CIS Controls v8 and Mapping To ISO27002

CIS CIS Security
Asset Type Title

Control Safeguard Function
Inventory and Control of

1
Enterprise Assets
Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory
1 1.2 Devices Respond Address Unauthorized Assets
1 1.3 Devices Detect Utilize an Active Discovery Tool
Use Dynamic Host Configuration

1 1.4 Devices Identify Protocol (DHCP) Logging to Update
Use a Passive Asset Discovery

1 1.5 Devices Detect
Tool
Inventory and Control of

2
Software Assets
Establish and Maintain a Software

2 2.1 Applications Identify
Inventory
Ensure Authorized Software is

Currently Supported
2 2.3 Applications Respond Address Unauthorized Software
Utilize Automated Software
2 2.4 Applications Detect
Inventory Tools
2 2.5 Applications Protect Allowlist Authorized Software
2 2.6 Applications Protect Allowlist Authorized Libraries
2 2.7 Applications Protect Allowlist Authorized Scripts
3 Data Protection
Establish and Maintain a Data

3 3.1 Data Identify
Management Process

3 3.2 Data Identify
Inventory
Configure Data Access Control

3 3.3 Data Protect
Lists
3 3.4 Data Protect Enforce Data Retention
3 3.5 Data Protect Securely Dispose of Data
3 3.6 Devices Protect Encrypt Data on End-User Devices

3 3.7 Data Identify
Classification Scheme
3 3.8 Data Identify Document Data Flows
3 3.9 Data Protect Encrypt Data on Removable Media
3 3.10 Data Protect Encrypt Sensitive Data in Transit
3 3.11 Data Protect Encrypt Sensitive Data at Rest

Segment Data Processing and
3 3.12 Network Protect
Storage Based on Sensitivity
Deploy a Data Loss Prevention

3 3.13 Data Protect
Solution
3 3.14 Data Detect Log Sensitive Data Access
Secure Configuration of
4
Enterprise Assets and Software
Establish and Maintain a Secure

4 4.1 Applications Protect
Configuration Process

4 4.2 Network Protect Configuration Process for Network
Infrastructure
Configure Automatic Session

4 4.3 Users Protect
Locking on Enterprise Assets
Implement and Manage a Firewall

4 4.4 Devices Protect
on Servers
Implement and Manage a Firewall
on End-User Devices
Securely Manage Enterprise Assets

and Software
Manage Default Accounts on

4 4.7 Users Protect
Uninstall or Disable Unnecessary

4 4.8 Devices Protect Services on Enterprise Assets and
Software
Configure Trusted DNS Servers on
Enterprise Assets
Enforce Automatic Device Lockout

4 4.10 Devices Respond
on Portable End-User Devices
Enforce Remote Wipe Capability on

Portable End-User Devices
Separate Enterprise Workspaces
on Mobile End-User Devices
5 Account Management
Establish and Maintain an Inventory

5 5.1 Users Identify
of Accounts
5 5.2 Users Protect Use Unique Passwords
5 5.3 Users Respond Disable Dormant Accounts

Restrict Administrator Privileges to
5 5.4 Users Protect
Dedicated Administrator Accounts

of Service Accounts
5 5.6 Users Protect Centralize Account Management
6 Access Control Management
Establish an Access Granting
6 6.1 Users Protect
Process
Establish an Access Revoking

6 6.2 Users Protect
Process
Require MFA for Externally-

6 6.3 Users Protect
Exposed Applications
Require MFA for Remote Network

6 6.4 Users Protect
Access
Require MFA for Administrative
6 6.5 Users Protect
Access
6 6.6 Users Identify of Authentication and Authorization
Systems
6 6.7 Users Protect Centralize Access Control
Define and Maintain Role-Based

6 6.8 Data Protect
Access Control
Continuous Vulnerability
7
Management
Establish and Maintain a

Vulnerability Management Process

7 7.2 Applications Respond
Remediation Process
Perform Automated Operating
System Patch Management
Perform Automated Application
Patch Management
Perform Automated Vulnerability

Scans of Internal Enterprise Assets
Perform Automated Vulnerability

7 7.6 Applications Identify Scans of Externally-Exposed
Enterprise Assets
7 7.7 Applications Respond Remediate Detected Vulnerabilities
8 Audit Log Management
Establish and Maintain an Audit

Log Management Process
8 8.2 Network Detect Collect Audit Logs

Ensure Adequate Audit Log
Storage
8 8.4 Network Protect Standardize Time Synchronization
8 8.5 Network Detect Collect Detailed Audit Logs
8 8.6 Network Detect Collect DNS Query Audit Logs

8 8.7 Network Detect Collect URL Request Audit Logs
8 8.8 Devices Detect Collect Command-Line Audit Logs
8 8.9 Network Detect Centralize Audit Logs

8 8.10 Network Protect Retain Audit Logs
8 8.11 Network Detect Conduct Audit Log Reviews
8 8.12 Data Detect Collect Service Provider Logs
Email and Web Browser

9
Protections
Ensure Use of Only Fully
9 9.1 Applications Protect Supported Browsers and Email
Clients
9 9.2 Network Protect Use DNS Filtering Services
Maintain and Enforce Network-
Based URL Filters
Restrict Unnecessary or
9 9.4 Applications Protect Unauthorized Browser and Email
Client Extensions
9 9.5 Network Protect Implement DMARC
9 9.6 Network Protect Block Unnecessary File Types

Deploy and Maintain Email Server
Anti-Malware Protections
10 Malware Defenses
Deploy and Maintain Anti-Malware
Software
Configure Automatic Anti-Malware
Signature Updates
Disable Autorun and Autoplay for
Removable Media
Configure Automatic Anti-Malware

Scanning of Removable Media
10 10.5 Devices Protect Enable Anti-Exploitation Features
Centrally Manage Anti-Malware

Software
Use Behavior-Based Anti-Malware
Software
11 Data Recovery

11 11.1 Data Recover
Recovery Process
11 11.2 Data Recover Perform Automated Backups
11 11.3 Data Protect Protect Recovery Data
Establish and Maintain an Isolated

Instance of Recovery Data
11 11.5 Data Recover Test Data Recovery
Network Infrastructure
12
Management
Ensure Network Infrastructure is

Up-to-Date

Network Architecture
Securely Manage Network
Infrastructure
Establish and Maintain Architecture

12 12.4 Network Identify
Diagram(s)
Centralize Network Authentication,

Authorization, and Auditing (AAA)
Use of Secure Network

12 12.6 Network Protect Management and Communication
Protocols
Ensure Remote Devices Utilize a
12 12.7 Devices Protect VPN and are Connecting to an
Enterprise’s AAA Infrastructure
Establish and Maintain Dedicated

12 12.8 Devices Protect Computing Resources for All
Administrative Work
13 Network Monitoring and Defense
13 13.1 Network Detect Centralize Security Event Alerting
Deploy a Host-Based Intrusion

Detection Solution
Deploy a Network Intrusion

13 13.3 Network Detect
Detection Solution
Perform Traffic Filtering Between
Network Segments
Manage Access Control for Remote

Assets
13 13.6 Network Detect Collect Network Traffic Flow Logs

Prevention Solution

Prevention Solution
13 13.9 Devices Protect Deploy Port-Level Access Control
13 13.10 Network Protect Perform Application Layer Filtering

Tune Security Event Alerting
Thresholds
Security Awareness and Skills

14
Training
Establish and Maintain a Security

14 14.1 N/A Protect
Awareness Program
Train Workforce Members to

14 14.2 N/A Protect Recognize Social Engineering
Attacks
Train Workforce Members on
14 14.3 N/A Protect
Authentication Best Practices
Train Workforce on Data Handling

14 14.4 N/A Protect
Best Practices

14 14.5 N/A Protect Causes of Unintentional Data
Exposure
14 14.6 N/A Protect Recognizing and Reporting
Security Incidents
Train Workforce on How to Identify
and Report if Their Enterprise
14 14.7 N/A Protect
Assets are Missing Security
Updates
Train Workforce on the Dangers of
Connecting to and Transmitting
14 14.8 N/A Protect
Enterprise Data Over Insecure
Networks
Conduct Role-Specific Security

