentation Govern
Penetration Testing Program

Perform Periodic External

18 18.2 Network Detect
Penetration Tests

Remediate Penetration Test

18 18.3 Network Protect
Findings

18 18.4 Network Protect Validate Security Measures

Perform Periodic Internal
18 18.5 Network Detect
Penetration Tests
Description

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including
portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers
connected to the infrastructure physically, virtually, remotely, and those within cloud environments
accurately know the totality of assets that need to be monitored and protected within the enterprise
This will also support identifying unauthorized and unmanaged assets to remove or remediate.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the
potential to store or process data, to include: end-user devices (including portable and mobile), network
devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if sta
hardware address, machine name, enterprise asset owner, department for each asset, and whether the as
has been approved to connect to the network. For mobile end-user devices, MDM type tools can support t
process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtu
remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected
the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and upd
the inventory of all enterprise assets bi-annually, or more frequently.

Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choos
remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine
asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the activ
discovery tool to execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the
enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or mo
frequently.

Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use sca
to update the enterprise’s asset inventory at least weekly, or more frequently.

Actively manage (inventory, track, and correct) all software (operating systems and applications) o
the network so that only authorized software is installed and can execute, and that unauthorized an
unmanaged software is found and prevented from installation or execution.

Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The
software inventory must document the title, publisher, initial install/use date, and business purpose for eac
entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployme
mechanism, and decommission date. Review and update the software inventory bi-annually, or more
frequently.
Ensure that only currently supported software is designated as authorized in the software inventory for
enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission,
document an exception detailing mitigating controls and residual risk acceptance. For any unsupported
software without an exception documentation, designate as unauthorized. Review the software list to verify
software support at least monthly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documen
exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and
documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized software can execut
be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so
files, are allowed to load into a system process. Block unauthorized libraries from loading into a system
process. Reassess bi-annually, or more frequently.
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts
such as specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing.
Reassess bi-annually, or more frequently.
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose
data.
Establish and maintain a documented data management process. In the process, address data sensitivity,
data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and
retention standards for the enterprise. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a data inventory based on the enterprise’s data management process. Inventory
sensitive data annually, at a minimum. Review and update inventory annually, at a minimum, with a priority
sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access control lists, also
known as access permissions, to local and remote file systems, databases, and applications.
Retain data according to the enterprise’s documented data management process. Data retention must incl
both minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure th
disposal process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windo
BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels
such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review a
update the classification scheme annually, or when significant enterprise changes occur that could impact
Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should be based
the enterprise’s data management process. Review and update documentation annually, or when significa
enterprise changes occur that could impact this Safeguard.

Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) an
Open Secure Shell (OpenSSH).
Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also know
as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption metho
may include application-layer encryption, also known as client-side encryption, where access to the data
storage device(s) does not permit access to the plain-text data.
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data o
enterprise assets intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitiv
data stored, processed, or transmitted through enterprise assets, including those located onsite or at a rem
service provider, and update the enterprise's data inventory.
Log sensitive data access, including modification and disposal.
Establish and maintain the secure configuration of enterprise assets (end-user devices, including
portable and mobile; network devices; non-computing/IoT devices; and servers) and software
(operating systems and applications).
Establish and maintain a documented secure configuration process for enterprise assets (end-user device
including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems a
applications). Review and update documentation annually, or when significant enterprise changes occur th
could impact this Safeguard.

Establish and maintain a documented secure configuration process for network devices. Review and upda
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Configure automatic session locking on enterprise assets after a defined period of inactivity. For general
purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the peri
must not exceed two (2) minutes.
Implement and manage a firewall on servers, where supported. Example implementations include a virtual
firewall, operating system firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny
that drops all traffic except those services and ports that are explicitly allowed.

Securely manage enterprise assets and software. Example implementations include managing configuratio
through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secur
network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not u
insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essen
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-
configured vendor accounts. Example implementations can include: disabling default accounts or making
them unusable.

Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharin
service, web application module, or service function.

Configure trusted DNS servers on network infrastructure. Example implementations include configuring
network devices to use enterprise-controlled DNS servers and/or reputable externally accessible DNS serv
Enforce automatic device lockout following a predetermined threshold of local failed authentication attempt
on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authenticatio
attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example
implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile
maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriat
such as lost or stolen devices, or when an individual no longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example
implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate
enterprise applications and data from personal applications and data.

Use processes and tools to assign and manage authorization to credentials for user accounts,
including administrator accounts, as well as service accounts, to enterprise assets and software.

Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a
minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should
contain the person’s name, username, start/stop dates, and department. Validate that all active accounts a
authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8
character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for
accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct genera
computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, n
privileged account.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain
department owner, review date, and purpose. Perform service account reviews to validate that all active
accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.
Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
user, administrator, and service accounts for enterprise assets and software.
Establish and follow a documented process, preferably automated, for granting access to enterprise assets
upon new hire or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through
disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling
accounts, instead of deleting accounts, may be necessary to preserve audit trails.

Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported.
Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safegua

Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether
managed on-site or through a service provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including
those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum,
annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider, where
supported.
Define and maintain role-based access control, through determining and documenting the access rights
necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access
control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at
minimum annually, or more frequently.
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the
enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for
attackers. Monitor public and private industry sources for new threat and vulnerability information.

Establish and maintain a documented vulnerability management process for enterprise assets. Review and
update documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation process, with mont
or more frequent, reviews.
Perform operating system updates on enterprise assets through automated patch management on a mont
or more frequent, basis.
Perform application updates on enterprise assets through automated patch management on a monthly, or
more frequent, basis.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis
Conduct both authenticated and unauthenticated scans.

Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a month
or more frequent, basis.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more freque
basis, based on the remediation process.
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover
from an attack.
Establish and maintain a documented audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise asse
Review and update documentation annually, or when significant enterprise changes occur that could impa
this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log
management process.
Standardize time synchronization. Configure at least two synchronized time sources across enterprise ass
where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date
username, timestamp, source addresses, destination addresses, and other useful elements that could ass
in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell ®
BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance
with the documented audit log management process. Example implementations include leveraging a SIEM
tool to centralize multiple log sources.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat
Conduct reviews on a weekly, or more frequent, basis.

Collect service provider logs, where supported. Example implementations include collecting authentication
and authorization events, data creation and disposal events, and user management events.

Improve protections and detections of threats from email and web vectors, as these are opportunit
for attackers to manipulate human behavior through direct engagement.

Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using
latest version of browsers and email clients provided through the vendor.

Use DNS filtering services on all end-user devices, including remote and on-premises assets, to block acc
to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially
malicious or unapproved websites. Example implementations include category-based filtering, reputation-
based filtering, or through the use of block lists. Enforce filters for all enterprise assets.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client
plugins, extensions, and add-on applications.

To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and
verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified
Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxi
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts
enterprise assets.
Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.

Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® D
Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity
Protection (SIP) and Gatekeeper™.

Centrally manage anti-malware software.

Use behavior-based anti-malware software.

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a
pre-incident and trusted state.
Establish and maintain a documented data recovery process. In the process, address the scope of data
recovery activities, recovery prioritization, and the security of backup data. Review and update documenta
annually, or when significant enterprise changes occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based
the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation
based on requirements.

Establish and maintain an isolated instance of recovery data. Example implementations include, version
controlling backup destinations through offline, cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
attackers from exploiting vulnerable network services and access points.
Ensure network infrastructure is kept up to date. Example implementations include running the latest stable
release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review softwa
versions monthly, or more frequently, to verify software support.
Design and maintain a secure network architecture. A secure network architecture must address segmentation, leas
privilege, and availability, at a minimum. Example implementations will not solely include documentation, but also po
and design components.
Securely manage network infrastructure. Example implementations include version-controlled Infrastructur
as-Code (IaC) and the use of secure network protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and
update documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.

Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2
(WPA2) Enterprise or greater).

Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing
enterprise resources on end-user devices.

Establish and maintain dedicated computing resources, either physically or logically separated, for all
administrative tasks or tasks requiring administrative access. The computing resources should be segmen
from the enterprise's primary network and not be allowed internet access.

Operate processes and tooling to establish and maintain comprehensive network monitoring and
defense against security threats across the enterprise’s network infrastructure and user base.

Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice
implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log
analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported

Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example
implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud servi
provider (CSP) service.

Perform traffic filtering between network segments, where appropriate.

Manage access control for assets remotely connecting to enterprise resources. Determine amount of acce
to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance wit
the enterprise’s secure configuration process, and ensuring the operating system and applications are up t
date.

Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supporte
Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based
agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the u
of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access contro
protocols, such as certificates, and may incorporate user and/or device authentication.
Perform application layer filtering. Example implementations include a filtering proxy, application layer firew
or gateway.
Tune security event alerting thresholds monthly, or more frequently.

Establish and maintain a security awareness program to influence behavior among the workforce t
security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Establish and maintain a security awareness program. The purpose of a security awareness program is to
educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner.
Conduct training at hire and, at a minimum, annually. Review and update content annually, or when signific
enterprise changes occur that could impact this Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing, business email
compromise (BEC), pretexting, and tailgating.

Train workforce members on authentication best practices. Example topics include MFA, password
composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive da
This also includes training workforce members on clear screen and desk best practices, such as locking th
screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the en
meetings, and storing data and assets securely.

Train workforce members to be aware of causes for unintentional data exposure. Example topics include m
delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an inciden

Train workforce to understand how to verify and report out-of-date software patches or any failures in
automated processes and tools. Part of this training should include notifying IT personnel of any failures in
automated processes and tools.

Train workforce members on the dangers of connecting to and transmitting data over insecure networks fo
enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all
users securely configure their home network infrastructure.

Conduct role-specific security awareness and skills training. Example implementations include secure syst
administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention train
for web application developers, and advanced social engineering awareness training for high-profile roles.

Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
enterprise’s critical IT platforms or processes, to ensure these providers are protecting those
platforms and data appropriately.

Establish and maintain an inventory of service providers. The inventory is to list all known service providers
include classification(s), and designate an enterprise contact for each service provider. Review and update
inventory annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a service provider management policy. Ensure the policy addresses the classificati
inventory, assessment, monitoring, and decommissioning of service providers. Review and update the poli
annually, or when significant enterprise changes occur that could impact this Safeguard.

Classify service providers. Classification consideration may include one or more characteristics, such as d
sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk.
Update and review classifications annually, or when significant enterprise changes occur that could impact
Safeguard.
Ensure service provider contracts include security requirements. Example requirements may include minim
security program requirements, security incident and/or data breach notification and response, data encryp
requirements, and data disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts annually to ensure
contracts are not missing security requirements.
Assess service providers consistent with the enterprise’s service provider management policy. Assessmen
scope may vary based on classification(s) and may include review of standardized assessment reports, su
as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (A
customized questionnaires, or other appropriately rigorous processes. Reassess service providers annuall
a minimum, or with new and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring
include periodic reassessment of service provider compliance, monitoring service provider release notes, a
dark web monitoring.
Securely decommission service providers. Example considerations include user and service account
deactivation, termination of data flows, and secure disposal of enterprise data within service provider syste

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, dete
and remediate security weaknesses before they can impact the enterprise.

