0003955
CIS Critical Security Controls, Version 8.1
The Center for Internet Security
Best Practice Guideline
Free
CIS Controls Version 8.1
CIS Critical Security Controls
2024-06-01
The document as a whole was last reviewed and released on 2024-08-01T00:00:00-0700.
0003955
Free
The Center for Internet Security
Best Practice Guideline
CIS Controls Version 8.1
CIS Critical Security Controls
2024-06-01
The document as a whole was last reviewed and released on 2024-08-01T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within CIS Critical Security Controls, Version 8.1 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for CIS Critical Security Controls, Version 8.1 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Acquisition or sale of facilities, technology, and services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
| Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition/Sale of Assets or Services | Preventive | |
| Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Establish/Maintain Documentation | Preventive | |
| Include security requirements in system acquisition contracts. CC ID 01124 [{be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components] | Establish/Maintain Documentation | Preventive | |
| Include operational requirements in system acquisition contracts. CC ID 00825 | Establish/Maintain Documentation | Preventive | |
| Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 | Establish/Maintain Documentation | Preventive | |
| Include required service levels in system acquisition contracts. CC ID 11652 | Establish/Maintain Documentation | Preventive | |
| Include security controls in system acquisition contracts. CC ID 01125 | Establish/Maintain Documentation | Preventive | |
| Include the cost effectiveness of security controls in system acquisition contracts. CC ID 11653 | Technical Security | Detective | |
| Obtain system documentation before acquiring products and services. CC ID 01445 | Establish/Maintain Documentation | Preventive | |
| Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Establish/Maintain Documentation | Preventive | |
| Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Communicate | Preventive | |
| Document attempts to obtain system documentation. CC ID 14284 | Process or Activity | Corrective | |
| Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition/Sale of Assets or Services | Preventive | |
| Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Establish/Maintain Documentation | Preventive | |
| Include security functions in the user documentation. CC ID 14313 | Establish/Maintain Documentation | Preventive | |
| Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Establish/Maintain Documentation | Preventive | |
| Include a description of user interactions in the user documentation. CC ID 14311 | Establish/Maintain Documentation | Preventive | |
| Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Establish/Maintain Documentation | Preventive | |
| Provide a Configuration Management plan by the Information System developer for all newly acquired assets. CC ID 01446 | Testing | Detective | |
| Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets. CC ID 01447 | Testing | Detective | |
| Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [{monthly basis} Establish and manage an updated inventory of third-party components used in development, often referred to as a "bill of materials," as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. CIS Control 16: Safeguard 16.4 Establish and Manage an Inventory of Third-Party Software Components {monthly basis} Establish and manage an updated inventory of third-party components used in development, often referred to as a "bill of materials," as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. CIS Control 16: Safeguard 16.4 Establish and Manage an Inventory of Third-Party Software Components {be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components {be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components] | Establish/Maintain Documentation | Preventive | |
| Install software that originates from approved third parties. CC ID 12184 | Technical Security | Preventive | |
| Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 | Establish/Maintain Documentation | Preventive | |
| Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Testing | Detective | |
| Test new software or upgraded software for security vulnerabilities. CC ID 01898 [{be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components] | Testing | Detective | |
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Establish/Maintain Documentation | Preventive | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [{monthly basis} Establish and manage an updated inventory of third-party components used in development, often referred to as a "bill of materials," as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. CIS Control 16: Safeguard 16.4 Establish and Manage an Inventory of Third-Party Software Components] | Audits and Risk Management | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Establish/Maintain Documentation | Preventive | |
| Train all new hires, as necessary. CC ID 06673 [{annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program] | Behavior | Preventive | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Establish/Maintain Documentation | Preventive | |
| Terminate user accounts when notified that an individual is terminated. CC ID 11614 [Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. CIS Control 6: Safeguard 6.2 Establish an Access Revoking Process] | Technical Security | Corrective | |
| Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [{user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. CIS Control 6: Safeguard 6.2 Establish an Access Revoking Process] | Technical Security | Corrective | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 [Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling {annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Establish Roles | Preventive | |
| Document and communicate role descriptions to all applicable personnel. CC ID 00776 | Establish Roles | Detective | |
| Assign and staff all roles appropriately. CC ID 00784 | Testing | Detective | |
| Delegate authority for specific processes, as necessary. CC ID 06780 | Behavior | Preventive | |
| Implement a staff rotation plan. CC ID 12772 | Human Resources Management | Preventive | |
| Rotate duties amongst the critical roles and positions. CC ID 06554 | Establish Roles | Preventive | |
| Place Information Technology operations in a position to support the business model. CC ID 00766 | Business Processes | Preventive | |
| Review organizational personnel successes. CC ID 00767 | Business Processes | Preventive | |
| Implement personnel supervisory practices. CC ID 00773 | Behavior | Preventive | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 | Testing | Detective | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Technical Security | Preventive | |
| Evaluate the staffing requirements regularly. CC ID 00775 | Business Processes | Detective | |
| Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779 | Behavior | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Behavior | Preventive | |
| Establish, implement, and maintain an education methodology. CC ID 06671 | Business Processes | Preventive | |
| Retrain all personnel, as necessary. CC ID 01362 [{annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program {annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding] | Behavior | Preventive | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 [{annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding] | Behavior | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 [Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise. CIS Control 14: Security Awareness and Skills Training {annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program {annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program] | Establish/Maintain Documentation | Preventive | |
| Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Training | Preventive | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
| Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
| Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 [{annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program] | Establish/Maintain Documentation | Preventive | |
| Include identity and access management in the security awareness program. CC ID 17013 | Training | Preventive | |
| Include the encryption process in the security awareness program. CC ID 17014 | Training | Preventive | |
| Include security policies and security standards in the security awareness program. CC ID 13045 [Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management. CIS Control 14: Safeguard 14.3 Train Workforce Members on Authentication Best Practices Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. CIS Control 14: Safeguard 14.4 Train Workforce on Data Handling Best Practices] | Establish/Maintain Documentation | Preventive | |
| Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
| Include data management in the security awareness program. CC ID 17010 | Training | Preventive | |
| Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Training | Preventive | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Establish/Maintain Documentation | Preventive | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 [Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. CIS Control 14: Safeguard 14.4 Train Workforce on Data Handling Best Practices Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure. CIS Control 14: Safeguard 14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks] | Training | Preventive | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
| Include social networking in the security awareness program. CC ID 17011 | Training | Preventive | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 [Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences. CIS Control 14: Safeguard 14.5 Train Workforce Members on Causes of Unintentional Data Exposure Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles. CIS Control 14: Safeguard 14.9 Conduct Role-Specific Security Awareness and Skills Training] | Establish/Maintain Documentation | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
| Include remote access in the security awareness program. CC ID 13892 [Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure. CIS Control 14: Safeguard 14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks] | Establish/Maintain Documentation | Preventive | |
| Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources Management | Preventive | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
| Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Train workforce members to be able to recognize a potential incident and be able to report such an incident. CIS Control 14: Safeguard 14.6 Train Workforce Members on Recognizing and Reporting Security Incidents Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating. CIS Control 14: Safeguard 14.2 Train Workforce Members to Recognize Social Engineering Attacks] | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 [Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools. CIS Control 14: Safeguard 14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools. CIS Control 14: Safeguard 14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates] | Training | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Monitor and Evaluate Occurrences | Detective | |
| Conduct secure coding and development training for developers. CC ID 06822 [{annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Behavior | Corrective | |
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Business Processes | Preventive | |
| Establish, implement, and maintain communication protocols. CC ID 12245 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Communicate | Preventive | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Establish/Maintain Documentation | Preventive | |
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Process or Activity | Detective | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Establish/Maintain Documentation | Preventive | |
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Communicate | Preventive | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
| Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Communicate | Preventive | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Process or Activity | Preventive | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Communicate | Preventive | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Communicate | Preventive | |
| Route notifications, as necessary. CC ID 12832 | Process or Activity | Preventive | |
| Substantiate notifications, as necessary. CC ID 12831 | Process or Activity | Preventive | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Business Processes | Preventive | |
| Prioritize notifications, as necessary. CC ID 12830 | Process or Activity | Preventive | |
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Actionable Reports or Measurements | Preventive | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Communicate | Preventive | |
| Establish and maintain the organization's survey method. CC ID 12869 | Process or Activity | Preventive | |
| Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Process or Activity | Preventive | |
| Establish, implement, and maintain warning procedures. CC ID 12407 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain alert procedures. CC ID 12406 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for notifications in the notification system. CC ID 17139 | Establish/Maintain Documentation | Preventive | |
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 | Business Processes | Preventive | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Business Processes | Preventive | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Communicate | Preventive | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Establish/Maintain Documentation | Preventive | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Establish/Maintain Documentation | Preventive | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Communicate | Preventive | |
| Provide identifying information about the organization to the responsible party. CC ID 16715 | Communicate | Preventive | |
| Identify the material topics required to be reported on. CC ID 15654 | Business Processes | Preventive | |
| Check the list of material topics for completeness. CC ID 15692 | Investigate | Preventive | |
| Prioritize material topics used in reporting. CC ID 15678 | Communicate | Preventive | |
| Review and approve the material topics, as necessary. CC ID 15670 | Process or Activity | Preventive | |
| Define the thresholds for reporting in the external reporting program. CC ID 15679 | Establish/Maintain Documentation | Preventive | |
| Include time requirements in the external reporting program. CC ID 16566 | Communicate | Preventive | |
| Include information about the organizational culture in the external reporting program. CC ID 15610 | Establish/Maintain Documentation | Preventive | |
| Submit certification letters to interested personnel and affected parties. CC ID 16969 | Communicate | Preventive | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Communicate | Preventive | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Communicate | Preventive | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Establish/Maintain Documentation | Preventive | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Establish/Maintain Documentation | Preventive | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Establish/Maintain Documentation | Preventive | |
| Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Process or Activity | Preventive | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a data classification scheme. CC ID 11628 [{annual basis} Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as "Sensitive," "Confidential," and "Public," and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.7 Establish and Maintain a Data Classification Scheme {annual basis} Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as "Sensitive," "Confidential," and "Public," and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.7 Establish and Maintain a Data Classification Scheme] | Establish/Maintain Documentation | Preventive | |
| Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Data and Information Management | Preventive | |
| Approve the data classification scheme. CC ID 13858 | Establish/Maintain Documentation | Detective | |
| Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Communicate | Preventive | |
| Monitor regulatory trends to maintain compliance. CC ID 00604 | Monitor and Evaluate Occurrences | Detective | |
| Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. CIS Control 7: Continuous Vulnerability Management] | Technical Security | Detective | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
| Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Establish/Maintain Documentation | Preventive | |
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 [{monthly basis} Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. CIS Control 2: Safeguard 2.3 Address Unauthorized Software {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported] | Establish/Maintain Documentation | Detective | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [{unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a strategic plan. CC ID 12784 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a decision management strategy. CC ID 06913 | Establish/Maintain Documentation | Preventive | |
| Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises] | Establish/Maintain Documentation | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
| Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets. CIS Control 8: Safeguard 8.2 Collect Audit Logs {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Log Management | Preventive | |
| Review and approve the use of continuous security management systems. CC ID 13181 | Process or Activity | Preventive | |
| Protect continuous security management systems from unauthorized use. CC ID 13097 | Configuration | Preventive | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive | |
| Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent. CIS Control 13: Safeguard 13.7 Deploy a Host-Based Intrusion Prevention Solution Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported. CIS Control 13: Safeguard 13.2 Deploy a Host-Based Intrusion Detection Solution Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. CIS Control 13: Safeguard 13.3 Deploy a Network Intrusion Detection Solution Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service. CIS Control 13: Safeguard 13.8 Deploy a Network Intrusion Prevention Solution] | Configuration | Preventive | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for Denial of Service attacks. CC ID 01222 | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for unauthorized data transfers. CC ID 12971 | Monitor and Evaluate Occurrences | Preventive | |
| Address operational anomalies within the incident management system. CC ID 11633 | Audits and Risk Management | Preventive | |
| Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitor and Evaluate Occurrences | Detective | |
| Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Human Resources Management | Detective | |
| Detect unauthorized access to systems. CC ID 06798 | Monitor and Evaluate Occurrences | Detective | |
| Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 | Audits and Risk Management | Preventive | |
| Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Acquisition/Sale of Assets or Services | Preventive | |
| Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitor and Evaluate Occurrences | Detective | |
| Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for unauthorized mobile code. CC ID 10034 | Monitor and Evaluate Occurrences | Preventive | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Log Management | Detective | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 [Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASHTM, and remote administrative terminals. CIS Control 8: Safeguard 8.8 Collect Command-Line Audit Logs Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events. CIS Control 8: Safeguard 8.12 Collect Service Provider Logs] | Log Management | Detective | |
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Data and Information Management | Preventive | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets. CIS Control 8: Safeguard 8.2 Collect Audit Logs {weekly basis} Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. CIS Control 8: Safeguard 8.11 Conduct Audit Log Reviews] | Log Management | Preventive | |
| Protect the event logs from failure. CC ID 06290 | Log Management | Preventive | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Testing | Preventive | |
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Establish/Maintain Documentation | Corrective | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 [Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. CIS Control 13: Safeguard 13.1 Centralize Security Event Alerting Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. CIS Control 13: Safeguard 13.1 Centralize Security Event Alerting Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example implementations include leveraging a SIEM tool to centralize multiple log sources. CIS Control 8: Safeguard 8.9 Centralize Audit Logs] | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain log analysis tools. CC ID 17056 | Technical Security | Preventive | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [{weekly basis} Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. CIS Control 8: Safeguard 8.11 Conduct Audit Log Reviews {weekly basis} Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. CIS Control 1: Safeguard 1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Log Management | Detective | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Log Management | Corrective | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Log Management | Detective | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 [Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. CIS Control 8: Audit Log Management] | Technical Security | Detective | |
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Investigate | Corrective | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Log Management | Preventive | |
| Enable logging for all systems that meet a traceability criteria. CC ID 00640 | Log Management | Detective | |
| Enable and configure logging on network access controls in accordance with organizational standards. CC ID 01963 [Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base. CIS Control 13: Network Monitoring and Defense Collect network traffic flow logs and/or network traffic to review and alert upon from network devices. CIS Control 13: Safeguard 13.6 Collect Network Traffic Flow Logs] | Configuration | Preventive | |
| Analyze firewall logs for the correct capturing of data. CC ID 00549 | Log Management | Detective | |
| Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [{stipulated amount} Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. CIS Control 8: Safeguard 8.4 Standardize Time Synchronization {stipulated amount} Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. CIS Control 8: Safeguard 8.4 Standardize Time Synchronization] | Configuration | Preventive | |
| Centralize network time servers to as few as practical. CC ID 06308 | Configuration | Preventive | |
| Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Communicate | Preventive | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system security plan. CC ID 01922 | Testing | Preventive | |
| Create specific test plans to test each system component. CC ID 00661 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the test plans. CC ID 14293 [Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Establish/Maintain Documentation | Preventive | |
| Validate all testing assumptions in the test plans. CC ID 00663 [Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. CIS Control 18: Safeguard 18.4 Validate Security Measures] | Testing | Detective | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
| Require testing procedures to be complete. CC ID 00664 | Testing | Detective | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 [Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise. CIS Control 16: Safeguard 16.3 Perform Root Cause Analysis on Security Vulnerabilities] | Establish/Maintain Documentation | Preventive | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
| Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
| Assign senior management to approve test plans. CC ID 13071 | Human Resources Management | Preventive | |
| Establish, implement, and maintain a testing program. CC ID 00654 | Behavior | Preventive | |
| Define the test requirements for each testing program. CC ID 13177 [Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Establish/Maintain Documentation | Preventive | |
| Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Testing | Preventive | |
| Scan organizational networks for rogue devices. CC ID 00536 [{weekly basis} Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. CIS Control 1: Safeguard 1.5 Use a Passive Asset Discovery Tool] | Testing | Detective | |
| Scan the network for wireless access points. CC ID 00370 | Testing | Detective | |
| Document the business need justification for authorized wireless access points. CC ID 12044 | Establish/Maintain Documentation | Preventive | |
| Scan wireless networks for rogue devices. CC ID 11623 | Technical Security | Detective | |
| Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Testing | Detective | |
| Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Technical Security | Corrective | |
| Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitor and Evaluate Occurrences | Corrective | |
| Deny network access to rogue devices until network access approval has been received. CC ID 11852 [Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. CIS Control 1: Safeguard 1.2 Address Unauthorized Assets] | Configuration | Preventive | |
| Isolate rogue devices after a rogue device has been detected. CC ID 07061 [Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. CIS Control 1: Safeguard 1.2 Address Unauthorized Assets Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. CIS Control 1: Safeguard 1.2 Address Unauthorized Assets {unauthorized asset} Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. CIS Control 1: Inventory and Control of Enterprise Assets] | Configuration | Corrective | |
| Establish, implement, and maintain a penetration test program. CC ID 01105 [Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. CIS Control 18: Safeguard 18.4 Validate Security Measures Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Behavior | Preventive | |
| Align the penetration test program with industry standards. CC ID 12469 | Establish/Maintain Documentation | Preventive | |
| Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 [{annual basis} Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.2 Perform Periodic External Penetration Tests Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Establish Roles | Preventive | |
| Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Testing | Preventive | |
| Retain penetration test results according to internal policy. CC ID 10049 | Records Management | Preventive | |
| Retain penetration test remediation action records according to internal policy. CC ID 11629 | Records Management | Preventive | |
| Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Testing | Detective | |
| Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Testing | Corrective | |
| Perform penetration tests, as necessary. CC ID 00655 [Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker. CIS Control 18: Penetration Testing] | Testing | Detective | |
| Perform internal penetration tests, as necessary. CC ID 12471 [{annual basis} Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.5 Perform Periodic Internal Penetration Tests] | Technical Security | Detective | |
| Perform external penetration tests, as necessary. CC ID 12470 [{annual basis} Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.2 Perform Periodic External Penetration Tests] | Technical Security | Detective | |
| Include coverage of all in scope systems during penetration testing. CC ID 11957 [{annual basis} Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.2 Perform Periodic External Penetration Tests] | Testing | Detective | |
| Test the system for broken access controls. CC ID 01319 | Testing | Detective | |
| Test the system for broken authentication and session management. CC ID 01320 | Testing | Detective | |
| Test the system for insecure communications. CC ID 00535 | Testing | Detective | |
| Test the system for cross-site scripting attacks. CC ID 01321 | Testing | Detective | |
| Test the system for buffer overflows. CC ID 01322 | Testing | Detective | |
| Test the system for injection flaws. CC ID 01323 | Testing | Detective | |
| Ensure protocols are free from injection flaws. CC ID 16401 | Process or Activity | Preventive | |
| Test the system for Denial of Service. CC ID 01326 | Testing | Detective | |
| Test the system for insecure configuration management. CC ID 01327 | Testing | Detective | |
| Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Testing | Detective | |
| Test the system for cross-site request forgery. CC ID 06296 | Testing | Detective | |
| Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 [Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. CIS Control 16: Safeguard 16.13 Conduct Application Penetration Testing] | Technical Security | Detective | |
| Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Technical Security | Detective | |
| Verify segmentation controls are operational and effective. CC ID 12545 | Audits and Risk Management | Detective | |
| Repeat penetration testing, as necessary. CC ID 06860 | Testing | Detective | |
| Test the system for covert channels. CC ID 10652 | Testing | Detective | |
| Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Technical Security | Preventive | |
| Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Technical Security | Detective | |
| Reduce the maximum bandwidth of covert channels. CC ID 10655 | Technical Security | Corrective | |
| Test systems to determine which covert channels might be exploited. CC ID 10654 | Testing | Detective | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [{annual basis} Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 7: Safeguard 7.1 Establish and Maintain a Vulnerability Management Process {annual basis} Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 7: Safeguard 7.1 Establish and Maintain a Vulnerability Management Process Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. CIS Control 7: Continuous Vulnerability Management {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. CIS Control 16: Safeguard 16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities] | Establish/Maintain Documentation | Preventive | |
| Perform vulnerability scans, as necessary. CC ID 11637 [{quarterly basis} {authenticated vulnerability scan} {unauthenticated vulnerability scan} Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans. CIS Control 7: Safeguard 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets] | Technical Security | Detective | |
| Conduct scanning activities in a test environment. CC ID 17036 | Testing | Preventive | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 [{monthly basis} Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets] | Testing | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 | Technical Security | Detective | |
| Rank discovered vulnerabilities. CC ID 11940 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. CIS Control 16: Safeguard 16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities] | Investigate | Detective | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Technical Security | Preventive | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Technical Security | Detective | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Communicate | Preventive | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Technical Security | Detective | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 [{monthly basis} Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets] | Testing | Detective | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective | |
| Implement scanning tools, as necessary. CC ID 14282 | Technical Security | Detective | |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Configuration | Corrective | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Technical Security | Detective | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Technical Security | Detective | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Business Processes | Preventive | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Technical Security | Detective | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Behavior | Corrective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Technical Security | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Technical Security | Detective | |
| Test the system for unvalidated input. CC ID 01318 | Testing | Detective | |
| Test the system for proper error handling. CC ID 01324 | Testing | Detective | |
| Test the system for insecure data storage. CC ID 01325 | Testing | Detective | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Testing | Detective | |
| Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 [Remediate penetration test findings based on the enterprise's documented vulnerability remediation process. This should include determining a timeline and level of effort based on the impact and prioritization of each identified finding. CIS Control 18: Safeguard 18.3 Remediate Penetration Test Findings] | Technical Security | Corrective | |
| Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Configuration | Corrective | |
| Correct or mitigate vulnerabilities. CC ID 12497 [{monthly basis} Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process. CIS Control 7: Safeguard 7.7 Remediate Detected Vulnerabilities {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program Remediate penetration test findings based on the enterprise's documented vulnerability remediation process. This should include determining a timeline and level of effort based on the impact and prioritization of each identified finding. CIS Control 18: Safeguard 18.3 Remediate Penetration Test Findings] | Technical Security | Corrective | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Technical Security | Corrective | |
| Define the test frequency for each testing program. CC ID 13176 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 [{monthly basis} Tune security event alerting thresholds monthly, or more frequently. CIS Control 13: Safeguard 13.11 Tune Security Event Alerting Thresholds] | Log Management | Preventive | |
| Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Log Management | Detective | |
| Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Log Management | Detective | |
| Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Log Management | Detective | |
| Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Business Processes | Preventive | |
| Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Actionable Reports or Measurements | Detective | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Actionable Reports or Measurements | Detective | |
| Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Actionable Reports or Measurements | Detective | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
| Establish, implement, and maintain a log management program. CC ID 00673 [{annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Establish/Maintain Documentation | Preventive | |
| Include transfer procedures in the log management program. CC ID 17077 | Establish/Maintain Documentation | Preventive | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Technical Security | Preventive | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Log Management | Preventive | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 | Technical Security | Preventive | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Log Management | Preventive | |
| Back up audit trails according to backup procedures. CC ID 11642 | Systems Continuity | Preventive | |
| Back up logs according to backup procedures. CC ID 01344 | Log Management | Preventive | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Log Management | Preventive | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Log Management | Preventive | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Log Management | Preventive | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Log Management | Preventive | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Log Management | Preventive | |
| Protect logs from unauthorized activity. CC ID 01345 | Log Management | Preventive | |
| Perform testing and validating activities on all logs. CC ID 06322 | Log Management | Preventive | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Log Management | Preventive | |
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Configuration | Preventive | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Log Management | Preventive | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain a corrective action plan. CC ID 00675 [{monthly basis} Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. CIS Control 7: Safeguard 7.2 Establish and Maintain Remediation Process] | Monitor and Evaluate Occurrences | Detective | |
| Align corrective actions with the level of environmental impact. CC ID 15193 | Business Processes | Preventive | |
| Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Actionable Reports or Measurements | Preventive | |
| Include roles and responsibilities in the corrective action plan. CC ID 16926 | Establish/Maintain Documentation | Preventive | |
| Include risks and opportunities in the corrective action plan. CC ID 15178 | Establish/Maintain Documentation | Preventive | |
| Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Establish/Maintain Documentation | Preventive | |
| Include environmental aspects in the corrective action plan. CC ID 15177 | Establish/Maintain Documentation | Preventive | |
| Include the completion date in the corrective action plan. CC ID 13272 | Establish/Maintain Documentation | Preventive | |
| Include monitoring in the corrective action plan. CC ID 11645 [{monthly basis} Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. CIS Control 7: Safeguard 7.2 Establish and Maintain Remediation Process] | Monitor and Evaluate Occurrences | Detective | |
| Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Communicate | Preventive | |
Operational and Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 [Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. CIS Control 11: Data Recovery {annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process {annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
| Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Establish/Maintain Documentation | Preventive | |
| Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
| Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
| Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Establish/Maintain Documentation | Preventive | |
| Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
| Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 [{annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Establish/Maintain Documentation | Preventive | |
| Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for activation in the recovery plan. CC ID 13293 | Establish/Maintain Documentation | Preventive | |
| Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
| Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 [{be equivalent} Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. CIS Control 11: Safeguard 11.3 Protect Recovery Data] | Establish/Maintain Documentation | Preventive | |
| Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
| Test the recovery plan, as necessary. CC ID 13290 [{quarterly basis} Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets. CIS Control 11: Safeguard 11.5 Test Data Recovery] | Testing | Detective | |
| Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
| Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
| Include restoration procedures in the continuity plan. CC ID 01169 | Establish Roles | Preventive | |
| Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [{annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
| Include the protection of personnel in the continuity plan. CC ID 06378 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a critical personnel list. CC ID 00739 [{annual basis} Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, service providers, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. CIS Control 17: Safeguard 17.2 Establish and Maintain Contact Information for Reporting Security Incidents] | Establish/Maintain Documentation | Detective | |
| Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Human Resources Management | Preventive | |
| Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Establish/Maintain Documentation | Preventive | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Systems Continuity | Preventive | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 [{weekly basis} Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. CIS Control 11: Safeguard 11.2 Perform Automated Backups] | Systems Continuity | Preventive | |
| Perform backup procedures for in scope systems. CC ID 11692 [{weekly basis} Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. CIS Control 11: Safeguard 11.2 Perform Automated Backups] | Process or Activity | Preventive | |
| Perform full backups in accordance with organizational standards. CC ID 16376 | Data and Information Management | Preventive | |
| Perform incremental backups in accordance with organizational standards. CC ID 16375 | Data and Information Management | Preventive | |
| Back up all records. CC ID 11974 | Systems Continuity | Preventive | |
| Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Data and Information Management | Preventive | |
| Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Establish/Maintain Documentation | Preventive | |
| Encrypt backup data. CC ID 00958 [{be equivalent} Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. CIS Control 11: Safeguard 11.3 Protect Recovery Data] | Configuration | Preventive | |
| Log the execution of each backup. CC ID 00956 | Establish/Maintain Documentation | Preventive | |
| Test backup media for media integrity and information integrity, as necessary. CC ID 01401 | Testing | Detective | |
| Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Testing | Detective | |
| Test each restored system for media integrity and information integrity. CC ID 01920 | Testing | Detective | |
| Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Testing | Corrective | |
| Digitally sign disk images, as necessary. CC ID 06814 | Establish/Maintain Documentation | Preventive | |
| Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 | Systems Continuity | Preventive | |
| Protect backup systems and restoration systems at the alternate facility. CC ID 04883 [{annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Systems Continuity | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 [{annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding] | Business Processes | Preventive | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Establish/Maintain Documentation | Preventive | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 [Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. CIS Control 4: Safeguard 4.7 Manage Default Accounts on Enterprise Assets and Software Centralize account management through a directory or identity service. CIS Control 5: Safeguard 5.6 Centralize Account Management] | Establish/Maintain Documentation | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows {annual basis} Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. CIS Control 15: Safeguard 15.4 Ensure Service Provider Contracts Include Security Requirements] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a network management program. CC ID 13123 [{monthly basis} Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. CIS Control 12: Safeguard 12.1 Ensure Network Infrastructure is Up-to-Date Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS. CIS Control 12: Safeguard 12.3 Securely Manage Network Infrastructure] | Establish/Maintain Documentation | Preventive | |
| Include quality of service requirements in the network management program. CC ID 16429 | Establish/Maintain Documentation | Preventive | |
| Document the network design in the network management program. CC ID 13135 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain network documentation. CC ID 16497 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the network standard to all interested personnel and affected parties. CC ID 13129 | Communicate | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 [{unauthorized asset} Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. CIS Control 1: Inventory and Control of Enterprise Assets Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software] | Business Processes | Preventive | |
| Establish, implement, and maintain an asset management policy. CC ID 15219 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the asset management policy. CC ID 16424 | Business Processes | Preventive | |
| Establish, implement, and maintain asset management procedures. CC ID 16748 | Establish/Maintain Documentation | Preventive | |
| Assign an information owner to organizational assets, as necessary. CC ID 12729 | Human Resources Management | Preventive | |
| Define the requirements for where assets can be located. CC ID 17051 | Business Processes | Preventive | |
| Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Business Processes | Preventive | |
| Include life cycle requirements in the security management program. CC ID 16392 | Establish/Maintain Documentation | Preventive | |
| Include program objectives in the asset management program. CC ID 14413 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continual improvement in the asset management program. CC ID 14412 | Establish/Maintain Documentation | Preventive | |
| Include compliance with applicable requirements in the asset management program. CC ID 14411 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Business Processes | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Establish/Maintain Documentation | Preventive | |
| Define confidentiality controls. CC ID 01908 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the systems' availability level. CC ID 01905 [Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Establish/Maintain Documentation | Preventive | |
| Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Process or Activity | Preventive | |
| Define integrity controls. CC ID 01909 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Establish/Maintain Documentation | Preventive | |
| Define availability controls. CC ID 01911 | Establish/Maintain Documentation | Preventive | |
| Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Communicate | Preventive | |
| Classify assets according to the Asset Classification Policy. CC ID 07186 | Establish Roles | Preventive | |
| Classify virtual systems by type and purpose. CC ID 16332 | Business Processes | Preventive | |
| Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Establish/Maintain Documentation | Preventive | |
| Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Establish Roles | Preventive | |
| Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 [{data storage}{be lower than} Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. CIS Control 3: Safeguard 3.12 Segment Data Processing and Storage Based on Sensitivity] | Configuration | Preventive | |
| Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 [{annual basis}{authentication system} Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. CIS Control 6: Safeguard 6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {weekly basis} Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. CIS Control 1: Safeguard 1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory] | Business Processes | Preventive | |
| Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [{weekly basis} Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. CIS Control 1: Safeguard 1.5 Use a Passive Asset Discovery Tool {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Establish/Maintain Documentation | Preventive | |
| Include all account types in the Information Technology inventory. CC ID 13311 [{user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Establish/Maintain Documentation | Preventive | |
| Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Systems Design, Build, and Implementation | Preventive | |
| Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Data and Information Management | Preventive | |
| Include each Information System's major applications in the Information Technology inventory. CC ID 01407 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Establish/Maintain Documentation | Preventive | |
| Categorize all major applications according to the business information they process. CC ID 07182 | Establish/Maintain Documentation | Preventive | |
| Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Establish/Maintain Documentation | Preventive | |
| Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Establish/Maintain Documentation | Preventive | |
| Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Establish/Maintain Documentation | Preventive | |
| Conduct environmental surveys. CC ID 00690 | Physical and Environmental Protection | Preventive | |
| Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a hardware asset inventory. CC ID 00691 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Establish/Maintain Documentation | Preventive | |
| Include network equipment in the Information Technology inventory. CC ID 00693 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Establish/Maintain Documentation | Preventive | |
| Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Establish/Maintain Documentation | Preventive | |
| Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Process or Activity | Preventive | |
| Include software in the Information Technology inventory. CC ID 00692 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 [{unauthorized software} Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. CIS Control 2: Inventory and Control of Software Assets {monthly basis} Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. CIS Control 12: Safeguard 12.1 Ensure Network Infrastructure is Up-to-Date {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a storage media inventory. CC ID 00694 | Establish/Maintain Documentation | Preventive | |
| Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 [{annual basis} Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. CIS Control 3: Safeguard 3.2 Establish and Maintain a Data Inventory {annual basis} Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. CIS Control 3: Safeguard 3.2 Establish and Maintain a Data Inventory Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory. CIS Control 3: Safeguard 3.13 Deploy a Data Loss Prevention Solution] | Establish/Maintain Documentation | Preventive | |
| Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Establish/Maintain Documentation | Preventive | |
| Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Monitor and Evaluate Occurrences | Corrective | |
| Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Monitor and Evaluate Occurrences | Corrective | |
| Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Establish/Maintain Documentation | Preventive | |
| Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 [{daily basis} Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently. CIS Control 1: Safeguard 1.3 Utilize an Active Discovery Tool Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software. CIS Control 2: Safeguard 2.4 Utilize Automated Software Inventory Tools] | Technical Security | Preventive | |
| Link the authentication system to the asset inventory. CC ID 13718 | Technical Security | Preventive | |
| Record a unique name for each asset in the asset inventory. CC ID 16305 | Data and Information Management | Preventive | |
| Record the decommission date for applicable assets in the asset inventory. CC ID 14920 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Establish/Maintain Documentation | Preventive | |
| Record the status of information systems in the asset inventory. CC ID 16304 | Data and Information Management | Preventive | |
| Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Data and Information Management | Preventive | |
| Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Establish/Maintain Documentation | Preventive | |
| Include source code in the asset inventory. CC ID 14858 | Records Management | Preventive | |
| Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Human Resources Management | Preventive | |
| Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Technical Security | Detective | |
| Record the review date for applicable assets in the asset inventory. CC ID 14919 [{quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts] | Establish/Maintain Documentation | Preventive | |
| Record software license information for each asset in the asset inventory. CC ID 11736 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Data and Information Management | Preventive | |
| Record services for applicable assets in the asset inventory. CC ID 13733 | Establish/Maintain Documentation | Preventive | |
| Record protocols for applicable assets in the asset inventory. CC ID 13734 | Establish/Maintain Documentation | Preventive | |
| Record the software version in the asset inventory. CC ID 12196 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Establish/Maintain Documentation | Preventive | |
| Record the publisher for applicable assets in the asset inventory. CC ID 13725 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Establish/Maintain Documentation | Preventive | |
| Record the authentication system in the asset inventory. CC ID 13724 [{annual basis}{authentication system} Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. CIS Control 6: Safeguard 6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems] | Establish/Maintain Documentation | Preventive | |
| Tag unsupported assets in the asset inventory. CC ID 13723 | Establish/Maintain Documentation | Preventive | |
| Record the install date for applicable assets in the asset inventory. CC ID 13720 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Establish/Maintain Documentation | Preventive | |
| Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 | Establish/Maintain Documentation | Preventive | |
| Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Establish/Maintain Documentation | Preventive | |
| Record the host name of applicable assets in the asset inventory. CC ID 13722 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Establish/Maintain Documentation | Preventive | |
| Record network ports for applicable assets in the asset inventory. CC ID 13730 | Establish/Maintain Documentation | Preventive | |
| Record the MAC address for applicable assets in the asset inventory. CC ID 13721 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Establish/Maintain Documentation | Preventive | |
| Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Data and Information Management | Preventive | |
| Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Establish/Maintain Documentation | Preventive | |
| Record rooms at external locations in the asset inventory. CC ID 16302 | Data and Information Management | Preventive | |
| Record the department associated with the asset in the asset inventory. CC ID 12084 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Establish/Maintain Documentation | Preventive | |
| Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Establish/Maintain Documentation | Preventive | |
| Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Establish/Maintain Documentation | Preventive | |
| Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Establish/Maintain Documentation | Preventive | |
| Record the related business function for applicable assets in the asset inventory. CC ID 06636 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Establish/Maintain Documentation | Preventive | |
| Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Establish/Maintain Documentation | Preventive | |
| Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Establish/Maintain Documentation | Preventive | |
| Record trusted keys and certificates in the asset inventory. CC ID 15486 | Data and Information Management | Preventive | |
| Record cipher suites and protocols in the asset inventory. CC ID 15489 | Data and Information Management | Preventive | |
| Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Establish/Maintain Documentation | Preventive | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts] | Establish/Maintain Documentation | Preventive | |
| Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Establish/Maintain Documentation | Preventive | |
| Record all changes to assets in the asset inventory. CC ID 12190 | Establish/Maintain Documentation | Preventive | |
| Record cloud service derived data in the asset inventory. CC ID 13007 | Establish/Maintain Documentation | Preventive | |
| Include cloud service customer data in the asset inventory. CC ID 13006 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a software accountability policy. CC ID 00868 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software asset management procedures. CC ID 00895 [{unauthorized software} Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. CIS Control 2: Inventory and Control of Software Assets Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software] | Establish/Maintain Documentation | Preventive | |
| Prevent users from disabling required software. CC ID 16417 | Technical Security | Preventive | |
| Establish, implement, and maintain software archives procedures. CC ID 00866 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software distribution procedures. CC ID 00894 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software license management procedures. CC ID 06639 | Establish/Maintain Documentation | Preventive | |
| Automate software license monitoring, as necessary. CC ID 07057 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system redeployment program. CC ID 06276 | Establish/Maintain Documentation | Preventive | |
| Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Testing | Detective | |
| Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Behavior | Preventive | |
| Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Data and Information Management | Preventive | |
| Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 | Configuration | Preventive | |
| Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Acquisition/Sale of Assets or Services | Preventive | |
| Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Establish/Maintain Documentation | Preventive | |
| Redeploy systems to other organizational units, as necessary. CC ID 11452 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system disposal program. CC ID 14431 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain disposal procedures. CC ID 16513 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Establish/Maintain Documentation | Preventive | |
| Destroy systems in accordance with the system disposal program. CC ID 16457 | Business Processes | Preventive | |
| Approve the release of systems and waste material into the public domain. CC ID 16461 | Business Processes | Preventive | |
| Establish, implement, and maintain system destruction procedures. CC ID 16474 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain maintenance reports. CC ID 11749 | Establish/Maintain Documentation | Preventive | |
| Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Maintenance | Preventive | |
| Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Maintenance | Preventive | |
| Include roles and responsibilities in the maintenance report. CC ID 17086 | Maintenance | Preventive | |
| Include the date and time of maintenance in the maintenance report. CC ID 17085 | Maintenance | Preventive | |
| Establish and maintain system inspection reports. CC ID 06346 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the system maintenance policy. CC ID 14217 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the system maintenance policy. CC ID 14216 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the system maintenance policy. CC ID 14214 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Communicate | Preventive | |
| Include the purpose in the system maintenance policy. CC ID 14187 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Communicate | Preventive | |
| Establish, implement, and maintain a technology refresh plan. CC ID 13061 [Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise. CIS Control 16: Application Software Security] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Establish/Maintain Documentation | Preventive | |
| Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Communicate | Preventive | |
| Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Physical and Environmental Protection | Preventive | |
| Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Behavior | Preventive | |
| Use system components only when third party support is available. CC ID 10644 | Maintenance | Preventive | |
| Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Process or Activity | Preventive | |
| Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Maintenance | Preventive | |
| Control and monitor all maintenance tools. CC ID 01432 | Physical and Environmental Protection | Detective | |
| Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Business Processes | Preventive | |
| Control remote maintenance according to the system's asset classification. CC ID 01433 | Technical Security | Preventive | |
| Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Configuration | Preventive | |
| Approve all remote maintenance sessions. CC ID 10615 | Technical Security | Preventive | |
| Log the performance of all remote maintenance. CC ID 13202 | Log Management | Preventive | |
| Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Technical Security | Preventive | |
| Conduct offsite maintenance in authorized facilities. CC ID 16473 | Maintenance | Preventive | |
| Conduct maintenance with authorized personnel. CC ID 01434 | Testing | Detective | |
| Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Maintenance | Preventive | |
| Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Maintenance | Preventive | |
| Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Behavior | Preventive | |
| Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Establish/Maintain Documentation | Preventive | |
| Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Acquisition/Sale of Assets or Services | Preventive | |
| Perform periodic maintenance according to organizational standards. CC ID 01435 | Behavior | Preventive | |
| Restart systems on a periodic basis. CC ID 16498 | Maintenance | Preventive | |
| Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Maintenance | Preventive | |
| Employ dedicated systems during system maintenance. CC ID 12108 [Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. CIS Control 12: Safeguard 12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work] | Technical Security | Preventive | |
| Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 [Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. CIS Control 12: Safeguard 12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work] | Technical Security | Preventive | |
| Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Human Resources Management | Preventive | |
| Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Physical and Environmental Protection | Preventive | |
| Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Testing | Detective | |
| Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Establish/Maintain Documentation | Preventive | |
| Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Process or Activity | Preventive | |
| Refrain from protecting physical assets when no longer required. CC ID 13484 | Physical and Environmental Protection | Corrective | |
| Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Business Processes | Preventive | |
| Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Communicate | Preventive | |
| Dispose of hardware and software at their life cycle end. CC ID 06278 | Business Processes | Preventive | |
| Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Business Processes | Preventive | |
| Establish, implement, and maintain disposal contracts. CC ID 12199 | Establish/Maintain Documentation | Preventive | |
| Include disposal procedures in disposal contracts. CC ID 13905 | Establish/Maintain Documentation | Preventive | |
| Remove asset tags prior to disposal of an asset. CC ID 12198 | Business Processes | Preventive | |
| Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Establish/Maintain Documentation | Preventive | |
| Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Testing | Detective | |
| Review each system's operational readiness. CC ID 06275 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain an unauthorized software list. CC ID 10601 [{monthly basis} Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. CIS Control 2: Safeguard 2.3 Address Unauthorized Software {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [{annual basis} Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat, or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.6 Define Mechanisms for Communicating During Incident Response] | Business Processes | Preventive | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Communicate | Preventive | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 [Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling] | Human Resources Management | Preventive | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Establish/Maintain Documentation | Preventive | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Establish/Maintain Documentation | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds] | Establish/Maintain Documentation | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 [{annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds] | Establish/Maintain Documentation | Preventive | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Business Processes | Detective | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Establish/Maintain Documentation | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
| Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 [{annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds {annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds] | Establish/Maintain Documentation | Preventive | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Monitor and Evaluate Occurrences | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Investigate | Detective | |
| Respond to and triage when an incident is detected. CC ID 06942 | Monitor and Evaluate Occurrences | Detective | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Establish/Maintain Documentation | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Process or Activity | Corrective | |
| Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
| Refrain from accessing compromised systems. CC ID 01752 | Technical Security | Corrective | |
| Isolate compromised systems from the network. CC ID 01753 | Technical Security | Corrective | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Log Management | Corrective | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Technical Security | Corrective | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Investigate | Detective | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Establish/Maintain Documentation | Preventive | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Establish/Maintain Documentation | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Establish/Maintain Documentation | Detective | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Establish/Maintain Documentation | Detective | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Testing | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
| Analyze the incident response process following an incident response. CC ID 13179 | Investigate | Detective | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Data and Information Management | Corrective | |
| Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
| Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
| Remediate security violations according to organizational standards. CC ID 12338 | Business Processes | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Behavior | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
| Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
| Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
| Include information required by law in incident response notifications. CC ID 00802 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Establish/Maintain Documentation | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
| Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
| Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Establish/Maintain Documentation | Corrective | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Technical Security | Corrective | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Business Processes | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Establish/Maintain Documentation | Preventive | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Human Resources Management | Corrective | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Establish/Maintain Documentation | Preventive | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Monitor and Evaluate Occurrences | Detective | |
| Re-image compromised systems with secure builds. CC ID 12086 | Technical Security | Corrective | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Monitor and Evaluate Occurrences | Preventive | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Investigate | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Establish/Maintain Documentation | Preventive | |
| Test incident monitoring procedures. CC ID 13194 | Testing | Detective | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Establish/Maintain Documentation | Preventive | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Technical Security | Preventive | |
| Include incident management procedures in the Incident Management program. CC ID 12689 [Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Establish/Maintain Documentation | Corrective | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Establish/Maintain Documentation | Preventive | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 [Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. CIS Control 17: Safeguard 17.8 Conduct Post-Incident Reviews] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Establish/Maintain Documentation | Preventive | |
| Conduct incident investigations, as necessary. CC ID 13826 | Process or Activity | Detective | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Investigate | Detective | |
| Identify the affected parties during incident investigations. CC ID 16781 | Investigate | Detective | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Investigate | Detective | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Investigate | Detective | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Establish/Maintain Documentation | Preventive | |
| Destroy investigative materials, as necessary. CC ID 17082 | Data and Information Management | Preventive | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Records Management | Preventive | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Establish/Maintain Documentation | Preventive | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Log Management | Preventive | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Log Management | Preventive | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Establish/Maintain Documentation | Preventive | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Log Management | Corrective | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Log Management | Preventive | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Establish/Maintain Documentation | Preventive | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Establish/Maintain Documentation | Preventive | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Establish/Maintain Documentation | Preventive | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents {annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents {annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents {annual basis} Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat, or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.6 Define Mechanisms for Communicating During Incident Response] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Communicate | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 [Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack. CIS Control 17: Incident Response Management] | Establish/Maintain Documentation | Preventive | |
| Create an incident response report. CC ID 12700 | Establish/Maintain Documentation | Preventive | |
| Include how the incident was discovered in the incident response report. CC ID 16987 | Establish/Maintain Documentation | Preventive | |
| Include the categories of data that were compromised in the incident response report. CC ID 16985 | Establish/Maintain Documentation | Preventive | |
| Include disciplinary actions taken in the incident response report. CC ID 16810 | Establish/Maintain Documentation | Preventive | |
| Include the persons responsible for the incident in the incident response report. CC ID 16808 | Establish/Maintain Documentation | Preventive | |
| Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Establish/Maintain Documentation | Preventive | |
| Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Establish/Maintain Documentation | Preventive | |
| Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Establish/Maintain Documentation | Preventive | |
| Include investments associated with the incident in the incident response report. CC ID 12726 | Establish/Maintain Documentation | Preventive | |
| Include costs associated with the incident in the incident response report. CC ID 12725 | Establish/Maintain Documentation | Preventive | |
| Include losses due to the incident in the incident response report. CC ID 12724 | Establish/Maintain Documentation | Preventive | |
| Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Establish/Maintain Documentation | Preventive | |
| Include foregone revenue from the incident in the incident response report. CC ID 12723 | Establish/Maintain Documentation | Preventive | |
| Include the magnitude of the incident in the incident response report. CC ID 12722 | Establish/Maintain Documentation | Preventive | |
| Include implications of the incident in the incident response report. CC ID 12721 | Establish/Maintain Documentation | Preventive | |
| Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Establish/Maintain Documentation | Preventive | |
| Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Establish/Maintain Documentation | Preventive | |
| Include information on all affected assets in the incident response report. CC ID 12718 | Establish/Maintain Documentation | Preventive | |
| Include the scope of the incident in the incident response report. CC ID 12717 | Establish/Maintain Documentation | Preventive | |
| Include the duration of the incident in the incident response report. CC ID 12716 | Establish/Maintain Documentation | Preventive | |
| Include the extent of the incident in the incident response report. CC ID 12715 | Establish/Maintain Documentation | Preventive | |
| Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Establish/Maintain Documentation | Preventive | |
| Include the reasons the incident occurred in the incident response report. CC ID 12711 | Establish/Maintain Documentation | Preventive | |
| Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Establish/Maintain Documentation | Preventive | |
| Include lessons learned from the incident in the incident response report. CC ID 12713 [Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. CIS Control 17: Safeguard 17.8 Conduct Post-Incident Reviews] | Establish/Maintain Documentation | Preventive | |
| Include where the incident occurred in the incident response report. CC ID 12710 | Establish/Maintain Documentation | Preventive | |
| Include when the incident occurred in the incident response report. CC ID 12709 | Establish/Maintain Documentation | Preventive | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. CIS Control 17: Safeguard 17.8 Conduct Post-Incident Reviews] | Establish/Maintain Documentation | Preventive | |
| Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Establish/Maintain Documentation | Preventive | |
| Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Establish/Maintain Documentation | Preventive | |
| Include an executive summary of the incident in the incident response report. CC ID 12702 | Establish/Maintain Documentation | Preventive | |
| Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Establish/Maintain Documentation | Preventive | |
| Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Communicate | Preventive | |
| Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Acquisition/Sale of Assets or Services | Preventive | |
| Define target resolution times for incident response in the Incident Response program. CC ID 13072 | Establish/Maintain Documentation | Preventive | |
| Analyze and respond to security alerts. CC ID 12504 | Business Processes | Detective | |
| Mitigate reported incidents. CC ID 12973 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain an incident response plan. CC ID 12056 | Establish/Maintain Documentation | Preventive | |
| Include addressing external communications in the incident response plan. CC ID 13351 | Establish/Maintain Documentation | Preventive | |
| Include addressing internal communications in the incident response plan. CC ID 13350 | Establish/Maintain Documentation | Preventive | |
| Include change control procedures in the incident response plan. CC ID 15479 | Establish/Maintain Documentation | Preventive | |
| Include addressing information sharing in the incident response plan. CC ID 13349 | Establish/Maintain Documentation | Preventive | |
| Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Establish/Maintain Documentation | Preventive | |
| Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Establish/Maintain Documentation | Preventive | |
| Include the management support needed for incident response in the incident response plan. CC ID 14300 | Establish/Maintain Documentation | Preventive | |
| Include root cause analysis in the incident response plan. CC ID 16423 | Establish/Maintain Documentation | Preventive | |
| Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Establish/Maintain Documentation | Preventive | |
| Include the resources needed for incident response in the incident response plan. CC ID 14292 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 | Communicate | Preventive | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Establish/Maintain Documentation | Preventive | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process {annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities {annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Establish Roles | Preventive | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Establish Roles | Preventive | |
| Open a priority incident request after a security breach is detected. CC ID 04838 | Testing | Corrective | |
| Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Testing | Corrective | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Communicate | Corrective | |
| Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Establish Roles | Preventive | |
| Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Establish Roles | Preventive | |
| Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Establish Roles | Preventive | |
| Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Establish Roles | Preventive | |
| Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Establish Roles | Preventive | |
| Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Establish Roles | Preventive | |
| Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Establish Roles | Preventive | |
| Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Establish Roles | Preventive | |
| Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Establish Roles | Preventive | |
| Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Human Resources Management | Preventive | |
| Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 [{annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Investigate | Detective | |
| Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Establish/Maintain Documentation | Preventive | |
| Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Communicate | Preventive | |
| Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 [{annual basis} Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, service providers, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. CIS Control 17: Safeguard 17.2 Establish and Maintain Contact Information for Reporting Security Incidents {annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Establish/Maintain Documentation | Preventive | |
| Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 | Establish/Maintain Documentation | Preventive | |
| Include identifying remediation actions in the incident response plan. CC ID 13354 | Establish/Maintain Documentation | Preventive | |
| Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 | Establish/Maintain Documentation | Preventive | |
| Include log management procedures in the incident response program. CC ID 17081 | Establish/Maintain Documentation | Preventive | |
| Include coverage of all system components in the Incident Response program. CC ID 11955 | Establish/Maintain Documentation | Preventive | |
| Prepare for incident response notifications. CC ID 00584 | Establish/Maintain Documentation | Preventive | |
| Include incident response team services in the Incident Response program. CC ID 11766 | Establish/Maintain Documentation | Preventive | |
| Include the incident response training program in the Incident Response program. CC ID 06750 | Establish/Maintain Documentation | Preventive | |
| Incorporate simulated events into the incident response training program. CC ID 06751 | Behavior | Preventive | |
| Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 | Behavior | Preventive | |
| Conduct incident response training. CC ID 11889 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises] | Training | Preventive | |
| Establish, implement, and maintain an incident response policy. CC ID 14024 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the incident response policy. CC ID 14108 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process] | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the incident response policy. CC ID 14107 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process] | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the incident response policy. CC ID 14106 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the incident response policy. CC ID 14105 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the incident response policy. CC ID 14104 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the incident response policy. CC ID 14101 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Communicate | Preventive | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process {annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process] | Establish/Maintain Documentation | Detective | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Establish/Maintain Documentation | Preventive | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Establish/Maintain Documentation | Preventive | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Technical Security | Corrective | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Technical Security | Corrective | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Technical Security | Corrective | |
| Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 | Behavior | Preventive | |
| Include business continuity procedures in the Incident Response program. CC ID 06433 | Establish/Maintain Documentation | Preventive | |
| Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 | Establish/Maintain Documentation | Preventive | |
| Include consumer protection procedures in the Incident Response program. CC ID 12755 | Systems Continuity | Preventive | |
| Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 | Business Processes | Preventive | |
| Establish trust between the incident response team and the end user community during an incident. CC ID 01217 | Testing | Detective | |
| Include business recovery procedures in the Incident Response program. CC ID 11774 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Establish/Maintain Documentation | Preventive | |
| Retain collected evidence for potential future legal actions. CC ID 01235 | Records Management | Preventive | |
| Protect devices containing digital forensic evidence during transport. CC ID 08687 | Investigate | Detective | |
| Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Investigate | Detective | |
| Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Establish/Maintain Documentation | Detective | |
| Include time information in the chain of custody. CC ID 17068 | Log Management | Preventive | |
| Include actions performed on evidence in the chain of custody. CC ID 17067 | Log Management | Preventive | |
| Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Log Management | Preventive | |
| Define the business scenarios that require digital forensic evidence. CC ID 08653 | Establish/Maintain Documentation | Preventive | |
| Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Establish/Maintain Documentation | Preventive | |
| Conduct forensic investigations in the event of a security compromise. CC ID 11951 | Investigate | Corrective | |
| Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Communicate | Detective | |
| Identify potential sources of digital forensic evidence. CC ID 08651 | Investigate | Preventive | |
| Document the legal requirements for evidence collection. CC ID 08654 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Records Management | Preventive | |
| Prepare digital forensic equipment. CC ID 08688 | Investigate | Detective | |
| Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Investigate | Detective | |
| Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Investigate | Detective | |
| Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Establish/Maintain Documentation | Detective | |
| Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Testing | Detective | |
| Maintain digital forensic equipment for proper performance. CC ID 08689 | Investigate | Detective | |
| Collect evidence from the incident scene. CC ID 02236 | Business Processes | Corrective | |
| Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Establish/Maintain Documentation | Detective | |
| Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Establish/Maintain Documentation | Detective | |
| Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Establish/Maintain Documentation | Detective | |
| Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Establish/Maintain Documentation | Detective | |
| Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Establish/Maintain Documentation | Detective | |
| Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Investigate | Detective | |
| Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Investigate | Detective | |
| Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Investigate | Detective | |
| Secure devices containing digital forensic evidence. CC ID 08681 | Investigate | Detective | |
| Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Investigate | Detective | |
| Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Investigate | Detective | |
| Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Investigate | Detective | |
| Shut down stand alone devices containing digital forensic evidence. CC ID 08682 | Investigate | Detective | |
| Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Investigate | Detective | |
| Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Investigate | Detective | |
| Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 | Actionable Reports or Measurements | Preventive | |
| Test the incident response procedures. CC ID 01216 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises] | Testing | Detective | |
| Document the results of incident response tests and provide them to senior management. CC ID 14857 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a patch management program. CC ID 00896 | Process or Activity | Preventive | |
| Deploy software patches in accordance with organizational standards. CC ID 07032 | Configuration | Corrective | |
| Patch software. CC ID 11825 [{monthly basis} Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.4 Perform Automated Application Patch Management] | Technical Security | Corrective | |
| Patch the operating system, as necessary. CC ID 11824 [{monthly basis} Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.3 Perform Operating System Patch Management] | Technical Security | Corrective | |
Physical and environmental protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Data and Information Management | Preventive | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 [Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services. CIS Control 11: Safeguard 11.4 Establish and Maintain an Isolated Instance of Recovery Data] | Records Management | Preventive | |
| Protect distributed assets against theft. CC ID 06799 | Physical and Environmental Protection | Preventive | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 [{be appropriate} Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise. CIS Control 4: Safeguard 4.11 Enforce Remote Wipe Capability on Portable End-User Devices] | Process or Activity | Corrective | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Establish/Maintain Documentation | Preventive | |
| Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Process or Activity | Preventive | |
| Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Establish/Maintain Documentation | Preventive | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Business Processes | Preventive | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Establish/Maintain Documentation | Preventive | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Establish/Maintain Documentation | Preventive | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and Environmental Protection | Preventive | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Establish/Maintain Documentation | Preventive | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Establish/Maintain Documentation | Preventive | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Establish/Maintain Documentation | Preventive | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and Environmental Protection | Preventive | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Data and Information Management | Preventive | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and Environmental Protection | Preventive | |
| Encrypt information stored on mobile devices. CC ID 01422 | Data and Information Management | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection {annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
| Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
| Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 | Technical Security | Preventive | |
| Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
| Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
| Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
| Search the Internet for evidence of data leakage. CC ID 10419 [Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers] | Process or Activity | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
| Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Data and Information Management | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Data and Information Management | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Data and Information Management | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Data and Information Management | Preventive | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Communicate | Preventive | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 | Establish/Maintain Documentation | Preventive | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Establish/Maintain Documentation | Preventive | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Data and Information Management | Preventive | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Data and Information Management | Preventive | |
| Define an out of scope privacy breach. CC ID 04677 | Establish/Maintain Documentation | Preventive | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Business Processes | Preventive | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Monitor and Evaluate Occurrences | Preventive | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Monitor and Evaluate Occurrences | Preventive | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Monitor and Evaluate Occurrences | Preventive | |
| Conduct internal data processing audits. CC ID 00374 | Testing | Detective | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Communicate | Preventive | |
Records management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an information management program. CC ID 14315 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process {annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Establish/Maintain Documentation | Preventive | |