14 14.9 N/A Protect
Awareness and Skills Training
15 Service Provider Management

15 15.1 N/A Identify
of Service Providers
Establish and Maintain a Service

Provider Management Policy
15 15.3 N/A Identify Classify Service Providers
Ensure Service Provider Contracts

15 15.4 N/A Protect
Include Security Requirements
15 15.5 N/A Identify Assess Service Providers
15 15.6 Data Detect Monitor Service Providers
Securely Decommission Service

15 15.7 Data Protect
Providers
16 Application Software Security

Application Development Process
Establish and Maintain a Process to

16 16.2 Applications Protect Accept and Address Software
Vulnerabilities
Perform Root Cause Analysis on

Security Vulnerabilities
Establish and Manage an Inventory

16 16.4 Applications Protect of Third-Party Software
Components
Use Up-to-Date and Trusted Third-

Party Software Components
Establish and Maintain a Severity

16 16.6 Applications Protect Rating System and Process for
Application Vulnerabilities
Use Standard Hardening

16 16.7 Applications Protect Configuration Templates for
Application Infrastructure
Separate Production and Non-

Production Systems
Train Developers in Application

16 16.9 Applications Protect Security Concepts and Secure
Coding
Apply Secure Design Principles in
Application Architectures
Leverage Vetted Modules or

16 16.11 Applications Protect Services for Application Security
Components
Implement Code-Level Security

Checks
Conduct Application Penetration

Testing
16 16.14 Applications Protect Conduct Threat Modeling
17 Incident Response Management
Designate Personnel to Manage

17 17.1 N/A Respond
Incident Handling
Establish and Maintain Contact

17 17.2 N/A Respond Information for Reporting Security
Incidents
Establish and Maintain an

17 17.3 N/A Respond Enterprise Process for Reporting
Incidents
Establish and Maintain an Incident

17 17.4 N/A Respond
Response Process
Assign Key Roles and
17 17.5 N/A Respond
Responsibilities
Define Mechanisms for

17 17.6 N/A Respond Communicating During Incident
Response
Conduct Routine Incident

17 17.7 N/A Recover
Response Exercises
17 17.8 N/A Recover Conduct Post-Incident Reviews
Establish and Maintain Security

17 17.9 N/A Recover
Incident Thresholds
18 Penetration Testing

Penetration Testing Program
Perform Periodic External

Penetration Tests
Remediate Penetration Test

Findings
18 18.4 Network Protect Validate Security Measures
Perform Periodic Internal
Penetration Tests
Description
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including
portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers
connected to the infrastructure physically, virtually, remotely, and those within cloud environments
accurately know the totality of assets that need to be monitored and protected within the enterprise
This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the
potential to store or process data, to include: end-user devices (including portable and mobile), network
devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if sta
hardware address, machine name, data asset owner, department for each asset, and whether the asset ha
been approved to connect to the network. For mobile end-user devices, MDM type tools can support this
process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtu
remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected
the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and upd
the inventory of all enterprise assets bi-annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choos
remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine
asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the activ
discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the
enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or mo
frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use sca
to update the enterprise’s asset inventory at least weekly, or more frequently.
Actively manage (inventory, track, and correct) all software (operating systems and applications) o
the network so that only authorized software is installed and can execute, and that unauthorized an
unmanaged software is found and prevented from installation or execution.
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The
software inventory must document the title, publisher, initial install/use date, and business purpose for eac
entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployme
mechanism, and decommission date. Review and update the software inventory bi-annually, or more
frequently.
Ensure that only currently supported software is designated as authorized in the software inventory for
enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission,
document an exception detailing mitigating controls and residual risk acceptance. For any unsupported
software without an exception documentation, designate as unauthorized. Review the software list to verify
software support at least monthly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documen
exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and
documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized software can execut
be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc.
files, are allowed to load into a system process. Block unauthorized libraries from loading into a system
process. Reassess bi-annually, or more frequently.
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts
such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing.
Reassess bi-annually, or more frequently.
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose
data.
Establish and maintain a data management process. In the process, address data sensitivity, data owner,
handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standa
for the enterprise. Review and update documentation annually, or when significant enterprise changes occ
that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory
sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sens
data.
Configure data access control lists based on a user’s need to know. Apply data access control lists, also
known as access permissions, to local and remote file systems, databases, and applications.
Retain data according to the enterprise’s data management process. Data retention must include both
minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal
process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windo
BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels
such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review a
update the classification scheme annually, or when significant enterprise changes occur that could impact
Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should be based
the enterprise’s data management process. Review and update documentation annually, or when significa
enterprise changes occur that could impact this Safeguard.
Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) an
Open Secure Shell (OpenSSH).
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-la
encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard.
Additional encryption methods may include application-layer encryption, also known as client-side encrypti
where access to the data storage device(s) does not permit access to the plain-text data.
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data o
enterprise assets intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitiv
data stored, processed, or transmitted through enterprise assets, including those located onsite or at a rem
service provider, and update the enterprise's sensitive data inventory.
Log sensitive data access, including modification and disposal.
Establish and maintain the secure configuration of enterprise assets (end-user devices, including
portable and mobile; network devices; non-computing/IoT devices; and servers) and software
(operating systems and applications).
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including
portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and
applications). Review and update documentation annually, or when significant enterprise changes occur th
could impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review and update documenta
annually, or when significant enterprise changes occur that could impact this Safeguard.
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general
purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the peri
must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example implementations include a virtual
firewall, operating system firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny
that drops all traffic except those services and ports that are explicitly allowed.
Securely manage enterprise assets and software. Example implementations include managing configuratio
through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure netw
protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insec
management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-
configured vendor accounts. Example implementations can include: disabling default accounts or making
them unusable.
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharin
service, web application module, or service function.
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets
use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed authentication attempt
on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authenticatio
attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example
implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile
maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriat
such as lost or stolen devices, or when an individual no longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example
implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate
enterprise applications and data from personal applications and data.
Use processes and tools to assign and manage authorization to credentials for user accounts,
including administrator accounts, as well as service accounts, to enterprise assets and software.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include
both user and administrator accounts. The inventory, at a minimum, should contain the person’s name,
username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurrin
schedule at a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8
character password for accounts using MFA and a 14-character password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct genera
computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, n
privileged account.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain
department owner, review date, and purpose. Perform service account reviews to validate that all active
accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.
Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
user, administrator, and service accounts for enterprise assets and software.
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h
rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through
disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling
accounts, instead of deleting accounts, may be necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported.
Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safegua
Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether
managed on-site or through a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including
those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum,
annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider, where
supported.
Define and maintain role-based access control, through determining and documenting the access rights
necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access
control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at
minimum annually, or more frequently.
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the
enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for
attackers. Monitor public and private industry sources for new threat and vulnerability information.
Establish and maintain a documented vulnerability management process for enterprise assets. Review and
update documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation process, with mont
or more frequent, reviews.
Perform operating system updates on enterprise assets through automated patch management on a mont
or more frequent, basis.
Perform application updates on enterprise assets through automated patch management on a monthly, or
more frequent, basis.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis
Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning to
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant

vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more freque
basis, based on the remediation process.
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover
from an attack.
Establish and maintain an audit log management process that defines the enterprise’s logging requiremen
At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and
Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enab
across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log
management process.
Standardize time synchronization. Configure at least two synchronized time sources across enterprise ass
where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date
username, timestamp, source addresses, destination addresses, and other useful elements that could ass
in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell ®
BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat
Conduct reviews on a weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include collecting authentication
and authorization events, data creation and disposal events, and user management events.
Improve protections and detections of threats from email and web vectors, as these are opportunit
for attackers to manipulate human behavior through direct engagement.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using
latest version of browsers and email clients provided through the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially
malicious or unapproved websites. Example implementations include category-based filtering, reputation-
based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client
plugins, extensions, and add-on applications.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and
verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified
Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxi
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts
enterprise assets.
Deploy and maintain anti-malware software on all enterprise assets.
Configure automatic updates for anti-malware signature files on all enterprise assets.
Disable autorun and autoplay auto-execute functionality for removable media.
Configure anti-malware software to automatically scan removable media.
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® D
Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity
Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a
pre-incident and trusted state.
Establish and maintain a data recovery process. In the process, address the scope of data recovery activit
recovery prioritization, and the security of backup data. Review and update documentation annually, or wh
significant enterprise changes occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based
the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation
based on requirements.
Establish and maintain an isolated instance of recovery data. Example implementations include, version
controlling backup destinations through offline, cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
attackers from exploiting vulnerable network services and access points.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stabl
release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review softwa
versions monthly, or more frequently, to verify software support.
Establish and maintain a secure network architecture. A secure network architecture must address
segmentation, least privilege, and availability, at a minimum.
Securely manage network infrastructure. Example implementations include version-controlled-infrastructur
as-code, and the use of secure network protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and
Safeguard.
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2
(WPA2) Enterprise or greater).
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing
enterprise resources on end-user devices.
Establish and maintain dedicated computing resources, either physically or logically separated, for all
administrative tasks or tasks requiring administrative access. The computing resources should be segmen
from the enterprise's primary network and not be allowed internet access.
Operate processes and tooling to establish and maintain comprehensive network monitoring and
defense against security threats across the enterprise’s network infrastructure and user base.
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice
implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log
analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example
implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud servi
provider (CSP) service.
Perform traffic filtering between network segments, where appropriate.
Manage access control for assets remotely connecting to enterprise resources. Determine amount of acce
to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance wit
the enterprise’s secure configuration process, and ensuring the operating system and applications are up-t
date.
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or support
Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based
agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the u
of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access contro
protocols, such as certificates, and may incorporate user and/or device authentication.
Perform application layer filtering. Example implementations include a filtering proxy, application layer firew
or gateway.
Tune security event alerting thresholds monthly, or more frequently.
Establish and maintain a security awareness program to influence behavior among the workforce t
security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Establish and maintain a security awareness program. The purpose of a security awareness program is to
educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner.
Conduct training at hire and, at a minimum, annually. Review and update content annually, or when signific
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and
tailgating.
Train workforce members on authentication best practices. Example topics include MFA, password
composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive da
This also includes training workforce members on clear screen and desk best practices, such as locking th
screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the en
meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics include m
delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an inciden
Train workforce to understand how to verify and report out-of-date software patches or any failures in
automated processes and tools. Part of this training should include notifying IT personnel of any failures in
automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks f
enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all
users securely configure their home network infrastructure.
Conduct role-specific security awareness and skills training. Example implementations include secure syst
administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention train
for web application developers, and advanced social engineering awareness training for high-profile roles.
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
enterprise’s critical IT platforms or processes, to ensure these providers are protecting those
platforms and data appropriately.
Establish and maintain an inventory of service providers. The inventory is to list all known service providers
include classification(s), and designate an enterprise contact for each service provider. Review and update
inventory annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the classificati
inventory, assessment, monitoring, and decommissioning of service providers. Review and update the poli
Classify service providers. Classification consideration may include one or more characteristics, such as d
sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk.
Update and review classifications annually, or when significant enterprise changes occur that could impact
Safeguard.
Ensure service provider contracts include security requirements. Example requirements may include minim
security program requirements, security incident and/or data breach notification and response, data encryp
requirements, and data disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts annually to ensure
contracts are not missing security requirements.
Assess service providers consistent with the enterprise’s service provider management policy. Assessmen
scope may vary based on classification(s), and may include review of standardized assessment reports, su
as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (A
customized questionnaires, or other appropriately rigorous processes. Reassess service providers annuall
a minimum, or with new and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring
include periodic reassessment of service provider compliance, monitoring service provider release notes, a
dark web monitoring.
Securely decommission service providers. Example considerations include user and service account
deactivation, termination of data flows, and secure disposal of enterprise data within service provider syste
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, dete
and remediate security weaknesses before they can impact the enterprise.
Establish and maintain a secure application development process. In the process, address such items as:
secure application design standards, secure coding practices, developer training, vulnerability managemen
security of third-party code, and application security testing procedures. Review and update documentation
Establish and maintain a process to accept and address reports of software vulnerabilities, including provid
a means for external entities to report. The process is to include such items as: a vulnerability handling pol
that identifies reporting process, responsible party for handling vulnerability reports, and a process for intak
assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking syste
that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation
vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur t
Third-party application developers need to consider this an externally-facing policy that helps to set
expectations for outside stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis
the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams
move beyond just fixing individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development, often referred
as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks th
each third-party component could pose. Evaluate the list at least monthly to identify any changes or update
these components, and validate that the component is still supported.
Use up-to-date and trusted third-party software components. When possible, choose established and prov
frameworks and libraries that provide adequate security. Acquire these components from trusted sources o
evaluate the software for vulnerabilities before use.
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates
prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum
level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of
triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed fir
Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for application infrastructure
components. This includes underlying servers, databases, and web servers, and applies to cloud containe
Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed softw
to weaken configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code for their specific
development environment and responsibilities. Training can include general security principles and applica
security standard practices. Conduct training at least annually and design in a way to promote security with
the development team, and build a culture of security among the developers.
Apply secure design principles in application architectures. Secure design principles include the concept o
least privilege and enforcing mediation to validate every operation that the user makes, promoting the conc
of "never trust user input." Examples include ensuring that explicit error checking is performed and
documented for all input, including for size, data type, and acceptable ranges or formats. Secure design al
means minimizing the application infrastructure attack surface, such as turning off unprotected ports and
services, removing unnecessary programs and files, and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as identity management,
encryption, and auditing and logging. Using platform features in critical security functions will reduce
developers’ workload and minimize the likelihood of design or implementation errors. Modern operating
systems provide effective mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewe
encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit lo
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practice
are being followed.
Conduct application penetration testing. For critical applications, authenticated penetration testing is better
suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetra
testing relies on the skill of the tester to manually manipulate an application as an authenticated and
unauthenticated user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security
design flaws within a design, before code is created. It is conducted through specially trained individuals w
evaluate the application design and gauge security risks for each entry point and access level. The goal is
map out the application, architecture, and infrastructure in a structured way to understand its weaknesses.
Establish a program to develop and maintain an incident response capability (e.g., policies, plans,
procedures, defined roles, training, and communications) to prepare, detect, and quickly respond t
attack.
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling
process. Management personnel are responsible for the coordination and documentation of incident respo
and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybri
approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee
third-party work. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain contact information for parties that need to be informed of security incidents. Conta
may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant
government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Ve
contacts annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The process
includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum informatio
be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when
Establish and maintain an incident response process that addresses roles and responsibilities, compliance
requirements, and a communication plan. Review annually, or when significant enterprise changes occur t
Assign key roles and responsibilities for incident response, including staff from legal, IT, information securi
facilities, public relations, human resources, incident responders, and analysts, as applicable. Review
Determine which primary and secondary mechanisms will be used to communicate and report during a
security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain
mechanisms, such as emails, can be affected during a security incident. Review annually, or when signific
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incid
response process to prepare for responding to real-world incidents. Exercises need to test communication
channels, decision making, and workflows. Conduct testing on an annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying
lessons learned and follow-up action.
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an
incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, d
breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could imp
this Safeguard.
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting
weaknesses in controls (people, processes, and technology), and simulating the objectives and
actions of an attacker.
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of th
enterprise. Penetration testing program characteristics include scope, such as network, web application,
Application Programming Interface (API), hosted services, and physical premise controls; frequency;
limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation
such as how findings will be routed internally; and retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less than annually. Externa
penetration testing must include enterprise and environmental reconnaissance to detect exploitable
information. Penetration testing requires specialized skills and experience and must be conducted through
qualified party. The testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritizatio
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilit
to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than annually. The tes
may be clear box or opaque box.
IG1 IG2 IG3
x x x
x x x
x x
x x
x x x
x x x
x x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x x
x x x
x x
x x
x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x x
x x x
x x x
x x
x x
x x
x x
x
x x x
x x x
x x x
x x x
x x
x x
x x x
x x x
x x x
x x x
x x x
x x
x x
x
x x x
x x x
x x x
x x x
x x
x x
x x
x x x
x x x
x x x
x x
x x
x x
x x
x x
x x
x x
x x
x
x x x
x x x
x x
x x
x x
x x
x x x
x x x
x x x
x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x
x x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x x
x x x
x x x
x x x
x x
x x x
x x
x x
x x
x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x x
x x x
x x x
x x
x x
x x
x x
x x
x x
x x
x x
x
CIS Security
CIS Safeguard Asset Type
Control Function
1

