Professional Documents
Culture Documents
CIS Controls v8 Mapping to ISACA COBIT 19_2-2023
CIS Controls v8 Mapping to ISACA COBIT 19_2-2023
Editors
Thomas Sager
Contributors
Larry Marks
License for Use
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nc-nd/4.0/legalcode
To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
the prior approval of CIS® (Center for Internet Security, Inc.).
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-
are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to
Mapping Methodology
Mapping Methodology
This page describes the methodology used to map the CIS Critical Security Controls to ISACA COBIT 19
Reference link for COBIT 19: https://www.isaca.org/resources/cobit
The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
It is not enough for two Controls to be related, it must be clear that implementing one Control will contribute
The general strategy used is to identify all of the aspects within a Control and attempt to discern if both item
For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights
If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• No relationship: This will be represented by a blank cell.
The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m
The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. C
the relationship will often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.
If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
CIS Controls Navigator
Remember to download the CIS Controls Version 8 Guide where you can learn more about:
A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/
Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
CIS Security
CIS Safeguard Asset Type
Control Function
1
2
2 2.1 Applications Identify
3
3 3.1 Data Identify
10
12
13
15
16
17
18
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including p
mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected t
infrastructure physically, virtually, remotely, and those within cloud environments, to accurately kn
totality of assets that need to be monitored and protected within the enterprise. This will also suppo
identifying unauthorized and unmanaged assets to remove or remediate.
Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose
Uninstall or Disable
Unnecessary Services on
Enterprise Assets and Software
Separate Enterprise
Workspaces on Mobile End-
User Devices
Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, inclu
administrator accounts, as well as service accounts, to enterprise assets and software.
Centralize Account
Management
Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
administrator, and service accounts for enterprise assets and software.
Establish an Access Granting
Process
Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Remediate Detected
Vulnerabilities
Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover
attack.
Improve protections and detections of threats from email and web vectors, as these are opportunit
attackers to manipulate human behavior through direct engagement.
Restrict Unnecessary or
Unauthorized Browser and
Email Client Extensions
Implement DMARC
Block Unnecessary File Types
Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts
enterprise assets.
Enable Anti-Exploitation
Features
Network Infrastructure
Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
attackers from exploiting vulnerable network services and access points.
Centralize Network
Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
Management and
Communication Protocols
Ensure Remote Devices Utilize
a VPN and are Connecting to
an Enterprise’s AAA
Infrastructure
Establish and Maintain
Dedicated Computing
Resources for All Administrative
Work
Network Monitoring and
Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and d
against security threats across the enterprise’s network infrastructure and user base.
Establish and maintain a security awareness program to influence behavior among the workforce t
conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
critical IT platforms or processes, to ensure these providers are protecting those platforms and dat
appropriately.
Securely Decommission
Service Providers
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, dete
remediate security weaknesses before they can impact the enterprise.
Conduct Application
Penetration Testing
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, p
defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Designate Personnel to
Manage Incident Handling
Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weakn
controls (people, processes, and technology), and simulating the objectives and actions of an attac
entory, track, and correct) all enterprise assets (end-user devices, including portable and
ces; non-computing/Internet of Things (IoT) devices; and servers) connected to the
ally, virtually, remotely, and those within cloud environments, to accurately know the
need to be monitored and protected within the enterprise. This will also support
zed and unmanaged assets to remove or remediate.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and those
within cloud environments. Additionally, it includes assets that are regularly connected
to the enterprise’s network infrastructure, even if they are not under control of the
enterprise. Review and update the inventory of all enterprise assets bi-annually, or
more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from
connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management
tools to update the enterprise’s asset inventory. Review and use logs to update the
enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network.
Review and use scans to update the enterprise’s asset inventory at least weekly, or
more frequently.
l of Software Assets
entory, track, and correct) all software (operating systems and applications) on the
authorized software is installed and can execute, and that unauthorized and unmanaged
d prevented from installation or execution.
Utilize software inventory tools, when possible, throughout the enterprise to automate
the discovery and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.
Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
nd technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory
annually, at a minimum, with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.
Retain data according to the enterprise’s data management process. Data retention
must include both minimum and maximum timelines.