| Ensure data sets have the appropriate characteristics. CC ID 15000 | Data and Information Management | Detective | |
| Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 | Data and Information Management | Detective | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain a data retention program. CC ID 00906 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines. CIS Control 3: Safeguard 3.4 Enforce Data Retention] | Establish/Maintain Documentation | Detective | |
| Store records and data in accordance with organizational standards. CC ID 16439 | Data and Information Management | Preventive | |
| Remove dormant data from systems, as necessary. CC ID 13726 | Process or Activity | Preventive | |
| Select the appropriate format for archived data and records. CC ID 06320 | Data and Information Management | Preventive | |
| Archive appropriate records, logs, and database tables. CC ID 06321 | Records Management | Preventive | |
| Maintain continued integrity for all stored data and stored records. CC ID 00969 | Testing | Detective | |
| Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 | Data and Information Management | Preventive | |
| Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Data and Information Management | Preventive | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines. CIS Control 3: Safeguard 3.4 Enforce Data Retention {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Process or Activity | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 [Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. CIS Control 8: Audit Log Management {stipulated time frame} Retain audit logs across enterprise assets for a minimum of 90 days. CIS Control 8: Safeguard 8.10 Retain Audit Logs] | Records Management | Preventive | |
| Define each system's disposition requirements for records and logs. CC ID 11651 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Process or Activity | Preventive | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection {disposal method} Securely dispose of data as outlined in the enterprise's documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity. CIS Control 3: Safeguard 3.5 Securely Dispose of Data] | Establish/Maintain Documentation | Preventive | |
| Manage the disposition status for all records. CC ID 00972 [{disposal method} Securely dispose of data as outlined in the enterprise's documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity. CIS Control 3: Safeguard 3.5 Securely Dispose of Data] | Records Management | Preventive | |
| Require authorized individuals be present to witness records disposition. CC ID 12313 | Data and Information Management | Preventive | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records Management | Preventive | |
| Place printed records awaiting destruction into secure containers. CC ID 12464 | Physical and Environmental Protection | Preventive | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 | Physical and Environmental Protection | Preventive | |
| Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Data and Information Management | Preventive | |
| Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Establish/Maintain Documentation | Preventive | |
| Maintain disposal records or redeployment records. CC ID 01644 | Establish/Maintain Documentation | Preventive | |
| Include the sanitization method in the disposal record. CC ID 17073 | Log Management | Preventive | |
| Include time information in the disposal record. CC ID 17072 | Log Management | Preventive | |
| Include the name of the signing officer in the disposal record. CC ID 15710 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 | Communicate | Preventive | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
| Capture the records required by organizational compliance requirements. CC ID 00912 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection] | Records Management | Detective | |
| Establish, implement, and maintain authorization records. CC ID 14367 | Establish/Maintain Documentation | Preventive | |
| Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Establish/Maintain Documentation | Preventive | |
| Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Establish/Maintain Documentation | Preventive | |
| Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Establish/Maintain Documentation | Preventive | |
| Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection] | Data and Information Management | Detective | |
| Establish, implement, and maintain electronic health records. CC ID 14436 | Data and Information Management | Preventive | |
| Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Data and Information Management | Preventive | |
| Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records Management | Preventive | |
| Display required information automatically in electronic health records. CC ID 14442 | Process or Activity | Preventive | |
| Create summary of care records in accordance with applicable standards. CC ID 14440 | Establish/Maintain Documentation | Preventive | |
| Provide the patient with a summary of care record, as necessary. CC ID 14441 | Actionable Reports or Measurements | Preventive | |
| Create export summaries, as necessary. CC ID 14446 | Process or Activity | Preventive | |
| Import data files into a patient's electronic health record. CC ID 14448 | Data and Information Management | Preventive | |
| Export requested sections of the electronic health record. CC ID 14447 | Data and Information Management | Preventive | |
| Identify patient-specific education resources. CC ID 14439 | Process or Activity | Detective | |
| Establish and maintain an implantable device list. CC ID 14444 | Records Management | Preventive | |
| Display the implantable device list to authorized users. CC ID 14445 | Data and Information Management | Preventive | |
| Establish, implement, and maintain decision support interventions. CC ID 14443 | Business Processes | Preventive | |
| Include attributes in the decision support intervention. CC ID 16766 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records Management | Preventive | |
| Log the termination date in the recordkeeping system. CC ID 16181 | Records Management | Preventive | |
| Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records Management | Preventive | |
| Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records Management | Preventive | |
| Log records as being received into the recordkeeping system. CC ID 11696 | Records Management | Preventive | |
| Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Log Management | Preventive | |
| Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Log Management | Preventive | |
| Log the number of routine items received into the recordkeeping system. CC ID 11701 | Establish/Maintain Documentation | Preventive | |
| Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Log Management | Preventive | |
| Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Log Management | Preventive | |
| Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Log Management | Preventive | |
| Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Log Management | Preventive | |
| Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Log Management | Preventive | |
| Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Log Management | Preventive | |
| Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Log Management | Preventive | |
| Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Log Management | Preventive | |
| Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Log Management | Preventive | |
| Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Log Management | Preventive | |
| Log performance monitoring into the recordkeeping system. CC ID 11724 | Log Management | Preventive | |
| Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Log Management | Preventive | |
| Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Log Management | Preventive | |
| Establish, implement, and maintain a transfer journal. CC ID 11729 | Records Management | Preventive | |
| Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Log Management | Preventive | |
| Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Log Management | Preventive | |
| Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Log Management | Preventive | |
| Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Log Management | Preventive | |
| Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records Management | Preventive | |
| Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Log Management | Preventive | |
| Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Log Management | Preventive | |
| Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Log Management | Preventive | |
| Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 [{annual basis} Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as "Sensitive," "Confidential," and "Public," and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.7 Establish and Maintain a Data Classification Scheme {annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Data and Information Management | Detective | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Technical Security | Preventive | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records Management | Preventive | |
| Provide encryption for different types of electronic storage media. CC ID 00945 [Encrypt data on removable media. CIS Control 3: Safeguard 3.9 Encrypt Data on Removable Media] | Technical Security | Preventive | |
| Assign ownership for all electronic records. CC ID 14814 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Establish/Maintain Documentation | Preventive | |
| Attribute electronic records, as necessary. CC ID 14820 | Establish/Maintain Documentation | Preventive | |
System hardening through configuration management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 [{annual basis} Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.1 Establish and Maintain a Secure Configuration Process {annual basis} Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 | Business Processes | Preventive | |
| Establish, implement, and maintain appropriate system labeling. CC ID 01900 | Establish/Maintain Documentation | Preventive | |
| Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | Establish/Maintain Documentation | Preventive | |
| Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | Establish/Maintain Documentation | Preventive | |
| Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | Configuration | Preventive | |
| Establish, implement, and maintain a configuration management policy. CC ID 14023 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain configuration management procedures. CC ID 14074 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | Communicate | Preventive | |
| Include compliance requirements in the configuration management policy. CC ID 14072 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the configuration management policy. CC ID 14071 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the configuration management policy. CC ID 14070 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the configuration management policy. CC ID 14069 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the configuration management policy. CC ID 14068 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the configuration management policy. CC ID 14067 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | Communicate | Preventive | |
| Establish, implement, and maintain a configuration management plan. CC ID 01901 | Establish/Maintain Documentation | Preventive | |
| Include configuration management procedures in the configuration management plan. CC ID 14248 [{annual basis} Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.1 Establish and Maintain a Secure Configuration Process {annual basis} Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure] | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the configuration management plan. CC ID 14247 | Establish/Maintain Documentation | Preventive | |
| Approve the configuration management plan. CC ID 14717 | Business Processes | Preventive | |
| Establish, implement, and maintain system tracking documentation. CC ID 15266 | Establish/Maintain Documentation | Preventive | |
| Include prioritization codes in the system tracking documentation. CC ID 15283 | Establish/Maintain Documentation | Preventive | |
| Include the type and category of the request in the system tracking documentation. CC ID 15281 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the system tracking documentation. CC ID 15280 | Establish/Maintain Documentation | Preventive | |
| Include the username in the system tracking documentation. CC ID 15278 | Establish/Maintain Documentation | Preventive | |
| Include a problem description in the system tracking documentation. CC ID 15276 | Establish/Maintain Documentation | Preventive | |
| Include affected systems in the system tracking documentation. CC ID 15275 | Establish/Maintain Documentation | Preventive | |
| Include root causes in the system tracking documentation. CC ID 15274 | Establish/Maintain Documentation | Preventive | |
| Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | Establish/Maintain Documentation | Preventive | |
| Include current status in the system tracking documentation. CC ID 15272 | Establish/Maintain Documentation | Preventive | |
| Employ the Configuration Management program. CC ID 11904 | Configuration | Preventive | |
| Record Configuration Management items in the Configuration Management database. CC ID 00861 | Establish/Maintain Documentation | Preventive | |
| Test network access controls for proper Configuration Management settings. CC ID 01281 | Testing | Detective | |
| Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 | Communicate | Preventive | |
| Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | Establish/Maintain Documentation | Preventive | |
| Document external connections for all systems. CC ID 06415 | Configuration | Preventive | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). CIS Control 4: Secure Configuration of Enterprise Assets and Software] | Establish/Maintain Documentation | Preventive | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | Establish/Maintain Documentation | Preventive | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | Establish/Maintain Documentation | Preventive | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | Establish/Maintain Documentation | Preventive | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | Establish/Maintain Documentation | Preventive | |
| Include installed custom software in the baseline configuration. CC ID 13274 [Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. CIS Control 16: Safeguard 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure] | Establish/Maintain Documentation | Preventive | |
| Include network ports in the baseline configuration. CC ID 13273 | Establish/Maintain Documentation | Preventive | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | Establish/Maintain Documentation | Preventive | |
| Include backup procedures in the Configuration Management policy. CC ID 01314 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system hardening standard. CC ID 00876 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain configuration standards. CC ID 11953 [{biannual basis} Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.7 Allowlist Authorized Scripts] | Configuration | Preventive | |
| Include common security parameter settings in the configuration standards for all systems. CC ID 12544 | Establish/Maintain Documentation | Preventive | |
| Apply configuration standards to all systems, as necessary. CC ID 12503 [{daily basis} Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently. CIS Control 1: Safeguard 1.3 Utilize an Active Discovery Tool Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. CIS Control 16: Safeguard 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure] | Configuration | Preventive | |
| Document and justify system hardening standard exceptions. CC ID 06845 | Configuration | Preventive | |
| Configure security parameter settings on all system components appropriately. CC ID 12041 [{biannual basis} Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.7 Allowlist Authorized Scripts] | Technical Security | Preventive | |
| Provide documentation verifying devices are not susceptible to known exploits. CC ID 11987 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
| Configure session timeout and reauthentication settings according to organizational standards. CC ID 12460 [{stipulated timeframe} Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. CIS Control 4: Safeguard 4.3 Configure Automatic Session Locking on Enterprise Assets {stipulated timeframe} Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. CIS Control 4: Safeguard 4.3 Configure Automatic Session Locking on Enterprise Assets] | Technical Security | Preventive | |
| Terminate all dependent sessions upon session termination. CC ID 16984 | Technical Security | Preventive | |
| Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 [{stipulated timeframe} Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. CIS Control 4: Safeguard 4.3 Configure Automatic Session Locking on Enterprise Assets] | Configuration | Preventive | |
| Display an explicit logout message when disconnecting an authenticated communications session. CC ID 10093 | Configuration | Preventive | |
| Invalidate session identifiers upon session termination. CC ID 10649 | Technical Security | Preventive | |
| Block and/or remove unnecessary software and unauthorized software. CC ID 00865 [{unauthorized software} Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. CIS Control 2: Inventory and Control of Software Assets {monthly basis} Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. CIS Control 2: Safeguard 2.3 Address Unauthorized Software {insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures {unauthorized software library} {biannual basis} Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.6 Allowlist Authorized Libraries] | Configuration | Preventive | |
| Use the latest approved version of all assets. CC ID 00897 [Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. CIS Control 9: Safeguard 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients] | Technical Security | Preventive | |
| Install the most current Windows Service Pack. CC ID 01695 | Configuration | Preventive | |
| Install critical security updates and important security updates in a timely manner. CC ID 01696 [{blacklist website} Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. CIS Control 9: Safeguard 9.3 Maintain and Enforce Network-Based URL Filters] | Configuration | Preventive | |
| Include risk information when communicating critical security updates. CC ID 14948 | Communicate | Preventive | |
| Configure virtual networks in accordance with the information security policy. CC ID 13165 [Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. CIS Control 12: Safeguard 12.7 Ensue Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure] | Configuration | Preventive | |
| Remove all unnecessary functionality. CC ID 00882 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | Configuration | Preventive | |
| Document that all enabled functions support secure configurations. CC ID 11985 | Establish/Maintain Documentation | Preventive | |
| Find and eradicate unauthorized world writable files. CC ID 01541 | Configuration | Preventive | |
| Strip dangerous/unneeded SUID/SGID system executables. CC ID 01542 | Configuration | Preventive | |
| Find and eradicate unauthorized SUID/SGID system executables. CC ID 01543 | Configuration | Preventive | |
| Find and eradicate unowned files and unowned directories. CC ID 01544 | Configuration | Preventive | |
| Disable logon prompts on serial ports. CC ID 01553 | Configuration | Preventive | |
| Disable "nobody" access for Secure RPC. CC ID 01554 | Configuration | Preventive | |
| Disable all unnecessary interfaces. CC ID 04826 | Configuration | Preventive | |
| Enable or disable all unused USB ports as appropriate. CC ID 06042 | Configuration | Preventive | |
| Disable all user-mounted removable file systems. CC ID 01536 | Configuration | Preventive | |
| Set the Bluetooth Security Mode to the organizational standard. CC ID 00587 | Configuration | Preventive | |
| Secure the Bluetooth headset connections. CC ID 00593 | Configuration | Preventive | |
| Verify wireless peripherals meet organizational security requirements. CC ID 00657 | Testing | Detective | |
| Disable automatic dial-in access to computers that have installed modems. CC ID 02036 | Configuration | Preventive | |
| Configure the "Turn off AutoPlay" setting. CC ID 01787 | Configuration | Preventive | |
| Configure the "Devices: Restrict floppy access to locally logged on users only" setting. CC ID 01732 | Configuration | Preventive | |
| Configure the "Devices: Restrict CD-ROM access to locally logged on users" setting. CC ID 01731 | Configuration | Preventive | |
| Configure the "Remove CD Burning features" setting. CC ID 04379 | Configuration | Preventive | |
| Disable Autorun. CC ID 01790 [Disable autorun and autoplay auto-execute functionality for removable media. CIS Control 10: Safeguard 10.3 Disable Autorun and Autoplay for Removable Media] | Configuration | Preventive | |
| Disable USB devices (aka hotplugger). CC ID 01545 | Configuration | Preventive | |
| Enable or disable all unused auxiliary ports as appropriate. CC ID 06414 | Configuration | Preventive | |
| Remove rhosts support unless absolutely necessary. CC ID 01555 | Configuration | Preventive | |
| Remove weak authentication services from Pluggable Authentication Modules. CC ID 01556 | Configuration | Preventive | |
| Remove the /etc/hosts.equiv file. CC ID 01559 | Configuration | Preventive | |
| Create the /etc/ftpd/ftpusers file. CC ID 01560 | Configuration | Preventive | |
| Remove the X Wrapper and enable the X Display Manager. CC ID 01564 | Configuration | Preventive | |
| Remove empty crontab files and restrict file permissions to the file. CC ID 01571 | Configuration | Preventive | |
| Remove all compilers and assemblers from the system. CC ID 01594 | Configuration | Preventive | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 [{refrain from authorizing}{refrain from requiring} Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications. CIS Control 9: Safeguard 9.4 Restrict Unnecessary or Unauthorized and Email Client Extensions] | Configuration | Preventive | |
| Restrict and control the use of privileged utility programs. CC ID 12030 | Technical Security | Preventive | |
| Disable the storing of movies in cache in Apple's QuickTime. CC ID 04489 | Configuration | Preventive | |
| Install and enable file sharing utilities, as necessary. CC ID 02174 | Configuration | Preventive | |
| Disable boot services unless boot services are absolutely necessary. CC ID 01481 | Configuration | Preventive | |
| Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary. CC ID 04279 | Configuration | Preventive | |
| Configure the Trivial FTP Daemon service to organizational standards. CC ID 01484 | Configuration | Preventive | |
| Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary. CC ID 01487 | Configuration | Preventive | |
| Disable web server unless web server is absolutely necessary. CC ID 01490 | Configuration | Preventive | |
| Disable portmapper unless portmapper is absolutely necessary. CC ID 01492 | Configuration | Preventive | |
| Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary. CC ID 01498 | Configuration | Preventive | |
| Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary. CC ID 01504 | Configuration | Preventive | |
| Configure the “xinetd” service to organizational standards. CC ID 01509 | Configuration | Preventive | |
| Configure the /etc/xinetd.conf file permissions as appropriate. CC ID 01568 | Configuration | Preventive | |
| Disable inetd unless inetd is absolutely necessary. CC ID 01508 | Configuration | Preventive | |
| Disable Network Computing System unless it is absolutely necessary. CC ID 01497 | Configuration | Preventive | |
| Disable print server for macintosh unless print server for macintosh is absolutely necessary. CC ID 04284 | Configuration | Preventive | |
| Disable Print Server unless Print Server is absolutely necessary. CC ID 01488 | Configuration | Preventive | |
| Disable ruser/remote login/remote shell/rcp command, unless it is absolutely necessary. CC ID 01480 | Configuration | Preventive | |
| Disable xfsmd unless xfsmd is absolutely necessary. CC ID 02179 | Configuration | Preventive | |
| Disable RPC-based services unless RPC-based services are absolutely necessary. CC ID 01455 | Configuration | Preventive | |
| Disable netfs script unless netfs script is absolutely necessary. CC ID 01495 | Configuration | Preventive | |
| Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions. CC ID 01456 | Configuration | Preventive | |
| Configure the "RPC Endpoint Mapper Client Authentication" setting. CC ID 04327 | Configuration | Preventive | |
| Disable ncpfs Script unless ncpfs Script is absolutely necessary. CC ID 01494 | Configuration | Preventive | |
| Disable sendmail server unless sendmail server is absolutely necessary. CC ID 01511 | Configuration | Preventive | |
| Disable postfix unless postfix is absolutely necessary. CC ID 01512 | Configuration | Preventive | |
| Disable directory server unless directory server is absolutely necessary. CC ID 01464 | Configuration | Preventive | |
| Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary. CC ID 01471 | Configuration | Preventive | |
| Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary. CC ID 01470 | Configuration | Preventive | |
| Configure the “Network File System” server to organizational standards CC ID 01472 | Configuration | Preventive | |
| Configure NFS to respond or not as appropriate to NFS client requests that do not include a User ID. CC ID 05981 | Configuration | Preventive | |
| Configure NFS with appropriate authentication methods. CC ID 05982 | Configuration | Preventive | |
| Configure the "AUTH_DES authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08971 | Configuration | Preventive | |
| Configure the "AUTH_KERB authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08972 | Configuration | Preventive | |
| Configure the "AUTH_NONE authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08973 | Configuration | Preventive | |
| Configure the "AUTH_UNIX authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08974 | Configuration | Preventive | |
| Disable webmin processes unless the webmin process is absolutely necessary. CC ID 01501 | Configuration | Preventive | |
| Disable automount daemon unless automount daemon is absolutely necessary. CC ID 01476 | Configuration | Preventive | |
| Disable CDE-related daemons unless CDE-related daemons are absolutely necessary. CC ID 01474 | Configuration | Preventive | |
| Disable finger unless finger is absolutely necessary. CC ID 01505 | Configuration | Preventive | |
| Disable Rexec unless Rexec is absolutely necessary. CC ID 02164 | Configuration | Preventive | |
| Disable Squid cache server unless Squid cache server is absolutely necessary. CC ID 01502 | Configuration | Preventive | |
| Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary. CC ID 01503 | Configuration | Preventive | |
| Install and enable public Instant Messaging clients as necessary. CC ID 02173 | Configuration | Preventive | |
| Disable x font server unless x font server is absolutely necessary. CC ID 01499 | Configuration | Preventive | |
| Validate, approve, and document all UNIX shells prior to use. CC ID 02161 | Establish/Maintain Documentation | Preventive | |
| Disable NFS client processes unless NFS client processes are absolutely necessary. CC ID 01475 | Configuration | Preventive | |
| Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681 | Data and Information Management | Preventive | |
| Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 | Configuration | Preventive | |
| Disable GSS daemon unless GSS daemon is absolutely necessary. CC ID 01465 | Configuration | Preventive | |
| Disable Computer Browser unless Computer Browser is absolutely necessary. CC ID 01814 | Configuration | Preventive | |
| Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | Configuration | Preventive | |
| Configure the /etc/samba/smb.conf file file permissions as appropriate. CC ID 05989 | Configuration | Preventive | |
| Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary. CC ID 01821 | Configuration | Preventive | |
| Disable web directory browsing on all web-enabled devices. CC ID 01874 | Configuration | Preventive | |
| Disable WWW publishing services unless WWW publishing services are absolutely necessary. CC ID 01833 | Configuration | Preventive | |
| Install and enable samba, as necessary. CC ID 02175 | Configuration | Preventive | |
| Configure the samba hosts allow option with an appropriate set of networks. CC ID 05985 | Configuration | Preventive | |
| Configure the samba security option option as appropriate. CC ID 05986 | Configuration | Preventive | |
| Configure the samba encrypt passwords option as appropriate. CC ID 05987 | Configuration | Preventive | |
| Configure the Samba 'smb passwd file' option with an appropriate password file or no password file. CC ID 05988 | Configuration | Preventive | |
| Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary. CC ID 02176 | Configuration | Preventive | |
| Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary. CC ID 02172 | Configuration | Preventive | |
| Disable volume manager unless volume manager is absolutely necessary. CC ID 01469 | Configuration | Preventive | |
| Disable Solaris Management Console unless Solaris Management Console is absolutely necessary. CC ID 01468 | Configuration | Preventive | |
| Disable the Graphical User Interface unless it is absolutely necessary. CC ID 01466 | Configuration | Preventive | |
| Disable help and support unless help and support is absolutely necessary. CC ID 04280 | Configuration | Preventive | |
| Disable speech recognition unless speech recognition is absolutely necessary. CC ID 04491 | Configuration | Preventive | |
| Disable or secure the NetWare QuickFinder search engine. CC ID 04453 | Configuration | Preventive | |
| Disable messenger unless messenger is absolutely necessary. CC ID 01819 | Configuration | Preventive | |
| Configure the "Do not allow Windows Messenger to be run" setting. CC ID 04516 | Configuration | Preventive | |
| Configure the "Do not automatically start Windows Messenger initially" setting. CC ID 04517 | Configuration | Preventive | |
| Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" setting. CC ID 04330 | Configuration | Preventive | |
| Disable automatic updates unless automatic updates are absolutely necessary. CC ID 01811 | Configuration | Preventive | |
| Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards. CC ID 05979 | Configuration | Preventive | |
| Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary. CC ID 04846 | Configuration | Preventive | |
| Prohibit R-command files from existing for root or administrator. CC ID 16322 | Configuration | Preventive | |
| Verify the /bin/rsh file exists or not, as appropriate. CC ID 05101 | Configuration | Preventive | |
| Verify the /sbin/rsh file exists or not, as appropriate. CC ID 05102 | Configuration | Preventive | |
| Verify the /usr/bin/rsh file exists or not, as appropriate. CC ID 05103 | Configuration | Preventive | |
| Verify the /etc/ftpusers file exists or not, as appropriate. CC ID 05104 | Configuration | Preventive | |
| Verify the /etc/rsh file exists or not, as appropriate. CC ID 05105 | Configuration | Preventive | |
| Install or uninstall the AIDE package, as appropriate. CC ID 05106 | Configuration | Preventive | |
| Enable the GNOME automounter (gnome-volume-manager) as necessary. CC ID 05107 | Configuration | Preventive | |
| Install or uninstall the setroubleshoot package, as appropriate. CC ID 05108 | Configuration | Preventive | |
| Configure Avahi properly. CC ID 05109 | Configuration | Preventive | |
| Install or uninstall OpenNTPD, as appropriate. CC ID 05110 | Configuration | Preventive | |
| Configure the "httpd" service to organizational standards. CC ID 05111 | Configuration | Preventive | |
| Install or uninstall the net-smtp package properly. CC ID 05112 | Configuration | Preventive | |
| Configure the apache web service properly. CC ID 05113 | Configuration | Preventive | |
| Configure the vlock package properly. CC ID 05114 | Configuration | Preventive | |
| Establish, implement, and maintain service accounts. CC ID 13861 | Technical Security | Preventive | |
| Review the ownership of service accounts, as necessary. CC ID 13863 | Technical Security | Detective | |
| Manage access credentials for service accounts. CC ID 13862 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management] | Technical Security | Preventive | |
| Configure the daemon account properly. CC ID 05115 | Configuration | Preventive | |
| Configure the bin account properly. CC ID 05116 | Configuration | Preventive | |
| Configure the nuucp account properly. CC ID 05117 | Configuration | Preventive | |
| Configure the smmsp account properly. CC ID 05118 | Configuration | Preventive | |
| Configure the listen account properly. CC ID 05119 | Configuration | Preventive | |
| Configure the gdm account properly. CC ID 05120 | Configuration | Preventive | |
| Configure the webservd account properly. CC ID 05121 | Configuration | Preventive | |
| Configure the nobody account properly. CC ID 05122 | Configuration | Preventive | |
| Configure the noaccess account properly. CC ID 05123 | Configuration | Preventive | |
| Configure the nobody4 account properly. CC ID 05124 | Configuration | Preventive | |
| Configure the sys account properly. CC ID 05125 | Configuration | Preventive | |
| Configure the adm account properly. CC ID 05126 | Configuration | Preventive | |
| Configure the lp account properly. CC ID 05127 | Configuration | Preventive | |
| Configure the uucp account properly. CC ID 05128 | Configuration | Preventive | |
| Install or uninstall the tftp-server package, as appropriate. CC ID 05130 | Configuration | Preventive | |
| Enable the web console as necessary. CC ID 05131 | Configuration | Preventive | |
| Enable rlogin auth by Pluggable Authentication Modules or pam.d properly. CC ID 05132 | Configuration | Preventive | |
| Enable rsh auth by Pluggable Authentication Modules properly. CC ID 05133 | Configuration | Preventive | |
| Enable the listening sendmail daemon, as appropriate. CC ID 05134 | Configuration | Preventive | |
| Configure Squid properly. CC ID 05135 | Configuration | Preventive | |
| Configure the "global Package signature checking" setting to organizational standards. CC ID 08735 | Establish/Maintain Documentation | Preventive | |
| Configure the "Package signature checking" setting for "all configured repositories" to organizational standards. CC ID 08736 | Establish/Maintain Documentation | Preventive | |
| Configure the "verify against the package database" setting for "all installed software packages" to organizational standards. CC ID 08737 | Establish/Maintain Documentation | Preventive | |
| Configure the "isdn4k-utils" package to organizational standards. CC ID 08738 | Establish/Maintain Documentation | Preventive | |
| Configure the "postfix" package to organizational standards. CC ID 08739 | Establish/Maintain Documentation | Preventive | |
| Configure the "vsftpd" package to organizational standards. CC ID 08740 | Establish/Maintain Documentation | Preventive | |
| Configure the "net-snmpd" package to organizational standards. CC ID 08741 | Establish/Maintain Documentation | Preventive | |
| Configure the "rsyslog" package to organizational standards. CC ID 08742 | Establish/Maintain Documentation | Preventive | |
| Configure the "ipsec-tools" package to organizational standards. CC ID 08743 | Establish/Maintain Documentation | Preventive | |
| Configure the "pam_ccreds" package to organizational standards. CC ID 08744 | Establish/Maintain Documentation | Preventive | |
| Configure the "talk-server" package to organizational standards. CC ID 08745 | Establish/Maintain Documentation | Preventive | |
| Configure the "talk" package to organizational standards. CC ID 08746 | Establish/Maintain Documentation | Preventive | |
| Configure the "irda-utils" package to organizational standards. CC ID 08747 | Establish/Maintain Documentation | Preventive | |
| Configure the "/etc/shells" file to organizational standards. CC ID 08978 | Configuration | Preventive | |
| Configure the LDAP package to organizational standards. CC ID 09937 | Configuration | Preventive | |
| Configure the "FTP server" package to organizational standards. CC ID 09938 | Configuration | Preventive | |
| Configure the "HTTP Proxy Server" package to organizational standards. CC ID 09939 | Configuration | Preventive | |
| Configure the "prelink" package to organizational standards. CC ID 11379 | Configuration | Preventive | |
| Configure the Network Information Service (NIS) package to organizational standards. CC ID 11380 | Configuration | Preventive | |
| Configure the "time" setting to organizational standards. CC ID 11381 | Configuration | Preventive | |
| Configure the "biosdevname" package to organizational standards. CC ID 11383 | Configuration | Preventive | |
| Configure the "ufw" setting to organizational standards. CC ID 11384 | Configuration | Preventive | |
| Configure the "Devices: Allow undock without having to log on" setting. CC ID 01728 | Configuration | Preventive | |
| Limit the user roles that are allowed to format and eject removable storage media. CC ID 01729 | Configuration | Preventive | |
| Prevent users from installing printer drivers. CC ID 01730 | Configuration | Preventive | |
| Minimize the inetd.conf file and set the file to the appropriate permissions. CC ID 01506 | Configuration | Preventive | |
| Configure the unsigned driver installation behavior. CC ID 01733 | Configuration | Preventive | |
| Configure the unsigned non-driver installation behavior. CC ID 02038 | Configuration | Preventive | |
| Remove all demonstration applications on the system. CC ID 01875 | Configuration | Preventive | |
| Configure the system to disallow optional Subsystems. CC ID 04265 | Configuration | Preventive | |
| Configure the "Remove Security tab" setting. CC ID 04380 | Configuration | Preventive | |
| Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 [Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. CIS Control 4: Safeguard 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software {insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software] | Configuration | Preventive | |
| Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 | Configuration | Preventive | |
| Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 | Configuration | Preventive | |
| Disable telnet unless telnet use is absolutely necessary. CC ID 01478 | Configuration | Preventive | |
| Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 | Configuration | Preventive | |
| Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | Configuration | Preventive | |
| Disable anonymous access to File Transfer Protocol. CC ID 06739 | Configuration | Preventive | |
| Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 | Configuration | Preventive | |
| Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 | Configuration | Preventive | |
| Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 | Configuration | Preventive | |
| Disable alerter unless alerter use is absolutely necessary. CC ID 01810 | Configuration | Preventive | |
| Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 | Configuration | Preventive | |
| Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 | Configuration | Preventive | |
| Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 | Configuration | Preventive | |
| Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 | Configuration | Preventive | |
| Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 | Configuration | Preventive | |
| Disable net logon unless net logon use is absolutely necessary. CC ID 01820 | Configuration | Preventive | |
| Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 | Configuration | Preventive | |
| Disable the "Offer Remote Assistance" setting. CC ID 04325 | Configuration | Preventive | |
| Disable the "Solicited Remote Assistance" setting. CC ID 04326 | Configuration | Preventive | |
| Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 | Configuration | Preventive | |
| Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 | Configuration | Preventive | |
| Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 | Configuration | Preventive | |
| Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 | Configuration | Preventive | |
| Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 | Configuration | Preventive | |
| Disable File Service Protocol. CC ID 02167 | Configuration | Preventive | |
| Disable the License Logging Service unless unless it is absolutely necessary. CC ID 04282 | Configuration | Preventive | |
| Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 | Configuration | Preventive | |
| Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 | Configuration | Preventive | |
| Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 | Configuration | Preventive | |
| Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 | Configuration | Preventive | |
| Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 | Configuration | Preventive | |
| Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 | Configuration | Preventive | |
| Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 | Configuration | Preventive | |
| Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 | Configuration | Preventive | |
| Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 | Configuration | Preventive | |
| Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 | Configuration | Preventive | |
| Disable SSDP/UPnp unless SSDP/UPnP is absolutely necessary. CC ID 04315 | Configuration | Preventive | |
| Configure the "ntpd service" setting to organizational standards. CC ID 04911 | Configuration | Preventive | |
| Configure the "echo service" setting to organizational standards. CC ID 04912 | Configuration | Preventive | |
| Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 | Configuration | Preventive | |
| Configure the "echo-stream service" setting to organizational standards. CC ID 09928 | Configuration | Preventive | |
| Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 | Configuration | Preventive | |
| Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 | Configuration | Preventive | |
| Configure the "netstat service" setting to organizational standards. CC ID 04913 | Configuration | Preventive | |
| Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 | Configuration | Preventive | |
| Configure the "tftpd service" setting to organizational standards. CC ID 04915 | Configuration | Preventive | |
| Configure the "walld service" setting to organizational standards. CC ID 04916 | Configuration | Preventive | |
| Configure the "rstatd service" setting to organizational standards. CC ID 04917 | Configuration | Preventive | |
| Configure the "sprayd service" setting to organizational standards. CC ID 04918 | Configuration | Preventive | |
| Configure the "rusersd service" setting to organizational standards. CC ID 04919 | Configuration | Preventive | |
| Configure the "inn service" setting to organizational standards. CC ID 04920 | Configuration | Preventive | |
| Configure the "font service" setting to organizational standards. CC ID 04921 | Configuration | Preventive | |
| Configure the "ident service" setting to organizational standards. CC ID 04922 | Configuration | Preventive | |
| Configure the "rexd service" setting to organizational standards. CC ID 04923 | Configuration | Preventive | |
| Configure the "daytime service" setting to organizational standards. CC ID 04924 | Configuration | Preventive | |
| Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 | Configuration | Preventive | |
| Configure the "cmsd service" setting to organizational standards. CC ID 04926 | Configuration | Preventive | |
| Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 | Configuration | Preventive | |
| Configure the "discard service" setting to organizational standards. CC ID 04928 | Configuration | Preventive | |
| Configure the "vino-server service" setting to organizational standards. CC ID 04929 | Configuration | Preventive | |
| Configure the "bind service" setting to organizational standards. CC ID 04930 | Configuration | Preventive | |
| Configure the "nfsd service" setting to organizational standards. CC ID 04931 | Configuration | Preventive | |
| Configure the "mountd service" setting to organizational standards. CC ID 04932 | Configuration | Preventive | |
| Configure the "statd service" setting to organizational standards. CC ID 04933 | Configuration | Preventive | |
| Configure the "lockd service" setting to organizational standards. CC ID 04934 | Configuration | Preventive | |
| Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 | Configuration | Preventive | |
| Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 | Configuration | Preventive | |
| Configure the sendmail vrfy command, as appropriate. CC ID 04936 | Configuration | Preventive | |
| Configure the sendmail expn command, as appropriate. CC ID 04937 | Configuration | Preventive | |
| Configure .netrc with an appropriate set of services. CC ID 04938 | Configuration | Preventive | |
| Enable NFS insecure locks as necessary. CC ID 04939 | Configuration | Preventive | |
| Configure the "X server ac" setting to organizational standards. CC ID 04940 | Configuration | Preventive | |
| Configure the "X server core" setting to organizational standards. CC ID 04941 | Configuration | Preventive | |
| Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 | Configuration | Preventive | |
| Configure the "X server nolock" setting to organizational standards. CC ID 04942 | Configuration | Preventive | |
| Enable or disable the mcstrans service, as appropriate. CC ID 05541 | Configuration | Preventive | |
| Configure the "PAM console" setting to organizational standards. CC ID 04943 | Configuration | Preventive | |
| Enable or disable the restorecond service, as appropriate. CC ID 05542 | Configuration | Preventive | |
| Enable the rhnsd service as necessary. CC ID 04944 | Configuration | Preventive | |
| Enable the yum-updatesd service as necessary. CC ID 04945 | Configuration | Preventive | |
| Enable the autofs service as necessary. CC ID 04946 | Configuration | Preventive | |
| Enable the ip6tables service as necessary. CC ID 04947 | Configuration | Preventive | |
| Configure syslog to organizational standards. CC ID 04949 | Configuration | Preventive | |
| Enable the auditd service as necessary. CC ID 04950 | Configuration | Preventive | |
| Enable the logwatch service as necessary. CC ID 04951 | Configuration | Preventive | |
| Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 | Configuration | Preventive | |
| Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 | Configuration | Preventive | |
| Enable the ypbind service as necessary. CC ID 04954 | Configuration | Preventive | |
| Enable the ypserv service as necessary. CC ID 04955 | Configuration | Preventive | |
| Enable the firstboot service as necessary. CC ID 04956 | Configuration | Preventive | |
| Enable the gpm service as necessary. CC ID 04957 | Configuration | Preventive | |
| Enable the irqbalance service as necessary. CC ID 04958 | Configuration | Preventive | |
| Enable the isdn service as necessary. CC ID 04959 | Configuration | Preventive | |
| Enable the kdump service as necessary. CC ID 04960 | Configuration | Preventive | |
| Enable the mdmonitor service as necessary. CC ID 04961 | Configuration | Preventive | |
| Enable the microcode_ctl service as necessary. CC ID 04962 | Configuration | Preventive | |
| Enable the pcscd service as necessary. CC ID 04963 | Configuration | Preventive | |
| Enable the smartd service as necessary. CC ID 04964 | Configuration | Preventive | |
| Enable the readahead_early service as necessary. CC ID 04965 | Configuration | Preventive | |
| Enable the readahead_later service as necessary. CC ID 04966 | Configuration | Preventive | |
| Enable the messagebus service as necessary. CC ID 04967 | Configuration | Preventive | |
| Enable the haldaemon service as necessary. CC ID 04968 | Configuration | Preventive | |
| Enable the apmd service as necessary. CC ID 04969 | Configuration | Preventive | |
| Enable the acpid service as necessary. CC ID 04970 | Configuration | Preventive | |
| Enable the cpuspeed service as necessary. CC ID 04971 | Configuration | Preventive | |
| Enable the network service as necessary. CC ID 04972 | Configuration | Preventive | |
| Enable the hidd service as necessary. CC ID 04973 | Configuration | Preventive | |
| Enable the crond service as necessary. CC ID 04974 | Configuration | Preventive | |
| Install and enable the anacron service as necessary. CC ID 04975 | Configuration | Preventive | |
| Enable the xfs service as necessary. CC ID 04976 | Configuration | Preventive | |
| Install and enable the Avahi daemon service, as necessary. CC ID 04977 | Configuration | Preventive | |
| Enable the CUPS service, as necessary. CC ID 04978 | Configuration | Preventive | |
| Enable the hplip service as necessary. CC ID 04979 | Configuration | Preventive | |
| Enable the dhcpd service as necessary. CC ID 04980 | Configuration | Preventive | |
| Enable the nfslock service as necessary. CC ID 04981 | Configuration | Preventive | |
| Enable the rpcgssd service as necessary. CC ID 04982 | Configuration | Preventive | |
| Enable the rpcidmapd service as necessary. CC ID 04983 | Configuration | Preventive | |
| Enable the rpcsvcgssd service as necessary. CC ID 04985 | Configuration | Preventive | |
| Configure root squashing for all NFS shares, as appropriate. CC ID 04986 | Configuration | Preventive | |
| Configure write access to NFS shares, as appropriate. CC ID 04987 | Configuration | Preventive | |
| Configure the named service, as appropriate. CC ID 04988 | Configuration | Preventive | |
| Configure the vsftpd service, as appropriate. CC ID 04989 | Configuration | Preventive | |
| Configure the “dovecot” service to organizational standards. CC ID 04990 | Configuration | Preventive | |
| Configure Server Message Block (SMB) to organizational standards. CC ID 04991 | Configuration | Preventive | |
| Enable the snmpd service as necessary. CC ID 04992 | Configuration | Preventive | |
| Enable the calendar manager as necessary. CC ID 04993 | Configuration | Preventive | |
| Enable the GNOME logon service as necessary. CC ID 04994 | Configuration | Preventive | |
| Enable the WBEM services as necessary. CC ID 04995 | Configuration | Preventive | |
| Enable the keyserv service as necessary. CC ID 04996 | Configuration | Preventive | |
| Enable the Generic Security Service daemon as necessary. CC ID 04997 | Configuration | Preventive | |
| Enable the volfs service as necessary. CC ID 04998 | Configuration | Preventive | |
| Enable the smserver service as necessary. CC ID 04999 | Configuration | Preventive | |
| Enable the mpxio-upgrade service as necessary. CC ID 05000 | Configuration | Preventive | |
| Enable the metainit service as necessary. CC ID 05001 | Configuration | Preventive | |
| Enable the meta service as necessary. CC ID 05003 | Configuration | Preventive | |
| Enable the metaed service as necessary. CC ID 05004 | Configuration | Preventive | |
| Enable the metamh service as necessary. CC ID 05005 | Configuration | Preventive | |
| Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 | Configuration | Preventive | |
| Enable the Kerberos kadmind service as necessary. CC ID 05007 | Configuration | Preventive | |
| Enable the Kerberos krb5kdc service as necessary. CC ID 05008 | Configuration | Preventive | |
| Enable the Kerberos kpropd service as necessary. CC ID 05009 | Configuration | Preventive | |
| Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 | Configuration | Preventive | |
| Enable the sadmin service as necessary. CC ID 05011 | Configuration | Preventive | |
| Enable the IPP listener as necessary. CC ID 05012 | Configuration | Preventive | |
| Enable the serial port listener as necessary. CC ID 05013 | Configuration | Preventive | |
| Enable the Smart Card Helper service as necessary. CC ID 05014 | Configuration | Preventive | |
| Enable the Application Management service as necessary. CC ID 05015 | Configuration | Preventive | |
| Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | Configuration | Preventive | |
| Enable the Network News Transport Protocol service as necessary. CC ID 05017 | Configuration | Preventive | |
| Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 | Configuration | Preventive | |
| Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | Configuration | Preventive | |
| Enable the RARP service as necessary. CC ID 05020 | Configuration | Preventive | |
| Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 | Configuration | Preventive | |
| Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 | Configuration | Preventive | |
| Enable the Certificate Services service as necessary. CC ID 05023 | Configuration | Preventive | |
| Configure the ATI hotkey poller service properly. CC ID 05024 | Configuration | Preventive | |
| Configure the Interix Subsystem Startup service properly. CC ID 05025 | Configuration | Preventive | |
| Configure the Cluster Service service properly. CC ID 05026 | Configuration | Preventive | |
| Configure the IAS Jet Database Access service properly. CC ID 05027 | Configuration | Preventive | |
| Configure the IAS service properly. CC ID 05028 | Configuration | Preventive | |
| Configure the IP Version 6 Helper service properly. CC ID 05029 | Configuration | Preventive | |
| Configure "Message Queuing service" to organizational standards. CC ID 05030 | Configuration | Preventive | |
| Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | Configuration | Preventive | |
| Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | Configuration | Preventive | |
| Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 | Configuration | Preventive | |
| Configure the Utility Manager service properly. CC ID 05035 | Configuration | Preventive | |
| Configure the secondary logon service properly. CC ID 05036 | Configuration | Preventive | |
| Configure the Windows Management Instrumentation service properly. CC ID 05037 | Configuration | Preventive | |
| Configure the Workstation service properly. CC ID 05038 | Configuration | Preventive | |
| Configure the Windows Installer service properly. CC ID 05039 | Configuration | Preventive | |
| Configure the Windows System Resource Manager service properly. CC ID 05040 | Configuration | Preventive | |
| Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | Configuration | Preventive | |
| Configure the Services for Unix Client for NFS service properly. CC ID 05042 | Configuration | Preventive | |
| Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | Configuration | Preventive | |
| Configure the Services for Unix Perl Socket service properly. CC ID 05044 | Configuration | Preventive | |
| Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | Configuration | Preventive | |
| Configure the Services for Unix Windows Cron service properly. CC ID 05046 | Configuration | Preventive | |
| Configure the Windows Media Services service properly. CC ID 05047 | Configuration | Preventive | |
| Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 | Configuration | Preventive | |
| Configure the Web Element Manager service properly. CC ID 05049 | Configuration | Preventive | |
| Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 | Configuration | Preventive | |
| Configure the Terminal Services Licensing service properly. CC ID 05051 | Configuration | Preventive | |
| Configure the COM+ Event System service properly. CC ID 05052 | Configuration | Preventive | |
| Configure the Event Log service properly. CC ID 05053 | Configuration | Preventive | |
| Configure the Infrared Monitor service properly. CC ID 05054 | Configuration | Preventive | |
| Configure the Services for Unix Server for NFS service properly. CC ID 05055 | Configuration | Preventive | |
| Configure the System Event Notification Service properly. CC ID 05056 | Configuration | Preventive | |
| Configure the NTLM Security Support Provider service properly. CC ID 05057 | Configuration | Preventive | |
| Configure the Performance Logs and Alerts service properly. CC ID 05058 | Configuration | Preventive | |
| Configure the Protected Storage service properly. CC ID 05059 | Configuration | Preventive | |
| Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | Configuration | Preventive | |
| Configure the Remote Procedure Call service properly. CC ID 05061 | Configuration | Preventive | |
| Configure the Removable Storage service properly. CC ID 05062 | Configuration | Preventive | |
| Configure the Server service properly. CC ID 05063 | Configuration | Preventive | |
| Configure the Security Accounts Manager service properly. CC ID 05064 | Configuration | Preventive | |
| Configure the “Network Connections” service to organizational standards. CC ID 05065 | Configuration | Preventive | |
| Configure the Logical Disk Manager service properly. CC ID 05066 | Configuration | Preventive | |
| Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | Configuration | Preventive | |
| Configure the File Replication service properly. CC ID 05068 | Configuration | Preventive | |
| Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | Configuration | Preventive | |
| Configure the Intersite Messaging service properly. CC ID 05070 | Configuration | Preventive | |
| Configure the Remote Procedure Call locator service properly. CC ID 05071 | Configuration | Preventive | |
| Configure the Distributed File System service properly. CC ID 05072 | Configuration | Preventive | |
| Configure the Windows Internet Name Service service properly. CC ID 05073 | Configuration | Preventive | |
| Configure the FTP Publishing Service properly. CC ID 05074 | Configuration | Preventive | |
| Configure the Windows Search service properly. CC ID 05075 | Configuration | Preventive | |
| Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | Configuration | Preventive | |
| Configure the Remote Shell service properly. CC ID 05077 | Configuration | Preventive | |
| Configure Simple TCP/IP services to organizational standards. CC ID 05078 | Configuration | Preventive | |
| Configure the Print Services for Unix service properly. CC ID 05079 | Configuration | Preventive | |
| Configure the File Shares service to organizational standards. CC ID 05080 | Configuration | Preventive | |
| Configure the NetMeeting service properly. CC ID 05081 | Configuration | Preventive | |
| Configure the Application Layer Gateway service properly. CC ID 05082 | Configuration | Preventive | |
| Configure the Cryptographic Services service properly. CC ID 05083 | Configuration | Preventive | |
| Configure the Help and Support Service properly. CC ID 05084 | Configuration | Preventive | |
| Configure the Human Interface Device Access service properly. CC ID 05085 | Configuration | Preventive | |
| Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | Configuration | Preventive | |
| Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | Configuration | Preventive | |
| Configure the Network Location Awareness service properly. CC ID 05088 | Configuration | Preventive | |
| Configure the Portable Media Serial Number Service service properly. CC ID 05089 | Configuration | Preventive | |
| Configure the System Restore Service service properly. CC ID 05090 | Configuration | Preventive | |
| Configure the Themes service properly. CC ID 05091 | Configuration | Preventive | |
| Configure the Uninterruptible Power Supply service properly. CC ID 05092 | Configuration | Preventive | |
| Configure the Upload Manager service properly. CC ID 05093 | Configuration | Preventive | |
| Configure the Volume Shadow Copy Service properly. CC ID 05094 | Configuration | Preventive | |
| Configure the WebClient service properly. CC ID 05095 | Configuration | Preventive | |
| Configure the Windows Audio service properly. CC ID 05096 | Configuration | Preventive | |
| Configure the Windows Image Acquisition service properly. CC ID 05097 | Configuration | Preventive | |
| Configure the WMI Performance Adapter service properly. CC ID 05098 | Configuration | Preventive | |
| Enable file uploads via vsftpd service, as appropriate. CC ID 05100 | Configuration | Preventive | |
| Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 | Configuration | Preventive | |
| Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 | Configuration | Preventive | |
| Configure the "xdmcp service" setting to organizational standards. CC ID 08985 | Configuration | Preventive | |
| Disable the automatic display of remote images in HTML-formatted e-mail. CC ID 04494 | Configuration | Preventive | |
| Disable Remote Apply Events unless Remote Apply Events are absolutely necessary. CC ID 04495 | Configuration | Preventive | |
| Disable Xgrid unless Xgrid is absolutely necessary. CC ID 04496 | Configuration | Preventive | |
| Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly. CC ID 05136 | Configuration | Preventive | |
| Disable Core dumps unless absolutely necessary. CC ID 01507 | Configuration | Preventive | |
| Set hard core dump size limits, as appropriate. CC ID 05990 | Configuration | Preventive | |
| Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly. CC ID 05137 | Configuration | Preventive | |
| Set the Squid EUID and Squid GUID to an appropriate user and group. CC ID 05138 | Configuration | Preventive | |
| Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate. CC ID 05139 | Configuration | Preventive | |
| Use of the cron.allow file should be enabled or disabled as appropriate. CC ID 06014 | Configuration | Preventive | |
| Use of the at.allow file should be enabled or disabled as appropriate. CC ID 06015 | Configuration | Preventive | |
| Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate. CC ID 06039 | Configuration | Preventive | |
| Enable or disable each user's Screen saver software, as necessary. CC ID 06050 | Configuration | Preventive | |
| Disable any unnecessary scripting languages, as necessary. CC ID 12137 [{biannual basis} Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.7 Allowlist Authorized Scripts] | Configuration | Preventive | |
| Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | Configuration | Preventive | |
| Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | Configuration | Preventive | |
| Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | Configuration | Preventive | |
| Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | Configuration | Preventive | |
| Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | Configuration | Preventive | |
| Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | Configuration | Preventive | |
| Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | Configuration | Preventive | |
| Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | Configuration | Preventive | |
| Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | Configuration | Preventive | |
| Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | Configuration | Preventive | |
| Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | Configuration | Preventive | |
| Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | Configuration | Preventive | |
| Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | Configuration | Preventive | |
| Store state information from applications and software separately. CC ID 14767 | Configuration | Preventive | |
| Configure the "aufs storage" to organizational standards. CC ID 14461 | Configuration | Preventive | |
| Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | Configuration | Preventive | |
| Configure the "device" argument to organizational standards. CC ID 14536 | Configuration | Preventive | |
| Configure the "Docker" group ownership to organizational standards. CC ID 14495 | Configuration | Preventive | |
| Configure the "Docker" user ownership to organizational standards. CC ID 14505 | Configuration | Preventive | |
| Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | Configuration | Preventive | |
| Configure the system to restrict Core dumps to a protected directory. CC ID 01513 | Configuration | Preventive | |
| Configure the system to enable Stack protection. CC ID 01514 | Configuration | Preventive | |
| Configure the system to restrict NFS client requests to privileged ports. CC ID 01515 | Configuration | Preventive | |
| Configure the system to use better TCP Sequence Numbers. CC ID 01516 | Configuration | Preventive | |
| Configure the system to a default secure level. CC ID 01519 | Configuration | Preventive | |
| Configure the system to block users from viewing un-owned processes. CC ID 01520 | Configuration | Preventive | |
| Configure the system to block users from viewing processes in other groups. CC ID 01521 | Configuration | Preventive | |
| Add the "nosuid" option to /etc/rmmount.conf. CC ID 01532 | Configuration | Preventive | |
| Configure the system to block non-privileged mountd requests. CC ID 01533 | Configuration | Preventive | |
| Use host-based or Internet Protocol-based export lists for mountd. CC ID 06887 | Configuration | Preventive | |
| Add the "nodev" option to the appropriate partitions in /etc/fstab. CC ID 01534 | Configuration | Preventive | |
| Add the "nosuid" option and "nodev" option for removable storage media in the /etc/fstab file. CC ID 01535 | Configuration | Preventive | |
| Configure the sticky bit on world-writable directories. CC ID 01540 | Configuration | Preventive | |
| Verify system files are not world-writable. CC ID 01546 | Technical Security | Preventive | |
| Verify backup directories containing patches are not accessible. CC ID 01547 | Technical Security | Preventive | |
| Run hp_checkperms. CC ID 01548 | Configuration | Preventive | |
| Run fix-modes. CC ID 01549 | Configuration | Preventive | |
| Convert the system to "Trusted Mode", if possible. CC ID 01550 | Configuration | Preventive | |
| Configure the sadmind service to a higher Security level. CC ID 01551 | Configuration | Preventive | |
| Use host-based or Internet Protocol-based export lists for sadmind. CC ID 06886 | Configuration | Preventive | |
| Find files and directories with extended attributes. CC ID 01552 | Technical Security | Detective | |
| Configure all.rhosts files to be readable only by their owners. CC ID 01557 | Configuration | Preventive | |
| Set the symlink /etc/hosts.equiv file to /dev/null. CC ID 01558 | Configuration | Preventive | |
| Configure the default locking Screen saver timeout to a predetermined time period. CC ID 01570 | Configuration | Preventive | |
| Configure the Security Center (Domain PCs only). CC ID 01967 | Configuration | Preventive | |
| Configure the system to immediately protect the computer after the Screen saver is activated by setting the time before the Screen saver grace period expires to a predefined amount. CC ID 04276 | Configuration | Preventive | |
| Configure the system to require a password before it unlocks the Screen saver software. CC ID 04443 | Configuration | Preventive | |
| Enable the safe DLL search mode. CC ID 04273 | Configuration | Preventive | |
| Configure the computer to stop generating 8.3 filename formats. CC ID 04274 | Configuration | Preventive | |
| Configure the system to use certificate rules for software restriction policies. CC ID 04266 | Configuration | Preventive | |
| Configure the "Do not allow drive redirection" setting. CC ID 04316 | Configuration | Preventive | |
| Configure the "Turn off the 'Publish to Web' task for files and folders" setting. CC ID 04328 | Configuration | Preventive | |
| Configure the "Turn off Internet download for Web publishing and online ordering wizards" setting. CC ID 04329 | Configuration | Preventive | |
| Configure the "Turn off Search Companion content file updates" setting. CC ID 04331 | Configuration | Preventive | |
| Configure the "Turn off printing over HTTP" setting. CC ID 04332 | Configuration | Preventive | |
| Configure the "Turn off downloading of print drivers over HTTP" setting. CC ID 04333 | Configuration | Preventive | |
| Configure the "Turn off Windows Update device driver searching" setting. CC ID 04334 | Configuration | Preventive | |
| Configure the "Display Error Notification" setting to organizational standards. CC ID 04335 | Configuration | Preventive | |
| Configure the "Turn off Windows error reporting" setting to organizational standards. CC ID 04336 | Configuration | Preventive | |
| Configure the "Disable software update shell notifications on program launch" setting. CC ID 04339 | Configuration | Preventive | |
| Configure the "Make proxy settings per-machine (rather than per-user)" setting. CC ID 04341 | Configuration | Preventive | |
| Configure the "Security Zones: Do not allow users to add/delete sites" setting. CC ID 04342 | Configuration | Preventive | |
| Configure the "Security Zones: Do not allow users to change policies" setting. CC ID 04343 | Configuration | Preventive | |
| Configure the "Security Zones: Use only machine settings" setting. CC ID 04344 | Configuration | Preventive | |
| Configure the "Allow software to run or install even if the signature is invalid" setting. CC ID 04346 | Configuration | Preventive | |
| Configure the "internet explorer processes (scripted window security restrictions)" setting. CC ID 04350 | Configuration | Preventive | |
| Configure the "internet explorer processes (zone elevation protection)" setting. CC ID 04351 | Configuration | Preventive | |
| Configure the "Prevent access to registry editing tools" setting. CC ID 04355 | Configuration | Preventive | |
| Configure the "Do not preserve zone information in file attachments" setting. CC ID 04357 | Configuration | Preventive | |
| Configure the "Hide mechanisms to remove zone information" setting. CC ID 04358 | Configuration | Preventive | |
| Configure the "Notify antivirus programs when opening attachments" setting. CC ID 04359 | Configuration | Preventive | |
| Configure the "Configure Outlook Express" setting. CC ID 04360 | Configuration | Preventive | |
| Configure the "Disable Changing Automatic Configuration settings" setting. CC ID 04361 | Configuration | Preventive | |
| Configure the "Disable changing certificate settings" setting. CC ID 04362 | Configuration | Preventive | |
| Configure the "Disable changing connection settings" setting. CC ID 04363 | Configuration | Preventive | |
| Configure the "Disable changing proxy settings" setting. CC ID 04364 | Configuration | Preventive | |
| Configure the "Turn on the auto-complete feature for user names and passwords on forms" setting. CC ID 04365 | Configuration | Preventive | |
| Configure the NetWare bindery contexts. CC ID 04444 | Configuration | Preventive | |
| Configure the NetWare console's SECURE.NCF settings. CC ID 04445 | Configuration | Preventive | |
| Configure the CPU Hog Timeout setting. CC ID 04446 | Configuration | Preventive | |
| Configure the "Check Equivalent to Me" setting. CC ID 04463 | Configuration | Preventive | |
| Configure the /etc/sshd_config file. CC ID 04475 | Configuration | Preventive | |
| Configure the .Mac preferences. CC ID 04484 | Configuration | Preventive | |
| Configure the Fast User Switching setting. CC ID 04485 | Configuration | Preventive | |
| Configure the Recent Items List (servers, applications, documents) setting. CC ID 04486 | Configuration | Preventive | |
| Configure Apple's Dock preferences. CC ID 04487 | Configuration | Preventive | |
| Configure the "ulimit" to organizational standards. CC ID 14499 | Configuration | Preventive | |
| Configure the Energy Saver preferences. CC ID 04488 | Configuration | Preventive | |
| Configure the local system search preferences to directories that do not contain restricted data or restricted information. CC ID 04492 | Configuration | Preventive | |
| Digitally sign and encrypt e-mail, as necessary. CC ID 04493 | Technical Security | Preventive | |
| Manage temporary files, as necessary. CC ID 04847 | Technical Security | Preventive | |
| Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | Configuration | Preventive | |
| Enable or disable the ability of users to perform interactive startups, as appropriate. CC ID 05283 | Configuration | Preventive | |
| Set the /etc/passwd file's NIS file inclusions properly. CC ID 05284 | Configuration | Preventive | |
| Configure the "Turn off Help Ratings" setting. CC ID 05285 | Configuration | Preventive | |
| Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | Configuration | Preventive | |
| Configure the "Additional restrictions for anonymous connections" policy properly. CC ID 05287 | Configuration | Preventive | |
| Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | Configuration | Preventive | |
| Configure the File System Checker and Popups setting. CC ID 05289 | Configuration | Preventive | |
| Configure the System File Checker setting. CC ID 05290 | Configuration | Preventive | |
| Configure the System File Checker Progress Meter setting. CC ID 05291 | Configuration | Preventive | |
| Configure the Protect Kernel object attributes properly. CC ID 05292 | Configuration | Preventive | |
| Configure the "Deleted Cached Copies of Roaming Profiles" policy properly. CC ID 05293 | Configuration | Preventive | |
| Verify that the X*.hosts file lists all authorized X-clients. CC ID 05294 | Configuration | Preventive | |
| Verify all files are owned by an existing account and group. CC ID 05295 | Configuration | Preventive | |
| Verify programs executed through the aliases file are owned by an appropriate user or group. CC ID 05296 | Configuration | Preventive | |
| Verify programs executed through the aliases file are stored in a directory with an appropriate owner. CC ID 05297 | Configuration | Preventive | |
| Verify the at directory is owned by an appropriate user or group. CC ID 05298 | Configuration | Preventive | |
| Verify the at.allow file is owned by an appropriate user or group. CC ID 05299 | Configuration | Preventive | |
| Verify the at.deny file is owned by an appropriate user or group. CC ID 05300 | Configuration | Preventive | |
| Verify the crontab directories are owned by an appropriate user or group. CC ID 05302 | Configuration | Preventive | |
| Verify the cron.allow file is owned by an appropriate user or group. CC ID 05303 | Configuration | Preventive | |
| Verify the cron.deny file is owned by an appropriate user or group. CC ID 05304 | Configuration | Preventive | |
| Verify crontab files are owned by an appropriate user or group. CC ID 05305 | Configuration | Preventive | |
| Verify the /etc/resolv.conf file is owned by an appropriate user or group. CC ID 05306 | Configuration | Preventive | |
| Verify the /etc/named.boot file is owned by an appropriate user or group. CC ID 05307 | Configuration | Preventive | |
| Verify the /etc/named.conf file is owned by an appropriate user or group. CC ID 05308 | Configuration | Preventive | |
| Verify the /var/named/chroot/etc/named.conf file is owned by an appropriate user or group. CC ID 05309 | Configuration | Preventive | |
| Verify home directories are owned by an appropriate user or group. CC ID 05310 | Configuration | Preventive | |
| Verify the inetd.conf file is owned by an appropriate user or group. CC ID 05311 | Configuration | Preventive | |
| Verify /etc/exports are owned by an appropriate user or group. CC ID 05312 | Configuration | Preventive | |
| Verify exported files and exported directories are owned by an appropriate user or group. CC ID 05313 | Configuration | Preventive | |
| Restrict the exporting of files and directories, as necessary. CC ID 16315 | Technical Security | Preventive | |
| Verify the /etc/services file is owned by an appropriate user or group. CC ID 05314 | Configuration | Preventive | |
| Verify the /etc/notrouter file is owned by an appropriate user or group. CC ID 05315 | Configuration | Preventive | |
| Verify the /etc/samba/smb.conf file is owned by an appropriate user or group. CC ID 05316 | Configuration | Preventive | |
| Verify the smbpasswd file and smbpasswd executable are owned by an appropriate user or group. CC ID 05317 | Configuration | Preventive | |
| Verify the aliases file is owned by an appropriate user or group. CC ID 05318 | Configuration | Preventive | |
| Verify the log file configured to capture critical sendmail messages is owned by an appropriate user or group. CC ID 05319 | Log Management | Preventive | |
| Verify Shell files are owned by an appropriate user or group. CC ID 05320 | Configuration | Preventive | |
| Verify the snmpd.conf file is owned by an appropriate user or group. CC ID 05321 | Configuration | Preventive | |
| Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | Configuration | Preventive | |
| Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | Configuration | Preventive | |
| Verify the /usr/lib/sendmail file is owned by an appropriate user or group. CC ID 05324 | Technical Security | Preventive | |
| Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | Configuration | Preventive | |
| Verify the /etc/shadow file is owned by an appropriate user or group. CC ID 05326 | Configuration | Preventive | |
| Verify the /etc/security/audit/config file is owned by an appropriate user or group. CC ID 05327 | Configuration | Preventive | |
| Verify the /etc/securit/audit/events file is owned by an appropriate user or group. CC ID 05328 | Configuration | Preventive | |
| Verify the /etc/security/audit/objects file is owned by an appropriate user or group. CC ID 05329 | Configuration | Preventive | |
| Verify the /usr/lib/trcload file is owned by an appropriate user or group. CC ID 05330 | Configuration | Preventive | |
| Verify the /usr/lib/semutil file is owned by an appropriate user or group. CC ID 05331 | Configuration | Preventive | |
| Verify system files are owned by an appropriate user or group. CC ID 05332 | Configuration | Preventive | |
| Verify the default/skeleton dot files are owned by an appropriate user or group. CC ID 05333 | Configuration | Preventive | |
| Verify the global initialization files are owned by an appropriate user or group. CC ID 05334 | Configuration | Preventive | |
| Verify the /etc/rc.config.d/auditing file is owned by an appropriate user or group. CC ID 05335 | Configuration | Preventive | |
| Verify the /etc/init.d file is owned by an appropriate user or group. CC ID 05336 | Configuration | Preventive | |
| Verify the /etc/hosts.lpd file is owned by an appropriate user or group. CC ID 05337 | Configuration | Preventive | |
| Verify the /etc/auto.master file is owned by an appropriate user or group. CC ID 05338 | Configuration | Preventive | |
| Verify the /etc/auto.misc file is owned by an appropriate user or group. CC ID 05339 | Configuration | Preventive | |
| Verify the /etc/auto.net file is owned by an appropriate user or group. CC ID 05340 | Configuration | Preventive | |
| Verify the boot/grub/grub.conf file is owned by an appropriate user or group. CC ID 05341 | Configuration | Preventive | |
| Verify the /etc/lilo.conf file is owned by an appropriate user or group. CC ID 05342 | Configuration | Preventive | |
| Verify the /etc/login.access file is owned by an appropriate user or group. CC ID 05343 | Configuration | Preventive | |
| Verify the /etc/security/access.conf file is owned by an appropriate user or group. CC ID 05344 | Configuration | Preventive | |
| Verify the /etc/sysctl.conf file is owned by an appropriate user or group. CC ID 05345 | Configuration | Preventive | |
| Configure the "secure_redirects" setting to organizational standards. CC ID 09941 | Configuration | Preventive | |
| Configure the "icmp_ignore_bogus_error_responses" setting to organizational standards. CC ID 09942 | Configuration | Preventive | |
| Configure the "rp_filter" setting to organizational standards. CC ID 09943 | Configuration | Preventive | |
| Verify the /etc/securetty file is owned by an appropriate user or group. CC ID 05346 | Configuration | Preventive | |
| Verify the /etc/audit/auditd.conf file is owned by an appropriate user or group. CC ID 05347 | Configuration | Preventive | |
| Verify the audit.rules file is owned by an appropriate user or group. CC ID 05348 | Configuration | Preventive | |
| Verify the /etc/group file is owned by an appropriate user or group. CC ID 05349 | Configuration | Preventive | |
| Verify the /etc/gshadow file is owned by an appropriate user or group. CC ID 05350 | Configuration | Preventive | |
| Verify the /usr/sbin/userhelper file is owned by an appropriate user or group. CC ID 05351 | Configuration | Preventive | |
| Verify all syslog log files are owned by an appropriate user or group. CC ID 05352 | Configuration | Preventive | |
| Verify the /etc/anacrontab file is owned by an appropriate user or group. CC ID 05353 | Configuration | Preventive | |
| Verify the /etc/pki/tls/ldap file is owned by an appropriate user or group. CC ID 05354 | Configuration | Preventive | |
| Verify the /etc/pki/tls/ldap/serverkey.pem file is owned by an appropriate user or group. CC ID 05355 | Configuration | Preventive | |
| Verify the /etc/pki/tls/CA/cacert.pem file is owned by an appropriate user or group. CC ID 05356 | Configuration | Preventive | |
| Verify the /etc/pki/tls/ldap/servercert.pem file is owned by an appropriate user or group. CC ID 05357 | Configuration | Preventive | |
| Verify the var/lib/ldap/* files are owned by an appropriate user or group. CC ID 05358 | Configuration | Preventive | |
| Verify the /etc/httpd/conf/* files are owned by an appropriate user or group. CC ID 05359 | Configuration | Preventive | |
| Verify the /etc/auto_* file is owned by an appropriate user. CC ID 05360 | Configuration | Preventive | |
| Verify the /etc/rmmount.conf file is owned by an appropriate user or group. CC ID 05361 | Configuration | Preventive | |
| Verify the /var/log/pamlog log is owned by an appropriate user or group. CC ID 05362 | Configuration | Preventive | |
| Verify the /etc/security/audit_control file is owned by an appropriate user or group. CC ID 05363 | Configuration | Preventive | |
| Verify the /etc/security/audit_class file is owned by an appropriate user or group. CC ID 05364 | Configuration | Preventive | |
| Verify the /etc/security/audit_event file is owned by an appropriate user or group. CC ID 05365 | Configuration | Preventive | |
| Verify the ASET userlist file is owned by an appropriate user or group. CC ID 05366 | Configuration | Preventive | |
| Verify the /var directory is owned by an appropriate user. CC ID 05367 | Configuration | Preventive | |
| Verify the /var/log directory is owned by an appropriate user. CC ID 05368 | Configuration | Preventive | |
| Verify the /var/adm directory is owned by an appropriate user. CC ID 05369 | Configuration | Preventive | |
| Restrict the debug level daemon logging file owner and daemon debug group owner. CC ID 05370 | Configuration | Preventive | |
| Restrict the Cron log file owner and Cron group owner. CC ID 05371 | Configuration | Preventive | |
| Restrict the system accounting file owner and system accounting group owner. CC ID 05372 | Configuration | Preventive | |
| Restrict audit log file ownership and audit group ownership. CC ID 05373 | Configuration | Preventive | |
| Set the X server timeout properly. CC ID 05374 | Configuration | Preventive | |
| Configure each user's authentication mechanism (system attribute) properly. CC ID 05375 | Configuration | Preventive | |
| Enable or disable SeLinux, as appropriate. CC ID 05376 | Configuration | Preventive | |
| Set the SELinux state properly. CC ID 05377 | Configuration | Preventive | |
| Set the SELinux policy properly. CC ID 05378 | Configuration | Preventive | |
| Configure Dovecot properly. CC ID 05379 | Configuration | Preventive | |
| Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | Configuration | Preventive | |
| Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | Configuration | Preventive | |
| Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | Configuration | Preventive | |
| Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | Configuration | Preventive | |
| Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | Configuration | Preventive | |
| Configure the "Turn Off Event Views 'Events.asp' Links" setting. CC ID 05385 | Configuration | Preventive | |
| Configure "Turn Off Handwriting Recognition Error Reporting" to organizational standards. CC ID 05386 | Configuration | Preventive | |
| Configure the "Turn off Help and Support Center 'Did You Know?' content" setting. CC ID 05387 | Configuration | Preventive | |
| Configure the "Turn Off Help and Support Center Microsoft Knowledge Base Search" setting. CC ID 05388 | Configuration | Preventive | |
| Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | Configuration | Preventive | |
| Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | Configuration | Preventive | |
| Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | Configuration | Preventive | |
| Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | Configuration | Preventive | |
| Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | Configuration | Preventive | |
| Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | Configuration | Preventive | |
| Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | Configuration | Preventive | |
| Configure the "Allow only Vista or later connections" setting. CC ID 05396 | Configuration | Preventive | |
| Configure the "Turn on bandwidth optimization" setting. CC ID 05397 | Configuration | Preventive | |
| Configure the "Prevent IIS Installation" setting. CC ID 05398 | Configuration | Preventive | |
| Configure the "Turn off Active Help" setting. CC ID 05399 | Configuration | Preventive | |
| Configure the "Turn off Untrusted Content" setting. CC ID 05400 | Configuration | Preventive | |
| Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | Configuration | Preventive | |
| Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | Configuration | Preventive | |
| Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | Configuration | Preventive | |
| Configure the "Turn off Windows Calendar" setting. CC ID 05404 | Configuration | Preventive | |
| Configure the "Turn off Windows Defender" setting. CC ID 05405 | Configuration | Preventive | |
| Configure the "Turn off Heap termination on corruption" setting to organizational standards. CC ID 05406 | Configuration | Preventive | |
| Configure the "Turn off shell protocol protected mode" setting to organizational standards. CC ID 05407 | Configuration | Preventive | |
| Configure the "Prohibit non-administrators from applying vendor signed updates" setting. CC ID 05408 | Configuration | Preventive | |
| Configure the "Report when logon server was not available during user logon" setting. CC ID 05409 | Configuration | Preventive | |
| Configure the "Turn off the communication features" setting. CC ID 05410 | Configuration | Preventive | |
| Configure the "Turn off Windows Mail application" setting. CC ID 05411 | Configuration | Preventive | |
| Configure the "Prevent Windows Media DRM Internet Access" setting. CC ID 05412 | Configuration | Preventive | |
| Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | Configuration | Preventive | |
| Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | Configuration | Preventive | |
| Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | Configuration | Preventive | |
| Configure the "Override the More Gadgets Link" setting. CC ID 05416 | Configuration | Preventive | |
| Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | Configuration | Preventive | |
| Configure the "Do not allow Digital Locker to run" setting. CC ID 05418 | Configuration | Preventive | |
| Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | Configuration | Preventive | |
| Configure "Turn on Responder (RSPNDR) driver" to organizational standards. CC ID 05420 | Configuration | Preventive | |
| Verify ExecShield has been randomly placed in Virtual Memory regions. CC ID 05436 | Configuration | Preventive | |
| Enable the ExecShield, as appropriate. CC ID 05421 | Configuration | Preventive | |
| Configure Kernel support for the XD/NX processor feature, as appropriate. CC ID 05422 | Configuration | Preventive | |
| Configure the XD/NX processor feature in the BIOS, as appropriate. CC ID 05423 | Configuration | Preventive | |
| Configure the Shell for the bin account properly. CC ID 05424 | Configuration | Preventive | |
| Configure the Shell for the nuucp account properly. CC ID 05425 | Configuration | Preventive | |
| Configure the Shell for the smmsp account properly. CC ID 05426 | Configuration | Preventive | |
| Configure the Shell for the listen account properly. CC ID 05427 | Configuration | Preventive | |
| Configure the Shell for the gdm account properly. CC ID 05428 | Configuration | Preventive | |
| Configure the Shell for the webservd account properly. CC ID 05429 | Configuration | Preventive | |
| Configure the Shell for the nobody account properly. CC ID 05430 | Configuration | Preventive | |
| Configure the Shell for the noaccess account properly. CC ID 05431 | Configuration | Preventive | |
| Configure the Shell for the nobody4 account properly. CC ID 05432 | Configuration | Preventive | |
| Configure the Shell for the adm account properly. CC ID 05433 | Configuration | Preventive | |
| Configure the Shell for the lp account properly. CC ID 05434 | Configuration | Preventive | |
| Configure the Shell for the uucp account properly. CC ID 05435 | Configuration | Preventive | |
| Set the noexec_user_stack parameter properly. CC ID 05437 | Configuration | Preventive | |
| Set the no_exec_user_stack_log parameter properly. CC ID 05438 | Configuration | Preventive | |
| Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | Configuration | Preventive | |
| Set the TCP max connection limit properly. CC ID 05440 | Configuration | Preventive | |
| Set the TCP abort interval properly. CC ID 05441 | Configuration | Preventive | |
| Enable or disable the GNOME screenlock, as appropriate. CC ID 05442 | Configuration | Preventive | |
| Set the ARP cache cleanup interval properly. CC ID 05443 | Configuration | Preventive | |
| Set the ARP IRE scan rate properly. CC ID 05444 | Configuration | Preventive | |
| Disable The "proxy ARP" configurable item on all interfaces. CC ID 06570 | Configuration | Preventive | |
| Set the FileSpaceSwitch variable to an appropriate value. CC ID 05445 | Configuration | Preventive | |
| Set the wakeup switchpoint frequency to an appropriate time interval. CC ID 05446 | Configuration | Preventive | |
| Enable or disable the setuid option on removable storage media, as appropriate. CC ID 05447 | Configuration | Preventive | |
| Configure TCP/IP PMTU Discovery, as appropriate. CC ID 05991 | Configuration | Preventive | |
| Configure Secure Shell to enable or disable empty passwords, as appropriate. CC ID 06016 | Configuration | Preventive | |
| Configure each user's Screen Saver Executable Name. CC ID 06027 | Configuration | Preventive | |
| Configure the NIS+ server to operate at an appropriate security level. CC ID 06038 | Configuration | Preventive | |
| Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | Configuration | Preventive | |
| Configure the "Block saving of Open XML file types" setting, as appropriate. CC ID 06048 | Configuration | Preventive | |
| Enable or disable user-initiated system crashes via the CTRL+SCROLL LOCK+SCROLL LOCK sequence for keyboards. CC ID 06051 | Configuration | Preventive | |
| Configure the "Syskey mode" to organizational standards. CC ID 06052 | Configuration | Preventive | |
| Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | Configuration | Preventive | |
| Configure the "Allow Remote Shell Access" setting, as appropriate. CC ID 06057 | Configuration | Preventive | |
| Configure the "Prevent the computer from joining a homegroup" setting, as appropriate. CC ID 06058 | Configuration | Preventive | |
| Enable or disable the authenticator requirement after waking, as appropriate. CC ID 06059 | Configuration | Preventive | |
| Enable or disable the standby states, as appropriate. CC ID 06060 | Configuration | Preventive | |
| Configure the Trusted Platform Module startup options properly. CC ID 06061 | Configuration | Preventive | |
| Configure the system to purge Policy Caches. CC ID 06569 | Configuration | Preventive | |
| Separate authenticator files and application system data on different file systems. CC ID 06790 | Configuration | Preventive | |
| Configure Application Programming Interfaces to limit or shut down interactivity based upon a rate limit. CC ID 06811 | Configuration | Preventive | |
| Configure the "all world-writable directories" user ownership to organizational standards. CC ID 08714 | Establish/Maintain Documentation | Preventive | |
| Configure the "all rsyslog log" files group ownership to organizational standards. CC ID 08715 | Establish/Maintain Documentation | Preventive | |
| Configure the "all rsyslog log" files user ownership to organizational standards. CC ID 08716 | Establish/Maintain Documentation | Preventive | |
| Configure the "Executable stack" setting to organizational standards. CC ID 08969 | Configuration | Preventive | |
| Configure the "smbpasswd executable" user ownership to organizational standards. CC ID 08975 | Configuration | Preventive | |
| Configure the "traceroute executable" group ownership to organizational standards. CC ID 08980 | Configuration | Preventive | |
| Configure the "traceroute executable" user ownership to organizational standards. CC ID 08981 | Configuration | Preventive | |
| Configure the "Apache configuration" directory group ownership to organizational standards. CC ID 08991 | Configuration | Preventive | |
| Configure the "Apache configuration" directory user ownership to organizational standards. CC ID 08992 | Configuration | Preventive | |
| Configure the "/var/log/httpd/" file group ownership to organizational standards. CC ID 09027 | Configuration | Preventive | |
| Configure the "/etc/httpd/conf.d" file group ownership to organizational standards. CC ID 09028 | Configuration | Preventive | |