2
2 2.4 Applications Detect
3 3.1 Data Identify

3 3.1 Data Identify
3 3.1 Data Identify
3 3.2 Data Identify
3 3.3 Data Protect
3 3.3 Data Protect
3 3.3 Data Protect
3 3.3 Data Protect
3 3.4 Data Protect
3 3.5 Data Protect
3 3.5 Data Protect
3 3.5 Data Protect

3 3.7 Data Identify
3 3.7 Data Identify
3 3.7 Data Identify
3 3.7 Data Identify
3 3.7 Data Identify
3 3.8 Data Identify
3 3.9 Data Protect
3 3.9 Data Protect
3 3.10 Data Protect
3 3.11 Data Protect

3 3.13 Data Protect
3 3.13 Data Protect
3 3.14 Data Detect

4
4 4.3 Users Protect
4 4.3 Users Protect

4 4.7 Users Protect
4 4.7 Users Protect
5
5 5.2 Users Protect
5 5.3 Users Respond
5 5.4 Users Protect
5 5.4 Users Protect
5 5.6 Users Protect

6
6 6.1 Users Protect
6 6.1 Users Protect
6 6.1 Users Protect
6 6.2 Users Protect

6 6.2 Users Protect
6 6.2 Users Protect
6 6.3 Users Protect
6 6.4 Users Protect
6 6.5 Users Protect
6 6.7 Users Protect
6 6.8 Data Protect
6 6.8 Data Protect
6 6.8 Data Protect
6 6.8 Data Protect

6 6.8 Data Protect

8


8 8.12 Data Detect

10

11

12

13


14
14 14.1 N/A Protect
14 14.2 N/A Protect
14 14.3 N/A Protect

14 14.4 N/A Protect
14 14.5 N/A Protect
14 14.6 N/A Protect
14 14.7 N/A Protect
14 14.8 N/A Protect
14 14.9 N/A Protect
15

15 15.4 N/A Protect
15 15.4 N/A Protect
15 15.4 N/A Protect
15 15.4 N/A Protect

15 15.6 Data Detect
15 15.6 Data Detect
15 15.6 Data Detect
15 15.6 Data Detect
16



17
17 17.1 N/A Respond
17 17.2 N/A Respond
17 17.2 N/A Respond
17 17.2 N/A Respond
17 17.2 N/A Respond
17 17.3 N/A Respond

17 17.4 N/A Respond
17 17.4 N/A Respond
17 17.5 N/A Respond
17 17.5 N/A Respond
17 17.6 N/A Respond
17 17.7 N/A Recover
17 17.8 N/A Recover
17 17.8 N/A Recover
17 17.9 N/A Recover
17 17.9 N/A Recover
18

Title
Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including p
mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected t
infrastructure physically, virtually, remotely, and those within cloud environments, to accurately kn
totality of assets that need to be monitored and protected within the enterprise. This will also suppo
identifying unauthorized and unmanaged assets to remove or remediate.


Address Unauthorized Assets
Utilize an Active Discovery Tool
Use Dynamic Host

Configuration Protocol (DHCP)
Logging to Update Enterprise
Asset Inventory
Use a Passive Asset Discovery

Tool
Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) o
network so that only authorized software is installed and can execute, and that unauthorized and u
software is found and prevented from installation or execution.

Software Inventory
Ensure Authorized Software is

Currently Supported
Address Unauthorized Software

Utilize Automated Software
Inventory Tools
Allowlist Authorized Software
Allowlist Authorized Software
Allowlist Authorized Libraries
Allowlist Authorized Scripts
Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose

Management Process
Management Process

Management Process

Inventory

Lists

Lists

Lists

Lists
Enforce Data Retention
Securely Dispose of Data
Encrypt Data on End-User

Devices

Devices

Devices




Document Data Flows
Encrypt Data on Removable

Media
Encrypt Data on Removable
Media
Encrypt Sensitive Data in
Transit
Encrypt Sensitive Data at Rest


Solution

Solution
Log Sensitive Data Access

Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including p
mobile; network devices; non-computing/IoT devices; and servers) and software (operating system
applications).

Secure Configuration Process


for Network Infrastructure


Implement and Manage a

Firewall on Servers

Firewall on End-User Devices
Firewall on End-User Devices
Securely Manage Enterprise

Assets and Software


Uninstall or Disable
Unnecessary Services on
Configure Trusted DNS Servers

on Enterprise Assets
Enforce Automatic Device

Lockout on Portable End-User
Devices
Enforce Remote Wipe

Capability on Portable End-
User Devices
Enforce Remote Wipe
Capability on Portable End-
User Devices
Separate Enterprise
Workspaces on Mobile End-
User Devices
Separate Enterprise
Workspaces on Mobile End-
User Devices
Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, inclu
administrator accounts, as well as service accounts, to enterprise assets and software.

Inventory of Accounts
Use Unique Passwords
Disable Dormant Accounts
Restrict Administrator Privileges

to Dedicated Administrator
Accounts
Restrict Administrator Privileges

to Dedicated Administrator
Accounts

Inventory of Service Accounts

Inventory of Service Accounts
Centralize Account
Management
Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
administrator, and service accounts for enterprise assets and software.
Process
Process
Process

Process
Process

Process
Require MFA for Externally-

Exposed Applications
Require MFA for Remote

Network Access
Require MFA for Administrative
Access

Inventory of Authentication and
Authorization Systems
Centralize Access Control
Define and Maintain Role-

Based Access Control



Continuous Vulnerability Management

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the e
infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monito
private industry sources for new threat and vulnerability information.
Vulnerability Management
Process
Remediation Process
Perform Automated Operating

System Patch Management
Perform Automated Application

Patch Management
Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Remediate Detected
Vulnerabilities
Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover
attack.
Establish and Maintain an Audit

Log Management Process
Collect Audit Logs
Collect Audit Logs

Ensure Adequate Audit Log
Storage
Standardize Time
Synchronization
Collect Detailed Audit Logs
Collect Detailed Audit Logs
Collect DNS Query Audit Logs

Collect URL Request Audit
Logs
Collect Command-Line Audit
Logs
Centralize Audit Logs
Retain Audit Logs
Conduct Audit Log Reviews
Collect Service Provider Logs
Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunit
attackers to manipulate human behavior through direct engagement.
Ensure Use of Only Fully

Supported Browsers and Email
Clients
Use DNS Filtering Services

Based URL Filters

Based URL Filters
Restrict Unnecessary or
Unauthorized Browser and
Email Client Extensions
Implement DMARC
Block Unnecessary File Types
Deploy and Maintain Email

Server Anti-Malware
Protections
Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts
enterprise assets.
Deploy and Maintain Anti-
Malware Software
Deploy and Maintain Anti-
Malware Software
Configure Automatic Anti-
Malware Signature Updates
Disable Autorun and Autoplay

for Removable Media

Malware Scanning of
Removable Media
Malware Scanning of
Removable Media
Enable Anti-Exploitation
Features
Centrally Manage Anti-Malware

Software
Use Behavior-Based Anti-
Malware Software
Use Behavior-Based Anti-
Malware Software
Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a
and trusted state.

