opexxx

CIS_Controls_v.8

Jun 5th, 2021 (edited)
#01. Inventory and Control of Enterprise Assets

1.1 Establish and Maintain Detailed Enterprise Asset Inventory
1.2 Address Unauthorized Assets
1.3 Utilize an Active Discovery Tool
1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
1.5 Use a Passive Asset Discovery Tool

#02. Inventory and Control of Software Assets

2.1 Establish and Maintain a Software Inventory
2.2 Ensure Authorized Software is Currently Supported
2.3 Address Unauthorized Software
2.4 Utilize Automated Software Inventory Tools
2.5 Allowlist Authorized Software
2.6 Allowlist Authorized Libraries
2.7 Allowlist Authorized Scripts

#03. Data Protection

3.1 Establish and Maintain a Data Management Process
3.2 Establish and Maintain a Data Inventory
3.3 Configure Data Access Control Lists
3.4 Enforce Data Retention
3.5 Securely Dispose of Data
3.6 Encrypt Data on End-User Devices
3.7 Establish and Maintain a Data Classification Scheme
3.8 Document Data Flows
3.9 Encrypt Data on Removable Media
3.10 Encrypt Sensitive Data in Transit
3.11 Encrypt Sensitive Data at Rest
3.12 Segment Data Processing and Storage Based on Sensitivity
3.13 Deploy a Data Loss Prevention Solution
3.14 Log Sensitive Data Access

#04. Secure Configuration of Enterprise Assets and Software

4.1 Establish and Maintain a Secure Configuration Process
4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
4.3 Configure Automatic Session Locking on Enterprise Assets
4.4 Implement and Manage a Firewall on Servers
4.5 Implement and Manage a Firewall on End-User Devices
4.6 Securely Manage Enterprise Assets and Software
4.7 Manage Default Accounts on Enterprise Assets and Software
4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
4.9 Configure Trusted DNS Servers on Enterprise Assets
4.10 Enforce Automatic Device Lockout on Portable End-User Devices
4.11 Enforce Remote Wipe Capability on Portable End-User Devices
4.12 Separate Enterprise Workspaces on Mobile End-User Devices

#05. Account Management

5.1 Establish and Maintain an Inventory of Accounts
5.2 Use Unique Passwords
5.3 Disable Dormant Accounts
5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
5.5 Establish and Maintain an Inventory of Service Accounts
5.6 Centralize Account Management

#06. Access Control Management

6.1 Establish an Access Granting Process
6.2 Establish an Access Revoking Process
6.3 Require MFA for Externally-Exposed Applications
6.4 Require MFA for Remote Network Access
6.5 Require MFA for Administrative Access
6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems
6.7 Centralize Access Control
6.8 Define and Maintain Role-Based Access Control

#07. Continuous Vulnerability Management

7.1 Establish and Maintain a Vulnerability Management Process
7.2 Establish and Maintain a Remediation Process
7.3 Perform Automated Operating System Patch Management
7.4 Perform Automated Application Patch Management
7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
7.7 Remediate Detected Vulnerabilities

#08. Audit Log Management

8.1 Establish and Maintain an Audit Log Management Process
8.2 Collect Audit Logs
8.3 Ensure Adequate Audit Log Storage
8.4 Standardize Time Synchronization
8.5 Collect Detailed Audit Logs
8.6 Collect DNS Query Audit Logs
8.7 Collect URL Request Audit Logs
8.8 Collect Command-Line Audit Logs
8.9 Centralize Audit Logs
8.10 Retain Audit Logs
8.11 Conduct Audit Log Reviews
8.12 Collect Service Provider Logs

#09. Email and Web Browser Protections

9.1 Ensure Use of Only Fully Supported Browsers and Email Clients
9.2 Use DNS Filtering Services
9.3 Maintain and Enforce Network-Based URL Filters
9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
9.5 Implement DMARC
9.6 Block Unnecessary File Types
9.7 Deploy and Maintain Email Server Anti-Malware Protections