| Configure the "/etc/httpd/conf/passwd" file group ownership to organizational standards. CC ID 09029 | Configuration | Preventive | |
| Configure the "/usr/sbin/apachectl" file group ownership to organizational standards. CC ID 09030 | Configuration | Preventive | |
| Configure the "/usr/sbin/httpd" file group ownership to organizational standards. CC ID 09031 | Configuration | Preventive | |
| Configure the "/var/www/html" file group ownership to organizational standards. CC ID 09032 | Configuration | Preventive | |
| Configure the "log files" the "/var/log/httpd/" directory user ownership to organizational standards. CC ID 09034 | Configuration | Preventive | |
| Configure the "/etc/httpd/conf.d" file ownership to organizational standards. CC ID 09035 | Configuration | Preventive | |
| Configure the "/etc/httpd/conf/passwd" file ownership to organizational standards. CC ID 09036 | Configuration | Preventive | |
| Configure the "/usr/sbin/apachectl" file ownership to organizational standards. CC ID 09037 | Configuration | Preventive | |
| Configure the "/usr/sbin/httpd" file ownership to organizational standards. CC ID 09038 | Configuration | Preventive | |
| Configure the "/var/www/html" file ownership to organizational standards. CC ID 09039 | Configuration | Preventive | |
| Configure the "httpd.conf" file user ownership to organizational standards. CC ID 09055 | Configuration | Preventive | |
| Configure the "httpd.conf" group ownership to organizational standards. CC ID 09056 | Configuration | Preventive | |
| Configure the "htpasswd" file user ownership to organizational standards. CC ID 09058 | Configuration | Preventive | |
| Configure the "htpasswd" file group ownership to organizational standards. CC ID 09059 | Configuration | Preventive | |
| Configure the "files specified by CustomLog" user ownership to organizational standards. CC ID 09074 | Configuration | Preventive | |
| Configure the "files specified by CustomLog" group ownership to organizational standards. CC ID 09075 | Configuration | Preventive | |
| Configure the "files specified by ErrorLog" user ownership to organizational standards. CC ID 09076 | Configuration | Preventive | |
| Configure the "files specified by ErrorLog" group ownership to organizational standards. CC ID 09077 | Configuration | Preventive | |
| Configure the "directories specified by ScriptAlias" user ownership to organizational standards. CC ID 09079 | Configuration | Preventive | |
| Configure the "directories specified by ScriptAlias" group ownership to organizational standards. CC ID 09080 | Configuration | Preventive | |
| Configure the "directories specified by ScriptAliasMatch" user ownership to organizational standards. CC ID 09082 | Configuration | Preventive | |
| Configure the "directories specified by ScriptAliasMatch" group ownership to organizational standards. CC ID 09083 | Configuration | Preventive | |
| Configure the "directories specified by DocumentRoot" user ownership to organizational standards. CC ID 09085 | Configuration | Preventive | |
| Configure the "directories specified by DocumentRoot" group ownership to organizational standards. CC ID 09086 | Configuration | Preventive | |
| Configure the "directories specified by Alias" user ownership to organizational standards. CC ID 09088 | Configuration | Preventive | |
| Configure the "directories specified by Alias" group ownership to organizational standards. CC ID 09089 | Configuration | Preventive | |
| Configure the "directories specified by ServerRoot" user ownership to organizational standards. CC ID 09091 | Configuration | Preventive | |
| Configure the "directories specified by ServerRoot" group ownership to organizational standards. CC ID 09092 | Configuration | Preventive | |
| Configure the "apache /bin" directory user ownership to organizational standards. CC ID 09094 | Configuration | Preventive | |
| Configure the "apache /bin" directory group ownership to organizational standards. CC ID 09095 | Configuration | Preventive | |
| Configure the "apache /logs" directory user ownership to organizational standards. CC ID 09097 | Configuration | Preventive | |
| Configure the "apache /logs" directory group ownership to organizational standards. CC ID 09098 | Configuration | Preventive | |
| Configure the "apache /htdocs" directory user ownership to organizational standards. CC ID 09100 | Configuration | Preventive | |
| Configure the "apache /htdocs" directory group ownership to organizational standards. CC ID 09101 | Configuration | Preventive | |
| Configure the "apache /cgi-bin" directory group ownership to organizational standards. CC ID 09104 | Configuration | Preventive | |
| Configure the "User-specific directories" setting to organizational standards. CC ID 09123 | Configuration | Preventive | |
| Configure the "apache process ID" file user ownership to organizational standards. CC ID 09125 | Configuration | Preventive | |
| Configure the "apache process ID" file group ownership to organizational standards. CC ID 09126 | Configuration | Preventive | |
| Configure the "apache scoreboard" file user ownership to organizational standards. CC ID 09128 | Configuration | Preventive | |
| Configure the "apache scoreboard" file group ownership to organizational standards. CC ID 09129 | Configuration | Preventive | |
| Configure the "Ownership of the asymmetric keys" setting to organizational standards. CC ID 09289 | Configuration | Preventive | |
| Configure the "SQLServer2005ReportServerUser" registry key permissions to organizational standards. CC ID 09326 | Configuration | Preventive | |
| Configure the "SQLServerADHelperUser" registry key permissions to organizational standards. CC ID 09329 | Configuration | Preventive | |
| Configure the "Tomcat home" directory user ownership to organizational standards. CC ID 09772 | Configuration | Preventive | |
| Configure the "group" setting for the "Tomcat installation" to organizational standards. CC ID 09773 | Configuration | Preventive | |
| Configure the "tomcat conf/" directory user ownership to organizational standards. CC ID 09774 | Configuration | Preventive | |
| Configure the "tomcat conf/" directory group ownership to organizational standards. CC ID 09775 | Configuration | Preventive | |
| Configure the "tomcat-users.xml" file user ownership to organizational standards. CC ID 09776 | Configuration | Preventive | |
| Configure the "tomcat-users.xml" file group ownership to organizational standards. CC ID 09777 | Configuration | Preventive | |
| Configure the "group membership" setting for "Tomcat" to organizational standards. CC ID 09793 | Configuration | Preventive | |
| Configure the "Tomcat home" directory group ownership to organizational standards. CC ID 09798 | Configuration | Preventive | |
| Configure the "Tomcat home/conf/" directory user ownership to organizational standards. CC ID 09800 | Configuration | Preventive | |
| Configure the "Tomcat home/conf/" directory group ownership to organizational standards. CC ID 09801 | Configuration | Preventive | |
| Configure the "system" files permissions to organizational standards. CC ID 09922 | Configuration | Preventive | |
| Configure the "size limit" setting for the "application log" to organizational standards. CC ID 10063 | Configuration | Preventive | |
| Configure the "restrict guest access to security log" setting to organizational standards. CC ID 10064 | Configuration | Preventive | |
| Configure the "size limit" setting for the "system log" to organizational standards. CC ID 10065 | Configuration | Preventive | |
| Configure the "Automatic Update service" setting to organizational standards. CC ID 10066 | Configuration | Preventive | |
| Configure the "Safe DLL Search Mode" setting to organizational standards. CC ID 10067 | Configuration | Preventive | |
| Configure the "screensaver" setting to organizational standards. CC ID 10068 | Configuration | Preventive | |
| Configure the "screensaver" setting for the "default" user to organizational standards. CC ID 10069 | Configuration | Preventive | |
| Configure the "Enable User Control Over Installs" setting to organizational standards. CC ID 10070 | Configuration | Preventive | |
| Configure the "Enable User to Browser for Source While Elevated" setting to organizational standards. CC ID 10071 | Configuration | Preventive | |
| Configure the "Enable User to Use Media Source While Elevated" setting to organizational standards. CC ID 10072 | Configuration | Preventive | |
| Configure the "Allow Administrator to Install from Terminal Services Session" setting to organizational standards. CC ID 10073 | Configuration | Preventive | |
| Configure the "Enable User to Patch Elevated Products" setting to organizational standards. CC ID 10074 | Configuration | Preventive | |
| Configure the "Cache Transforms in Secure Location" setting to organizational standards. CC ID 10075 | Configuration | Preventive | |
| Configure the "Disable Media Player for automatic updates" setting to organizational standards. CC ID 10076 | Configuration | Preventive | |
| Configure the "Internet access for Windows Messenger" setting to organizational standards. CC ID 10077 | Configuration | Preventive | |
| Configure the "Do Not Automatically Start Windows Messenger" setting to organizational standards. CC ID 10078 | Configuration | Preventive | |
| Configure the "Hide Property Pages" setting for the "task scheduler" to organizational standards. CC ID 10079 | Configuration | Preventive | |
| Configure the "Prohibit New Task Creation" setting for the "task scheduler" to organizational standards. CC ID 10080 | Configuration | Preventive | |
| Configure "Set time limit for disconnected sessions" to organizational standards. CC ID 10081 | Configuration | Preventive | |
| Configure the "Set time limit for idle sessions" setting to organizational standards. CC ID 10082 | Configuration | Preventive | |
| Configure the "Enable Keep-Alive Messages" setting to organizational standards. CC ID 10083 | Configuration | Preventive | |
| Configure the "Automatic Updates detection frequency" setting to organizational standards. CC ID 10084 | Configuration | Preventive | |
| Configure the "TCPMaxPortsExhausted" setting to organizational standards. CC ID 10085 | Configuration | Preventive | |
| Configure the "built-in Administrator" account to organizational standards. CC ID 10086 | Configuration | Preventive | |
| Configure the "Prevent System Maintenance of Computer Account Password" setting to organizational standards. CC ID 10087 | Configuration | Preventive | |
| Configure the "Digitally Sign Client Communication (When Possible)" setting to organizational standards. CC ID 10088 | Configuration | Preventive | |
| Configure the "number of SYN-ACK retransmissions sent when attempting to respond to a SYN request" setting to organizational standards. CC ID 10089 | Configuration | Preventive | |
| Configure the "warning level" setting for the "audit log" to organizational standards. CC ID 10090 | Configuration | Preventive | |
| Configure the "Change Password" setting for the "Ctrl+Alt+Del dialog" to organizational standards. CC ID 10091 | Configuration | Preventive | |
| Configure the "account description" setting for the "built-in Administrator" account to organizational standards. CC ID 10092 | Configuration | Preventive | |
| Configure the "Decoy Admin Account Not Disabled" setting to organizational standards. CC ID 10201 | Configuration | Preventive | |
| Configure the "when maximum log size is reached" setting for the "Application log" to organizational standards. CC ID 10202 | Configuration | Preventive | |
| Configure the "password filtering DLL" setting to organizational standards. CC ID 10203 | Configuration | Preventive | |
| Configure the "Anonymous access to the registry" setting to organizational standards. CC ID 10204 | Configuration | Preventive | |
| Configure the "Automatic Execution" setting for the "System Debugger" to organizational standards. CC ID 10205 | Configuration | Preventive | |
| Configure the "CD-ROM Autorun" setting to organizational standards. CC ID 10206 | Configuration | Preventive | |
| Configure the "ResetBrowser Frames" setting to organizational standards. CC ID 10207 | Configuration | Preventive | |
| Configure the "Dr. Watson Crash Dumps" setting to organizational standards. CC ID 10208 | Configuration | Preventive | |
| Configure the "File System Checker and Popups" setting to organizational standards. CC ID 10209 | Configuration | Preventive | |
| Configure the "System File Checker" setting to organizational standards. CC ID 10210 | Configuration | Preventive | |
| Configure the "System File Checker Progress Meter" setting to organizational standards. CC ID 10211 | Configuration | Preventive | |
| Configure the "number of TCP/IP Maximum Half-open Sockets" setting to organizational standards. CC ID 10212 | Configuration | Preventive | |
| Configure the "number of TCP/IP Maximum Retried Half-open Sockets" setting to organizational standards. CC ID 10213 | Configuration | Preventive | |
| Configure the "Protect Kernel object attributes" setting to organizational standards. CC ID 10214 | Configuration | Preventive | |
| Configure the "Unsigned Non-Driver Installation Behavior" setting to organizational standards. CC ID 10215 | Configuration | Preventive | |
| Configure the "Automatically Log Off Users When Logon Time Expires (local)" setting to organizational standards. CC ID 10216 | Configuration | Preventive | |
| Configure the "Local volumes" setting to organizational standards. CC ID 10217 | Configuration | Preventive | |
| Configure the "Unused USB Ports" setting to organizational standards. CC ID 10218 | Configuration | Preventive | |
| Configure the "Set Safe for Scripting" setting to organizational standards. CC ID 10219 | Configuration | Preventive | |
| Configure the "Use of the Recycle Bin on file deletion" setting to organizational standards. CC ID 10220 | Configuration | Preventive | |
| Configure the "Membership in the Power Users group" setting to organizational standards. CC ID 10224 | Configuration | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "security log" to organizational standards. CC ID 10225 | Configuration | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "application log" to organizational standards. CC ID 10226 | Configuration | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "system log" to organizational standards. CC ID 10227 | Configuration | Preventive | |
| Configure the "Syskey Encryption Key location and password method" setting to organizational standards. CC ID 10228 | Configuration | Preventive | |
| Configure the "Os2LibPath environmental variable" setting to organizational standards. CC ID 10229 | Configuration | Preventive | |
| Configure the "path to the Microsoft OS/2 version 1.x library" setting to organizational standards. CC ID 10230 | Configuration | Preventive | |
| Configure the "location of the OS/2 subsystem" setting to organizational standards. CC ID 10231 | Configuration | Preventive | |
| Configure the "location of the POSIX subsystem" setting to organizational standards. CC ID 10232 | Configuration | Preventive | |
| Configure the "path to the debugger used for Just-In-Time debugging" setting to organizational standards. CC ID 10234 | Configuration | Preventive | |
| Configure the "Distributed Component Object Model (DCOM)" setting to organizational standards. CC ID 10235 | Configuration | Preventive | |
| Configure the "The "encryption algorithm" setting for "EFS"" setting to organizational standards. CC ID 10236 | Configuration | Preventive | |
| Configure the "Interix Subsystem Startup service startup type" setting to organizational standards. CC ID 10238 | Configuration | Preventive | |
| Configure the "Services for Unix Perl Socket service startup type" setting to organizational standards. CC ID 10247 | Configuration | Preventive | |
| Configure the "Services for Unix Windows Cron service startup type" setting to organizational standards. CC ID 10248 | Configuration | Preventive | |
| Configure the "fDisableCdm" setting to organizational standards. CC ID 10259 | Configuration | Preventive | |
| Configure the "fDisableClip" setting to organizational standards. CC ID 10260 | Configuration | Preventive | |
| Configure the "Inheritance of the shadow setting" setting to organizational standards. CC ID 10261 | Configuration | Preventive | |
| Configure the "remote control configuration" setting to organizational standards. CC ID 10262 | Configuration | Preventive | |
| Configure the "fDisableCam" setting to organizational standards. CC ID 10263 | Configuration | Preventive | |
| Configure the "fDisableCcm" setting to organizational standards. CC ID 10264 | Configuration | Preventive | |
| Configure the "fDisableLPT" setting to organizational standards. CC ID 10265 | Configuration | Preventive | |
| Configure the "ActiveX installation policy for sites in Trusted zones" setting to organizational standards. CC ID 10691 | Configuration | Preventive | |
| Configure the "Add the Administrators security group to roaming user profiles" setting to organizational standards. CC ID 10694 | Configuration | Preventive | |
| Configure the "Administratively assigned offline files" setting to organizational standards. CC ID 10695 | Configuration | Preventive | |
| Configure the "Apply policy to removable media" setting to organizational standards. CC ID 10756 | Configuration | Preventive | |
| Configure the "Baseline file cache maximum size" setting to organizational standards. CC ID 10763 | Configuration | Preventive | |
| Configure the "Check for New Signatures Before Scheduled Scans" setting to organizational standards. CC ID 10770 | Configuration | Preventive | |
| Configure the "Check published state" setting to organizational standards. CC ID 10771 | Configuration | Preventive | |
| Configure the "Communities" setting to organizational standards. CC ID 10772 | Configuration | Preventive | |
| Configure the "Computer location" setting to organizational standards. CC ID 10773 | Configuration | Preventive | |
| Configure the "Background Sync" setting to organizational standards. CC ID 10775 | Configuration | Preventive | |
| Configure the "Corporate Windows Error Reporting" setting to organizational standards. CC ID 10777 | Configuration | Preventive | |
| Configure the "Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10778 | Configuration | Preventive | |
| Configure the "Default consent" setting to organizational standards. CC ID 10780 | Configuration | Preventive | |
| Configure the "list of IEEE 1667 silos usable on your computer" setting to organizational standards. CC ID 10792 | Configuration | Preventive | |
| Configure the "Microsoft SpyNet Reporting" setting to organizational standards. CC ID 10794 | Configuration | Preventive | |
| Configure the "MSI Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10795 | Configuration | Preventive | |
| Configure the "Reliability WMI Providers" setting to organizational standards. CC ID 10804 | Configuration | Preventive | |
| Configure the "Report Archive" setting to organizational standards. CC ID 10805 | Configuration | Preventive | |
| Configure the "Report Queue" setting to organizational standards. CC ID 10806 | Configuration | Preventive | |
| Configure the "root certificate clean up" setting to organizational standards. CC ID 10807 | Configuration | Preventive | |
| Configure the "Security Policy for Scripted Diagnostics" setting to organizational standards. CC ID 10816 | Configuration | Preventive | |
| Configure the "list of blocked TPM commands" setting to organizational standards. CC ID 10822 | Configuration | Preventive | |
| Configure the "refresh interval for Server Manager" setting to organizational standards. CC ID 10823 | Configuration | Preventive | |
| Configure the "server address, refresh interval, and issuer certificate authority of a target Subscription Manager" setting to organizational standards. CC ID 10824 | Configuration | Preventive | |
| Configure the "Customize consent settings" setting to organizational standards. CC ID 10837 | Configuration | Preventive | |
| Configure the "Default behavior for AutoRun" setting to organizational standards. CC ID 10839 | Configuration | Preventive | |
| Configure the "Define Activation Security Check exemptions" setting to organizational standards. CC ID 10841 | Configuration | Preventive | |
| Configure the "Define host name-to-Kerberos realm mappings" setting to organizational standards. CC ID 10842 | Configuration | Preventive | |
| Configure the "Define interoperable Kerberos V5 realm settings" setting to organizational standards. CC ID 10843 | Configuration | Preventive | |
| Configure the "Delay Restart for scheduled installations" setting to organizational standards. CC ID 10844 | Configuration | Preventive | |
| Configure the "Delete cached copies of roaming profiles" setting to organizational standards. CC ID 10845 | Configuration | Preventive | |
| Configure the "Delete user profiles older than a specified number of days on system restart" setting to organizational standards. CC ID 10847 | Configuration | Preventive | |
| Configure the "Diagnostics: Configure scenario retention" setting to organizational standards. CC ID 10857 | Configuration | Preventive | |
| Configure the "Directory pruning interval" setting to organizational standards. CC ID 10858 | Configuration | Preventive | |
| Configure the "Directory pruning priority" setting to organizational standards. CC ID 10859 | Configuration | Preventive | |
| Configure the "Directory pruning retry" setting to organizational standards. CC ID 10860 | Configuration | Preventive | |
| Configure the "Disk Diagnostic: Configure custom alert text" setting to organizational standards. CC ID 10882 | Configuration | Preventive | |
| Configure the "Display Shutdown Event Tracker" setting to organizational standards. CC ID 10888 | Configuration | Preventive | |
| Configure the "Display string when smart card is blocked" setting to organizational standards. CC ID 10889 | Configuration | Preventive | |
| Configure the "Do not automatically encrypt files moved to encrypted folders" setting to organizational standards. CC ID 10924 | Configuration | Preventive | |
| Configure the "Do not check for user ownership of Roaming Profile Folders" setting to organizational standards. CC ID 10925 | Configuration | Preventive | |
| Configure the "Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names" setting to organizational standards. CC ID 10932 | Configuration | Preventive | |
| Configure the "Do not send additional data" machine setting should be configured correctly. to organizational standards. CC ID 10934 | Configuration | Preventive | |
| Configure the "Domain Controller Address Type Returned" setting to organizational standards. CC ID 10939 | Configuration | Preventive | |
| Configure the "Domain Location Determination URL" setting to organizational standards. CC ID 10940 | Configuration | Preventive | |
| Configure the "Don't set the always do this checkbox" setting to organizational standards. CC ID 10941 | Configuration | Preventive | |
| Configure the "Download missing COM components" setting to organizational standards. CC ID 10942 | Configuration | Preventive | |
| Configure the "Dynamic Update" setting to organizational standards. CC ID 10944 | Configuration | Preventive | |
| Configure the "Enable client-side targeting" setting to organizational standards. CC ID 10946 | Configuration | Preventive | |
| Configure the "Enable NTFS pagefile encryption" setting to organizational standards. CC ID 10948 | Configuration | Preventive | |
| Configure the "Enable Persistent Time Stamp" setting to organizational standards. CC ID 10949 | Configuration | Preventive | |
| Configure the "Enable Transparent Caching" setting to organizational standards. CC ID 10950 | Configuration | Preventive | |
| Configure the "Enable Windows NTP Client" setting to organizational standards. CC ID 10951 | Configuration | Preventive | |
| Configure the "Enable Windows NTP Server" setting to organizational standards. CC ID 10952 | Configuration | Preventive | |
| Configure the "Encrypt the Offline Files cache" setting to organizational standards. CC ID 10955 | Configuration | Preventive | |
| Configure the "Enforce upgrade component rules" setting to organizational standards. CC ID 10958 | Configuration | Preventive | |
| Configure the "Events.asp program" setting to organizational standards. CC ID 10959 | Configuration | Preventive | |
| Configure the "Events.asp program command line parameters" setting to organizational standards. CC ID 10960 | Configuration | Preventive | |
| Configure the "Events.asp URL" setting to organizational standards. CC ID 10961 | Configuration | Preventive | |
| Configure the "Exclude credential providers" setting to organizational standards. CC ID 10962 | Configuration | Preventive | |
| Configure the "Exclude files from being cached" setting to organizational standards. CC ID 10963 | Configuration | Preventive | |
| Configure the "Final DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10968 | Configuration | Preventive | |
| Configure the "For tablet pen input, don't show the Input Panel icon" setting to organizational standards. CC ID 10973 | Configuration | Preventive | |
| Configure the "For touch input, don't show the Input Panel icon" setting to organizational standards. CC ID 10974 | Configuration | Preventive | |
| Configure the "Force Rediscovery Interval" setting to organizational standards. CC ID 10975 | Configuration | Preventive | |
| Configure the "Force selected system UI language to overwrite the user UI language" setting to organizational standards. CC ID 10976 | Configuration | Preventive | |
| Configure the "Force the reading of all certificates from the smart card" setting to organizational standards. CC ID 10977 | Configuration | Preventive | |
| Configure the "ForwarderResourceUsage" setting to organizational standards. CC ID 10978 | Configuration | Preventive | |
| Configure the "Global Configuration Settings" setting to organizational standards. CC ID 10979 | Configuration | Preventive | |
| Configure the "Hash Publication for BranchCache" setting to organizational standards. CC ID 10986 | Configuration | Preventive | |
| Configure the "Hide entry points for Fast User Switching" setting to organizational standards. CC ID 10987 | Configuration | Preventive | |
| Configure the "Hide notifications about RD Licensing problems that affect the RD Session Host server" setting to organizational standards. CC ID 10988 | Configuration | Preventive | |
| Configure the "Hide previous versions list for local files" setting to organizational standards. CC ID 10989 | Configuration | Preventive | |
| Configure the "Hide previous versions of files on backup location" setting to organizational standards. CC ID 10991 | Configuration | Preventive | |
| Configure the "Ignore custom consent settings" setting to organizational standards. CC ID 10992 | Configuration | Preventive | |
| Configure the "Ignore Delegation Failure" setting to organizational standards. CC ID 10993 | Configuration | Preventive | |
| Configure the "Ignore the default list of blocked TPM commands" setting to organizational standards. CC ID 10994 | Configuration | Preventive | |
| Configure the "Ignore the local list of blocked TPM commands" setting to organizational standards. CC ID 10995 | Configuration | Preventive | |
| Configure the "Include rarely used Chinese, Kanji, or Hanja characters" setting to organizational standards. CC ID 10996 | Configuration | Preventive | |
| Configure the "Initial DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10997 | Configuration | Preventive | |
| Configure the "IP-HTTPS State" setting to organizational standards. CC ID 11000 | Configuration | Preventive | |
| Configure the "ISATAP Router Name" setting to organizational standards. CC ID 11001 | Configuration | Preventive | |
| Configure the "ISATAP State" setting to organizational standards. CC ID 11002 | Configuration | Preventive | |
| Configure the "License server security group" setting to organizational standards. CC ID 11005 | Configuration | Preventive | |
| Configure the "List of applications to be excluded" setting to organizational standards. CC ID 11023 | Configuration | Preventive | |
| Configure the "Lock Enhanced Storage when the computer is locked" setting to organizational standards. CC ID 11025 | Configuration | Preventive | |
| Configure the "Make Parental Controls control panel visible on a Domain" setting to organizational standards. CC ID 11039 | Configuration | Preventive | |
| Configure the "MaxConcurrentUsers" setting to organizational standards. CC ID 11040 | Configuration | Preventive | |
| Configure the "Maximum DC Discovery Retry Interval Setting for Background Callers" setting to organizational standards. CC ID 11041 | Configuration | Preventive | |
| Configure the "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider" setting to organizational standards. CC ID 11045 | Configuration | Preventive | |
| Configure the "Negative DC Discovery Cache Setting" setting to organizational standards. CC ID 11047 | Configuration | Preventive | |
| Configure the "Non-conforming packets" setting to organizational standards. CC ID 11053 | Configuration | Preventive | |
| Configure the "Notify blocked drivers" setting to organizational standards. CC ID 11054 | Configuration | Preventive | |
| Configure the "Notify user of successful smart card driver installation" setting to organizational standards. CC ID 11055 | Configuration | Preventive | |
| Configure the "Permitted Managers" setting to organizational standards. CC ID 11062 | Configuration | Preventive | |
| Configure the "Positive Periodic DC Cache Refresh for Background Callers" setting to organizational standards. CC ID 11063 | Configuration | Preventive | |
| Configure the "Positive Periodic DC Cache Refresh for Non-Background Callers" setting to organizational standards. CC ID 11064 | Configuration | Preventive | |
| Configure the "Prioritize all digitally signed drivers equally during the driver ranking and selection process" setting to organizational standards. CC ID 11098 | Configuration | Preventive | |
| Configure the "Prompt for credentials on the client computer" setting to organizational standards. CC ID 11108 | Configuration | Preventive | |
| Configure the "Propagation of extended error information" setting to organizational standards. CC ID 11110 | Configuration | Preventive | |
| Configure the "Register PTR Records" setting to organizational standards. CC ID 11121 | Configuration | Preventive | |
| Configure the "Registration Refresh Interval" setting to organizational standards. CC ID 11122 | Configuration | Preventive | |
| Configure the "Remove Program Compatibility Property Page" setting to organizational standards. CC ID 11128 | Configuration | Preventive | |
| Configure the "Remove users ability to invoke machine policy refresh" setting to organizational standards. CC ID 11129 | Configuration | Preventive | |
| Configure the "Remove Windows Security item from Start menu" setting to organizational standards. CC ID 11130 | Configuration | Preventive | |
| Configure the "Re-prompt for restart with scheduled installations" setting to organizational standards. CC ID 11131 | Configuration | Preventive | |
| Configure the "Require secure RPC communication" setting to organizational standards. CC ID 11134 | Configuration | Preventive | |
| Configure the "Require strict KDC validation" setting to organizational standards. CC ID 11135 | Configuration | Preventive | |
| Configure the "Reverse the subject name stored in a certificate when displaying" setting to organizational standards. CC ID 11148 | Configuration | Preventive | |
| Configure the "RPC Troubleshooting State Information" setting to organizational standards. CC ID 11150 | Configuration | Preventive | |
| Configure the "Run shutdown scripts visible" setting to organizational standards. CC ID 11152 | Configuration | Preventive | |
| Configure the "Run startup scripts asynchronously" setting to organizational standards. CC ID 11153 | Configuration | Preventive | |
| Configure the "Run startup scripts visible" setting to organizational standards. CC ID 11154 | Configuration | Preventive | |
| Configure the "Scavenge Interval" setting to organizational standards. CC ID 11158 | Configuration | Preventive | |
| Configure the "Server Authentication Certificate Template" setting to organizational standards. CC ID 11170 | Configuration | Preventive | |
| Configure the "Set BranchCache Distributed Cache mode" setting to organizational standards. CC ID 11172 | Configuration | Preventive | |
| Configure the "Set BranchCache Hosted Cache mode" setting to organizational standards. CC ID 11173 | Configuration | Preventive | |
| Configure the "Set compression algorithm for RDP data" setting to organizational standards. CC ID 11174 | Configuration | Preventive | |
| Configure the "Set percentage of disk space used for client computer cache" setting to organizational standards. CC ID 11177 | Configuration | Preventive | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Global" to organizational standards. CC ID 11178 | Configuration | Preventive | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Site Local" to organizational standards. CC ID 11180 | Configuration | Preventive | |
| Configure the "Set the Email IDs to which notifications are to be sent" setting to organizational standards. CC ID 11184 | Configuration | Preventive | |
| Configure the "Set the map update interval for NIS subordinate servers" setting to organizational standards. CC ID 11186 | Configuration | Preventive | |
| Configure the "Set the Seed Server" setting for "IPv6 Global" to organizational standards. CC ID 11189 | Configuration | Preventive | |
| Configure the "Set the Seed Server" setting for "IPv6 Site Local" to organizational standards. CC ID 11191 | Configuration | Preventive | |
| Configure the "Set the SMTP Server used to send notifications" setting to organizational standards. CC ID 11192 | Configuration | Preventive | |
| Configure the "Set timer resolution" setting to organizational standards. CC ID 11196 | Configuration | Preventive | |
| Configure the "Sets how often a DFS Client discovers DC's" setting to organizational standards. CC ID 11199 | Configuration | Preventive | |
| Configure the "Short name creation options" setting to organizational standards. CC ID 11200 | Configuration | Preventive | |
| Configure the "Site Name" setting to organizational standards. CC ID 11201 | Configuration | Preventive | |
| Configure the "Specify a default color" setting to organizational standards. CC ID 11208 | Configuration | Preventive | |
| Configure the "Specify idle Timeout" setting to organizational standards. CC ID 11210 | Configuration | Preventive | |
| Configure the "Specify maximum amount of memory in MB per Shell" setting to organizational standards. CC ID 11211 | Configuration | Preventive | |
| Configure the "Specify maximum number of processes per Shell" setting to organizational standards. CC ID 11212 | Configuration | Preventive | |
| Configure the "Specify Shell Timeout" setting to organizational standards. CC ID 11216 | Configuration | Preventive | |
| Configure the "Specify Windows installation file location" setting to organizational standards. CC ID 11225 | Configuration | Preventive | |
| Configure the "Specify Windows Service Pack installation file location" setting to organizational standards. CC ID 11226 | Configuration | Preventive | |
| Configure the "SSL Cipher Suite Order" setting to organizational standards. CC ID 11227 | Configuration | Preventive | |
| Configure the "Switch to the Simplified Chinese (PRC) gestures" setting to organizational standards. CC ID 11230 | Configuration | Preventive | |
| Configure the "Sysvol share compatibility" setting to organizational standards. CC ID 11231 | Configuration | Preventive | |
| Configure the "Tag Windows Customer Experience Improvement data with Study Identifier" setting to organizational standards. CC ID 11232 | Configuration | Preventive | |
| Configure the "Teredo Client Port" setting to organizational standards. CC ID 11236 | Configuration | Preventive | |
| Configure the "Teredo Default Qualified" setting to organizational standards. CC ID 11237 | Configuration | Preventive | |
| Configure the "Teredo Refresh Rate" setting to organizational standards. CC ID 11238 | Configuration | Preventive | |
| Configure the "Teredo Server Name" setting to organizational standards. CC ID 11239 | Configuration | Preventive | |
| Configure the "Teredo State" setting to organizational standards. CC ID 11240 | Configuration | Preventive | |
| Configure the "Time (in seconds) to force reboot" setting to organizational standards. CC ID 11242 | Configuration | Preventive | |
| Configure the "Time (in seconds) to force reboot when required for policy changes to take effect" setting to organizational standards. CC ID 11243 | Configuration | Preventive | |
| Configure the "Timeout for fast user switching events" setting to organizational standards. CC ID 11244 | Configuration | Preventive | |
| Configure the "Traps for public community" setting to organizational standards. CC ID 11246 | Configuration | Preventive | |
| Configure the "Trusted Hosts" setting to organizational standards. CC ID 11249 | Configuration | Preventive | |
| Configure the "Try Next Closest Site" setting to organizational standards. CC ID 11250 | Configuration | Preventive | |
| Configure the "TTL Set in the A and PTR records" setting to organizational standards. CC ID 11251 | Configuration | Preventive | |
| Configure the "Turn on Accounting for WSRM" setting to organizational standards. CC ID 11333 | Configuration | Preventive | |
| Configure the "Turn on BranchCache" setting to organizational standards. CC ID 11334 | Configuration | Preventive | |
| Configure the "Turn on certificate propagation from smart card" setting to organizational standards. CC ID 11335 | Configuration | Preventive | |
| Configure the "Turn On Compatibility HTTP Listener" setting to organizational standards. CC ID 11336 | Configuration | Preventive | |
| Configure the "Turn On Compatibility HTTPS Listener" setting to organizational standards. CC ID 11337 | Configuration | Preventive | |
| Configure the "Turn on definition updates through both WSUS and the Microsoft Malware Protection Center" setting to organizational standards. CC ID 11338 | Configuration | Preventive | |
| Configure the "Turn on definition updates through both WSUS and Windows Update" setting to organizational standards. CC ID 11339 | Configuration | Preventive | |
| Configure the "Turn on economical application of administratively assigned Offline Files" setting to organizational standards. CC ID 11342 | Configuration | Preventive | |
| Configure the "Turn on Mapper I/O (LLTDIO) driver" setting to organizational standards. CC ID 11346 | Configuration | Preventive | |
| Configure the "Turn on recommended updates via Automatic Updates" setting to organizational standards. CC ID 11347 | Configuration | Preventive | |
| Configure the "Turn on root certificate propagation from smart card" setting to organizational standards. CC ID 11349 | Configuration | Preventive | |
| Configure the "Turn on Software Notifications" setting to organizational standards. CC ID 11352 | Configuration | Preventive | |
| Configure the "Turn on TPM backup to Active Directory Domain Services" setting to organizational standards. CC ID 11356 | Configuration | Preventive | |
| Configure the "Use forest search order" setting for "Key Distribution Center (KDC) searches" to organizational standards. CC ID 11359 | Configuration | Preventive | |
| Configure the "Use forest search order" setting for "Kerberos client searches" to organizational standards. CC ID 11360 | Configuration | Preventive | |
| Configure the "Use IP Address Redirection" setting to organizational standards. CC ID 11361 | Configuration | Preventive | |
| Configure the "Use localized subfolder names when redirecting Start Menu and My Documents" setting to organizational standards. CC ID 11362 | Configuration | Preventive | |
| Configure the "Use mandatory profiles on the RD Session Host server" setting to organizational standards. CC ID 11363 | Configuration | Preventive | |
| Configure the "Verbose vs normal status messages" setting to organizational standards. CC ID 11368 | Configuration | Preventive | |
| Configure the "Verify old and new Folder Redirection targets point to the same share before redirecting" setting to organizational standards. CC ID 11369 | Configuration | Preventive | |
| Configure the "Windows Scaling Heuristics State" setting to organizational standards. CC ID 11372 | Configuration | Preventive | |
| Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | Configuration | Preventive | |
| Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | Configuration | Preventive | |
| Configure the "shadow" group to organizational standards. CC ID 11386 | Configuration | Preventive | |
| Configure the "AppArmor" setting to organizational standards. CC ID 11387 | Configuration | Preventive | |
| Disable or configure the e-mail server, as necessary. CC ID 06563 | Configuration | Preventive | |
| Configure e-mail servers to enable receiver-side verification. CC ID 12223 [{spoofed e-mail message} To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. CIS Control 9: Safeguard 9.5 Implement DMARC {spoofed e-mail message} To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. CIS Control 9: Safeguard 9.5 Implement DMARC] | Configuration | Preventive | |
| Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | Configuration | Preventive | |
| Configure user accounts. CC ID 07036 | Configuration | Preventive | |
| Remove unnecessary default accounts. CC ID 01539 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | Configuration | Preventive | |
| Disable or delete shared User IDs. CC ID 12478 | Configuration | Corrective | |
| Verify that no UID 0 accounts exist other than root. CC ID 01585 | Configuration | Detective | |
| Disable or delete generic user IDs. CC ID 12479 | Configuration | Corrective | |
| Disable all unnecessary user identifiers. CC ID 02185 | Configuration | Preventive | |
| Remove unnecessary user credentials. CC ID 16409 | Configuration | Preventive | |
| Remove the root user as appropriate. CC ID 01582 | Configuration | Preventive | |
| Disable or remove the null account. CC ID 06572 | Configuration | Preventive | |
| Configure accounts with administrative privilege. CC ID 07033 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account. CIS Control 5: Safeguard 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts] | Configuration | Preventive | |
| Employ multifactor authentication for accounts with administrative privilege. CC ID 12496 [Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider. CIS Control 6: Safeguard 6.5 Require MFA for Administrative Access] | Technical Security | Preventive | |
| Disable root logons or limit the logons to the system console. CC ID 01573 | Configuration | Preventive | |
| Encrypt non-console administrative access. CC ID 00883 | Configuration | Preventive | |
| Invoke a strong encryption method before requesting an authenticator. CC ID 11986 | Technical Security | Preventive | |
| Configure the default group for the root user. CC ID 01586 | Configuration | Preventive | |
| Rename or disable the Administrator Account. CC ID 01721 | Configuration | Preventive | |
| Create a backup administrator account. CC ID 04497 | Configuration | Preventive | |
| Configure mobile device settings in accordance with organizational standards. CC ID 04600 | Configuration | Preventive | |
| Configure mobile devices to organizational standards. CC ID 04639 [Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data. CIS Control 4: Safeguard 4.12 Separate Enterprise Workspaces on Mobile End-User Devices] | Configuration | Preventive | |
| Configure mobile devices to separate organizational data from personal data. CC ID 16463 | Configuration | Preventive | |
| Configure the mobile device properties to organizational standards. CC ID 04640 | Configuration | Preventive | |
| Configure the mobile device menu items to organizational standards. CC ID 04641 | Configuration | Preventive | |
| Configure the BlackBerry handheld device driver settings. CC ID 04642 | Configuration | Preventive | |
| Configure e-mail security settings in accordance with organizational standards. CC ID 07055 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | Configuration | Preventive | |
| Configure e-mail to limit the number of recipients per message. CC ID 07056 | Configuration | Preventive | |
| Configure Logging settings in accordance with organizational standards. CC ID 07611 | Configuration | Preventive | |
| Configure the storage parameters for all logs. CC ID 06330 [{be adequate} Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process. CIS Control 8: Safeguard 8.3 Ensure Adequate Audit Log Storage] | Configuration | Preventive | |
| Configure sufficient log storage capacity and prevent the capacity from being exceeded. CC ID 01425 | Configuration | Preventive | |
| Configure the log retention method. CC ID 01715 | Configuration | Preventive | |
| Configure the log retention size. CC ID 01716 | Configuration | Preventive | |
| Configure syslogd to send logs to a Remote LogHost. CC ID 01526 | Configuration | Preventive | |
| Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | Configuration | Preventive | |
| Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 | Log Management | Detective | |
| Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 | Log Management | Detective | |
| Configure the log to capture the user's identification. CC ID 01334 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | Configuration | Preventive | |
| Configure the log to capture a date and time stamp. CC ID 01336 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | Configuration | Preventive | |
| Configure the log to capture each auditable event's origination. CC ID 01338 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | Log Management | Detective | |
| Configure the log to uniquely identify each asset. CC ID 01339 | Configuration | Preventive | |
| Configure the log to capture remote access information. CC ID 05596 | Configuration | Detective | |
| Configure the log to capture the type of each event. CC ID 06423 | Configuration | Preventive | |
| Configure the log to capture the details of electronic signature transactions. CC ID 16910 | Log Management | Preventive | |
| Configure the log to uniquely identify each accessed record. CC ID 16909 | Log Management | Preventive | |
| Configure the log to capture each event's success or failure indication. CC ID 06424 | Configuration | Preventive | |
| Configure all logs to capture auditable events or actionable events. CC ID 06332 [Log sensitive data access, including modification and disposal. CIS Control 3: Safeguard 3.14 Log Sensitive Data Access] | Configuration | Preventive | |
| Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 | Log Management | Preventive | |
| Configure the log to capture startups and shutdowns. CC ID 16491 | Log Management | Preventive | |
| Configure the log to capture user queries and searches. CC ID 16479 | Log Management | Preventive | |
| Configure the log to capture Internet Protocol addresses. CC ID 16495 | Log Management | Preventive | |
| Configure the log to capture error messages. CC ID 16477 | Log Management | Preventive | |
| Configure the log to capture system failures. CC ID 16475 | Log Management | Preventive | |
| Configure the log to capture account lockouts. CC ID 16470 | Configuration | Preventive | |
| Configure the log to capture execution events. CC ID 16469 | Configuration | Preventive | |
| Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 | Log Management | Preventive | |
| Configure the log to capture AWS Organizations changes. CC ID 15445 | Configuration | Preventive | |
| Configure the log to capture Identity and Access Management policy changes. CC ID 15442 | Configuration | Preventive | |
| Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 | Configuration | Preventive | |
| Configure the log to capture route table changes. CC ID 15439 | Configuration | Preventive | |
| Configure the log to capture virtual private cloud changes. CC ID 15435 | Configuration | Preventive | |
| Configure the log to capture changes to encryption keys. CC ID 15432 | Configuration | Preventive | |
| Configure the log to capture unauthorized API calls. CC ID 15429 | Configuration | Preventive | |
| Configure the log to capture changes to network gateways. CC ID 15421 | Configuration | Preventive | |
| Configure the log to capture all malicious code that has been discovered, quarantined, and/or eradicated. CC ID 00577 | Log Management | Detective | |
| Configure the log to capture all spoofed addresses. CC ID 01313 | Configuration | Preventive | |
| Configure the "logging level" to organizational standards. CC ID 14456 | Configuration | Detective | |
| Capture successful operating system access and successful software access. CC ID 00527 | Log Management | Detective | |
| Configure the log to capture hardware and software access attempts. CC ID 01220 | Log Management | Detective | |
| Configure the log to capture all URL requests. CC ID 12138 [Collect URL request audit logs on enterprise assets, where appropriate and supported. CIS Control 8: Safeguard 8.7 Collect URL Request Audit Logs] | Technical Security | Detective | |
| Configure inetd tracing. CC ID 01523 | Configuration | Preventive | |
| Configure the system to capture messages sent to the syslog AUTH facility. CC ID 01525 | Configuration | Preventive | |
| Configure the log to capture logons, logouts, logon attempts, and logout attempts. CC ID 01915 | Log Management | Detective | |
| Configure Cron logging. CC ID 01528 | Configuration | Preventive | |
| Configure the kernel level auditing setting. CC ID 01530 | Configuration | Preventive | |
| Configure the "audit successful file system mounts" setting to organizational standards. CC ID 09923 | Configuration | Preventive | |
| Configure system accounting/system events. CC ID 01529 | Configuration | Preventive | |
| Configure the privilege use auditing setting. CC ID 01699 | Configuration | Preventive | |
| Configure the log to record the Denial of Access that results from an excessive number of unsuccessful logon attempts. CC ID 01919 | Configuration | Preventive | |
| Configure the Audit Process Tracking setting. CC ID 01700 | Configuration | Preventive | |
| Configure the log to capture access to restricted data or restricted information. CC ID 00644 [Log sensitive data access, including modification and disposal. CIS Control 3: Safeguard 3.14 Log Sensitive Data Access] | Log Management | Detective | |
| Configure the EEPROM security-mode accesses and EEPROM log-failed accesses. CC ID 01575 | Configuration | Preventive | |
| Configure the log to capture user identifier, address, port blocking or blacklisting. CC ID 01918 | Configuration | Preventive | |
| Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 | Log Management | Detective | |
| Configure the log to capture identification and authentication mechanism use. CC ID 00648 | Log Management | Detective | |
| Configure the log to capture all access to the audit trail. CC ID 00646 | Log Management | Detective | |
| Configure the log to capture Object access to key directories or key files. CC ID 01697 | Log Management | Detective | |
| Configure the log to capture both access and access attempts to security-relevant objects and security-relevant directories. CC ID 01916 | Log Management | Detective | |
| Configure the log to capture system level object creation and deletion. CC ID 00650 | Log Management | Detective | |
| Enable directory service access events, as appropriate. CC ID 05616 | Configuration | Preventive | |
| Configure the log to capture failed transactions. CC ID 06334 | Configuration | Preventive | |
| Configure the log to capture successful transactions. CC ID 06335 | Configuration | Preventive | |
| Audit non attributable events (na class). CC ID 05604 | Configuration | Preventive | |
| Configure the log to capture configuration changes. CC ID 06881 | Configuration | Preventive | |
| Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 | Configuration | Preventive | |
| Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 | Log Management | Detective | |
| Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | Log Management | Preventive | |
| Configure the log to capture all changes to certificates. CC ID 05595 | Configuration | Preventive | |
| Configure the log to capture user authenticator changes. CC ID 01917 | Log Management | Detective | |
| Configure the "inetd logging" setting to organizational standards. CC ID 08970 | Configuration | Preventive | |
| Configure the "audit sudoers" setting to organizational standards. CC ID 09950 | Configuration | Preventive | |
| Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | Configuration | Preventive | |
| Configure the "Minimum password length" to organizational standards. CC ID 07711 [{minimum number of characters} Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA. CIS Control 5: Safeguard 5.2 Use Unique Passwords] | Configuration | Preventive | |
| Configure security and protection software according to Organizational Standards. CC ID 11917 | Configuration | Preventive | |
| Configure security and protection software to check for up-to-date signature files. CC ID 00576 [Configure automatic updates for anti-malware signature files on all enterprise assets. CIS Control 10: Safeguard 10.2 Configure Automatic Anti-Malware Signature Updates] | Testing | Detective | |
| Configure security and protection software to check e-mail attachments. CC ID 11860 [Block unnecessary file types attempting to enter the enterprise's email gateway. CIS Control 9: Safeguard 9.6 Block Unnecessary File Types] | Configuration | Preventive | |
| Configure the Domain Name System in accordance with organizational standards. CC ID 12202 [Configure trusted DNS servers on network infrastructure. Example implementations include configuring network devices to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. CIS Control 4: Safeguard 4.9 Configure Trusted DNS Servers on Enterprise Assets] | Configuration | Preventive | |
| Configure the Domain Name System query logging to organizational standards. CC ID 12210 [Collect DNS query audit logs on enterprise assets, where appropriate and supported. CIS Control 8: Safeguard 8.6 Collect DNS Query Audit Logs] | Configuration | Preventive | |
| Configure the secure name/address resolution service (recursive or caching resolver). CC ID 01625 | Configuration | Preventive | |
| Configure the secure name/address resolution service (authoritative source). CC ID 01624 | Configuration | Preventive | |
| Configure DNS records in accordance with organizational standards. CC ID 17083 | Configuration | Preventive | |
| Establish, implement, and maintain a Configuration Baseline Documentation Record. CC ID 02130 [Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. CIS Control 16: Safeguard 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure] | Establish/Maintain Documentation | Preventive | |
| Document and approve any changes to the Configuration Baseline Documentation Record. CC ID 12104 | Establish/Maintain Documentation | Preventive | |
| Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 | Configuration | Preventive | |
| Store master images on securely configured servers. CC ID 12089 | Technical Security | Preventive | |
| Test systems to ensure they conform to configuration baselines. CC ID 13062 | Testing | Detective | |
| Update the security configuration of hardened images, as necessary. CC ID 12088 | Technical Security | Corrective | |
Systems design, build, and implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
| Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 | Establish/Maintain Documentation | Preventive | |
| Define and assign the system development project team roles and responsibilities. CC ID 01061 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Establish Roles | Preventive | |
| Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 | Establish Roles | Preventive | |
| Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 | Establish Roles | Preventive | |
| Restrict system architects from being assigned as Administrators. CC ID 01064 | Testing | Detective | |
| Restrict the development team from having access to the production environment. CC ID 01066 | Testing | Detective | |
| Establish, implement, and maintain security design principles. CC ID 14718 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems Design, Build, and Implementation | Preventive | |
| Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems Design, Build, and Implementation | Preventive | |
| Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems Design, Build, and Implementation | Preventive | |
| Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems Design, Build, and Implementation | Preventive | |
| Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems Design, Build, and Implementation | Preventive | |
| Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems Design, Build, and Implementation | Preventive | |
| Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Establish/Maintain Documentation | Preventive | |
| Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems Design, Build, and Implementation | Preventive | |
| Include secure system modification of systems or system components in the security design principles. CC ID 14746 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | Systems Design, Build, and Implementation | Preventive | |
| Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems Design, Build, and Implementation | Preventive | |
| Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems Design, Build, and Implementation | Preventive | |
| Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems Design, Build, and Implementation | Preventive | |
| Include least privilege of systems or system components in the security design principles. CC ID 14742 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | Systems Design, Build, and Implementation | Preventive | |
| Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems Design, Build, and Implementation | Preventive | |
| Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems Design, Build, and Implementation | Preventive | |
| Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems Design, Build, and Implementation | Preventive | |
| Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems Design, Build, and Implementation | Preventive | |
| Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems Design, Build, and Implementation | Preventive | |
| Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems Design, Build, and Implementation | Preventive | |
| Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems Design, Build, and Implementation | Preventive | |
| Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems Design, Build, and Implementation | Preventive | |
| Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems Design, Build, and Implementation | Preventive | |
| Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems Design, Build, and Implementation | Preventive | |
| Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems Design, Build, and Implementation | Preventive | |
| Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems Design, Build, and Implementation | Preventive | |
| Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems Design, Build, and Implementation | Preventive | |
| Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems Design, Build, and Implementation | Preventive | |
| Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems Design, Build, and Implementation | Preventive | |
| Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems Design, Build, and Implementation | Preventive | |
| Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems Design, Build, and Implementation | Preventive | |
| Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems Design, Build, and Implementation | Preventive | |
| Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems Design, Build, and Implementation | Preventive | |
| Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems Design, Build, and Implementation | Preventive | |
| Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a system design project management framework. CC ID 00990 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain project management standards. CC ID 00992 | Establish/Maintain Documentation | Preventive | |
| Perform a risk assessment for each system development project. CC ID 01000 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Testing | Detective | |
| Separate the design and development environment from the production environment. CC ID 06088 [{production system} Maintain separate environments for production and non-production systems. CIS Control 16: Safeguard 16.8 Separate Production and Non-Production Systems] | Systems Design, Build, and Implementation | Preventive | |
| Specify appropriate tools for the system development project. CC ID 06830 | Establish/Maintain Documentation | Preventive | |
| Implement security controls in development endpoints. CC ID 16389 | Testing | Preventive | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems Design, Build, and Implementation | Preventive | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain outsourced development procedures. CC ID 01141 | Establish/Maintain Documentation | Preventive | |
| Supervise and monitor outsourced development projects. CC ID 01096 [Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers] | Monitor and Evaluate Occurrences | Detective | |
| Develop new products based on best practices. CC ID 01095 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a system design specification. CC ID 04557 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Establish/Maintain Documentation | Preventive | |
| Document the system architecture in the system design specification. CC ID 12287 | Establish/Maintain Documentation | Preventive | |
| Include hardware requirements in the system design specification. CC ID 08666 | Establish/Maintain Documentation | Preventive | |
| Include communication links in the system design specification. CC ID 08665 | Establish/Maintain Documentation | Preventive | |
| Include a description of each module and asset in the system design specification. CC ID 11734 | Establish/Maintain Documentation | Preventive | |
| Include supporting software requirements in the system design specification. CC ID 08664 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain Application Programming Interface documentation. CC ID 12203 | Establish/Maintain Documentation | Preventive | |
| Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Establish/Maintain Documentation | Preventive | |
| Include the logical data flows and process steps in the system design specification. CC ID 08668 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Establish/Maintain Documentation | Preventive | |
| Include threat models in the system design specification. CC ID 06829 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Systems Design, Build, and Implementation | Preventive | |
| Include security requirements in the system design specification. CC ID 06826 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 | Establish/Maintain Documentation | Preventive | |
| Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain identification card or badge architectural designs. CC ID 06591 | Process or Activity | Preventive | |
| Define the physical requirements for identification cards or badges in the identification card or badge architectural designs. CC ID 06592 | Process or Activity | Preventive | |
| Define the mandatory items that must appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06593 | Process or Activity | Preventive | |
| Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems Design, Build, and Implementation | Preventive | |
| Define the optional items that may appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06594 | Process or Activity | Preventive | |
| Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems Design, Build, and Implementation | Preventive | |
| Include the logical credential data model for identification cards or badges in the identification card or badge architectural designs. CC ID 06595 | Process or Activity | Preventive | |
| Establish, implement, and maintain a CAPTCHA design specification. CC ID 17092 | Technical Security | Preventive | |
| Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain coding guidelines. CC ID 08661 | Establish/Maintain Documentation | Preventive | |
| Nest elements appropriately in website content using markup languages. CC ID 15154 | Configuration | Preventive | |
| Use valid HTML or other markup languages. CC ID 15153 | Configuration | Preventive | |
| Establish, implement, and maintain human interface guidelines. CC ID 08662 | Establish/Maintain Documentation | Preventive | |
| Ensure users can navigate content. CC ID 15163 | Configuration | Preventive | |
| Create text content using language that is readable and is understandable. CC ID 15167 | Configuration | Preventive | |
| Ensure user interface components are operable. CC ID 15162 | Configuration | Preventive | |
| Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Configuration | Preventive | |
| Allow users to reverse submissions. CC ID 15168 | Configuration | Preventive | |
| Provide a mechanism to control audio. CC ID 15158 | Configuration | Preventive | |
| Allow modification of style properties without loss of content or functionality. CC ID 15156 | Configuration | Preventive | |
| Programmatically determine the name and role of user interface components. CC ID 15148 | Configuration | Preventive | |
| Programmatically determine the language of content. CC ID 15137 | Configuration | Preventive | |
| Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Configuration | Preventive | |
| Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Configuration | Preventive | |
| Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Configuration | Preventive | |
| Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Configuration | Preventive | |
| Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Process or Activity | Preventive | |
| Provide captions for live audio content. CC ID 15120 | Configuration | Preventive | |
| Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Configuration | Preventive | |
| Provide labels or instructions when content requires user input. CC ID 15077 | Configuration | Preventive | |
| Allow users to control auto-updating information, as necessary. CC ID 15159 | Configuration | Preventive | |
| Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Configuration | Preventive | |
| Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Configuration | Preventive | |
| Ensure the purpose of links can be determined through the link text. CC ID 15157 | Configuration | Preventive | |
| Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Configuration | Preventive | |
| Allow the use of time limits, as necessary. CC ID 15155 | Configuration | Preventive | |
| Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Establish/Maintain Documentation | Preventive | |
| Refrain from activating a change of context in a user interface component. CC ID 15115 | Configuration | Preventive | |
| Include functionality for managing user data in human interface guidelines. CC ID 14928 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain User Interface documentation. CC ID 12204 | Establish/Maintain Documentation | Preventive | |
| Include system messages in human interface guidelines. CC ID 08663 | Establish/Maintain Documentation | Preventive | |
| Include measurable system performance requirements in the system design specification. CC ID 08667 | Establish/Maintain Documentation | Preventive | |
| Include the data structure in the system design specification. CC ID 08669 | Establish/Maintain Documentation | Preventive | |
| Include the input and output variables in the system design specification. CC ID 08670 | Establish/Maintain Documentation | Preventive | |
| Include data encryption information in the system design specification. CC ID 12209 | Establish/Maintain Documentation | Preventive | |
| Include records disposition information in the system design specification. CC ID 12208 | Establish/Maintain Documentation | Preventive | |
| Include how data is managed in each module in the system design specification. CC ID 12207 | Establish/Maintain Documentation | Preventive | |
| Include identifying restricted data in the system design specification. CC ID 12206 | Establish/Maintain Documentation | Preventive | |
| Assign appropriate parties to approve the system design specification. CC ID 13070 | Human Resources Management | Preventive | |
| Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Communicate | Preventive | |
| Implement security controls when developing systems. CC ID 06270 [{static analysis tool} Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed. CIS Control 16: Safeguard 16.12 Implement Code-Level Security Checks Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. CIS Control 16: Safeguard 16.11 Leverage Vetted Modules or Services for Application Security Components] | Systems Design, Build, and Implementation | Preventive | |
| Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 | Technical Security | Preventive | |
| Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Technical Security | Preventive | |
| Audit all modifications to the application being developed. CC ID 01614 | Testing | Detective | |
| Establish, implement, and maintain session security coding standards. CC ID 04584 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a cryptographic architecture document. CC ID 12476 | Establish/Maintain Documentation | Preventive | |
| Include the algorithms used in the cryptographic architecture document. CC ID 12483 | Establish/Maintain Documentation | Preventive | |
| Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 | Establish/Maintain Documentation | Preventive | |
| Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 | Establish/Maintain Documentation | Preventive | |
| Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 | Establish/Maintain Documentation | Preventive | |
| Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 | Establish/Maintain Documentation | Preventive | |
| Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 | Establish/Maintain Documentation | Preventive | |
| Include the protocols used in the cryptographic architecture document. CC ID 12485 | Establish/Maintain Documentation | Preventive | |
| Analyze and minimize attack surfaces when developing systems. CC ID 06828 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | Systems Design, Build, and Implementation | Preventive | |
| Implement a hardware security module, as necessary. CC ID 12222 | Systems Design, Build, and Implementation | Preventive | |
| Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems Design, Build, and Implementation | Preventive | |
| Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems Design, Build, and Implementation | Preventive | |
| Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems Design, Build, and Implementation | Preventive | |
| Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems Design, Build, and Implementation | Preventive | |
| Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems Design, Build, and Implementation | Preventive | |
| Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems Design, Build, and Implementation | Preventive | |
| Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Establish/Maintain Documentation | Preventive | |
| Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems Design, Build, and Implementation | Preventive | |
| Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 | Establish/Maintain Documentation | Preventive | |
| Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Establish/Maintain Documentation | Preventive | |
| Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Establish/Maintain Documentation | Preventive | |
| Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Establish/Maintain Documentation | Preventive | |
| Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Establish/Maintain Documentation | Preventive | |
| Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems Design, Build, and Implementation | Preventive | |
| Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems Design, Build, and Implementation | Preventive | |
| Install secret information under dual control into the hardware security module. CC ID 12257 | Systems Design, Build, and Implementation | Preventive | |
| Design the security architecture. CC ID 06269 | Systems Design, Build, and Implementation | Preventive | |
| Review and update the security architecture, as necessary. CC ID 14277 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Establish/Maintain Documentation | Corrective | |
| Develop new products based on secure coding techniques. CC ID 11733 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems Design, Build, and Implementation | Preventive | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 [Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. CIS Control 16: Safeguard 16.11 Leverage Vetted Modules or Services for Application Security Components {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Establish/Maintain Documentation | Preventive | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Technical Security | Preventive | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Technical Security | Preventive | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 | Technical Security | Preventive | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Technical Security | Preventive | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems Design, Build, and Implementation | Preventive | |
| Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Technical Security | Preventive | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Technical Security | Preventive | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Technical Security | Preventive | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems Design, Build, and Implementation | Preventive | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Technical Security | Preventive | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Technical Security | Preventive | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Technical Security | Preventive | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Technical Security | Preventive | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems Design, Build, and Implementation | Preventive | |
| Control user account management through secure coding techniques in source code. CC ID 11909 | Technical Security | Preventive | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Technical Security | Preventive | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Technical Security | Preventive | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Process or Activity | Preventive | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Process or Activity | Preventive | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Process or Activity | Preventive | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Technical Security | Preventive | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Process or Activity | Preventive | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Technical Security | Preventive | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems Design, Build, and Implementation | Preventive | |
| Configure software development tools in accordance with organizational standards. CC ID 16387 | Configuration | Preventive | |
| Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems Design, Build, and Implementation | Corrective | |
| Standardize Application Programming Interfaces. CC ID 12167 | Technical Security | Preventive | |
| Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Establish/Maintain Documentation | Preventive | |
| Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security policy model document. CC ID 04560 | Establish/Maintain Documentation | Preventive | |
| Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Testing | Detective | |
| Establish, implement, and maintain system testing procedures. CC ID 11744 | Establish/Maintain Documentation | Preventive | |
| Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Testing | Detective | |
| Review and test source code. CC ID 01086 | Testing | Detective | |
| Assign the review of custom code changes to individuals other than the code author. CC ID 06291 | Establish Roles | Preventive | |
| Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Establish/Maintain Documentation | Preventive | |
| Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 | Testing | Corrective | |
| Approve all custom code test results before code is released. CC ID 06293 | Testing | Detective | |
| Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems Design, Build, and Implementation | Preventive | |
| Perform a final system test prior to implementing a new system. CC ID 01108 | Testing | Detective | |
| Establish, implement, and maintain system acceptance criteria. CC ID 06210 [{annual basis} Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. CIS Control 16: Safeguard 16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities] | Establish/Maintain Documentation | Preventive | |
Technical security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an access control program. CC ID 11702 [Centralize access control for all enterprise assets through a directory service or SSO provider, where supported. CIS Control 6: Safeguard 6.7 Centralize Access Control] | Establish/Maintain Documentation | Preventive | |
| Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 | Establish/Maintain Documentation | Preventive | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 | Establish/Maintain Documentation | Preventive | |
| Include guidance on selecting authentication credentials in the access control program. CC ID 11928 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain access control policies. CC ID 00512 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the access control policy. CC ID 14006 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the access control policy. CC ID 14005 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the access control policy. CC ID 14004 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the access control policy. CC ID 14003 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the access control policy. CC ID 14002 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the access control policy. CC ID 14001 | Establish/Maintain Documentation | Preventive | |
| Document the business need justification for user accounts. CC ID 15490 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical Security | Preventive | |
| Inventory all user accounts. CC ID 13732 [{quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Establish/Maintain Documentation | Preventive | |
| Identify information system users. CC ID 12081 [{user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Technical Security | Detective | |
| Review user accounts. CC ID 00525 [{quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Technical Security | Detective | |
| Match user accounts to authorized parties. CC ID 12126 [{user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Configuration | Detective | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical Security | Detective | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Data and Information Management | Preventive | |
| Review shared accounts. CC ID 11840 | Technical Security | Detective | |
| Control access rights to organizational assets. CC ID 00004 [Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. CIS Control 3: Safeguard 3.3 Configure Data Access Control Lists Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user. CIS Control 6: Safeguard 6.1 Establish an Access Granting Process] | Technical Security | Preventive | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 [Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. CIS Control 3: Safeguard 3.3 Configure Data Access Control Lists] | Configuration | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Establish/Maintain Documentation | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical Security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Configuration | Detective | |
| Define roles for information systems. CC ID 12454 | Human Resources Management | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Human Resources Management | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical Security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical Security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 [{annual basis} Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. CIS Control 6: Safeguard 6.8 Define and Maintain Role-Based Access Control Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Technical Security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical Security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical Security | Preventive | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [{data storage}{be lower than} Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. CIS Control 3: Safeguard 3.12 Segment Data Processing and Storage Based on Sensitivity] | Configuration | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 [Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts. CIS Control 4: Safeguard 4.10 Enforce Automatic Device Lockout on Portable End-User Devices] | Technical Security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
| Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Communicate | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical Security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Configuration | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Configuration | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical Security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 | Configuration | Preventive | |
| Include all system components in the access control system. CC ID 11939 | Technical Security | Preventive | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Process or Activity | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 [{remote connection} Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date. CIS Control 13: Safeguard 13.5 Manage Access Control for Remote Assets] | Technical Security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 [{annual basis} Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. CIS Control 6: Safeguard 6.8 Define and Maintain Role-Based Access Control] | Technical Security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Establish/Maintain Documentation | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 | Technical Security | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 | Data and Information Management | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical Security | Preventive | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Testing | Detective | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical Security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Establish/Maintain Documentation | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Establish/Maintain Documentation | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical Security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Configuration | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Establish/Maintain Documentation | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical Security | Preventive | |
| Control user privileges. CC ID 11665 | Technical Security | Preventive | |
| Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Establish/Maintain Documentation | Preventive | |
| Review all user privileges, as necessary. CC ID 06784 [{annual basis} Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. CIS Control 6: Safeguard 6.8 Define and Maintain Role-Based Access Control] | Technical Security | Preventive | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Behavior | Corrective | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Configuration | Preventive | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Behavior | Corrective | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical Security | Preventive | |
| Change authenticators after personnel status changes. CC ID 12284 | Human Resources Management | Preventive | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Establish/Maintain Documentation | Preventive | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical Security | Preventive | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical Security | Preventive | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Establish/Maintain Documentation | Preventive | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical Security | Preventive | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [{user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management {user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management] | Technical Security | Preventive | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Human Resources Management | Preventive | |
| Automate access control methods, as necessary. CC ID 11838 | Technical Security | Preventive | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical Security | Preventive | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical Security | Preventive | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical Security | Preventive | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Communicate | Detective | |
| Remove inactive user accounts, as necessary. CC ID 00517 [{stipulated timeframe} Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. CIS Control 5: Safeguard 5.3 Disable Dormant Accounts] | Technical Security | Corrective | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical Security | Corrective | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Establish/Maintain Documentation | Preventive | |
| Enforce the password policy. CC ID 16347 | Technical Security | Preventive | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Establish/Maintain Documentation | Preventive | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Configuration | Preventive | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical Security | Preventive | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management] | Technical Security | Preventive | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical Security | Preventive | |
| Maintain a log of the overrides of the biometric system. CC ID 17000 | Log Management | Preventive | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Establish/Maintain Documentation | Preventive | |
| Document the business need justification for authentication data storage. CC ID 06325 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain access control procedures. CC ID 11663 | Establish/Maintain Documentation | Preventive | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical Security | Corrective | |
| Grant access to authorized personnel or systems. CC ID 12186 | Configuration | Preventive | |
| Document approving and granting access in the access control log. CC ID 06786 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Communicate | Preventive | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Establish/Maintain Documentation | Preventive | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Establish/Maintain Documentation | Preventive | |
| Include the user's location in the system record. CC ID 16996 | Log Management | Preventive | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Data and Information Management | Preventive | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Communicate | Corrective | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the identification and authentication policy. CC ID 14234 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the identification and authentication policy. CC ID 14232 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the identification and authentication policy. CC ID 14229 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the identification and authentication policy. CC ID 14225 | Establish/Maintain Documentation | Preventive | |
| Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Communicate | Preventive | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 | Establish/Maintain Documentation | Preventive | |
| Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical Security | Preventive | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Communicate | Preventive | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical Security | Preventive | |
| Employ unique identifiers. CC ID 01273 [{minimum number of characters} Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA. CIS Control 5: Safeguard 5.2 Use Unique Passwords] | Testing | Detective | |
| Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 | Data and Information Management | Preventive | |
| Include instructions to refrain from using previously used authenticators in the access control program. CC ID 11930 | Establish/Maintain Documentation | Preventive | |
| Disallow the use of Personal Identification Numbers as user identifiers. CC ID 06785 | Technical Security | Preventive | |
| Define the activation requirements for identification cards or badges. CC ID 06583 | Process or Activity | Preventive | |
| Require multiple forms of personal identification prior to issuing user identifiers. CC ID 08712 | Human Resources Management | Preventive | |
| Authenticate user identities before unlocking an account. CC ID 11837 | Testing | Detective | |
| Authenticate user identities before manually resetting an authenticator. CC ID 04567 | Testing | Detective | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical Security | Preventive | |
| Assign authenticators to user accounts. CC ID 06855 | Configuration | Preventive | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management {user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management] | Configuration | Preventive | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical Security | Preventive | |
| Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Communicate | Preventive | |
| Establish and maintain a memorized secret list. CC ID 13791 | Establish/Maintain Documentation | Preventive | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Configuration | Preventive | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical Security | Preventive | |
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Establish Roles | Preventive | |
| Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Process or Activity | Preventive | |
| Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical Security | Preventive | |
| Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical Security | Preventive | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical Security | Preventive | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Testing | Detective | |
| Disallow self-enrollment of biometric information. CC ID 11834 | Process or Activity | Preventive | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Configuration | Corrective | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Communicate | Preventive | |
| Identify and control all network access controls. CC ID 00529 [Centralize network AAA. CIS Control 12: Safeguard 12.5 Centralize Network Authentication, Authorization, and Auditing (AAA) Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication. CIS Control 13: Safeguard 13.9 Deploy Port-Level Access Control] | Technical Security | Preventive | |
| Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 | Technical Security | Detective | |
| Establish, implement, and maintain a network configuration standard. CC ID 00530 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Establish/Maintain Documentation | Preventive | |
| Enforce the network segmentation requirements. CC ID 16381 | Process or Activity | Preventive | |
| Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical Security | Preventive | |
| Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical Security | Preventive | |
| Establish, implement, and maintain a network security policy. CC ID 06440 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the network security policy. CC ID 14205 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the network security policy. CC ID 14204 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the network security policy. CC ID 14203 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the network security policy. CC ID 14202 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the network security policy. CC ID 14201 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the network security policy. CC ID 14200 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Communicate | Preventive | |
| Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Communicate | Preventive | |
| Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Establish/Maintain Documentation | Preventive | |
| Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Establish/Maintain Documentation | Preventive | |
| Maintain up-to-date network diagrams. CC ID 00531 [{annual basis}{network architecture diagram} Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 12: Safeguard 12.4 Establish and Maintain Architecture Diagram(s) {annual basis}{network architecture diagram} Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 12: Safeguard 12.4 Establish and Maintain Architecture Diagram(s) Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Establish/Maintain Documentation | Preventive | |
| Include the date of the most recent update on the network diagram. CC ID 14319 | Establish/Maintain Documentation | Preventive | |
| Include virtual systems in the network diagram. CC ID 16324 | Data and Information Management | Preventive | |
| Include the organization's name in the network diagram. CC ID 14318 | Establish/Maintain Documentation | Preventive | |
| Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 [{weekly basis} Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. CIS Control 1: Safeguard 1.5 Use a Passive Asset Discovery Tool] | Process or Activity | Detective | |