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and
update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.
Log sensitive data access, including modification and disposal.
of Enterprise Assets and Software
in the secure configuration of enterprise assets (end-user devices, including portable and
ces; non-computing/IoT devices; and servers) and software (operating systems and
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer
supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal
applications and data.
ools to assign and manage authorization to credentials for user accounts, including
ts, as well as service accounts, to enterprise assets and software.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule at
a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes,
at a minimum, an 8-character password for accounts using MFA and a 14-character
password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.
ools to create, assign, manage, and revoke access credentials and privileges for user,
rvice accounts for enterprise assets and software.
Establish and follow a process, preferably automated, for granting access to enterprise
assets upon new hire, rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA,
where supported. Enforcing MFA through a directory service or SSO provider is a
satisfactory implementation of this Safeguard.
Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.
Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
ility Management
ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
er to remediate, and minimize, the window of opportunity for attackers. Monitor public and
ces for new threat and vulnerability information.
and retain audit logs of events that could help detect, understand, or recover from an
Establish and maintain an audit log management process that defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the
enterprise’s audit log management process.
Standardize time synchronization. Configure at least two synchronized time sources
across enterprise assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit
logs from PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise
assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include
collecting authentication and authorization events, data creation and disposal events,
and user management events.
ser Protections
and detections of threats from email and web vectors, as these are opportunities for
ate human behavior through direct engagement.
Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through
the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious
domains.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example implementations
include category-based filtering, reputation-based filtering, or through the use of block
lists. Enforce filters for all enterprise assets.
To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Configure automatic updates for anti-malware signature files on all enterprise assets.
Establish and maintain a data recovery process. In the process, address the scope of
data recovery activities, recovery prioritization, and the security of backup data. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or
more frequently, based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference
encryption or data separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example
implementations include, version controlling backup destinations through offline, cloud,
or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope
enterprise assets.
, and actively manage (track, report, correct) network devices, in order to prevent
ting vulnerable network services and access points.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).
Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where
appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System
(NIDS) or equivalent cloud service provider (CSP) service.
Train workforce to understand how to verify and report out-of-date software patches or
any failures in automated processes and tools. Part of this training should include
notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over,
insecure networks for enterprise activities. If the enterprise has remote workers,
training must include guidance to ensure that all users securely configure their home
network infrastructure.
evaluate service providers who hold sensitive data, or are responsible for an enterprise’s
r processes, to ensure these providers are protecting those platforms and data
Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
for each service provider. Review and update the inventory annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Assess service providers consistent with the enterprise’s service provider management
policy. Assessment scope may vary based on classification(s), and may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
questionnaires, or other appropriately rigorous processes. Reassess service providers
annually, at a minimum, or with new and renewed contracts.
ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and
eaknesses before they can impact the enterprise.
Use up-to-date and trusted third-party software components. When possible, choose
established and proven frameworks and libraries that provide adequate
security. Acquire these components from trusted sources or evaluate the software for
vulnerabilities before use.
Establish and maintain a severity rating system and process for application
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe bugs
are fixed first. Review and update the system and process annually.
Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities. Training can include
general security principles and application security standard practices. Conduct
training at least annually and design in a way to promote security within the
development team, and build a culture of security among the developers.
Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.
Conduct application penetration testing. For critical applications, authenticated
penetration testing is better suited to finding business logic vulnerabilities than code
scanning and automated security testing. Penetration testing relies on the skill of the
tester to manually manipulate an application as an authenticated and unauthenticated
user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing
application security design flaws within a design, before code is created. It is
conducted through specially trained individuals who evaluate the application design
and gauge security risks for each entry point and access level. The goal is to map out
the application, architecture, and infrastructure in a structured way to understand its
weaknesses.
anagement
to develop and maintain an incident response capability (e.g., policies, plans, procedures,
g, and communications) to prepare, detect, and quickly respond to an attack.