Establish and maintain a secure application development process. In the process, address such items as:
secure application design standards, secure coding practices, developer training, vulnerability managemen
security of third-party code, and application security testing procedures. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software vulnerabilities, including provid
a means for external entities to report. The process is to include such items as: a vulnerability handling pol
that identifies reporting process, responsible party for handling vulnerability reports, and a process for intak
assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking syste
that includes severity ratings and metrics for measuring timing for identification, analysis, and remediation
vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur t
could impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that helps to set
expectations for outside stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis
the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams
move beyond just fixing individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development, often referred
as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks th
each third-party component could pose. Evaluate the list at least monthly to identify any changes or update
these components, and validate that the component is still supported.
Use up-to-date and trusted third-party software components. When possible, choose established and prov
frameworks and libraries that provide adequate security. Acquire these components from trusted sources o
evaluate the software for vulnerabilities before use.
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates
prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum
level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of
triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed fir
Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for application infrastructure
components. This includes underlying servers, databases, and web servers, and applies to cloud containe
Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed softw
to weaken configuration hardening.

Maintain separate environments for production and non-production systems.

Ensure that all software development personnel receive training in writing secure code for their specific
development environment and responsibilities. Training can include general security principles and applica
security standard practices. Conduct training at least annually and design in a way to promote security with
the development team, and build a culture of security among the developers.
Apply secure design principles in application architectures. Secure design principles include the concept o
least privilege and enforcing mediation to validate every operation that the user makes, promoting the conc
of "never trust user input." Examples include ensuring that explicit error checking is performed and
documented for all input, including for size, data type, and acceptable ranges or formats. Secure design al
means minimizing the application infrastructure attack surface, such as turning off unprotected ports and
services, removing unnecessary programs and files, and renaming or removing default accounts.

Leverage vetted modules or services for application security components, such as identity management,
encryption, and auditing and logging. Using platform features in critical security functions will reduce
developers’ workload and minimize the likelihood of design or implementation errors. Modern operating
systems provide effective mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewe
encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit lo

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practice
are being followed.
Conduct application penetration testing. For critical applications, authenticated penetration testing is better
suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetra
testing relies on the skill of the tester to manually manipulate an application as an authenticated and
unauthenticated user.

Conduct threat modeling. Threat modeling is the process of identifying and addressing application security
design flaws within a design, before code is created. It is conducted through specially trained individuals w
evaluate the application design and gauge security risks for each entry point and access level. The goal is
map out the application, architecture, and infrastructure in a structured way to understand its weaknesses.

Establish a program to develop and maintain an incident response capability (e.g., policies, plans,
procedures, defined roles, training, and communications) to prepare, detect, and quickly respond t
attack.
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling
process. Management personnel are responsible for the coordination and documentation of incident respo
and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid
approach. If using a service provider, designate at least one person internal to the enterprise to oversee an
third-party work. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain contact information for parties that need to be informed of security incidents. Conta
may include internal staff, service vendors, law enforcement, cyber insurance providers, relevant governm
agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up to date.
Establish and maintain a documented enterprise process for the workforce to report security incidents. The
process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum
information to be reported. Ensure the process is publicly available to all of the workforce. Review annually
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a documented incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant enterprise
changes occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT, information securi
facilities, public relations, human resources, incident responders, and analysts. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and report during a
security incident. Mechanisms can include phone calls, emails, secure chat, or notification letters. Keep in
mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually
when significant enterprise changes occur that could impact this Safeguard.

Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incid
response process to prepare for responding to real-world incidents. Exercises need to test communication
channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum.

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying
lessons learned and follow-up action.
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an
incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, d
breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could imp
this Safeguard.
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting
weaknesses in controls (people, processes, and technology), and simulating the objectives and
actions of an attacker.

Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and
maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web
application, Application Programming Interface (API), hosted services, and physical premise controls;
frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information;
remediation, such as how findings will be routed internally; and retrospective requirements.