| Include Internet Protocol addresses in the network diagram. CC ID 16244 | Establish/Maintain Documentation | Preventive | |
| Include Domain Name System names in the network diagram. CC ID 16240 | Establish/Maintain Documentation | Preventive | |
| Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Communicate | Preventive | |
| Maintain up-to-date data flow diagrams. CC ID 10059 [{annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows {annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows] | Establish/Maintain Documentation | Preventive | |
| Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Process or Activity | Detective | |
| Establish, implement, and maintain a sensitive information inventory. CC ID 13736 [{annual basis} Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. CIS Control 3: Safeguard 3.2 Establish and Maintain a Data Inventory] | Establish/Maintain Documentation | Detective | |
| Include information flows to third parties in the data flow diagram. CC ID 13185 [{annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows] | Establish/Maintain Documentation | Preventive | |
| Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Communicate | Preventive | |
| Manage all internal network connections. CC ID 06329 | Technical Security | Preventive | |
| Employ Dynamic Host Configuration Protocol server logging when assigning dynamic IP addresses using the Dynamic Host Configuration Protocol. CC ID 12109 [{weekly basis} Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. CIS Control 1: Safeguard 1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory] | Technical Security | Preventive | |
| Establish, implement, and maintain separate virtual private networks to transport sensitive information. CC ID 12124 | Technical Security | Preventive | |
| Establish, implement, and maintain separate virtual local area networks for untrusted devices. CC ID 12095 | Technical Security | Preventive | |
| Plan for and approve all network changes. CC ID 00534 | Technical Security | Preventive | |
| Manage all external network connections. CC ID 11842 | Technical Security | Preventive | |
| Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 | Technical Security | Preventive | |
| Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 | Technical Security | Preventive | |
| Prohibit systems from connecting directly to external networks. CC ID 08709 | Configuration | Preventive | |
| Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical Security | Preventive | |
| Secure the Domain Name System. CC ID 00540 | Configuration | Preventive | |
| Implement a fault-tolerant architecture. CC ID 01626 | Technical Security | Preventive | |
| Implement segregation of duties. CC ID 11843 | Technical Security | Preventive | |
| Configure the network to limit zone transfers to trusted servers. CC ID 01876 | Configuration | Preventive | |
| Register all Domain Names associated with the organization to the organization and not an individual. CC ID 07210 | Testing | Detective | |
| Establish, implement, and maintain a Boundary Defense program. CC ID 00544 [Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base. CIS Control 13: Network Monitoring and Defense Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points. CIS Control 12: Network Infrastructure Management] | Establish/Maintain Documentation | Preventive | |
| Refrain from disclosing Internet Protocol addresses, routing information, and DNS names, unless necessary. CC ID 11891 | Technical Security | Preventive | |
| Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 | Communicate | Preventive | |
| Segregate systems in accordance with organizational standards. CC ID 12546 [Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. CIS Control 12: Safeguard 12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Technical Security | Preventive | |
| Implement gateways between security domains. CC ID 16493 | Systems Design, Build, and Implementation | Preventive | |
| Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical Security | Preventive | |
| Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 [{be equivalent} Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. CIS Control 11: Safeguard 11.3 Protect Recovery Data] | Technical Security | Preventive | |
| Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical Security | Preventive | |
| Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical Security | Preventive | |
| Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical Security | Preventive | |
| Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Data and Information Management | Preventive | |
| Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical Security | Preventive | |
| Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical Security | Preventive | |
| Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [{data storage}{be lower than} Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. CIS Control 3: Safeguard 3.12 Segment Data Processing and Storage Based on Sensitivity] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a network access control standard. CC ID 00546 | Establish/Maintain Documentation | Preventive | |
| Include assigned roles and responsibilities in the network access control standard. CC ID 06410 | Establish Roles | Preventive | |
| Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical Security | Preventive | |
| Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 [Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. CIS Control 4: Safeguard 4.4 Implement and Manage a Firewall on Servers] | Technical Security | Preventive | |
| Place firewalls between security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Configuration | Preventive | |
| Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 | Configuration | Preventive | |
| Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Configuration | Preventive | |
| Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical Security | Preventive | |
| Include configuration management and rulesets in the network access control standard. CC ID 11845 | Establish/Maintain Documentation | Preventive | |
| Secure the network access control standard against unauthorized changes. CC ID 11920 | Establish/Maintain Documentation | Preventive | |
| Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 | Technical Security | Preventive | |
| Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Configuration | Preventive | |
| Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 | Process or Activity | Detective | |
| Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 | Establish/Maintain Documentation | Preventive | |
| Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 | Technical Security | Corrective | |
| Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 | Establish/Maintain Documentation | Preventive | |
| Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 | Establish/Maintain Documentation | Preventive | |
| Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 | Establish/Maintain Documentation | Preventive | |
| Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 | Establish/Maintain Documentation | Preventive | |
| Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 | Establish/Maintain Documentation | Preventive | |
| Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 | Configuration | Preventive | |
| Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 [{secure network management protocol}{secure network communication protocol} Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater). CIS Control 12: Safeguard 12.6 Use Secure Network Management and Communication Protocols] | Establish/Maintain Documentation | Preventive | |
| Configure network ports to organizational standards. CC ID 14007 | Configuration | Preventive | |
| Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Establish/Maintain Documentation | Preventive | |
| Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Establish/Maintain Documentation | Preventive | |
| Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 | Establish/Maintain Documentation | Preventive | |
| Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Establish/Maintain Documentation | Preventive | |
| Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 | Communicate | Preventive | |
| Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 | Configuration | Preventive | |
| Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 | Technical Security | Preventive | |
| Configure network access and control points to protect restricted information and restricted functions. CC ID 01284 | Configuration | Preventive | |
| Protect data stored at external locations. CC ID 16333 | Data and Information Management | Preventive | |
| Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Configuration | Detective | |
| Protect the firewall's network connection interfaces. CC ID 01955 | Technical Security | Preventive | |
| Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 [Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. CIS Control 4: Safeguard 4.5 Implement and Manage a Firewall on End-User Devices] | Configuration | Preventive | |
| Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Configuration | Preventive | |
| Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Configuration | Preventive | |
| Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Configuration | Preventive | |
| Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Configuration | Preventive | |
| Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Configuration | Preventive | |
| Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Configuration | Preventive | |
| Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Configuration | Preventive | |
| Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Configuration | Preventive | |
| Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Configuration | Preventive | |
| Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Configuration | Preventive | |
| Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Configuration | Preventive | |
| Establish, implement, and maintain internet protocol address filters on the firewall, as necessary CC ID 01287 | Configuration | Preventive | |
| Configure firewalls to perform dynamic packet filtering. CC ID 01288 | Testing | Detective | |
| Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical Security | Preventive | |
| Filter packets based on IPv6 header fields. CC ID 17048 | Technical Security | Preventive | |
| Configure firewall filtering to only permit established connections into the network. CC ID 12482 [Use DNS filtering services on all end-user devices, including remote and on-premises assets, to block access to known malicious domains. CIS Control 9: Safeguard 9.2 Use DNS Filtering Services] | Technical Security | Preventive | |
| Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Data and Information Management | Preventive | |
| Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical Security | Preventive | |
| Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Data and Information Management | Preventive | |
| Synchronize and secure all router configuration files. CC ID 01291 | Configuration | Preventive | |
| Synchronize and secure all firewall configuration files. CC ID 11851 | Configuration | Preventive | |
| Configure firewalls to generate an audit log. CC ID 12038 | Audits and Risk Management | Preventive | |
| Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Configuration | Preventive | |
| Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Establish/Maintain Documentation | Preventive | |
| Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Establish/Maintain Documentation | Preventive | |
| Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Establish/Maintain Documentation | Preventive | |
| Configure network access and control points to organizational standards. CC ID 12442 | Configuration | Detective | |
| Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 | Configuration | Preventive | |
| Update application layer firewalls to the most current version. CC ID 12037 | Process or Activity | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards. CC ID 11853 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard. CC ID 11854 | Establish/Maintain Documentation | Preventive | |
| Configure third party Wireless Local Area Network services in accordance with organizational Information Assurance standards. CC ID 00751 | Configuration | Preventive | |
| Remove all unauthorized Wireless Local Area Networks. CC ID 06309 | Configuration | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol design specification. CC ID 01449 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Wireless Local Area Network Configuration Management program. CC ID 01646 | Establish/Maintain Documentation | Preventive | |
| Distrust relying solely on Wired Equivalent Privacy encryption for Wireless Local Area Networks. CC ID 01647 | Technical Security | Preventive | |
| Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access. CC ID 01648 | Configuration | Preventive | |
| Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points. CC ID 00605 | Technical Security | Preventive | |
| Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks. CC ID 04830 | Configuration | Preventive | |
| Remove all unauthorized wireless access points. CC ID 11856 | Configuration | Preventive | |
| Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Establish/Maintain Documentation | Preventive | |
| Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 [Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. CIS Control 12: Safeguard 12.7 Ensue Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure] | Testing | Preventive | |
| Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 | Establish/Maintain Documentation | Preventive | |
| Perform content filtering scans on network traffic. CC ID 06761 [Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway. CIS Control 13: Safeguard 13.10 Perform Application Layer Filtering Perform traffic filtering between network segments, where appropriate. CIS Control 13: Safeguard 13.4 Perform Traffic Filtering Between Network Segments] | Monitor and Evaluate Occurrences | Detective | |
| Develop and implement a content filtering word and phrase library. CC ID 07071 | Establish/Maintain Documentation | Preventive | |
| Use content filtering scans to identify information flows by data type specification. CC ID 06762 | Technical Security | Preventive | |
| Use content filtering scans to identify information flows by data type usage. CC ID 11818 | Technical Security | Preventive | |
| Take appropriate action to address information flow anomalies. CC ID 12164 | Investigate | Corrective | |
| Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 | Investigate | Detective | |
| Prevent encrypted data from bypassing content filtering mechanisms. CC ID 06758 | Technical Security | Preventive | |
| Perform content filtering scans on incoming and outgoing e-mail. CC ID 06733 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists. CC ID 12128 [Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory. CIS Control 3: Safeguard 3.13 Deploy a Data Loss Prevention Solution] | Technical Security | Preventive | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical Security | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 | Establish/Maintain Documentation | Preventive | |
| Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 [{spoofed e-mail message} To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. CIS Control 9: Safeguard 9.5 Implement DMARC] | Configuration | Preventive | |
| Block uncategorized sites using URL filtering. CC ID 12140 [{blacklist website} Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. CIS Control 9: Safeguard 9.3 Maintain and Enforce Network-Based URL Filters] | Technical Security | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 [{biannual basis} Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.5 Allowlist Authorized Software {biannual basis} Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.5 Allowlist Authorized Software {unauthorized software library} {biannual basis} Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.6 Allowlist Authorized Libraries {unauthorized software library} {biannual basis} Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.6 Allowlist Authorized Libraries] | Establish/Maintain Documentation | Preventive | |
| Secure access to each system component operating system. CC ID 00551 | Configuration | Preventive | |
| Separate user functionality from system management functionality. CC ID 11858 [Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account. CIS Control 5: Safeguard 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts] | Technical Security | Preventive | |
| Control all methods of remote access and teleworking. CC ID 00559 [{remote connection} Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date. CIS Control 13: Safeguard 13.5 Manage Access Control for Remote Assets] | Technical Security | Preventive | |
| Assign virtual escorting to authorized personnel. CC ID 16440 | Process or Activity | Preventive | |
| Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Establish/Maintain Documentation | Preventive | |
| Include information security requirements in the remote access and teleworking program. CC ID 15704 | Establish/Maintain Documentation | Preventive | |
| Refrain from allowing remote users to copy files to remote devices. CC ID 06792 | Technical Security | Preventive | |
| Control remote administration in accordance with organizational standards. CC ID 04459 | Configuration | Preventive | |
| Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 | Testing | Detective | |
| Control remote access through a network access control. CC ID 01421 | Technical Security | Preventive | |
| Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 | Configuration | Preventive | |
| Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 | Technical Security | Preventive | |
| Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [Require MFA for remote network access. CIS Control 6: Safeguard 6.4 Require MFA for Remote Network Access] | Technical Security | Preventive | |
| Implement multifactor authentication techniques. CC ID 00561 [{externally-exposed enterprise application} Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. CIS Control 6: Safeguard 6.3 Require MFA for Externally-Exposed Applications] | Configuration | Preventive | |
| Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical Security | Preventive | |
| Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical Security | Preventive | |
| Document and approve requests to bypass multifactor authentication. CC ID 15464 | Establish/Maintain Documentation | Preventive | |
| Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical Security | Preventive | |
| Protect remote access accounts with encryption. CC ID 00562 | Configuration | Preventive | |
| Monitor and evaluate all remote access usage. CC ID 00563 | Monitor and Evaluate Occurrences | Detective | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 [Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. CIS Control 16: Safeguard 16.11 Leverage Vetted Modules or Services for Application Security Components] | Technical Security | Preventive | |
| Comply with the encryption laws of the local country. CC ID 16377 | Business Processes | Preventive | |
| Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Establish/Maintain Documentation | Preventive | |
| Define the cryptographic boundaries. CC ID 06543 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Establish/Maintain Documentation | Preventive | |
| Implement the documented cryptographic module security functions. CC ID 06755 | Data and Information Management | Preventive | |
| Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Establish/Maintain Documentation | Preventive | |
| Document the operation of the cryptographic module. CC ID 06546 | Establish/Maintain Documentation | Preventive | |
| Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical Security | Preventive | |
| Establish, implement, and maintain digital signatures. CC ID 13828 | Data and Information Management | Preventive | |
| Include the expiration date in digital signatures. CC ID 13833 | Data and Information Management | Preventive | |
| Include audience restrictions in digital signatures. CC ID 13834 | Data and Information Management | Preventive | |
| Include the subject in digital signatures. CC ID 13832 | Data and Information Management | Preventive | |
| Include the issuer in digital signatures. CC ID 13831 | Data and Information Management | Preventive | |
| Include identifiers in the digital signature. CC ID 13829 | Data and Information Management | Preventive | |
| Generate and protect a secret random number for each digital signature. CC ID 06577 | Establish/Maintain Documentation | Preventive | |
| Establish the security strength requirements for the digital signature process. CC ID 06578 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Establish/Maintain Documentation | Preventive | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Configuration | Preventive | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 [Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. CIS Control 3: Safeguard 3.6 Encrypt Data on End-User Devices Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. CIS Control 3: Safeguard 3.11 Encrypt Sensitive Data at Rest] | Data and Information Management | Preventive | |
| Digitally sign records and data, as necessary. CC ID 16507 | Data and Information Management | Preventive | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical Security | Preventive | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Data and Information Management | Preventive | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Data and Information Management | Preventive | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical Security | Preventive | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Data and Information Management | Preventive | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Process or Activity | Preventive | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Process or Activity | Preventive | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Communicate | Preventive | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Process or Activity | Preventive | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Data and Information Management | Preventive | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Communicate | Preventive | |
| Establish, implement, and maintain encryption management procedures. CC ID 15475 | Establish/Maintain Documentation | Preventive | |
| Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Establish Roles | Preventive | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Communicate | Preventive | |
| Bind keys to each identity. CC ID 12337 | Technical Security | Preventive | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Establish/Maintain Documentation | Preventive | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Establish/Maintain Documentation | Preventive | |
| Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Establish/Maintain Documentation | Preventive | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Data and Information Management | Preventive | |
| Generate strong cryptographic keys. CC ID 01299 | Data and Information Management | Preventive | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical Security | Preventive | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Data and Information Management | Preventive | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical Security | Preventive | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 | Data and Information Management | Preventive | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Data and Information Management | Preventive | |
| Store cryptographic keys securely. CC ID 01298 | Data and Information Management | Preventive | |
| Restrict access to cryptographic keys. CC ID 01297 | Data and Information Management | Preventive | |
| Store cryptographic keys in encrypted format. CC ID 06084 | Data and Information Management | Preventive | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical Security | Preventive | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Establish/Maintain Documentation | Preventive | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Communicate | Preventive | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Data and Information Management | Preventive | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Data and Information Management | Preventive | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Data and Information Management | Preventive | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical Security | Preventive | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Data and Information Management | Corrective | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Data and Information Management | Corrective | |
| Archive outdated cryptographic keys. CC ID 06884 | Data and Information Management | Preventive | |
| Archive revoked cryptographic keys. CC ID 11819 | Data and Information Management | Preventive | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Establish/Maintain Documentation | Preventive | |
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Human Resources Management | Preventive | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Testing | Detective | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Data and Information Management | Preventive | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Establish/Maintain Documentation | Preventive | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Establish Roles | Preventive | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Establish/Maintain Documentation | Preventive | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Establish/Maintain Documentation | Preventive | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Establish/Maintain Documentation | Preventive | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Establish/Maintain Documentation | Preventive | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Establish/Maintain Documentation | Preventive | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical Security | Preventive | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical Security | Preventive | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Establish/Maintain Documentation | Preventive | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Establish/Maintain Documentation | Preventive | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Establish/Maintain Documentation | Preventive | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Establish/Maintain Documentation | Preventive | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical Security | Preventive | |
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Records Management | Preventive | |
| Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical Security | Preventive | |
| Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical Security | Preventive | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). CIS Control 3: Safeguard 3.10 Encrypt Sensitive Data in Transit] | Technical Security | Preventive | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Configuration | Preventive | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical Security | Preventive | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical Security | Preventive | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Establish/Maintain Documentation | Preventive | |
| Implement non-repudiation for transactions. CC ID 00567 | Testing | Detective | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical Security | Preventive | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical Security | Preventive | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{malicious code}{malicious script} Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. CIS Control 10: Malware Defenses Centrally manage anti-malware software. CIS Control 10: Safeguard 10.6 Centrally Manage Anti-Malware Software] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Communicate | Preventive | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Communicate | Preventive | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Establish/Maintain Documentation | Preventive | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Behavior | Preventive | |
| Install security and protection software, as necessary. CC ID 00575 [Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and GatekeeperTM. CIS Control 10: Safeguard 10.5 Enable Anti-Exploitation Features Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing. CIS Control 9: Safeguard 9.7 Deploy and Maintain Email Server Anti-Malware Protections Deploy and maintain anti-malware software on all enterprise assets. CIS Control 10: Safeguard 10.1 Deploy and Maintain Anti-Malware Software Use behavior-based anti-malware software. CIS Control 10: Safeguard 10.7 Use Behavior-Based Anti-Malware Software] | Configuration | Preventive | |
| Install and maintain container security solutions. CC ID 16178 | Technical Security | Preventive | |
| Scan for malicious code, as necessary. CC ID 11941 | Investigate | Detective | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 [Configure anti-malware software to automatically scan removable media. CIS Control 10: Safeguard 10.4 Configure Automatic Anti-Malware Scanning of Removable Media] | Testing | Detective | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Testing | Detective | |
| Remove malware when malicious code is discovered. CC ID 13691 | Process or Activity | Corrective | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Communicate | Corrective | |
| Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical Security | Preventive | |
| Protect the system against replay attacks. CC ID 04552 | Technical Security | Preventive | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Establish Roles | Preventive | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Establish/Maintain Documentation | Corrective | |
| Log and react to all malicious code activity. CC ID 07072 | Monitor and Evaluate Occurrences | Detective | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical Security | Detective | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical Security | Corrective | |
| Lock antivirus configurations. CC ID 10047 | Configuration | Preventive | |
| Establish, implement, and maintain an application security policy. CC ID 06438 | Establish/Maintain Documentation | Preventive | |
| Conduct application security reviews, as necessary. CC ID 06298 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Testing | Detective | |
| Include all vulnerabilities in the application security review. CC ID 12036 | Process or Activity | Preventive | |
| Assign application security reviews for web-facing applications to an organization that specializes in application security. CC ID 12035 | Establish Roles | Preventive | |
| Correct all found deficiencies according to organizational standards after a web application policy compliance review. CC ID 06299 | Technical Security | Corrective | |
| Re-evaluate the web application after deficiencies have been corrected. CC ID 06300 | Technical Security | Corrective | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{annual basis} Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. CIS Control 15: Safeguard 15.4 Ensure Service Provider Contracts Include Security Requirements] | Establish/Maintain Documentation | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
| Terminate supplier relationships, as necessary. CC ID 13489 [{secure manner} Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems. CIS Control 15: Safeguard 15.7 Securely Decommission Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Business Processes | Corrective | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Establish/Maintain Documentation | Preventive | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Testing | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [{process}{accept}{address}{reports}{software vulnerability} Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 2 Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers] | Testing | Detective | |
| Document the organization's supply chain in the supply chain management program. CC ID 09958 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a Third Party Service Provider list. CC ID 12480 [{annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.3 Classify Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Establish/Maintain Documentation | Preventive | |
| Include required information in the Third Party Service Provider list. CC ID 14429 | Establish/Maintain Documentation | Preventive | |
| Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Establish/Maintain Documentation | Preventive | |
| Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Communicate | Preventive | |
| Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 [{annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers] | Establish/Maintain Documentation | Preventive | |
| Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Establish/Maintain Documentation | Preventive | |
| Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Establish/Maintain Documentation | Preventive | |
| Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Establish/Maintain Documentation | Preventive | |
| Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Establish/Maintain Documentation | Preventive | |
| Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Establish/Maintain Documentation | Preventive | |
| Categorize all suppliers in the supply chain management program. CC ID 00792 [{annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.3 Classify Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Establish/Maintain Documentation | Preventive | |
| Include risk management procedures in the supply chain management policy. CC ID 08811 | Establish/Maintain Documentation | Preventive | |
| Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Audits and Risk Management | Detective | |
| Establish, implement, and maintain a supply chain management policy. CC ID 08808 [{annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Establish/Maintain Documentation | Preventive | |
| Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Business Processes | Preventive | |
| Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Human Resources Management | Preventive | |
| Include supplier assessment principles in the supply chain management policy. CC ID 08809 [{annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Establish/Maintain Documentation | Preventive | |
| Include the third party selection process in the supply chain management policy. CC ID 13132 | Establish/Maintain Documentation | Preventive | |
| Select suppliers based on their qualifications. CC ID 00795 | Establish/Maintain Documentation | Preventive | |
| Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Establish/Maintain Documentation | Preventive | |
| Include a clear management process in the supply chain management policy. CC ID 08810 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Establish/Maintain Documentation | Preventive | |
| Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Communicate | Preventive | |
| Require suppliers to commit to the supply chain management policy. CC ID 08813 | Establish/Maintain Documentation | Preventive | |
| Support third parties in building their capabilities. CC ID 08814 | Business Processes | Preventive | |
| Implement measurable improvement plans with all third parties. CC ID 08815 | Business Processes | Preventive | |
| Post a list of compliant third parties on the organization's website. CC ID 08817 | Business Processes | Preventive | |
| Use third parties that are compliant with the applicable requirements. CC ID 08818 | Business Processes | Preventive | |
| Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Establish/Maintain Documentation | Preventive | |
| Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Establish/Maintain Documentation | Preventive | |
| Include all in scope materials in the conflict minerals policy. CC ID 08945 | Establish/Maintain Documentation | Preventive | |
| Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Establish/Maintain Documentation | Preventive | |
| Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Establish/Maintain Documentation | Preventive | |
| Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Data and Information Management | Preventive | |
| Establish and maintain a conflict materials report. CC ID 08823 | Establish/Maintain Documentation | Preventive | |
| Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Establish/Maintain Documentation | Preventive | |
| Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Establish/Maintain Documentation | Preventive | |
| Identify supply sources for secondary materials. CC ID 08822 | Business Processes | Preventive | |
| Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Business Processes | Preventive | |
| Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers {annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Business Processes | Preventive | |
| Provide management support for third party due diligence. CC ID 08847 | Business Processes | Preventive | |
| Commit to the supply chain due diligence process. CC ID 08849 | Business Processes | Preventive | |
| Structure the organization to support supply chain due diligence. CC ID 08850 | Business Processes | Preventive | |
| Schedule supply chain audits, as necessary. CC ID 10015 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851 | Business Processes | Preventive | |
| Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 | Business Processes | Preventive | |
| Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 | Establish/Maintain Documentation | Preventive | |
| Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 | Business Processes | Preventive | |
| Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 | Business Processes | Preventive | |
| Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 | Business Processes | Preventive | |
| Develop and implement supply chain due diligence capability training program. CC ID 08862 | Business Processes | Preventive | |
| Determine if additional supply chain due diligence processes are required. CC ID 08863 | Business Processes | Preventive | |
| Review transaction files for compliance with the supply chain audit standard. CC ID 08864 | Establish/Maintain Documentation | Preventive | |
| Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 | Establish/Maintain Documentation | Preventive | |
| Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870 | Business Processes | Preventive | |
| Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 | Business Processes | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Business Processes | Preventive | |
| Identify all service providers in the supply chain. CC ID 12213 | Business Processes | Preventive | |
| Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Business Processes | Detective | |
| Assess third parties' relevant experience during due diligence. CC ID 12070 | Business Processes | Detective | |
| Assess third parties' legal risks to the organization during due diligence. CC ID 12078 | Business Processes | Detective | |
| Assess third parties' business continuity capabilities during due diligence. CC ID 12077 | Business Processes | Detective | |
| Review third parties' backup policies. CC ID 13043 | Systems Continuity | Detective | |
| Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 | Business Processes | Detective | |
| Assess third parties' abilities to provide services during due diligence. CC ID 12074 | Business Processes | Detective | |
| Assess third parties' financial stability during due diligence. CC ID 12066 | Business Processes | Detective | |
| Assess third parties' use of subcontractors during due diligence. CC ID 12073 | Business Processes | Detective | |
| Assess third parties' insurance coverage during due diligence. CC ID 12072 | Business Processes | Detective | |
| Assess the third parties' reputation during due diligence. CC ID 12068 | Business Processes | Detective | |
| Assess any litigation case files against third parties during due diligence. CC ID 12071 | Business Processes | Detective | |
| Assess complaints against third parties during due diligence. CC ID 12069 | Business Processes | Detective | |
| Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Business Processes | Preventive | |
| Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 | Business Processes | Preventive | |
| Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 | Business Processes | Preventive | |
| Determine if suppliers can meet the organization's production requirements. CC ID 11559 | Business Processes | Preventive | |
| Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 | Business Processes | Preventive | |
| Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 | Business Processes | Preventive | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{annual basis} Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. CIS Control 15: Safeguard 15.4 Ensure Service Provider Contracts Include Security Requirements] | Testing | Detective | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 | Establish/Maintain Documentation | Preventive | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
| Document that supply chain members investigate security events. CC ID 13348 | Investigate | Detective | |
| Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Process or Activity | Detective | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Establish/Maintain Documentation | Detective | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Communicate | Preventive | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Establish/Maintain Documentation | Preventive | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Establish/Maintain Documentation | Detective | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Establish/Maintain Documentation | Detective | |
| Request attestation of compliance from third parties. CC ID 12067 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Establish/Maintain Documentation | Detective | |
| Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 | Business Processes | Detective | |
| Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Business Processes | Preventive | |
| Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 [Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately. CIS Control 15: Service Provider Management] | Business Processes | Detective | |
| Document the third parties compliance with the organization's system hardening framework. CC ID 04263 | Technical Security | Detective | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 | Business Processes | Preventive | |
| Determine third party compliance with third party contracts. CC ID 08866 | Business Processes | Preventive | |
| Quarantine non-compliant material. CC ID 08867 | Business Processes | Preventive | |
| Refrain from quarantining conflict-free materials. CC ID 08868 | Business Processes | Preventive | |
| Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 | Business Processes | Preventive | |
| Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856 | Business Processes | Preventive | |
| Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Business Processes | Detective | |
| Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling] | Monitor and Evaluate Occurrences | Detective | |
| Monitor third parties' financial conditions. CC ID 13170 | Monitor and Evaluate Occurrences | Detective | |
| Review the supply chain's service delivery on a regular basis. CC ID 12010 | Business Processes | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Acquisition/Sale of Assets or Services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Preventive | |
| Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Preventive | |
| Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Preventive | |
| Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Preventive | |
| Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Operational management | Preventive | |
| Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive | |
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Preventive | |
| Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Detective | |
| Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Detective | |
| Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Detective | |
| Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Detective | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Detective | |
| Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Detective | |
| Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Detective | |
| Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Detective | |
| Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Monitoring and measurement | Preventive | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
| Mitigate reported incidents. CC ID 12973 | Operational management | Preventive | |
| Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 | Operational management | Preventive | |
| Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Preventive | |
| Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Preventive | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 | Monitoring and measurement | Preventive | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 [Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. CIS Control 13: Safeguard 13.1 Centralize Security Event Alerting Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. CIS Control 13: Safeguard 13.1 Centralize Security Event Alerting Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example implementations include leveraging a SIEM tool to centralize multiple log sources. CIS Control 8: Safeguard 8.9 Centralize Audit Logs] | Monitoring and measurement | Preventive | |
| Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Detective | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Preventive | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [{monthly basis} Establish and manage an updated inventory of third-party components used in development, often referred to as a "bill of materials," as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. CIS Control 16: Safeguard 16.4 Establish and Manage an Inventory of Third-Party Software Components] | Audits and risk management | Preventive | |
| Configure firewalls to generate an audit log. CC ID 12038 | Technical security | Preventive | |
| Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Third Party and supply chain oversight | Detective | |
| Schedule supply chain audits, as necessary. CC ID 10015 | Third Party and supply chain oversight | Preventive | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a penetration test program. CC ID 01105 [Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. CIS Control 18: Safeguard 18.4 Validate Security Measures Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Monitoring and measurement | Preventive | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Corrective | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Technical security | Corrective | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Corrective | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Technical security | Preventive | |
| Train all new hires, as necessary. CC ID 06673 [{annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program] | Human Resources management | Preventive | |
| Delegate authority for specific processes, as necessary. CC ID 06780 | Human Resources management | Preventive | |
| Implement personnel supervisory practices. CC ID 00773 | Human Resources management | Preventive | |
| Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779 | Human Resources management | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Preventive | |
| Retrain all personnel, as necessary. CC ID 01362 [{annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program {annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding] | Human Resources management | Preventive | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 [{annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding] | Human Resources management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Train workforce members to be able to recognize a potential incident and be able to report such an incident. CIS Control 14: Safeguard 14.6 Train Workforce Members on Recognizing and Reporting Security Incidents Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating. CIS Control 14: Safeguard 14.2 Train Workforce Members to Recognize Social Engineering Attacks] | Human Resources management | Preventive | |
| Conduct secure coding and development training for developers. CC ID 06822 [{annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Human Resources management | Corrective | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
| Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Operational management | Preventive | |
| Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Preventive | |
| Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Preventive | |
| Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Preventive | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
| Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
| Incorporate simulated events into the incident response training program. CC ID 06751 | Operational management | Preventive | |
| Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 | Operational management | Preventive | |
| Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 | Operational management | Preventive | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Leadership and high level objectives | Preventive | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 | Leadership and high level objectives | Preventive | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Preventive | |
| Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Preventive | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Monitoring and measurement | Preventive | |
| Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Preventive | |
| Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Preventive | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Preventive | |
| Place Information Technology operations in a position to support the business model. CC ID 00766 | Human Resources management | Preventive | |
| Review organizational personnel successes. CC ID 00767 | Human Resources management | Preventive | |
| Evaluate the staffing requirements regularly. CC ID 00775 | Human Resources management | Detective | |
| Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Preventive | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 [{annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding] | Operational management | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 [{unauthorized asset} Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. CIS Control 1: Inventory and Control of Enterprise Assets Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software] | Operational management | Preventive | |
| Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Preventive | |
| Define the requirements for where assets can be located. CC ID 17051 | Operational management | Preventive | |
| Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Preventive | |
| Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Preventive | |
| Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Preventive | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 [{annual basis}{authentication system} Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. CIS Control 6: Safeguard 6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {weekly basis} Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. CIS Control 1: Safeguard 1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory] | Operational management | Preventive | |
| Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Preventive | |
| Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Preventive | |
| Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Preventive | |
| Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Preventive | |
| Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Preventive | |
| Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Preventive | |
| Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [{annual basis} Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat, or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.6 Define Mechanisms for Communicating During Incident Response] | Operational management | Preventive | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Detective | |
| Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Preventive | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Corrective | |
| Analyze and respond to security alerts. CC ID 12504 | Operational management | Detective | |
| Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 | Operational management | Preventive | |
| Collect evidence from the incident scene. CC ID 02236 | Operational management | Corrective | |
| Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 | System hardening through configuration management | Preventive | |
| Approve the configuration management plan. CC ID 14717 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Preventive | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Preventive | |
| Terminate supplier relationships, as necessary. CC ID 13489 [{secure manner} Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems. CIS Control 15: Safeguard 15.7 Securely Decommission Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Third Party and supply chain oversight | Corrective | |
| Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Third Party and supply chain oversight | Preventive | |
| Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Preventive | |
| Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Preventive | |
| Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Preventive | |
| Use third parties that are compliant with the applicable requirements. CC ID 08818 | Third Party and supply chain oversight | Preventive | |
| Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Preventive | |
| Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers {annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Third Party and supply chain oversight | Preventive | |
| Provide management support for third party due diligence. CC ID 08847 | Third Party and supply chain oversight | Preventive | |
| Commit to the supply chain due diligence process. CC ID 08849 | Third Party and supply chain oversight | Preventive | |
| Structure the organization to support supply chain due diligence. CC ID 08850 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 | Third Party and supply chain oversight | Preventive | |
| Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 | Third Party and supply chain oversight | Preventive | |
| Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 | Third Party and supply chain oversight | Preventive | |
| Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 | Third Party and supply chain oversight | Preventive | |
| Develop and implement supply chain due diligence capability training program. CC ID 08862 | Third Party and supply chain oversight | Preventive | |
| Determine if additional supply chain due diligence processes are required. CC ID 08863 | Third Party and supply chain oversight | Preventive | |
| Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870 | Third Party and supply chain oversight | Preventive | |
| Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 | Third Party and supply chain oversight | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Third Party and supply chain oversight | Preventive | |
| Identify all service providers in the supply chain. CC ID 12213 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Third Party and supply chain oversight | Detective | |
| Assess third parties' relevant experience during due diligence. CC ID 12070 | Third Party and supply chain oversight | Detective | |
| Assess third parties' legal risks to the organization during due diligence. CC ID 12078 | Third Party and supply chain oversight | Detective | |
| Assess third parties' business continuity capabilities during due diligence. CC ID 12077 | Third Party and supply chain oversight | Detective | |
| Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 | Third Party and supply chain oversight | Detective | |
| Assess third parties' abilities to provide services during due diligence. CC ID 12074 | Third Party and supply chain oversight | Detective | |
| Assess third parties' financial stability during due diligence. CC ID 12066 | Third Party and supply chain oversight | Detective | |
| Assess third parties' use of subcontractors during due diligence. CC ID 12073 | Third Party and supply chain oversight | Detective | |
| Assess third parties' insurance coverage during due diligence. CC ID 12072 | Third Party and supply chain oversight | Detective | |
| Assess the third parties' reputation during due diligence. CC ID 12068 | Third Party and supply chain oversight | Detective | |
| Assess any litigation case files against third parties during due diligence. CC ID 12071 | Third Party and supply chain oversight | Detective | |
| Assess complaints against third parties during due diligence. CC ID 12069 | Third Party and supply chain oversight | Detective | |
| Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Third Party and supply chain oversight | Preventive | |
| Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 | Third Party and supply chain oversight | Preventive | |
| Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 | Third Party and supply chain oversight | Preventive | |
| Determine if suppliers can meet the organization's production requirements. CC ID 11559 | Third Party and supply chain oversight | Preventive | |
| Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 | Third Party and supply chain oversight | Preventive | |
| Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 | Third Party and supply chain oversight | Preventive | |
| Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 | Third Party and supply chain oversight | Detective | |
| Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Preventive | |
| Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 [Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately. CIS Control 15: Service Provider Management] | Third Party and supply chain oversight | Detective | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 | Third Party and supply chain oversight | Preventive | |
| Determine third party compliance with third party contracts. CC ID 08866 | Third Party and supply chain oversight | Preventive | |
| Quarantine non-compliant material. CC ID 08867 | Third Party and supply chain oversight | Preventive | |
| Refrain from quarantining conflict-free materials. CC ID 08868 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 | Third Party and supply chain oversight | Preventive | |
| Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856 | Third Party and supply chain oversight | Preventive | |
| Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Third Party and supply chain oversight | Detective | |
| Review the supply chain's service delivery on a regular basis. CC ID 12010 | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Preventive | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Preventive | |
| Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Preventive | |
| Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Preventive | |
| Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Preventive | |
| Submit certification letters to interested personnel and affected parties. CC ID 16969 | Leadership and high level objectives | Preventive | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Preventive | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Preventive | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Monitoring and measurement | Preventive | |
| Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Detective | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Preventive | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Corrective | |
| Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Preventive | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Preventive | |
| Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Technical security | Preventive | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Preventive | |
| Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Preventive | |
| Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Preventive | |
| Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Preventive | |
| Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Preventive | |
| Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 | Technical security | Preventive | |
| Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 | Technical security | Preventive | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Preventive | |
| Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Preventive | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Preventive | |
| Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Technical security | Preventive | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Preventive | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Preventive | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Corrective | |
| Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
| Disseminate and communicate the network standard to all interested personnel and affected parties. CC ID 13129 | Operational management | Preventive | |
| Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Preventive | |
| Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Preventive | |
| Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Preventive | |
| Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Operational management | Preventive | |
| Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Operational management | Preventive | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Preventive | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Operational management | Preventive | |
| Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Operational management | Preventive | |
| Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 | Operational management | Preventive | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Corrective | |
| Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Operational management | Preventive | |
| Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Operational management | Preventive | |
| Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Operational management | Detective | |
| Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | System hardening through configuration management | Preventive | |
| Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | System hardening through configuration management | Preventive | |
| Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 | System hardening through configuration management | Preventive | |
| Include risk information when communicating critical security updates. CC ID 14948 | System hardening through configuration management | Preventive | |
| Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 | Records management | Preventive | |
| Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Systems design, build, and implementation | Preventive | |
| Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Preventive | |
| Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Preventive | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Preventive | |
Configuration | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Protect continuous security management systems from unauthorized use. CC ID 13097 | Monitoring and measurement | Preventive | |
| Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent. CIS Control 13: Safeguard 13.7 Deploy a Host-Based Intrusion Prevention Solution Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported. CIS Control 13: Safeguard 13.2 Deploy a Host-Based Intrusion Detection Solution Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. CIS Control 13: Safeguard 13.3 Deploy a Network Intrusion Detection Solution Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service. CIS Control 13: Safeguard 13.8 Deploy a Network Intrusion Prevention Solution] | Monitoring and measurement | Preventive | |
| Enable and configure logging on network access controls in accordance with organizational standards. CC ID 01963 [Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base. CIS Control 13: Network Monitoring and Defense Collect network traffic flow logs and/or network traffic to review and alert upon from network devices. CIS Control 13: Safeguard 13.6 Collect Network Traffic Flow Logs] | Monitoring and measurement | Preventive | |
| Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [{stipulated amount} Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. CIS Control 8: Safeguard 8.4 Standardize Time Synchronization {stipulated amount} Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. CIS Control 8: Safeguard 8.4 Standardize Time Synchronization] | Monitoring and measurement | Preventive | |
| Centralize network time servers to as few as practical. CC ID 06308 | Monitoring and measurement | Preventive | |
| Deny network access to rogue devices until network access approval has been received. CC ID 11852 [Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. CIS Control 1: Safeguard 1.2 Address Unauthorized Assets] | Monitoring and measurement | Preventive | |
| Isolate rogue devices after a rogue device has been detected. CC ID 07061 [Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. CIS Control 1: Safeguard 1.2 Address Unauthorized Assets Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. CIS Control 1: Safeguard 1.2 Address Unauthorized Assets {unauthorized asset} Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. CIS Control 1: Inventory and Control of Enterprise Assets] | Monitoring and measurement | Corrective | |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Corrective | |
| Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Corrective | |
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Preventive | |
| Match user accounts to authorized parties. CC ID 12126 [{user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Technical security | Detective | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 [Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. CIS Control 3: Safeguard 3.3 Configure Data Access Control Lists] | Technical security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Detective | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [{data storage}{be lower than} Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. CIS Control 3: Safeguard 3.12 Segment Data Processing and Storage Based on Sensitivity] | Technical security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 | Technical security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Preventive | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Preventive | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Preventive | |
| Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Preventive | |
| Assign authenticators to user accounts. CC ID 06855 | Technical security | Preventive | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management {user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management] | Technical security | Preventive | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Preventive | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Corrective | |
| Prohibit systems from connecting directly to external networks. CC ID 08709 | Technical security | Preventive | |
| Secure the Domain Name System. CC ID 00540 | Technical security | Preventive | |
| Configure the network to limit zone transfers to trusted servers. CC ID 01876 | Technical security | Preventive | |
| Place firewalls between security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Technical security | Preventive | |
| Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 | Technical security | Preventive | |
| Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Technical security | Preventive | |
| Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Technical security | Preventive | |
| Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 | Technical security | Preventive | |
| Configure network ports to organizational standards. CC ID 14007 | Technical security | Preventive | |
| Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 | Technical security | Preventive | |
| Configure network access and control points to protect restricted information and restricted functions. CC ID 01284 | Technical security | Preventive | |
| Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Technical security | Detective | |
| Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 [Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. CIS Control 4: Safeguard 4.5 Implement and Manage a Firewall on End-User Devices] | Technical security | Preventive | |
| Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Technical security | Preventive | |
| Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Technical security | Preventive | |
| Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Technical security | Preventive | |
| Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Technical security | Preventive | |
| Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Technical security | Preventive | |
| Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Technical security | Preventive | |
| Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Technical security | Preventive | |
| Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Technical security | Preventive | |
| Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Technical security | Preventive | |
| Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Technical security | Preventive | |
| Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Technical security | Preventive | |
| Establish, implement, and maintain internet protocol address filters on the firewall, as necessary CC ID 01287 | Technical security | Preventive | |
| Synchronize and secure all router configuration files. CC ID 01291 | Technical security | Preventive | |
| Synchronize and secure all firewall configuration files. CC ID 11851 | Technical security | Preventive | |
| Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Technical security | Preventive | |
| Configure network access and control points to organizational standards. CC ID 12442 | Technical security | Detective | |
| Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 | Technical security | Preventive | |
| Configure third party Wireless Local Area Network services in accordance with organizational Information Assurance standards. CC ID 00751 | Technical security | Preventive | |
| Remove all unauthorized Wireless Local Area Networks. CC ID 06309 | Technical security | Preventive | |
| Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access. CC ID 01648 | Technical security | Preventive | |
| Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks. CC ID 04830 | Technical security | Preventive | |
| Remove all unauthorized wireless access points. CC ID 11856 | Technical security | Preventive | |
| Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 [{spoofed e-mail message} To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. CIS Control 9: Safeguard 9.5 Implement DMARC] | Technical security | Preventive | |
| Secure access to each system component operating system. CC ID 00551 | Technical security | Preventive | |
| Control remote administration in accordance with organizational standards. CC ID 04459 | Technical security | Preventive | |
| Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 | Technical security | Preventive | |
| Implement multifactor authentication techniques. CC ID 00561 [{externally-exposed enterprise application} Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. CIS Control 6: Safeguard 6.3 Require MFA for Externally-Exposed Applications] | Technical security | Preventive | |
| Protect remote access accounts with encryption. CC ID 00562 | Technical security | Preventive | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Preventive | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Preventive | |
| Install security and protection software, as necessary. CC ID 00575 [Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and GatekeeperTM. CIS Control 10: Safeguard 10.5 Enable Anti-Exploitation Features Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing. CIS Control 9: Safeguard 9.7 Deploy and Maintain Email Server Anti-Malware Protections Deploy and maintain anti-malware software on all enterprise assets. CIS Control 10: Safeguard 10.1 Deploy and Maintain Anti-Malware Software Use behavior-based anti-malware software. CIS Control 10: Safeguard 10.7 Use Behavior-Based Anti-Malware Software] | Technical security | Preventive | |
| Lock antivirus configurations. CC ID 10047 | Technical security | Preventive | |
| Encrypt backup data. CC ID 00958 [{be equivalent} Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. CIS Control 11: Safeguard 11.3 Protect Recovery Data] | Operational and Systems Continuity | Preventive | |
| Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
| Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 [{data storage}{be lower than} Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. CIS Control 3: Safeguard 3.12 Segment Data Processing and Storage Based on Sensitivity] | Operational management | Preventive | |
| Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 | Operational management | Preventive | |
| Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Preventive | |
| Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Corrective | |
| Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | System hardening through configuration management | Preventive | |
| Employ the Configuration Management program. CC ID 11904 | System hardening through configuration management | Preventive | |
| Document external connections for all systems. CC ID 06415 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain configuration standards. CC ID 11953 [{biannual basis} Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.7 Allowlist Authorized Scripts] | System hardening through configuration management | Preventive | |
| Apply configuration standards to all systems, as necessary. CC ID 12503 [{daily basis} Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently. CIS Control 1: Safeguard 1.3 Utilize an Active Discovery Tool Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. CIS Control 16: Safeguard 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure] | System hardening through configuration management | Preventive | |
| Document and justify system hardening standard exceptions. CC ID 06845 | System hardening through configuration management | Preventive | |
| Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 [{stipulated timeframe} Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. CIS Control 4: Safeguard 4.3 Configure Automatic Session Locking on Enterprise Assets] | System hardening through configuration management | Preventive | |
| Display an explicit logout message when disconnecting an authenticated communications session. CC ID 10093 | System hardening through configuration management | Preventive | |
| Block and/or remove unnecessary software and unauthorized software. CC ID 00865 [{unauthorized software} Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. CIS Control 2: Inventory and Control of Software Assets {monthly basis} Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. CIS Control 2: Safeguard 2.3 Address Unauthorized Software {insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures {unauthorized software library} {biannual basis} Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.6 Allowlist Authorized Libraries] | System hardening through configuration management | Preventive | |
| Install the most current Windows Service Pack. CC ID 01695 | System hardening through configuration management | Preventive | |
| Install critical security updates and important security updates in a timely manner. CC ID 01696 [{blacklist website} Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. CIS Control 9: Safeguard 9.3 Maintain and Enforce Network-Based URL Filters] | System hardening through configuration management | Preventive | |
| Configure virtual networks in accordance with the information security policy. CC ID 13165 [Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. CIS Control 12: Safeguard 12.7 Ensue Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure] | System hardening through configuration management | Preventive | |
| Remove all unnecessary functionality. CC ID 00882 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | System hardening through configuration management | Preventive | |
| Find and eradicate unauthorized world writable files. CC ID 01541 | System hardening through configuration management | Preventive | |
| Strip dangerous/unneeded SUID/SGID system executables. CC ID 01542 | System hardening through configuration management | Preventive | |
| Find and eradicate unauthorized SUID/SGID system executables. CC ID 01543 | System hardening through configuration management | Preventive | |
| Find and eradicate unowned files and unowned directories. CC ID 01544 | System hardening through configuration management | Preventive | |
| Disable logon prompts on serial ports. CC ID 01553 | System hardening through configuration management | Preventive | |
| Disable "nobody" access for Secure RPC. CC ID 01554 | System hardening through configuration management | Preventive | |
| Disable all unnecessary interfaces. CC ID 04826 | System hardening through configuration management | Preventive | |
| Enable or disable all unused USB ports as appropriate. CC ID 06042 | System hardening through configuration management | Preventive | |
| Disable all user-mounted removable file systems. CC ID 01536 | System hardening through configuration management | Preventive | |
| Set the Bluetooth Security Mode to the organizational standard. CC ID 00587 | System hardening through configuration management | Preventive | |
| Secure the Bluetooth headset connections. CC ID 00593 | System hardening through configuration management | Preventive | |
| Disable automatic dial-in access to computers that have installed modems. CC ID 02036 | System hardening through configuration management | Preventive | |
| Configure the "Turn off AutoPlay" setting. CC ID 01787 | System hardening through configuration management | Preventive | |
| Configure the "Devices: Restrict floppy access to locally logged on users only" setting. CC ID 01732 | System hardening through configuration management | Preventive | |
| Configure the "Devices: Restrict CD-ROM access to locally logged on users" setting. CC ID 01731 | System hardening through configuration management | Preventive | |
| Configure the "Remove CD Burning features" setting. CC ID 04379 | System hardening through configuration management | Preventive | |
| Disable Autorun. CC ID 01790 [Disable autorun and autoplay auto-execute functionality for removable media. CIS Control 10: Safeguard 10.3 Disable Autorun and Autoplay for Removable Media] | System hardening through configuration management | Preventive | |
| Disable USB devices (aka hotplugger). CC ID 01545 | System hardening through configuration management | Preventive | |
| Enable or disable all unused auxiliary ports as appropriate. CC ID 06414 | System hardening through configuration management | Preventive | |
| Remove rhosts support unless absolutely necessary. CC ID 01555 | System hardening through configuration management | Preventive | |
| Remove weak authentication services from Pluggable Authentication Modules. CC ID 01556 | System hardening through configuration management | Preventive | |
| Remove the /etc/hosts.equiv file. CC ID 01559 | System hardening through configuration management | Preventive | |
| Create the /etc/ftpd/ftpusers file. CC ID 01560 | System hardening through configuration management | Preventive | |
| Remove the X Wrapper and enable the X Display Manager. CC ID 01564 | System hardening through configuration management | Preventive | |
| Remove empty crontab files and restrict file permissions to the file. CC ID 01571 | System hardening through configuration management | Preventive | |
| Remove all compilers and assemblers from the system. CC ID 01594 | System hardening through configuration management | Preventive | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 [{refrain from authorizing}{refrain from requiring} Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications. CIS Control 9: Safeguard 9.4 Restrict Unnecessary or Unauthorized and Email Client Extensions] | System hardening through configuration management | Preventive | |
| Disable the storing of movies in cache in Apple's QuickTime. CC ID 04489 | System hardening through configuration management | Preventive | |
| Install and enable file sharing utilities, as necessary. CC ID 02174 | System hardening through configuration management | Preventive | |
| Disable boot services unless boot services are absolutely necessary. CC ID 01481 | System hardening through configuration management | Preventive | |
| Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary. CC ID 04279 | System hardening through configuration management | Preventive | |
| Configure the Trivial FTP Daemon service to organizational standards. CC ID 01484 | System hardening through configuration management | Preventive | |
| Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary. CC ID 01487 | System hardening through configuration management | Preventive | |
| Disable web server unless web server is absolutely necessary. CC ID 01490 | System hardening through configuration management | Preventive | |
| Disable portmapper unless portmapper is absolutely necessary. CC ID 01492 | System hardening through configuration management | Preventive | |
| Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary. CC ID 01498 | System hardening through configuration management | Preventive | |
| Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary. CC ID 01504 | System hardening through configuration management | Preventive | |
| Configure the “xinetd” service to organizational standards. CC ID 01509 | System hardening through configuration management | Preventive | |
| Configure the /etc/xinetd.conf file permissions as appropriate. CC ID 01568 | System hardening through configuration management | Preventive | |
| Disable inetd unless inetd is absolutely necessary. CC ID 01508 | System hardening through configuration management | Preventive | |
| Disable Network Computing System unless it is absolutely necessary. CC ID 01497 | System hardening through configuration management | Preventive | |
| Disable print server for macintosh unless print server for macintosh is absolutely necessary. CC ID 04284 | System hardening through configuration management | Preventive | |
| Disable Print Server unless Print Server is absolutely necessary. CC ID 01488 | System hardening through configuration management | Preventive | |
| Disable ruser/remote login/remote shell/rcp command, unless it is absolutely necessary. CC ID 01480 | System hardening through configuration management | Preventive | |
| Disable xfsmd unless xfsmd is absolutely necessary. CC ID 02179 | System hardening through configuration management | Preventive | |
| Disable RPC-based services unless RPC-based services are absolutely necessary. CC ID 01455 | System hardening through configuration management | Preventive | |
| Disable netfs script unless netfs script is absolutely necessary. CC ID 01495 | System hardening through configuration management | Preventive | |
| Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions. CC ID 01456 | System hardening through configuration management | Preventive | |
| Configure the "RPC Endpoint Mapper Client Authentication" setting. CC ID 04327 | System hardening through configuration management | Preventive | |
| Disable ncpfs Script unless ncpfs Script is absolutely necessary. CC ID 01494 | System hardening through configuration management | Preventive | |
| Disable sendmail server unless sendmail server is absolutely necessary. CC ID 01511 | System hardening through configuration management | Preventive | |
| Disable postfix unless postfix is absolutely necessary. CC ID 01512 | System hardening through configuration management | Preventive | |
| Disable directory server unless directory server is absolutely necessary. CC ID 01464 | System hardening through configuration management | Preventive | |
| Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary. CC ID 01471 | System hardening through configuration management | Preventive | |
| Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary. CC ID 01470 | System hardening through configuration management | Preventive | |
| Configure the “Network File System” server to organizational standards CC ID 01472 | System hardening through configuration management | Preventive | |
| Configure NFS to respond or not as appropriate to NFS client requests that do not include a User ID. CC ID 05981 | System hardening through configuration management | Preventive | |
| Configure NFS with appropriate authentication methods. CC ID 05982 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_DES authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08971 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_KERB authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08972 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_NONE authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08973 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_UNIX authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08974 | System hardening through configuration management | Preventive | |
| Disable webmin processes unless the webmin process is absolutely necessary. CC ID 01501 | System hardening through configuration management | Preventive | |
| Disable automount daemon unless automount daemon is absolutely necessary. CC ID 01476 | System hardening through configuration management | Preventive | |
| Disable CDE-related daemons unless CDE-related daemons are absolutely necessary. CC ID 01474 | System hardening through configuration management | Preventive | |
| Disable finger unless finger is absolutely necessary. CC ID 01505 | System hardening through configuration management | Preventive | |
| Disable Rexec unless Rexec is absolutely necessary. CC ID 02164 | System hardening through configuration management | Preventive | |
| Disable Squid cache server unless Squid cache server is absolutely necessary. CC ID 01502 | System hardening through configuration management | Preventive | |
| Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary. CC ID 01503 | System hardening through configuration management | Preventive | |
| Install and enable public Instant Messaging clients as necessary. CC ID 02173 | System hardening through configuration management | Preventive | |
| Disable x font server unless x font server is absolutely necessary. CC ID 01499 | System hardening through configuration management | Preventive | |
| Disable NFS client processes unless NFS client processes are absolutely necessary. CC ID 01475 | System hardening through configuration management | Preventive | |
| Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 | System hardening through configuration management | Preventive | |
| Disable GSS daemon unless GSS daemon is absolutely necessary. CC ID 01465 | System hardening through configuration management | Preventive | |
| Disable Computer Browser unless Computer Browser is absolutely necessary. CC ID 01814 | System hardening through configuration management | Preventive | |
| Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | System hardening through configuration management | Preventive | |
| Configure the /etc/samba/smb.conf file file permissions as appropriate. CC ID 05989 | System hardening through configuration management | Preventive | |
| Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary. CC ID 01821 | System hardening through configuration management | Preventive | |
| Disable web directory browsing on all web-enabled devices. CC ID 01874 | System hardening through configuration management | Preventive | |
| Disable WWW publishing services unless WWW publishing services are absolutely necessary. CC ID 01833 | System hardening through configuration management | Preventive | |
| Install and enable samba, as necessary. CC ID 02175 | System hardening through configuration management | Preventive | |
| Configure the samba hosts allow option with an appropriate set of networks. CC ID 05985 | System hardening through configuration management | Preventive | |
| Configure the samba security option option as appropriate. CC ID 05986 | System hardening through configuration management | Preventive | |
| Configure the samba encrypt passwords option as appropriate. CC ID 05987 | System hardening through configuration management | Preventive | |
| Configure the Samba 'smb passwd file' option with an appropriate password file or no password file. CC ID 05988 | System hardening through configuration management | Preventive | |
| Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary. CC ID 02176 | System hardening through configuration management | Preventive | |
| Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary. CC ID 02172 | System hardening through configuration management | Preventive | |
| Disable volume manager unless volume manager is absolutely necessary. CC ID 01469 | System hardening through configuration management | Preventive | |
| Disable Solaris Management Console unless Solaris Management Console is absolutely necessary. CC ID 01468 | System hardening through configuration management | Preventive | |
| Disable the Graphical User Interface unless it is absolutely necessary. CC ID 01466 | System hardening through configuration management | Preventive | |
| Disable help and support unless help and support is absolutely necessary. CC ID 04280 | System hardening through configuration management | Preventive | |
| Disable speech recognition unless speech recognition is absolutely necessary. CC ID 04491 | System hardening through configuration management | Preventive | |
| Disable or secure the NetWare QuickFinder search engine. CC ID 04453 | System hardening through configuration management | Preventive | |
| Disable messenger unless messenger is absolutely necessary. CC ID 01819 | System hardening through configuration management | Preventive | |
| Configure the "Do not allow Windows Messenger to be run" setting. CC ID 04516 | System hardening through configuration management | Preventive | |
| Configure the "Do not automatically start Windows Messenger initially" setting. CC ID 04517 | System hardening through configuration management | Preventive | |
| Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" setting. CC ID 04330 | System hardening through configuration management | Preventive | |
| Disable automatic updates unless automatic updates are absolutely necessary. CC ID 01811 | System hardening through configuration management | Preventive | |
| Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards. CC ID 05979 | System hardening through configuration management | Preventive | |
| Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary. CC ID 04846 | System hardening through configuration management | Preventive | |
| Prohibit R-command files from existing for root or administrator. CC ID 16322 | System hardening through configuration management | Preventive | |
| Verify the /bin/rsh file exists or not, as appropriate. CC ID 05101 | System hardening through configuration management | Preventive | |
| Verify the /sbin/rsh file exists or not, as appropriate. CC ID 05102 | System hardening through configuration management | Preventive | |
| Verify the /usr/bin/rsh file exists or not, as appropriate. CC ID 05103 | System hardening through configuration management | Preventive | |
| Verify the /etc/ftpusers file exists or not, as appropriate. CC ID 05104 | System hardening through configuration management | Preventive | |
| Verify the /etc/rsh file exists or not, as appropriate. CC ID 05105 | System hardening through configuration management | Preventive | |
| Install or uninstall the AIDE package, as appropriate. CC ID 05106 | System hardening through configuration management | Preventive | |
| Enable the GNOME automounter (gnome-volume-manager) as necessary. CC ID 05107 | System hardening through configuration management | Preventive | |
| Install or uninstall the setroubleshoot package, as appropriate. CC ID 05108 | System hardening through configuration management | Preventive | |
| Configure Avahi properly. CC ID 05109 | System hardening through configuration management | Preventive | |
| Install or uninstall OpenNTPD, as appropriate. CC ID 05110 | System hardening through configuration management | Preventive | |
| Configure the "httpd" service to organizational standards. CC ID 05111 | System hardening through configuration management | Preventive | |
| Install or uninstall the net-smtp package properly. CC ID 05112 | System hardening through configuration management | Preventive | |
| Configure the apache web service properly. CC ID 05113 | System hardening through configuration management | Preventive | |
| Configure the vlock package properly. CC ID 05114 | System hardening through configuration management | Preventive | |
| Configure the daemon account properly. CC ID 05115 | System hardening through configuration management | Preventive | |
| Configure the bin account properly. CC ID 05116 | System hardening through configuration management | Preventive | |
| Configure the nuucp account properly. CC ID 05117 | System hardening through configuration management | Preventive | |
| Configure the smmsp account properly. CC ID 05118 | System hardening through configuration management | Preventive | |