Recovery Process
Perform Automated Backups
Protect Recovery Data
Protect Recovery Data

Isolated Instance of Recovery
Data
Test Data Recovery
Network Infrastructure
Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
attackers from exploiting vulnerable network services and access points.
Ensure Network Infrastructure is

Up-to-Date

Secure Network Architecture

Secure Network Architecture
Securely Manage Network

Infrastructure
Establish and Maintain

Architecture Diagram(s)
Centralize Network
Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
Management and
Communication Protocols
Ensure Remote Devices Utilize

a VPN and are Connecting to
an Enterprise’s AAA
Infrastructure
Infrastructure

Infrastructure

Dedicated Computing
Resources for All Administrative
Work
Dedicated Computing
Resources for All Administrative
Work
Network Monitoring and
Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and d
against security threats across the enterprise’s network infrastructure and user base.
Centralize Security Event

Alerting

Detection Solution

Detection Solution

Detection Solution
Perform Traffic Filtering

Between Network Segments
Perform Traffic Filtering
Between Network Segments
Manage Access Control for

Remote Assets
Remote Assets

Remote Assets
Collect Network Traffic Flow

Logs
Collect Network Traffic Flow
Logs

Prevention Solution

Prevention Solution
Deploy Port-Level Access

Control
Perform Application Layer

Filtering
Tune Security Event Alerting
Thresholds
Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce t
security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Security Awareness Program
Train Workforce Members to

Recognize Social Engineering
Attacks

Authentication Best Practices
Train Workforce on Data
Handling Best Practices

Causes of Unintentional Data
Exposure
Recognizing and Reporting
Security Incidents
Train Workforce on How to
Identify and Report if Their
Enterprise Assets are Missing
Security Updates
Train Workforce on the Dangers
of Connecting to and
Transmitting Enterprise Data
Over Insecure Networks
Conduct Role-Specific Security

Awareness and Skills Training
Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
critical IT platforms or processes, to ensure these providers are protecting those platforms and dat
appropriately.

Inventory of Service Providers

Policy

Policy
Policy

Policy

Policy
Classify Service Providers
Ensure Service Provider

Contracts Include Security
Requirements

Requirements

Requirements

Requirements
Assess Service Providers
Monitor Service Providers
Securely Decommission
Service Providers
Securely Decommission
Service Providers
Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, dete
remediate security weaknesses before they can impact the enterprise.

Secure Application
Development Process

Secure Application
Development Process

Secure Application
Development Process

Secure Application
Development Process

Process to Accept and Address
Software Vulnerabilities
Perform Root Cause Analysis

on Security Vulnerabilities
Establish and Manage an
Inventory of Third-Party
Software Components
Establish and Manage an

Inventory of Third-Party
Software Components
Use Up-to-Date and Trusted

Third-Party Software
Components

Severity Rating System and
Process for Application
Vulnerabilities
Use Standard Hardening

Configuration Templates for
Application Infrastructure
Separate Production and Non-

Production Systems
Train Developers in Application

Security Concepts and Secure
Coding
Apply Secure Design Principles
in Application Architectures

Services for Application
Security Components

Services for Application
Security Components

Checks
Checks

Checks
Conduct Application
Penetration Testing
Conduct Application
Penetration Testing
Conduct Threat Modeling
Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, p
defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Designate Personnel to
Manage Incident Handling

Information for Reporting
Security Incidents

Security Incidents

Security Incidents

Security Incidents

Enterprise Process for
Reporting Incidents
Incident Response Process

Incident Response Process

Responsibilities

Responsibilities
Define Mechanisms for

Communicating During Incident
Response
Conduct Routine Incident

Response Exercises
Conduct Post-Incident Reviews
Conduct Post-Incident Reviews

Incident Thresholds

Incident Thresholds
Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weakn
controls (people, processes, and technology), and simulating the objectives and actions of an attac
Penetration Testing Program
Perform Periodic External

Penetration Tests
Remediate Penetration Test

Findings
Validate Security Measures
Perform Periodic Internal
Penetration Tests
Description IG1
l of Enterprise Assets
entory, track, and correct) all enterprise assets (end-user devices, including portable and
ces; non-computing/Internet of Things (IoT) devices; and servers) connected to the
ally, virtually, remotely, and those within cloud environments, to accurately know the
need to be monitored and protected within the enterprise. This will also support
zed and unmanaged assets to remove or remediate.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
X
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly
connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually,
or more frequently.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
X
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly
connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually,
or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from X
connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management
tools to update the enterprise’s asset inventory. Review and use logs to update the
enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network.
Review and use scans to update the enterprise’s asset inventory at least weekly, or
more frequently.
l of Software Assets
entory, track, and correct) all software (operating systems and applications) on the
authorized software is installed and can execute, and that unauthorized and unmanaged
d prevented from installation or execution.
Establish and maintain a detailed inventory of all licensed software installed on

enterprise assets. The software inventory must document the title, publisher, initial
install/use date, and business purpose for each entry; where appropriate, include the
X
Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism,
and decommission date. Review and update the software inventory bi-annually, or
more frequently.
Ensure that only currently supported software is designated as authorized in the

software inventory for enterprise assets. If software is unsupported, yet necessary for
the fulfillment of the enterprise’s mission, document an exception detailing mitigating
X
controls and residual risk acceptance. For any unsupported software without an
exception documentation, designate as unauthorized. Review the software list to verify
software support at least monthly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or
X
receives a documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate
the discovery and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.
Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
nd technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise. Review X
and update documentation annually, or when significant enterprise changes occur that
Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory X
annually, at a minimum, with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems, X
databases, and applications.
Retain data according to the enterprise’s data management process. Data retention
X
must include both minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process.

X
Ensure the disposal process and method are commensurate with the data sensitivity.

X

X
Encrypt data on end-user devices containing sensitive data. Example implementations

X
can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

X

X
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
Safeguard.
Safeguard.
Safeguard.
Safeguard.
Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and
update documentation annually, or when significant enterprise changes occur that

Encrypt sensitive data in transit. Example implementations can include: Transport
Layer Security (TLS) and Open Secure Shell (OpenSSH).
Encrypt sensitive data at rest on servers, applications, and databases containing

sensitive data. Storage-layer encryption, also known as server-side encryption, meets
the minimum requirement of this Safeguard. Additional encryption methods may
include application-layer encryption, also known as client-side encryption, where
access to the data storage device(s) does not permit access to the plain-text data.
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.
Log sensitive data access, including modification and disposal.
of Enterprise Assets and Software
in the secure configuration of enterprise assets (end-user devices, including portable and
ces; non-computing/IoT devices; and servers) and software (operating systems and
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation X
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation X
Safeguard.
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that X
Configure automatic session locking on enterprise assets after a defined period of

inactivity. For general purpose operating systems, the period must not exceed 15 X
minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Configure automatic session locking on enterprise assets after a defined period of

inactivity. For general purpose operating systems, the period must not exceed 15 X
minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example
implementations include a virtual firewall, operating system firewall, or a third-party X
firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices,
with a default-deny rule that drops all traffic except those services and ports that are X
explicitly allowed.
Implement and manage a host-based firewall or port-filtering tool on end-user devices,
with a default-deny rule that drops all traffic except those services and ports that are X
explicitly allowed.
Securely manage enterprise assets and software. Example implementations include
managing configuration through version-controlled-infrastructure-as-code and
accessing administrative interfaces over secure network protocols, such as Secure
X
Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure
management protocols, such as Telnet (Teletype Network) and HTTP, unless
operationally essential.
Manage default accounts on enterprise assets and software, such as root,

administrator, and other pre-configured vendor accounts. Example implementations X
can include: disabling default accounts or making them unusable.
Manage default accounts on enterprise assets and software, such as root,

administrator, and other pre-configured vendor accounts. Example implementations X
can include: disabling default accounts or making them unusable.
Uninstall or disable unnecessary services on enterprise assets and software, such as

an unused file sharing service, web application module, or service function.
Configure trusted DNS servers on enterprise assets. Example implementations

include: configuring assets to use enterprise-controlled DNS servers and/or reputable
externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed

authentication attempts on portable end-user devices, where supported. For laptops,
do not allow more than 20 failed authentication attempts; for tablets and smartphones,
no more than 10 failed authentication attempts. Example implementations include
Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer
supports the enterprise.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer
supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal
applications and data.
Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal
applications and data.
ools to assign and manage authorization to credentials for user accounts, including
ts, as well as service accounts, to enterprise assets and software.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and X
department. Validate that all active accounts are authorized, on a recurring schedule at
a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes,
at a minimum, an 8-character password for accounts using MFA and a 14-character X
password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
X
supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise

assets. Conduct general computing activities, such as internet browsing, email, and X
productivity suite use, from the user’s primary, non-privileged account.
Restrict administrator privileges to dedicated administrator accounts on enterprise

assets. Conduct general computing activities, such as internet browsing, email, and X
productivity suite use, from the user’s primary, non-privileged account.
Establish and maintain an inventory of service accounts. The inventory, at a minimum,

must contain department owner, review date, and purpose. Perform service account
reviews to validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.
Establish and maintain an inventory of service accounts. The inventory, at a minimum,
must contain department owner, review date, and purpose. Perform service account
reviews to validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.
ools to create, assign, manage, and revoke access credentials and privileges for user,
rvice accounts for enterprise assets and software.
Establish and follow a process, preferably automated, for granting access to enterprise
X
assets upon new hire, rights grant, or role change of a user.
X
X
Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
X
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.
X
X
Require all externally-exposed enterprise or third-party applications to enforce MFA,
where supported. Enforcing MFA through a directory service or SSO provider is a X
satisfactory implementation of this Safeguard.
Require MFA for remote network access. X