Perform periodic external penetration tests based on program requirements, no less than annually. Externa
penetration testing must include enterprise and environmental reconnaissance to detect exploitable
information. Penetration testing requires specialized skills and experience and must be conducted through
qualified party. The testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s documented vulnerability remediation proce
This should include determining a timeline and level of effort based on the impact and prioritization of each
identified finding.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilit
to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than annually. The tes
may be clear box or opaque box.
IG1 IG2 IG3

x x x

x x

x x x

x x x
x x x

x x

x x x

x x

x x
x x

x x x

x x

x x
x

x x x

x x

x x x

x x

x
x x x

x x x

x x

x x x

x x

x x
x x

x x

x x
x x

x x x

x x

x x x

x x

x x
x x x

x x x

x x

x x x

x x

x x
x x

x x

x x x

x x x
x x x

x x x

x x

x x x

x x

x
x

x x

x x
x x

x x

x x x

x x
x x

x x

DORA Compliance Tracker - ISO 27001 - 2022 Mapping
No ratings yet
DORA Compliance Tracker - ISO 27001 - 2022 Mapping
4 pages
CIS Controls v8.1 Mapping To NIST CSF v2.0 6-24-2024 Final 1
No ratings yet
CIS Controls v8.1 Mapping To NIST CSF v2.0 6-24-2024 Final 1
92 pages
CIS v.8.1
No ratings yet
CIS v.8.1
1 page
Gap Assessment For 27017
No ratings yet
Gap Assessment For 27017
9 pages
CIS Controls and Sub-Controls Mapping To ISO
No ratings yet
CIS Controls and Sub-Controls Mapping To ISO
47 pages
CIS Controls v8 Mapping To SOC2 Final 08-19-2021
No ratings yet
CIS Controls v8 Mapping To SOC2 Final 08-19-2021
105 pages
Introduction Recursive Programming
No ratings yet
Introduction Recursive Programming
303 pages
Talakunchi - Scoping Questionnaires (Combined)
No ratings yet
Talakunchi - Scoping Questionnaires (Combined)
7 pages
How ManageEngine Can Help You in Complying With The ISO 20000 Standard
No ratings yet
How ManageEngine Can Help You in Complying With The ISO 20000 Standard
75 pages
ISMS Implementation. Using COBIT For Inspiration: Cobit (By Isaca) : Core Books
No ratings yet
ISMS Implementation. Using COBIT For Inspiration: Cobit (By Isaca) : Core Books
5 pages
10 - Risk RASC
No ratings yet
10 - Risk RASC
2 pages
Nist SP 800-161
100% (1)
Nist SP 800-161
283 pages
Materi Soal US
No ratings yet
Materi Soal US
4 pages
Acceptable Usage Policy - v.2.0
No ratings yet
Acceptable Usage Policy - v.2.0
6 pages
DataGuard ISO27001 Implementation Roadmap UK
No ratings yet
DataGuard ISO27001 Implementation Roadmap UK
10 pages
Unit 3 - Threat Modelling
No ratings yet
Unit 3 - Threat Modelling
13 pages
Azure Cost Management
No ratings yet
Azure Cost Management
1 page
Lecture - IsPDM
No ratings yet
Lecture - IsPDM
105 pages
NIST CSF Auditor Checklist: Function Category Identify (Id)
No ratings yet
NIST CSF Auditor Checklist: Function Category Identify (Id)
21 pages
NIST CSF Vs ISO
No ratings yet
NIST CSF Vs ISO
31 pages
Secure Development Lifecycle (4th Copy)
No ratings yet
Secure Development Lifecycle (4th Copy)
16 pages
CDI2 COBIT-2019-Design-Toolkit TKT Eng 1218
No ratings yet
CDI2 COBIT-2019-Design-Toolkit TKT Eng 1218
59 pages
It Audit Execution Tools Book 3
100% (1)
It Audit Execution Tools Book 3
65 pages