| Configure the listen account properly. CC ID 05119 | System hardening through configuration management | Preventive | |
| Configure the gdm account properly. CC ID 05120 | System hardening through configuration management | Preventive | |
| Configure the webservd account properly. CC ID 05121 | System hardening through configuration management | Preventive | |
| Configure the nobody account properly. CC ID 05122 | System hardening through configuration management | Preventive | |
| Configure the noaccess account properly. CC ID 05123 | System hardening through configuration management | Preventive | |
| Configure the nobody4 account properly. CC ID 05124 | System hardening through configuration management | Preventive | |
| Configure the sys account properly. CC ID 05125 | System hardening through configuration management | Preventive | |
| Configure the adm account properly. CC ID 05126 | System hardening through configuration management | Preventive | |
| Configure the lp account properly. CC ID 05127 | System hardening through configuration management | Preventive | |
| Configure the uucp account properly. CC ID 05128 | System hardening through configuration management | Preventive | |
| Install or uninstall the tftp-server package, as appropriate. CC ID 05130 | System hardening through configuration management | Preventive | |
| Enable the web console as necessary. CC ID 05131 | System hardening through configuration management | Preventive | |
| Enable rlogin auth by Pluggable Authentication Modules or pam.d properly. CC ID 05132 | System hardening through configuration management | Preventive | |
| Enable rsh auth by Pluggable Authentication Modules properly. CC ID 05133 | System hardening through configuration management | Preventive | |
| Enable the listening sendmail daemon, as appropriate. CC ID 05134 | System hardening through configuration management | Preventive | |
| Configure Squid properly. CC ID 05135 | System hardening through configuration management | Preventive | |
| Configure the "/etc/shells" file to organizational standards. CC ID 08978 | System hardening through configuration management | Preventive | |
| Configure the LDAP package to organizational standards. CC ID 09937 | System hardening through configuration management | Preventive | |
| Configure the "FTP server" package to organizational standards. CC ID 09938 | System hardening through configuration management | Preventive | |
| Configure the "HTTP Proxy Server" package to organizational standards. CC ID 09939 | System hardening through configuration management | Preventive | |
| Configure the "prelink" package to organizational standards. CC ID 11379 | System hardening through configuration management | Preventive | |
| Configure the Network Information Service (NIS) package to organizational standards. CC ID 11380 | System hardening through configuration management | Preventive | |
| Configure the "time" setting to organizational standards. CC ID 11381 | System hardening through configuration management | Preventive | |
| Configure the "biosdevname" package to organizational standards. CC ID 11383 | System hardening through configuration management | Preventive | |
| Configure the "ufw" setting to organizational standards. CC ID 11384 | System hardening through configuration management | Preventive | |
| Configure the "Devices: Allow undock without having to log on" setting. CC ID 01728 | System hardening through configuration management | Preventive | |
| Limit the user roles that are allowed to format and eject removable storage media. CC ID 01729 | System hardening through configuration management | Preventive | |
| Prevent users from installing printer drivers. CC ID 01730 | System hardening through configuration management | Preventive | |
| Minimize the inetd.conf file and set the file to the appropriate permissions. CC ID 01506 | System hardening through configuration management | Preventive | |
| Configure the unsigned driver installation behavior. CC ID 01733 | System hardening through configuration management | Preventive | |
| Configure the unsigned non-driver installation behavior. CC ID 02038 | System hardening through configuration management | Preventive | |
| Remove all demonstration applications on the system. CC ID 01875 | System hardening through configuration management | Preventive | |
| Configure the system to disallow optional Subsystems. CC ID 04265 | System hardening through configuration management | Preventive | |
| Configure the "Remove Security tab" setting. CC ID 04380 | System hardening through configuration management | Preventive | |
| Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 [Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. CIS Control 4: Safeguard 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software {insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software] | System hardening through configuration management | Preventive | |
| Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 | System hardening through configuration management | Preventive | |
| Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 | System hardening through configuration management | Preventive | |
| Disable telnet unless telnet use is absolutely necessary. CC ID 01478 | System hardening through configuration management | Preventive | |
| Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 | System hardening through configuration management | Preventive | |
| Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | System hardening through configuration management | Preventive | |
| Disable anonymous access to File Transfer Protocol. CC ID 06739 | System hardening through configuration management | Preventive | |
| Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 | System hardening through configuration management | Preventive | |
| Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 | System hardening through configuration management | Preventive | |
| Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 | System hardening through configuration management | Preventive | |
| Disable alerter unless alerter use is absolutely necessary. CC ID 01810 | System hardening through configuration management | Preventive | |
| Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 | System hardening through configuration management | Preventive | |
| Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 | System hardening through configuration management | Preventive | |
| Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 | System hardening through configuration management | Preventive | |
| Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 | System hardening through configuration management | Preventive | |
| Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 | System hardening through configuration management | Preventive | |
| Disable net logon unless net logon use is absolutely necessary. CC ID 01820 | System hardening through configuration management | Preventive | |
| Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 | System hardening through configuration management | Preventive | |
| Disable the "Offer Remote Assistance" setting. CC ID 04325 | System hardening through configuration management | Preventive | |
| Disable the "Solicited Remote Assistance" setting. CC ID 04326 | System hardening through configuration management | Preventive | |
| Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 | System hardening through configuration management | Preventive | |
| Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 | System hardening through configuration management | Preventive | |
| Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 | System hardening through configuration management | Preventive | |
| Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 | System hardening through configuration management | Preventive | |
| Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 | System hardening through configuration management | Preventive | |
| Disable File Service Protocol. CC ID 02167 | System hardening through configuration management | Preventive | |
| Disable the License Logging Service unless unless it is absolutely necessary. CC ID 04282 | System hardening through configuration management | Preventive | |
| Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 | System hardening through configuration management | Preventive | |
| Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 | System hardening through configuration management | Preventive | |
| Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 | System hardening through configuration management | Preventive | |
| Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 | System hardening through configuration management | Preventive | |
| Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 | System hardening through configuration management | Preventive | |
| Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 | System hardening through configuration management | Preventive | |
| Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 | System hardening through configuration management | Preventive | |
| Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 | System hardening through configuration management | Preventive | |
| Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 | System hardening through configuration management | Preventive | |
| Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 | System hardening through configuration management | Preventive | |
| Disable SSDP/UPnp unless SSDP/UPnP is absolutely necessary. CC ID 04315 | System hardening through configuration management | Preventive | |
| Configure the "ntpd service" setting to organizational standards. CC ID 04911 | System hardening through configuration management | Preventive | |
| Configure the "echo service" setting to organizational standards. CC ID 04912 | System hardening through configuration management | Preventive | |
| Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 | System hardening through configuration management | Preventive | |
| Configure the "echo-stream service" setting to organizational standards. CC ID 09928 | System hardening through configuration management | Preventive | |
| Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 | System hardening through configuration management | Preventive | |
| Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 | System hardening through configuration management | Preventive | |
| Configure the "netstat service" setting to organizational standards. CC ID 04913 | System hardening through configuration management | Preventive | |
| Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 | System hardening through configuration management | Preventive | |
| Configure the "tftpd service" setting to organizational standards. CC ID 04915 | System hardening through configuration management | Preventive | |
| Configure the "walld service" setting to organizational standards. CC ID 04916 | System hardening through configuration management | Preventive | |
| Configure the "rstatd service" setting to organizational standards. CC ID 04917 | System hardening through configuration management | Preventive | |
| Configure the "sprayd service" setting to organizational standards. CC ID 04918 | System hardening through configuration management | Preventive | |
| Configure the "rusersd service" setting to organizational standards. CC ID 04919 | System hardening through configuration management | Preventive | |
| Configure the "inn service" setting to organizational standards. CC ID 04920 | System hardening through configuration management | Preventive | |
| Configure the "font service" setting to organizational standards. CC ID 04921 | System hardening through configuration management | Preventive | |
| Configure the "ident service" setting to organizational standards. CC ID 04922 | System hardening through configuration management | Preventive | |
| Configure the "rexd service" setting to organizational standards. CC ID 04923 | System hardening through configuration management | Preventive | |
| Configure the "daytime service" setting to organizational standards. CC ID 04924 | System hardening through configuration management | Preventive | |
| Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 | System hardening through configuration management | Preventive | |
| Configure the "cmsd service" setting to organizational standards. CC ID 04926 | System hardening through configuration management | Preventive | |
| Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 | System hardening through configuration management | Preventive | |
| Configure the "discard service" setting to organizational standards. CC ID 04928 | System hardening through configuration management | Preventive | |
| Configure the "vino-server service" setting to organizational standards. CC ID 04929 | System hardening through configuration management | Preventive | |
| Configure the "bind service" setting to organizational standards. CC ID 04930 | System hardening through configuration management | Preventive | |
| Configure the "nfsd service" setting to organizational standards. CC ID 04931 | System hardening through configuration management | Preventive | |
| Configure the "mountd service" setting to organizational standards. CC ID 04932 | System hardening through configuration management | Preventive | |
| Configure the "statd service" setting to organizational standards. CC ID 04933 | System hardening through configuration management | Preventive | |
| Configure the "lockd service" setting to organizational standards. CC ID 04934 | System hardening through configuration management | Preventive | |
| Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 | System hardening through configuration management | Preventive | |
| Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 | System hardening through configuration management | Preventive | |
| Configure the sendmail vrfy command, as appropriate. CC ID 04936 | System hardening through configuration management | Preventive | |
| Configure the sendmail expn command, as appropriate. CC ID 04937 | System hardening through configuration management | Preventive | |
| Configure .netrc with an appropriate set of services. CC ID 04938 | System hardening through configuration management | Preventive | |
| Enable NFS insecure locks as necessary. CC ID 04939 | System hardening through configuration management | Preventive | |
| Configure the "X server ac" setting to organizational standards. CC ID 04940 | System hardening through configuration management | Preventive | |
| Configure the "X server core" setting to organizational standards. CC ID 04941 | System hardening through configuration management | Preventive | |
| Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 | System hardening through configuration management | Preventive | |
| Configure the "X server nolock" setting to organizational standards. CC ID 04942 | System hardening through configuration management | Preventive | |
| Enable or disable the mcstrans service, as appropriate. CC ID 05541 | System hardening through configuration management | Preventive | |
| Configure the "PAM console" setting to organizational standards. CC ID 04943 | System hardening through configuration management | Preventive | |
| Enable or disable the restorecond service, as appropriate. CC ID 05542 | System hardening through configuration management | Preventive | |
| Enable the rhnsd service as necessary. CC ID 04944 | System hardening through configuration management | Preventive | |
| Enable the yum-updatesd service as necessary. CC ID 04945 | System hardening through configuration management | Preventive | |
| Enable the autofs service as necessary. CC ID 04946 | System hardening through configuration management | Preventive | |
| Enable the ip6tables service as necessary. CC ID 04947 | System hardening through configuration management | Preventive | |
| Configure syslog to organizational standards. CC ID 04949 | System hardening through configuration management | Preventive | |
| Enable the auditd service as necessary. CC ID 04950 | System hardening through configuration management | Preventive | |
| Enable the logwatch service as necessary. CC ID 04951 | System hardening through configuration management | Preventive | |
| Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 | System hardening through configuration management | Preventive | |
| Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 | System hardening through configuration management | Preventive | |
| Enable the ypbind service as necessary. CC ID 04954 | System hardening through configuration management | Preventive | |
| Enable the ypserv service as necessary. CC ID 04955 | System hardening through configuration management | Preventive | |
| Enable the firstboot service as necessary. CC ID 04956 | System hardening through configuration management | Preventive | |
| Enable the gpm service as necessary. CC ID 04957 | System hardening through configuration management | Preventive | |
| Enable the irqbalance service as necessary. CC ID 04958 | System hardening through configuration management | Preventive | |
| Enable the isdn service as necessary. CC ID 04959 | System hardening through configuration management | Preventive | |
| Enable the kdump service as necessary. CC ID 04960 | System hardening through configuration management | Preventive | |
| Enable the mdmonitor service as necessary. CC ID 04961 | System hardening through configuration management | Preventive | |
| Enable the microcode_ctl service as necessary. CC ID 04962 | System hardening through configuration management | Preventive | |
| Enable the pcscd service as necessary. CC ID 04963 | System hardening through configuration management | Preventive | |
| Enable the smartd service as necessary. CC ID 04964 | System hardening through configuration management | Preventive | |
| Enable the readahead_early service as necessary. CC ID 04965 | System hardening through configuration management | Preventive | |
| Enable the readahead_later service as necessary. CC ID 04966 | System hardening through configuration management | Preventive | |
| Enable the messagebus service as necessary. CC ID 04967 | System hardening through configuration management | Preventive | |
| Enable the haldaemon service as necessary. CC ID 04968 | System hardening through configuration management | Preventive | |
| Enable the apmd service as necessary. CC ID 04969 | System hardening through configuration management | Preventive | |
| Enable the acpid service as necessary. CC ID 04970 | System hardening through configuration management | Preventive | |
| Enable the cpuspeed service as necessary. CC ID 04971 | System hardening through configuration management | Preventive | |
| Enable the network service as necessary. CC ID 04972 | System hardening through configuration management | Preventive | |
| Enable the hidd service as necessary. CC ID 04973 | System hardening through configuration management | Preventive | |
| Enable the crond service as necessary. CC ID 04974 | System hardening through configuration management | Preventive | |
| Install and enable the anacron service as necessary. CC ID 04975 | System hardening through configuration management | Preventive | |
| Enable the xfs service as necessary. CC ID 04976 | System hardening through configuration management | Preventive | |
| Install and enable the Avahi daemon service, as necessary. CC ID 04977 | System hardening through configuration management | Preventive | |
| Enable the CUPS service, as necessary. CC ID 04978 | System hardening through configuration management | Preventive | |
| Enable the hplip service as necessary. CC ID 04979 | System hardening through configuration management | Preventive | |
| Enable the dhcpd service as necessary. CC ID 04980 | System hardening through configuration management | Preventive | |
| Enable the nfslock service as necessary. CC ID 04981 | System hardening through configuration management | Preventive | |
| Enable the rpcgssd service as necessary. CC ID 04982 | System hardening through configuration management | Preventive | |
| Enable the rpcidmapd service as necessary. CC ID 04983 | System hardening through configuration management | Preventive | |
| Enable the rpcsvcgssd service as necessary. CC ID 04985 | System hardening through configuration management | Preventive | |
| Configure root squashing for all NFS shares, as appropriate. CC ID 04986 | System hardening through configuration management | Preventive | |
| Configure write access to NFS shares, as appropriate. CC ID 04987 | System hardening through configuration management | Preventive | |
| Configure the named service, as appropriate. CC ID 04988 | System hardening through configuration management | Preventive | |
| Configure the vsftpd service, as appropriate. CC ID 04989 | System hardening through configuration management | Preventive | |
| Configure the “dovecot” service to organizational standards. CC ID 04990 | System hardening through configuration management | Preventive | |
| Configure Server Message Block (SMB) to organizational standards. CC ID 04991 | System hardening through configuration management | Preventive | |
| Enable the snmpd service as necessary. CC ID 04992 | System hardening through configuration management | Preventive | |
| Enable the calendar manager as necessary. CC ID 04993 | System hardening through configuration management | Preventive | |
| Enable the GNOME logon service as necessary. CC ID 04994 | System hardening through configuration management | Preventive | |
| Enable the WBEM services as necessary. CC ID 04995 | System hardening through configuration management | Preventive | |
| Enable the keyserv service as necessary. CC ID 04996 | System hardening through configuration management | Preventive | |
| Enable the Generic Security Service daemon as necessary. CC ID 04997 | System hardening through configuration management | Preventive | |
| Enable the volfs service as necessary. CC ID 04998 | System hardening through configuration management | Preventive | |
| Enable the smserver service as necessary. CC ID 04999 | System hardening through configuration management | Preventive | |
| Enable the mpxio-upgrade service as necessary. CC ID 05000 | System hardening through configuration management | Preventive | |
| Enable the metainit service as necessary. CC ID 05001 | System hardening through configuration management | Preventive | |
| Enable the meta service as necessary. CC ID 05003 | System hardening through configuration management | Preventive | |
| Enable the metaed service as necessary. CC ID 05004 | System hardening through configuration management | Preventive | |
| Enable the metamh service as necessary. CC ID 05005 | System hardening through configuration management | Preventive | |
| Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 | System hardening through configuration management | Preventive | |
| Enable the Kerberos kadmind service as necessary. CC ID 05007 | System hardening through configuration management | Preventive | |
| Enable the Kerberos krb5kdc service as necessary. CC ID 05008 | System hardening through configuration management | Preventive | |
| Enable the Kerberos kpropd service as necessary. CC ID 05009 | System hardening through configuration management | Preventive | |
| Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 | System hardening through configuration management | Preventive | |
| Enable the sadmin service as necessary. CC ID 05011 | System hardening through configuration management | Preventive | |
| Enable the IPP listener as necessary. CC ID 05012 | System hardening through configuration management | Preventive | |
| Enable the serial port listener as necessary. CC ID 05013 | System hardening through configuration management | Preventive | |
| Enable the Smart Card Helper service as necessary. CC ID 05014 | System hardening through configuration management | Preventive | |
| Enable the Application Management service as necessary. CC ID 05015 | System hardening through configuration management | Preventive | |
| Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | System hardening through configuration management | Preventive | |
| Enable the Network News Transport Protocol service as necessary. CC ID 05017 | System hardening through configuration management | Preventive | |
| Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 | System hardening through configuration management | Preventive | |
| Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | System hardening through configuration management | Preventive | |
| Enable the RARP service as necessary. CC ID 05020 | System hardening through configuration management | Preventive | |
| Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 | System hardening through configuration management | Preventive | |
| Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 | System hardening through configuration management | Preventive | |
| Enable the Certificate Services service as necessary. CC ID 05023 | System hardening through configuration management | Preventive | |
| Configure the ATI hotkey poller service properly. CC ID 05024 | System hardening through configuration management | Preventive | |
| Configure the Interix Subsystem Startup service properly. CC ID 05025 | System hardening through configuration management | Preventive | |
| Configure the Cluster Service service properly. CC ID 05026 | System hardening through configuration management | Preventive | |
| Configure the IAS Jet Database Access service properly. CC ID 05027 | System hardening through configuration management | Preventive | |
| Configure the IAS service properly. CC ID 05028 | System hardening through configuration management | Preventive | |
| Configure the IP Version 6 Helper service properly. CC ID 05029 | System hardening through configuration management | Preventive | |
| Configure "Message Queuing service" to organizational standards. CC ID 05030 | System hardening through configuration management | Preventive | |
| Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | System hardening through configuration management | Preventive | |
| Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | System hardening through configuration management | Preventive | |
| Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 | System hardening through configuration management | Preventive | |
| Configure the Utility Manager service properly. CC ID 05035 | System hardening through configuration management | Preventive | |
| Configure the secondary logon service properly. CC ID 05036 | System hardening through configuration management | Preventive | |
| Configure the Windows Management Instrumentation service properly. CC ID 05037 | System hardening through configuration management | Preventive | |
| Configure the Workstation service properly. CC ID 05038 | System hardening through configuration management | Preventive | |
| Configure the Windows Installer service properly. CC ID 05039 | System hardening through configuration management | Preventive | |
| Configure the Windows System Resource Manager service properly. CC ID 05040 | System hardening through configuration management | Preventive | |
| Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Client for NFS service properly. CC ID 05042 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Perl Socket service properly. CC ID 05044 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Windows Cron service properly. CC ID 05046 | System hardening through configuration management | Preventive | |
| Configure the Windows Media Services service properly. CC ID 05047 | System hardening through configuration management | Preventive | |
| Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 | System hardening through configuration management | Preventive | |
| Configure the Web Element Manager service properly. CC ID 05049 | System hardening through configuration management | Preventive | |
| Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 | System hardening through configuration management | Preventive | |
| Configure the Terminal Services Licensing service properly. CC ID 05051 | System hardening through configuration management | Preventive | |
| Configure the COM+ Event System service properly. CC ID 05052 | System hardening through configuration management | Preventive | |
| Configure the Event Log service properly. CC ID 05053 | System hardening through configuration management | Preventive | |
| Configure the Infrared Monitor service properly. CC ID 05054 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Server for NFS service properly. CC ID 05055 | System hardening through configuration management | Preventive | |
| Configure the System Event Notification Service properly. CC ID 05056 | System hardening through configuration management | Preventive | |
| Configure the NTLM Security Support Provider service properly. CC ID 05057 | System hardening through configuration management | Preventive | |
| Configure the Performance Logs and Alerts service properly. CC ID 05058 | System hardening through configuration management | Preventive | |
| Configure the Protected Storage service properly. CC ID 05059 | System hardening through configuration management | Preventive | |
| Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | System hardening through configuration management | Preventive | |
| Configure the Remote Procedure Call service properly. CC ID 05061 | System hardening through configuration management | Preventive | |
| Configure the Removable Storage service properly. CC ID 05062 | System hardening through configuration management | Preventive | |
| Configure the Server service properly. CC ID 05063 | System hardening through configuration management | Preventive | |
| Configure the Security Accounts Manager service properly. CC ID 05064 | System hardening through configuration management | Preventive | |
| Configure the “Network Connections” service to organizational standards. CC ID 05065 | System hardening through configuration management | Preventive | |
| Configure the Logical Disk Manager service properly. CC ID 05066 | System hardening through configuration management | Preventive | |
| Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | System hardening through configuration management | Preventive | |
| Configure the File Replication service properly. CC ID 05068 | System hardening through configuration management | Preventive | |
| Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | System hardening through configuration management | Preventive | |
| Configure the Intersite Messaging service properly. CC ID 05070 | System hardening through configuration management | Preventive | |
| Configure the Remote Procedure Call locator service properly. CC ID 05071 | System hardening through configuration management | Preventive | |
| Configure the Distributed File System service properly. CC ID 05072 | System hardening through configuration management | Preventive | |
| Configure the Windows Internet Name Service service properly. CC ID 05073 | System hardening through configuration management | Preventive | |
| Configure the FTP Publishing Service properly. CC ID 05074 | System hardening through configuration management | Preventive | |
| Configure the Windows Search service properly. CC ID 05075 | System hardening through configuration management | Preventive | |
| Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | System hardening through configuration management | Preventive | |
| Configure the Remote Shell service properly. CC ID 05077 | System hardening through configuration management | Preventive | |
| Configure Simple TCP/IP services to organizational standards. CC ID 05078 | System hardening through configuration management | Preventive | |
| Configure the Print Services for Unix service properly. CC ID 05079 | System hardening through configuration management | Preventive | |
| Configure the File Shares service to organizational standards. CC ID 05080 | System hardening through configuration management | Preventive | |
| Configure the NetMeeting service properly. CC ID 05081 | System hardening through configuration management | Preventive | |
| Configure the Application Layer Gateway service properly. CC ID 05082 | System hardening through configuration management | Preventive | |
| Configure the Cryptographic Services service properly. CC ID 05083 | System hardening through configuration management | Preventive | |
| Configure the Help and Support Service properly. CC ID 05084 | System hardening through configuration management | Preventive | |
| Configure the Human Interface Device Access service properly. CC ID 05085 | System hardening through configuration management | Preventive | |
| Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | System hardening through configuration management | Preventive | |
| Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | System hardening through configuration management | Preventive | |
| Configure the Network Location Awareness service properly. CC ID 05088 | System hardening through configuration management | Preventive | |
| Configure the Portable Media Serial Number Service service properly. CC ID 05089 | System hardening through configuration management | Preventive | |
| Configure the System Restore Service service properly. CC ID 05090 | System hardening through configuration management | Preventive | |
| Configure the Themes service properly. CC ID 05091 | System hardening through configuration management | Preventive | |
| Configure the Uninterruptible Power Supply service properly. CC ID 05092 | System hardening through configuration management | Preventive | |
| Configure the Upload Manager service properly. CC ID 05093 | System hardening through configuration management | Preventive | |
| Configure the Volume Shadow Copy Service properly. CC ID 05094 | System hardening through configuration management | Preventive | |
| Configure the WebClient service properly. CC ID 05095 | System hardening through configuration management | Preventive | |
| Configure the Windows Audio service properly. CC ID 05096 | System hardening through configuration management | Preventive | |
| Configure the Windows Image Acquisition service properly. CC ID 05097 | System hardening through configuration management | Preventive | |
| Configure the WMI Performance Adapter service properly. CC ID 05098 | System hardening through configuration management | Preventive | |
| Enable file uploads via vsftpd service, as appropriate. CC ID 05100 | System hardening through configuration management | Preventive | |
| Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 | System hardening through configuration management | Preventive | |
| Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 | System hardening through configuration management | Preventive | |
| Configure the "xdmcp service" setting to organizational standards. CC ID 08985 | System hardening through configuration management | Preventive | |
| Disable the automatic display of remote images in HTML-formatted e-mail. CC ID 04494 | System hardening through configuration management | Preventive | |
| Disable Remote Apply Events unless Remote Apply Events are absolutely necessary. CC ID 04495 | System hardening through configuration management | Preventive | |
| Disable Xgrid unless Xgrid is absolutely necessary. CC ID 04496 | System hardening through configuration management | Preventive | |
| Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly. CC ID 05136 | System hardening through configuration management | Preventive | |
| Disable Core dumps unless absolutely necessary. CC ID 01507 | System hardening through configuration management | Preventive | |
| Set hard core dump size limits, as appropriate. CC ID 05990 | System hardening through configuration management | Preventive | |
| Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly. CC ID 05137 | System hardening through configuration management | Preventive | |
| Set the Squid EUID and Squid GUID to an appropriate user and group. CC ID 05138 | System hardening through configuration management | Preventive | |
| Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate. CC ID 05139 | System hardening through configuration management | Preventive | |
| Use of the cron.allow file should be enabled or disabled as appropriate. CC ID 06014 | System hardening through configuration management | Preventive | |
| Use of the at.allow file should be enabled or disabled as appropriate. CC ID 06015 | System hardening through configuration management | Preventive | |
| Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate. CC ID 06039 | System hardening through configuration management | Preventive | |
| Enable or disable each user's Screen saver software, as necessary. CC ID 06050 | System hardening through configuration management | Preventive | |
| Disable any unnecessary scripting languages, as necessary. CC ID 12137 [{biannual basis} Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.7 Allowlist Authorized Scripts] | System hardening through configuration management | Preventive | |
| Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | System hardening through configuration management | Preventive | |
| Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | System hardening through configuration management | Preventive | |
| Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | System hardening through configuration management | Preventive | |
| Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | System hardening through configuration management | Preventive | |
| Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | System hardening through configuration management | Preventive | |
| Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | System hardening through configuration management | Preventive | |
| Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | System hardening through configuration management | Preventive | |
| Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | System hardening through configuration management | Preventive | |
| Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | System hardening through configuration management | Preventive | |
| Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | System hardening through configuration management | Preventive | |
| Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | System hardening through configuration management | Preventive | |
| Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | System hardening through configuration management | Preventive | |
| Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | System hardening through configuration management | Preventive | |
| Store state information from applications and software separately. CC ID 14767 | System hardening through configuration management | Preventive | |
| Configure the "aufs storage" to organizational standards. CC ID 14461 | System hardening through configuration management | Preventive | |
| Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | System hardening through configuration management | Preventive | |
| Configure the "device" argument to organizational standards. CC ID 14536 | System hardening through configuration management | Preventive | |
| Configure the "Docker" group ownership to organizational standards. CC ID 14495 | System hardening through configuration management | Preventive | |
| Configure the "Docker" user ownership to organizational standards. CC ID 14505 | System hardening through configuration management | Preventive | |
| Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | System hardening through configuration management | Preventive | |
| Configure the system to restrict Core dumps to a protected directory. CC ID 01513 | System hardening through configuration management | Preventive | |
| Configure the system to enable Stack protection. CC ID 01514 | System hardening through configuration management | Preventive | |
| Configure the system to restrict NFS client requests to privileged ports. CC ID 01515 | System hardening through configuration management | Preventive | |
| Configure the system to use better TCP Sequence Numbers. CC ID 01516 | System hardening through configuration management | Preventive | |
| Configure the system to a default secure level. CC ID 01519 | System hardening through configuration management | Preventive | |
| Configure the system to block users from viewing un-owned processes. CC ID 01520 | System hardening through configuration management | Preventive | |
| Configure the system to block users from viewing processes in other groups. CC ID 01521 | System hardening through configuration management | Preventive | |
| Add the "nosuid" option to /etc/rmmount.conf. CC ID 01532 | System hardening through configuration management | Preventive | |
| Configure the system to block non-privileged mountd requests. CC ID 01533 | System hardening through configuration management | Preventive | |
| Use host-based or Internet Protocol-based export lists for mountd. CC ID 06887 | System hardening through configuration management | Preventive | |
| Add the "nodev" option to the appropriate partitions in /etc/fstab. CC ID 01534 | System hardening through configuration management | Preventive | |
| Add the "nosuid" option and "nodev" option for removable storage media in the /etc/fstab file. CC ID 01535 | System hardening through configuration management | Preventive | |
| Configure the sticky bit on world-writable directories. CC ID 01540 | System hardening through configuration management | Preventive | |
| Run hp_checkperms. CC ID 01548 | System hardening through configuration management | Preventive | |
| Run fix-modes. CC ID 01549 | System hardening through configuration management | Preventive | |
| Convert the system to "Trusted Mode", if possible. CC ID 01550 | System hardening through configuration management | Preventive | |
| Configure the sadmind service to a higher Security level. CC ID 01551 | System hardening through configuration management | Preventive | |
| Use host-based or Internet Protocol-based export lists for sadmind. CC ID 06886 | System hardening through configuration management | Preventive | |
| Configure all.rhosts files to be readable only by their owners. CC ID 01557 | System hardening through configuration management | Preventive | |
| Set the symlink /etc/hosts.equiv file to /dev/null. CC ID 01558 | System hardening through configuration management | Preventive | |
| Configure the default locking Screen saver timeout to a predetermined time period. CC ID 01570 | System hardening through configuration management | Preventive | |
| Configure the Security Center (Domain PCs only). CC ID 01967 | System hardening through configuration management | Preventive | |
| Configure the system to immediately protect the computer after the Screen saver is activated by setting the time before the Screen saver grace period expires to a predefined amount. CC ID 04276 | System hardening through configuration management | Preventive | |
| Configure the system to require a password before it unlocks the Screen saver software. CC ID 04443 | System hardening through configuration management | Preventive | |
| Enable the safe DLL search mode. CC ID 04273 | System hardening through configuration management | Preventive | |
| Configure the computer to stop generating 8.3 filename formats. CC ID 04274 | System hardening through configuration management | Preventive | |
| Configure the system to use certificate rules for software restriction policies. CC ID 04266 | System hardening through configuration management | Preventive | |
| Configure the "Do not allow drive redirection" setting. CC ID 04316 | System hardening through configuration management | Preventive | |
| Configure the "Turn off the 'Publish to Web' task for files and folders" setting. CC ID 04328 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Internet download for Web publishing and online ordering wizards" setting. CC ID 04329 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Search Companion content file updates" setting. CC ID 04331 | System hardening through configuration management | Preventive | |
| Configure the "Turn off printing over HTTP" setting. CC ID 04332 | System hardening through configuration management | Preventive | |
| Configure the "Turn off downloading of print drivers over HTTP" setting. CC ID 04333 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Update device driver searching" setting. CC ID 04334 | System hardening through configuration management | Preventive | |
| Configure the "Display Error Notification" setting to organizational standards. CC ID 04335 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows error reporting" setting to organizational standards. CC ID 04336 | System hardening through configuration management | Preventive | |
| Configure the "Disable software update shell notifications on program launch" setting. CC ID 04339 | System hardening through configuration management | Preventive | |
| Configure the "Make proxy settings per-machine (rather than per-user)" setting. CC ID 04341 | System hardening through configuration management | Preventive | |
| Configure the "Security Zones: Do not allow users to add/delete sites" setting. CC ID 04342 | System hardening through configuration management | Preventive | |
| Configure the "Security Zones: Do not allow users to change policies" setting. CC ID 04343 | System hardening through configuration management | Preventive | |
| Configure the "Security Zones: Use only machine settings" setting. CC ID 04344 | System hardening through configuration management | Preventive | |
| Configure the "Allow software to run or install even if the signature is invalid" setting. CC ID 04346 | System hardening through configuration management | Preventive | |
| Configure the "internet explorer processes (scripted window security restrictions)" setting. CC ID 04350 | System hardening through configuration management | Preventive | |
| Configure the "internet explorer processes (zone elevation protection)" setting. CC ID 04351 | System hardening through configuration management | Preventive | |
| Configure the "Prevent access to registry editing tools" setting. CC ID 04355 | System hardening through configuration management | Preventive | |
| Configure the "Do not preserve zone information in file attachments" setting. CC ID 04357 | System hardening through configuration management | Preventive | |
| Configure the "Hide mechanisms to remove zone information" setting. CC ID 04358 | System hardening through configuration management | Preventive | |
| Configure the "Notify antivirus programs when opening attachments" setting. CC ID 04359 | System hardening through configuration management | Preventive | |
| Configure the "Configure Outlook Express" setting. CC ID 04360 | System hardening through configuration management | Preventive | |
| Configure the "Disable Changing Automatic Configuration settings" setting. CC ID 04361 | System hardening through configuration management | Preventive | |
| Configure the "Disable changing certificate settings" setting. CC ID 04362 | System hardening through configuration management | Preventive | |
| Configure the "Disable changing connection settings" setting. CC ID 04363 | System hardening through configuration management | Preventive | |
| Configure the "Disable changing proxy settings" setting. CC ID 04364 | System hardening through configuration management | Preventive | |
| Configure the "Turn on the auto-complete feature for user names and passwords on forms" setting. CC ID 04365 | System hardening through configuration management | Preventive | |
| Configure the NetWare bindery contexts. CC ID 04444 | System hardening through configuration management | Preventive | |
| Configure the NetWare console's SECURE.NCF settings. CC ID 04445 | System hardening through configuration management | Preventive | |
| Configure the CPU Hog Timeout setting. CC ID 04446 | System hardening through configuration management | Preventive | |
| Configure the "Check Equivalent to Me" setting. CC ID 04463 | System hardening through configuration management | Preventive | |
| Configure the /etc/sshd_config file. CC ID 04475 | System hardening through configuration management | Preventive | |
| Configure the .Mac preferences. CC ID 04484 | System hardening through configuration management | Preventive | |
| Configure the Fast User Switching setting. CC ID 04485 | System hardening through configuration management | Preventive | |
| Configure the Recent Items List (servers, applications, documents) setting. CC ID 04486 | System hardening through configuration management | Preventive | |
| Configure Apple's Dock preferences. CC ID 04487 | System hardening through configuration management | Preventive | |
| Configure the "ulimit" to organizational standards. CC ID 14499 | System hardening through configuration management | Preventive | |
| Configure the Energy Saver preferences. CC ID 04488 | System hardening through configuration management | Preventive | |
| Configure the local system search preferences to directories that do not contain restricted data or restricted information. CC ID 04492 | System hardening through configuration management | Preventive | |
| Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | System hardening through configuration management | Preventive | |
| Enable or disable the ability of users to perform interactive startups, as appropriate. CC ID 05283 | System hardening through configuration management | Preventive | |
| Set the /etc/passwd file's NIS file inclusions properly. CC ID 05284 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Help Ratings" setting. CC ID 05285 | System hardening through configuration management | Preventive | |
| Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | System hardening through configuration management | Preventive | |
| Configure the "Additional restrictions for anonymous connections" policy properly. CC ID 05287 | System hardening through configuration management | Preventive | |
| Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | System hardening through configuration management | Preventive | |
| Configure the File System Checker and Popups setting. CC ID 05289 | System hardening through configuration management | Preventive | |
| Configure the System File Checker setting. CC ID 05290 | System hardening through configuration management | Preventive | |
| Configure the System File Checker Progress Meter setting. CC ID 05291 | System hardening through configuration management | Preventive | |
| Configure the Protect Kernel object attributes properly. CC ID 05292 | System hardening through configuration management | Preventive | |
| Configure the "Deleted Cached Copies of Roaming Profiles" policy properly. CC ID 05293 | System hardening through configuration management | Preventive | |
| Verify that the X*.hosts file lists all authorized X-clients. CC ID 05294 | System hardening through configuration management | Preventive | |
| Verify all files are owned by an existing account and group. CC ID 05295 | System hardening through configuration management | Preventive | |
| Verify programs executed through the aliases file are owned by an appropriate user or group. CC ID 05296 | System hardening through configuration management | Preventive | |
| Verify programs executed through the aliases file are stored in a directory with an appropriate owner. CC ID 05297 | System hardening through configuration management | Preventive | |
| Verify the at directory is owned by an appropriate user or group. CC ID 05298 | System hardening through configuration management | Preventive | |
| Verify the at.allow file is owned by an appropriate user or group. CC ID 05299 | System hardening through configuration management | Preventive | |
| Verify the at.deny file is owned by an appropriate user or group. CC ID 05300 | System hardening through configuration management | Preventive | |
| Verify the crontab directories are owned by an appropriate user or group. CC ID 05302 | System hardening through configuration management | Preventive | |
| Verify the cron.allow file is owned by an appropriate user or group. CC ID 05303 | System hardening through configuration management | Preventive | |
| Verify the cron.deny file is owned by an appropriate user or group. CC ID 05304 | System hardening through configuration management | Preventive | |
| Verify crontab files are owned by an appropriate user or group. CC ID 05305 | System hardening through configuration management | Preventive | |
| Verify the /etc/resolv.conf file is owned by an appropriate user or group. CC ID 05306 | System hardening through configuration management | Preventive | |
| Verify the /etc/named.boot file is owned by an appropriate user or group. CC ID 05307 | System hardening through configuration management | Preventive | |
| Verify the /etc/named.conf file is owned by an appropriate user or group. CC ID 05308 | System hardening through configuration management | Preventive | |
| Verify the /var/named/chroot/etc/named.conf file is owned by an appropriate user or group. CC ID 05309 | System hardening through configuration management | Preventive | |
| Verify home directories are owned by an appropriate user or group. CC ID 05310 | System hardening through configuration management | Preventive | |
| Verify the inetd.conf file is owned by an appropriate user or group. CC ID 05311 | System hardening through configuration management | Preventive | |
| Verify /etc/exports are owned by an appropriate user or group. CC ID 05312 | System hardening through configuration management | Preventive | |
| Verify exported files and exported directories are owned by an appropriate user or group. CC ID 05313 | System hardening through configuration management | Preventive | |
| Verify the /etc/services file is owned by an appropriate user or group. CC ID 05314 | System hardening through configuration management | Preventive | |
| Verify the /etc/notrouter file is owned by an appropriate user or group. CC ID 05315 | System hardening through configuration management | Preventive | |
| Verify the /etc/samba/smb.conf file is owned by an appropriate user or group. CC ID 05316 | System hardening through configuration management | Preventive | |
| Verify the smbpasswd file and smbpasswd executable are owned by an appropriate user or group. CC ID 05317 | System hardening through configuration management | Preventive | |
| Verify the aliases file is owned by an appropriate user or group. CC ID 05318 | System hardening through configuration management | Preventive | |
| Verify Shell files are owned by an appropriate user or group. CC ID 05320 | System hardening through configuration management | Preventive | |
| Verify the snmpd.conf file is owned by an appropriate user or group. CC ID 05321 | System hardening through configuration management | Preventive | |
| Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | System hardening through configuration management | Preventive | |
| Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | System hardening through configuration management | Preventive | |
| Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | System hardening through configuration management | Preventive | |
| Verify the /etc/shadow file is owned by an appropriate user or group. CC ID 05326 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/audit/config file is owned by an appropriate user or group. CC ID 05327 | System hardening through configuration management | Preventive | |
| Verify the /etc/securit/audit/events file is owned by an appropriate user or group. CC ID 05328 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/audit/objects file is owned by an appropriate user or group. CC ID 05329 | System hardening through configuration management | Preventive | |
| Verify the /usr/lib/trcload file is owned by an appropriate user or group. CC ID 05330 | System hardening through configuration management | Preventive | |
| Verify the /usr/lib/semutil file is owned by an appropriate user or group. CC ID 05331 | System hardening through configuration management | Preventive | |
| Verify system files are owned by an appropriate user or group. CC ID 05332 | System hardening through configuration management | Preventive | |
| Verify the default/skeleton dot files are owned by an appropriate user or group. CC ID 05333 | System hardening through configuration management | Preventive | |
| Verify the global initialization files are owned by an appropriate user or group. CC ID 05334 | System hardening through configuration management | Preventive | |
| Verify the /etc/rc.config.d/auditing file is owned by an appropriate user or group. CC ID 05335 | System hardening through configuration management | Preventive | |
| Verify the /etc/init.d file is owned by an appropriate user or group. CC ID 05336 | System hardening through configuration management | Preventive | |
| Verify the /etc/hosts.lpd file is owned by an appropriate user or group. CC ID 05337 | System hardening through configuration management | Preventive | |
| Verify the /etc/auto.master file is owned by an appropriate user or group. CC ID 05338 | System hardening through configuration management | Preventive | |
| Verify the /etc/auto.misc file is owned by an appropriate user or group. CC ID 05339 | System hardening through configuration management | Preventive | |
| Verify the /etc/auto.net file is owned by an appropriate user or group. CC ID 05340 | System hardening through configuration management | Preventive | |
| Verify the boot/grub/grub.conf file is owned by an appropriate user or group. CC ID 05341 | System hardening through configuration management | Preventive | |
| Verify the /etc/lilo.conf file is owned by an appropriate user or group. CC ID 05342 | System hardening through configuration management | Preventive | |
| Verify the /etc/login.access file is owned by an appropriate user or group. CC ID 05343 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/access.conf file is owned by an appropriate user or group. CC ID 05344 | System hardening through configuration management | Preventive | |
| Verify the /etc/sysctl.conf file is owned by an appropriate user or group. CC ID 05345 | System hardening through configuration management | Preventive | |
| Configure the "secure_redirects" setting to organizational standards. CC ID 09941 | System hardening through configuration management | Preventive | |
| Configure the "icmp_ignore_bogus_error_responses" setting to organizational standards. CC ID 09942 | System hardening through configuration management | Preventive | |
| Configure the "rp_filter" setting to organizational standards. CC ID 09943 | System hardening through configuration management | Preventive | |
| Verify the /etc/securetty file is owned by an appropriate user or group. CC ID 05346 | System hardening through configuration management | Preventive | |
| Verify the /etc/audit/auditd.conf file is owned by an appropriate user or group. CC ID 05347 | System hardening through configuration management | Preventive | |
| Verify the audit.rules file is owned by an appropriate user or group. CC ID 05348 | System hardening through configuration management | Preventive | |
| Verify the /etc/group file is owned by an appropriate user or group. CC ID 05349 | System hardening through configuration management | Preventive | |
| Verify the /etc/gshadow file is owned by an appropriate user or group. CC ID 05350 | System hardening through configuration management | Preventive | |
| Verify the /usr/sbin/userhelper file is owned by an appropriate user or group. CC ID 05351 | System hardening through configuration management | Preventive | |
| Verify all syslog log files are owned by an appropriate user or group. CC ID 05352 | System hardening through configuration management | Preventive | |
| Verify the /etc/anacrontab file is owned by an appropriate user or group. CC ID 05353 | System hardening through configuration management | Preventive | |
| Verify the /etc/pki/tls/ldap file is owned by an appropriate user or group. CC ID 05354 | System hardening through configuration management | Preventive | |
| Verify the /etc/pki/tls/ldap/serverkey.pem file is owned by an appropriate user or group. CC ID 05355 | System hardening through configuration management | Preventive | |
| Verify the /etc/pki/tls/CA/cacert.pem file is owned by an appropriate user or group. CC ID 05356 | System hardening through configuration management | Preventive | |
| Verify the /etc/pki/tls/ldap/servercert.pem file is owned by an appropriate user or group. CC ID 05357 | System hardening through configuration management | Preventive | |
| Verify the var/lib/ldap/* files are owned by an appropriate user or group. CC ID 05358 | System hardening through configuration management | Preventive | |
| Verify the /etc/httpd/conf/* files are owned by an appropriate user or group. CC ID 05359 | System hardening through configuration management | Preventive | |
| Verify the /etc/auto_* file is owned by an appropriate user. CC ID 05360 | System hardening through configuration management | Preventive | |
| Verify the /etc/rmmount.conf file is owned by an appropriate user or group. CC ID 05361 | System hardening through configuration management | Preventive | |
| Verify the /var/log/pamlog log is owned by an appropriate user or group. CC ID 05362 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/audit_control file is owned by an appropriate user or group. CC ID 05363 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/audit_class file is owned by an appropriate user or group. CC ID 05364 | System hardening through configuration management | Preventive | |
| Verify the /etc/security/audit_event file is owned by an appropriate user or group. CC ID 05365 | System hardening through configuration management | Preventive | |
| Verify the ASET userlist file is owned by an appropriate user or group. CC ID 05366 | System hardening through configuration management | Preventive | |
| Verify the /var directory is owned by an appropriate user. CC ID 05367 | System hardening through configuration management | Preventive | |
| Verify the /var/log directory is owned by an appropriate user. CC ID 05368 | System hardening through configuration management | Preventive | |
| Verify the /var/adm directory is owned by an appropriate user. CC ID 05369 | System hardening through configuration management | Preventive | |
| Restrict the debug level daemon logging file owner and daemon debug group owner. CC ID 05370 | System hardening through configuration management | Preventive | |
| Restrict the Cron log file owner and Cron group owner. CC ID 05371 | System hardening through configuration management | Preventive | |
| Restrict the system accounting file owner and system accounting group owner. CC ID 05372 | System hardening through configuration management | Preventive | |
| Restrict audit log file ownership and audit group ownership. CC ID 05373 | System hardening through configuration management | Preventive | |
| Set the X server timeout properly. CC ID 05374 | System hardening through configuration management | Preventive | |
| Configure each user's authentication mechanism (system attribute) properly. CC ID 05375 | System hardening through configuration management | Preventive | |
| Enable or disable SeLinux, as appropriate. CC ID 05376 | System hardening through configuration management | Preventive | |
| Set the SELinux state properly. CC ID 05377 | System hardening through configuration management | Preventive | |
| Set the SELinux policy properly. CC ID 05378 | System hardening through configuration management | Preventive | |
| Configure Dovecot properly. CC ID 05379 | System hardening through configuration management | Preventive | |
| Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | System hardening through configuration management | Preventive | |
| Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | System hardening through configuration management | Preventive | |
| Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Event Views 'Events.asp' Links" setting. CC ID 05385 | System hardening through configuration management | Preventive | |
| Configure "Turn Off Handwriting Recognition Error Reporting" to organizational standards. CC ID 05386 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Help and Support Center 'Did You Know?' content" setting. CC ID 05387 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Help and Support Center Microsoft Knowledge Base Search" setting. CC ID 05388 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | System hardening through configuration management | Preventive | |
| Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | System hardening through configuration management | Preventive | |
| Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | System hardening through configuration management | Preventive | |
| Configure the "Allow only Vista or later connections" setting. CC ID 05396 | System hardening through configuration management | Preventive | |
| Configure the "Turn on bandwidth optimization" setting. CC ID 05397 | System hardening through configuration management | Preventive | |
| Configure the "Prevent IIS Installation" setting. CC ID 05398 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Active Help" setting. CC ID 05399 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Untrusted Content" setting. CC ID 05400 | System hardening through configuration management | Preventive | |
| Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | System hardening through configuration management | Preventive | |
| Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | System hardening through configuration management | Preventive | |
| Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Calendar" setting. CC ID 05404 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Defender" setting. CC ID 05405 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Heap termination on corruption" setting to organizational standards. CC ID 05406 | System hardening through configuration management | Preventive | |
| Configure the "Turn off shell protocol protected mode" setting to organizational standards. CC ID 05407 | System hardening through configuration management | Preventive | |
| Configure the "Prohibit non-administrators from applying vendor signed updates" setting. CC ID 05408 | System hardening through configuration management | Preventive | |
| Configure the "Report when logon server was not available during user logon" setting. CC ID 05409 | System hardening through configuration management | Preventive | |
| Configure the "Turn off the communication features" setting. CC ID 05410 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Mail application" setting. CC ID 05411 | System hardening through configuration management | Preventive | |
| Configure the "Prevent Windows Media DRM Internet Access" setting. CC ID 05412 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | System hardening through configuration management | Preventive | |
| Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | System hardening through configuration management | Preventive | |
| Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | System hardening through configuration management | Preventive | |
| Configure the "Override the More Gadgets Link" setting. CC ID 05416 | System hardening through configuration management | Preventive | |
| Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | System hardening through configuration management | Preventive | |
| Configure the "Do not allow Digital Locker to run" setting. CC ID 05418 | System hardening through configuration management | Preventive | |
| Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | System hardening through configuration management | Preventive | |
| Configure "Turn on Responder (RSPNDR) driver" to organizational standards. CC ID 05420 | System hardening through configuration management | Preventive | |
| Verify ExecShield has been randomly placed in Virtual Memory regions. CC ID 05436 | System hardening through configuration management | Preventive | |
| Enable the ExecShield, as appropriate. CC ID 05421 | System hardening through configuration management | Preventive | |
| Configure Kernel support for the XD/NX processor feature, as appropriate. CC ID 05422 | System hardening through configuration management | Preventive | |
| Configure the XD/NX processor feature in the BIOS, as appropriate. CC ID 05423 | System hardening through configuration management | Preventive | |
| Configure the Shell for the bin account properly. CC ID 05424 | System hardening through configuration management | Preventive | |
| Configure the Shell for the nuucp account properly. CC ID 05425 | System hardening through configuration management | Preventive | |
| Configure the Shell for the smmsp account properly. CC ID 05426 | System hardening through configuration management | Preventive | |
| Configure the Shell for the listen account properly. CC ID 05427 | System hardening through configuration management | Preventive | |
| Configure the Shell for the gdm account properly. CC ID 05428 | System hardening through configuration management | Preventive | |
| Configure the Shell for the webservd account properly. CC ID 05429 | System hardening through configuration management | Preventive | |
| Configure the Shell for the nobody account properly. CC ID 05430 | System hardening through configuration management | Preventive | |
| Configure the Shell for the noaccess account properly. CC ID 05431 | System hardening through configuration management | Preventive | |
| Configure the Shell for the nobody4 account properly. CC ID 05432 | System hardening through configuration management | Preventive | |
| Configure the Shell for the adm account properly. CC ID 05433 | System hardening through configuration management | Preventive | |
| Configure the Shell for the lp account properly. CC ID 05434 | System hardening through configuration management | Preventive | |
| Configure the Shell for the uucp account properly. CC ID 05435 | System hardening through configuration management | Preventive | |
| Set the noexec_user_stack parameter properly. CC ID 05437 | System hardening through configuration management | Preventive | |
| Set the no_exec_user_stack_log parameter properly. CC ID 05438 | System hardening through configuration management | Preventive | |
| Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | System hardening through configuration management | Preventive | |
| Set the TCP max connection limit properly. CC ID 05440 | System hardening through configuration management | Preventive | |
| Set the TCP abort interval properly. CC ID 05441 | System hardening through configuration management | Preventive | |
| Enable or disable the GNOME screenlock, as appropriate. CC ID 05442 | System hardening through configuration management | Preventive | |
| Set the ARP cache cleanup interval properly. CC ID 05443 | System hardening through configuration management | Preventive | |
| Set the ARP IRE scan rate properly. CC ID 05444 | System hardening through configuration management | Preventive | |
| Disable The "proxy ARP" configurable item on all interfaces. CC ID 06570 | System hardening through configuration management | Preventive | |
| Set the FileSpaceSwitch variable to an appropriate value. CC ID 05445 | System hardening through configuration management | Preventive | |
| Set the wakeup switchpoint frequency to an appropriate time interval. CC ID 05446 | System hardening through configuration management | Preventive | |
| Enable or disable the setuid option on removable storage media, as appropriate. CC ID 05447 | System hardening through configuration management | Preventive | |
| Configure TCP/IP PMTU Discovery, as appropriate. CC ID 05991 | System hardening through configuration management | Preventive | |
| Configure Secure Shell to enable or disable empty passwords, as appropriate. CC ID 06016 | System hardening through configuration management | Preventive | |
| Configure each user's Screen Saver Executable Name. CC ID 06027 | System hardening through configuration management | Preventive | |
| Configure the NIS+ server to operate at an appropriate security level. CC ID 06038 | System hardening through configuration management | Preventive | |
| Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | System hardening through configuration management | Preventive | |
| Configure the "Block saving of Open XML file types" setting, as appropriate. CC ID 06048 | System hardening through configuration management | Preventive | |
| Enable or disable user-initiated system crashes via the CTRL+SCROLL LOCK+SCROLL LOCK sequence for keyboards. CC ID 06051 | System hardening through configuration management | Preventive | |
| Configure the "Syskey mode" to organizational standards. CC ID 06052 | System hardening through configuration management | Preventive | |
| Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | System hardening through configuration management | Preventive | |
| Configure the "Allow Remote Shell Access" setting, as appropriate. CC ID 06057 | System hardening through configuration management | Preventive | |
| Configure the "Prevent the computer from joining a homegroup" setting, as appropriate. CC ID 06058 | System hardening through configuration management | Preventive | |
| Enable or disable the authenticator requirement after waking, as appropriate. CC ID 06059 | System hardening through configuration management | Preventive | |
| Enable or disable the standby states, as appropriate. CC ID 06060 | System hardening through configuration management | Preventive | |
| Configure the Trusted Platform Module startup options properly. CC ID 06061 | System hardening through configuration management | Preventive | |
| Configure the system to purge Policy Caches. CC ID 06569 | System hardening through configuration management | Preventive | |
| Separate authenticator files and application system data on different file systems. CC ID 06790 | System hardening through configuration management | Preventive | |
| Configure Application Programming Interfaces to limit or shut down interactivity based upon a rate limit. CC ID 06811 | System hardening through configuration management | Preventive | |
| Configure the "Executable stack" setting to organizational standards. CC ID 08969 | System hardening through configuration management | Preventive | |
| Configure the "smbpasswd executable" user ownership to organizational standards. CC ID 08975 | System hardening through configuration management | Preventive | |
| Configure the "traceroute executable" group ownership to organizational standards. CC ID 08980 | System hardening through configuration management | Preventive | |
| Configure the "traceroute executable" user ownership to organizational standards. CC ID 08981 | System hardening through configuration management | Preventive | |
| Configure the "Apache configuration" directory group ownership to organizational standards. CC ID 08991 | System hardening through configuration management | Preventive | |
| Configure the "Apache configuration" directory user ownership to organizational standards. CC ID 08992 | System hardening through configuration management | Preventive | |
| Configure the "/var/log/httpd/" file group ownership to organizational standards. CC ID 09027 | System hardening through configuration management | Preventive | |
| Configure the "/etc/httpd/conf.d" file group ownership to organizational standards. CC ID 09028 | System hardening through configuration management | Preventive | |
| Configure the "/etc/httpd/conf/passwd" file group ownership to organizational standards. CC ID 09029 | System hardening through configuration management | Preventive | |
| Configure the "/usr/sbin/apachectl" file group ownership to organizational standards. CC ID 09030 | System hardening through configuration management | Preventive | |
| Configure the "/usr/sbin/httpd" file group ownership to organizational standards. CC ID 09031 | System hardening through configuration management | Preventive | |
| Configure the "/var/www/html" file group ownership to organizational standards. CC ID 09032 | System hardening through configuration management | Preventive | |
| Configure the "log files" the "/var/log/httpd/" directory user ownership to organizational standards. CC ID 09034 | System hardening through configuration management | Preventive | |
| Configure the "/etc/httpd/conf.d" file ownership to organizational standards. CC ID 09035 | System hardening through configuration management | Preventive | |
| Configure the "/etc/httpd/conf/passwd" file ownership to organizational standards. CC ID 09036 | System hardening through configuration management | Preventive | |
| Configure the "/usr/sbin/apachectl" file ownership to organizational standards. CC ID 09037 | System hardening through configuration management | Preventive | |
| Configure the "/usr/sbin/httpd" file ownership to organizational standards. CC ID 09038 | System hardening through configuration management | Preventive | |
| Configure the "/var/www/html" file ownership to organizational standards. CC ID 09039 | System hardening through configuration management | Preventive | |
| Configure the "httpd.conf" file user ownership to organizational standards. CC ID 09055 | System hardening through configuration management | Preventive | |
| Configure the "httpd.conf" group ownership to organizational standards. CC ID 09056 | System hardening through configuration management | Preventive | |
| Configure the "htpasswd" file user ownership to organizational standards. CC ID 09058 | System hardening through configuration management | Preventive | |
| Configure the "htpasswd" file group ownership to organizational standards. CC ID 09059 | System hardening through configuration management | Preventive | |
| Configure the "files specified by CustomLog" user ownership to organizational standards. CC ID 09074 | System hardening through configuration management | Preventive | |
| Configure the "files specified by CustomLog" group ownership to organizational standards. CC ID 09075 | System hardening through configuration management | Preventive | |
| Configure the "files specified by ErrorLog" user ownership to organizational standards. CC ID 09076 | System hardening through configuration management | Preventive | |
| Configure the "files specified by ErrorLog" group ownership to organizational standards. CC ID 09077 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ScriptAlias" user ownership to organizational standards. CC ID 09079 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ScriptAlias" group ownership to organizational standards. CC ID 09080 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ScriptAliasMatch" user ownership to organizational standards. CC ID 09082 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ScriptAliasMatch" group ownership to organizational standards. CC ID 09083 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by DocumentRoot" user ownership to organizational standards. CC ID 09085 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by DocumentRoot" group ownership to organizational standards. CC ID 09086 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by Alias" user ownership to organizational standards. CC ID 09088 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by Alias" group ownership to organizational standards. CC ID 09089 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ServerRoot" user ownership to organizational standards. CC ID 09091 | System hardening through configuration management | Preventive | |
| Configure the "directories specified by ServerRoot" group ownership to organizational standards. CC ID 09092 | System hardening through configuration management | Preventive | |
| Configure the "apache /bin" directory user ownership to organizational standards. CC ID 09094 | System hardening through configuration management | Preventive | |
| Configure the "apache /bin" directory group ownership to organizational standards. CC ID 09095 | System hardening through configuration management | Preventive | |
| Configure the "apache /logs" directory user ownership to organizational standards. CC ID 09097 | System hardening through configuration management | Preventive | |
| Configure the "apache /logs" directory group ownership to organizational standards. CC ID 09098 | System hardening through configuration management | Preventive | |
| Configure the "apache /htdocs" directory user ownership to organizational standards. CC ID 09100 | System hardening through configuration management | Preventive | |
| Configure the "apache /htdocs" directory group ownership to organizational standards. CC ID 09101 | System hardening through configuration management | Preventive | |
| Configure the "apache /cgi-bin" directory group ownership to organizational standards. CC ID 09104 | System hardening through configuration management | Preventive | |
| Configure the "User-specific directories" setting to organizational standards. CC ID 09123 | System hardening through configuration management | Preventive | |
| Configure the "apache process ID" file user ownership to organizational standards. CC ID 09125 | System hardening through configuration management | Preventive | |
| Configure the "apache process ID" file group ownership to organizational standards. CC ID 09126 | System hardening through configuration management | Preventive | |
| Configure the "apache scoreboard" file user ownership to organizational standards. CC ID 09128 | System hardening through configuration management | Preventive | |
| Configure the "apache scoreboard" file group ownership to organizational standards. CC ID 09129 | System hardening through configuration management | Preventive | |
| Configure the "Ownership of the asymmetric keys" setting to organizational standards. CC ID 09289 | System hardening through configuration management | Preventive | |
| Configure the "SQLServer2005ReportServerUser" registry key permissions to organizational standards. CC ID 09326 | System hardening through configuration management | Preventive | |
| Configure the "SQLServerADHelperUser" registry key permissions to organizational standards. CC ID 09329 | System hardening through configuration management | Preventive | |
| Configure the "Tomcat home" directory user ownership to organizational standards. CC ID 09772 | System hardening through configuration management | Preventive | |
| Configure the "group" setting for the "Tomcat installation" to organizational standards. CC ID 09773 | System hardening through configuration management | Preventive | |
| Configure the "tomcat conf/" directory user ownership to organizational standards. CC ID 09774 | System hardening through configuration management | Preventive | |
| Configure the "tomcat conf/" directory group ownership to organizational standards. CC ID 09775 | System hardening through configuration management | Preventive | |
| Configure the "tomcat-users.xml" file user ownership to organizational standards. CC ID 09776 | System hardening through configuration management | Preventive | |
| Configure the "tomcat-users.xml" file group ownership to organizational standards. CC ID 09777 | System hardening through configuration management | Preventive | |
| Configure the "group membership" setting for "Tomcat" to organizational standards. CC ID 09793 | System hardening through configuration management | Preventive | |
| Configure the "Tomcat home" directory group ownership to organizational standards. CC ID 09798 | System hardening through configuration management | Preventive | |
| Configure the "Tomcat home/conf/" directory user ownership to organizational standards. CC ID 09800 | System hardening through configuration management | Preventive | |
| Configure the "Tomcat home/conf/" directory group ownership to organizational standards. CC ID 09801 | System hardening through configuration management | Preventive | |
| Configure the "system" files permissions to organizational standards. CC ID 09922 | System hardening through configuration management | Preventive | |
| Configure the "size limit" setting for the "application log" to organizational standards. CC ID 10063 | System hardening through configuration management | Preventive | |
| Configure the "restrict guest access to security log" setting to organizational standards. CC ID 10064 | System hardening through configuration management | Preventive | |
| Configure the "size limit" setting for the "system log" to organizational standards. CC ID 10065 | System hardening through configuration management | Preventive | |
| Configure the "Automatic Update service" setting to organizational standards. CC ID 10066 | System hardening through configuration management | Preventive | |
| Configure the "Safe DLL Search Mode" setting to organizational standards. CC ID 10067 | System hardening through configuration management | Preventive | |
| Configure the "screensaver" setting to organizational standards. CC ID 10068 | System hardening through configuration management | Preventive | |
| Configure the "screensaver" setting for the "default" user to organizational standards. CC ID 10069 | System hardening through configuration management | Preventive | |
| Configure the "Enable User Control Over Installs" setting to organizational standards. CC ID 10070 | System hardening through configuration management | Preventive | |
| Configure the "Enable User to Browser for Source While Elevated" setting to organizational standards. CC ID 10071 | System hardening through configuration management | Preventive | |
| Configure the "Enable User to Use Media Source While Elevated" setting to organizational standards. CC ID 10072 | System hardening through configuration management | Preventive | |
| Configure the "Allow Administrator to Install from Terminal Services Session" setting to organizational standards. CC ID 10073 | System hardening through configuration management | Preventive | |
| Configure the "Enable User to Patch Elevated Products" setting to organizational standards. CC ID 10074 | System hardening through configuration management | Preventive | |
| Configure the "Cache Transforms in Secure Location" setting to organizational standards. CC ID 10075 | System hardening through configuration management | Preventive | |
| Configure the "Disable Media Player for automatic updates" setting to organizational standards. CC ID 10076 | System hardening through configuration management | Preventive | |
| Configure the "Internet access for Windows Messenger" setting to organizational standards. CC ID 10077 | System hardening through configuration management | Preventive | |
| Configure the "Do Not Automatically Start Windows Messenger" setting to organizational standards. CC ID 10078 | System hardening through configuration management | Preventive | |
| Configure the "Hide Property Pages" setting for the "task scheduler" to organizational standards. CC ID 10079 | System hardening through configuration management | Preventive | |
| Configure the "Prohibit New Task Creation" setting for the "task scheduler" to organizational standards. CC ID 10080 | System hardening through configuration management | Preventive | |
| Configure "Set time limit for disconnected sessions" to organizational standards. CC ID 10081 | System hardening through configuration management | Preventive | |
| Configure the "Set time limit for idle sessions" setting to organizational standards. CC ID 10082 | System hardening through configuration management | Preventive | |
| Configure the "Enable Keep-Alive Messages" setting to organizational standards. CC ID 10083 | System hardening through configuration management | Preventive | |
| Configure the "Automatic Updates detection frequency" setting to organizational standards. CC ID 10084 | System hardening through configuration management | Preventive | |
| Configure the "TCPMaxPortsExhausted" setting to organizational standards. CC ID 10085 | System hardening through configuration management | Preventive | |
| Configure the "built-in Administrator" account to organizational standards. CC ID 10086 | System hardening through configuration management | Preventive | |
| Configure the "Prevent System Maintenance of Computer Account Password" setting to organizational standards. CC ID 10087 | System hardening through configuration management | Preventive | |
| Configure the "Digitally Sign Client Communication (When Possible)" setting to organizational standards. CC ID 10088 | System hardening through configuration management | Preventive | |
| Configure the "number of SYN-ACK retransmissions sent when attempting to respond to a SYN request" setting to organizational standards. CC ID 10089 | System hardening through configuration management | Preventive | |
| Configure the "warning level" setting for the "audit log" to organizational standards. CC ID 10090 | System hardening through configuration management | Preventive | |
| Configure the "Change Password" setting for the "Ctrl+Alt+Del dialog" to organizational standards. CC ID 10091 | System hardening through configuration management | Preventive | |
| Configure the "account description" setting for the "built-in Administrator" account to organizational standards. CC ID 10092 | System hardening through configuration management | Preventive | |
| Configure the "Decoy Admin Account Not Disabled" setting to organizational standards. CC ID 10201 | System hardening through configuration management | Preventive | |
| Configure the "when maximum log size is reached" setting for the "Application log" to organizational standards. CC ID 10202 | System hardening through configuration management | Preventive | |
| Configure the "password filtering DLL" setting to organizational standards. CC ID 10203 | System hardening through configuration management | Preventive | |
| Configure the "Anonymous access to the registry" setting to organizational standards. CC ID 10204 | System hardening through configuration management | Preventive | |
| Configure the "Automatic Execution" setting for the "System Debugger" to organizational standards. CC ID 10205 | System hardening through configuration management | Preventive | |
| Configure the "CD-ROM Autorun" setting to organizational standards. CC ID 10206 | System hardening through configuration management | Preventive | |
| Configure the "ResetBrowser Frames" setting to organizational standards. CC ID 10207 | System hardening through configuration management | Preventive | |
| Configure the "Dr. Watson Crash Dumps" setting to organizational standards. CC ID 10208 | System hardening through configuration management | Preventive | |
| Configure the "File System Checker and Popups" setting to organizational standards. CC ID 10209 | System hardening through configuration management | Preventive | |
| Configure the "System File Checker" setting to organizational standards. CC ID 10210 | System hardening through configuration management | Preventive | |
| Configure the "System File Checker Progress Meter" setting to organizational standards. CC ID 10211 | System hardening through configuration management | Preventive | |
| Configure the "number of TCP/IP Maximum Half-open Sockets" setting to organizational standards. CC ID 10212 | System hardening through configuration management | Preventive | |
| Configure the "number of TCP/IP Maximum Retried Half-open Sockets" setting to organizational standards. CC ID 10213 | System hardening through configuration management | Preventive | |
| Configure the "Protect Kernel object attributes" setting to organizational standards. CC ID 10214 | System hardening through configuration management | Preventive | |
| Configure the "Unsigned Non-Driver Installation Behavior" setting to organizational standards. CC ID 10215 | System hardening through configuration management | Preventive | |
| Configure the "Automatically Log Off Users When Logon Time Expires (local)" setting to organizational standards. CC ID 10216 | System hardening through configuration management | Preventive | |
| Configure the "Local volumes" setting to organizational standards. CC ID 10217 | System hardening through configuration management | Preventive | |
| Configure the "Unused USB Ports" setting to organizational standards. CC ID 10218 | System hardening through configuration management | Preventive | |
| Configure the "Set Safe for Scripting" setting to organizational standards. CC ID 10219 | System hardening through configuration management | Preventive | |
| Configure the "Use of the Recycle Bin on file deletion" setting to organizational standards. CC ID 10220 | System hardening through configuration management | Preventive | |
| Configure the "Membership in the Power Users group" setting to organizational standards. CC ID 10224 | System hardening through configuration management | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "security log" to organizational standards. CC ID 10225 | System hardening through configuration management | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "application log" to organizational standards. CC ID 10226 | System hardening through configuration management | Preventive | |
| Configure the "AutoBackupLogFiles" setting for the "system log" to organizational standards. CC ID 10227 | System hardening through configuration management | Preventive | |
| Configure the "Syskey Encryption Key location and password method" setting to organizational standards. CC ID 10228 | System hardening through configuration management | Preventive | |
| Configure the "Os2LibPath environmental variable" setting to organizational standards. CC ID 10229 | System hardening through configuration management | Preventive | |
| Configure the "path to the Microsoft OS/2 version 1.x library" setting to organizational standards. CC ID 10230 | System hardening through configuration management | Preventive | |
| Configure the "location of the OS/2 subsystem" setting to organizational standards. CC ID 10231 | System hardening through configuration management | Preventive | |
| Configure the "location of the POSIX subsystem" setting to organizational standards. CC ID 10232 | System hardening through configuration management | Preventive | |
| Configure the "path to the debugger used for Just-In-Time debugging" setting to organizational standards. CC ID 10234 | System hardening through configuration management | Preventive | |
