CIS Controls Only
CIS Safeguard
1.1
1.2
1.3
1.4
1.5
2.1
2.2
2.3
2.4
2.5
2.6
2.7
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
3.14
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
4.12
5.1
5.2
5.3
5.4
5.5
5.6
6.3
6.4
6.5
6.6
6.7
6.8
7.1
7.2
7.3
7.4
7.5
7.6
7.7
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
9.1
9.2
9.3
9.4
9.5
9.6
9.7
11.1
11.2
11.3
11.4
11.5
12.1
12.2
12.3
12.4
12.5
12.6
12.7
12.8
13.1
13.2
13.3
13.4
13.5
13.6
13.7
13.8
13.9
13.10
13.11
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
15.5
15.6
15.7
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
16.13
16.14
CIS Control 17: Incident Response Management
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
CIS Control 1: Inventory and Control of Enterprise Assets
Control Requirement
Establish and maintain a detailed and updated inventory of enterprise assets that store or
process data. The assets can be connected to the infrastructure remotely, physically, or
virtually.
Use an active discovery tool to identify assets connected to the network and configure it to
execute as often as needed.
Use Dynamic Host Configuration Protocol (DHCP) logging or Internet Protocol (IP) address
management tools to update the inventory.
Use a passive asset discovery tool to identify assets connected to the network
Automate the process of discovering and documenting installed software using software
inventory tools
Ensure that only authorized software can be accessed or executed using technical controls
like application allowlisting
Ensure that only authorized software libraries are loaded into system processes using
technical controls
Ensure that only authorized scripts can be executed using technical controls like digital
signatures and version control
Configure data access control lists on file systems, databases, and applications
Retain data according to a documented data management process that includes minimum and
maximum retention timelines
Encrypt data in transit using techniques like Transport Layer Security (TLS) or Open Secure
Shell (OpenSSH)
Encrypt sensitive data at rest deployed on servers, applications, or databases using
techniques like server-side encryption or application-layer encryption
Segment data processing and storage based on its sensitivity
Use automated tools like Data Loss Prevention (DLP) to identify sensitive data stored,
processed, or transmitted via enterprise assets
Maintain a log of sensitive data access that includes modification and disposal
Establish and maintain a secure configuration process for enterprise assets and software
Collect audit logs across assets aligned with the enterprise’s log management process
Collect detailed audit logs for sensitive data that include event source, date, username,
timestamp, source and destination addresses, and more to support forensic investigation
Use anti-malware systems like attachment scanning or sandboxing to secure email servers
Establish and maintain computing resources segmented from the primary enterprise
network and internet connection to manage tasks that require administrative access
Manage access control for remotely connected assets. Determine access requirements based
on the presence of an up-to-date anti-malware solution, compliance with the enterprise’s
configuration standard, and the patch status of operating systems and applications
Apply application-layer filtering such as proxy filtering, an application layer firewall, or a gateway
Tune security event alerting thresholds at least monthly, or more frequently
Train employees to identify social engineering attacks like phishing, pretexting, and tailgating
Establish and maintain a service provider management policy that addresses classification,
inventory, assessment, monitoring, and decommissioning of each vendor
Classify service providers based on data sensitivity, data volume, data availability,
regulations, inherent risk, and mitigated risk
Ensure service provider contracts include security clauses like breach notification, data
encryption, data disposal, and others based on the security policy
Assess service providers based on your management policy to address compliance reports
like SOC 2, AoC (Attestation of Compliance) of PCI DSS, custom questionnaires, and others
Monitor service providers based on your management policy to address vendor compliance,
vendor release notes, and dark web monitoring.
