CIS 8 IG1 Controls

CIS Implementation Group 1 (IG1) consists of essential cybersecurity controls designed for small to medium-sized organizations with limited IT and security resources.

Controls:

Actively manage all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise.

  • Establish and Maintain a Detailed Enterprise Asset Inventory - 1.1

    Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise.

  • Address Unauthorized Assets - 1.2

    Implement a process to identify and manage assets that are not authorized.

Actively manage all enterprise software installed on enterprise assets to accurately know the totality of software that needs to be monitored and protected within the enterprise.

  • Establish and Maintain a Detailed Enterprise Software Inventory - 2.1

    Actively manage (inventory, track, and correct) all enterprise software installed on enterprise assets to accurately know the totality of software that needs to be monitored and protected.

  • Ensure Only Authorized and Managed Software is Installed - 2.2

    Only use software that is licensed and supported.

  • Address Unauthorized Software - 2.3

    Implement a process to identify and manage software that is not authorized.

Establish and maintain processes to identify, classify, securely handle, retain, and dispose of data.

  • Establish and Maintain a Data Management Process - 3.1

    Develop and document a data management process to identify, classify, handle, retain, and dispose of data.

  • Establish and Maintain a Data Inventory - 3.2

    Maintain an inventory of sensitive data.

  • Configure Data Access Control Lists - 3.3

    Configure access control lists based on the principle of least privilege.

  • Enforce Data Retention According to the Data Management Process - 3.4

    Retain data as long as required and securely dispose of it afterward.

  • Securely Dispose of Data - 3.5

    Use secure methods for data destruction.

  • Encrypt Sensitive Data at Rest - 3.6

    Encrypt sensitive data stored on enterprise assets.

  • Encrypt Sensitive Data in Transit - 3.7

    Encrypt sensitive data transmitted over networks.

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems, applications, and firmware).

  • Establish and Maintain Secure Configurations - 4.1

    Establish and maintain secure configuration standards for all enterprise assets and software.

  • Establish and Maintain Secure Configurations for Network Infrastructure Devices - 4.2

    Establish and maintain secure configuration standards for network devices.

  • Manage Default Accounts on Enterprise Assets and Software - 4.3

    Change default passwords and disable unnecessary default accounts.

  • Disable or Remove Unnecessary Software or Services - 4.4

    Remove or disable any software or services that are not required.

  • Configure Automatic Session Locking on Enterprise Assets - 4.5

    Configure automatic session locking after a period of inactivity.

  • Implement and Manage a Firewall - 4.6

    Deploy and maintain a firewall on the network perimeter.

Use processes and tools to assign and manage authorization to enterprise assets and resources.

  • Establish and Maintain an Inventory of Accounts - 5.1

    Maintain a list of all enterprise accounts.

  • Use Unique Passwords - 5.2

    Require unique passwords for all accounts.

  • Disable Inactive Accounts - 5.3

    Disable accounts that have been inactive for a defined period.

  • Restrict the Use of Administrative Privileges - 5.4

    Limit administrative privileges to only those who require them.

  • Establish and Maintain Group-Based Access Control - 5.5

    Use groups to manage access rights.

Use processes and tools to manage, grant, and revoke access to enterprise assets and resources.

  • Establish and Maintain an Access Granting Process - 6.1

    Define a process for granting access to enterprise assets and data.

  • Establish and Maintain an Access Revoking Process - 6.2

    Define a process for revoking access when it is no longer needed.

  • Require Multi-Factor Authentication for All Enterprise Accounts - 6.3

    Implement MFA for all accounts.

  • Require Multi-Factor Authentication for Externally Exposed Services - 6.4

    Implement MFA for all externally facing services.

  • Manage Service Accounts - 6.5

    Securely manage service accounts.

Develop a process to identify, report, and manage vulnerabilities.

  • Establish and Maintain a Vulnerability Management Process - 7.1

    Develop and maintain a process for identifying, assessing, and remediating vulnerabilities.

  • Perform Automated Vulnerability Scans - 7.2

    Conduct regular automated vulnerability scans.

  • Remediate Discovered Vulnerabilities - 7.3

    Address identified vulnerabilities in a timely manner.

  • Perform Automated Application Patch Management - 7.4

    Automate the patching of applications.

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from a security incident.

  • Establish and Maintain an Audit Log Management Process - 8.1

    Define a process for collecting, reviewing, and retaining audit logs.

  • Collect Audit Logs - 8.2

    Ensure that audit logs are collected from relevant systems.

  • Ensure Adequate Audit Log Storage - 8.3

    Retain audit logs for a sufficient period.

Minimize the attack surface and the interaction with dangerous websites and email.

  • Deploy Email Filtering and Anti-Phishing Mechanisms - 9.1

    Implement measures to filter malicious emails and prevent phishing attacks.

  • Implement Web Browser Protections - 9.2

    Use security features and extensions to protect web browsers.

Prevent or control the installation, spread, and execution of malicious software (malware) at multiple points in the enterprise.

  • Deploy and Maintain Anti-Malware Software - 10.1

    Install and maintain anti-malware software on all enterprise assets.

  • Configure Automatic Anti-Malware Signature Updates - 10.2

    Ensure that anti-malware signatures are updated automatically.

  • Disable Autorun and Autoplay for Removable Media - 10.3

    Prevent automatic execution of programs from removable media.

Establish and maintain a process to perform data recovery in order to restore systems and data in a timely manner after an event.

  • Establish and Maintain a Data Recovery Process - 11.1

    Develop and maintain a plan for recovering data in case of loss.

  • Perform Automated Backups - 11.2

    Implement automated backups of critical data.

  • Protect Recovery Data - 11.3

    Securely store backup data.

  • Establish and Maintain Isolated Recovery Capabilities - 11.4

    Ensure that recovery capabilities are isolated from the primary environment.

Establish and maintain network infrastructure devices.

  • Maintain Network Infrastructure Devices - 12.1

    Keep network devices updated and securely configured.

Implement a security awareness and training program to inform workforce members about threats and required behaviors.

  • Establish and Maintain a Security Awareness Program - 14.1

    Implement a program to educate users about security threats and best practices.

  • Train Workforce Members to Recognize Social Engineering Attacks - 14.2

    Provide training on identifying and avoiding social engineering tactics.

  • Train Workforce Members on Authentication Best Practices - 14.3

    Educate users on creating strong passwords and using MFA.

  • Train Workforce Members on Data Handling Best Practices - 14.4

    Instruct users on how to handle sensitive data securely.

Develop a process to manage service providers.

  • Develop and Maintain an Inventory of Service Providers - 15.1

    Maintain a list of all third-party service providers.

Establish and maintain an incident response plan to prepare for, detect, contain, eradicate, and recover from incidents.

  • Designate Personnel to Manage Incident Handling - 17.1

    Identify individuals responsible for managing security incidents.

  • Establish and Maintain Contact Information for Reporting Security Incidents - 17.2

    Provide clear instructions and contact information for reporting incidents.

  • Establish and Maintain an Enterprise Process for Reporting Incidents - 17.3

    Define a process for reporting and escalating security incidents.