| Configure the "Distributed Component Object Model (DCOM)" setting to organizational standards. CC ID 10235 | System hardening through configuration management | Preventive | |
| Configure the "The "encryption algorithm" setting for "EFS"" setting to organizational standards. CC ID 10236 | System hardening through configuration management | Preventive | |
| Configure the "Interix Subsystem Startup service startup type" setting to organizational standards. CC ID 10238 | System hardening through configuration management | Preventive | |
| Configure the "Services for Unix Perl Socket service startup type" setting to organizational standards. CC ID 10247 | System hardening through configuration management | Preventive | |
| Configure the "Services for Unix Windows Cron service startup type" setting to organizational standards. CC ID 10248 | System hardening through configuration management | Preventive | |
| Configure the "fDisableCdm" setting to organizational standards. CC ID 10259 | System hardening through configuration management | Preventive | |
| Configure the "fDisableClip" setting to organizational standards. CC ID 10260 | System hardening through configuration management | Preventive | |
| Configure the "Inheritance of the shadow setting" setting to organizational standards. CC ID 10261 | System hardening through configuration management | Preventive | |
| Configure the "remote control configuration" setting to organizational standards. CC ID 10262 | System hardening through configuration management | Preventive | |
| Configure the "fDisableCam" setting to organizational standards. CC ID 10263 | System hardening through configuration management | Preventive | |
| Configure the "fDisableCcm" setting to organizational standards. CC ID 10264 | System hardening through configuration management | Preventive | |
| Configure the "fDisableLPT" setting to organizational standards. CC ID 10265 | System hardening through configuration management | Preventive | |
| Configure the "ActiveX installation policy for sites in Trusted zones" setting to organizational standards. CC ID 10691 | System hardening through configuration management | Preventive | |
| Configure the "Add the Administrators security group to roaming user profiles" setting to organizational standards. CC ID 10694 | System hardening through configuration management | Preventive | |
| Configure the "Administratively assigned offline files" setting to organizational standards. CC ID 10695 | System hardening through configuration management | Preventive | |
| Configure the "Apply policy to removable media" setting to organizational standards. CC ID 10756 | System hardening through configuration management | Preventive | |
| Configure the "Baseline file cache maximum size" setting to organizational standards. CC ID 10763 | System hardening through configuration management | Preventive | |
| Configure the "Check for New Signatures Before Scheduled Scans" setting to organizational standards. CC ID 10770 | System hardening through configuration management | Preventive | |
| Configure the "Check published state" setting to organizational standards. CC ID 10771 | System hardening through configuration management | Preventive | |
| Configure the "Communities" setting to organizational standards. CC ID 10772 | System hardening through configuration management | Preventive | |
| Configure the "Computer location" setting to organizational standards. CC ID 10773 | System hardening through configuration management | Preventive | |
| Configure the "Background Sync" setting to organizational standards. CC ID 10775 | System hardening through configuration management | Preventive | |
| Configure the "Corporate Windows Error Reporting" setting to organizational standards. CC ID 10777 | System hardening through configuration management | Preventive | |
| Configure the "Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10778 | System hardening through configuration management | Preventive | |
| Configure the "Default consent" setting to organizational standards. CC ID 10780 | System hardening through configuration management | Preventive | |
| Configure the "list of IEEE 1667 silos usable on your computer" setting to organizational standards. CC ID 10792 | System hardening through configuration management | Preventive | |
| Configure the "Microsoft SpyNet Reporting" setting to organizational standards. CC ID 10794 | System hardening through configuration management | Preventive | |
| Configure the "MSI Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10795 | System hardening through configuration management | Preventive | |
| Configure the "Reliability WMI Providers" setting to organizational standards. CC ID 10804 | System hardening through configuration management | Preventive | |
| Configure the "Report Archive" setting to organizational standards. CC ID 10805 | System hardening through configuration management | Preventive | |
| Configure the "Report Queue" setting to organizational standards. CC ID 10806 | System hardening through configuration management | Preventive | |
| Configure the "root certificate clean up" setting to organizational standards. CC ID 10807 | System hardening through configuration management | Preventive | |
| Configure the "Security Policy for Scripted Diagnostics" setting to organizational standards. CC ID 10816 | System hardening through configuration management | Preventive | |
| Configure the "list of blocked TPM commands" setting to organizational standards. CC ID 10822 | System hardening through configuration management | Preventive | |
| Configure the "refresh interval for Server Manager" setting to organizational standards. CC ID 10823 | System hardening through configuration management | Preventive | |
| Configure the "server address, refresh interval, and issuer certificate authority of a target Subscription Manager" setting to organizational standards. CC ID 10824 | System hardening through configuration management | Preventive | |
| Configure the "Customize consent settings" setting to organizational standards. CC ID 10837 | System hardening through configuration management | Preventive | |
| Configure the "Default behavior for AutoRun" setting to organizational standards. CC ID 10839 | System hardening through configuration management | Preventive | |
| Configure the "Define Activation Security Check exemptions" setting to organizational standards. CC ID 10841 | System hardening through configuration management | Preventive | |
| Configure the "Define host name-to-Kerberos realm mappings" setting to organizational standards. CC ID 10842 | System hardening through configuration management | Preventive | |
| Configure the "Define interoperable Kerberos V5 realm settings" setting to organizational standards. CC ID 10843 | System hardening through configuration management | Preventive | |
| Configure the "Delay Restart for scheduled installations" setting to organizational standards. CC ID 10844 | System hardening through configuration management | Preventive | |
| Configure the "Delete cached copies of roaming profiles" setting to organizational standards. CC ID 10845 | System hardening through configuration management | Preventive | |
| Configure the "Delete user profiles older than a specified number of days on system restart" setting to organizational standards. CC ID 10847 | System hardening through configuration management | Preventive | |
| Configure the "Diagnostics: Configure scenario retention" setting to organizational standards. CC ID 10857 | System hardening through configuration management | Preventive | |
| Configure the "Directory pruning interval" setting to organizational standards. CC ID 10858 | System hardening through configuration management | Preventive | |
| Configure the "Directory pruning priority" setting to organizational standards. CC ID 10859 | System hardening through configuration management | Preventive | |
| Configure the "Directory pruning retry" setting to organizational standards. CC ID 10860 | System hardening through configuration management | Preventive | |
| Configure the "Disk Diagnostic: Configure custom alert text" setting to organizational standards. CC ID 10882 | System hardening through configuration management | Preventive | |
| Configure the "Display Shutdown Event Tracker" setting to organizational standards. CC ID 10888 | System hardening through configuration management | Preventive | |
| Configure the "Display string when smart card is blocked" setting to organizational standards. CC ID 10889 | System hardening through configuration management | Preventive | |
| Configure the "Do not automatically encrypt files moved to encrypted folders" setting to organizational standards. CC ID 10924 | System hardening through configuration management | Preventive | |
| Configure the "Do not check for user ownership of Roaming Profile Folders" setting to organizational standards. CC ID 10925 | System hardening through configuration management | Preventive | |
| Configure the "Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names" setting to organizational standards. CC ID 10932 | System hardening through configuration management | Preventive | |
| Configure the "Do not send additional data" machine setting should be configured correctly. to organizational standards. CC ID 10934 | System hardening through configuration management | Preventive | |
| Configure the "Domain Controller Address Type Returned" setting to organizational standards. CC ID 10939 | System hardening through configuration management | Preventive | |
| Configure the "Domain Location Determination URL" setting to organizational standards. CC ID 10940 | System hardening through configuration management | Preventive | |
| Configure the "Don't set the always do this checkbox" setting to organizational standards. CC ID 10941 | System hardening through configuration management | Preventive | |
| Configure the "Download missing COM components" setting to organizational standards. CC ID 10942 | System hardening through configuration management | Preventive | |
| Configure the "Dynamic Update" setting to organizational standards. CC ID 10944 | System hardening through configuration management | Preventive | |
| Configure the "Enable client-side targeting" setting to organizational standards. CC ID 10946 | System hardening through configuration management | Preventive | |
| Configure the "Enable NTFS pagefile encryption" setting to organizational standards. CC ID 10948 | System hardening through configuration management | Preventive | |
| Configure the "Enable Persistent Time Stamp" setting to organizational standards. CC ID 10949 | System hardening through configuration management | Preventive | |
| Configure the "Enable Transparent Caching" setting to organizational standards. CC ID 10950 | System hardening through configuration management | Preventive | |
| Configure the "Enable Windows NTP Client" setting to organizational standards. CC ID 10951 | System hardening through configuration management | Preventive | |
| Configure the "Enable Windows NTP Server" setting to organizational standards. CC ID 10952 | System hardening through configuration management | Preventive | |
| Configure the "Encrypt the Offline Files cache" setting to organizational standards. CC ID 10955 | System hardening through configuration management | Preventive | |
| Configure the "Enforce upgrade component rules" setting to organizational standards. CC ID 10958 | System hardening through configuration management | Preventive | |
| Configure the "Events.asp program" setting to organizational standards. CC ID 10959 | System hardening through configuration management | Preventive | |
| Configure the "Events.asp program command line parameters" setting to organizational standards. CC ID 10960 | System hardening through configuration management | Preventive | |
| Configure the "Events.asp URL" setting to organizational standards. CC ID 10961 | System hardening through configuration management | Preventive | |
| Configure the "Exclude credential providers" setting to organizational standards. CC ID 10962 | System hardening through configuration management | Preventive | |
| Configure the "Exclude files from being cached" setting to organizational standards. CC ID 10963 | System hardening through configuration management | Preventive | |
| Configure the "Final DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10968 | System hardening through configuration management | Preventive | |
| Configure the "For tablet pen input, don't show the Input Panel icon" setting to organizational standards. CC ID 10973 | System hardening through configuration management | Preventive | |
| Configure the "For touch input, don't show the Input Panel icon" setting to organizational standards. CC ID 10974 | System hardening through configuration management | Preventive | |
| Configure the "Force Rediscovery Interval" setting to organizational standards. CC ID 10975 | System hardening through configuration management | Preventive | |
| Configure the "Force selected system UI language to overwrite the user UI language" setting to organizational standards. CC ID 10976 | System hardening through configuration management | Preventive | |
| Configure the "Force the reading of all certificates from the smart card" setting to organizational standards. CC ID 10977 | System hardening through configuration management | Preventive | |
| Configure the "ForwarderResourceUsage" setting to organizational standards. CC ID 10978 | System hardening through configuration management | Preventive | |
| Configure the "Global Configuration Settings" setting to organizational standards. CC ID 10979 | System hardening through configuration management | Preventive | |
| Configure the "Hash Publication for BranchCache" setting to organizational standards. CC ID 10986 | System hardening through configuration management | Preventive | |
| Configure the "Hide entry points for Fast User Switching" setting to organizational standards. CC ID 10987 | System hardening through configuration management | Preventive | |
| Configure the "Hide notifications about RD Licensing problems that affect the RD Session Host server" setting to organizational standards. CC ID 10988 | System hardening through configuration management | Preventive | |
| Configure the "Hide previous versions list for local files" setting to organizational standards. CC ID 10989 | System hardening through configuration management | Preventive | |
| Configure the "Hide previous versions of files on backup location" setting to organizational standards. CC ID 10991 | System hardening through configuration management | Preventive | |
| Configure the "Ignore custom consent settings" setting to organizational standards. CC ID 10992 | System hardening through configuration management | Preventive | |
| Configure the "Ignore Delegation Failure" setting to organizational standards. CC ID 10993 | System hardening through configuration management | Preventive | |
| Configure the "Ignore the default list of blocked TPM commands" setting to organizational standards. CC ID 10994 | System hardening through configuration management | Preventive | |
| Configure the "Ignore the local list of blocked TPM commands" setting to organizational standards. CC ID 10995 | System hardening through configuration management | Preventive | |
| Configure the "Include rarely used Chinese, Kanji, or Hanja characters" setting to organizational standards. CC ID 10996 | System hardening through configuration management | Preventive | |
| Configure the "Initial DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10997 | System hardening through configuration management | Preventive | |
| Configure the "IP-HTTPS State" setting to organizational standards. CC ID 11000 | System hardening through configuration management | Preventive | |
| Configure the "ISATAP Router Name" setting to organizational standards. CC ID 11001 | System hardening through configuration management | Preventive | |
| Configure the "ISATAP State" setting to organizational standards. CC ID 11002 | System hardening through configuration management | Preventive | |
| Configure the "License server security group" setting to organizational standards. CC ID 11005 | System hardening through configuration management | Preventive | |
| Configure the "List of applications to be excluded" setting to organizational standards. CC ID 11023 | System hardening through configuration management | Preventive | |
| Configure the "Lock Enhanced Storage when the computer is locked" setting to organizational standards. CC ID 11025 | System hardening through configuration management | Preventive | |
| Configure the "Make Parental Controls control panel visible on a Domain" setting to organizational standards. CC ID 11039 | System hardening through configuration management | Preventive | |
| Configure the "MaxConcurrentUsers" setting to organizational standards. CC ID 11040 | System hardening through configuration management | Preventive | |
| Configure the "Maximum DC Discovery Retry Interval Setting for Background Callers" setting to organizational standards. CC ID 11041 | System hardening through configuration management | Preventive | |
| Configure the "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider" setting to organizational standards. CC ID 11045 | System hardening through configuration management | Preventive | |
| Configure the "Negative DC Discovery Cache Setting" setting to organizational standards. CC ID 11047 | System hardening through configuration management | Preventive | |
| Configure the "Non-conforming packets" setting to organizational standards. CC ID 11053 | System hardening through configuration management | Preventive | |
| Configure the "Notify blocked drivers" setting to organizational standards. CC ID 11054 | System hardening through configuration management | Preventive | |
| Configure the "Notify user of successful smart card driver installation" setting to organizational standards. CC ID 11055 | System hardening through configuration management | Preventive | |
| Configure the "Permitted Managers" setting to organizational standards. CC ID 11062 | System hardening through configuration management | Preventive | |
| Configure the "Positive Periodic DC Cache Refresh for Background Callers" setting to organizational standards. CC ID 11063 | System hardening through configuration management | Preventive | |
| Configure the "Positive Periodic DC Cache Refresh for Non-Background Callers" setting to organizational standards. CC ID 11064 | System hardening through configuration management | Preventive | |
| Configure the "Prioritize all digitally signed drivers equally during the driver ranking and selection process" setting to organizational standards. CC ID 11098 | System hardening through configuration management | Preventive | |
| Configure the "Prompt for credentials on the client computer" setting to organizational standards. CC ID 11108 | System hardening through configuration management | Preventive | |
| Configure the "Propagation of extended error information" setting to organizational standards. CC ID 11110 | System hardening through configuration management | Preventive | |
| Configure the "Register PTR Records" setting to organizational standards. CC ID 11121 | System hardening through configuration management | Preventive | |
| Configure the "Registration Refresh Interval" setting to organizational standards. CC ID 11122 | System hardening through configuration management | Preventive | |
| Configure the "Remove Program Compatibility Property Page" setting to organizational standards. CC ID 11128 | System hardening through configuration management | Preventive | |
| Configure the "Remove users ability to invoke machine policy refresh" setting to organizational standards. CC ID 11129 | System hardening through configuration management | Preventive | |
| Configure the "Remove Windows Security item from Start menu" setting to organizational standards. CC ID 11130 | System hardening through configuration management | Preventive | |
| Configure the "Re-prompt for restart with scheduled installations" setting to organizational standards. CC ID 11131 | System hardening through configuration management | Preventive | |
| Configure the "Require secure RPC communication" setting to organizational standards. CC ID 11134 | System hardening through configuration management | Preventive | |
| Configure the "Require strict KDC validation" setting to organizational standards. CC ID 11135 | System hardening through configuration management | Preventive | |
| Configure the "Reverse the subject name stored in a certificate when displaying" setting to organizational standards. CC ID 11148 | System hardening through configuration management | Preventive | |
| Configure the "RPC Troubleshooting State Information" setting to organizational standards. CC ID 11150 | System hardening through configuration management | Preventive | |
| Configure the "Run shutdown scripts visible" setting to organizational standards. CC ID 11152 | System hardening through configuration management | Preventive | |
| Configure the "Run startup scripts asynchronously" setting to organizational standards. CC ID 11153 | System hardening through configuration management | Preventive | |
| Configure the "Run startup scripts visible" setting to organizational standards. CC ID 11154 | System hardening through configuration management | Preventive | |
| Configure the "Scavenge Interval" setting to organizational standards. CC ID 11158 | System hardening through configuration management | Preventive | |
| Configure the "Server Authentication Certificate Template" setting to organizational standards. CC ID 11170 | System hardening through configuration management | Preventive | |
| Configure the "Set BranchCache Distributed Cache mode" setting to organizational standards. CC ID 11172 | System hardening through configuration management | Preventive | |
| Configure the "Set BranchCache Hosted Cache mode" setting to organizational standards. CC ID 11173 | System hardening through configuration management | Preventive | |
| Configure the "Set compression algorithm for RDP data" setting to organizational standards. CC ID 11174 | System hardening through configuration management | Preventive | |
| Configure the "Set percentage of disk space used for client computer cache" setting to organizational standards. CC ID 11177 | System hardening through configuration management | Preventive | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Global" to organizational standards. CC ID 11178 | System hardening through configuration management | Preventive | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Site Local" to organizational standards. CC ID 11180 | System hardening through configuration management | Preventive | |
| Configure the "Set the Email IDs to which notifications are to be sent" setting to organizational standards. CC ID 11184 | System hardening through configuration management | Preventive | |
| Configure the "Set the map update interval for NIS subordinate servers" setting to organizational standards. CC ID 11186 | System hardening through configuration management | Preventive | |
| Configure the "Set the Seed Server" setting for "IPv6 Global" to organizational standards. CC ID 11189 | System hardening through configuration management | Preventive | |
| Configure the "Set the Seed Server" setting for "IPv6 Site Local" to organizational standards. CC ID 11191 | System hardening through configuration management | Preventive | |
| Configure the "Set the SMTP Server used to send notifications" setting to organizational standards. CC ID 11192 | System hardening through configuration management | Preventive | |
| Configure the "Set timer resolution" setting to organizational standards. CC ID 11196 | System hardening through configuration management | Preventive | |
| Configure the "Sets how often a DFS Client discovers DC's" setting to organizational standards. CC ID 11199 | System hardening through configuration management | Preventive | |
| Configure the "Short name creation options" setting to organizational standards. CC ID 11200 | System hardening through configuration management | Preventive | |
| Configure the "Site Name" setting to organizational standards. CC ID 11201 | System hardening through configuration management | Preventive | |
| Configure the "Specify a default color" setting to organizational standards. CC ID 11208 | System hardening through configuration management | Preventive | |
| Configure the "Specify idle Timeout" setting to organizational standards. CC ID 11210 | System hardening through configuration management | Preventive | |
| Configure the "Specify maximum amount of memory in MB per Shell" setting to organizational standards. CC ID 11211 | System hardening through configuration management | Preventive | |
| Configure the "Specify maximum number of processes per Shell" setting to organizational standards. CC ID 11212 | System hardening through configuration management | Preventive | |
| Configure the "Specify Shell Timeout" setting to organizational standards. CC ID 11216 | System hardening through configuration management | Preventive | |
| Configure the "Specify Windows installation file location" setting to organizational standards. CC ID 11225 | System hardening through configuration management | Preventive | |
| Configure the "Specify Windows Service Pack installation file location" setting to organizational standards. CC ID 11226 | System hardening through configuration management | Preventive | |
| Configure the "SSL Cipher Suite Order" setting to organizational standards. CC ID 11227 | System hardening through configuration management | Preventive | |
| Configure the "Switch to the Simplified Chinese (PRC) gestures" setting to organizational standards. CC ID 11230 | System hardening through configuration management | Preventive | |
| Configure the "Sysvol share compatibility" setting to organizational standards. CC ID 11231 | System hardening through configuration management | Preventive | |
| Configure the "Tag Windows Customer Experience Improvement data with Study Identifier" setting to organizational standards. CC ID 11232 | System hardening through configuration management | Preventive | |
| Configure the "Teredo Client Port" setting to organizational standards. CC ID 11236 | System hardening through configuration management | Preventive | |
| Configure the "Teredo Default Qualified" setting to organizational standards. CC ID 11237 | System hardening through configuration management | Preventive | |
| Configure the "Teredo Refresh Rate" setting to organizational standards. CC ID 11238 | System hardening through configuration management | Preventive | |
| Configure the "Teredo Server Name" setting to organizational standards. CC ID 11239 | System hardening through configuration management | Preventive | |
| Configure the "Teredo State" setting to organizational standards. CC ID 11240 | System hardening through configuration management | Preventive | |
| Configure the "Time (in seconds) to force reboot" setting to organizational standards. CC ID 11242 | System hardening through configuration management | Preventive | |
| Configure the "Time (in seconds) to force reboot when required for policy changes to take effect" setting to organizational standards. CC ID 11243 | System hardening through configuration management | Preventive | |
| Configure the "Timeout for fast user switching events" setting to organizational standards. CC ID 11244 | System hardening through configuration management | Preventive | |
| Configure the "Traps for public community" setting to organizational standards. CC ID 11246 | System hardening through configuration management | Preventive | |
| Configure the "Trusted Hosts" setting to organizational standards. CC ID 11249 | System hardening through configuration management | Preventive | |
| Configure the "Try Next Closest Site" setting to organizational standards. CC ID 11250 | System hardening through configuration management | Preventive | |
| Configure the "TTL Set in the A and PTR records" setting to organizational standards. CC ID 11251 | System hardening through configuration management | Preventive | |
| Configure the "Turn on Accounting for WSRM" setting to organizational standards. CC ID 11333 | System hardening through configuration management | Preventive | |
| Configure the "Turn on BranchCache" setting to organizational standards. CC ID 11334 | System hardening through configuration management | Preventive | |
| Configure the "Turn on certificate propagation from smart card" setting to organizational standards. CC ID 11335 | System hardening through configuration management | Preventive | |
| Configure the "Turn On Compatibility HTTP Listener" setting to organizational standards. CC ID 11336 | System hardening through configuration management | Preventive | |
| Configure the "Turn On Compatibility HTTPS Listener" setting to organizational standards. CC ID 11337 | System hardening through configuration management | Preventive | |
| Configure the "Turn on definition updates through both WSUS and the Microsoft Malware Protection Center" setting to organizational standards. CC ID 11338 | System hardening through configuration management | Preventive | |
| Configure the "Turn on definition updates through both WSUS and Windows Update" setting to organizational standards. CC ID 11339 | System hardening through configuration management | Preventive | |
| Configure the "Turn on economical application of administratively assigned Offline Files" setting to organizational standards. CC ID 11342 | System hardening through configuration management | Preventive | |
| Configure the "Turn on Mapper I/O (LLTDIO) driver" setting to organizational standards. CC ID 11346 | System hardening through configuration management | Preventive | |
| Configure the "Turn on recommended updates via Automatic Updates" setting to organizational standards. CC ID 11347 | System hardening through configuration management | Preventive | |
| Configure the "Turn on root certificate propagation from smart card" setting to organizational standards. CC ID 11349 | System hardening through configuration management | Preventive | |
| Configure the "Turn on Software Notifications" setting to organizational standards. CC ID 11352 | System hardening through configuration management | Preventive | |
| Configure the "Turn on TPM backup to Active Directory Domain Services" setting to organizational standards. CC ID 11356 | System hardening through configuration management | Preventive | |
| Configure the "Use forest search order" setting for "Key Distribution Center (KDC) searches" to organizational standards. CC ID 11359 | System hardening through configuration management | Preventive | |
| Configure the "Use forest search order" setting for "Kerberos client searches" to organizational standards. CC ID 11360 | System hardening through configuration management | Preventive | |
| Configure the "Use IP Address Redirection" setting to organizational standards. CC ID 11361 | System hardening through configuration management | Preventive | |
| Configure the "Use localized subfolder names when redirecting Start Menu and My Documents" setting to organizational standards. CC ID 11362 | System hardening through configuration management | Preventive | |
| Configure the "Use mandatory profiles on the RD Session Host server" setting to organizational standards. CC ID 11363 | System hardening through configuration management | Preventive | |
| Configure the "Verbose vs normal status messages" setting to organizational standards. CC ID 11368 | System hardening through configuration management | Preventive | |
| Configure the "Verify old and new Folder Redirection targets point to the same share before redirecting" setting to organizational standards. CC ID 11369 | System hardening through configuration management | Preventive | |
| Configure the "Windows Scaling Heuristics State" setting to organizational standards. CC ID 11372 | System hardening through configuration management | Preventive | |
| Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | System hardening through configuration management | Preventive | |
| Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | System hardening through configuration management | Preventive | |
| Configure the "shadow" group to organizational standards. CC ID 11386 | System hardening through configuration management | Preventive | |
| Configure the "AppArmor" setting to organizational standards. CC ID 11387 | System hardening through configuration management | Preventive | |
| Disable or configure the e-mail server, as necessary. CC ID 06563 | System hardening through configuration management | Preventive | |
| Configure e-mail servers to enable receiver-side verification. CC ID 12223 [{spoofed e-mail message} To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. CIS Control 9: Safeguard 9.5 Implement DMARC {spoofed e-mail message} To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. CIS Control 9: Safeguard 9.5 Implement DMARC] | System hardening through configuration management | Preventive | |
| Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | System hardening through configuration management | Preventive | |
| Configure user accounts. CC ID 07036 | System hardening through configuration management | Preventive | |
| Remove unnecessary default accounts. CC ID 01539 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | System hardening through configuration management | Preventive | |
| Disable or delete shared User IDs. CC ID 12478 | System hardening through configuration management | Corrective | |
| Verify that no UID 0 accounts exist other than root. CC ID 01585 | System hardening through configuration management | Detective | |
| Disable or delete generic user IDs. CC ID 12479 | System hardening through configuration management | Corrective | |
| Disable all unnecessary user identifiers. CC ID 02185 | System hardening through configuration management | Preventive | |
| Remove unnecessary user credentials. CC ID 16409 | System hardening through configuration management | Preventive | |
| Remove the root user as appropriate. CC ID 01582 | System hardening through configuration management | Preventive | |
| Disable or remove the null account. CC ID 06572 | System hardening through configuration management | Preventive | |
| Configure accounts with administrative privilege. CC ID 07033 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account. CIS Control 5: Safeguard 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts] | System hardening through configuration management | Preventive | |
| Disable root logons or limit the logons to the system console. CC ID 01573 | System hardening through configuration management | Preventive | |
| Encrypt non-console administrative access. CC ID 00883 | System hardening through configuration management | Preventive | |
| Configure the default group for the root user. CC ID 01586 | System hardening through configuration management | Preventive | |
| Rename or disable the Administrator Account. CC ID 01721 | System hardening through configuration management | Preventive | |
| Create a backup administrator account. CC ID 04497 | System hardening through configuration management | Preventive | |
| Configure mobile device settings in accordance with organizational standards. CC ID 04600 | System hardening through configuration management | Preventive | |
| Configure mobile devices to organizational standards. CC ID 04639 [Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data. CIS Control 4: Safeguard 4.12 Separate Enterprise Workspaces on Mobile End-User Devices] | System hardening through configuration management | Preventive | |
| Configure mobile devices to separate organizational data from personal data. CC ID 16463 | System hardening through configuration management | Preventive | |
| Configure the mobile device properties to organizational standards. CC ID 04640 | System hardening through configuration management | Preventive | |
| Configure the mobile device menu items to organizational standards. CC ID 04641 | System hardening through configuration management | Preventive | |
| Configure the BlackBerry handheld device driver settings. CC ID 04642 | System hardening through configuration management | Preventive | |
| Configure e-mail security settings in accordance with organizational standards. CC ID 07055 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | System hardening through configuration management | Preventive | |
| Configure e-mail to limit the number of recipients per message. CC ID 07056 | System hardening through configuration management | Preventive | |
| Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Preventive | |
| Configure the storage parameters for all logs. CC ID 06330 [{be adequate} Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process. CIS Control 8: Safeguard 8.3 Ensure Adequate Audit Log Storage] | System hardening through configuration management | Preventive | |
| Configure sufficient log storage capacity and prevent the capacity from being exceeded. CC ID 01425 | System hardening through configuration management | Preventive | |
| Configure the log retention method. CC ID 01715 | System hardening through configuration management | Preventive | |
| Configure the log retention size. CC ID 01716 | System hardening through configuration management | Preventive | |
| Configure syslogd to send logs to a Remote LogHost. CC ID 01526 | System hardening through configuration management | Preventive | |
| Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | System hardening through configuration management | Preventive | |
| Configure the log to capture the user's identification. CC ID 01334 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | System hardening through configuration management | Preventive | |
| Configure the log to capture a date and time stamp. CC ID 01336 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | System hardening through configuration management | Preventive | |
| Configure the log to uniquely identify each asset. CC ID 01339 | System hardening through configuration management | Preventive | |
| Configure the log to capture remote access information. CC ID 05596 | System hardening through configuration management | Detective | |
| Configure the log to capture the type of each event. CC ID 06423 | System hardening through configuration management | Preventive | |
| Configure the log to capture each event's success or failure indication. CC ID 06424 | System hardening through configuration management | Preventive | |
| Configure all logs to capture auditable events or actionable events. CC ID 06332 [Log sensitive data access, including modification and disposal. CIS Control 3: Safeguard 3.14 Log Sensitive Data Access] | System hardening through configuration management | Preventive | |
| Configure the log to capture account lockouts. CC ID 16470 | System hardening through configuration management | Preventive | |
| Configure the log to capture execution events. CC ID 16469 | System hardening through configuration management | Preventive | |
| Configure the log to capture AWS Organizations changes. CC ID 15445 | System hardening through configuration management | Preventive | |
| Configure the log to capture Identity and Access Management policy changes. CC ID 15442 | System hardening through configuration management | Preventive | |
| Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 | System hardening through configuration management | Preventive | |
| Configure the log to capture route table changes. CC ID 15439 | System hardening through configuration management | Preventive | |
| Configure the log to capture virtual private cloud changes. CC ID 15435 | System hardening through configuration management | Preventive | |
| Configure the log to capture changes to encryption keys. CC ID 15432 | System hardening through configuration management | Preventive | |
| Configure the log to capture unauthorized API calls. CC ID 15429 | System hardening through configuration management | Preventive | |
| Configure the log to capture changes to network gateways. CC ID 15421 | System hardening through configuration management | Preventive | |
| Configure the log to capture all spoofed addresses. CC ID 01313 | System hardening through configuration management | Preventive | |
| Configure the "logging level" to organizational standards. CC ID 14456 | System hardening through configuration management | Detective | |
| Configure inetd tracing. CC ID 01523 | System hardening through configuration management | Preventive | |
| Configure the system to capture messages sent to the syslog AUTH facility. CC ID 01525 | System hardening through configuration management | Preventive | |
| Configure Cron logging. CC ID 01528 | System hardening through configuration management | Preventive | |
| Configure the kernel level auditing setting. CC ID 01530 | System hardening through configuration management | Preventive | |
| Configure the "audit successful file system mounts" setting to organizational standards. CC ID 09923 | System hardening through configuration management | Preventive | |
| Configure system accounting/system events. CC ID 01529 | System hardening through configuration management | Preventive | |
| Configure the privilege use auditing setting. CC ID 01699 | System hardening through configuration management | Preventive | |
| Configure the log to record the Denial of Access that results from an excessive number of unsuccessful logon attempts. CC ID 01919 | System hardening through configuration management | Preventive | |
| Configure the Audit Process Tracking setting. CC ID 01700 | System hardening through configuration management | Preventive | |
| Configure the EEPROM security-mode accesses and EEPROM log-failed accesses. CC ID 01575 | System hardening through configuration management | Preventive | |
| Configure the log to capture user identifier, address, port blocking or blacklisting. CC ID 01918 | System hardening through configuration management | Preventive | |
| Enable directory service access events, as appropriate. CC ID 05616 | System hardening through configuration management | Preventive | |
| Configure the log to capture failed transactions. CC ID 06334 | System hardening through configuration management | Preventive | |
| Configure the log to capture successful transactions. CC ID 06335 | System hardening through configuration management | Preventive | |
| Audit non attributable events (na class). CC ID 05604 | System hardening through configuration management | Preventive | |
| Configure the log to capture configuration changes. CC ID 06881 | System hardening through configuration management | Preventive | |
| Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 | System hardening through configuration management | Preventive | |
| Configure the log to capture all changes to certificates. CC ID 05595 | System hardening through configuration management | Preventive | |
| Configure the "inetd logging" setting to organizational standards. CC ID 08970 | System hardening through configuration management | Preventive | |
| Configure the "audit sudoers" setting to organizational standards. CC ID 09950 | System hardening through configuration management | Preventive | |
| Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | System hardening through configuration management | Preventive | |
| Configure the "Minimum password length" to organizational standards. CC ID 07711 [{minimum number of characters} Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA. CIS Control 5: Safeguard 5.2 Use Unique Passwords] | System hardening through configuration management | Preventive | |
| Configure security and protection software according to Organizational Standards. CC ID 11917 | System hardening through configuration management | Preventive | |
| Configure security and protection software to check e-mail attachments. CC ID 11860 [Block unnecessary file types attempting to enter the enterprise's email gateway. CIS Control 9: Safeguard 9.6 Block Unnecessary File Types] | System hardening through configuration management | Preventive | |
| Configure the Domain Name System in accordance with organizational standards. CC ID 12202 [Configure trusted DNS servers on network infrastructure. Example implementations include configuring network devices to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. CIS Control 4: Safeguard 4.9 Configure Trusted DNS Servers on Enterprise Assets] | System hardening through configuration management | Preventive | |
| Configure the Domain Name System query logging to organizational standards. CC ID 12210 [Collect DNS query audit logs on enterprise assets, where appropriate and supported. CIS Control 8: Safeguard 8.6 Collect DNS Query Audit Logs] | System hardening through configuration management | Preventive | |
| Configure the secure name/address resolution service (recursive or caching resolver). CC ID 01625 | System hardening through configuration management | Preventive | |
| Configure the secure name/address resolution service (authoritative source). CC ID 01624 | System hardening through configuration management | Preventive | |
| Configure DNS records in accordance with organizational standards. CC ID 17083 | System hardening through configuration management | Preventive | |
| Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 | System hardening through configuration management | Preventive | |
| Nest elements appropriately in website content using markup languages. CC ID 15154 | Systems design, build, and implementation | Preventive | |
| Use valid HTML or other markup languages. CC ID 15153 | Systems design, build, and implementation | Preventive | |
| Ensure users can navigate content. CC ID 15163 | Systems design, build, and implementation | Preventive | |
| Create text content using language that is readable and is understandable. CC ID 15167 | Systems design, build, and implementation | Preventive | |
| Ensure user interface components are operable. CC ID 15162 | Systems design, build, and implementation | Preventive | |
| Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Systems design, build, and implementation | Preventive | |
| Allow users to reverse submissions. CC ID 15168 | Systems design, build, and implementation | Preventive | |
| Provide a mechanism to control audio. CC ID 15158 | Systems design, build, and implementation | Preventive | |
| Allow modification of style properties without loss of content or functionality. CC ID 15156 | Systems design, build, and implementation | Preventive | |
| Programmatically determine the name and role of user interface components. CC ID 15148 | Systems design, build, and implementation | Preventive | |
| Programmatically determine the language of content. CC ID 15137 | Systems design, build, and implementation | Preventive | |
| Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Systems design, build, and implementation | Preventive | |
| Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Systems design, build, and implementation | Preventive | |
| Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Systems design, build, and implementation | Preventive | |
| Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Systems design, build, and implementation | Preventive | |
| Provide captions for live audio content. CC ID 15120 | Systems design, build, and implementation | Preventive | |
| Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Systems design, build, and implementation | Preventive | |
| Provide labels or instructions when content requires user input. CC ID 15077 | Systems design, build, and implementation | Preventive | |
| Allow users to control auto-updating information, as necessary. CC ID 15159 | Systems design, build, and implementation | Preventive | |
| Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Systems design, build, and implementation | Preventive | |
| Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Systems design, build, and implementation | Preventive | |
| Ensure the purpose of links can be determined through the link text. CC ID 15157 | Systems design, build, and implementation | Preventive | |
| Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Systems design, build, and implementation | Preventive | |
| Allow the use of time limits, as necessary. CC ID 15155 | Systems design, build, and implementation | Preventive | |
| Refrain from activating a change of context in a user interface component. CC ID 15115 | Systems design, build, and implementation | Preventive | |
| Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Preventive | |
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Preventive | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Preventive | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Preventive | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Preventive | |
| Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 | Technical security | Preventive | |
| Include virtual systems in the network diagram. CC ID 16324 | Technical security | Preventive | |
| Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Preventive | |
| Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [{data storage}{be lower than} Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. CIS Control 3: Safeguard 3.12 Segment Data Processing and Storage Based on Sensitivity] | Technical security | Preventive | |
| Protect data stored at external locations. CC ID 16333 | Technical security | Preventive | |
| Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Technical security | Preventive | |
| Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Technical security | Preventive | |
| Implement the documented cryptographic module security functions. CC ID 06755 | Technical security | Preventive | |
| Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Preventive | |
| Include the expiration date in digital signatures. CC ID 13833 | Technical security | Preventive | |
| Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Preventive | |
| Include the subject in digital signatures. CC ID 13832 | Technical security | Preventive | |
| Include the issuer in digital signatures. CC ID 13831 | Technical security | Preventive | |
| Include identifiers in the digital signature. CC ID 13829 | Technical security | Preventive | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 [Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. CIS Control 3: Safeguard 3.6 Encrypt Data on End-User Devices Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. CIS Control 3: Safeguard 3.11 Encrypt Sensitive Data at Rest] | Technical security | Preventive | |
| Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Preventive | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Preventive | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Preventive | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Preventive | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Preventive | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Preventive | |
| Generate strong cryptographic keys. CC ID 01299 | Technical security | Preventive | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Preventive | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 | Technical security | Preventive | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Preventive | |
| Store cryptographic keys securely. CC ID 01298 | Technical security | Preventive | |
| Restrict access to cryptographic keys. CC ID 01297 | Technical security | Preventive | |
| Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Preventive | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Preventive | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Preventive | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Technical security | Preventive | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Preventive | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Corrective | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Corrective | |
| Archive outdated cryptographic keys. CC ID 06884 | Technical security | Preventive | |
| Archive revoked cryptographic keys. CC ID 11819 | Technical security | Preventive | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Preventive | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Preventive | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Preventive | |
| Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Preventive | |
| Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Preventive | |
| Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Preventive | |
| Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Preventive | |
| Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Preventive | |
| Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Preventive | |
| Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Preventive | |
| Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Preventive | |
| Record software license information for each asset in the asset inventory. CC ID 11736 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Preventive | |
| Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Preventive | |
| Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Preventive | |
| Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Preventive | |
| Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Preventive | |
| Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Operational management | Preventive | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Corrective | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
| Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
| Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Preventive | |
| Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681 | System hardening through configuration management | Preventive | |
| Ensure data sets have the appropriate characteristics. CC ID 15000 | Records management | Detective | |
| Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 | Records management | Detective | |
| Store records and data in accordance with organizational standards. CC ID 16439 | Records management | Preventive | |
| Select the appropriate format for archived data and records. CC ID 06320 | Records management | Preventive | |
| Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 | Records management | Preventive | |
| Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Records management | Preventive | |
| Require authorized individuals be present to witness records disposition. CC ID 12313 | Records management | Preventive | |
| Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Preventive | |
| Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection] | Records management | Detective | |
| Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Preventive | |
| Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Preventive | |
| Import data files into a patient's electronic health record. CC ID 14448 | Records management | Preventive | |
| Export requested sections of the electronic health record. CC ID 14447 | Records management | Preventive | |
| Display the implantable device list to authorized users. CC ID 14445 | Records management | Preventive | |
| Include attributes in the decision support intervention. CC ID 16766 | Records management | Preventive | |
| Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 [{annual basis} Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as "Sensitive," "Confidential," and "Public," and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.7 Establish and Maintain a Data Classification Scheme {annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Records management | Detective | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
| Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Privacy protection for information and data | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Preventive | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Preventive | |
| Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Preventive | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 [{annual basis} Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.2 Perform Periodic External Penetration Tests Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Monitoring and measurement | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Technical security | Preventive | |
| Include assigned roles and responsibilities in the network access control standard. CC ID 06410 | Technical security | Preventive | |
| Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Preventive | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Preventive | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Preventive | |
| Assign application security reviews for web-facing applications to an organization that specializes in application security. CC ID 12035 | Technical security | Preventive | |
| Include restoration procedures in the continuity plan. CC ID 01169 | Operational and Systems Continuity | Preventive | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 [Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling {annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Human Resources management | Preventive | |
| Document and communicate role descriptions to all applicable personnel. CC ID 00776 | Human Resources management | Detective | |
| Rotate duties amongst the critical roles and positions. CC ID 06554 | Human Resources management | Preventive | |
| Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Preventive | |
| Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Preventive | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process {annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities {annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Operational management | Preventive | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Preventive | |
| Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Preventive | |
| Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Preventive | |
| Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Preventive | |
| Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Operational management | Preventive | |
| Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Preventive | |
| Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Preventive | |
| Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Preventive | |
| Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Operational management | Preventive | |
| Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Preventive | |
| Define and assign the system development project team roles and responsibilities. CC ID 01061 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Systems design, build, and implementation | Preventive | |
| Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 | Systems design, build, and implementation | Preventive | |
| Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 | Systems design, build, and implementation | Preventive | |
| Assign the review of custom code changes to individuals other than the code author. CC ID 06291 | Systems design, build, and implementation | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Preventive | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Preventive | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Preventive | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Leadership and high level objectives | Preventive | |
| Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain warning procedures. CC ID 12407 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain alert procedures. CC ID 12406 | Leadership and high level objectives | Preventive | |
| Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Preventive | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Preventive | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Preventive | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Preventive | |
| Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Preventive | |
| Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Preventive | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Preventive | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Preventive | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a data classification scheme. CC ID 11628 [{annual basis} Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as "Sensitive," "Confidential," and "Public," and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.7 Establish and Maintain a Data Classification Scheme {annual basis} Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as "Sensitive," "Confidential," and "Public," and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.7 Establish and Maintain a Data Classification Scheme] | Leadership and high level objectives | Preventive | |
| Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Detective | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Preventive | |
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 [{monthly basis} Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. CIS Control 2: Safeguard 2.3 Address Unauthorized Software {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported] | Leadership and high level objectives | Detective | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [{unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a decision management strategy. CC ID 06913 | Leadership and high level objectives | Preventive | |
| Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises] | Leadership and high level objectives | Preventive | |
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Corrective | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Preventive | |
| Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Preventive | |
| Include the scope in the test plans. CC ID 14293 [Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Monitoring and measurement | Preventive | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Preventive | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 [Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise. CIS Control 16: Safeguard 16.3 Perform Root Cause Analysis on Security Vulnerabilities] | Monitoring and measurement | Preventive | |
| Define the test requirements for each testing program. CC ID 13177 [Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Monitoring and measurement | Preventive | |
| Document the business need justification for authorized wireless access points. CC ID 12044 | Monitoring and measurement | Preventive | |
| Align the penetration test program with industry standards. CC ID 12469 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [{annual basis} Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 7: Safeguard 7.1 Establish and Maintain a Vulnerability Management Process {annual basis} Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 7: Safeguard 7.1 Establish and Maintain a Vulnerability Management Process Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. CIS Control 7: Continuous Vulnerability Management {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. CIS Control 16: Safeguard 16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities] | Monitoring and measurement | Preventive | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Preventive | |
| Define the test frequency for each testing program. CC ID 13176 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a log management program. CC ID 00673 [{annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Monitoring and measurement | Preventive | |
| Include transfer procedures in the log management program. CC ID 17077 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
| Include roles and responsibilities in the corrective action plan. CC ID 16926 | Monitoring and measurement | Preventive | |
| Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Preventive | |
| Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Monitoring and measurement | Preventive | |
| Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Preventive | |
| Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 [Centralize access control for all enterprise assets through a directory service or SSO provider, where supported. CIS Control 6: Safeguard 6.7 Centralize Access Control] | Technical security | Preventive | |
| Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 | Technical security | Preventive | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 | Technical security | Preventive | |
| Include guidance on selecting authentication credentials in the access control program. CC ID 11928 | Technical security | Preventive | |
| Establish, implement, and maintain access control policies. CC ID 00512 | Technical security | Preventive | |
| Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Preventive | |
| Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Preventive | |
| Include management commitment in the access control policy. CC ID 14004 | Technical security | Preventive | |
| Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Preventive | |
| Include the scope in the access control policy. CC ID 14002 | Technical security | Preventive | |
| Include the purpose in the access control policy. CC ID 14001 | Technical security | Preventive | |
| Document the business need justification for user accounts. CC ID 15490 | Technical security | Preventive | |
| Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Preventive | |
| Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
| Inventory all user accounts. CC ID 13732 [{quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Technical security | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Preventive | |
| Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Preventive | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Preventive | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Preventive | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Preventive | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Preventive | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Preventive | |
| Document the business need justification for authentication data storage. CC ID 06325 | Technical security | Preventive | |
| Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Preventive | |
| Document approving and granting access in the access control log. CC ID 06786 | Technical security | Preventive | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Preventive | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Preventive | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Preventive | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Preventive | |
| Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Preventive | |
| Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Preventive | |
| Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Preventive | |
| Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Preventive | |
| Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Preventive | |
| Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Preventive | |
| Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Technical security | Preventive | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 | Technical security | Preventive | |
| Include instructions to refrain from using previously used authenticators in the access control program. CC ID 11930 | Technical security | Preventive | |
| Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Preventive | |
| Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Preventive | |
| Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Technical security | Preventive | |
| Establish, implement, and maintain a network security policy. CC ID 06440 | Technical security | Preventive | |
| Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Preventive | |
| Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Preventive | |
| Include management commitment in the network security policy. CC ID 14203 | Technical security | Preventive | |
| Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Preventive | |
| Include the scope in the network security policy. CC ID 14201 | Technical security | Preventive | |
| Include the purpose in the network security policy. CC ID 14200 | Technical security | Preventive | |
| Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Technical security | Preventive | |
| Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Technical security | Preventive | |
| Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Preventive | |
| Maintain up-to-date network diagrams. CC ID 00531 [{annual basis}{network architecture diagram} Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 12: Safeguard 12.4 Establish and Maintain Architecture Diagram(s) {annual basis}{network architecture diagram} Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 12: Safeguard 12.4 Establish and Maintain Architecture Diagram(s) Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Technical security | Preventive | |
| Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Preventive | |
| Include the organization's name in the network diagram. CC ID 14318 | Technical security | Preventive | |
| Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Preventive | |
| Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Preventive | |
| Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Preventive | |
| Maintain up-to-date data flow diagrams. CC ID 10059 [{annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows {annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows] | Technical security | Preventive | |
| Establish, implement, and maintain a sensitive information inventory. CC ID 13736 [{annual basis} Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. CIS Control 3: Safeguard 3.2 Establish and Maintain a Data Inventory] | Technical security | Detective | |
| Include information flows to third parties in the data flow diagram. CC ID 13185 [{annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows] | Technical security | Preventive | |
| Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Technical security | Preventive | |
| Establish, implement, and maintain a Boundary Defense program. CC ID 00544 [Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base. CIS Control 13: Network Monitoring and Defense Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points. CIS Control 12: Network Infrastructure Management] | Technical security | Preventive | |
| Establish, implement, and maintain a network access control standard. CC ID 00546 | Technical security | Preventive | |
| Include configuration management and rulesets in the network access control standard. CC ID 11845 | Technical security | Preventive | |
| Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Preventive | |
| Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 | Technical security | Preventive | |
| Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 | Technical security | Preventive | |
| Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 | Technical security | Preventive | |
| Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 | Technical security | Preventive | |
| Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 | Technical security | Preventive | |
| Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 | Technical security | Preventive | |
| Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 [{secure network management protocol}{secure network communication protocol} Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater). CIS Control 12: Safeguard 12.6 Use Secure Network Management and Communication Protocols] | Technical security | Preventive | |
| Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Technical security | Preventive | |
| Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Technical security | Preventive | |
| Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 | Technical security | Preventive | |
| Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Technical security | Preventive | |
| Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Technical security | Preventive | |
| Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Technical security | Preventive | |
| Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Technical security | Preventive | |
| Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Technical security | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards. CC ID 11853 | Technical security | Preventive | |
| Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard. CC ID 11854 | Technical security | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol design specification. CC ID 01449 | Technical security | Preventive | |
| Establish, implement, and maintain a Wireless Local Area Network Configuration Management program. CC ID 01646 | Technical security | Preventive | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Preventive | |
| Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 | Technical security | Preventive | |
| Develop and implement a content filtering word and phrase library. CC ID 07071 | Technical security | Preventive | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 | Technical security | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 [{biannual basis} Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.5 Allowlist Authorized Software {biannual basis} Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.5 Allowlist Authorized Software {unauthorized software library} {biannual basis} Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.6 Allowlist Authorized Libraries {unauthorized software library} {biannual basis} Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.6 Allowlist Authorized Libraries] | Technical security | Preventive | |
| Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Technical security | Preventive | |
| Include information security requirements in the remote access and teleworking program. CC ID 15704 | Technical security | Preventive | |
| Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Preventive | |
| Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Technical security | Preventive | |
| Define the cryptographic boundaries. CC ID 06543 | Technical security | Preventive | |
| Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Technical security | Preventive | |
| Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Technical security | Preventive | |
| Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Technical security | Preventive | |
| Document the operation of the cryptographic module. CC ID 06546 | Technical security | Preventive | |
| Generate and protect a secret random number for each digital signature. CC ID 06577 | Technical security | Preventive | |
| Establish the security strength requirements for the digital signature process. CC ID 06578 | Technical security | Preventive | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Technical security | Preventive | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Preventive | |
| Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Preventive | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Technical security | Preventive | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Preventive | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Preventive | |
| Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Technical security | Preventive | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Preventive | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Preventive | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Preventive | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Preventive | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Preventive | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Preventive | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Preventive | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Preventive | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Preventive | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Preventive | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Preventive | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Preventive | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{malicious code}{malicious script} Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. CIS Control 10: Malware Defenses Centrally manage anti-malware software. CIS Control 10: Safeguard 10.6 Centrally Manage Anti-Malware Software] | Technical security | Preventive | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Technical security | Corrective | |
| Establish, implement, and maintain an application security policy. CC ID 06438 | Technical security | Preventive | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Physical and environmental protection | Preventive | |
| Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Preventive | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Preventive | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Preventive | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Preventive | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Preventive | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 [Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. CIS Control 11: Data Recovery {annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process {annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Operational and Systems Continuity | Preventive | |
| Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Operational and Systems Continuity | Preventive | |
| Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
| Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
| Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Preventive | |
| Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
| Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 [{annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Operational and Systems Continuity | Preventive | |
| Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
| Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Preventive | |
| Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
| Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 [{be equivalent} Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. CIS Control 11: Safeguard 11.3 Protect Recovery Data] | Operational and Systems Continuity | Preventive | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Detective | |
| Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [{annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
| Include the protection of personnel in the continuity plan. CC ID 06378 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a critical personnel list. CC ID 00739 [{annual basis} Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, service providers, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. CIS Control 17: Safeguard 17.2 Establish and Maintain Contact Information for Reporting Security Incidents] | Operational and Systems Continuity | Detective | |
| Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Preventive | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Preventive | |
| Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Operational and Systems Continuity | Preventive | |
| Log the execution of each backup. CC ID 00956 | Operational and Systems Continuity | Preventive | |
| Digitally sign disk images, as necessary. CC ID 06814 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Preventive | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 [Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise. CIS Control 14: Security Awareness and Skills Training {annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program {annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program] | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 [{annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program] | Human Resources management | Preventive | |
| Include security policies and security standards in the security awareness program. CC ID 13045 [Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management. CIS Control 14: Safeguard 14.3 Train Workforce Members on Authentication Best Practices Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. CIS Control 14: Safeguard 14.4 Train Workforce on Data Handling Best Practices] | Human Resources management | Preventive | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Preventive | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 [Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences. CIS Control 14: Safeguard 14.5 Train Workforce Members on Causes of Unintentional Data Exposure Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles. CIS Control 14: Safeguard 14.9 Conduct Role-Specific Security Awareness and Skills Training] | Human Resources management | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
| Include remote access in the security awareness program. CC ID 13892 [Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure. CIS Control 14: Safeguard 14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks] | Human Resources management | Preventive | |
| Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
| Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Preventive | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Operational management | Preventive | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 [Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. CIS Control 4: Safeguard 4.7 Manage Default Accounts on Enterprise Assets and Software Centralize account management through a directory or identity service. CIS Control 5: Safeguard 5.6 Centralize Account Management] | Operational management | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows {annual basis} Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. CIS Control 15: Safeguard 15.4 Ensure Service Provider Contracts Include Security Requirements] | Operational management | Preventive | |
| Establish, implement, and maintain a network management program. CC ID 13123 [{monthly basis} Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. CIS Control 12: Safeguard 12.1 Ensure Network Infrastructure is Up-to-Date Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS. CIS Control 12: Safeguard 12.3 Securely Manage Network Infrastructure] | Operational management | Preventive | |
| Include quality of service requirements in the network management program. CC ID 16429 | Operational management | Preventive | |
| Document the network design in the network management program. CC ID 13135 | Operational management | Preventive | |
| Establish, implement, and maintain network documentation. CC ID 16497 | Operational management | Preventive | |
| Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Preventive | |
| Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Preventive | |
| Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Preventive | |
| Include program objectives in the asset management program. CC ID 14413 | Operational management | Preventive | |
| Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Preventive | |
| Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
| Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Preventive | |
| Define confidentiality controls. CC ID 01908 | Operational management | Preventive | |
| Establish, implement, and maintain the systems' availability level. CC ID 01905 [Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Operational management | Preventive | |
| Define integrity controls. CC ID 01909 | Operational management | Preventive | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Preventive | |
| Define availability controls. CC ID 01911 | Operational management | Preventive | |
| Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Preventive | |
| Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Preventive | |
| Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Preventive | |
| Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Preventive | |
| Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Preventive | |
| Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [{weekly basis} Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. CIS Control 1: Safeguard 1.5 Use a Passive Asset Discovery Tool {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Preventive | |
| Include all account types in the Information Technology inventory. CC ID 13311 [{user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Operational management | Preventive | |
| Include each Information System's major applications in the Information Technology inventory. CC ID 01407 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Preventive | |
| Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Preventive | |
| Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Preventive | |
| Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Preventive | |
| Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Preventive | |
| Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Preventive | |
| Establish, implement, and maintain a hardware asset inventory. CC ID 00691 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Preventive | |
| Include network equipment in the Information Technology inventory. CC ID 00693 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Preventive | |
| Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Preventive | |
| Include software in the Information Technology inventory. CC ID 00692 | Operational management | Preventive | |
| Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 [{unauthorized software} Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. CIS Control 2: Inventory and Control of Software Assets {monthly basis} Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. CIS Control 12: Safeguard 12.1 Ensure Network Infrastructure is Up-to-Date {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Preventive | |
| Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Preventive | |
| Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Detective | |
| Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 [{annual basis} Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. CIS Control 3: Safeguard 3.2 Establish and Maintain a Data Inventory {annual basis} Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. CIS Control 3: Safeguard 3.2 Establish and Maintain a Data Inventory Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory. CIS Control 3: Safeguard 3.13 Deploy a Data Loss Prevention Solution] | Operational management | Preventive | |
| Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Preventive | |
| Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Preventive | |
| Record the decommission date for applicable assets in the asset inventory. CC ID 14920 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Preventive | |
| Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Preventive | |
| Record the review date for applicable assets in the asset inventory. CC ID 14919 [{quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts] | Operational management | Preventive | |
| Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Preventive | |
| Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Preventive | |
| Record the software version in the asset inventory. CC ID 12196 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Preventive | |
| Record the publisher for applicable assets in the asset inventory. CC ID 13725 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Preventive | |
| Record the authentication system in the asset inventory. CC ID 13724 [{annual basis}{authentication system} Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. CIS Control 6: Safeguard 6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems] | Operational management | Preventive | |
| Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Preventive | |
| Record the install date for applicable assets in the asset inventory. CC ID 13720 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Preventive | |
| Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Preventive | |
| Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Preventive | |
| Record the host name of applicable assets in the asset inventory. CC ID 13722 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Preventive | |
| Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Preventive | |
| Record the MAC address for applicable assets in the asset inventory. CC ID 13721 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Preventive | |
| Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Preventive | |
| Record the department associated with the asset in the asset inventory. CC ID 12084 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Operational management | Preventive | |
| Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Preventive | |
| Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Preventive | |
| Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Preventive | |
| Record the related business function for applicable assets in the asset inventory. CC ID 06636 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Preventive | |
| Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Preventive | |
| Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Preventive | |
| Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Preventive | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts] | Operational management | Preventive | |
| Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Preventive | |
| Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Preventive | |
| Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Preventive | |
| Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Preventive | |
| Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Preventive | |
| Establish, implement, and maintain software asset management procedures. CC ID 00895 [{unauthorized software} Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. CIS Control 2: Inventory and Control of Software Assets Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software] | Operational management | Preventive | |
| Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Preventive | |
| Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Preventive | |
| Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Preventive | |
| Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Preventive | |
| Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Preventive | |
| Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Preventive | |
| Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Preventive | |
| Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Preventive | |
| Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Preventive | |
| Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Preventive | |
| Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Preventive | |
| Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Preventive | |
| Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Preventive | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Preventive | |
| Establish and maintain maintenance reports. CC ID 11749 | Operational management | Preventive | |
| Establish and maintain system inspection reports. CC ID 06346 | Operational management | Preventive | |
| Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Preventive | |
| Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Preventive | |
| Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Preventive | |
| Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Preventive | |
| Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Preventive | |
| Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Preventive | |
| Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Preventive | |
| Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Preventive | |
| Establish, implement, and maintain a technology refresh plan. CC ID 13061 [Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise. CIS Control 16: Application Software Security] | Operational management | Preventive | |
| Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Operational management | Preventive | |
| Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Preventive | |
| Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Preventive | |
| Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Preventive | |
| Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Preventive | |
| Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Preventive | |
| Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Operational management | Preventive | |
| Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Preventive | |
| Establish and maintain an unauthorized software list. CC ID 10601 [{monthly basis} Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. CIS Control 2: Safeguard 2.3 Address Unauthorized Software {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported] | Operational management | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Preventive | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Preventive | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds] | Operational management | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 [{annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds] | Operational management | Preventive | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Preventive | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Operational management | Preventive | |
| Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 [{annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds {annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds] | Operational management | Preventive | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Detective | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Preventive | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Preventive | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Preventive | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Detective | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Detective | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Preventive | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
| Include information required by law in incident response notifications. CC ID 00802 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Operational management | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Preventive | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Preventive | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Preventive | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Preventive | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Preventive | |