Decommission service providers to address user and service account deactivation, data flow
termination, and data disposal within provider systems
Establish and maintain a process to accept and address software vulnerability reports that
details the policies, responsible parties, assignment, intake process, remediation, and
remediation testing. Additionally, use a vulnerability tracking system
Create a severity rating system to address vulnerabilities in the order of their discovery
Train software developers in secure coding, general security principles, and application
security practices
Use secure design principles for application architectures, such as least privilege, validation of
user input, checking inputs for errors, and minimizing the infrastructure attack surface
Use vetted modules or services for application security components like identity
management, encryption, logging, and auditing
Use static and dynamic tools to analyze the application life cycle and ensure secure coding
practices
Conduct application penetration tests. For critical applications, authenticated pen tests are
recommended because they identify business logic vulnerabilities that code scanning and
automated testing miss
Conduct threat modeling to identify and address application design security flaws
CIS Control 17: Incident Response Management
Control Requirement
Assign one key role and a backup role to manage incidents. If incident handling is outsourced to
a third-party service, an internal person should oversee their work
Create and maintain a contact list of parties who should be informed in case a security
incident occurs
Establish and maintain a process for all employees to report security incidents that includes a
reporting timeframe, reporting personnel, processes, and information to report
Establish and maintain an incident response policy detailing the roles, accountabilities,
compliance requirements, and accountability plan
Assign key roles and responsibilities to respond to incidents from departments like legal, IT,
information security, facilities, public relations, human resources, analysts, and others as
applicable
Determine the primary and secondary measures to communicate and report security
incidents
Conduct incident response exercises based on real scenarios to prepare key roles to process
and respond to incidents
Conduct post-incident reviews to avoid repeat occurrences
Establish and maintain incident thresholds to differentiate between incidents and events.
Establish and maintain a pen testing program based on the enterprise’s size, complexity, and
maturity. Address scope, limitations, retrospective requirements, and remediation
Conduct external pen tests (clear box or opaque box) at least once annually. Include
enterprise and environmental reconnaissance in the pen test
Remediate the vulnerabilities identified in the pen test based on enterprise scope and
prioritization
Validate security measures after a pen test and make the necessary modifications to
configurations and detection capabilities
Conduct internal pen tests (clear box or opaque box) at least once annually, based on
requirements
Security Function Asset Type
Identify Devices
Respond Devices
Detect Devices
Identify Devices
Detect Devices
Identify Applications
Identify Applications
Respond Applications
Detect Applications
Protect Applications
Protect Applications
Protect Applications
Identify Data
Identify Data
Protect Data
Protect Data
Protect Data
Protect Devices
Identify Data
Identify Data
Protect Data
Protect Data
Protect Data
Protect Network
Protect Data
Detect Data
Protect Applications
Protect Network
Protect Users
Protect Devices
Protect Devices
Protect Network
Protect Users
Protect Devices
Protect Devices
Respond Devices
Protect Devices
Protect Devices
Identify Users
Protect Users
Respond Users
Protect Users
Identify Users
Protect Users
Protect Users
Protect Users
Protect Users
Identify Users
Protect Users
Protect Data
Protect Applications
Respond Applications
Protect Applications
Protect Applications
Identify Applications
Identify Applications
Respond Applications
Protect Network
Detect Network
Detect Network
Detect Network
Detect Devices
Detect Network
Protect Network
Detect Network
Detect Data
Protect Applications
Protect Network
Protect Network
Protect Applications
Protect Network
Protect Network
Protect Network
Recover Data
Recover Data
Protect Data
Recover Data
Recover Data
Protect Network
Protect Network
Protect Network
Identify Network
Protect Network
Protect Network
Protect Devices
Protect Devices
Detect Network
Detect Devices
Detect Network
Protect Network
Protect Devices
Detect Network
Protect Devices
Protect Network
Protect Devices
Protect Network
Detect Network
Protect N/A
Protect N/A
Protect N/A
Protect N/A
Protect N/A
Protect N/A
Protect N/A
Protect N/A
Identify N/A
Identify N/A
Identify N/A
Protect N/A
Identify N/A
Detect Data
Protect Data
Protect Applications
Protect Applications
Protect Applications
Protect Applications
Protect Applications
Protect Applications
Protect Applications
Protect Applications
Protect Applications
Protect Applications
Protect Applications
Protect Applications
Protect Applications
Protect Applications
Respond N/A
Respond N/A
Respond N/A
Respond N/A
Respond N/A
Respond N/A
Recover N/A
Recover N/A
Recover N/A
Identify N/A
Identify Network
Protect Network
Protect Network
Identify N/A