
CIS Control 1: Inventory and Control of Enterprise Assets

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 1.1 | Establish and maintain a detailed and updated inventory of enterprise assets that store or process data. The assets can be connected to the infrastructure remotely, physically, or virtually. | Identify | Devices |
| 1.2 | Implement processes to remove, deny, or quarantine unauthorized assets. | Respond | Devices |
| 1.3 | Use an active discovery tool to identify assets connected to the network and configure it to execute as often as needed. | Detect | Devices |
| 1.4 | Use Dynamic Host Configuration Protocol (DHCP) logging or Internet Protocol (IP) address management tools to update the inventory. | Identify | Devices |
| 1.5 | Use a passive asset discovery tool to identify assets connected to the network. | Detect | Devices |

CIS Control 2: Inventory and Control of Software Assets

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 2.1 | Establish and maintain a detailed inventory of software installed on assets. | Identify | Applications |
| 2.2 | Ensure that only supported software is authorized in the inventory. | Identify | Applications |
| 2.3 | Remove unauthorized software from the system or document its necessity. | Respond | Applications |
| 2.4 | Automate the process of discovering and documenting installed software using software inventory tools. | Detect | Applications |
| 2.5 | Ensure that only authorized software can be accessed or executed, using technical controls like application allowlisting. | Protect | Applications |
| 2.6 | Ensure that only authorized software libraries are loaded into system processes, using technical controls. | Protect | Applications |
| 2.7 | Ensure that only authorized scripts can be executed, using technical controls like digital signatures and version control. | Protect | Applications |

CIS Control 3: Data Protection

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 3.1 | Establish and maintain a data management process detailing sensitivity, retention limits, disposal requirements, and owners. | Identify | Data |
| 3.2 | Establish and maintain a data inventory based on the management process. | Identify | Data |
| 3.3 | Configure data access control lists on file systems, databases, and applications. | Protect | Data |
| 3.4 | Retain data according to the management process, including minimum and maximum retention timelines. | Protect | Data |
| 3.5 | Dispose of data securely, in line with its level of sensitivity. | Protect | Data |
| 3.6 | Encrypt data deployed on endpoint devices. | Protect | Devices |
| 3.7 | Establish and maintain a data classification plan based on sensitive, public, or confidential categories. | Identify | Data |
| 3.8 | Document data flows based on data management processes. | Identify | Data |
| 3.9 | Encrypt data on removable media. | Protect | Data |
| 3.10 | Encrypt data in transit using techniques like Transport Layer Security (TLS) or Open Secure Shell (OpenSSH). | Protect | Data |
| 3.11 | Encrypt sensitive data at rest deployed on servers, applications, or databases using techniques like server-side encryption or application-layer encryption. | Protect | Data |
| 3.12 | Segment data processing and storage based on its sensitivity. | Protect | Network |
| 3.13 | Use automated tools like Data Loss Prevention (DLP) to identify sensitive data stored, processed, or transmitted via enterprise assets. | Protect | Data |
| 3.14 | Maintain a log of sensitive data access that includes modification and disposal. | Detect | Data |

CIS Control 4: Secure Configuration of Enterprise Assets and Software

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 4.1 | Establish and maintain a secure configuration process for enterprise assets and software. | Protect | Applications |
| 4.2 | Establish and maintain a secure configuration process for network devices. | Protect | Network |
| 4.3 | Configure automated session lockout after a defined period of inactivity. The recommended period is 15 minutes for general operating systems and 2 minutes for mobile endpoint devices. | Protect | Users |
| 4.4 | Implement and manage firewalls on supported servers. | Protect | Devices |
| 4.5 | Implement and manage a host-based firewall or port filtering tool on endpoint devices. Configure the settings to allow only whitelisted traffic. | Protect | Devices |
| 4.6 | Securely manage enterprise assets and software using version-controlled infrastructure-as-code, and access administrative interfaces over secure network protocols like SSH and HTTPS. | Protect | Network |
| 4.7 | Manage default accounts on assets, like root, administrator, or pre-configured vendor accounts, by disabling them or making them inaccessible. | Protect | Users |
| 4.8 | Implement and manage a host-based firewall or port filtering tool on endpoint devices. Configure the settings to allow only whitelisted traffic. | Protect | Devices |
| 4.9 | Configure trusted DNS servers. Use only enterprise-controlled or trusted externally accessible DNS servers. | Protect | Devices |
| 4.10 | Configure automated device lockout following a predetermined number of failed authentication attempts. The suggested number is 20 for laptops and 10 for tablets or smartphones. | Respond | Devices |
| 4.11 | Remotely delete data deployed on enterprise-owned portable devices if the device is lost or the assigned owner has exited the organization. | Protect | Devices |
| 4.12 | Use separate workspaces on mobile and endpoint devices for enterprise and personal application data. | Protect | Devices |