| Include incident management procedures in the Incident Management program. CC ID 12689 [Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling] | Operational management | Preventive | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Corrective | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Preventive | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 [Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. CIS Control 17: Safeguard 17.8 Conduct Post-Incident Reviews] | Operational management | Preventive | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Preventive | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Preventive | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Preventive | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Preventive | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Preventive | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Preventive | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Preventive | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents {annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents {annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents {annual basis} Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat, or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.6 Define Mechanisms for Communicating During Incident Response] | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 [Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack. CIS Control 17: Incident Response Management] | Operational management | Preventive | |
| Create an incident response report. CC ID 12700 | Operational management | Preventive | |
| Include how the incident was discovered in the incident response report. CC ID 16987 | Operational management | Preventive | |
| Include the categories of data that were compromised in the incident response report. CC ID 16985 | Operational management | Preventive | |
| Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Preventive | |
| Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Preventive | |
| Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Preventive | |
| Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Operational management | Preventive | |
| Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Operational management | Preventive | |
| Include investments associated with the incident in the incident response report. CC ID 12726 | Operational management | Preventive | |
| Include costs associated with the incident in the incident response report. CC ID 12725 | Operational management | Preventive | |
| Include losses due to the incident in the incident response report. CC ID 12724 | Operational management | Preventive | |
| Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Operational management | Preventive | |
| Include foregone revenue from the incident in the incident response report. CC ID 12723 | Operational management | Preventive | |
| Include the magnitude of the incident in the incident response report. CC ID 12722 | Operational management | Preventive | |
| Include implications of the incident in the incident response report. CC ID 12721 | Operational management | Preventive | |
| Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Operational management | Preventive | |
| Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Operational management | Preventive | |
| Include information on all affected assets in the incident response report. CC ID 12718 | Operational management | Preventive | |
| Include the scope of the incident in the incident response report. CC ID 12717 | Operational management | Preventive | |
| Include the duration of the incident in the incident response report. CC ID 12716 | Operational management | Preventive | |
| Include the extent of the incident in the incident response report. CC ID 12715 | Operational management | Preventive | |
| Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Operational management | Preventive | |
| Include the reasons the incident occurred in the incident response report. CC ID 12711 | Operational management | Preventive | |
| Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Operational management | Preventive | |
| Include lessons learned from the incident in the incident response report. CC ID 12713 [Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. CIS Control 17: Safeguard 17.8 Conduct Post-Incident Reviews] | Operational management | Preventive | |
| Include where the incident occurred in the incident response report. CC ID 12710 | Operational management | Preventive | |
| Include when the incident occurred in the incident response report. CC ID 12709 | Operational management | Preventive | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. CIS Control 17: Safeguard 17.8 Conduct Post-Incident Reviews] | Operational management | Preventive | |
| Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Operational management | Preventive | |
| Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Operational management | Preventive | |
| Include an executive summary of the incident in the incident response report. CC ID 12702 | Operational management | Preventive | |
| Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Operational management | Preventive | |
| Define target resolution times for incident response in the Incident Response program. CC ID 13072 | Operational management | Preventive | |
| Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Preventive | |
| Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Preventive | |
| Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Preventive | |
| Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Preventive | |
| Include addressing information sharing in the incident response plan. CC ID 13349 | Operational management | Preventive | |
| Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Preventive | |
| Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Preventive | |
| Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Preventive | |
| Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Preventive | |
| Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Preventive | |
| Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Preventive | |
| Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Operational management | Preventive | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Preventive | |
| Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Operational management | Preventive | |
| Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 [{annual basis} Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, service providers, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. CIS Control 17: Safeguard 17.2 Establish and Maintain Contact Information for Reporting Security Incidents {annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Operational management | Preventive | |
| Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 | Operational management | Preventive | |
| Include identifying remediation actions in the incident response plan. CC ID 13354 | Operational management | Preventive | |
| Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 | Operational management | Preventive | |
| Include log management procedures in the incident response program. CC ID 17081 | Operational management | Preventive | |
| Include coverage of all system components in the Incident Response program. CC ID 11955 | Operational management | Preventive | |
| Prepare for incident response notifications. CC ID 00584 | Operational management | Preventive | |
| Include incident response team services in the Incident Response program. CC ID 11766 | Operational management | Preventive | |
| Include the incident response training program in the Incident Response program. CC ID 06750 | Operational management | Preventive | |
| Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Preventive | |
| Include compliance requirements in the incident response policy. CC ID 14108 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process] | Operational management | Preventive | |
| Include coordination amongst entities in the incident response policy. CC ID 14107 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process] | Operational management | Preventive | |
| Include management commitment in the incident response policy. CC ID 14106 | Operational management | Preventive | |
| Include roles and responsibilities in the incident response policy. CC ID 14105 | Operational management | Preventive | |
| Include the scope in the incident response policy. CC ID 14104 | Operational management | Preventive | |
| Include the purpose in the incident response policy. CC ID 14101 | Operational management | Preventive | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process {annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process] | Operational management | Detective | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Preventive | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Preventive | |
| Include business continuity procedures in the Incident Response program. CC ID 06433 | Operational management | Preventive | |
| Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 | Operational management | Preventive | |
| Include business recovery procedures in the Incident Response program. CC ID 11774 | Operational management | Preventive | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Preventive | |
| Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Operational management | Detective | |
| Define the business scenarios that require digital forensic evidence. CC ID 08653 | Operational management | Preventive | |
| Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Operational management | Preventive | |
| Document the legal requirements for evidence collection. CC ID 08654 | Operational management | Preventive | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Operational management | Preventive | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Preventive | |
| Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Operational management | Detective | |
| Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Operational management | Detective | |
| Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Operational management | Detective | |
| Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Operational management | Detective | |
| Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Operational management | Detective | |
| Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Operational management | Detective | |
| Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Operational management | Preventive | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Preventive | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 [{annual basis} Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.1 Establish and Maintain a Secure Configuration Process {annual basis} Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure] | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain appropriate system labeling. CC ID 01900 | System hardening through configuration management | Preventive | |
| Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | System hardening through configuration management | Preventive | |
| Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain configuration management procedures. CC ID 14074 | System hardening through configuration management | Preventive | |
| Include compliance requirements in the configuration management policy. CC ID 14072 | System hardening through configuration management | Preventive | |
| Include coordination amongst entities in the configuration management policy. CC ID 14071 | System hardening through configuration management | Preventive | |
| Include management commitment in the configuration management policy. CC ID 14070 | System hardening through configuration management | Preventive | |
| Include roles and responsibilities in the configuration management policy. CC ID 14069 | System hardening through configuration management | Preventive | |
| Include the scope in the configuration management policy. CC ID 14068 | System hardening through configuration management | Preventive | |
| Include the purpose in the configuration management policy. CC ID 14067 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a configuration management plan. CC ID 01901 | System hardening through configuration management | Preventive | |
| Include configuration management procedures in the configuration management plan. CC ID 14248 [{annual basis} Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.1 Establish and Maintain a Secure Configuration Process {annual basis} Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure] | System hardening through configuration management | Preventive | |
| Include roles and responsibilities in the configuration management plan. CC ID 14247 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain system tracking documentation. CC ID 15266 | System hardening through configuration management | Preventive | |
| Include prioritization codes in the system tracking documentation. CC ID 15283 | System hardening through configuration management | Preventive | |
| Include the type and category of the request in the system tracking documentation. CC ID 15281 | System hardening through configuration management | Preventive | |
| Include contact information in the system tracking documentation. CC ID 15280 | System hardening through configuration management | Preventive | |
| Include the username in the system tracking documentation. CC ID 15278 | System hardening through configuration management | Preventive | |
| Include a problem description in the system tracking documentation. CC ID 15276 | System hardening through configuration management | Preventive | |
| Include affected systems in the system tracking documentation. CC ID 15275 | System hardening through configuration management | Preventive | |
| Include root causes in the system tracking documentation. CC ID 15274 | System hardening through configuration management | Preventive | |
| Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | System hardening through configuration management | Preventive | |
| Include current status in the system tracking documentation. CC ID 15272 | System hardening through configuration management | Preventive | |
| Record Configuration Management items in the Configuration Management database. CC ID 00861 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). CIS Control 4: Secure Configuration of Enterprise Assets and Software] | System hardening through configuration management | Preventive | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Preventive | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Preventive | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Preventive | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Preventive | |
| Include installed custom software in the baseline configuration. CC ID 13274 [Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. CIS Control 16: Safeguard 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure] | System hardening through configuration management | Preventive | |
| Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Preventive | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Preventive | |
| Include backup procedures in the Configuration Management policy. CC ID 01314 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a system hardening standard. CC ID 00876 | System hardening through configuration management | Preventive | |
| Include common security parameter settings in the configuration standards for all systems. CC ID 12544 | System hardening through configuration management | Preventive | |
| Provide documentation verifying devices are not susceptible to known exploits. CC ID 11987 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
| Document that all enabled functions support secure configurations. CC ID 11985 | System hardening through configuration management | Preventive | |
| Validate, approve, and document all UNIX shells prior to use. CC ID 02161 | System hardening through configuration management | Preventive | |
| Configure the "global Package signature checking" setting to organizational standards. CC ID 08735 | System hardening through configuration management | Preventive | |
| Configure the "Package signature checking" setting for "all configured repositories" to organizational standards. CC ID 08736 | System hardening through configuration management | Preventive | |
| Configure the "verify against the package database" setting for "all installed software packages" to organizational standards. CC ID 08737 | System hardening through configuration management | Preventive | |
| Configure the "isdn4k-utils" package to organizational standards. CC ID 08738 | System hardening through configuration management | Preventive | |
| Configure the "postfix" package to organizational standards. CC ID 08739 | System hardening through configuration management | Preventive | |
| Configure the "vsftpd" package to organizational standards. CC ID 08740 | System hardening through configuration management | Preventive | |
| Configure the "net-snmpd" package to organizational standards. CC ID 08741 | System hardening through configuration management | Preventive | |
| Configure the "rsyslog" package to organizational standards. CC ID 08742 | System hardening through configuration management | Preventive | |
| Configure the "ipsec-tools" package to organizational standards. CC ID 08743 | System hardening through configuration management | Preventive | |
| Configure the "pam_ccreds" package to organizational standards. CC ID 08744 | System hardening through configuration management | Preventive | |
| Configure the "talk-server" package to organizational standards. CC ID 08745 | System hardening through configuration management | Preventive | |
| Configure the "talk" package to organizational standards. CC ID 08746 | System hardening through configuration management | Preventive | |
| Configure the "irda-utils" package to organizational standards. CC ID 08747 | System hardening through configuration management | Preventive | |
| Configure the "all world-writable directories" user ownership to organizational standards. CC ID 08714 | System hardening through configuration management | Preventive | |
| Configure the "all rsyslog log" files group ownership to organizational standards. CC ID 08715 | System hardening through configuration management | Preventive | |
| Configure the "all rsyslog log" files user ownership to organizational standards. CC ID 08716 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a Configuration Baseline Documentation Record. CC ID 02130 [Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. CIS Control 16: Safeguard 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure] | System hardening through configuration management | Preventive | |
| Document and approve any changes to the Configuration Baseline Documentation Record. CC ID 12104 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain an information management program. CC ID 14315 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process {annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Records management | Preventive | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
| Establish, implement, and maintain a data retention program. CC ID 00906 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines. CIS Control 3: Safeguard 3.4 Enforce Data Retention] | Records management | Detective | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection {disposal method} Securely dispose of data as outlined in the enterprise's documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity. CIS Control 3: Safeguard 3.5 Securely Dispose of Data] | Records management | Preventive | |
| Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Records management | Preventive | |
| Maintain disposal records or redeployment records. CC ID 01644 | Records management | Preventive | |
| Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Preventive | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
| Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Preventive | |
| Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Preventive | |
| Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Preventive | |
| Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Preventive | |
| Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Preventive | |
| Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Preventive | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Preventive | |
| Assign ownership for all electronic records. CC ID 14814 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Records management | Preventive | |
| Attribute electronic records, as necessary. CC ID 14820 | Records management | Preventive | |
| Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 | Systems design, build, and implementation | Preventive | |
| Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain project management standards. CC ID 00992 | Systems design, build, and implementation | Preventive | |
| Specify appropriate tools for the system development project. CC ID 06830 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain outsourced development procedures. CC ID 01141 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a system design specification. CC ID 04557 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Systems design, build, and implementation | Preventive | |
| Document the system architecture in the system design specification. CC ID 12287 | Systems design, build, and implementation | Preventive | |
| Include hardware requirements in the system design specification. CC ID 08666 | Systems design, build, and implementation | Preventive | |
| Include communication links in the system design specification. CC ID 08665 | Systems design, build, and implementation | Preventive | |
| Include a description of each module and asset in the system design specification. CC ID 11734 | Systems design, build, and implementation | Preventive | |
| Include supporting software requirements in the system design specification. CC ID 08664 | Systems design, build, and implementation | Preventive | |
| Establish and maintain Application Programming Interface documentation. CC ID 12203 | Systems design, build, and implementation | Preventive | |
| Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Systems design, build, and implementation | Preventive | |
| Include the logical data flows and process steps in the system design specification. CC ID 08668 | Systems design, build, and implementation | Preventive | |
| Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain coding guidelines. CC ID 08661 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain human interface guidelines. CC ID 08662 | Systems design, build, and implementation | Preventive | |
| Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Systems design, build, and implementation | Preventive | |
| Include functionality for managing user data in human interface guidelines. CC ID 14928 | Systems design, build, and implementation | Preventive | |
| Establish and maintain User Interface documentation. CC ID 12204 | Systems design, build, and implementation | Preventive | |
| Include system messages in human interface guidelines. CC ID 08663 | Systems design, build, and implementation | Preventive | |
| Include measurable system performance requirements in the system design specification. CC ID 08667 | Systems design, build, and implementation | Preventive | |
| Include the data structure in the system design specification. CC ID 08669 | Systems design, build, and implementation | Preventive | |
| Include the input and output variables in the system design specification. CC ID 08670 | Systems design, build, and implementation | Preventive | |
| Include data encryption information in the system design specification. CC ID 12209 | Systems design, build, and implementation | Preventive | |
| Include records disposition information in the system design specification. CC ID 12208 | Systems design, build, and implementation | Preventive | |
| Include how data is managed in each module in the system design specification. CC ID 12207 | Systems design, build, and implementation | Preventive | |
| Include identifying restricted data in the system design specification. CC ID 12206 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain session security coding standards. CC ID 04584 | Systems design, build, and implementation | Preventive | |
| Establish and maintain a cryptographic architecture document. CC ID 12476 | Systems design, build, and implementation | Preventive | |
| Include the algorithms used in the cryptographic architecture document. CC ID 12483 | Systems design, build, and implementation | Preventive | |
| Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 | Systems design, build, and implementation | Preventive | |
| Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 | Systems design, build, and implementation | Preventive | |
| Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 | Systems design, build, and implementation | Preventive | |
| Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 | Systems design, build, and implementation | Preventive | |
| Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 | Systems design, build, and implementation | Preventive | |
| Include the protocols used in the cryptographic architecture document. CC ID 12485 | Systems design, build, and implementation | Preventive | |
| Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 | Systems design, build, and implementation | Preventive | |
| Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 | Systems design, build, and implementation | Preventive | |
| Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Systems design, build, and implementation | Preventive | |
| Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Systems design, build, and implementation | Preventive | |
| Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Systems design, build, and implementation | Preventive | |
| Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Systems design, build, and implementation | Preventive | |
| Review and update the security architecture, as necessary. CC ID 14277 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Systems design, build, and implementation | Corrective | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 [Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. CIS Control 16: Safeguard 16.11 Leverage Vetted Modules or Services for Application Security Components {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems design, build, and implementation | Preventive | |
| Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Systems design, build, and implementation | Preventive | |
| Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a security policy model document. CC ID 04560 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain system testing procedures. CC ID 11744 | Systems design, build, and implementation | Preventive | |
| Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain system acceptance criteria. CC ID 06210 [{annual basis} Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. CIS Control 16: Safeguard 16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities] | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include security requirements in system acquisition contracts. CC ID 01124 [{be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components] | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include operational requirements in system acquisition contracts. CC ID 00825 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include required service levels in system acquisition contracts. CC ID 11652 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include security controls in system acquisition contracts. CC ID 01125 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Obtain system documentation before acquiring products and services. CC ID 01445 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include security functions in the user documentation. CC ID 14313 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include a description of user interactions in the user documentation. CC ID 14311 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [{monthly basis} Establish and manage an updated inventory of third-party components used in development, often referred to as a "bill of materials," as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. CIS Control 16: Safeguard 16.4 Establish and Manage an Inventory of Third-Party Software Components {monthly basis} Establish and manage an updated inventory of third-party components used in development, often referred to as a "bill of materials," as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. CIS Control 16: Safeguard 16.4 Establish and Manage an Inventory of Third-Party Software Components {be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components {be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components] | Acquisition or sale of facilities, technology, and services | Preventive | |
| Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection {annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Preventive | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Preventive | |
| Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{annual basis} Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. CIS Control 15: Safeguard 15.4 Ensure Service Provider Contracts Include Security Requirements] | Third Party and supply chain oversight | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Third Party and supply chain oversight | Preventive | |
| Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Preventive | |
| Establish and maintain a Third Party Service Provider list. CC ID 12480 [{annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.3 Classify Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Third Party and supply chain oversight | Preventive | |
| Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Preventive | |
| Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Preventive | |
| Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Preventive | |
| Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 [{annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers] | Third Party and supply chain oversight | Preventive | |
| Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Preventive | |
| Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Preventive | |
| Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Preventive | |
| Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Preventive | |
| Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Preventive | |
| Categorize all suppliers in the supply chain management program. CC ID 00792 [{annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.3 Classify Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Third Party and supply chain oversight | Preventive | |
| Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain a supply chain management policy. CC ID 08808 [{annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Third Party and supply chain oversight | Preventive | |
| Include supplier assessment principles in the supply chain management policy. CC ID 08809 [{annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Third Party and supply chain oversight | Preventive | |
| Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Preventive | |
| Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Preventive | |
| Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Preventive | |
| Include a clear management process in the supply chain management policy. CC ID 08810 | Third Party and supply chain oversight | Preventive | |
| Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Preventive | |
| Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Third Party and supply chain oversight | Preventive | |
| Require suppliers to commit to the supply chain management policy. CC ID 08813 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Preventive | |
| Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Preventive | |
| Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Preventive | |
| Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Preventive | |
| Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Preventive | |
| Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Preventive | |
| Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Preventive | |
| Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Preventive | |
| Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Preventive | |
| Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 | Third Party and supply chain oversight | Preventive | |
| Review transaction files for compliance with the supply chain audit standard. CC ID 08864 | Third Party and supply chain oversight | Preventive | |
| Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 | Third Party and supply chain oversight | Preventive | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 | Third Party and supply chain oversight | Preventive | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Third Party and supply chain oversight | Detective | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Preventive | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Detective | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Detective | |
| Request attestation of compliance from third parties. CC ID 12067 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Third Party and supply chain oversight | Detective | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Monitoring and measurement | Detective | |
| Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Preventive | |
| Define roles for information systems. CC ID 12454 | Technical security | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Preventive | |
| Change authenticators after personnel status changes. CC ID 12284 | Technical security | Preventive | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Technical security | Preventive | |
| Require multiple forms of personal identification prior to issuing user identifiers. CC ID 08712 | Technical security | Preventive | |
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Preventive | |
| Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
| Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Preventive | |
| Implement a staff rotation plan. CC ID 12772 | Human Resources management | Preventive | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Preventive | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
| Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Preventive | |
| Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Preventive | |
| Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Preventive | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 [Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling] | Operational management | Preventive | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Corrective | |
| Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Operational management | Preventive | |
| Assign appropriate parties to approve the system design specification. CC ID 13070 | Systems design, build, and implementation | Preventive | |
| Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Preventive | |
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Corrective | |
| Rank discovered vulnerabilities. CC ID 11940 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. CIS Control 16: Safeguard 16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities] | Monitoring and measurement | Detective | |
| Take appropriate action to address information flow anomalies. CC ID 12164 | Technical security | Corrective | |
| Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 | Technical security | Detective | |
| Scan for malicious code, as necessary. CC ID 11941 | Technical security | Detective | |
| Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Detective | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Detective | |
| Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Detective | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Preventive | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Detective | |
| Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Detective | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Detective | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Detective | |
| Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 [{annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Operational management | Detective | |
| Protect devices containing digital forensic evidence during transport. CC ID 08687 | Operational management | Detective | |
| Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Operational management | Detective | |
| Conduct forensic investigations in the event of a security compromise. CC ID 11951 | Operational management | Corrective | |
| Identify potential sources of digital forensic evidence. CC ID 08651 | Operational management | Preventive | |
| Prepare digital forensic equipment. CC ID 08688 | Operational management | Detective | |
| Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Operational management | Detective | |
| Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Operational management | Detective | |
| Maintain digital forensic equipment for proper performance. CC ID 08689 | Operational management | Detective | |
| Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Operational management | Detective | |
| Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Operational management | Detective | |
| Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Operational management | Detective | |
| Secure devices containing digital forensic evidence. CC ID 08681 | Operational management | Detective | |
| Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Operational management | Detective | |
| Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Operational management | Detective | |
| Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Operational management | Detective | |
| Shut down stand alone devices containing digital forensic evidence. CC ID 08682 | Operational management | Detective | |
| Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Operational management | Detective | |
| Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Operational management | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective | |
| Document that supply chain members investigate security events. CC ID 13348 | Third Party and supply chain oversight | Detective | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
| Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets. CIS Control 8: Safeguard 8.2 Collect Audit Logs {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Monitoring and measurement | Preventive | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 [Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASHTM, and remote administrative terminals. CIS Control 8: Safeguard 8.8 Collect Command-Line Audit Logs Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events. CIS Control 8: Safeguard 8.12 Collect Service Provider Logs] | Monitoring and measurement | Detective | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets. CIS Control 8: Safeguard 8.2 Collect Audit Logs {weekly basis} Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. CIS Control 8: Safeguard 8.11 Conduct Audit Log Reviews] | Monitoring and measurement | Preventive | |
| Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Preventive | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [{weekly basis} Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. CIS Control 8: Safeguard 8.11 Conduct Audit Log Reviews {weekly basis} Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. CIS Control 1: Safeguard 1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Monitoring and measurement | Detective | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Corrective | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Detective | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Preventive | |
| Enable logging for all systems that meet a traceability criteria. CC ID 00640 | Monitoring and measurement | Detective | |
| Analyze firewall logs for the correct capturing of data. CC ID 00549 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 [{monthly basis} Tune security event alerting thresholds monthly, or more frequently. CIS Control 13: Safeguard 13.11 Tune Security Event Alerting Thresholds] | Monitoring and measurement | Preventive | |
| Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Detective | |
| Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Detective | |
| Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Detective | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Preventive | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Preventive | |
| Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Preventive | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Preventive | |
| Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Preventive | |
| Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Preventive | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Preventive | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Preventive | |
| Maintain a log of the overrides of the biometric system. CC ID 17000 | Technical security | Preventive | |
| Include the user's location in the system record. CC ID 16996 | Technical security | Preventive | |
| Log the performance of all remote maintenance. CC ID 13202 | Operational management | Preventive | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Corrective | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Preventive | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Preventive | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Corrective | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Preventive | |
| Include time information in the chain of custody. CC ID 17068 | Operational management | Preventive | |
| Include actions performed on evidence in the chain of custody. CC ID 17067 | Operational management | Preventive | |
| Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Operational management | Preventive | |
| Verify the log file configured to capture critical sendmail messages is owned by an appropriate user or group. CC ID 05319 | System hardening through configuration management | Preventive | |
| Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 | System hardening through configuration management | Detective | |
| Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 | System hardening through configuration management | Detective | |
| Configure the log to capture each auditable event's origination. CC ID 01338 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | System hardening through configuration management | Detective | |
| Configure the log to capture the details of electronic signature transactions. CC ID 16910 | System hardening through configuration management | Preventive | |
| Configure the log to uniquely identify each accessed record. CC ID 16909 | System hardening through configuration management | Preventive | |
| Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 | System hardening through configuration management | Preventive | |
| Configure the log to capture startups and shutdowns. CC ID 16491 | System hardening through configuration management | Preventive | |
| Configure the log to capture user queries and searches. CC ID 16479 | System hardening through configuration management | Preventive | |
| Configure the log to capture Internet Protocol addresses. CC ID 16495 | System hardening through configuration management | Preventive | |
| Configure the log to capture error messages. CC ID 16477 | System hardening through configuration management | Preventive | |
| Configure the log to capture system failures. CC ID 16475 | System hardening through configuration management | Preventive | |
| Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 | System hardening through configuration management | Preventive | |
| Configure the log to capture all malicious code that has been discovered, quarantined, and/or eradicated. CC ID 00577 | System hardening through configuration management | Detective | |
| Capture successful operating system access and successful software access. CC ID 00527 | System hardening through configuration management | Detective | |
| Configure the log to capture hardware and software access attempts. CC ID 01220 | System hardening through configuration management | Detective | |
| Configure the log to capture logons, logouts, logon attempts, and logout attempts. CC ID 01915 | System hardening through configuration management | Detective | |
| Configure the log to capture access to restricted data or restricted information. CC ID 00644 [Log sensitive data access, including modification and disposal. CIS Control 3: Safeguard 3.14 Log Sensitive Data Access] | System hardening through configuration management | Detective | |
| Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 | System hardening through configuration management | Detective | |
| Configure the log to capture identification and authentication mechanism use. CC ID 00648 | System hardening through configuration management | Detective | |
| Configure the log to capture all access to the audit trail. CC ID 00646 | System hardening through configuration management | Detective | |
| Configure the log to capture Object access to key directories or key files. CC ID 01697 | System hardening through configuration management | Detective | |
| Configure the log to capture both access and access attempts to security-relevant objects and security-relevant directories. CC ID 01916 | System hardening through configuration management | Detective | |
| Configure the log to capture system level object creation and deletion. CC ID 00650 | System hardening through configuration management | Detective | |
| Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 | System hardening through configuration management | Detective | |
| Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | System hardening through configuration management | Preventive | |
| Configure the log to capture user authenticator changes. CC ID 01917 | System hardening through configuration management | Detective | |
| Include the sanitization method in the disposal record. CC ID 17073 | Records management | Preventive | |
| Include time information in the disposal record. CC ID 17072 | Records management | Preventive | |
| Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Preventive | |
| Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Preventive | |
| Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Preventive | |
| Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Preventive | |
| Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Preventive | |
| Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Preventive | |
| Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Preventive | |
| Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Preventive | |
| Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Preventive | |
| Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Preventive | |
| Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Preventive | |
| Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Preventive | |
| Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Preventive | |
| Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Preventive | |
| Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Preventive | |
| Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Preventive | |
| Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Preventive | |
| Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Preventive | |
| Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Preventive | |
| Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Preventive | |
| Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Preventive | |
| Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Preventive | |
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective | |
Maintenance | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Preventive | |
| Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Preventive | |
| Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Preventive | |
| Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Preventive | |
| Use system components only when third party support is available. CC ID 10644 | Operational management | Preventive | |
| Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Preventive | |
| Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Preventive | |
| Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Preventive | |
| Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Preventive | |
| Restart systems on a periodic basis. CC ID 16498 | Operational management | Preventive | |
| Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Preventive | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
| Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Detective | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Preventive | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | Monitoring and measurement | Detective | |
| Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Detective | |
| Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Detective | |
| Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Preventive | |
| Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Detective | |
| Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Detective | |
| Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Detective | |
| Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitoring and measurement | Detective | |
| Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Detective | |
| Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Preventive | |
| Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain a corrective action plan. CC ID 00675 [{monthly basis} Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. CIS Control 7: Safeguard 7.2 Establish and Maintain Remediation Process] | Monitoring and measurement | Detective | |
| Include monitoring in the corrective action plan. CC ID 11645 [{monthly basis} Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. CIS Control 7: Safeguard 7.2 Establish and Maintain Remediation Process] | Monitoring and measurement | Detective | |
| Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
| Perform content filtering scans on network traffic. CC ID 06761 [Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway. CIS Control 13: Safeguard 13.10 Perform Application Layer Filtering Perform traffic filtering between network segments, where appropriate. CIS Control 13: Safeguard 13.4 Perform Traffic Filtering Between Network Segments] | Technical security | Detective | |
| Perform content filtering scans on incoming and outgoing e-mail. CC ID 06733 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | Technical security | Detective | |
| Monitor and evaluate all remote access usage. CC ID 00563 | Technical security | Detective | |
| Log and react to all malicious code activity. CC ID 07072 | Technical security | Detective | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Detective | |
| Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Corrective | |
| Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Corrective | |
| Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Preventive | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
| Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Corrective | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Detective | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Preventive | |
| Supervise and monitor outsourced development projects. CC ID 01096 [Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers] | Systems design, build, and implementation | Detective | |
| Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 | Systems design, build, and implementation | Detective | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Preventive | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Preventive | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Preventive | |
| Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling] | Third Party and supply chain oversight | Detective | |
| Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Detective | |
Physical and Environmental Protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Preventive | |
| Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Preventive | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Preventive | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Preventive | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Preventive | |
| Conduct environmental surveys. CC ID 00690 | Operational management | Preventive | |
| Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Preventive | |
| Control and monitor all maintenance tools. CC ID 01432 | Operational management | Detective | |
| Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Preventive | |
| Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Corrective | |
| Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Preventive | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Detective | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
| Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Preventive | |
| Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Preventive | |
| Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Preventive | |
| Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Preventive | |
| Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Preventive | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Preventive | |
| Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Preventive | |
| Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Preventive | |
| Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Preventive | |
| Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Preventive | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Preventive | |
| Define the activation requirements for identification cards or badges. CC ID 06583 | Technical security | Preventive | |
| Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Technical security | Preventive | |
| Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Preventive | |
| Enforce the network segmentation requirements. CC ID 16381 | Technical security | Preventive | |
| Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 [{weekly basis} Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. CIS Control 1: Safeguard 1.5 Use a Passive Asset Discovery Tool] | Technical security | Detective | |
| Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Detective | |
| Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 | Technical security | Detective | |
| Update application layer firewalls to the most current version. CC ID 12037 | Technical security | Preventive | |
| Assign virtual escorting to authorized personnel. CC ID 16440 | Technical security | Preventive | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Preventive | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Preventive | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Preventive | |
| Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Corrective | |
| Include all vulnerabilities in the application security review. CC ID 12036 | Technical security | Preventive | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 [{be appropriate} Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise. CIS Control 4: Safeguard 4.11 Enforce Remote Wipe Capability on Portable End-User Devices] | Physical and environmental protection | Corrective | |
| Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Preventive | |
| Perform backup procedures for in scope systems. CC ID 11692 [{weekly basis} Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. CIS Control 11: Safeguard 11.2 Perform Automated Backups] | Operational and Systems Continuity | Preventive | |
| Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Preventive | |
| Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Preventive | |
| Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Operational management | Preventive | |
| Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Preventive | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Corrective | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
| Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Detective | |
| Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Preventive | |
| Remove dormant data from systems, as necessary. CC ID 13726 | Records management | Preventive | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines. CIS Control 3: Safeguard 3.4 Enforce Data Retention {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Records management | Preventive | |
| Define each system's disposition requirements for records and logs. CC ID 11651 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Records management | Preventive | |
| Display required information automatically in electronic health records. CC ID 14442 | Records management | Preventive | |
| Create export summaries, as necessary. CC ID 14446 | Records management | Preventive | |
| Identify patient-specific education resources. CC ID 14439 | Records management | Detective | |
| Establish, implement, and maintain identification card or badge architectural designs. CC ID 06591 | Systems design, build, and implementation | Preventive | |
| Define the physical requirements for identification cards or badges in the identification card or badge architectural designs. CC ID 06592 | Systems design, build, and implementation | Preventive | |
| Define the mandatory items that must appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06593 | Systems design, build, and implementation | Preventive | |
| Define the optional items that may appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06594 | Systems design, build, and implementation | Preventive | |
| Include the logical credential data model for identification cards or badges in the identification card or badge architectural designs. CC ID 06595 | Systems design, build, and implementation | Preventive | |
| Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Systems design, build, and implementation | Preventive | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Systems design, build, and implementation | Preventive | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems design, build, and implementation | Preventive | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Systems design, build, and implementation | Preventive | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Systems design, build, and implementation | Preventive | |
| Document attempts to obtain system documentation. CC ID 14284 | Acquisition or sale of facilities, technology, and services | Corrective | |
| Search the Internet for evidence of data leakage. CC ID 10419 [Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers] | Privacy protection for information and data | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective | |
| Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Third Party and supply chain oversight | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Retain penetration test results according to internal policy. CC ID 10049 | Monitoring and measurement | Preventive | |
| Retain penetration test remediation action records according to internal policy. CC ID 11629 | Monitoring and measurement | Preventive | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Preventive | |
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Preventive | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 [Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services. CIS Control 11: Safeguard 11.4 Establish and Maintain an Isolated Instance of Recovery Data] | Physical and environmental protection | Preventive | |
| Include source code in the asset inventory. CC ID 14858 | Operational management | Preventive | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Preventive | |
| Retain collected evidence for potential future legal actions. CC ID 01235 | Operational management | Preventive | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Operational management | Preventive | |
| Archive appropriate records, logs, and database tables. CC ID 06321 | Records management | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 [Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. CIS Control 8: Audit Log Management {stipulated time frame} Retain audit logs across enterprise assets for a minimum of 90 days. CIS Control 8: Safeguard 8.10 Retain Audit Logs] | Records management | Preventive | |
| Manage the disposition status for all records. CC ID 00972 [{disposal method} Securely dispose of data as outlined in the enterprise's documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity. CIS Control 3: Safeguard 3.5 Securely Dispose of Data] | Records management | Preventive | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Preventive | |
| Capture the records required by organizational compliance requirements. CC ID 00912 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection] | Records management | Detective | |
| Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Preventive | |
| Establish and maintain an implantable device list. CC ID 14444 | Records management | Preventive | |
| Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Preventive | |
| Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Preventive | |
| Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Preventive | |
| Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Preventive | |
| Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Preventive | |
| Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Preventive | |
| Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Preventive | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Preventive | |
Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Operational and Systems Continuity | Preventive | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 [{weekly basis} Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. CIS Control 11: Safeguard 11.2 Perform Automated Backups] | Operational and Systems Continuity | Preventive | |
| Back up all records. CC ID 11974 | Operational and Systems Continuity | Preventive | |
| Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 | Operational and Systems Continuity | Preventive | |
| Protect backup systems and restoration systems at the alternate facility. CC ID 04883 [{annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Operational and Systems Continuity | Preventive | |
| Include consumer protection procedures in the Incident Response program. CC ID 12755 | Operational management | Preventive | |
| Review third parties' backup policies. CC ID 13043 | Third Party and supply chain oversight | Detective | |
Systems Design, Build, and Implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Implement gateways between security domains. CC ID 16493 | Technical security | Preventive | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive | |
| Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Preventive | |
| Review each system's operational readiness. CC ID 06275 | Operational management | Preventive | |
| Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain security design principles. CC ID 14718 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems design, build, and implementation | Preventive | |
| Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems design, build, and implementation | Preventive | |
| Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems design, build, and implementation | Preventive | |
| Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems design, build, and implementation | Preventive | |
| Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems design, build, and implementation | Preventive | |
| Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems design, build, and implementation | Preventive | |
| Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems design, build, and implementation | Preventive | |
| Include secure system modification of systems or system components in the security design principles. CC ID 14746 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | Systems design, build, and implementation | Preventive | |
| Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems design, build, and implementation | Preventive | |
| Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems design, build, and implementation | Preventive | |
| Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems design, build, and implementation | Preventive | |
| Include least privilege of systems or system components in the security design principles. CC ID 14742 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | Systems design, build, and implementation | Preventive | |
| Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems design, build, and implementation | Preventive | |
| Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems design, build, and implementation | Preventive | |
| Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems design, build, and implementation | Preventive | |
| Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems design, build, and implementation | Preventive | |
| Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems design, build, and implementation | Preventive | |
| Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems design, build, and implementation | Preventive | |
| Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems design, build, and implementation | Preventive | |
| Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems design, build, and implementation | Preventive | |
| Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems design, build, and implementation | Preventive | |
| Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems design, build, and implementation | Preventive | |
| Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems design, build, and implementation | Preventive | |
| Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems design, build, and implementation | Preventive | |
| Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems design, build, and implementation | Preventive | |
| Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems design, build, and implementation | Preventive | |
| Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems design, build, and implementation | Preventive | |
| Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems design, build, and implementation | Preventive | |
| Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems design, build, and implementation | Preventive | |
| Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems design, build, and implementation | Preventive | |
| Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems design, build, and implementation | Preventive | |
| Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems design, build, and implementation | Preventive | |
| Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems design, build, and implementation | Preventive | |
| Separate the design and development environment from the production environment. CC ID 06088 [{production system} Maintain separate environments for production and non-production systems. CIS Control 16: Safeguard 16.8 Separate Production and Non-Production Systems] | Systems design, build, and implementation | Preventive | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Preventive | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Preventive | |
| Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Preventive | |
| Include threat models in the system design specification. CC ID 06829 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Systems design, build, and implementation | Preventive | |
| Include security requirements in the system design specification. CC ID 06826 | Systems design, build, and implementation | Preventive | |
| Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems design, build, and implementation | Preventive | |
| Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems design, build, and implementation | Preventive | |
| Implement security controls when developing systems. CC ID 06270 [{static analysis tool} Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed. CIS Control 16: Safeguard 16.12 Implement Code-Level Security Checks Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. CIS Control 16: Safeguard 16.11 Leverage Vetted Modules or Services for Application Security Components] | Systems design, build, and implementation | Preventive | |
| Analyze and minimize attack surfaces when developing systems. CC ID 06828 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | Systems design, build, and implementation | Preventive | |
| Implement a hardware security module, as necessary. CC ID 12222 | Systems design, build, and implementation | Preventive | |
| Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems design, build, and implementation | Preventive | |
| Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems design, build, and implementation | Preventive | |
| Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems design, build, and implementation | Preventive | |
| Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems design, build, and implementation | Preventive | |
| Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems design, build, and implementation | Preventive | |
| Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems design, build, and implementation | Preventive | |
| Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems design, build, and implementation | Preventive | |
| Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems design, build, and implementation | Preventive | |
| Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems design, build, and implementation | Preventive | |
| Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems design, build, and implementation | Preventive | |
| Install secret information under dual control into the hardware security module. CC ID 12257 | Systems design, build, and implementation | Preventive | |
| Design the security architecture. CC ID 06269 | Systems design, build, and implementation | Preventive | |
| Develop new products based on secure coding techniques. CC ID 11733 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems design, build, and implementation | Preventive | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Preventive | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Preventive | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems design, build, and implementation | Preventive | |
| Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems design, build, and implementation | Corrective | |
| Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. CIS Control 7: Continuous Vulnerability Management] | Leadership and high level objectives | Detective | |
| Establish, implement, and maintain log analysis tools. CC ID 17056 | Monitoring and measurement | Preventive | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 [Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. CIS Control 8: Audit Log Management] | Monitoring and measurement | Detective | |
| Scan wireless networks for rogue devices. CC ID 11623 | Monitoring and measurement | Detective | |
| Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Monitoring and measurement | Corrective | |
| Perform internal penetration tests, as necessary. CC ID 12471 [{annual basis} Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.5 Perform Periodic Internal Penetration Tests] | Monitoring and measurement | Detective | |
| Perform external penetration tests, as necessary. CC ID 12470 [{annual basis} Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.2 Perform Periodic External Penetration Tests] | Monitoring and measurement | Detective | |
| Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 [Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. CIS Control 16: Safeguard 16.13 Conduct Application Penetration Testing] | Monitoring and measurement | Detective | |
| Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Detective | |
| Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Monitoring and measurement | Preventive | |
| Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Detective | |
| Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Corrective | |
| Perform vulnerability scans, as necessary. CC ID 11637 [{quarterly basis} {authenticated vulnerability scan} {unauthenticated vulnerability scan} Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans. CIS Control 7: Safeguard 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets] | Monitoring and measurement | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 | Monitoring and measurement | Detective | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Preventive | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Monitoring and measurement | Detective | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Detective | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Detective | |
| Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Detective | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Detective | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Detective | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Detective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Monitoring and measurement | Detective | |
| Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 [Remediate penetration test findings based on the enterprise's documented vulnerability remediation process. This should include determining a timeline and level of effort based on the impact and prioritization of each identified finding. CIS Control 18: Safeguard 18.3 Remediate Penetration Test Findings] | Monitoring and measurement | Corrective | |
| Correct or mitigate vulnerabilities. CC ID 12497 [{monthly basis} Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process. CIS Control 7: Safeguard 7.7 Remediate Detected Vulnerabilities {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program Remediate penetration test findings based on the enterprise's documented vulnerability remediation process. This should include determining a timeline and level of effort based on the impact and prioritization of each identified finding. CIS Control 18: Safeguard 18.3 Remediate Penetration Test Findings] | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Corrective | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Preventive | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Preventive | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Preventive | |
| Identify information system users. CC ID 12081 [{user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Technical security | Detective | |
| Review user accounts. CC ID 00525 [{quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Technical security | Detective | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical security | Detective | |
| Review shared accounts. CC ID 11840 | Technical security | Detective | |
| Control access rights to organizational assets. CC ID 00004 [Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. CIS Control 3: Safeguard 3.3 Configure Data Access Control Lists Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user. CIS Control 6: Safeguard 6.1 Establish an Access Granting Process] | Technical security | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 [{annual basis} Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. CIS Control 6: Safeguard 6.8 Define and Maintain Role-Based Access Control Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Technical security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 [Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts. CIS Control 4: Safeguard 4.10 Enforce Automatic Device Lockout on Portable End-User Devices] | Technical security | Preventive | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Preventive | |
| Include all system components in the access control system. CC ID 11939 | Technical security | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 [{remote connection} Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date. CIS Control 13: Safeguard 13.5 Manage Access Control for Remote Assets] | Technical security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 [{annual basis} Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. CIS Control 6: Safeguard 6.8 Define and Maintain Role-Based Access Control] | Technical security | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 | Technical security | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Preventive | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Preventive | |
| Control user privileges. CC ID 11665 | Technical security | Preventive | |
| Review all user privileges, as necessary. CC ID 06784 [{annual basis} Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. CIS Control 6: Safeguard 6.8 Define and Maintain Role-Based Access Control] | Technical security | Preventive | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Preventive | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Preventive | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Preventive | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Preventive | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [{user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management {user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management] | Technical security | Preventive | |
| Automate access control methods, as necessary. CC ID 11838 | Technical security | Preventive | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Preventive | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Preventive | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical security | Preventive | |
| Remove inactive user accounts, as necessary. CC ID 00517 [{stipulated timeframe} Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. CIS Control 5: Safeguard 5.3 Disable Dormant Accounts] | Technical security | Corrective | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Corrective | |
| Enforce the password policy. CC ID 16347 | Technical security | Preventive | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Preventive | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management] | Technical security | Preventive | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical security | Preventive | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Corrective | |
| Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical security | Preventive | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Preventive | |
| Disallow the use of Personal Identification Numbers as user identifiers. CC ID 06785 | Technical security | Preventive | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical security | Preventive | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Preventive | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Preventive | |
| Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical security | Preventive | |
| Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical security | Preventive | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Preventive | |
| Identify and control all network access controls. CC ID 00529 [Centralize network AAA. CIS Control 12: Safeguard 12.5 Centralize Network Authentication, Authorization, and Auditing (AAA) Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication. CIS Control 13: Safeguard 13.9 Deploy Port-Level Access Control] | Technical security | Preventive | |
| Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 | Technical security | Detective | |
| Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical security | Preventive | |
| Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Preventive | |
| Manage all internal network connections. CC ID 06329 | Technical security | Preventive | |
| Employ Dynamic Host Configuration Protocol server logging when assigning dynamic IP addresses using the Dynamic Host Configuration Protocol. CC ID 12109 [{weekly basis} Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. CIS Control 1: Safeguard 1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory] | Technical security | Preventive | |
| Establish, implement, and maintain separate virtual private networks to transport sensitive information. CC ID 12124 | Technical security | Preventive | |
| Establish, implement, and maintain separate virtual local area networks for untrusted devices. CC ID 12095 | Technical security | Preventive | |
| Plan for and approve all network changes. CC ID 00534 | Technical security | Preventive | |
| Manage all external network connections. CC ID 11842 | Technical security | Preventive | |
| Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 | Technical security | Preventive | |
| Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 | Technical security | Preventive | |
| Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical security | Preventive | |
| Implement a fault-tolerant architecture. CC ID 01626 | Technical security | Preventive | |
| Implement segregation of duties. CC ID 11843 | Technical security | Preventive | |
| Refrain from disclosing Internet Protocol addresses, routing information, and DNS names, unless necessary. CC ID 11891 | Technical security | Preventive | |
| Segregate systems in accordance with organizational standards. CC ID 12546 [Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. CIS Control 12: Safeguard 12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Technical security | Preventive | |
| Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Preventive | |
| Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 [{be equivalent} Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. CIS Control 11: Safeguard 11.3 Protect Recovery Data] | Technical security | Preventive | |
| Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Preventive | |
| Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Preventive | |
| Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Preventive | |
| Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical security | Preventive | |
| Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Preventive | |
| Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Preventive | |
| Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 [Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. CIS Control 4: Safeguard 4.4 Implement and Manage a Firewall on Servers] | Technical security | Preventive | |
| Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical security | Preventive | |
| Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 | Technical security | Preventive | |
| Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 | Technical security | Corrective | |
| Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 | Technical security | Preventive | |
| Protect the firewall's network connection interfaces. CC ID 01955 | Technical security | Preventive | |
| Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Preventive | |
| Filter packets based on IPv6 header fields. CC ID 17048 | Technical security | Preventive | |
| Configure firewall filtering to only permit established connections into the network. CC ID 12482 [Use DNS filtering services on all end-user devices, including remote and on-premises assets, to block access to known malicious domains. CIS Control 9: Safeguard 9.2 Use DNS Filtering Services] | Technical security | Preventive | |
| Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical security | Preventive | |
| Distrust relying solely on Wired Equivalent Privacy encryption for Wireless Local Area Networks. CC ID 01647 | Technical security | Preventive | |
| Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points. CC ID 00605 | Technical security | Preventive | |
| Use content filtering scans to identify information flows by data type specification. CC ID 06762 | Technical security | Preventive | |
| Use content filtering scans to identify information flows by data type usage. CC ID 11818 | Technical security | Preventive | |
| Prevent encrypted data from bypassing content filtering mechanisms. CC ID 06758 | Technical security | Preventive | |
| Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists. CC ID 12128 [Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory. CIS Control 3: Safeguard 3.13 Deploy a Data Loss Prevention Solution] | Technical security | Preventive | |
| Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical security | Preventive | |
| Block uncategorized sites using URL filtering. CC ID 12140 [{blacklist website} Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. CIS Control 9: Safeguard 9.3 Maintain and Enforce Network-Based URL Filters] | Technical security | Preventive | |
| Separate user functionality from system management functionality. CC ID 11858 [Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account. CIS Control 5: Safeguard 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts] | Technical security | Preventive | |
| Control all methods of remote access and teleworking. CC ID 00559 [{remote connection} Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date. CIS Control 13: Safeguard 13.5 Manage Access Control for Remote Assets] | Technical security | Preventive | |
| Refrain from allowing remote users to copy files to remote devices. CC ID 06792 | Technical security | Preventive | |
| Control remote access through a network access control. CC ID 01421 | Technical security | Preventive | |
| Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 | Technical security | Preventive | |
| Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [Require MFA for remote network access. CIS Control 6: Safeguard 6.4 Require MFA for Remote Network Access] | Technical security | Preventive | |
| Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical security | Preventive | |
| Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Preventive | |
| Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical security | Preventive | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 [Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. CIS Control 16: Safeguard 16.11 Leverage Vetted Modules or Services for Application Security Components] | Technical security | Preventive | |
| Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical security | Preventive | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Preventive | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Preventive | |
| Bind keys to each identity. CC ID 12337 | Technical security | Preventive | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Preventive | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Preventive | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Preventive | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Preventive | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Preventive | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Preventive | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Preventive | |
| Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical security | Preventive | |
| Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical security | Preventive | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). CIS Control 3: Safeguard 3.10 Encrypt Sensitive Data in Transit] | Technical security | Preventive | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Preventive | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Preventive | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Preventive | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Preventive | |
| Install and maintain container security solutions. CC ID 16178 | Technical security | Preventive | |
| Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical security | Preventive | |
| Protect the system against replay attacks. CC ID 04552 | Technical security | Preventive | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical security | Detective | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical security | Corrective | |
| Correct all found deficiencies according to organizational standards after a web application policy compliance review. CC ID 06299 | Technical security | Corrective | |
| Re-evaluate the web application after deficiencies have been corrected. CC ID 06300 | Technical security | Corrective | |
| Terminate user accounts when notified that an individual is terminated. CC ID 11614 [Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. CIS Control 6: Safeguard 6.2 Establish an Access Revoking Process] | Human Resources management | Corrective | |
| Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [{user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. CIS Control 6: Safeguard 6.2 Establish an Access Revoking Process] | Human Resources management | Corrective | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Preventive | |
| Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 [{daily basis} Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently. CIS Control 1: Safeguard 1.3 Utilize an Active Discovery Tool Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software. CIS Control 2: Safeguard 2.4 Utilize Automated Software Inventory Tools] | Operational management | Preventive | |
| Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Preventive | |
| Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Detective | |
| Prevent users from disabling required software. CC ID 16417 | Operational management | Preventive | |
| Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Preventive | |
| Approve all remote maintenance sessions. CC ID 10615 | Operational management | Preventive | |
| Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Preventive | |
| Employ dedicated systems during system maintenance. CC ID 12108 [Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. CIS Control 12: Safeguard 12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work] | Operational management | Preventive | |
| Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 [Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. CIS Control 12: Safeguard 12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work] | Operational management | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
| Refrain from accessing compromised systems. CC ID 01752 | Operational management | Corrective | |
| Isolate compromised systems from the network. CC ID 01753 | Operational management | Corrective | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Corrective | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Corrective | |
| Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Corrective | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Preventive | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Corrective | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Corrective | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Corrective | |
| Patch software. CC ID 11825 [{monthly basis} Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.4 Perform Automated Application Patch Management] | Operational management | Corrective | |
| Patch the operating system, as necessary. CC ID 11824 [{monthly basis} Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.3 Perform Operating System Patch Management] | Operational management | Corrective | |
| Configure security parameter settings on all system components appropriately. CC ID 12041 [{biannual basis} Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.7 Allowlist Authorized Scripts] | System hardening through configuration management | Preventive | |
| Configure session timeout and reauthentication settings according to organizational standards. CC ID 12460 [{stipulated timeframe} Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. CIS Control 4: Safeguard 4.3 Configure Automatic Session Locking on Enterprise Assets {stipulated timeframe} Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. CIS Control 4: Safeguard 4.3 Configure Automatic Session Locking on Enterprise Assets] | System hardening through configuration management | Preventive | |
| Terminate all dependent sessions upon session termination. CC ID 16984 | System hardening through configuration management | Preventive | |
| Invalidate session identifiers upon session termination. CC ID 10649 | System hardening through configuration management | Preventive | |
| Use the latest approved version of all assets. CC ID 00897 [Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. CIS Control 9: Safeguard 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients] | System hardening through configuration management | Preventive | |
| Restrict and control the use of privileged utility programs. CC ID 12030 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain service accounts. CC ID 13861 | System hardening through configuration management | Preventive | |
| Review the ownership of service accounts, as necessary. CC ID 13863 | System hardening through configuration management | Detective | |
| Manage access credentials for service accounts. CC ID 13862 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management] | System hardening through configuration management | Preventive | |
| Verify system files are not world-writable. CC ID 01546 | System hardening through configuration management | Preventive | |
| Verify backup directories containing patches are not accessible. CC ID 01547 | System hardening through configuration management | Preventive | |
| Find files and directories with extended attributes. CC ID 01552 | System hardening through configuration management | Detective | |
| Digitally sign and encrypt e-mail, as necessary. CC ID 04493 | System hardening through configuration management | Preventive | |
| Manage temporary files, as necessary. CC ID 04847 | System hardening through configuration management | Preventive | |
| Restrict the exporting of files and directories, as necessary. CC ID 16315 | System hardening through configuration management | Preventive | |
| Verify the /usr/lib/sendmail file is owned by an appropriate user or group. CC ID 05324 | System hardening through configuration management | Preventive | |
| Employ multifactor authentication for accounts with administrative privilege. CC ID 12496 [Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider. CIS Control 6: Safeguard 6.5 Require MFA for Administrative Access] | System hardening through configuration management | Preventive | |
| Invoke a strong encryption method before requesting an authenticator. CC ID 11986 | System hardening through configuration management | Preventive | |
| Configure the log to capture all URL requests. CC ID 12138 [Collect URL request audit logs on enterprise assets, where appropriate and supported. CIS Control 8: Safeguard 8.7 Collect URL Request Audit Logs] | System hardening through configuration management | Detective | |