Require MFA for all administrative access accounts, where supported, on all enterprise
X
assets, whether managed on-site or through a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization

systems, including those hosted on-site or at a remote service provider. Review and
update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.
Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
frequently.
frequently.
frequently.
frequently.
ility Management
ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
er to remediate, and minimize, the window of opportunity for attackers. Monitor public and
ces for new threat and vulnerability information.
Establish and maintain a documented vulnerability management process for enterprise
assets. Review and update documentation annually, or when significant enterprise X
changes occur that could impact this Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation
X
process, with monthly, or more frequent, reviews.
Perform operating system updates on enterprise assets through automated patch

X
management on a monthly, or more frequent, basis.
Perform application updates on enterprise assets through automated patch

X
management on a monthly, or more frequent, basis.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or

more frequent, basis. Conduct both authenticated and unauthenticated scans, using a
SCAP-compliant vulnerability scanning tool.
Perform automated vulnerability scans of externally-exposed enterprise assets using a

SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more
frequent, basis.
Remediate detected vulnerabilities in software through processes and tooling on a

monthly, or more frequent, basis, based on the remediation process.
and retain audit logs of events that could help detect, understand, or recover from an
Establish and maintain an audit log management process that defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
X
audit logs for enterprise assets. Review and update documentation annually, or when
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
X
process, has been enabled across enterprise assets.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
X
process, has been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the
X
enterprise’s audit log management process.
Standardize time synchronization. Configure at least two synchronized time sources
across enterprise assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.
Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit
logs from PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise
assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include

collecting authentication and authorization events, data creation and disposal events,
and user management events.
ser Protections
and detections of threats from email and web vectors, as these are opportunities for
ate human behavior through direct engagement.
Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through X
the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious
X
domains.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example implementations
include category-based filtering, reputation-based filtering, or through the use of block
lists. Enforce filters for all enterprise assets.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example implementations
include category-based filtering, reputation-based filtering, or through the use of block
lists. Enforce filters for all enterprise assets.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary

browser or email client plugins, extensions, and add-on applications.
To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Deploy and maintain email server anti-malware protections, such as attachment

scanning and/or sandboxing.
e installation, spread, and execution of malicious applications, code, or scripts on
Deploy and maintain anti-malware software on all enterprise assets. X
Deploy and maintain anti-malware software on all enterprise assets. X
Configure automatic updates for anti-malware signature files on all enterprise assets. X
Disable autorun and autoplay auto-execute functionality for removable media. X
Enable anti-exploitation features on enterprise assets and software, where possible,

such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit
Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
in data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident
Establish and maintain a data recovery process. In the process, address the scope of
data recovery activities, recovery prioritization, and the security of backup data.
X
Review and update documentation annually, or when significant enterprise changes
occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or
X
more frequently, based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference
X
encryption or data separation, based on requirements.
Protect recovery data with equivalent controls to the original data. Reference
X
encryption or data separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example
implementations include, version controlling backup destinations through offline, cloud, X
or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope
enterprise assets.
, and actively manage (track, report, correct) network devices, in order to prevent
ting vulnerable network services and access points.
Ensure network infrastructure is kept up-to-date. Example implementations include

running the latest stable release of software and/or using currently supported network-
X
as-a-service (NaaS) offerings. Review software versions monthly, or more frequently,
to verify software support.
Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.
Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.
Securely manage network infrastructure. Example implementations include version-

controlled-infrastructure-as-code, and the use of secure network protocols, such as
SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system
documentation. Review and update documentation annually, or when significant
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).
Require users to authenticate to enterprise-managed VPN and authentication services

prior to accessing enterprise resources on end-user devices.

Establish and maintain dedicated computing resources, either physically or logically

separated, for all administrative tasks or tasks requiring administrative access. The
computing resources should be segmented from the enterprise's primary network and
not be allowed internet access.
Establish and maintain dedicated computing resources, either physically or logically
separated, for all administrative tasks or tasks requiring administrative access. The
computing resources should be segmented from the enterprise's primary network and
not be allowed internet access.
nd tooling to establish and maintain comprehensive network monitoring and defense

ats across the enterprise’s network infrastructure and user base.
Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where
appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System
(NIDS) or equivalent cloud service provider (CSP) service.
Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System
(NIDS) or equivalent cloud service provider (CSP) service.
Manage access control for assets remotely connecting to enterprise resources.

Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.
date.
date.
Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.
Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where
appropriate and/or supported. Example implementations include use of an Endpoint
Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example
implementations include the use of a Network Intrusion Prevention System (NIPS) or
equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user
and/or device authentication.
Perform application layer filtering. Example implementations include a filtering proxy,
application layer firewall, or gateway.
Tune security event alerting thresholds monthly, or more frequently.
and Skills Training
in a security awareness program to influence behavior among the workforce to be
nd properly skilled to reduce cybersecurity risks to the enterprise.
Establish and maintain a security awareness program. The purpose of a security
awareness program is to educate the enterprise’s workforce on how to interact with
enterprise assets and data in a secure manner. Conduct training at hire and, at a X
minimum, annually. Review and update content annually, or when significant
Train workforce members to recognize social engineering attacks, such as phishing,

X
pre-texting, and tailgating.
Train workforce members on authentication best practices. Example topics include

X
MFA, password composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and
destroy sensitive data. This also includes training workforce members on clear screen
and desk best practices, such as locking their screen when they step away from their X
enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and
storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure.
Example topics include mis-delivery of sensitive data, losing a portable end-user X
device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to

X
report such an incident.
Train workforce to understand how to verify and report out-of-date software patches or
any failures in automated processes and tools. Part of this training should include X
notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over,
insecure networks for enterprise activities. If the enterprise has remote workers,
X
training must include guidance to ensure that all users securely configure their home
network infrastructure.
Conduct role-specific security awareness and skills training. Example implementations

include secure system administration courses for IT professionals, (OWASP® Top 10
vulnerability awareness and prevention training for web application developers, and
advanced social engineering awareness training for high-profile roles.
evaluate service providers who hold sensitive data, or are responsible for an enterprise’s
r processes, to ensure these providers are protecting those platforms and data
Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
X
for each service provider. Review and update the inventory annually, or when
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
Classify service providers. Classification consideration may include one or more
characteristics, such as data sensitivity, data volume, availability requirements,
applicable regulations, inherent risk, and mitigated risk. Update and review
classifications annually, or when significant enterprise changes occur that could impact
this Safeguard.
Ensure service provider contracts include security requirements. Example

requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.



Assess service providers consistent with the enterprise’s service provider management
policy. Assessment scope may vary based on classification(s), and may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
questionnaires, or other appropriately rigorous processes. Reassess service providers
annually, at a minimum, or with new and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider

management policy. Monitoring may include periodic reassessment of service provider
compliance, monitoring service provider release notes, and dark web monitoring.



Securely decommission service providers. Example considerations include user and

service account deactivation, termination of data flows, and secure disposal of
enterprise data within service provider systems.
Securely decommission service providers. Example considerations include user and
service account deactivation, termination of data flows, and secure disposal of
enterprise data within service provider systems.
Security
ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and
eaknesses before they can impact the enterprise.
Establish and maintain a secure application development process. In the process,

address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing procedures. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.