CIS Control 5: Account Management

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 5.1 | Use unique passwords for each asset. Passwords should have at least 8 characters if MFA is enabled and 14 characters if it is not. | Identify | Users |
| 5.2 | Use unique passwords for each asset. Passwords should have at least 8 characters if MFA is enabled and 14 characters if it is not. | Protect | Users |
| 5.3 | Delete or disable dormant accounts after 45 days of inactivity. | Respond | Users |
| 5.4 | Restrict administrator privileges to administrator accounts, and conduct general activities from user (non-privileged) accounts. | Protect | Users |
| 5.5 | Establish and maintain an inventory of service accounts detailing department owner, review date, and purpose. | Identify | Users |
| 5.6 | Centralize all account management activities using a directory or identity service. | Protect | Users |

CIS Control 6: Access Control Management

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 6.1 | Establish a process to manage access privileges for new hires or role changes. | Protect | Users |
| 6.2 | Establish a process to manage access removal on role change or termination. | Protect | Users |
| 6.3 | Maintain role-based access control based on role-wise access rights to ensure each function can carry out its assigned tasks. | Protect | Users |
| 6.4 | Enforce MFA for remote network access requests. | Protect | Users |
| 6.5 | Enforce MFA on all externally managed or third-party-accessible applications. | Protect | Users |
| 6.6 | Establish and maintain an inventory of authentication and authorization systems. | Identify | Users |
| 6.7 | Centralize access control activities using a directory or SSO provider. | Protect | Users |
| 6.8 | Maintain role-based access control based on role-wise access rights to ensure each function can carry out its assigned tasks. | Protect | Data |

CIS Control 7: Continuous Vulnerability Management

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 7.1 | Establish and maintain a documented process to manage vulnerabilities. | Protect | Applications |
| 7.2 | Establish and maintain a documented risk remediation plan. | Respond | Applications |
| 7.3 | Conduct automated vulnerability scans (authenticated and unauthenticated) on internal assets using a SCAP-compliant scanning tool. | Protect | Applications |
| 7.4 | Update applications using automated patch management tools. | Protect | Applications |
| 7.5 | Conduct automated vulnerability scans (authenticated and unauthenticated) on internal assets using a SCAP-compliant scanning tool. | Identify | Applications |
| 7.6 | Conduct automated vulnerability scans (authenticated and unauthenticated) on external assets using a SCAP-compliant scanning tool. | Identify | Applications |
| 7.7 | Remediate software vulnerabilities using tools and processes. | Respond | Applications |

CIS Control 8: Audit Log Management

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 8.1 | Establish and maintain a process to collect, review, and retain audit logs. | Protect | Network |
| 8.2 | Centralize audit log collection and retention processes. | Detect | Network |
| 8.3 | Ensure adequate storage capacity at audit log destinations. | Protect | Network |
| 8.4 | Collect audit logs across assets in line with the enterprise's log management process. | Protect | Network |
| 8.5 | Collect detailed audit logs for sensitive data that include event source, date, username, timestamp, source and destination addresses, and more to support forensic investigation. | Detect | Network |
| 8.6 | Collect DNS query audit logs. | Detect | Network |
| 8.7 | Collect URL request audit logs. | Detect | Network |
| 8.8 | Collect command-line audit logs. | Detect | Devices |
| 8.9 | Centralize audit log collection and retention processes. | Detect | Network |
| 8.10 | Retain audit logs for at least 90 days. | Protect | Network |
| 8.11 | Conduct audit log reviews to detect anomalous behavior or abnormal events that could be a security threat. | Detect | Network |
| 8.12 | Collect service provider logs. | Detect | Data |

CIS Control 9: Email and Web Browser Protections

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 9.1 | Run only supported and authorized browsers or email clients. Use only the latest vendor-provided version. | Protect | Applications |
| 9.2 | Use anti-malware systems like attachment scanning or sandboxing to secure email servers. | Protect | Network |
| 9.3 | Use anti-malware systems like attachment scanning or sandboxing to secure email servers. | Protect | Network |
| 9.4 | Use anti-malware systems like attachment scanning or sandboxing to secure email servers. | Protect | Applications |
| 9.5 | Use a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy and verification to minimize email spoofing and email modification. | Protect | Network |
| 9.6 | Block unnecessary files entering the email gateway. | Protect | Network |
| 9.7 | Use anti-malware systems like attachment scanning or sandboxing to secure email servers. | Protect | Network |