ISO 27001 Checklist A Step by Step Guide Hicomply v2
No ratings yet
ISO 27001 Checklist A Step by Step Guide Hicomply v2
12 pages
Info Security Policy
No ratings yet
Info Security Policy
21 pages
Cybersecurity and Cyber Resilience Framework (CSCRF) For SEBI Regulated Entities (REs)
No ratings yet
Cybersecurity and Cyber Resilience Framework (CSCRF) For SEBI Regulated Entities (REs)
205 pages
Integration of ITIL V3 ISO 20000 and ISO
No ratings yet
Integration of ITIL V3 ISO 20000 and ISO
18 pages
CyBOk Mapping Reference v1.1
No ratings yet
CyBOk Mapping Reference v1.1
39 pages
Gamma Ray Log - Schlumberger
No ratings yet
Gamma Ray Log - Schlumberger
2 pages
Clock Synchronization Procedure
100% (1)
Clock Synchronization Procedure
12 pages
Isms Policy List
No ratings yet
Isms Policy List
6 pages
Secure Data in The Age of AI With Microsoft Purview - L100 Pitch Deck
No ratings yet
Secure Data in The Age of AI With Microsoft Purview - L100 Pitch Deck
52 pages
Day 5 Software Development Security
No ratings yet
Day 5 Software Development Security
98 pages
ISO27001 2022 Self Assessment Checklist V1
No ratings yet
ISO27001 2022 Self Assessment Checklist V1
10 pages
CIS Benchmark
No ratings yet
CIS Benchmark
39 pages
Information Security Classification Policy: 1. Strategic Plan Theme and Compliance Obligation Supported 2. Purpose
No ratings yet
Information Security Classification Policy: 1. Strategic Plan Theme and Compliance Obligation Supported 2. Purpose
3 pages
Isms Implementation Iso 27003
No ratings yet
Isms Implementation Iso 27003
5 pages
NIST SP 800-53r5 PDF
No ratings yet
NIST SP 800-53r5 PDF
483 pages
Secure Development and Managing Technical Debt
No ratings yet
Secure Development and Managing Technical Debt
66 pages
CIS Controls v8 Mapping To GSMA FS.31 Baseline Security Controls v2.0
No ratings yet
CIS Controls v8 Mapping To GSMA FS.31 Baseline Security Controls v2.0
106 pages
CISO Brochure Download 1
No ratings yet
CISO Brochure Download 1
12 pages
Network Security Audit Checklist
No ratings yet
Network Security Audit Checklist
1 page
Am Admin Guide en 4.0.7.1
No ratings yet
Am Admin Guide en 4.0.7.1
70 pages
CIS Google Chrome Benchmark v1.2.0
No ratings yet
CIS Google Chrome Benchmark v1.2.0
48 pages
Unlocking Technology Iveco
No ratings yet
Unlocking Technology Iveco
14 pages
NIS 2 Requirements - ENG
No ratings yet
NIS 2 Requirements - ENG
6 pages
Security Policies
No ratings yet
Security Policies
10 pages
PCI DSS v3.2 Vs ISO 27001 2013 - 160729
No ratings yet
PCI DSS v3.2 Vs ISO 27001 2013 - 160729
99 pages
Security Audit - IsO 27001 2022, CSDI Based Framework - Harpreet Singh ISO 27001-2022 - LA
No ratings yet
Security Audit - IsO 27001 2022, CSDI Based Framework - Harpreet Singh ISO 27001-2022 - LA
44 pages
Iso 27000
100% (1)
Iso 27000
10 pages
Hap PDF
No ratings yet
Hap PDF
51 pages
ISMSLA PPT Handouts
No ratings yet
ISMSLA PPT Handouts
144 pages
Blueprint For Ransomware Defense - 0523
100% (1)
Blueprint For Ransomware Defense - 0523
22 pages
Linear Programming - Graphical Method
No ratings yet
Linear Programming - Graphical Method
17 pages
Ug471 7series SelectIO PDF
No ratings yet
Ug471 7series SelectIO PDF
188 pages
Mequannint Munye
No ratings yet
Mequannint Munye
121 pages
Final - Advanced OS Presentation GroupE
No ratings yet