Designate one key person, and at least one backup, who will manage the enterprise’s
incident handling process. Management personnel are responsible for the coordination
and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using
a third-party vendor, designate at least one person internal to the enterprise to oversee
any third-party work. Review annually, or when significant enterprise changes occur
that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts, as applicable. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate
and report during a security incident. Mechanisms can include phone calls, emails, or
letters. Keep in mind that certain mechanisms, such as emails, can be affected during
a security incident. Review annually, or when significant enterprise changes occur that
could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel
involved in the incident response process to prepare for responding to real-world
incidents. Exercises need to test communication channels, decision making, and
workflows. Conduct testing on an annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence
through identifying lessons learned and follow-up action.
Establish and maintain security incident thresholds, including, at a minimum,
differentiating between an incident and an event. Examples can include: abnormal
activity, security vulnerability, security weakness, data breach, privacy incident, etc.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
X X X Subset BAI09
X X X
X X Subset BAI09
X X
X
X X X Subset BAI09
X X X
X X X
X X Subset BAI09
X X
X X
X
Subset APO14
X X X
Subset DSS06
X X X Subset APO14
X X X Subset DSS05
X X X Subset DSS06
X X X Subset APO14
X X X
X X Subset APO14
X X Subset DSS06
X X Subset DSS06
X X Subset DSS05
X X Subset DSS05
X X Subset DSS06
X X
X
Subset APO13
Subset BAI06
X X X
Subset BAI10
X X X Subset BAI10
X X X
X X X Subset APO13
X X X
X X X Subset BAI09
X X X
X X
X X
X X
X X
X X X
X X X
X X X
X X X
X X
X X
X X X
X X X
X X X
X X X
X X X
X X
X X
X X X Subset DSS05
Subset EDM03
X X X
Subset APO12
X X X
X X X
X X Subset DSS05
X X Subset DSS05
X X
X X X
X X X Subset DSS03
X X X
X X
X X
X X
X X
X X
X X
X X
X X
X X X Subset APO10
X X X Subset DSS05
X X
X X
X X
X X Subset DSS05
X Subset DSS05
Subset APO13
X X X
Subset DSS05
X X X Subset DSS05
X X X
X X
X X
X X Subset DSS05
X X
X X X Subset APO14
X X X
X X X
X X X
X X
X X X
Subset APO01
X X
Subset APO03
X X Subset APO01
X X Subset APO03
X X Subset APO13
X X
X X
X X
X X
X X
X X
X X
X X
X X
X Subset DSS05
X X X Subset BAI08
X X X Subset DSS05
X X X
X X X
X X X Subset DSS06
X X X
X X X
X X X
X X Subset APO01
X X X
Subset APO09
X X
X X
Subset APO10
X X Subset EDM03
X X Subset APO09
X X Subset DSS06
X Subset APO10
Subset APO09
X
X
Subset APO10
Subset BAI01
X X
Subset BAI11
X X Subset DSS03
X X Subset DSS03
X X Subset EDM03
X X
Subset EDM03
X X
Subset APO12
X X
X X
X X
X X
X X
X Subset EDM03
X X X Subset APO13
X X X
X X X
X X Subset DSS04
X X
X X
X X
X X
X X
X X Subset DSS05
X X
X
Management Objective
Managed Assets
Managed Assets
Managed Assets
Managed Assets
Managed Data
Managed Data
Managed Data
Managed Data
Managed Business Process Controls
Managed IT Changes
Managed Configuration
Managed Configuration
Managed Security
Managed Assets
Managed Security Services
Ensured Risk Optimization
Managed Risk
Managed Problems
Managed Vendors
Managed Security
Managed Security
Managed Security Services
Managed Knowledge
Managed Vendors
Managed Programs
Managed Projects
Managed Problems
Managed Problems
Ensured Risk Optimization
Managed Risk
Ensured Risk Optimization
Managed Security
Managed Continuity
Provide a holistic view of the current business and I&T environment, the future direction, and the initiatives required
desired level of digitization is integral to the future direction and the I&T strategy. Assess the organization’s current d
the business, rethink internal operations as well as customer-facing activities. Ensure focus on the transformation jo
building blocks, governance components and the organization’s ecosystem, including externally provided services a
response to strategic objectives.