CIS Control 10: Malware Defenses

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 10.1 | Deploy and maintain anti-malware software. | Protect | Devices |
| 10.2 | Configure automatic updates for anti-malware signature files. | Protect | Devices |
| 10.3 | Disable autorun and autoplay functionality for removable media. | Protect | Devices |
| 10.4 | Enable anti-exploitation features on assets and software. | Detect | Devices |
| 10.5 | Centralize anti-malware software management. | Protect | Devices |
| 10.6 | Use behavior-based anti-malware software. | Protect | Devices |
| 10.7 | Use behavior-based anti-malware software. | Detect | Devices |

CIS Control 11: Data Recovery

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 11.1 | Establish and maintain a data recovery process that includes the scope of activities, prioritization details, and the security of backed-up data. | Recover | Data |
| 11.2 | Back up in-scope assets automatically. The frequency should be based on the sensitivity of the data. | Recover | Data |
| 11.3 | Protect recovery data using the same controls as the original data. | Protect | Data |
| 11.4 | Establish and maintain an isolated container of recovery data. | Recover | Data |
| 11.5 | Test the backup recovery system at frequent intervals. | Recover | Data |

CIS Control 12: Network Infrastructure Management

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 12.1 | Keep network infrastructure updated by running the latest software version and using currently supported NaaS (network-as-a-service). | Protect | Network |
| 12.2 | Establish and maintain a secure network architecture that ensures segmentation, least privilege, and availability. | Protect | Network |
| 12.3 | Secure network infrastructure using version-controlled infrastructure-as-code and secure network protocols. | Protect | Network |
| 12.4 | Establish and maintain an architecture diagram and other necessary network system documentation. | Identify | Network |
| 12.5 | Centralize network AAA (Authentication, Authorization, and Auditing). | Protect | Network |
| 12.6 | Use secure network management and communication protocols. | Protect | Network |
| 12.7 | Ensure that users authenticate via an enterprise-managed VPN to access enterprise resources from endpoint devices. | Protect | Devices |
| 12.8 | Establish and maintain computing resources, segmented from the primary enterprise network and internet connection, for tasks that require administrative access. | Protect | Devices |

CIS Control 13: Network Monitoring and Defense

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 13.1 | Implement a host-based anti-intrusion solution like EDR (Endpoint Detection and Response) systems or host-based IPS agents on supported or applicable assets. | Detect | Network |
| 13.2 | Implement a host-based anti-intrusion solution like EDR (Endpoint Detection and Response) systems or host-based IPS agents on supported or applicable assets. | Detect | Devices |
| 13.3 | Deploy network intrusion detection systems, like a NIDS (Network Intrusion Detection System) or a CSP (cloud service provider) service, as applicable. | Detect | Network |
| 13.4 | Filter traffic between network segments where applicable. | Protect | Network |
| 13.5 | Implement a host-based anti-intrusion solution like EDR (Endpoint Detection and Response) systems or host-based IPS agents on supported or applicable assets. | Protect | Devices |
| 13.6 | Collect network traffic logs for review and alerting purposes. | Detect | Network |
| 13.7 | Implement network intrusion prevention systems like a NIPS (Network Intrusion Prevention System) on supported or applicable assets. | Protect | Devices |
| 13.8 | Implement port-level access control (802.1x or equivalent access control protocols). User and device authentication is recommended. | Protect | Network |
| 13.9 | Manage access control for remotely connected assets. Determine access requirements based on an up-to-date anti-malware solution, compliance with the enterprise's configuration standard, and up-to-date operating systems and applications. | Protect | Devices |
| 13.10 | Filter at the application layer using proxy filtering, an application layer firewall, or a gateway. | Protect | Network |
| 13.11 | Tune security event alerting thresholds monthly or more frequently. | Detect | Network |

CIS Control 14: Security Awareness and Skills Training

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 14.1 | Train employees to recognize and report threat incidents. | Protect | N/A |
| 14.2 | Train employees to identify social engineering attacks like phishing, pretexting, and tailgating. | Protect | N/A |
| 14.3 | Train employees on authentication practices like MFA, credential management, and password composition. | Protect | N/A |
| 14.4 | Train employees to identify, store, transfer, and archive sensitive data, including clear screen and clear desk best practices. | Protect | N/A |
| 14.5 | Train employees on the causes of accidental data exposure. | Protect | N/A |
| 14.6 | Conduct role-based security training and awareness programs. | Protect | N/A |
| 14.7 | Conduct role-based security training and awareness programs. | Protect | N/A |
| 14.8 | Train employees to understand the security consequences of connecting to and transmitting data over insecure networks. Remote workers should securely configure their home network infrastructure. | Protect | N/A |
| 14.9 | Conduct role-based security training and awareness programs. | Protect | N/A |