Final - Advanced OS Presentation GroupE
21 pages
Cis Controls V7.1: Center For Internet Security
No ratings yet
Cis Controls V7.1: Center For Internet Security
5 pages
G H Raisoni Institute of Engineering & Technology: Instructions To Paper Setter/Moderator
No ratings yet
G H Raisoni Institute of Engineering & Technology: Instructions To Paper Setter/Moderator
3 pages
Incident Response Playbook
No ratings yet
Incident Response Playbook
17 pages
Fuji FRENIC RS485 Manual
No ratings yet
Fuji FRENIC RS485 Manual
1 page
Pengelolaan Keamanan Informasi 2024 Juli
No ratings yet
Pengelolaan Keamanan Informasi 2024 Juli
101 pages
NIST SP 800-53r5-Draft
No ratings yet
NIST SP 800-53r5-Draft
481 pages
IT-Grundschutz-catalogues 15th Version - 2015 Draft
No ratings yet
IT-Grundschutz-catalogues 15th Version - 2015 Draft
4,727 pages
The State of Marketing Attribution: Shane Murphy
No ratings yet
The State of Marketing Attribution: Shane Murphy
44 pages
Linear Block Code Matlab
No ratings yet
Linear Block Code Matlab
1 page
Information Security Vs Cybersecurity
No ratings yet
Information Security Vs Cybersecurity
1 page
Business Consulting - Risk Consulting - Tech Risk - JD
No ratings yet
Business Consulting - Risk Consulting - Tech Risk - JD
3 pages
Penetration Testing Guidance v1 - 1
No ratings yet
Penetration Testing Guidance v1 - 1
44 pages
BT-PON BT-221XR XPON ONU ONT Datasheet
No ratings yet
BT-PON BT-221XR XPON ONU ONT Datasheet
5 pages
World Fip Protocol
No ratings yet
World Fip Protocol
47 pages
Adwea Ims It MGMT PLC v1.0
No ratings yet
Adwea Ims It MGMT PLC v1.0
93 pages
Dealer Inventory List: Latest As of November 13, 2023
No ratings yet
Dealer Inventory List: Latest As of November 13, 2023
5 pages
Athena InfoSec - Data Masking Policy Template
No ratings yet
Athena InfoSec - Data Masking Policy Template
4 pages
Training Schedule
No ratings yet
Training Schedule
2 pages
Project
No ratings yet
Project
3 pages
Class Work
No ratings yet
Class Work
4 pages
Critique On A Film Director's Approach To Managing Creativity
No ratings yet
Critique On A Film Director's Approach To Managing Creativity
2 pages
Answers of Assembly Question
No ratings yet
Answers of Assembly Question
3 pages
Assignment 1
No ratings yet
Assignment 1
4 pages
Eric Sia Siew Wei - 19000760 - Case Study - 7.1
No ratings yet
Eric Sia Siew Wei - 19000760 - Case Study - 7.1
5 pages
Digital Signal Processing Tutorial Questions
No ratings yet
Digital Signal Processing Tutorial Questions
1 page
Trendy Number
No ratings yet
Trendy Number
3 pages
MOS - IsO 27001 2022 Mandatory Documents List
No ratings yet
MOS - IsO 27001 2022 Mandatory Documents List
11 pages
ROPS Remove&install
No ratings yet
ROPS Remove&install
3 pages
BT131 8D Haopin
No ratings yet
BT131 8D Haopin
5 pages
Product Info C 1 ULO A Laboratory Oven AX en
No ratings yet
Product Info C 1 ULO A Laboratory Oven AX en
3 pages
ISO 38500 Complete Self-Assessment Guide
From Everand
ISO 38500 Complete Self-Assessment Guide
Gerardus Blokdyk
2/5 (1)
ISO 20000 Second Edition
From Everand
ISO 20000 Second Edition
Gerardus Blokdyk
No ratings yet
IT Audit Field Manual: Strengthen your cyber defense through proactive IT auditing
From Everand
IT Audit Field Manual: Strengthen your cyber defense through proactive IT auditing
Lewis Heuermann
No ratings yet