Establish and maintain a process to accept and address reports of software

vulnerabilities, including providing a means for external entities to report. The process
is to include such items as: a vulnerability handling policy that identifies reporting
process, responsible party for handling vulnerability reports, and a process for intake,
assignment, remediation, and remediation testing. As part of the process, use a
vulnerability tracking system that includes severity ratings, and metrics for measuring
timing for identification, analysis, and remediation of vulnerabilities. Review and update
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that

helps to set expectations for outside stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities,

root cause analysis is the task of evaluating underlying issues that create
vulnerabilities in code, and allows development teams to move beyond just fixing
individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in
development, often referred to as a “bill of materials,” as well as components slated for
future use. This inventory is to include any risks that each third-party component could
pose. Evaluate the list at least monthly to identify any changes or updates to these
components, and validate that the component is still supported.
Establish and manage an updated inventory of third-party components used in

development, often referred to as a “bill of materials,” as well as components slated for
future use. This inventory is to include any risks that each third-party component could
pose. Evaluate the list at least monthly to identify any changes or updates to these
components, and validate that the component is still supported.
Use up-to-date and trusted third-party software components. When possible, choose
established and proven frameworks and libraries that provide adequate
security. Acquire these components from trusted sources or evaluate the software for
vulnerabilities before use.
Establish and maintain a severity rating system and process for application
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe bugs
are fixed first. Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for

application infrastructure components. This includes underlying servers, databases,
and web servers, and applies to cloud containers, Platform as a Service (PaaS)
components, and SaaS components. Do not allow in-house developed software to
weaken configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities. Training can include
general security principles and application security standard practices. Conduct
training at least annually and design in a way to promote security within the
development team, and build a culture of security among the developers.
Apply secure design principles in application architectures. Secure design principles
include the concept of least privilege and enforcing mediation to validate every
operation that the user makes, promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats. Secure
design also means minimizing the application infrastructure attack surface, such as
turning off unprotected ports and services, removing unnecessary programs and files,
and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as

identity management, encryption, and auditing and logging. Using platform features in
critical security functions will reduce developers’ workload and minimize the likelihood
of design or implementation errors. Modern operating systems provide effective
mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and
extensively reviewed encryption algorithms. Operating systems also provide
mechanisms to create and maintain secure audit logs.
Leverage vetted modules or services for application security components, such as

identity management, encryption, and auditing and logging. Using platform features in
critical security functions will reduce developers’ workload and minimize the likelihood
of design or implementation errors. Modern operating systems provide effective
mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and
extensively reviewed encryption algorithms. Operating systems also provide
mechanisms to create and maintain secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.
Conduct application penetration testing. For critical applications, authenticated

penetration testing is better suited to finding business logic vulnerabilities than code
scanning and automated security testing. Penetration testing relies on the skill of the
tester to manually manipulate an application as an authenticated and unauthenticated
user.
Conduct application penetration testing. For critical applications, authenticated
penetration testing is better suited to finding business logic vulnerabilities than code
scanning and automated security testing. Penetration testing relies on the skill of the
tester to manually manipulate an application as an authenticated and unauthenticated
user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing
application security design flaws within a design, before code is created. It is
conducted through specially trained individuals who evaluate the application design
and gauge security risks for each entry point and access level. The goal is to map out
the application, architecture, and infrastructure in a structured way to understand its
weaknesses.
anagement
to develop and maintain an incident response capability (e.g., policies, plans, procedures,
g, and communications) to prepare, detect, and quickly respond to an attack.
Designate one key person, and at least one backup, who will manage the enterprise’s
incident handling process. Management personnel are responsible for the coordination
and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using X
a third-party vendor, designate at least one person internal to the enterprise to oversee
any third-party work. Review annually, or when significant enterprise changes occur
that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information X
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the X
process is publicly available to all of the workforce. Review annually, or when
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts, as applicable. Review annually, or when significant
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts, as applicable. Review annually, or when significant
Determine which primary and secondary mechanisms will be used to communicate
and report during a security incident. Mechanisms can include phone calls, emails, or
letters. Keep in mind that certain mechanisms, such as emails, can be affected during
a security incident. Review annually, or when significant enterprise changes occur that
Plan and conduct routine incident response exercises and scenarios for key personnel
involved in the incident response process to prepare for responding to real-world
incidents. Exercises need to test communication channels, decision making, and
workflows. Conduct testing on an annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence

through identifying lessons learned and follow-up action.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence

through identifying lessons learned and follow-up action.
Establish and maintain security incident thresholds, including, at a minimum,
differentiating between an incident and an event. Examples can include: abnormal
activity, security vulnerability, security weakness, data breach, privacy incident, etc.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain security incident thresholds, including, at a minimum,
differentiating between an incident and an event. Examples can include: abnormal
activity, security vulnerability, security weakness, data breach, privacy incident, etc.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
s and resiliency of enterprise assets through identifying and exploiting weaknesses in

cesses, and technology), and simulating the objectives and actions of an attacker.
Establish and maintain a penetration testing program appropriate to the size,
complexity, and maturity of the enterprise. Penetration testing program characteristics
include scope, such as network, web application, Application Programming Interface
(API), hosted services, and physical premise controls; frequency; limitations, such as
acceptable hours, and excluded attack types; point of contact information; remediation,
such as how findings will be routed internally; and retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less

than annually. External penetration testing must include enterprise and environmental
reconnaissance to detect exploitable information. Penetration testing requires
specialized skills and experience and must be conducted through a qualified party. The
testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation
scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify
rulesets and capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less
than annually. The testing may be clear box or opaque box.
IG2 IG3 Relationship Control # Control Title
Inventory of information and

X X Subset 5.9
other associated assets
Management of technical
X X Subset 8.8
vulnerabilities
X X
X X
X X
X
X X Subset 5.9

X X Subset 5.9
X X Subset 8.7 Protection against malware
X X
Installation of software on
X X Subset 8.19
operational systems
Installation of software on
X X Subset 8.19
operational systems
Acceptable use of
X X Subset 5.10 information and other
associated assets
X X Subset 5.9
X X Subset 8.1 User endpoint devices

X X Subset 5.9
Acceptable use of
associated assets
X X Subset 5.15 Access control
X X Subset 8.3 Information access restriction
X X Subset 8.4 Access to source code
X X Subset 5.33 Protection of records
Acceptable use of
associated assets
X X Subset 7.10 Storage media
Secure disposal or re-use of

X X Subset 7.14
equipment
X X Subset 6.7 Remote working

X X Subset 5.9
X X Subset 5.12 Classification of information
X X Subset 5.13 Labelling of information
X X Subset 8.12 Data leakage prevention
X X Subset 5.14 Information transfer
X X Subset 8.20 Networks security

X X Subset 8.22 Segregation of networks
X Subset 5.14 Information transfer
X Subset 8.12 Data leakage prevention
X Subset 8.15 Logging
X X Subset 8.9 Configuration management
X X Subset 8.5 Secure authentication
X X

X X
X X Subset 8.2 Privileged access rights
X X
X X Subset 8.10 Information Deletion
X Subset 6.7 Remote working
X Subset 8.1 User endpoint devices

X X Subset 5.16 Identity management
X X Subset 5.17 Authentication information
X X Subset
Use of privileged utility

X X Subset 8.18
programs
X X Subset 5.15 Access Control
X X Subset 5.18 Access rights

Responsibilities after
X X Subset 6.5 termination or change of
employment
X X Subset 5.15 Access Control
X Superset 5.3 Segregation of duties
X Subset 5.15 Access control
X Subset 8.2 Privileged access rights
X Subset 8.3 Information access restriction

X Subset 5.18 Access rights
X X Subset 8.8
vulnerabilities
X X Subset 8.8
vulnerabilities
X X Subset 8.8
vulnerabilities
X X Subset 8.8
vulnerabilities
X X Subset 8.8
vulnerabilities
X X Subset 8.8
vulnerabilities
X X Subset 8.8
vulnerabilities
X X Equivalent 8.15 Logging
X X Subset 8.15 Logging
X X Subset 8.20 Networks security
X X Subset 8.6 Capacity management

X X Equivalent 8.17 Clock synchronization
X X Subset 5.28 Collection of evidence
X X Subset
X X Subset
X X
X X Subset 5.28 Collection of evidence
Assessment and decision on
X X Subset 5.25
information security events
X Subset
X X Subset 8.23 Web filtering
X X Subset 8.23 Web filtering
X X
X X
X X
X Subset 8.7 Protection against malware
X X Subset 8.13 Information backup

X X Subset 8.12 Data leakage prevention
X X
Secure system architecture

X X Subset 8.27
and engineering principles
X X Subset 8.21 Security of network services
X X
X X

X Subset 8.2 Privileged access rights
X Subset 8.22 Segregation of networks
X X Subset 8.16 Monitoring activities

