The CIS (Center for Internet Security) Critical Security Controls are a prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks.
This control focuses on establishing and maintaining an inventory of enterprise assets, including hardware, software, and data. It also emphasizes the need for effective control and management of these assets to ensure their security and integrity.
This sub control requires organizations to establish and maintain a detailed inventory of their enterprise assets. This includes all hardware devices, software applications, network infrastructure components, and other technology assets that are part of the organization's IT ecosystem. By maintaining an accurate and up-to-date asset inventory, organizations gain visibility into their technology landscape and can implement appropriate security controls.
The "Address Unauthorized Assets" sub control (1.2) involves establishing robust measures to detect, track, and address unauthorized assets within an organization's network environment. Unauthorized assets refer to any devices or software that have not been approved, documented, or managed in accordance with the organization's security policies and procedures.
The "Utilize an Active Discovery Tool" sub control (1.3) involves the deployment and utilization of an active discovery tool to scan and assess the network infrastructure continuously. This tool helps organizations identify and track assets, network devices, servers, applications, and their associated vulnerabilities. By actively scanning the network, the tool enables organizations to have an up-to-date inventory of their assets and identify any potential security gaps or vulnerabilities that may require immediate attention.
The "Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory" sub control (1.4) emphasizes the importance of incorporating DHCP logging as a valuable tool for maintaining an accurate and comprehensive enterprise asset inventory. DHCP logging allows organizations to track IP address allocations and dynamically update the asset inventory as devices join or leave the network.
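The following is an added example (not from the original page) of the mechanism described for sub controls 1.2 and 1.4: DHCP server log lines are applied to a MAC-keyed inventory, and any hardware address that obtained a lease but is absent from the approved list is reported as an unauthorized asset. It assumes the message format ISC dhcpd writes to syslog; the sample log lines and approved-MAC list are constructed.

```python
"""Update an asset inventory from DHCP lease logs (CIS 1.4) and flag leases
for hardware addresses not in the approved inventory (CIS 1.2).

Added example, not part of the original page. Assumes ISC dhcpd messages as
they appear in syslog; sample lines below are constructed for this example.
"""
import re
from dataclasses import dataclass

# ISC dhcpd message formats (hostname in parentheses is optional):
#   DHCPACK on <ip> to <mac> (<hostname>) via <iface>
#   DHCPRELEASE of <ip> from <mac> (<hostname>) via <iface>
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)")
RELEASE_RE = re.compile(
    r"DHCPRELEASE of (?P<ip>\d+\.\d+\.\d+\.\d+) from (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)")
# Syslog prefix "Mon DD HH:MM:SS <host> dhcpd[<pid>]: <message>".
# Note: classic syslog timestamps carry no year; a real pipeline should
# normalise them (or use RFC 5424 timestamps) before comparing dates.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: (?P<msg>.*)$")


@dataclass
class Asset:
    mac: str
    ip: str
    hostname: str
    first_seen: str
    last_seen: str
    active: bool = True  # False once the lease was released


def update_inventory(inventory: dict, log_lines) -> dict:
    """Apply DHCPACK / DHCPRELEASE events in order to the MAC-keyed inventory."""
    for line in log_lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a dhcpd line
        ts, msg = m.group("ts"), m.group("msg")
        ack = ACK_RE.search(msg)
        if ack:
            mac = ack.group("mac").lower()
            host = ack.group("host") or ""
            asset = inventory.get(mac)
            if asset is None:
                inventory[mac] = Asset(mac, ack.group("ip"), host, ts, ts)
            else:  # renewed lease, possibly with a new address or hostname
                asset.ip, asset.last_seen, asset.active = ack.group("ip"), ts, True
                if host:
                    asset.hostname = host
            continue
        rel = RELEASE_RE.search(msg)
        if rel:
            asset = inventory.get(rel.group("mac").lower())
            if asset is not None:
                asset.active, asset.last_seen = False, ts
    return inventory


def unauthorized_assets(inventory: dict, approved_macs) -> list:
    """Assets that obtained a lease but are absent from the approved inventory."""
    approved = {m.lower() for m in approved_macs}
    return sorted((a for a in inventory.values() if a.mac not in approved),
                  key=lambda a: a.mac)


# Constructed sample data: one approved laptop and one unknown device.
SAMPLE_LOG = [
    "Mar  4 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.15 to 00:11:22:33:44:55 (fin-laptop-07) via eth0",
    "Mar  4 09:12:30 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.16 to 3c:ab:8e:01:02:03 via eth0",
    "Mar  4 09:13:10 dhcp1 dhcpd[812]: DHCPREQUEST for 10.20.0.15 from 00:11:22:33:44:55 (fin-laptop-07) via eth0",
    "Mar  4 11:40:02 dhcp1 dhcpd[812]: DHCPRELEASE of 10.20.0.15 from 00:11:22:33:44:55 (fin-laptop-07) via eth0",
    "Mar  4 11:41:00 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.17 to 3c:ab:8e:01:02:03 (unknown-android) via eth0",
]
APPROVED_MACS = {"00:11:22:33:44:55"}  # constructed approved inventory

if __name__ == "__main__":
    inv = update_inventory({}, SAMPLE_LOG)
    for a in inv.values():
        print(f"{a.mac} {a.ip:<12} {a.hostname or '-':<16} active={a.active} "
              f"first={a.first_seen} last={a.last_seen}")
    for a in unauthorized_assets(inv, APPROVED_MACS):
        print(f"UNAUTHORIZED: {a.mac} last seen as {a.ip} ({a.hostname or 'no hostname'})")
```

In production the same logic runs against the DHCP server's live log stream and the approved list comes from the asset inventory of sub control 1.1.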
The "Use a Passive Asset Discovery Tool" sub control (1.5) focuses on adopting and implementing passive asset discovery tools as a proactive approach to asset management. These tools enable organizations to identify and track assets on their network without actively sending traffic or initiating probes. By monitoring network traffic passively, organizations can gain insights into the presence, characteristics, and vulnerabilities of their assets while minimizing the risk of disrupting critical systems or applications.
The "Establish and Maintain a Software Inventory" sub control (2.1) emphasizes the need for organizations to establish and maintain an accurate and up-to-date inventory of software applications deployed across their IT infrastructure. This sub control provides a foundation for effective software asset management, ensuring organizations have visibility into their software assets, including applications, versions, and licensing information.
The "Ensure Authorized Software is Currently Supported" sub control (2.2) emphasizes the importance of maintaining up-to-date and supported software applications within an organization's environment. It recognizes that using outdated or unsupported software exposes systems and networks to security vulnerabilities that can be exploited by malicious actors. This sub control promotes the implementation of practices that enable organizations to monitor, track, and enforce the use of authorized software that is actively supported by vendors.
The "Address Unauthorized Software" sub control (2.3) addresses the challenge of unauthorized software installations, which can introduce security vulnerabilities, compliance risks, and operational issues. It emphasizes the importance of implementing proactive measures to prevent unauthorized software from being installed and taking prompt actions to remediate any unauthorized software already present within the organization's environment.
Accurate and comprehensive software asset management is essential for organizations to maintain control over their software inventory, optimize licensing costs, and mitigate security risks. The "Utilize Automated Software Inventory Tools" sub control (2.4) emphasizes the utilization of automated software inventory tools to streamline and enhance the management of software assets.
The "Allowlist Authorized Software" sub control focuses on establishing and maintaining strict controls over the software that is permitted to run within an organization's infrastructure. It involves implementing measures to prevent the execution of unauthorized or unapproved software, including malware, viruses, or potentially harmful applications. By creating an allowlist of authorized software, organizations can significantly reduce the risk of security breaches and unauthorized access to sensitive information.
The "Allowlist Authorized Scripts" sub control (2.7) emphasizes the importance of controlling the execution of scripts within an organization's computing environment. By implementing this sub control, our organization strives to mitigate the risks associated with unauthorized or malicious scripts that can potentially compromise system security, disrupt operations, or lead to data breaches.
Data protection involves implementing measures to safeguard sensitive and confidential information. This control includes activities such as data classification, encryption, access controls, and regular backups to protect data from unauthorized access, loss, or theft.
Effective data management is essential for organizations to maintain the confidentiality, integrity, and availability of data assets. The "Establish and Maintain a Data Management Process" sub control (3.1) emphasizes the importance of implementing a structured framework that governs the lifecycle of data, from its creation to its disposal. It involves defining policies, procedures, and guidelines to facilitate proper data handling, ensuring data quality, security, and compliance.
The establishment and maintenance of a data inventory is essential for organizations to have a complete picture of their data landscape. It involves identifying and documenting all types of data assets, including personal, sensitive, and business-critical information, as well as their respective locations, custodians, and associated processing activities.
Effective data access control is vital for maintaining the confidentiality, integrity, and availability of sensitive data. The "Configure Data Access Control Lists" sub control (3.3) emphasizes the implementation of appropriate access control lists to restrict access to data based on predefined permissions and user roles. By configuring these lists, organizations can enforce least privilege principles and prevent unauthorized access to sensitive data.
The proper retention of data is essential for maintaining data integrity, supporting business operations, and meeting legal obligations. The "Enforce Data Retention" sub control (3.4) focuses on establishing and enforcing policies and procedures to ensure that data is retained for the necessary period and disposed of securely when no longer required.
The secure disposal of data is a critical aspect of maintaining data security and privacy. At our organization, we recognize the significance of properly disposing of data to protect sensitive information and meet regulatory requirements. The "Securely Dispose of Data" sub control (3.5) encompasses policies, procedures, and practices that ensure data is securely destroyed, thereby reducing the risk of unauthorized access or potential breaches.
Encrypting data on end-user devices involves converting information into a secure format that can only be accessed with the appropriate decryption key. Encryption provides an added layer of security, safeguarding sensitive data even if the device is lost or stolen. The purpose of this sub-control is to establish encryption measures that protect data stored on end-user devices and mitigate the risk of unauthorized access.
A data classification scheme is a framework that categorizes data based on its sensitivity, value, and risk level. It helps organizations identify and prioritize their data protection efforts. This sub-control emphasizes the importance of establishing a data classification scheme and implementing appropriate controls to protect data in accordance with its classification.
Documenting data flows involves mapping the movement of data within an organization, including its origin, destination, and the systems or processes it traverses. By documenting data flows, organizations can gain insights into data handling practices, identify potential vulnerabilities, and implement appropriate security controls. This sub-control aims to establish a systematic approach for documenting data flows within the organization.
Encrypting data on removable media involves converting information into a secure format that can only be accessed with the appropriate decryption key. This sub-control emphasizes the need to encrypt data stored on removable media devices, such as USB drives, external hard drives, and optical discs, to protect sensitive data from unauthorized disclosure or loss.
Encrypting sensitive data in transit involves transforming the data into a secure format that can only be deciphered by authorized recipients. Encryption ensures that even if intercepted, the data remains protected and unreadable. This sub-control aims to establish encryption mechanisms that safeguard sensitive data while it is being transmitted over networks or communication channels.
Encrypting sensitive data at rest involves transforming the data into an unreadable format that can only be accessed with the appropriate decryption key. Encryption provides an additional layer of protection, ensuring that even if unauthorized individuals gain access to the storage media or databases, the data remains secure and inaccessible. This sub-control emphasizes the importance of implementing encryption mechanisms to safeguard sensitive data when it is not actively being accessed or transmitted.
Segmenting data processing and storage based on sensitivity involves classifying data into different categories and applying specific controls to each category. By segmenting data, organizations can tailor security measures and access controls based on the sensitivity level, thereby minimizing the risk of unauthorized access or compromise. This sub-control aims to establish a structured approach to data segmentation, ensuring that sensitive information is adequately protected.
Deploying a Data Loss Prevention solution involves the implementation of appropriate technologies, processes, and policies to identify, monitor, and protect sensitive data across the organization's network. This sub control focuses on the key aspects of deploying an effective DLP solution to minimize the risk of data breaches and ensure the confidentiality, integrity, and availability of sensitive information.
The Log Sensitive Data Access (3.14) sub-control entails the systematic monitoring and logging of all activities involving sensitive data access. This includes any interaction with databases, file systems, cloud storage, or other data repositories where sensitive information resides. The sub-control emphasizes the need for capturing relevant details such as user identities, timestamps, accessed data elements, and the nature of the access (e.g., read, write, modify).
This control emphasizes the importance of configuring enterprise assets, including hardware and software, in a secure manner. It involves applying security best practices, such as disabling unnecessary services, implementing strong passwords, and keeping software up to date, to reduce vulnerabilities and enhance overall security.
Sub control 4.1 of the CIS V8 framework addresses the establishment and maintenance of a secure configuration process. This involves defining and implementing procedures to ensure that systems are configured securely from the initial setup and throughout their lifecycle. A secure configuration process includes activities such as hardening systems, managing user privileges, and regularly reviewing and updating configurations to align with security best practices.
The secure configuration process for network infrastructure involves implementing appropriate security controls and best practices to protect the network from potential threats. It includes activities such as configuring network devices, establishing access control mechanisms, and maintaining up-to-date firmware and software versions.
Automatic session locking serves as a fundamental security measure that mitigates the risk of unauthorized access to enterprise assets. By enforcing policies and configurations that enable automatic session locking, organizations significantly reduce the likelihood of unauthorized access to sensitive data and minimize the impact of potential security breaches.
The "Implement and Manage a Firewall on Servers" sub control (4.4) emphasizes the importance of deploying firewalls on servers to create a secure barrier against external threats. It involves configuring and maintaining firewalls to control network traffic, filter incoming and outgoing connections, and enforce security policies specific to server environments. By implementing proper firewall measures, organizations can reduce the attack surface and fortify the overall security posture of their servers.
The "Implement and Manage a Firewall on End-User Devices" sub control (4.5) emphasizes the need for firewalls on end-user devices to establish secure boundaries and protect against external threats. It involves configuring and managing firewalls on devices such as workstations, laptops, and mobile devices to control network traffic, filter connections, and enforce security policies. By implementing robust firewall measures, organizations can enhance the security of end-user devices and mitigate potential risks.
The "Securely Manage Enterprise Assets and Software" sub control (4.6) emphasizes the need for robust management practices to secure enterprise assets and software. It involves implementing controls and processes to track, monitor, and maintain the integrity and security of physical and digital assets throughout their lifecycle. This sub control addresses various aspects, including asset inventory, vulnerability management, patch management, software licensing, and disposal practices.
The "Manage Default Accounts on Enterprise Assets and Software" sub control (4.7) emphasizes the importance of promptly addressing default accounts that may exist on enterprise assets and software. Default accounts often have well-known credentials and can pose significant security risks if left unmanaged. This sub control aims to ensure that default accounts are identified, properly managed, and either disabled, changed, or removed to mitigate potential vulnerabilities.
The "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software" sub control (4.8) emphasizes the importance of assessing and managing services running on enterprise assets and software. Services that are not essential to the functionality of the system can introduce security risks if left enabled. This sub control focuses on identifying, uninstalling, or disabling unnecessary services to reduce potential entry points for attackers.
The "Configure Trusted DNS Servers on Enterprise Assets" sub control (4.9) emphasizes the importance of using trusted DNS servers for name resolution on enterprise assets. DNS servers play a crucial role in translating domain names into IP addresses and facilitating network communication. This sub control aims to ensure that DNS servers used by enterprise assets are properly configured, reliable, and secure.
The "Enforce Automatic Device Lockout on Portable End-User Devices" sub control (4.10) emphasizes the importance of enabling automatic device lockout mechanisms on portable devices. Portable devices, such as laptops, smartphones, and tablets, are highly vulnerable to theft or loss. This sub control aims to ensure that automatic lockout features, such as screen timeouts or password-protected screensavers, are enabled to prevent unauthorized access in case of device loss or unauthorized possession.
The "Enforce Remote Wipe Capability on Portable End-User Devices" sub control (4.11) emphasizes the importance of enabling remote wipe capability on portable devices. Portable devices are prone to being lost or stolen, posing significant risks to the data they contain. This sub control aims to ensure that remote wipe features are available and properly configured, allowing organizations to remotely erase data from the device if it is lost or compromised.
The "Separate Enterprise Workspaces on Mobile End-User Devices" sub control (4.12) emphasizes the importance of creating distinct workspaces on mobile devices for enterprise-related activities. Mobile devices often contain a mix of personal and business data, posing risks to the security and privacy of enterprise information. This sub control aims to ensure that mobile devices have separate environments for personal use and enterprise operations, enabling organizations to protect sensitive data and enforce appropriate security measures.
Account management focuses on effectively managing user accounts and access privileges within the organization's systems and applications. This control includes activities such as user provisioning, password management, and disabling or removing inactive accounts to ensure proper access controls and minimize the risk of unauthorized access.
The "Establish and Maintain an Inventory of Accounts" sub control (5.1) emphasizes the importance of having a comprehensive inventory of user accounts. This includes both active and inactive accounts across various systems and applications used within the organization. The sub control aims to ensure that organizations have visibility into their account landscape and can manage access privileges effectively.
The "Use Unique Passwords" sub control (5.2) is a critical element of the framework. It emphasizes the importance of using unique passwords for user accounts across systems and applications. By enforcing the use of unique passwords, organizations can significantly enhance security, minimize the risk of password-related attacks, and protect sensitive information.
The "Disable Dormant Accounts" sub control (5.3) emphasizes the importance of regularly reviewing and disabling accounts that are no longer active or required. Dormant accounts pose security risks as they may be targeted by attackers or used for unauthorized access. This sub control aims to ensure that dormant accounts are identified and deactivated promptly.
The "Restrict Administrator Privileges to Dedicated Administrator Accounts" sub control (5.4) emphasizes the importance of segregating administrative privileges from standard user accounts. It promotes the use of dedicated accounts with administrative privileges solely for administrative tasks, reducing the likelihood of accidental or unauthorized access to critical systems and data.
The "Establish and Maintain an Inventory of Service Accounts" sub control (5.5) emphasizes the importance of having a comprehensive inventory of service accounts. Service accounts are often used by systems, applications, or processes to perform automated tasks without human intervention. This sub control aims to ensure that organizations have visibility into their service account landscape and can manage access privileges effectively.
The "Centralize Account Management" sub control (5.6) emphasizes the importance of consolidating and centralizing user account management processes. Instead of managing accounts separately for each system or application, centralizing account management streamlines administrative tasks and enables consistent application of access controls, user provisioning, and access revocation.
Access control management involves implementing appropriate controls and measures to restrict access to sensitive resources and ensure that only authorized individuals can access them. This control includes activities such as role-based access control, the principle of least privilege, and regular access reviews to maintain the integrity and confidentiality of data.
The "Establish an Access Granting Process" sub control (6.1) emphasizes the importance of having a well-defined process for granting access privileges to user accounts. This sub control aims to prevent unauthorized access, enforce the principle of least privilege, and ensure accountability for access decisions.
The "Establish an Access Revoking Process" sub control (6.2) emphasizes the importance of having a well-defined process for revoking access privileges from user accounts. This sub control aims to prevent unauthorized access, enforce the principle of least privilege, and maintain an up-to-date access control environment.
The "Require MFA for Externally-Exposed Applications" sub control (6.3) emphasizes the importance of implementing multi-factor authentication (MFA) as an additional layer of security for applications that are accessible from external networks. MFA adds an extra authentication factor beyond just a username and password, making it significantly more challenging for attackers to gain unauthorized access.
The "Require MFA for Remote Network Access" sub control (6.4) emphasizes the importance of implementing MFA as an additional layer of security for remote network access. Remote network access introduces additional risks, and requiring MFA provides an extra layer of protection against unauthorized access.
The "Require MFA for Administrative Access" sub control (6.5) emphasizes the importance of implementing MFA as an additional layer of security for administrative accounts. Administrative access holds significant control over systems and data, making it a prime target for attackers. Requiring MFA helps prevent unauthorized access to administrative accounts and adds an extra layer of protection.
The "Establish and Maintain an Inventory of Authentication and Authorization Systems" sub control (6.6) emphasizes the importance of having a comprehensive inventory of the systems and applications responsible for authentication and authorization. This includes identity providers, single sign-on services, and other related systems. The sub control aims to ensure that organizations have visibility into their authentication and authorization landscape and can manage access controls effectively.
The "Centralize Access Control" sub control (6.7) emphasizes the importance of consolidating and centralizing access control mechanisms across systems and applications. This sub control aims to streamline access management processes, enable consistent enforcement of access policies, and enhance overall security.
The "Define and Maintain Role-Based Access Control" sub control (6.8) emphasizes the importance of utilizing RBAC principles to manage access permissions. RBAC provides a structured approach to access management by associating permissions with specific roles, reducing the risk of granting excessive privileges and enforcing the principle of least privilege.
Continuous vulnerability management is an ongoing process of identifying, assessing, and addressing vulnerabilities within the organization's systems and infrastructure. This control involves activities such as vulnerability scanning, patch management, and vulnerability remediation to proactively mitigate potential security risks.
The "Establish and Maintain a Vulnerability Management Process" sub control (7.1) emphasizes the importance of having a well-defined process for managing vulnerabilities. This includes vulnerability scanning, assessment, prioritization, remediation, and continuous monitoring. The sub control aims to identify and address vulnerabilities promptly to maintain a secure environment.
The "Establish and Maintain a Remediation Process" sub control (7.2) emphasizes the importance of having a well-defined process for remediating identified vulnerabilities. This process includes planning, implementing, and verifying the effectiveness of remediation actions. The sub control aims to ensure that vulnerabilities are addressed promptly and effectively.
The "Perform Automated Operating System Patch Management" sub control (7.3) emphasizes the importance of implementing automated processes to manage and apply security patches for operating systems. This sub control aims to ensure that security patches are promptly and consistently applied, reducing the window of vulnerability and protecting systems from known threats.
The "Perform Automated Application Patch Management" sub control (7.4) emphasizes the importance of implementing automated processes to manage and apply security patches for applications. This sub control aims to ensure that security patches are promptly and consistently applied to applications, reducing the window of vulnerability and protecting against known threats.
The "Perform Automated Vulnerability Scans of Internal Enterprise Assets" sub control (7.5) emphasizes the importance of implementing automated vulnerability scanning processes to identify potential weaknesses in internal systems, applications, and network devices. This sub control aims to proactively detect vulnerabilities, assess their severity, and prioritize remediation efforts to maintain a secure environment.
The "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets" sub control (7.6) emphasizes the importance of implementing automated vulnerability scanning processes to identify potential weaknesses in externally-exposed systems, applications, and network devices. This sub control aims to proactively detect vulnerabilities, assess their severity, and prioritize remediation efforts to maintain a secure external presence.
The "Remediate Detected Vulnerabilities" sub control (7.7) is a critical component of the framework. It focuses on promptly and effectively remediating detected vulnerabilities to reduce the risk of exploitation and protect systems and applications from potential security breaches. By remediating vulnerabilities, organizations can enhance their security posture and maintain a secure environment.
Audit log management focuses on establishing and maintaining an effective process for collecting, reviewing, and retaining audit logs. This control ensures that relevant events and activities are logged, enabling monitoring, detection, and investigation of security incidents and supporting compliance requirements.
The "Establish and Maintain an Audit Log Management Process" sub control (8.1) emphasizes the importance of managing and analyzing audit logs generated by systems, applications, and network devices. This sub control aims to ensure that audit logs are captured, protected, retained, and regularly reviewed to detect and respond to security incidents and comply with regulatory requirements.
The "Collect Audit Logs" sub control (8.2) focuses on the importance of actively collecting audit logs from various sources within the organization's infrastructure. This sub control aims to ensure that audit logs are captured in a timely and reliable manner, facilitating subsequent analysis, detection of security events, and compliance with regulatory requirements.
The "Ensure Adequate Audit Log Storage" sub control (8.3) emphasizes the need to establish and maintain sufficient storage capacity to accommodate the volume of generated audit logs and comply with retention requirements. This sub control aims to ensure that audit logs are securely stored and readily accessible for subsequent analysis, investigations, and compliance audits.
The "Standardize Time Synchronization" sub control (8.4) emphasizes the importance of aligning the time settings across all systems, applications, and network devices within the organization. This sub control aims to ensure that accurate and synchronized timestamps are used for event correlation, audit log analysis, and forensic investigations.
The "Collect Detailed Audit Logs" sub control (8.5) emphasizes the need to configure systems, applications, and network devices to generate comprehensive and granular audit logs. This sub control aims to ensure that audit logs capture sufficient details about events and activities for effective analysis, incident response, and compliance purposes.
The "Collect DNS Query Audit Logs" sub control (8.6) emphasizes the need to enable DNS query logging and capture the relevant audit logs. This sub control aims to ensure that DNS query audit logs are collected, retained, and analyzed to identify suspicious or malicious domain name resolution activities.
The "Collect URL Request Audit Logs" sub control (8.7) emphasizes the need to enable URL request logging and capture the relevant audit logs. This sub control aims to ensure that URL request audit logs are collected, retained, and analyzed to identify potentially harmful or unauthorized web browsing activities.
The "Collect Command-Line Audit Logs" sub control (8.8) emphasizes the need to enable command-line audit logging and capture relevant logs. This sub control aims to ensure that command-line audit logs are collected, retained, and analyzed to identify potentially malicious or unauthorized activities performed through command-line interfaces.
The "Centralize Audit Logs" sub control (8.9) emphasizes the need to establish a centralized repository for storing and managing audit logs generated by different systems, applications, and network devices. This sub control aims to ensure that audit logs are collected, consolidated, and securely stored in a centralized location to facilitate efficient log analysis and incident response.
The "Retain Audit Logs" sub control (8.10) focuses on defining and implementing retention periods for audit logs generated by systems, applications, and network devices. This sub control aims to ensure that audit logs are retained for a sufficient duration to meet legal, regulatory, and business requirements.
The "Conduct Audit Log Reviews" sub control (8.11) emphasizes the importance of establishing procedures for regular reviews and analysis of audit logs. This sub control aims to ensure that audit logs are systematically reviewed to detect security events, identify anomalies, and support incident response and compliance audits.
The "Collect Service Provider Logs" sub control (8.12) emphasizes the need to establish mechanisms for collecting and reviewing logs generated by service providers who handle critical systems or provide essential services to the organization. This sub control aims to ensure that the logs provided by service providers are collected, retained, and analyzed to monitor their activities and support incident response efforts.
This control involves implementing security measures to protect against email and web-based threats. It includes activities such as email filtering, web content filtering, and secure browsing practices to minimize the risk of phishing attacks, malware infections, and unauthorized access to sensitive information.
The "Ensure Use of Only Fully Supported Browsers and Email Clients" sub control (9.1) emphasizes the need to establish policies and procedures that require users to utilize browsers and email clients that are fully supported by the vendor and regularly updated. This sub control aims to minimize the security risks posed by outdated and unsupported software.
The "Use DNS Filtering Services" sub control (9.2) emphasizes the need to implement DNS filtering services that analyze and filter DNS requests based on defined policies. This sub control aims to mitigate the risks associated with accessing malicious or inappropriate websites by blocking or redirecting DNS requests to prohibited or malicious domains.
The "Maintain and Enforce Network-Based URL Filters" sub control (9.3) emphasizes the need to establish and maintain network-based URL filters that analyze and block or allow access to websites based on predefined policies. This sub control aims to mitigate the risks associated with accessing malicious or inappropriate websites by controlling web traffic at the network level.
The "Restrict Unnecessary or Unauthorized Browser and Email Client Extensions" sub control (9.4) emphasizes the need to establish policies and controls that restrict the installation and use of extensions in browsers and email clients. This sub control aims to mitigate the risks associated with potentially malicious or unauthorized extensions that can compromise system security or user privacy.
The "Implement DMARC" sub control (9.5) emphasizes the need to adopt and configure DMARC for the organization's email domains, so that receiving mail systems can verify whether messages claiming to come from those domains are authentic and thereby prevent email spoofing and phishing attacks. This sub control aims to enhance email security and protect organizations and their recipients from fraudulent email activities.
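To make the mechanism behind 9.5 concrete, the following added example (not code from CIS or from any mail software) parses a DMARC TXT record and applies the receiver-side decision: a message passes DMARC when the visible From: domain is aligned with a domain that SPF or DKIM actually authenticated, and otherwise the published `p=` (or `sp=` for subdomains) policy decides the disposition. The record, domains and report address are constructed placeholders; `org_domain` uses a simplified last-two-labels rule where real receivers consult the Public Suffix List, and the `pct=` sampling tag is parsed but not applied (assumed 100).

```python
# Constructed sample record for a placeholder domain (not a real published record).
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "pct=100; rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, filling RFC 7489 defaults.

    Strict on purpose: a missing or invalid p= raises. (Receivers may instead
    fall back to p=none when a usable rua= is present; not modelled here.)
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= is required and must be none, quarantine or reject")
    tags.setdefault("adkim", "r")   # relaxed alignment unless the owner says strict
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption; real
    implementations use the Public Suffix List so 'example.co.uk' stays whole)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed needs the same org domain."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def evaluate(record, from_domain, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (dmarc_pass, disposition) for one message.

    spf_pass_domain: the MAIL FROM domain SPF authenticated, or None if SPF failed.
    dkim_pass_domains: d= values of DKIM signatures that verified.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = any(aligned(from_domain, d, tags["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return True, "none"
    # The record is assumed to have been found at the org domain, so a From:
    # subdomain is governed by sp= when present, otherwise by p=.
    policy = tags["p"]
    if from_domain.lower().rstrip(".") != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return False, policy


if __name__ == "__main__":
    print(evaluate(SAMPLE_RECORD, "example.com", spf_pass_domain="mail.example.com"))
    print(evaluate(SAMPLE_RECORD, "example.com", dkim_pass_domains=["mail.example.com"]))
    print(evaluate(SAMPLE_RECORD, "example.com", spf_pass_domain="notexample.com"))
```

The second call shows why `adkim=s` matters: a DKIM signature from `mail.example.com` does not align with a From: of `example.com` under strict mode, so the message fails and inherits `p=reject`. The third call shows the look-alike case that a naive suffix comparison would get wrong; comparing organizational domains rather than string endings keeps `notexample.com` from aligning with `example.com`.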
The "Block Unnecessary File Types" sub control (9.6) emphasizes the need to identify and block file types that are not essential for business operations or pose a high risk to system security. This sub control aims to prevent the execution or access of unnecessary file types that could introduce malware, exploit vulnerabilities, or compromise data integrity.
The "Deploy and Maintain Email Server Anti-Malware Protections" sub control (9.7) emphasizes the need to implement effective anti-malware solutions on email servers to detect and block malicious attachments, links, or content within incoming and outgoing emails. This sub control aims to enhance email security by preventing the distribution of malware through email channels.
Malware defenses involve implementing tools, technologies, and practices to detect, prevent, and mitigate the impact of malware on the organization's systems and networks. This control includes activities such as deploying antivirus software, conducting regular malware scans, and promoting safe browsing habits.
The "Deploy and Maintain Anti-Malware Software" sub control (10.1) emphasizes the need to install and regularly update anti-malware software on endpoint devices to detect, block, and remove malware threats. This sub control aims to enhance endpoint security by preventing the execution and spread of malicious code.
The "Configure Automatic Anti-Malware Signature Updates" sub control (10.2) emphasizes the need to enable automatic updates of malware signature databases within the organization's anti-malware software. This sub control aims to ensure that the anti-malware software is equipped with the latest threat intelligence and can effectively detect and block known malware.
The "Disable Autorun and Autoplay for Removable Media" sub control (10.3) emphasizes the need to configure systems to disable the autorun and autoplay functionality for removable media, such as USB drives or optical discs. This sub control aims to mitigate the risks associated with the automatic execution of potentially malicious code from removable media.
The "Configure Automatic Anti-Malware Scanning of Removable Media" sub control (10.4) emphasizes the need to configure anti-malware software to automatically scan removable media for malware upon connection. This sub control aims to enhance the security of systems by detecting and blocking malware that may be present on removable media.
The "Enable Anti-Exploitation Features" sub control (10.5) emphasizes the need to enable and configure anti-exploitation features within operating systems and applications. This sub control aims to mitigate the risks associated with software vulnerabilities by implementing protective measures that make it more challenging for attackers to exploit those vulnerabilities.
The "Centrally Manage Anti-Malware Software" sub control (10.6) emphasizes the need to implement a centralized management system for monitoring, updating, and configuring anti-malware software across the organization's systems. This sub control aims to enhance the efficiency, reliability, and consistency of anti-malware operations.
The "Use Behavior-Based Anti-Malware Software" sub control (10.7) emphasizes the need to adopt and configure behavior-based anti-malware software on endpoint devices. This sub control aims to detect and block malware based on behavioral patterns and anomalies, providing an additional layer of protection against unknown and zero-day threats.
Data recovery focuses on establishing and maintaining processes and mechanisms to recover data in the event of data loss or system failures. This control includes activities such as regular data backups, disaster recovery planning, and testing of recovery procedures to ensure the availability and integrity of critical data.
The "Establish and Maintain a Data Recovery Process" sub control (11.1) emphasizes the need to define and implement a comprehensive data recovery process. This process should include strategies, procedures, and technologies to recover data from backups or other sources in a timely and accurate manner.
The "Perform Automated Backups" sub control (11.2) emphasizes the need to implement automated backup processes to safeguard critical data. This sub control aims to streamline backup operations, eliminate human errors, and ensure the regular and consistent creation of backup copies.
The "Protect Recovery Data" sub control (11.3) emphasizes the need to implement security controls to safeguard recovery data from unauthorized access, modification, loss, or corruption. This sub control aims to ensure the availability and integrity of recovery data, enabling successful data restoration when needed.
The "Establish and Maintain an Isolated Instance of Recovery Data" sub control (11.4) emphasizes the need to create and maintain a dedicated and isolated environment for recovery data storage. This sub control aims to protect recovery data from unauthorized modifications or compromise, ensuring its availability and reliability during data restoration.
The "Test Data Recovery" sub control (11.5) emphasizes the need to conduct regular data recovery tests to validate the effectiveness of the data recovery process. This sub control aims to ensure that data can be successfully restored from backups or other sources, minimizing downtime and maximizing data integrity.
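Sub controls 11.3 and 11.5 both hinge on being able to prove that what comes back from a backup is exactly what went in. The added example below (illustrative code, not from CIS or any backup product) builds a SHA-256 manifest of a directory at backup time and, after a restore, reports files that are missing, altered or unexpected. The files and their contents are constructed in a temporary directory; a real deployment would keep the manifest separately from the backup set (and ideally signed), because a manifest stored alongside the data can be rewritten together with it.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore_is_complete(result):
    return not (result["missing"] or result["modified"] or result["unexpected"])


def demo():
    """Constructed end-to-end run: manifest a source tree, copy it as the
    'restore', verify, then damage the restore to show what the check reports."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "users.sql").write_bytes(b"INSERT INTO users VALUES (1, 'alice');\n")
        (src / "config.yaml").write_bytes(b"retention_days: 90\n")
        manifest = build_manifest(src)          # stored out of band in practice

        restored = work / "restored"
        shutil.copytree(src, restored)          # stands in for the restore job
        clean = verify_restore(restored, manifest)

        # Simulate a bad restore: one file altered, one file absent.
        (restored / "config.yaml").write_bytes(b"retention_days: 7\n")
        (restored / "db" / "users.sql").unlink()
        bad = verify_restore(restored, manifest)
        return clean, bad
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    clean, bad = demo()
    print("clean restore complete:", restore_is_complete(clean))
    print("damaged restore report:", bad)
```

Running the verification as part of every scheduled recovery test, rather than only eyeballing that the restore job exited zero, is what turns 11.5 from a procedure into evidence.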
Network infrastructure management involves effectively managing and securing the organization's network infrastructure components, such as routers, switches, and firewalls. This control includes activities such as network configuration management, network segmentation, and regular monitoring to prevent unauthorized access and ensure network availability.
The "Ensure Network Infrastructure is Up-to-Date" sub control (12.1) emphasizes the need to establish processes for monitoring and applying updates to network infrastructure components. This sub control aims to ensure that network devices are running the latest firmware or software versions, which often include security patches and bug fixes.
The "Establish and Maintain a Secure Network Architecture" sub control (12.2) emphasizes the need to develop a network architecture that incorporates security principles and controls. This sub control aims to create a secure foundation for the organization's network infrastructure, ensuring that network components and configurations are aligned with established security standards.
The "Securely Manage Network Infrastructure" sub control (12.3) emphasizes the need to implement security controls and processes for the management of network infrastructure devices. This sub control aims to ensure that network devices are configured securely, access is restricted to authorized personnel, and changes to network configurations are carefully controlled and documented.
The "Establish and Maintain Architecture Diagram(s)" sub control (12.4) emphasizes the need to create and update architecture diagrams that depict the organization's network infrastructure. This sub control aims to provide a visual representation of the network environment, enabling effective planning, management, and documentation of network configurations and changes.
The "Centralize Network Authentication, Authorization, and Auditing (AAA)" sub control (12.5) emphasizes the need to establish a centralized system or infrastructure for managing network authentication, authorization, and auditing functions. This sub control aims to streamline user management, enforce access controls, and facilitate the monitoring and reporting of network activities.
The "Use of Secure Network Management and Communication Protocols" sub control (12.6) emphasizes the need to adopt secure protocols and mechanisms for network management and communication activities. This sub control aims to ensure that sensitive management information, such as configuration changes or monitoring data, is transmitted securely and protected from unauthorized interception or modification.
The "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure" sub control (12.7) emphasizes the need to establish secure connections for remote devices accessing the organization's network. This sub control aims to ensure that remote devices, such as laptops or mobile devices, connect through encrypted VPN tunnels and authenticate against the organization's centralized AAA infrastructure.
The "Establish and Maintain Dedicated Computing Resources for All Administrative Work" sub control (12.8) emphasizes the need to separate administrative tasks from other activities by dedicating specific computing resources. This sub control aims to ensure that administrative work is conducted in controlled environments that are isolated from general-purpose systems or user devices.
Network monitoring and defense focus on implementing measures to detect and respond to network security incidents. This control includes activities such as intrusion detection and prevention, log monitoring, and incident response planning to ensure timely identification and mitigation of network threats.
The "Centralize Security Event Alerting" sub control (13.1) emphasizes the need to implement a centralized system or platform for receiving, analyzing, and responding to security event alerts. This sub control aims to ensure that security events from various sources are consolidated, correlated, and effectively monitored for timely incident detection and response.
The "Deploy a Host-Based Intrusion Detection Solution" sub control (13.2) emphasizes the need to install and configure host-based intrusion detection systems on critical systems. This sub control aims to monitor system activities, detect potential intrusions or security breaches, and provide early warning of unauthorized access or malicious activities.
The "Deploy a Network Intrusion Detection Solution" sub control (13.3) emphasizes the need to install and configure network intrusion detection systems to monitor network traffic. This sub control aims to analyze network packets, identify potential intrusions or security breaches, and provide early detection of network-based attacks.
The "Perform Traffic Filtering Between Network Segments" sub control (13.4) emphasizes the need to establish traffic filtering mechanisms, such as firewalls or access control lists (ACLs), to regulate network traffic flows between segments. This sub control aims to enforce network segmentation, control communication paths, and allow only authorized traffic between segments.
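The policy 13.4 describes is, at its core, a table of allowed flows between named segments with everything else denied. The added example below (not from CIS or any firewall vendor) models that: a constructed addressing plan maps addresses to segments, an ordered rule list is evaluated first-match-wins, unmatched inter-segment traffic falls to default deny, and a small audit function finds rules that an earlier, broader rule has made unreachable, a common cause of "the ACL says deny but traffic still flows". Segment names, prefixes, ports and rules are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing plan: one prefix per segment.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "app":   ipaddress.ip_network("10.20.0.0/24"),
    "db":    ipaddress.ip_network("10.30.0.0/24"),
    "mgmt":  ipaddress.ip_network("10.99.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str            # source segment name
    dst: str            # destination segment name
    proto: str          # "tcp" / "udp"
    port: Optional[int] # destination port; None means any port
    action: str         # "allow" / "deny"


# Constructed inter-segment policy. Order matters: first match wins.
RULES = [
    Rule("users", "app",  "tcp", 443,  "allow"),
    Rule("app",   "db",   "tcp", 5432, "allow"),
    Rule("mgmt",  "app",  "tcp", 22,   "allow"),
    Rule("mgmt",  "db",   "tcp", 22,   "allow"),
    Rule("users", "db",   "tcp", None, "deny"),   # explicit deny so it is logged, not just dropped
]


def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(rules, src_ip, dst_ip, proto, port):
    """Decide one flow: returns (action, reason). Unknown addresses and
    unmatched inter-segment flows are denied; intra-segment traffic is out of
    scope for a segment boundary filter and passes here."""
    s, d = segment_of(src_ip), segment_of(dst_ip)
    if s is None or d is None:
        return "deny", "unknown-segment"
    if s == d:
        return "allow", "intra-segment"
    for i, r in enumerate(rules):
        if r.src == s and r.dst == d and r.proto == proto and (r.port is None or r.port == port):
            return r.action, f"rule-{i}"
    return "deny", "default-deny"


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule already
    covers every flow they would (same segments and protocol, any-port or same port)."""
    shadowed = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src == r.src and earlier.dst == r.dst and earlier.proto == r.proto
                    and (earlier.port is None or earlier.port == r.port)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    print(evaluate(RULES, "10.10.5.5", "10.20.0.10", "tcp", 443))   # users -> app https
    print(evaluate(RULES, "10.10.5.5", "10.30.0.10", "tcp", 5432))  # users -> db, explicit deny
    print(evaluate(RULES, "10.20.0.10", "10.30.0.10", "tcp", 22))   # app -> db ssh, default deny
    print(shadowed_rules(RULES))
```

The `shadowed_rules` check is the part worth wiring into change control: a deny-all rule inserted above a later allow silently breaks the service, and an allow-any inserted above a later deny silently opens the path, and neither shows up as an error on the device.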
The "Manage Access Control for Remote Assets" sub control (13.5) emphasizes the need to establish and maintain access controls specifically tailored for remote assets. This sub control aims to protect remote assets from unauthorized access, enforce authentication and authorization mechanisms, and enable secure remote connectivity.
The "Collect Network Traffic Flow Logs" sub control (13.6) emphasizes the need to collect and analyze network traffic flow logs from various network devices and infrastructure components. This sub control aims to provide insights into network traffic patterns, identify abnormal behavior, and facilitate the detection and investigation of security incidents.
The "Deploy a Host-Based Intrusion Prevention Solution" sub control (13.7) emphasizes the need to install and configure host-based IPS solutions on endpoints, such as servers, workstations, or mobile devices. This sub control aims to detect and prevent intrusions, malicious code execution, or unauthorized activities at the endpoint level.
The "Deploy a Network Intrusion Prevention Solution" sub control (13.8) emphasizes the need to implement network IPS solutions to monitor and analyze network traffic in real-time. This sub control aims to detect and block malicious activities, intrusions, or exploits at the network level, enhancing overall network security.
The "Deploy Port-Level Access Control" sub control (13.9) emphasizes the need to configure port-level access controls on network devices, such as switches or routers, to regulate traffic based on specific ports, protocols, or services. This sub control aims to prevent unauthorized access, enforce segmentation, and limit exposure to potential threats.
The "Perform Application Layer Filtering" sub control (13.10) emphasizes the need to deploy application layer filtering mechanisms, such as application-aware firewalls or web application firewalls (WAFs), to analyze and control network traffic based on specific application protocols or characteristics. This sub control aims to enhance network security by filtering and blocking malicious or unauthorized activities at the application layer.
The "Tune Security Event Alerting Thresholds" sub control (13.11) is an important aspect of the framework. It focuses on fine-tuning security event alerting thresholds to ensure that security events are effectively captured and meaningful alerts are generated. By tuning security event alerting thresholds, organizations can optimize their incident detection capabilities, reduce false positives, and enable efficient incident response.
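The reason a single global threshold produces both false positives and missed events is that hosts have very different baselines. The added example below (illustrative code, not from CIS) contrasts a fixed threshold with one derived per host from its own history (mean plus k standard deviations, with a floor for near-zero baselines), using constructed daily counts of a security event such as failed logins. The host names, counts, `k` and `floor` values are all constructed assumptions.

```python
import statistics

# Constructed 14-day history of daily event counts per host (e.g. failed logins).
BASELINE = {
    "web-01": [40, 38, 45, 42, 39, 44, 41, 43, 40, 46, 42, 39, 44, 41],  # busy internet-facing host
    "hr-db":  [0, 1, 0, 0, 2, 0, 1, 0, 0, 0, 1, 0, 0, 1],                # quiet internal host
}
# Constructed counts for the day being evaluated.
TODAY = {"web-01": 47, "hr-db": 9}


def fixed_threshold_alerts(today, threshold):
    """The naive approach: one number for every host."""
    return sorted(host for host, n in today.items() if n >= threshold)


def baseline_threshold(history, k=3.0, floor=5):
    """Per-host threshold: mean + k standard deviations of the host's own history.

    The floor keeps a host whose normal is zero from alerting on a single event,
    which would otherwise drown the queue in noise from quiet systems.
    """
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)
    return max(mean + k * sd, floor)


def baseline_alerts(today, baseline, k=3.0, floor=5):
    """Alert only where today's count exceeds that host's own derived threshold."""
    return sorted(
        host for host, n in today.items()
        if host in baseline and n >= baseline_threshold(baseline[host], k, floor)
    )


def compare(today, baseline, fixed=10):
    """Side-by-side view of both strategies for the same day."""
    return {
        "fixed": fixed_threshold_alerts(today, fixed),
        "baseline": baseline_alerts(today, baseline),
        "thresholds": {h: round(baseline_threshold(hist), 1) for h, hist in baseline.items()},
    }


if __name__ == "__main__":
    print(compare(TODAY, BASELINE))
```

With the constructed data, a fixed threshold of 10 alerts on `web-01` every single day (47 is an ordinary day for it) and never on `hr-db`, even though 9 failures on a host that normally sees zero or one is exactly the event worth a look. The per-host threshold inverts that: `web-01` stays quiet and `hr-db` alerts. Re-deriving the baseline on a schedule is what keeps the thresholds tuned as traffic patterns change.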
Security awareness and skills training involve educating employees about security best practices, policies, and procedures to enhance their understanding of potential risks and their role in maintaining a secure environment. This control includes activities such as security awareness programs, training sessions, and phishing awareness campaigns.
The "Establish and Maintain a Security Awareness Program" sub control (14.1) emphasizes the importance of developing and implementing a security awareness program to educate employees on security threats, policies, procedures, and good security practices. This sub control aims to promote a security-conscious workforce and empower employees to make informed security decisions.
The "Train Workforce Members to Recognize Social Engineering Attacks" sub control (14.2) emphasizes the need to educate employees about the techniques used in social engineering attacks and empower them to identify and report suspicious activities. This sub control aims to raise awareness, improve incident response, and promote a vigilant workforce.
The "Train Workforce Members on Authentication Best Practices" sub control (14.3) emphasizes the importance of educating employees on the proper use of authentication mechanisms to ensure secure access to systems and data. This sub control aims to raise awareness, promote good authentication hygiene, and mitigate the risk of unauthorized access.
The "Train Workforce on Data Handling Best Practices" sub control (14.4) emphasizes the importance of educating employees on how to handle data securely throughout its lifecycle. This sub control aims to raise awareness, promote responsible data handling, and mitigate the risk of data loss or unauthorized disclosure.
The "Train Workforce Members on Causes of Unintentional Data Exposure" sub control (14.5) highlights the need to educate employees about the factors that contribute to unintentional data exposure and the potential impact on data security. This sub control aims to raise awareness, promote responsible data handling practices, and mitigate the risk of inadvertent data breaches.
The "Train Workforce Members on Recognizing and Reporting Security Incidents" sub control (14.6) emphasizes the importance of educating employees about the signs of a security incident and the appropriate steps to report such incidents. This sub control aims to raise awareness, promote a proactive security posture, and enable efficient incident response.
The "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates" sub control (14.7) emphasizes the significance of educating employees about the importance of keeping enterprise assets up to date with security updates. This sub control aims to raise awareness, promote a proactive approach to patch management, and minimize the risk of exploitation due to outdated software or firmware.
The "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks" sub control (14.8) emphasizes the importance of educating employees about the potential risks and consequences of connecting to and transmitting enterprise data over insecure networks. This sub control aims to instill a sense of responsibility, encourage cautious network usage, and protect sensitive data from unauthorized access.
The "Conduct Role-Specific Security Awareness and Skills Training" sub control (14.9) emphasizes the need to tailor security training to address the unique responsibilities and challenges associated with different roles within the organization. This sub control aims to improve security knowledge and skills, foster a sense of ownership in security practices, and strengthen the overall security posture.
Service provider management involves establishing and maintaining processes to manage the security risks associated with third-party service providers. This control includes activities such as assessing service provider security controls, defining security requirements in contracts, and monitoring the performance of service providers to ensure the confidentiality and integrity of data.
The "Establish and Maintain an Inventory of Service Providers" sub control (15.1) emphasizes the need for organizations to have visibility into the service providers they engage with and the level of access they have to sensitive data or critical systems. This sub control aims to establish a comprehensive record of service providers and their associated security obligations, facilitating effective risk management and oversight.
The "Establish and Maintain a Service Provider Management Policy" sub control (15.2) highlights the need for organizations to have a formal policy that governs their interactions with service providers. This sub control aims to establish a framework for managing service provider relationships, setting expectations, and ensuring adherence to security standards and contractual obligations.
The "Classify Service Providers" sub control (15.3) highlights the need for organizations to categorize their service providers based on the sensitivity and criticality of the data or systems they have access to. This sub control aims to establish a framework for risk assessment, security controls, and tailored oversight based on the classification of service providers.
The "Ensure Service Provider Contracts Include Security Requirements" sub control (15.4) emphasizes the importance of incorporating security considerations into contracts with service providers. This sub control aims to establish a framework for defining security obligations, data protection measures, incident response protocols, and compliance requirements within service provider relationships.
The "Assess Service Providers" sub control (15.5) emphasizes the need for organizations to regularly assess the security posture of their service providers. This sub control aims to establish a systematic process for evaluating service providers' security capabilities, identifying vulnerabilities or deficiencies, and taking appropriate actions to mitigate risks.
The "Monitor Service Providers" sub control (15.6) emphasizes the need for organizations to establish a robust monitoring program for their service providers. This sub control aims to provide continuous visibility into service provider activities, security controls, and compliance, facilitating proactive risk management and ensuring adherence to established security requirements.
The "Securely Decommission Service Providers" sub control (15.7) highlights the need for organizations to have proper procedures in place when terminating relationships with service providers. This sub control aims to ensure that sensitive data is appropriately transferred or securely destroyed, access privileges are revoked, and contractual obligations are fulfilled upon service provider decommissioning.
Application software security focuses on ensuring the security of the organization's software applications. This control includes activities such as secure coding practices, vulnerability assessments, and regular application security testing to identify and remediate software vulnerabilities.
The "Establish and Maintain a Secure Application Development Process" sub control (16.1) emphasizes the importance of incorporating security practices into the application development lifecycle. This sub control aims to establish a systematic approach to building secure applications, including security requirements, secure coding practices, testing, and ongoing vulnerability management.
The "Establish and Maintain a Process to Accept and Address Software Vulnerabilities" sub control (16.2) highlights the need for organizations to have a structured approach to handle software vulnerabilities. This sub control aims to ensure that vulnerabilities are appropriately addressed through proper assessment, prioritization, and remediation activities.
The "Perform Root Cause Analysis on Security Vulnerabilities" sub control (16.3) emphasizes the need for organizations to investigate and understand the root causes of security vulnerabilities. This sub control aims to identify the underlying factors, such as coding practices, design flaws, or configuration errors, and implement corrective actions to enhance the security posture of software applications.
The "Establish and Manage an Inventory of Third-Party Software Components" sub control (16.4) emphasizes the need for organizations to track and manage third-party software components used in their applications. This sub control aims to establish processes for inventory management, vulnerability tracking, and timely patching or remediation of third-party components.
The "Use Up-to-Date and Trusted Third-Party Software Components" sub control (16.5) highlights the need for organizations to prioritize the use of current and reputable third-party software components. This sub control aims to establish processes for assessing the trustworthiness of components, monitoring for updates or security advisories, and promptly applying patches or updates.
The "Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities" sub control (16.6) emphasizes the need for organizations to categorize and prioritize application vulnerabilities based on their severity. This sub control aims to establish a consistent rating system and a corresponding process for evaluating vulnerabilities and guiding remediation efforts.
The "Use Standard Hardening Configuration Templates for Application Infrastructure" sub control (16.7) is a crucial aspect of the framework. It emphasizes the use of standardized hardening configurations for application infrastructure components to enhance their security and reduce the attack surface. By utilizing standard hardening configuration templates, organizations can establish a baseline security posture and minimize the risks associated with misconfigurations.
The "Separate Production and Non-Production Systems" sub control (16.8) highlights the importance of segregating production and non-production environments. This sub control aims to prevent unauthorized access or accidental changes to critical systems, protect sensitive data, and maintain the integrity and availability of production systems.
The "Train Developers in Application Security Concepts and Secure Coding" sub control (16.9) emphasizes the importance of educating developers on application security principles and secure coding practices. This sub control aims to establish training programs that cover topics such as threat modeling, secure coding guidelines, input validation, authentication, and other relevant security concepts.
The "Apply Secure Design Principles in Application Architectures" sub control (16.10) highlights the significance of incorporating secure design principles during the architectural phase of software development. This sub control aims to establish a foundation for secure application design by considering security requirements, threat modeling, secure communication channels, and data protection mechanisms.
The "Leverage Vetted Modules or Services for Application Security Components" sub control (16.11) focuses on selecting and incorporating pre-existing security modules or services into software applications. This sub control aims to promote the use of proven security solutions and reduce the likelihood of introducing vulnerabilities through the development of custom security components.
The "Implement Code-Level Security Checks" sub control (16.12) emphasizes the importance of integrating security checks into the development process to detect and remediate code-level vulnerabilities. This sub control aims to establish practices that enable the identification of common coding errors, security flaws, and adherence to secure coding standards.
The "Conduct Application Penetration Testing" sub control (16.13) emphasizes the importance of simulating real-world attacks on software applications to identify vulnerabilities and validate the effectiveness of security controls. This sub control aims to identify vulnerabilities that automated tools may miss and uncover potential weaknesses in the application's architecture, configuration, or business logic.
The "Conduct Threat Modeling" sub control (16.14) emphasizes the importance of systematically analyzing potential threats and vulnerabilities to software applications. This sub control aims to provide organizations with a structured approach to identify and address security risks throughout the application development lifecycle.
Incident response management involves establishing and maintaining processes and procedures to effectively respond to and manage security incidents. This control includes activities such as incident detection, containment, investigation, and recovery to minimize the impact of security breaches and restore normal operations.
The "Designate Personnel to Manage Incident Handling" sub control (17.1) emphasizes the importance of establishing a designated incident response team or personnel to handle security incidents. This sub control aims to ensure that incidents are promptly and effectively addressed, minimizing the potential damage caused by security breaches.
The "Establish and Maintain Contact Information for Reporting Security Incidents" sub control (17.2) highlights the significance of maintaining a reliable and readily accessible means to report security incidents. This sub control aims to streamline the incident reporting process, enabling swift incident response and resolution.
The "Establish and Maintain an Enterprise Process for Reporting Incidents" sub control (17.3) emphasizes the importance of having a well-defined process for reporting security incidents. This sub control aims to establish clear guidelines and procedures that enable employees and stakeholders to report incidents promptly and effectively.
The "Establish and Maintain an Incident Response Process" sub control (17.4) emphasizes the importance of having a formal incident response process in place. This sub control aims to establish clear guidelines and procedures that enable organizations to detect, respond to, contain, eradicate, and recover from security incidents.
The "Assign Key Roles and Responsibilities" sub control (17.5) emphasizes the importance of identifying and assigning specific roles and responsibilities to individuals or teams involved in the incident response process. This sub control aims to ensure that everyone knows their roles, understands their responsibilities, and can act swiftly and efficiently during security incidents.
The "Define Mechanisms for Communicating During Incident Response" sub control (17.6) emphasizes the importance of establishing communication mechanisms and channels that enable effective communication among incident response team members and other stakeholders. This sub control aims to ensure that accurate and timely information is shared during incident response, facilitating a coordinated and efficient response effort.
The "Conduct Routine Incident Response Exercises" sub control (17.7) emphasizes the importance of regularly simulating security incidents to evaluate the organization's preparedness and response capabilities. This sub control aims to ensure that incident response teams are trained, procedures are validated, and improvements are made based on lessons learned from these exercises.
The "Conduct Post-Incident Reviews" sub control (17.8) emphasizes the importance of conducting comprehensive reviews and analyses of security incidents. This sub control aims to identify the underlying causes of incidents, evaluate the effectiveness of the incident response process, and drive continuous improvement in incident response capabilities.
The "Establish and Maintain Security Incident Thresholds" sub control (17.9) emphasizes the importance of setting clear thresholds to determine the severity and response level for different types of security incidents. This sub control aims to ensure that incidents are classified and prioritized based on their impact and potential risks, enabling organizations to allocate appropriate resources for incident response.
Penetration testing involves conducting authorized simulated attacks on the organization's systems and networks to identify vulnerabilities and weaknesses. This control includes activities such as vulnerability assessments, exploit testing, and reporting to assess the security of the organization's infrastructure and applications.
The "Establish and Maintain a Penetration Testing Program" sub control (18.1) emphasizes the importance of conducting regular penetration testing activities to assess the security of the organization's systems and infrastructure. This sub control aims to identify vulnerabilities that may be exploited by attackers and provide recommendations for improving the organization's overall security posture.
The "Perform Periodic External Penetration Tests" sub control (18.2) emphasizes the importance of regularly assessing the security of the organization's systems and assets from an external perspective. This sub control aims to simulate real-world attacks and identify vulnerabilities that may be exploited by external adversaries.
The "Remediate Penetration Test Findings" sub control (18.3) highlights the significance of addressing vulnerabilities and weaknesses identified during penetration testing exercises. This sub control aims to ensure that the necessary actions are taken to mitigate the identified risks and enhance the overall security of the organization's systems and assets.
The "Validate Security Measures" sub control (18.4) emphasizes the importance of verifying and validating the effectiveness of implemented security measures and controls. This sub control aims to ensure that the implemented security controls are working as intended, providing the necessary protection against potential threats and vulnerabilities.
The "Perform Periodic Internal Penetration Tests" sub control (18.5) highlights the significance of assessing the security of internal systems and networks. This sub control aims to identify potential vulnerabilities and weaknesses that may be exploited by internal threats and ensure that appropriate measures are in place to mitigate those risks.