Maintain an awareness of I&T and related service trends and monitor emerging technology trends. Proactively ident
innovation in relation to business needs and the defined I&T strategy. Analyze what opportunities for business innov
services or I&T-enabled business innovation; through existing established technologies; and by business and IT pro
architecture decisions.
Execute the strategic direction set for investments in line with the enterprise architecture vision and I&T road map. C
and funding constraints. Evaluate, prioritize and balance programs and services, managing demand within resource
objectives, enterprise worth and risk. Move selected programs into
the active products or services portfolio for execution. Monitor the performance of the overall portfolio of products an
response to program, product or service performance or changing enterprise priorities.
Manage the I&T-related financial activities in both the business and IT functions, covering budget, cost and benefit m
formal budgeting practices and a fair and equitable system of allocating costs to the enterprise. Consult stakeholder
context of the I&T strategic and tactical plans. Initiate corrective action where needed.
Provide a structured approach to ensure optimal recruitment/acquisition, planning, evaluation and development of hu
Manage relationships with business stakeholders in a formalized and transparent way that ensures mutual trust and
constraints of budgets and risk tolerance. Base relationships on open and transparent communication, a common la
for key decisions on both sides. Business and IT must work together to create successful enterprise outcomes in su
Define and communicate quality requirements in all processes, procedures and related enterprise outcomes. Enable
and standards in continuous improvement and efficiency efforts.
Identify solutions and analyze requirements before acquisition or creation to ensure that they align with enterprise st
information/data, infrastructure and services. Coordinate the review of feasible options with affected stakeholders, in
requirements and proposed solutions.
Establish and maintain identified products and services (technology, business processes and workflows) in line with
procurement/sourcing and partnering with vendors. Manage configuration, test preparation, testing, requirements ma
information/data, infrastructure and services.
Balance current and future needs for availability, performance and capacity with cost-effective service provision. Inc
needs based on business requirements, analysis of business impacts, and assessment of risk to plan and implemen
Maximize the likelihood of successfully implementing sustainable enterprisewide organizational change quickly and
all affected stakeholders in the business and IT.
Formally accept and make operational new solutions. Include implementation planning, system and data conversion
promotion to production of new or changed business processes and I&T services, early production support, and a po
Coordinate and execute the activities and operational procedures required to deliver internal and outsourced I&T ser
procedures and the required monitoring activities.
Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal servic
diagnose, escalate and resolve incidents.
Collect, validate and evaluate enterprise and alignment goals and metrics. Monitor that processes and practices are
and metrics. Provide reporting that is systematic and timely.
Continuously monitor and evaluate the control environment, including self-assessments and self-awareness. Enable
and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and proc
Evaluate that I&T processes and I&T-supported business processes are compliant with laws, regulations and contra
been identified and complied with; integrate IT compliance with overall enterprise compliance.
Plan, scope and execute assurance initiatives to comply with internal requirements, laws, regulations and strategic o
sustainable assurance in the enterprise by performing independent assurance reviews and activities.
The following CIS Control Safeguards are NOT mapped to COBIT 19
1.2
1.4
1.5
2.2
2.3
2.5
2.6
2.7
3.6
3.12
3.13
3.14
4.3
4.5
4.7
4.8
4.9
4.10
4.11
4.12
5.1
5.2
5.3
5.4
5.5
5.6
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.8
7.3
7.4
7.7
8.1
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
9.3
9.4
9.5
10.3
10.4
10.5
10.7
11.2
11.3
11.4
11.5
12.1
12.5
12.6
12.7
12.8
13.1
13.2
13.3
13.4
13.5
13.6
13.8
13.9
13.10
13.11
14.3
14.4
14.6
14.7
14.8
15.1
15.7
16.5
16.7
16.8
16.9
16.10
16.11
16.12
16.13
17.2
17.3
17.5
17.6
17.7
17.8
17.9
18.1
18.3
18.4
18.5
The following CIS Control Safeguards are NOT mapped to COBIT 19
Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Implement DMARC
Disable Autorun and Autoplay for Removable Media
Configure Automatic Anti-Malware Scanning of Removable Media
Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
Establish and Maintain Dedicated Computing Resources for All Administrative Work
Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are
into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or mo
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as
specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annuall
frequently.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLoc
FileVault®, Linux® dm-crypt.