#10. Malware Defenses

10.1 Deploy and Maintain Anti-Malware Software
10.2 Configure Automatic Anti-Malware Signature Updates
10.3 Disable Autorun and Autoplay for Removable Media
10.4 Configure Automatic Anti-Malware Scanning of Removable Media
10.5 Enable Anti-Exploitation Features
10.6 Centrally Manage Anti-Malware Software
10.7 Use Behavior-Based Anti-Malware Software

#11. Data Recovery

11.1 Establish and Maintain a Data Recovery Process
11.2 Perform Automated Backups
11.3 Protect Recovery Data
11.4 Establish and Maintain an Isolated Instance of Recovery Data
11.5 Test Data Recovery

#12. Network Infrastructure Management

12.1 Ensure Network Infrastructure is Up-to-Date
12.2 Establish and Maintain a Secure Network Architecture
12.3 Securely Manage Network Infrastructure
12.4 Establish and Maintain Architecture Diagram(s)
12.5 Centralize Network Authentication, Authorization, and Auditing (AAA)
12.6 Use of Secure Network Management and Communication Protocols
12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work

#13. Network Monitoring and Defense

13.1 Centralize Security Event Alerting
13.2 Deploy a Host-Based Intrusion Detection Solution
13.3 Deploy a Network Intrusion Detection Solution
13.4 Perform Traffic Filtering Between Network Segments
13.5 Manage Access Control for Remote Assets
13.6 Collect Network Traffic Flow Logs
13.7 Deploy a Host-Based Intrusion Prevention Solution
13.8 Deploy a Network Intrusion Prevention Solution
13.9 Deploy Port-Level Access Control
13.10 Perform Application Layer Filtering
13.11 Tune Security Event Alerting Thresholds

#14. Security Awareness and Skills Training

14.1 Establish and Maintain a Security Awareness Program
14.2 Train Workforce Members to Recognize Social Engineering Attacks
14.3 Train Workforce Members on Authentication Best Practices
14.4 Train Workforce on Data Handling Best Practices
14.5 Train Workforce Members on Causes of Unintentional Data Exposure
14.6 Train Workforce Members on Recognizing and Reporting Security Incidents
14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
14.9 Conduct Role-Specific Security Awareness and Skills Training

#15. Service Provider Management

15.1 Establish and Maintain an Inventory of Service Providers
15.2 Establish and Maintain a Service Provider Management Policy
15.3 Classify Service Providers
15.4 Ensure Service Provider Contracts Include Security Requirements
15.5 Assess Service Providers
15.6 Monitor Service Providers
15.7 Securely Decommission Service Providers

#16. Application Software Security

16.1 Establish and Maintain a Secure Application Development Process
16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities
16.3 Perform Root Cause Analysis on Security Vulnerabilities
16.4 Establish and Manage an Inventory of Third-Party Software Components
16.5 Use Up-to-Date and Trusted Third-Party Software Components
16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
16.7 Use Standard Hardening Configuration Templates for Application Infrastructure
16.8 Separate Production and Non-Production Systems
16.9 Train Developers in Application Security Concepts and Secure Coding
16.10 Apply Secure Design Principles in Application Architectures
16.11 Leverage Vetted Modules or Services for Application Security Components
16.12 Implement Code-Level Security Checks
16.13 Conduct Application Penetration Testing
16.14 Conduct Threat Modeling

#17. Incident Response Management

17.1 Designate Personnel to Manage Incident Handling
17.2 Establish and Maintain Contact Information for Reporting Security Incidents
17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
17.4 Establish and Maintain an Incident Response Process
17.5 Assign Key Roles and Responsibilities
17.6 Define Mechanisms for Communicating During Incident Response
17.7 Conduct Routine Incident Response Exercises
17.8 Conduct Post-Incident Reviews
17.9 Establish and Maintain Security Incident Thresholds

#18. Penetration Testing

18.1 Establish and Maintain a Penetration Testing Program
18.2 Perform Periodic External Penetration Tests
18.3 Remediate Penetration Test Findings
18.4 Validate Security Measures
18.5 Perform Periodic Internal Penetration Tests