X X Subset 8.3 Information access restriction
Management of Technical
X Subset 8.8
Vulnerabilities
X Subset 8.8
Vulnerabilities
X Subset 8.8
Vulnerabilities
X Subset 8.8
Vulnerabilities
X Subset 5.7 Threat intellgigence
Information security
X X Equivalent 6.3 awareness, education and
training
X X Subset 6.3 awareness, education and
training
Acceptable use of
associated assets
training
Information security event

X X Subset 6.8
reporting
X X subset 6.3 awareness, education and
training
training
training
Information security in
X X Subset 5.19
supplier relationships
Policies for information

X X Subset 5.1
security
Acceptable use of
associated assets
X X Subset 5.19
Addressing information
X X Subset 5.20 security within supplier
agreements
Information security for use

X X Subset 5.23
of cloud services
X X Subset 5.19
agreements
Managing information
X X Subset 5.21 security in the ICT supply
chain

X X Subset 5.23
of cloud services
X Subset 5.19
Monitoring, review and

X Subset 5.22 change management of
supplier services

X Subset 5.23
of cloud services
X Subset 5.19
X Subset 5.20 security within supplier
agreements
Managing information
X Subset 5.21 security in the ICT supply
chain
Monitoring, review and

X Subset 5.22 change management of
supplier services
X Subset 5.19
X Subset 5.20 security within supplier
agreements
Information security in project
X X Subset 5.8
management
X X Superset 8.4 Access to source code
Secure development life

X X Superset 8.25
cycle
X X Superset 8.28 Secure coding
X X Subset 8.8
vulnerabilities
X X Subset 8.8
vulnerabilities
Application security
X X Subset 8.26
requirements
X X Subset 8.30 Outsourced development
X X Subset 8.26
requirements
X X Subset 8.8
vulnerabilities
X X Subset 8.8
vulnerabilities
Separation of development,
X X Equivalent 8.31 test and production
environments
X X Subset 8.28 Secure coding

Secure system architecture
X X Subset 8.27
and engineering principles

X X Subset 8.25
cycle
X X Subset 8.26
requirements

X Subset 8.25
cycle
X Subset 8.28 Secure coding
Security testing in
X Subset 8.29
development and acceptance
X Subset 8.8
vulnerabilities
Security testing in
X Subset 8.29
Security testing in
X Subset 8.29
Information security incident

X X Subset 5.24 management planning and
preparation
X X Superset 5.5 Contact with authorities
Contact with special interest

X X Subset 5.6
groups
agreements

preparation
Information security event

X X Equivalent 6.8
reporting
preparation
Response to information
X X Subset 5.26
security incidents
Information security roles

X X Subset 5.2
and responsibilities

preparation

preparation
ICT readiness for business

X X Subset 5.30
continuity

preparation
Learning from information
X X Subset 5.27
security incidents

X Subset 5.24 management planning and
preparation
Assessment and decision on

X Subset 5.25
information security events
X X Subset 8.8
vulnerabilities
X X Subset 8.8
vulnerabilities
X X Subset 8.8
vulnerabilities
X Subset 8.8
vulnerabilities
X Subset 8.8
vulnerabilities
ISO/IEC
Control Title
Control #
5.4 Management responsibilities
5.7 Threat intelligence
5.29 Information security during disruption
5.31 Legislation, regulations and statutory and contractual requirements
5.32 Intellectual property rights
5.34 Privacy and protection of PII
5.35 Independent review of information security
5.36 Conformance with policies, rules and standards for information security
5.37 Documented operating procedures
6.1 Screening
6.2 Terms and conditions of employment
6.4 Disciplinary process
6.6 Confidentiality or non-disclosure agreements
7.1 Physical security perimeters
7.2 Physical entry
7.3 Securing offices, rooms and facilities
7.4 Physical security monitoring
7.5 Protecting against physical and environmental threats
7.6 Working in secure areas
7.7 Clear desk and clear screen
7.8 Equipment siting and protection
7.9 Security of assets off-premises
7.11 Supporting utilities
7.12 Cabling security
7.13 Equipment maintenance
7.14 Secure disposal or re-use of equipment
8.11 Data masking
8.14 Redundancy of information processing facilities
8.24 Use of cryptography
8.32 Change management
8.33 Test information
8.34 Protection of information systems during audit testing
The following CIS Controls Safeguards are NOT mapped to ISO 27002
1.2
1.3
1.4
1.5
2.4
2.7
4.4
4.9
8.9
9.4
9.5
9.6
12.1
12.4
12.5
The following CIS Controls Safeguards are NOT mapped to ISO 27002
Address Unauthorized Assets
Utilize an Active Discovery Tool
Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Use a Passive Asset Discovery Tool
Utilize Automated Software Inventory Tools
Allowlist Authorized Scripts
Implement and Manage a Firewall on Servers
Configure Trusted DNS Servers on Enterprise Assets

Centralize Audit Logs
Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
Implement DMARC
Block Unnecessary File Types
Ensure Network Infrastructure is Up-to-Date
Establish and Maintain Architecture Diagram(s)

Centralize Network Authentication, Authorization, and Auditing (AAA)
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to
remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the
asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active
discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the
enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more
frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to
update the enterprise’s asset inventory at least weekly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and
documentation of installed software.
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such
as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-
annually, or more frequently.
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall,
operating system firewall, or a third-party firewall agent.
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use
enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins,
extensions, and add-on applications.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification,
starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM)
standards.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable
release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software
versions monthly, or more frequently, to verify software support.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

CIS Controls v8 and Mapping To ISO27002

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CIS Controls v8 and Mapping To ISO27002

Uploaded by

Copyright:

Available Formats

CIS CIS Security

Asset Type Title

Inventory and Control of

Establish and Maintain Detailed

1 1.2 Devices Respond Address Unauthorized Assets

1 1.3 Devices Detect Utilize an Active Discovery Tool

Use Dynamic Host Configuration

Use a Passive Asset Discovery

Inventory and Control of

Establish and Maintain a Software

Ensure Authorized Software is

2 2.6 Applications Protect Allowlist Authorized Libraries

2 2.7 Applications Protect Allowlist Authorized Scripts

Establish and Maintain a Data

Establish and Maintain a Data

Configure Data Access Control

3 3.5 Data Protect Securely Dispose of Data

3 3.6 Devices Protect Encrypt Data on End-User Devices

Establish and Maintain a Data

3 3.8 Data Identify Document Data Flows

3 3.9 Data Protect Encrypt Data on Removable Media

3 3.10 Data Protect Encrypt Sensitive Data in Transit

3 3.11 Data Protect Encrypt Sensitive Data at Rest

Deploy a Data Loss Prevention

Establish and Maintain a Secure

Establish and Maintain a Secure

Configure Automatic Session

Implement and Manage a Firewall

Securely Manage Enterprise Assets

Manage Default Accounts on

Uninstall or Disable Unnecessary

Enforce Automatic Device Lockout

Enforce Remote Wipe Capability on

Establish and Maintain an Inventory

5 5.2 Users Protect Use Unique Passwords

5 5.3 Users Respond Disable Dormant Accounts

Establish and Maintain an Inventory

Establish an Access Revoking

Require MFA for Externally-

Require MFA for Remote Network

6 6.7 Users Protect Centralize Access Control

Define and Maintain Role-Based

Establish and Maintain a

Establish and Maintain a

Perform Automated Vulnerability

Perform Automated Vulnerability

7 7.7 Applications Respond Remediate Detected Vulnerabilities

8 Audit Log Management

Establish and Maintain an Audit

8 8.2 Network Detect Collect Audit Logs

8 8.5 Network Detect Collect Detailed Audit Logs

8 8.6 Network Detect Collect DNS Query Audit Logs

8 8.8 Devices Detect Collect Command-Line Audit Logs

8 8.9 Network Detect Centralize Audit Logs

Email and Web Browser

9 9.5 Network Protect Implement DMARC

9 9.6 Network Protect Block Unnecessary File Types

Configure Automatic Anti-Malware

10 10.5 Devices Protect Enable Anti-Exploitation Features

Centrally Manage Anti-Malware

Establish and Maintain a Data

11 11.3 Data Protect Protect Recovery Data

Establish and Maintain an Isolated