
CIS 8 IG2 Controls

IG2 (Intermediate Cyber Hygiene): Builds on IG1. It is intended for enterprises that run IT infrastructure across multiple departments with differing risk profiles and that typically have staff dedicated to managing and protecting that infrastructure. It includes every IG1 safeguard plus the additional IG2 safeguards listed below, which add the tooling, monitoring, and process depth that a larger attack surface requires.

Controls:

Inventory and Control of Enterprise Assets - Control 1

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. Knowing the full set of assets is also what makes unauthorized and unmanaged assets visible so they can be removed or remediated.

  • Establish and Maintain a Detailed Enterprise Asset Inventory - 1.1

    Establish, document, and maintain an accurate inventory of every enterprise asset that can store or process data, recording at least its network address, hardware address, machine name, owner, department, and whether it is approved to connect to the network. Review and update the inventory at least twice a year; the control description above lists the asset categories it must cover.

  • Address Unauthorized Assets - 1.2

    Implement a process, run at least weekly, to identify assets that are not in the inventory and decide what to do with each one: remove it from the network, deny it remote connectivity, or quarantine it until it is authorized.

  • Manage Enterprise Assets Remotely - 1.3

    Establish and maintain a secure method for remotely accessing and managing enterprise assets.

Inventory and Control of Software Assets - Control 2

Actively manage (inventory, track, and correct) all software (operating systems and applications) installed on enterprise assets to accurately know the totality of software that needs to be monitored and protected within the enterprise, so that only authorized software is installed and can execute, and unauthorized or unmanaged software is found and blocked.

  • Establish and Maintain a Detailed Enterprise Software Inventory - 2.1

    Actively manage (inventory, track, and correct) all enterprise software installed on enterprise assets to accurately know the totality of software that needs to be monitored and protected.

  • Ensure Only Authorized and Managed Software is Installed - 2.2

    Only install software that is authorized, licensed, and still supported by its vendor. Where unsupported software must remain in use, document the exception and its compensating controls, and review it regularly.

  • Address Unauthorized Software - 2.3

    Implement a process to identify and manage software that is not authorized.

  • Automate Software Inventory Collection - 2.4

    Utilize automated tools to collect and maintain the software inventory.

  • Integrate Software Inventory Tools with Asset Inventory Tools - 2.5

    Integrate software inventory data with the broader enterprise asset inventory.

  • Monitor Software Licenses - 2.6

    Track and manage software licenses to ensure compliance.

Data Protection - Control 3

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

  • Establish and Maintain a Data Management Process - 3.1

    Develop and document a data management process to identify, classify, handle, retain, and dispose of data.

  • Establish and Maintain a Data Inventory - 3.2

    Maintain an inventory of the enterprise's data, covering sensitive data at a minimum, that records where each data set is stored and who owns it. Review and update the inventory at least annually.

  • Configure Data Access Control Lists - 3.3

    Configure access control lists on local and remote file systems, databases, and applications so that each user and service can reach only the data its role requires.

  • Enforce Data Retention According to the Data Management Process - 3.4

    Retain data as long as required and securely dispose of it afterward.

  • Securely Dispose of Data - 3.5

    Destroy data by a method matched to its sensitivity, such as cryptographic erasure, verified overwriting, or physical destruction of the media.

  • Encrypt Sensitive Data at Rest - 3.6

    Encrypt sensitive data stored on enterprise assets, including full-disk encryption on end-user devices and encryption of any removable media that carries it.

  • Encrypt Sensitive Data in Transit - 3.7

    Encrypt sensitive data transmitted over networks using current, well-supported protocols such as TLS or SSH, with the receiving endpoint's identity verified; a client that accepts any certificate stops passive eavesdropping but not active interception.

  • Prevent Data Loss - 3.8

    Implement data loss prevention controls that detect and block sensitive data moving outside approved locations, such as to unmanaged cloud storage, personal email, or removable media.

  • Monitor and Alert on Data Access - 3.9

    Implement monitoring and alerting for access to sensitive data.

  • Restrict Data Access to Removable Media - 3.10

    Implement controls to restrict the copying or transfer of sensitive data to removable media.
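Safeguards 3.6 and 3.7 above say what to encrypt; the part teams most often get wrong in practice is that encryption in transit is only as strong as the peer authentication behind it. The Python below is an added example, not content from this page or from the CIS Controls: it builds a hardened TLS client context, shows the weak pattern found in many internal tools, and includes an audit function that reports which baseline settings a given context violates. The baseline it checks is the author's, not a CIS benchmark.

```python
"""Safeguard 3.7 in practice: a TLS client context that actually authenticates the peer,
the weak pattern it replaces, and an audit that reports baseline violations.
Added example; the baseline checks are the author's, not a CIS benchmark."""
import ssl
from typing import List, Optional


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses unverified peers and legacy protocol versions."""
    # create_default_context() already sets CERT_REQUIRED and check_hostname=True;
    # the explicit assignments below state the intent and survive future default changes.
    ctx = ssl.create_default_context(cafile=ca_bundle)  # None -> system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # TLS 1.0/1.1 are deprecated by RFC 8996
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION                # TLS compression enables CRIME-style attacks
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The pattern that quietly defeats 'encrypt in transit': encryption without authentication.
    A client configured like this completes a handshake with any on-path attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate, self-signed or forged
    # Note: on Python 3.10+ a fresh context already refuses TLS < 1.2, so only the
    # verification findings fire for this context; on older releases a third finding appears.
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a context; an empty list means it meets the baseline."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against the certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (minimum_version below TLSv1_2)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled (OP_NO_COMPRESSION unset)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(f"{name}: {audit_context(ctx) or ['meets baseline']}")
```

The hardened context is what you pass to `urllib.request.urlopen(url, context=ctx)` or `http.client.HTTPSConnection(host, context=ctx)`; the audit function is the kind of check worth running in a code review hook over every `SSLContext` a code base constructs, since `verify_mode = CERT_NONE` is almost always a leftover from a test environment.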

Secure Configuration of Enterprise Assets and Software - Control 4

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems, applications, and firmware).

  • Establish and Maintain Secure Configurations - 4.1

    Establish and maintain secure configuration standards for all enterprise assets and software.

  • Establish and Maintain Secure Configurations for Network Infrastructure Devices - 4.2

    Establish and maintain secure configuration standards for network devices.

  • Manage Default Accounts on Enterprise Assets and Software - 4.3

    Change default passwords and disable unnecessary default accounts.

  • Disable or Remove Unnecessary Software or Services - 4.4

    Remove or disable any software or services that are not required.

  • Configure Automatic Session Locking on Enterprise Assets - 4.5

    Configure automatic session locking after a defined period of inactivity; CIS v8 sets the upper bound at 15 minutes for general-purpose operating systems and 2 minutes for mobile end-user devices.

  • Implement and Manage a Firewall - 4.6

    Deploy and maintain a firewall at the network perimeter and, just as importantly, a host-based firewall or port-filtering tool on servers and end-user devices, with a default-deny rule so that only explicitly allowed services and ports are reachable.

  • Harden Standard Builds for Enterprise Assets - 4.7

    Develop and deploy hardened standard builds for all types of enterprise assets.

  • Securely Manage Network Devices - 4.8

    Implement strong authentication and access controls for network device management interfaces.

  • Securely Manage Cloud Infrastructure - 4.9

    Establish and maintain secure configurations for cloud infrastructure services.

Account Management - Control 5

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts and service accounts, on enterprise assets and software.

  • Establish and Maintain an Inventory of Accounts - 5.1

    Maintain an inventory of all user, administrator, and service accounts that records at least the person's name, username, start and stop dates, and department. Review it at least quarterly and confirm that every active account is still authorized.

  • Use Unique Passwords - 5.2

    Require unique passwords for all accounts.

  • Disable Inactive Accounts - 5.3

    Disable accounts that have been inactive for a defined period; CIS v8 uses 45 days. Service accounts need the same treatment, which is only possible if the inventory records when each was last used.

  • Restrict the Use of Administrative Privileges - 5.4

    Limit administrative privileges to only those who require them.

  • Establish and Maintain Group-Based Access Control - 5.5

    Use groups to manage access rights.

  • Enforce Password Complexity and Length Requirements - 5.6

    Mandate a minimum password length and reject weak choices. CIS v8 sets the minimum at 8 characters for accounts protected by MFA and 14 characters for accounts that are not.

  • Enforce Account Lockout - 5.7

    Implement account lockout mechanisms after a specified number of failed login attempts.

  • Manage Service Account Credentials Securely - 5.8

    Ensure that service accounts have strong, unique credentials that are managed securely.

  • Manage Privileged Accounts - 5.9

    Establish specific controls and monitoring for privileged accounts.

  • Utilize Dedicated Administrator Accounts - 5.10

    Require the use of separate accounts for administrative tasks.
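Safeguards 5.3 and 5.7 are the two in this control that can be verified mechanically from data an enterprise already has: the account inventory from 5.1 and the authentication log. The Python below is an added example, not part of this page or of the CIS Controls; the account inventory, the evaluation time, and the sshd-like log lines are constructed for illustration. It reports dormant accounts against the 45-day figure and applies a sliding-window lockout rule, also returning any successful login that happened after the threshold was reached, which is the case a responder most wants to see.

```python
"""Safeguards 5.3 and 5.7 as runnable checks over constructed inventory and log data.
Added example; the log format and the data are made up for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed account inventory (safeguard 5.1): account -> last successful login, UTC.
# None means no interactive login was ever recorded, typical for a service account.
ACCOUNTS: Dict[str, Optional[datetime]] = {
    "alice": datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc),
    "bob": datetime(2024, 2, 10, 17, 30, tzinfo=timezone.utc),
    "carol": datetime(2024, 4, 20, 12, 0, tzinfo=timezone.utc),
    "svc-backup": None,
}
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)  # evaluation time for the sample

# Constructed auth log excerpt in an sshd-like format of our own.
AUTH_LOG = """\
2024-05-01T09:00:01Z sshd: Failed password for bob from 203.0.113.7
2024-05-01T09:00:03Z sshd: Failed password for bob from 203.0.113.7
2024-05-01T09:00:05Z sshd: Failed password for bob from 203.0.113.7
2024-05-01T09:00:07Z sshd: Failed password for bob from 203.0.113.7
2024-05-01T09:00:09Z sshd: Failed password for bob from 203.0.113.7
2024-05-01T09:00:11Z sshd: Accepted password for bob from 203.0.113.7
2024-05-01T09:05:00Z sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:30:00Z sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:31:00Z sshd: Accepted publickey for alice from 10.0.0.5
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)$"
)


def dormant_accounts(inventory=ACCOUNTS, now=NOW, max_idle_days=45) -> List[str]:
    """Safeguard 5.3: accounts with no successful login in max_idle_days.
    45 days is the CIS v8 figure; never-used accounts are reported as well."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(user for user, last in inventory.items() if last is None or last < cutoff)


def lockout_events(log_text=AUTH_LOG, threshold=5,
                   window=timedelta(minutes=15)) -> Tuple[Dict[str, str], List[str]]:
    """Safeguard 5.7: lock an account once `threshold` failures fall inside a sliding `window`.
    Returns ({user: ISO time the threshold was hit}, [successful logins after that time]);
    a non-empty second list means the lockout should have fired before the attacker got in."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked: Dict[str, str] = {}
    logins_after_lock: List[str] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count and alert on unparsed lines rather than skipping them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        user = m["user"]
        if m["result"] == "Accepted":
            if user in locked:
                logins_after_lock.append(f"{user}@{ts.isoformat()}")
            else:
                failures[user].clear()  # a successful login resets the failure counter
            continue
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:  # drop failures older than the window
            recent.popleft()
        if len(recent) >= threshold and user not in locked:
            locked[user] = ts.isoformat()
    return locked, logins_after_lock


if __name__ == "__main__":
    print("dormant:", dormant_accounts())
    locked, late = lockout_events()
    print("locked:", locked, "logins after lock:", late)
```

In the sample, bob is both dormant by inventory and brute-forced in the log, and the successful login two seconds after the fifth failure is exactly the event a real lockout (enforced in the authentication system, not in a log reader) would have prevented. The log-reading version is still useful as a detection that the enforcement is actually in place.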

Access Control Management - Control 6

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

  • Establish and Maintain an Access Granting Process - 6.1

    Define a process for granting access to enterprise assets and data.

  • Establish and Maintain an Access Revoking Process - 6.2

    Define a process for revoking access when it is no longer needed.

  • Require Multi-Factor Authentication for All Enterprise Accounts - 6.3

    Implement MFA for all enterprise accounts, starting with administrative access, remote network access, and externally exposed applications, where the absence of a second factor does the most damage.

  • Require Multi-Factor Authentication for Externally Exposed Services - 6.4

    Implement MFA for all externally facing services.

  • Manage Service Accounts - 6.5

    Inventory service accounts, record each one's owner and purpose, and review them regularly; remove those no longer needed and make sure none is shared with interactive users.

  • Centrally Manage Access Control - 6.6

    Utilize a centralized system for managing access rights and permissions.

  • Implement Role-Based Access Control - 6.7

    Assign access rights based on roles and responsibilities.

  • Manage Access to Cloud Resources - 6.8

    Implement specific access controls for cloud-based resources and services.

Continuous Vulnerability Management - Control 7

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate them and minimize the window of opportunity for attackers.

  • Establish and Maintain a Vulnerability Management Process - 7.1

    Develop and maintain a process for identifying, assessing, and remediating vulnerabilities.

  • Perform Automated Vulnerability Scans - 7.2

    Conduct regular automated vulnerability scans, both authenticated and unauthenticated; CIS v8 expects internal assets to be scanned at least quarterly and externally exposed assets at least monthly.

  • Remediate Discovered Vulnerabilities - 7.3

    Remediate identified vulnerabilities within the timeframes that the vulnerability management process assigns to each severity, and track exceptions explicitly rather than letting findings age out unaddressed.

  • Perform Automated Application Patch Management - 7.4

    Automate the patching of applications.

  • Perform Vulnerability Scanning of Internally Developed Software - 7.5

    Integrate vulnerability scanning into the software development lifecycle for internally developed applications.

  • Perform Vulnerability Scanning of External Websites and Applications - 7.6

    Regularly scan externally facing websites and applications for vulnerabilities.

Audit Log Management - Control 8

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

  • Establish and Maintain an Audit Log Management Process - 8.1

    Define a process for collecting, reviewing, and retaining audit logs.

  • Collect Audit Logs - 8.2

    Ensure that audit logs are collected from relevant systems.

  • Ensure Adequate Audit Log Storage - 8.3

    Ensure that logging destinations have enough storage to hold logs for the full retention period without overwriting or dropping events when volume spikes.

  • Centralize Audit Logs - 8.4

    Consolidate audit logs from various systems into a central repository.

  • Analyze Audit Logs - 8.5

    Regularly review and analyze audit logs for anomalies and indicators of compromise; CIS v8 expects reviews at least weekly.

  • Retain Audit Logs - 8.6

    Ensure that audit logs are retained for the defined retention period; CIS v8 sets a minimum of 90 days unless regulation requires longer.

Email and Web Browser Protections - Control 9

Improve protections and detections of threats arriving by email and the web, since these are the channels attackers use to manipulate people directly.

  • Deploy Email Filtering and Anti-Phishing Mechanisms - 9.1

    Implement measures to filter malicious emails and prevent phishing attacks.

  • Implement Web Browser Protections - 9.2

    Keep browsers and email clients fully supported and up to date, and restrict unnecessary or unauthorized browser and email client extensions, plug-ins, and add-ons.

  • Implement and Enforce DNS Filtering Services - 9.3

    Utilize DNS filtering services to block access to malicious or inappropriate websites.

  • Implement and Enforce Sender Policy Framework (SPF) - 9.4

    Publish an SPF TXT record for each sending domain (and a deny-all record for domains that send no mail) listing the hosts authorized to send on its behalf, ending in -all so that mail from anywhere else fails the check.

  • Implement and Enforce DomainKeys Identified Mail (DKIM) - 9.5

    Sign outgoing mail with DKIM so that receivers can verify that the headers and body were not altered in transit and that the signing domain vouches for the message; publish the public key under the selector's _domainkey record and rotate keys periodically.

  • Implement and Enforce Domain-based Message Authentication, Reporting & Conformance (DMARC) - 9.6

    Publish a DMARC record at _dmarc.<domain> that tells receiving servers how to handle mail that fails both aligned SPF and aligned DKIM. Start with p=none to collect aggregate (rua) reports, then move to p=quarantine and finally p=reject once legitimate senders are aligned; a p=none record provides visibility but blocks nothing.

Malware Defenses - Control 10

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

  • Deploy and Maintain Anti-Malware Software - 10.1

    Install and maintain anti-malware software on all enterprise assets.

  • Configure Automatic Anti-Malware Signature Updates - 10.2

    Ensure that anti-malware signatures are updated automatically.

  • Disable Autorun and Autoplay for Removable Media - 10.3

    Prevent automatic execution of programs from removable media.

  • Implement Anti-Malware on Email Gateways - 10.4

    Deploy anti-malware solutions at email gateways to scan incoming and outgoing emails.

  • Implement Anti-Malware on Web Gateways - 10.5

    Deploy anti-malware solutions at web gateways to scan web traffic for malicious content.

Data Recovery - Control 11

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident, trusted state within the time the business needs.

  • Establish and Maintain a Data Recovery Process - 11.1

    Develop and maintain a plan for recovering data in case of loss.

  • Perform Automated Backups - 11.2

    Implement automated backups of critical data.

  • Protect Recovery Data - 11.3

    Protect recovery data with access controls at least as strict as those on the source data, and encrypt it in transit and at rest.

  • Establish and Maintain Isolated Recovery Capabilities - 11.4

    Keep at least one copy of recovery data isolated from the production environment, whether offline, off-site, or in a separately administered cloud account, so that a compromise of production credentials cannot also delete or encrypt the backups.

  • Regularly Test Data Recovery Capabilities - 11.5

    Conduct periodic testing of data recovery processes.

Network Infrastructure Management - Control 12

Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

  • Maintain Network Infrastructure Devices - 12.1

    Keep network devices updated and securely configured.

  • Segment the Network - 12.2

    Divide the network into logical segments to limit the impact of security incidents.

  • Implement and Maintain Network Access Control (NAC) - 12.3

    Control access to the network based on device and user identity.

  • Secure Wireless Access Points - 12.4

    Ensure that wireless access points are securely configured and protected.

  • Monitor Network Traffic - 12.5

    Implement monitoring of network traffic for suspicious activity.

Security Awareness and Skills Training - Control 14

Establish and maintain a security awareness program that influences workforce behavior toward being security conscious and properly skilled, so as to reduce cybersecurity risk to the enterprise.

  • Establish and Maintain a Security Awareness Program - 14.1

    Implement a program to educate users about security threats and best practices.

  • Train Workforce Members to Recognize Social Engineering Attacks - 14.2

    Provide training on identifying and avoiding social engineering tactics.

  • Train Workforce Members on Authentication Best Practices - 14.3

    Educate users on creating strong passwords and using MFA.

  • Train Workforce Members on Data Handling Best Practices - 14.4

    Instruct users on how to handle sensitive data securely.

  • Conduct Regular Security Awareness Training - 14.5

    Perform security awareness training on an ongoing basis.

  • Train Workforce Members on Incident Reporting - 14.6

    Educate users on how to identify and report security incidents.

Service Provider Management - Control 15

Develop a process to evaluate service providers that hold sensitive data or are responsible for critical IT platforms or processes, to ensure they protect those platforms and data appropriately.

  • Develop and Maintain an Inventory of Service Providers - 15.1

    Maintain a list of all third-party service providers.

  • Establish and Maintain Agreements with Service Providers - 15.2

    Ensure that security requirements are included in agreements with service providers.

  • Monitor Service Provider Security Practices - 15.3

    Regularly assess the security practices of service providers.

Incident Response Management - Control 17

Establish a program to develop and maintain an incident response capability (policies, plans, procedures, defined roles, training, and communications) to prepare for, detect, contain, eradicate, and recover from incidents.

  • Designate Personnel to Manage Incident Handling - 17.1

    Identify individuals responsible for managing security incidents.

  • Establish and Maintain Contact Information for Reporting Security Incidents - 17.2

    Provide clear instructions and contact information for reporting incidents.

  • Establish and Maintain an Enterprise Process for Reporting Incidents - 17.3

    Define a process for reporting and escalating security incidents.

  • Develop and Implement an Incident Response Plan - 17.4

    Create a comprehensive plan for responding to security incidents.

  • Establish and Maintain a Security Incident Response Team (SIRT) - 17.5

    Form a dedicated team responsible for handling security incidents.

  • Test the Incident Response Plan - 17.6

    Regularly test the incident response plan through simulations and exercises.