CIS Control 15: Service Provider Management

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 15.1 | Establish and maintain an inventory of service providers listing all vendors, their classification, and a designated contact. | Identify | N/A |
| 15.2 | Establish and maintain a service provider management policy that addresses classification, inventory, assessment, monitoring, and decommissioning of each vendor. | Identify | N/A |
| 15.3 | Classify service providers based on data sensitivity, data volume, data availability, regulations, inherent risk, and mitigated risk. | Identify | N/A |
| 15.4 | Ensure service provider contracts include security clauses like breach notification, data encryption, data disposal, and others based on the security policy. | Protect | N/A |
| 15.5 | Assess service providers based on your management policy, using compliance reports like SOC 2, PCI DSS AoC (Attestation of Compliance), custom questionnaires, and others. | Identify | N/A |
| 15.6 | Monitor service providers based on your management policy, covering vendor compliance, vendor release notes, and dark web monitoring. | Detect | Data |
| 15.7 | Decommission service providers, addressing user and service account deactivation, data flow termination, and data disposal within provider systems. | Protect | Data |

CIS Control 16: Application Software Security

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 16.1 | Analyze the root cause of vulnerabilities to evaluate underlying code issues. | Protect | Applications |
| 16.2 | Establish and maintain a process to accept and address software vulnerability reports that details the policies, responsible parties, assignment, intake process, remediation, and remediation testing. Additionally, use a vulnerability tracking system. | Protect | Applications |
| 16.3 | Analyze the root cause of vulnerabilities to evaluate underlying code issues. | Protect | Applications |
| 16.4 | Use industry-grade hardening configuration templates for application infrastructure components like databases and web servers, as well as cloud containers and PaaS or SaaS components. | Protect | Applications |
| 16.5 | Separate environments for production and non-production systems. | Protect | Applications |
| 16.6 | Create a severity rating system to address vulnerabilities in the order of their discovery. | Protect | Applications |
| 16.7 | Use industry-grade hardening configuration templates for application infrastructure components like databases and web servers, as well as cloud containers and PaaS or SaaS components. | Protect | Applications |
| 16.8 | Separate the environments for production and non-production systems. | Protect | Applications |
| 16.9 | Train software developers in secure coding, general security principles, and application security practices. | Protect | Applications |
| 16.10 | Use secure design principles for application architectures, like least privilege, validating user input, checking inputs for errors, and minimizing the infrastructure attack surface. | Protect | Applications |
| 16.11 | Use vetted modules or services for application security components like identity management, encryption, logging, and auditing. | Protect | Applications |
| 16.12 | Use static and dynamic analysis tools throughout the application life cycle to ensure secure coding practices. | Protect | Applications |
| 16.13 | Conduct application pen tests. Authenticated pen tests are recommended for critical applications to identify business logic vulnerabilities beyond what code scanning and automated testing can find. | Protect | Applications |
| 16.14 | Conduct threat modeling to identify and address application design security flaws. | Protect | Applications |

CIS Control 17: Incident Response Management

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 17.1 | Assign one key role and a backup role to manage incidents. If incident handling is outsourced to a third-party service, an internal person should oversee their work. | Respond | N/A |
| 17.2 | Create and maintain a contact list of parties who should be informed when a security incident occurs. | Respond | N/A |
| 17.3 | Establish and maintain a process for all employees to report security incidents that includes the reporting timeframe, reporting personnel, processes, and information to report. | Respond | N/A |
| 17.4 | Establish and maintain an incident response policy detailing roles and responsibilities, compliance requirements, and an accountability plan. | Respond | N/A |
| 17.5 | Assign key roles and responsibilities for responding to incidents from departments like legal, IT, information security, facilities, public relations, human resources, analysts, and others as applicable. | Respond | N/A |
| 17.6 | Determine the primary and secondary channels for communicating and reporting security incidents. | Respond | N/A |
| 17.7 | Conduct incident response exercises based on realistic scenarios to prepare key roles to process and respond to incidents. | Recover | N/A |
| 17.8 | Conduct post-incident reviews to avoid repeat occurrences. | Recover | N/A |
| 17.9 | Establish and maintain incident thresholds to differentiate between incidents and events. | Recover | N/A |

CIS Control 18: Penetration Testing

| CIS Safeguard | Control Requirement | Security Function | Asset Type |
|---|---|---|---|
| 18.1 | Establish and maintain a pen testing program based on the enterprise's size, complexity, and maturity. Address scope, limitations, retrospective requirements, and remediation. | Identify | N/A |
| 18.2 | Conduct external pen tests (clear box or opaque box) at least once annually. Include enterprise and environmental reconnaissance in the pen test. | Identify | Network |
| 18.3 | Remediate the vulnerabilities identified in the pen test based on enterprise scope and prioritization. | Protect | Network |
| 18.4 | Validate security measures after a pen test and make the necessary modifications to configurations and detection capabilities. | Protect | Network |
| 18.5 | Conduct internal pen tests (clear box or opaque box) at least once annually, based on requirements. | Identify | N/A |