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterpr
intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data sto
or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update
sensitive data inventory.
Log sensitive data access, including modification and disposal.
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose op
the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that d
except those services and ports that are explicitly allowed.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured v
Example implementations can include: disabling default accounts or making them unusable.
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service
module, or service function.
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use en
controlled DNS servers and/or reputable externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on porta
devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and sma
more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and
Configuration Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as
devices, or when an individual no longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implemen
using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from p
applications and data.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user
administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates
department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or mor
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-characte
accounts using MFA and a 14-character password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computin
as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department own
and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring sch
minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights
change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling ac
immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting ac
necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MF
directory service or SSO provider is a satisfactory implementation of this Safeguard.
Require MFA for remote network access.
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on
a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those ho
a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Define and maintain role-based access control, through determining and documenting the access rights necessary f
within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise asse
all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
Perform operating system updates on enterprise assets through automated patch management on a monthly, or mo
basis.
Perform application updates on enterprise assets through automated patch management on a monthly, or more freq
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis,
remediation process.
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a m
the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually,
significant enterprise changes occur that could impact this Safeguard.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management p
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, usernam
source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™
administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct
weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include collecting authentication and auth
data creation and disposal events, and user management events.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious o
websites. Example implementations include category-based filtering, reputation-based filtering, or through the use o
Enforce filters for all enterprise assets.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, ex
add-on applications.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, st
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Disable autorun and autoplay auto-execute functionality for removable media.
Configure anti-malware software to automatically scan removable media.
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execu
(DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™
Use behavior-based anti-malware software.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the s
data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based o
Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling b
destinations through offline, cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release
and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more
verify software support.
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) En
greater).
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise
end-user devices.
Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative
requiring administrative access. The computing resources should be segmented from the enterprise's primary netwo
allowed internet access.
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementa
use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with secur
correlation alerts also satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations inc
Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Perform traffic filtering between network segments, where appropriate.
Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to ente
based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configur
and ensuring the operating system and applications are up-to-date.
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Ne
Prevention System (NIPS) or equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocol
certificates, and may incorporate user and/or device authentication.
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or ga
Tune security event alerting thresholds monthly, or more frequently.
Train workforce members on authentication best practices. Example topics include MFA, password composition, and
management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This al
training workforce members on clear screen and desk best practices, such as locking their screen when they step aw
enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets secur
Train workforce members to be able to recognize a potential incident and be able to report such an incident.
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated pro
tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterpr
the enterprise has remote workers, training must include guidance to ensure that all users securely configure their h
infrastructure.
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include
and designate an enterprise contact for each service provider. Review and update the inventory annually, or when s
enterprise changes occur that could impact this Safeguard.
Securely decommission service providers. Example considerations include user and service account deactivation, te
flows, and secure disposal of enterprise data within service provider systems.
Use up-to-date and trusted third-party software components. When possible, choose established and proven framew
libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software fo
before use.
Use standard, industry-recommended hardening configuration templates for application infrastructure components. T
underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) com
SaaS components. Do not allow in-house developed software to weaken configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code for their specific developmen
and responsibilities. Training can include general security principles and application security standard practices. Con
least annually and design in a way to promote security within the development team, and build a culture of security a
developers.
Apply secure design principles in application architectures. Secure design principles include the concept of least priv
enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user inpu
include ensuring that explicit error checking is performed and documented for all input, including for size, data type,
ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turnin
ports and services, removing unnecessary programs and files, and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as identity management, encryption
logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelih
implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, an
and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively r
encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are bein
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to
logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the t
manipulate an application as an authenticated and unauthenticated user.
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may in
staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information S
Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-d
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes rep
personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is
to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safegua
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilitie
relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant e
changes occur that could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and report during a security incid
can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected d
incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident respo
prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, an
Conduct testing on an annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons le
up action.
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and
Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterpr
testing program characteristics include scope, such as network, web application, Application Programming Interface
services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types
information; remediation, such as how findings will be routed internally; and retrospective requirements.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to dete
techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may b
opaque box.