| Store master images on securely configured servers. CC ID 12089 | System hardening through configuration management | Preventive | |
| Update the security configuration of hardened images, as necessary. CC ID 12088 | System hardening through configuration management | Corrective | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Preventive | |
| Provide encryption for different types of electronic storage media. CC ID 00945 [Encrypt data on removable media. CIS Control 3: Safeguard 3.9 Encrypt Data on Removable Media] | Records management | Preventive | |
| Establish, implement, and maintain a CAPTCHA design specification. CC ID 17092 | Systems design, build, and implementation | Preventive | |
| Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 | Systems design, build, and implementation | Preventive | |
| Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Systems design, build, and implementation | Preventive | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Preventive | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Systems design, build, and implementation | Preventive | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Systems design, build, and implementation | Preventive | |
| Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Systems design, build, and implementation | Preventive | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Preventive | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Systems design, build, and implementation | Preventive | |
| Control user account management through secure coding techniques in source code. CC ID 11909 | Systems design, build, and implementation | Preventive | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Systems design, build, and implementation | Preventive | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Systems design, build, and implementation | Preventive | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Systems design, build, and implementation | Preventive | |
| Standardize Application Programming Interfaces. CC ID 12167 | Systems design, build, and implementation | Preventive | |
| Include the cost effectiveness of security controls in system acquisition contracts. CC ID 11653 | Acquisition or sale of facilities, technology, and services | Detective | |
| Install software that originates from approved third parties. CC ID 12184 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Preventive | |
| Document the third parties compliance with the organization's system hardening framework. CC ID 04263 | Third Party and supply chain oversight | Detective | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a system security plan. CC ID 01922 | Monitoring and measurement | Preventive | |
| Validate all testing assumptions in the test plans. CC ID 00663 [Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. CIS Control 18: Safeguard 18.4 Validate Security Measures] | Monitoring and measurement | Detective | |
| Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Detective | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Preventive | |
| Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Preventive | |
| Scan organizational networks for rogue devices. CC ID 00536 [{weekly basis} Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. CIS Control 1: Safeguard 1.5 Use a Passive Asset Discovery Tool] | Monitoring and measurement | Detective | |
| Scan the network for wireless access points. CC ID 00370 | Monitoring and measurement | Detective | |
| Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Monitoring and measurement | Preventive | |
| Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Detective | |
| Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Corrective | |
| Perform penetration tests, as necessary. CC ID 00655 [Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker. CIS Control 18: Penetration Testing] | Monitoring and measurement | Detective | |
| Include coverage of all in scope systems during penetration testing. CC ID 11957 [{annual basis} Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.2 Perform Periodic External Penetration Tests] | Monitoring and measurement | Detective | |
| Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Detective | |
| Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Detective | |
| Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Detective | |
| Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Detective | |
| Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Detective | |
| Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Detective | |
| Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Detective | |
| Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Detective | |
| Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Monitoring and measurement | Detective | |
| Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Detective | |
| Repeat penetration testing, as necessary. CC ID 06860 | Monitoring and measurement | Detective | |
| Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Detective | |
| Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Detective | |
| Conduct scanning activities in a test environment. CC ID 17036 | Monitoring and measurement | Preventive | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 [{monthly basis} Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets] | Monitoring and measurement | Detective | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 [{monthly basis} Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets] | Monitoring and measurement | Detective | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Preventive | |
| Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Detective | |
| Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Detective | |
| Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Detective | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Detective | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Detective | |
| Employ unique identifiers. CC ID 01273 [{minimum number of characters} Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA. CIS Control 5: Safeguard 5.2 Use Unique Passwords] | Technical security | Detective | |
| Authenticate user identities before unlocking an account. CC ID 11837 | Technical security | Detective | |
| Authenticate user identities before manually resetting an authenticator. CC ID 04567 | Technical security | Detective | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Detective | |
| Register all Domain Names associated with the organization to the organization and not an individual. CC ID 07210 | Technical security | Detective | |
| Configure firewalls to perform dynamic packet filtering. CC ID 01288 | Technical security | Detective | |
| Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 [Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. CIS Control 12: Safeguard 12.7 Ensue Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure] | Technical security | Preventive | |
| Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 | Technical security | Detective | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Detective | |
| Implement non-repudiation for transactions. CC ID 00567 | Technical security | Detective | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 [Configure anti-malware software to automatically scan removable media. CIS Control 10: Safeguard 10.4 Configure Automatic Anti-Malware Scanning of Removable Media] | Technical security | Detective | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Detective | |
| Conduct application security reviews, as necessary. CC ID 06298 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Technical security | Detective | |
| Test the recovery plan, as necessary. CC ID 13290 [{quarterly basis} Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets. CIS Control 11: Safeguard 11.5 Test Data Recovery] | Operational and Systems Continuity | Detective | |
| Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
| Test backup media for media integrity and information integrity, as necessary. CC ID 01401 | Operational and Systems Continuity | Detective | |
| Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Operational and Systems Continuity | Detective | |
| Test each restored system for media integrity and information integrity. CC ID 01920 | Operational and Systems Continuity | Detective | |
| Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Operational and Systems Continuity | Corrective | |
| Assign and staff all roles appropriately. CC ID 00784 | Human Resources management | Detective | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 | Human Resources management | Detective | |
| Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Detective | |
| Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Detective | |
| Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Detective | |
| Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Detective | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Corrective | |
| Test incident monitoring procedures. CC ID 13194 | Operational management | Detective | |
| Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Corrective | |
| Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Corrective | |
| Establish trust between the incident response team and the end user community during an incident. CC ID 01217 | Operational management | Detective | |
| Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Operational management | Detective | |
| Test the incident response procedures. CC ID 01216 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises] | Operational management | Detective | |
| Test network access controls for proper Configuration Management settings. CC ID 01281 | System hardening through configuration management | Detective | |
| Verify wireless peripherals meet organizational security requirements. CC ID 00657 | System hardening through configuration management | Detective | |
| Configure security and protection software to check for up-to-date signature files. CC ID 00576 [Configure automatic updates for anti-malware signature files on all enterprise assets. CIS Control 10: Safeguard 10.2 Configure Automatic Anti-Malware Signature Updates] | System hardening through configuration management | Detective | |
| Test systems to ensure they conform to configuration baselines. CC ID 13062 | System hardening through configuration management | Detective | |
| Maintain continued integrity for all stored data and stored records. CC ID 00969 | Records management | Detective | |
| Restrict system architects from being assigned as Administrators. CC ID 01064 | Systems design, build, and implementation | Detective | |
| Restrict the development team from having access to the production environment. CC ID 01066 | Systems design, build, and implementation | Detective | |
| Perform a risk assessment for each system development project. CC ID 01000 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Systems design, build, and implementation | Detective | |
| Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Preventive | |
| Audit all modifications to the application being developed. CC ID 01614 | Systems design, build, and implementation | Detective | |
| Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Systems design, build, and implementation | Detective | |
| Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems design, build, and implementation | Detective | |
| Review and test source code. CC ID 01086 | Systems design, build, and implementation | Detective | |
| Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 | Systems design, build, and implementation | Corrective | |
| Approve all custom code test results before code is released. CC ID 06293 | Systems design, build, and implementation | Detective | |
| Perform a final system test prior to implementing a new system. CC ID 01108 | Systems design, build, and implementation | Detective | |
| Provide a Configuration Management plan by the Information System developer for all newly acquired assets. CC ID 01446 | Acquisition or sale of facilities, technology, and services | Detective | |
| Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets. CC ID 01447 | Acquisition or sale of facilities, technology, and services | Detective | |
| Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Acquisition or sale of facilities, technology, and services | Detective | |
| Test new software or upgraded software for security vulnerabilities. CC ID 01898 [{be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components] | Acquisition or sale of facilities, technology, and services | Detective | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
| Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Detective | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [{process}{accept}{address}{reports}{software vulnerability} Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 2 Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers] | Third Party and supply chain oversight | Detective | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{annual basis} Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. CIS Control 15: Safeguard 15.4 Ensure Service Provider Contracts Include Security Requirements] | Third Party and supply chain oversight | Detective | |
Training | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Preventive | |
| Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
| Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Preventive | |
| Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Preventive | |
| Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
| Include data management in the security awareness program. CC ID 17010 | Human Resources management | Preventive | |
| Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Preventive | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 [Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. CIS Control 14: Safeguard 14.4 Train Workforce on Data Handling Best Practices Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure. CIS Control 14: Safeguard 14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks] | Human Resources management | Preventive | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
| Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Preventive | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 [Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools. CIS Control 14: Safeguard 14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools. CIS Control 14: Safeguard 14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates] | Human Resources management | Preventive | |
| Conduct incident response training. CC ID 11889 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises] | Operational management | Preventive | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Establish/Maintain Documentation | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Log Management | |
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Investigate | |
| Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Monitoring and measurement | Technical Security | |
| Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Isolate rogue devices after a rogue device has been detected. CC ID 07061 [Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. CIS Control 1: Safeguard 1.2 Address Unauthorized Assets Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. CIS Control 1: Safeguard 1.2 Address Unauthorized Assets {unauthorized asset} Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. CIS Control 1: Inventory and Control of Enterprise Assets] | Monitoring and measurement | Configuration | |
| Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Testing | |
| Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Technical Security | |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Configuration | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Behavior | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Technical Security | |
| Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 [Remediate penetration test findings based on the enterprise's documented vulnerability remediation process. This should include determining a timeline and level of effort based on the impact and prioritization of each identified finding. CIS Control 18: Safeguard 18.3 Remediate Penetration Test Findings] | Monitoring and measurement | Technical Security | |
| Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Configuration | |
| Correct or mitigate vulnerabilities. CC ID 12497 [{monthly basis} Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process. CIS Control 7: Safeguard 7.7 Remediate Detected Vulnerabilities {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program Remediate penetration test findings based on the enterprise's documented vulnerability remediation process. This should include determining a timeline and level of effort based on the impact and prioritization of each identified finding. CIS Control 18: Safeguard 18.3 Remediate Penetration Test Findings] | Monitoring and measurement | Technical Security | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Technical Security | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Technical security | Behavior | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Behavior | |
| Remove inactive user accounts, as necessary. CC ID 00517 [{stipulated timeframe} Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. CIS Control 5: Safeguard 5.3 Disable Dormant Accounts] | Technical security | Technical Security | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Technical Security | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Technical Security | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Communicate | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Configuration | |
| Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 | Technical security | Technical Security | |
| Take appropriate action to address information flow anomalies. CC ID 12164 | Technical security | Investigate | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Data and Information Management | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Data and Information Management | |
| Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Process or Activity | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Communicate | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Technical security | Establish/Maintain Documentation | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical security | Technical Security | |
| Correct all found deficiencies according to organizational standards after a web application policy compliance review. CC ID 06299 | Technical security | Technical Security | |
| Re-evaluate the web application after deficiencies have been corrected. CC ID 06300 | Technical security | Technical Security | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 [{be appropriate} Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise. CIS Control 4: Safeguard 4.11 Enforce Remote Wipe Capability on Portable End-User Devices] | Physical and environmental protection | Process or Activity | |
| Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Operational and Systems Continuity | Testing | |
| Terminate user accounts when notified that an individual is terminated. CC ID 11614 [Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. CIS Control 6: Safeguard 6.2 Establish an Access Revoking Process] | Human Resources management | Technical Security | |
| Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [{user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. CIS Control 6: Safeguard 6.2 Establish an Access Revoking Process] | Human Resources management | Technical Security | |
| Conduct secure coding and development training for developers. CC ID 06822 [{annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Human Resources management | Behavior | |
| Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Monitor and Evaluate Occurrences | |
| Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Monitor and Evaluate Occurrences | |
| Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Physical and Environmental Protection | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Monitor and Evaluate Occurrences | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Behavior | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Process or Activity | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
| Refrain from accessing compromised systems. CC ID 01752 | Operational management | Technical Security | |
| Isolate compromised systems from the network. CC ID 01753 | Operational management | Technical Security | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Log Management | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Technical Security | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Testing | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Monitor and Evaluate Occurrences | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Data and Information Management | |
| Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Behavior | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Establish/Maintain Documentation | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Technical Security | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Business Processes | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Human Resources Management | |
| Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Technical Security | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Establish/Maintain Documentation | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Log Management | |
| Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Testing | |
| Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Testing | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Communicate | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Technical Security | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Technical Security | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Technical Security | |
| Conduct forensic investigations in the event of a security compromise. CC ID 11951 | Operational management | Investigate | |
| Collect evidence from the incident scene. CC ID 02236 | Operational management | Business Processes | |
| Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Configuration | |
| Patch software. CC ID 11825 [{monthly basis} Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.4 Perform Automated Application Patch Management] | Operational management | Technical Security | |
| Patch the operating system, as necessary. CC ID 11824 [{monthly basis} Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.3 Perform Operating System Patch Management] | Operational management | Technical Security | |
| Disable or delete shared User IDs. CC ID 12478 | System hardening through configuration management | Configuration | |
| Disable or delete generic user IDs. CC ID 12479 | System hardening through configuration management | Configuration | |
| Update the security configuration of hardened images, as necessary. CC ID 12088 | System hardening through configuration management | Technical Security | |
| Review and update the security architecture, as necessary. CC ID 14277 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 | Systems design, build, and implementation | Testing | |
| Document attempts to obtain system documentation. CC ID 14284 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity | |
| Terminate supplier relationships, as necessary. CC ID 13489 [{secure manner} Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems. CIS Control 15: Safeguard 15.7 Securely Decommission Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Third Party and supply chain oversight | Business Processes | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Process or Activity | |
| Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. CIS Control 7: Continuous Vulnerability Management] | Leadership and high level objectives | Technical Security | |
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 [{monthly basis} Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. CIS Control 2: Safeguard 2.3 Address Unauthorized Software {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Monitoring and measurement | Human Resources Management | |
| Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 [Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASHTM, and remote administrative terminals. CIS Control 8: Safeguard 8.8 Collect Command-Line Audit Logs Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events. CIS Control 8: Safeguard 8.12 Collect Service Provider Logs] | Monitoring and measurement | Log Management | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [{weekly basis} Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. CIS Control 8: Safeguard 8.11 Conduct Audit Log Reviews {weekly basis} Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. CIS Control 1: Safeguard 1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Monitoring and measurement | Log Management | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Log Management | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 [Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. CIS Control 8: Audit Log Management] | Monitoring and measurement | Technical Security | |
| Enable logging for all systems that meet a traceability criteria. CC ID 00640 | Monitoring and measurement | Log Management | |
| Analyze firewall logs for the correct capturing of data. CC ID 00549 | Monitoring and measurement | Log Management | |
| Validate all testing assumptions in the test plans. CC ID 00663 [Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. CIS Control 18: Safeguard 18.4 Validate Security Measures] | Monitoring and measurement | Testing | |
| Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Testing | |
| Scan organizational networks for rogue devices. CC ID 00536 [{weekly basis} Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. CIS Control 1: Safeguard 1.5 Use a Passive Asset Discovery Tool] | Monitoring and measurement | Testing | |
| Scan the network for wireless access points. CC ID 00370 | Monitoring and measurement | Testing | |
| Scan wireless networks for rogue devices. CC ID 11623 | Monitoring and measurement | Technical Security | |
| Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Monitoring and measurement | Testing | |
| Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Testing | |
| Perform penetration tests, as necessary. CC ID 00655 [Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker. CIS Control 18: Penetration Testing] | Monitoring and measurement | Testing | |
| Perform internal penetration tests, as necessary. CC ID 12471 [{annual basis} Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.5 Perform Periodic Internal Penetration Tests] | Monitoring and measurement | Technical Security | |
| Perform external penetration tests, as necessary. CC ID 12470 [{annual basis} Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.2 Perform Periodic External Penetration Tests] | Monitoring and measurement | Technical Security | |
| Include coverage of all in scope systems during penetration testing. CC ID 11957 [{annual basis} Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.2 Perform Periodic External Penetration Tests] | Monitoring and measurement | Testing | |
| Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Testing | |
| Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Testing | |
| Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Testing | |
| Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Testing | |
| Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Testing | |
| Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Testing | |
| Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Testing | |
| Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Testing | |
| Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Monitoring and measurement | Testing | |
| Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Testing | |
| Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 [Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. CIS Control 16: Safeguard 16.13 Conduct Application Penetration Testing] | Monitoring and measurement | Technical Security | |
| Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Technical Security | |
| Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Audits and Risk Management | |
| Repeat penetration testing, as necessary. CC ID 06860 | Monitoring and measurement | Testing | |
| Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Testing | |
| Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Technical Security | |
| Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Testing | |
| Perform vulnerability scans, as necessary. CC ID 11637 [{quarterly basis} {authenticated vulnerability scan} {unauthenticated vulnerability scan} Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans. CIS Control 7: Safeguard 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets] | Monitoring and measurement | Technical Security | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 [{monthly basis} Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets] | Monitoring and measurement | Testing | |
| Identify and document security vulnerabilities. CC ID 11857 | Monitoring and measurement | Technical Security | |
| Rank discovered vulnerabilities. CC ID 11940 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. CIS Control 16: Safeguard 16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities] | Monitoring and measurement | Investigate | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Monitoring and measurement | Technical Security | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Technical Security | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 [{monthly basis} Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a monthly, or more frequent, basis. CIS Control 7: Safeguard 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets] | Monitoring and measurement | Testing | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Technical Security | |
| Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Technical Security | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Technical Security | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Technical Security | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Technical Security | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Monitoring and measurement | Technical Security | |
| Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Testing | |
| Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Testing | |
| Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Testing | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Testing | |
| Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Log Management | |
| Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Log Management | |
| Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Log Management | |
| Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a corrective action plan. CC ID 00675 [{monthly basis} Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. CIS Control 7: Safeguard 7.2 Establish and Maintain Remediation Process] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Include monitoring in the corrective action plan. CC ID 11645 [{monthly basis} Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. CIS Control 7: Safeguard 7.2 Establish and Maintain Remediation Process] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Identify information system users. CC ID 12081 [{user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Technical security | Technical Security | |
| Review user accounts. CC ID 00525 [{quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Technical security | Technical Security | |
| Match user accounts to authorized parties. CC ID 12126 [{user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Technical security | Configuration | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical security | Technical Security | |
| Review shared accounts. CC ID 11840 | Technical security | Technical Security | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Configuration | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Testing | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Communicate | |
| Employ unique identifiers. CC ID 01273 [{minimum number of characters} Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA. CIS Control 5: Safeguard 5.2 Use Unique Passwords] | Technical security | Testing | |
| Authenticate user identities before unlocking an account. CC ID 11837 | Technical security | Testing | |
| Authenticate user identities before manually resetting an authenticator. CC ID 04567 | Technical security | Testing | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Testing | |
| Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 | Technical security | Technical Security | |
| Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 [{weekly basis} Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. CIS Control 1: Safeguard 1.5 Use a Passive Asset Discovery Tool] | Technical security | Process or Activity | |
| Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Process or Activity | |
| Establish, implement, and maintain a sensitive information inventory. CC ID 13736 [{annual basis} Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. CIS Control 3: Safeguard 3.2 Establish and Maintain a Data Inventory] | Technical security | Establish/Maintain Documentation | |
| Register all Domain Names associated with the organization to the organization and not an individual. CC ID 07210 | Technical security | Testing | |
| Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 | Technical security | Process or Activity | |
| Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Technical security | Configuration | |
| Configure firewalls to perform dynamic packet filtering. CC ID 01288 | Technical security | Testing | |
| Configure network access and control points to organizational standards. CC ID 12442 | Technical security | Configuration | |
| Perform content filtering scans on network traffic. CC ID 06761 [Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway. CIS Control 13: Safeguard 13.10 Perform Application Layer Filtering Perform traffic filtering between network segments, where appropriate. CIS Control 13: Safeguard 13.4 Perform Traffic Filtering Between Network Segments] | Technical security | Monitor and Evaluate Occurrences | |
| Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 | Technical security | Investigate | |
| Perform content filtering scans on incoming and outgoing e-mail. CC ID 06733 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | Technical security | Monitor and Evaluate Occurrences | |
| Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 | Technical security | Testing | |
| Monitor and evaluate all remote access usage. CC ID 00563 | Technical security | Monitor and Evaluate Occurrences | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Testing | |
| Implement non-repudiation for transactions. CC ID 00567 | Technical security | Testing | |
| Scan for malicious code, as necessary. CC ID 11941 | Technical security | Investigate | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 [Configure anti-malware software to automatically scan removable media. CIS Control 10: Safeguard 10.4 Configure Automatic Anti-Malware Scanning of Removable Media] | Technical security | Testing | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Testing | |
| Log and react to all malicious code activity. CC ID 07072 | Technical security | Monitor and Evaluate Occurrences | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical security | Technical Security | |
| Conduct application security reviews, as necessary. CC ID 06298 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Technical security | Testing | |
| Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
| Test the recovery plan, as necessary. CC ID 13290 [{quarterly basis} Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets. CIS Control 11: Safeguard 11.5 Test Data Recovery] | Operational and Systems Continuity | Testing | |
| Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a critical personnel list. CC ID 00739 [{annual basis} Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, service providers, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. CIS Control 17: Safeguard 17.2 Establish and Maintain Contact Information for Reporting Security Incidents] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Test backup media for media integrity and information integrity, as necessary. CC ID 01401 | Operational and Systems Continuity | Testing | |
| Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Operational and Systems Continuity | Testing | |
| Test each restored system for media integrity and information integrity. CC ID 01920 | Operational and Systems Continuity | Testing | |
| Document and communicate role descriptions to all applicable personnel. CC ID 00776 | Human Resources management | Establish Roles | |
| Assign and staff all roles appropriately. CC ID 00784 | Human Resources management | Testing | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 | Human Resources management | Testing | |
| Evaluate the staffing requirements regularly. CC ID 00775 | Human Resources management | Business Processes | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Monitor and Evaluate Occurrences | |
| Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Establish/Maintain Documentation | |
| Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Technical Security | |
| Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Testing | |
| Control and monitor all maintenance tools. CC ID 01432 | Operational management | Physical and Environmental Protection | |
| Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Testing | |
| Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Testing | |
| Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Testing | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Business Processes | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Investigate | |
| Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Monitor and Evaluate Occurrences | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Establish/Maintain Documentation | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Investigate | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Establish/Maintain Documentation | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Establish/Maintain Documentation | |
| Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Investigate | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
| Include information required by law in incident response notifications. CC ID 00802 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Operational management | Establish/Maintain Documentation | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Monitor and Evaluate Occurrences | |
| Test incident monitoring procedures. CC ID 13194 | Operational management | Testing | |
| Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Process or Activity | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Investigate | |
| Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Investigate | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Investigate | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Investigate | |
| Analyze and respond to security alerts. CC ID 12504 | Operational management | Business Processes | |
| Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 [{annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Operational management | Investigate | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process {annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process] | Operational management | Establish/Maintain Documentation | |
| Establish trust between the incident response team and the end user community during an incident. CC ID 01217 | Operational management | Testing | |
| Protect devices containing digital forensic evidence during transport. CC ID 08687 | Operational management | Investigate | |
| Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Operational management | Investigate | |
| Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Operational management | Establish/Maintain Documentation | |
| Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Operational management | Communicate | |
| Prepare digital forensic equipment. CC ID 08688 | Operational management | Investigate | |
| Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Operational management | Investigate | |
| Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Operational management | Investigate | |
| Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Operational management | Establish/Maintain Documentation | |
| Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Operational management | Testing | |
| Maintain digital forensic equipment for proper performance. CC ID 08689 | Operational management | Investigate | |
| Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Operational management | Establish/Maintain Documentation | |
| Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Operational management | Establish/Maintain Documentation | |
| Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Operational management | Establish/Maintain Documentation | |
| Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Operational management | Establish/Maintain Documentation | |
| Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Operational management | Establish/Maintain Documentation | |
| Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Operational management | Investigate | |
| Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Operational management | Investigate | |
| Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Operational management | Investigate | |
| Secure devices containing digital forensic evidence. CC ID 08681 | Operational management | Investigate | |
| Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Operational management | Investigate | |
| Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Operational management | Investigate | |
| Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Operational management | Investigate | |
| Shut down stand alone devices containing digital forensic evidence. CC ID 08682 | Operational management | Investigate | |
| Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Operational management | Investigate | |
| Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Operational management | Investigate | |
| Test the incident response procedures. CC ID 01216 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises] | Operational management | Testing | |
| Test network access controls for proper Configuration Management settings. CC ID 01281 | System hardening through configuration management | Testing | |
| Verify wireless peripherals meet organizational security requirements. CC ID 00657 | System hardening through configuration management | Testing | |
| Review the ownership of service accounts, as necessary. CC ID 13863 | System hardening through configuration management | Technical Security | |
| Find files and directories with extended attributes. CC ID 01552 | System hardening through configuration management | Technical Security | |
| Verify that no UID 0 accounts exist other than root. CC ID 01585 | System hardening through configuration management | Configuration | |
| Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 | System hardening through configuration management | Log Management | |
| Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 | System hardening through configuration management | Log Management | |
| Configure the log to capture each auditable event's origination. CC ID 01338 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | System hardening through configuration management | Log Management | |
| Configure the log to capture remote access information. CC ID 05596 | System hardening through configuration management | Configuration | |
| Configure the log to capture all malicious code that has been discovered, quarantined, and/or eradicated. CC ID 00577 | System hardening through configuration management | Log Management | |
| Configure the "logging level" to organizational standards. CC ID 14456 | System hardening through configuration management | Configuration | |
| Capture successful operating system access and successful software access. CC ID 00527 | System hardening through configuration management | Log Management | |
| Configure the log to capture hardware and software access attempts. CC ID 01220 | System hardening through configuration management | Log Management | |
| Configure the log to capture all URL requests. CC ID 12138 [Collect URL request audit logs on enterprise assets, where appropriate and supported. CIS Control 8: Safeguard 8.7 Collect URL Request Audit Logs] | System hardening through configuration management | Technical Security | |
| Configure the log to capture logons, logouts, logon attempts, and logout attempts. CC ID 01915 | System hardening through configuration management | Log Management | |
| Configure the log to capture access to restricted data or restricted information. CC ID 00644 [Log sensitive data access, including modification and disposal. CIS Control 3: Safeguard 3.14 Log Sensitive Data Access] | System hardening through configuration management | Log Management | |
| Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 | System hardening through configuration management | Log Management | |
| Configure the log to capture identification and authentication mechanism use. CC ID 00648 | System hardening through configuration management | Log Management | |
| Configure the log to capture all access to the audit trail. CC ID 00646 | System hardening through configuration management | Log Management | |
| Configure the log to capture Object access to key directories or key files. CC ID 01697 | System hardening through configuration management | Log Management | |
| Configure the log to capture both access and access attempts to security-relevant objects and security-relevant directories. CC ID 01916 | System hardening through configuration management | Log Management | |
| Configure the log to capture system level object creation and deletion. CC ID 00650 | System hardening through configuration management | Log Management | |
| Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 | System hardening through configuration management | Log Management | |
| Configure the log to capture user authenticator changes. CC ID 01917 | System hardening through configuration management | Log Management | |
| Configure security and protection software to check for up-to-date signature files. CC ID 00576 [Configure automatic updates for anti-malware signature files on all enterprise assets. CIS Control 10: Safeguard 10.2 Configure Automatic Anti-Malware Signature Updates] | System hardening through configuration management | Testing | |
| Test systems to ensure they conform to configuration baselines. CC ID 13062 | System hardening through configuration management | Testing | |
| Ensure data sets have the appropriate characteristics. CC ID 15000 | Records management | Data and Information Management | |
| Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 | Records management | Data and Information Management | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data retention program. CC ID 00906 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines. CIS Control 3: Safeguard 3.4 Enforce Data Retention] | Records management | Establish/Maintain Documentation | |
| Maintain continued integrity for all stored data and stored records. CC ID 00969 | Records management | Testing | |
| Capture the records required by organizational compliance requirements. CC ID 00912 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection] | Records management | Records Management | |
| Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection] | Records management | Data and Information Management | |
| Identify patient-specific education resources. CC ID 14439 | Records management | Process or Activity | |
| Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 [{annual basis} Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as "Sensitive," "Confidential," and "Public," and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.7 Establish and Maintain a Data Classification Scheme {annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Records management | Data and Information Management | |
| Restrict system architects from being assigned as Administrators. CC ID 01064 | Systems design, build, and implementation | Testing | |
| Restrict the development team from having access to the production environment. CC ID 01066 | Systems design, build, and implementation | Testing | |
| Perform a risk assessment for each system development project. CC ID 01000 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Systems design, build, and implementation | Testing | |
| Supervise and monitor outsourced development projects. CC ID 01096 [Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers] | Systems design, build, and implementation | Monitor and Evaluate Occurrences | |
| Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 | Systems design, build, and implementation | Monitor and Evaluate Occurrences | |
| Audit all modifications to the application being developed. CC ID 01614 | Systems design, build, and implementation | Testing | |
| Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Systems design, build, and implementation | Testing | |
| Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems design, build, and implementation | Testing | |
| Review and test source code. CC ID 01086 | Systems design, build, and implementation | Testing | |
| Approve all custom code test results before code is released. CC ID 06293 | Systems design, build, and implementation | Testing | |
| Perform a final system test prior to implementing a new system. CC ID 01108 | Systems design, build, and implementation | Testing | |
| Include the cost effectiveness of security controls in system acquisition contracts. CC ID 11653 | Acquisition or sale of facilities, technology, and services | Technical Security | |
| Provide a Configuration Management plan by the Information System developer for all newly acquired assets. CC ID 01446 | Acquisition or sale of facilities, technology, and services | Testing | |
| Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets. CC ID 01447 | Acquisition or sale of facilities, technology, and services | Testing | |
| Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Acquisition or sale of facilities, technology, and services | Testing | |
| Test new software or upgraded software for security vulnerabilities. CC ID 01898 [{be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components] | Acquisition or sale of facilities, technology, and services | Testing | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
| Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
| Search the Internet for evidence of data leakage. CC ID 10419 [Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers] | Privacy protection for information and data | Process or Activity | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Testing | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Testing | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [{process}{accept}{address}{reports}{software vulnerability} Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 2 Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers] | Third Party and supply chain oversight | Testing | |
| Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Third Party and supply chain oversight | Audits and Risk Management | |
| Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Third Party and supply chain oversight | Business Processes | |
| Assess third parties' relevant experience during due diligence. CC ID 12070 | Third Party and supply chain oversight | Business Processes | |
| Assess third parties' legal risks to the organization during due diligence. CC ID 12078 | Third Party and supply chain oversight | Business Processes | |
| Assess third parties' business continuity capabilities during due diligence. CC ID 12077 | Third Party and supply chain oversight | Business Processes | |
| Review third parties' backup policies. CC ID 13043 | Third Party and supply chain oversight | Systems Continuity | |
| Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 | Third Party and supply chain oversight | Business Processes | |
| Assess third parties' abilities to provide services during due diligence. CC ID 12074 | Third Party and supply chain oversight | Business Processes | |
| Assess third parties' financial stability during due diligence. CC ID 12066 | Third Party and supply chain oversight | Business Processes | |
| Assess third parties' use of subcontractors during due diligence. CC ID 12073 | Third Party and supply chain oversight | Business Processes | |
| Assess third parties' insurance coverage during due diligence. CC ID 12072 | Third Party and supply chain oversight | Business Processes | |
| Assess the third parties' reputation during due diligence. CC ID 12068 | Third Party and supply chain oversight | Business Processes | |
| Assess any litigation case files against third parties during due diligence. CC ID 12071 | Third Party and supply chain oversight | Business Processes | |
| Assess complaints against third parties during due diligence. CC ID 12069 | Third Party and supply chain oversight | Business Processes | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{annual basis} Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. CIS Control 15: Safeguard 15.4 Ensure Service Provider Contracts Include Security Requirements] | Third Party and supply chain oversight | Testing | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
| Document that supply chain members investigate security events. CC ID 13348 | Third Party and supply chain oversight | Investigate | |
| Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Third Party and supply chain oversight | Process or Activity | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Request attestation of compliance from third parties. CC ID 12067 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 | Third Party and supply chain oversight | Business Processes | |
| Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 [Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately. CIS Control 15: Service Provider Management] | Third Party and supply chain oversight | Business Processes | |
| Document the third parties compliance with the organization's system hardening framework. CC ID 04263 | Third Party and supply chain oversight | Technical Security | |
| Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Third Party and supply chain oversight | Business Processes | |
| Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. CIS Control 15: Safeguard 15.6 Monitor Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling] | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
| Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Communicate | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Communicate | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
| Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Communicate | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Process or Activity | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Communicate | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Communicate | |
| Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Process or Activity | |
| Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Process or Activity | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Business Processes | |
| Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Process or Activity | |
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Leadership and high level objectives | Actionable Reports or Measurements | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Communicate | |
| Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Process or Activity | |
| Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Process or Activity | |
| Establish, implement, and maintain warning procedures. CC ID 12407 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain alert procedures. CC ID 12406 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 | Leadership and high level objectives | Business Processes | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Business Processes | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 | Leadership and high level objectives | Communicate | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Communicate | |
| Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Communicate | |
| Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Business Processes | |
| Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Investigate | |
| Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Communicate | |
| Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Process or Activity | |
| Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Communicate | |
| Include information about the organizational culture in the external reporting program. CC ID 15610 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Submit certification letters to interested personnel and affected parties. CC ID 16969 | Leadership and high level objectives | Communicate | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Communicate | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Communicate | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Process or Activity | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a data classification scheme. CC ID 11628 [{annual basis} Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as "Sensitive," "Confidential," and "Public," and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.7 Establish and Maintain a Data Classification Scheme {annual basis} Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as "Sensitive," "Confidential," and "Public," and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.7 Establish and Maintain a Data Classification Scheme] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Data and Information Management | |
| Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Communicate | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [{unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a decision management strategy. CC ID 06913 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets. CIS Control 8: Safeguard 8.2 Collect Audit Logs {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Monitoring and measurement | Log Management | |
| Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Process or Activity | |
| Protect continuous security management systems from unauthorized use. CC ID 13097 | Monitoring and measurement | Configuration | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent. CIS Control 13: Safeguard 13.7 Deploy a Host-Based Intrusion Prevention Solution Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported. CIS Control 13: Safeguard 13.2 Deploy a Host-Based Intrusion Detection Solution Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. CIS Control 13: Safeguard 13.3 Deploy a Network Intrusion Detection Solution Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service. CIS Control 13: Safeguard 13.8 Deploy a Network Intrusion Prevention Solution] | Monitoring and measurement | Configuration | |
| Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Audits and Risk Management | |
| Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 | Monitoring and measurement | Audits and Risk Management | |
| Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
| Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Data and Information Management | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets. CIS Control 8: Safeguard 8.2 Collect Audit Logs {weekly basis} Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. CIS Control 8: Safeguard 8.11 Conduct Audit Log Reviews] | Monitoring and measurement | Log Management | |
| Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Log Management | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Data and Information Management | |
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Testing | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Establish/Maintain Documentation | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 [Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. CIS Control 13: Safeguard 13.1 Centralize Security Event Alerting Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. CIS Control 13: Safeguard 13.1 Centralize Security Event Alerting Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example implementations include leveraging a SIEM tool to centralize multiple log sources. CIS Control 8: Safeguard 8.9 Centralize Audit Logs] | Monitoring and measurement | Audits and Risk Management | |
| Establish, implement, and maintain log analysis tools. CC ID 17056 | Monitoring and measurement | Technical Security | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Log Management | |
| Enable and configure logging on network access controls in accordance with organizational standards. CC ID 01963 [Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base. CIS Control 13: Network Monitoring and Defense Collect network traffic flow logs and/or network traffic to review and alert upon from network devices. CIS Control 13: Safeguard 13.6 Collect Network Traffic Flow Logs] | Monitoring and measurement | Configuration | |
| Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [{stipulated amount} Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. CIS Control 8: Safeguard 8.4 Standardize Time Synchronization {stipulated amount} Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. CIS Control 8: Safeguard 8.4 Standardize Time Synchronization] | Monitoring and measurement | Configuration | |
| Centralize network time servers to as few as practical. CC ID 06308 | Monitoring and measurement | Configuration | |
| Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Monitoring and measurement | Communicate | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system security plan. CC ID 01922 | Monitoring and measurement | Testing | |
| Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the scope in the test plans. CC ID 14293 [Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Monitoring and measurement | Establish/Maintain Documentation | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 [Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise. CIS Control 16: Safeguard 16.3 Perform Root Cause Analysis on Security Vulnerabilities] | Monitoring and measurement | Establish/Maintain Documentation | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Testing | |
| Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
| Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Human Resources Management | |
| Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Behavior | |
| Define the test requirements for each testing program. CC ID 13177 [Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Monitoring and measurement | Establish/Maintain Documentation | |
| Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Testing | |
| Document the business need justification for authorized wireless access points. CC ID 12044 | Monitoring and measurement | Establish/Maintain Documentation | |
| Deny network access to rogue devices until network access approval has been received. CC ID 11852 [Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. CIS Control 1: Safeguard 1.2 Address Unauthorized Assets] | Monitoring and measurement | Configuration | |
| Establish, implement, and maintain a penetration test program. CC ID 01105 [Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. CIS Control 18: Safeguard 18.4 Validate Security Measures Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Monitoring and measurement | Behavior | |
| Align the penetration test program with industry standards. CC ID 12469 | Monitoring and measurement | Establish/Maintain Documentation | |
| Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 [{annual basis} Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. CIS Control 18: Safeguard 18.2 Perform Periodic External Penetration Tests Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Monitoring and measurement | Establish Roles | |
| Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Monitoring and measurement | Testing | |
| Retain penetration test results according to internal policy. CC ID 10049 | Monitoring and measurement | Records Management | |
| Retain penetration test remediation action records according to internal policy. CC ID 11629 | Monitoring and measurement | Records Management | |
| Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Process or Activity | |
| Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Monitoring and measurement | Technical Security | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [{annual basis} Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 7: Safeguard 7.1 Establish and Maintain a Vulnerability Management Process {annual basis} Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 7: Safeguard 7.1 Establish and Maintain a Vulnerability Management Process Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. CIS Control 7: Continuous Vulnerability Management {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1 {annual basis} Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. CIS Control 16: Safeguard 16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities] | Monitoring and measurement | Establish/Maintain Documentation | |
| Conduct scanning activities in a test environment. CC ID 17036 | Monitoring and measurement | Testing | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Technical Security | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Communicate | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Records Management | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Business Processes | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Testing | |
| Define the test frequency for each testing program. CC ID 13176 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program] | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 [{monthly basis} Tune security event alerting thresholds monthly, or more frequently. CIS Control 13: Safeguard 13.11 Tune Security Event Alerting Thresholds] | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Monitoring and measurement | Business Processes | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
| Establish, implement, and maintain a log management program. CC ID 00673 [{annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Monitoring and measurement | Establish/Maintain Documentation | |
| Include transfer procedures in the log management program. CC ID 17077 | Monitoring and measurement | Establish/Maintain Documentation | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Technical Security | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Log Management | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Technical Security | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Log Management | |
| Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Systems Continuity | |
| Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Log Management | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Log Management | |
| Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Log Management | |
| Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Log Management | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Log Management | |
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Configuration | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Audits and Risk Management | |
| Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Business Processes | |
| Include evidence of the closure of findings in the corrective action plan. CC ID 16978 | Monitoring and measurement | Actionable Reports or Measurements | |
| Include roles and responsibilities in the corrective action plan. CC ID 16926 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include actions taken to resolve issues in the corrective action plan. CC ID 16884 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 | Monitoring and measurement | Communicate | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Establish/Maintain Documentation | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [{monthly basis} Establish and manage an updated inventory of third-party components used in development, often referred to as a "bill of materials," as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. CIS Control 16: Safeguard 16.4 Establish and Manage an Inventory of Third-Party Software Components] | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain an access control program. CC ID 11702 [Centralize access control for all enterprise assets through a directory service or SSO provider, where supported. CIS Control 6: Safeguard 6.7 Centralize Access Control] | Technical security | Establish/Maintain Documentation | |
| Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 | Technical security | Establish/Maintain Documentation | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 | Technical security | Establish/Maintain Documentation | |
| Include guidance on selecting authentication credentials in the access control program. CC ID 11928 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain access control policies. CC ID 00512 | Technical security | Establish/Maintain Documentation | |
| Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Establish/Maintain Documentation | |
| Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Establish/Maintain Documentation | |
| Include management commitment in the access control policy. CC ID 14004 | Technical security | Establish/Maintain Documentation | |
| Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Establish/Maintain Documentation | |
| Include the scope in the access control policy. CC ID 14002 | Technical security | Establish/Maintain Documentation | |
| Include the purpose in the access control policy. CC ID 14001 | Technical security | Establish/Maintain Documentation | |
| Document the business need justification for user accounts. CC ID 15490 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Technical Security | |
| Inventory all user accounts. CC ID 13732 [{quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Technical security | Establish/Maintain Documentation | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Data and Information Management | |
| Control access rights to organizational assets. CC ID 00004 [Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. CIS Control 3: Safeguard 3.3 Configure Data Access Control Lists Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user. CIS Control 6: Safeguard 6.1 Establish an Access Granting Process] | Technical security | Technical Security | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 [Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. CIS Control 3: Safeguard 3.3 Configure Data Access Control Lists] | Technical security | Configuration | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Establish/Maintain Documentation | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Technical Security | |
| Define roles for information systems. CC ID 12454 | Technical security | Human Resources Management | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Human Resources Management | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Technical Security | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Technical Security | |
| Establish access rights based on least privilege. CC ID 01411 [{annual basis} Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. CIS Control 6: Safeguard 6.8 Define and Maintain Role-Based Access Control Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Technical security | Technical Security | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Technical Security | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Technical Security | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [{data storage}{be lower than} Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. CIS Control 3: Safeguard 3.12 Segment Data Processing and Storage Based on Sensitivity] | Technical security | Configuration | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 [Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts. CIS Control 4: Safeguard 4.10 Enforce Automatic Device Lockout on Portable End-User Devices] | Technical security | Technical Security | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
| Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Communicate | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Technical Security | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Configuration | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Configuration | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Technical Security | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
| Enable access control for objects and users on each system. CC ID 04553 | Technical security | Configuration | |
| Include all system components in the access control system. CC ID 11939 | Technical security | Technical Security | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Process or Activity | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 [{remote connection} Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date. CIS Control 13: Safeguard 13.5 Manage Access Control for Remote Assets] | Technical security | Technical Security | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 [{annual basis} Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. CIS Control 6: Safeguard 6.8 Define and Maintain Role-Based Access Control] | Technical security | Technical Security | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Establish/Maintain Documentation | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
| Enforce access restrictions for change control. CC ID 01428 | Technical security | Technical Security | |
| Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Data and Information Management | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Technical Security | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Technical Security | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Establish/Maintain Documentation | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Establish/Maintain Documentation | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Technical Security | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Configuration | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Establish/Maintain Documentation | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Technical Security | |
| Control user privileges. CC ID 11665 | Technical security | Technical Security | |
| Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Establish/Maintain Documentation | |
| Review all user privileges, as necessary. CC ID 06784 [{annual basis} Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. CIS Control 6: Safeguard 6.8 Define and Maintain Role-Based Access Control] | Technical security | Technical Security | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Configuration | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Technical Security | |
| Change authenticators after personnel status changes. CC ID 12284 | Technical security | Human Resources Management | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Establish/Maintain Documentation | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Technical Security | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Technical Security | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Establish/Maintain Documentation | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Technical Security | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [{user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management {user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management] | Technical security | Technical Security | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Technical security | Human Resources Management | |
| Automate access control methods, as necessary. CC ID 11838 | Technical security | Technical Security | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Technical Security | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Technical Security | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical security | Technical Security | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Establish/Maintain Documentation | |
| Enforce the password policy. CC ID 16347 | Technical security | Technical Security | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Establish/Maintain Documentation | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Configuration | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Technical Security | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management] | Technical security | Technical Security | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical security | Technical Security | |
| Maintain a log of the overrides of the biometric system. CC ID 17000 | Technical security | Log Management | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Establish/Maintain Documentation | |
| Document the business need justification for authentication data storage. CC ID 06325 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Establish/Maintain Documentation | |
| Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Configuration | |
| Document approving and granting access in the access control log. CC ID 06786 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Communicate | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Establish/Maintain Documentation | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Establish/Maintain Documentation | |
| Include the user's location in the system record. CC ID 16996 | Technical security | Log Management | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Data and Information Management | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Establish/Maintain Documentation | |
| Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Establish/Maintain Documentation | |
| Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Establish/Maintain Documentation | |
| Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Establish/Maintain Documentation | |
| Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Establish/Maintain Documentation | |
| Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Establish/Maintain Documentation | |
| Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Establish/Maintain Documentation | |
| Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Communicate | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 | Technical security | Establish/Maintain Documentation | |
| Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical security | Technical Security | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Communicate | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Technical Security | |
| Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 | Technical security | Data and Information Management | |
| Include instructions to refrain from using previously used authenticators in the access control program. CC ID 11930 | Technical security | Establish/Maintain Documentation | |
| Disallow the use of Personal Identification Numbers as user identifiers. CC ID 06785 | Technical security | Technical Security | |
| Define the activation requirements for identification cards or badges. CC ID 06583 | Technical security | Process or Activity | |
| Require multiple forms of personal identification prior to issuing user identifiers. CC ID 08712 | Technical security | Human Resources Management | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical security | Technical Security | |
| Assign authenticators to user accounts. CC ID 06855 | Technical security | Configuration | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management {user account}{administrator account} Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. CIS Control 6: Access Control Management] | Technical security | Configuration | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Technical Security | |
| Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Technical security | Communicate | |
| Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Establish/Maintain Documentation | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Configuration | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Technical Security | |
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Technical security | Establish Roles | |
| Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Technical security | Process or Activity | |
| Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical security | Technical Security | |
| Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical security | Technical Security | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Technical Security | |
| Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Process or Activity | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Communicate | |
| Identify and control all network access controls. CC ID 00529 [Centralize network AAA. CIS Control 12: Safeguard 12.5 Centralize Network Authentication, Authorization, and Auditing (AAA) Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication. CIS Control 13: Safeguard 13.9 Deploy Port-Level Access Control] | Technical security | Technical Security | |
| Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Technical security | Establish/Maintain Documentation | |
| Enforce the network segmentation requirements. CC ID 16381 | Technical security | Process or Activity | |
| Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical security | Technical Security | |
| Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Technical Security | |
| Establish, implement, and maintain a network security policy. CC ID 06440 | Technical security | Establish/Maintain Documentation | |
| Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Establish/Maintain Documentation | |
| Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Establish/Maintain Documentation | |
| Include management commitment in the network security policy. CC ID 14203 | Technical security | Establish/Maintain Documentation | |
| Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Establish/Maintain Documentation | |
| Include the scope in the network security policy. CC ID 14201 | Technical security | Establish/Maintain Documentation | |
| Include the purpose in the network security policy. CC ID 14200 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Communicate | |
| Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Communicate | |
| Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Technical security | Establish/Maintain Documentation | |
| Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Establish/Maintain Documentation | |
| Maintain up-to-date network diagrams. CC ID 00531 [{annual basis}{network architecture diagram} Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 12: Safeguard 12.4 Establish and Maintain Architecture Diagram(s) {annual basis}{network architecture diagram} Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 12: Safeguard 12.4 Establish and Maintain Architecture Diagram(s) Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Technical security | Establish/Maintain Documentation | |
| Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Establish/Maintain Documentation | |
| Include virtual systems in the network diagram. CC ID 16324 | Technical security | Data and Information Management | |
| Include the organization's name in the network diagram. CC ID 14318 | Technical security | Establish/Maintain Documentation | |
| Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Establish/Maintain Documentation | |
| Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Establish/Maintain Documentation | |
| Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Communicate | |
| Maintain up-to-date data flow diagrams. CC ID 10059 [{annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows {annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows] | Technical security | Establish/Maintain Documentation | |
| Include information flows to third parties in the data flow diagram. CC ID 13185 [{annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows] | Technical security | Establish/Maintain Documentation | |
| Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Communicate | |
| Manage all internal network connections. CC ID 06329 | Technical security | Technical Security | |
| Employ Dynamic Host Configuration Protocol server logging when assigning dynamic IP addresses using the Dynamic Host Configuration Protocol. CC ID 12109 [{weekly basis} Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. CIS Control 1: Safeguard 1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory] | Technical security | Technical Security | |
| Establish, implement, and maintain separate virtual private networks to transport sensitive information. CC ID 12124 | Technical security | Technical Security | |
| Establish, implement, and maintain separate virtual local area networks for untrusted devices. CC ID 12095 | Technical security | Technical Security | |
| Plan for and approve all network changes. CC ID 00534 | Technical security | Technical Security | |
| Manage all external network connections. CC ID 11842 | Technical security | Technical Security | |
| Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 | Technical security | Technical Security | |
| Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 | Technical security | Technical Security | |
| Prohibit systems from connecting directly to external networks. CC ID 08709 | Technical security | Configuration | |
| Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical security | Technical Security | |
| Secure the Domain Name System. CC ID 00540 | Technical security | Configuration | |
| Implement a fault-tolerant architecture. CC ID 01626 | Technical security | Technical Security | |
| Implement segregation of duties. CC ID 11843 | Technical security | Technical Security | |
| Configure the network to limit zone transfers to trusted servers. CC ID 01876 | Technical security | Configuration | |
| Establish, implement, and maintain a Boundary Defense program. CC ID 00544 [Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base. CIS Control 13: Network Monitoring and Defense Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points. CIS Control 12: Network Infrastructure Management] | Technical security | Establish/Maintain Documentation | |
| Refrain from disclosing Internet Protocol addresses, routing information, and DNS names, unless necessary. CC ID 11891 | Technical security | Technical Security | |
| Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 | Technical security | Communicate | |
| Segregate systems in accordance with organizational standards. CC ID 12546 [Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. CIS Control 12: Safeguard 12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Technical security | Technical Security | |
| Implement gateways between security domains. CC ID 16493 | Technical security | Systems Design, Build, and Implementation | |
| Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Technical Security | |
| Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 [{be equivalent} Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. CIS Control 11: Safeguard 11.3 Protect Recovery Data] | Technical security | Technical Security | |
| Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Technical Security | |
| Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Technical Security | |
| Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Technical Security | |
| Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Data and Information Management | |
| Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone. CC ID 11998 | Technical security | Technical Security | |
| Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Technical Security | |
| Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [{data storage}{be lower than} Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. CIS Control 3: Safeguard 3.12 Segment Data Processing and Storage Based on Sensitivity] | Technical security | Data and Information Management | |
| Establish, implement, and maintain a network access control standard. CC ID 00546 | Technical security | Establish/Maintain Documentation | |
| Include assigned roles and responsibilities in the network access control standard. CC ID 06410 | Technical security | Establish Roles | |
| Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Technical Security | |
| Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 [Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. CIS Control 4: Safeguard 4.4 Implement and Manage a Firewall on Servers] | Technical security | Technical Security | |
| Place firewalls between security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Technical security | Configuration | |
| Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 | Technical security | Configuration | |
| Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Technical security | Configuration | |
| Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical security | Technical Security | |
| Include configuration management and rulesets in the network access control standard. CC ID 11845 | Technical security | Establish/Maintain Documentation | |
| Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Establish/Maintain Documentation | |
| Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 | Technical security | Technical Security | |
| Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Technical security | Configuration | |
| Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 | Technical security | Establish/Maintain Documentation | |
| Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 | Technical security | Establish/Maintain Documentation | |
| Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 | Technical security | Establish/Maintain Documentation | |
| Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 | Technical security | Establish/Maintain Documentation | |
| Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 | Technical security | Establish/Maintain Documentation | |
| Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 | Technical security | Establish/Maintain Documentation | |
| Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 | Technical security | Configuration | |
| Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 [{secure network management protocol}{secure network communication protocol} Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater). CIS Control 12: Safeguard 12.6 Use Secure Network Management and Communication Protocols] | Technical security | Establish/Maintain Documentation | |
| Configure network ports to organizational standards. CC ID 14007 | Technical security | Configuration | |
| Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Technical security | Establish/Maintain Documentation | |
| Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Technical security | Establish/Maintain Documentation | |
| Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 | Technical security | Establish/Maintain Documentation | |
| Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Technical security | Establish/Maintain Documentation | |
| Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 | Technical security | Communicate | |
| Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 | Technical security | Configuration | |
| Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 | Technical security | Technical Security | |
| Configure network access and control points to protect restricted information and restricted functions. CC ID 01284 | Technical security | Configuration | |
| Protect data stored at external locations. CC ID 16333 | Technical security | Data and Information Management | |
| Protect the firewall's network connection interfaces. CC ID 01955 | Technical security | Technical Security | |
| Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 [Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. CIS Control 4: Safeguard 4.5 Implement and Manage a Firewall on End-User Devices] | Technical security | Configuration | |
| Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Technical security | Configuration | |
| Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Technical security | Configuration | |
| Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Technical security | Configuration | |
| Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Technical security | Configuration | |
| Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Technical security | Configuration | |
| Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Technical security | Configuration | |
| Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Technical security | Configuration | |
| Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Technical security | Configuration | |
| Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Technical security | Configuration | |
| Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Technical security | Configuration | |
| Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Technical security | Configuration | |
| Establish, implement, and maintain internet protocol address filters on the firewall, as necessary CC ID 01287 | Technical security | Configuration | |
| Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Technical Security | |
| Filter packets based on IPv6 header fields. CC ID 17048 | Technical security | Technical Security | |
| Configure firewall filtering to only permit established connections into the network. CC ID 12482 [Use DNS filtering services on all end-user devices, including remote and on-premises assets, to block access to known malicious domains. CIS Control 9: Safeguard 9.2 Use DNS Filtering Services] | Technical security | Technical Security | |
| Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Technical security | Data and Information Management | |
| Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical security | Technical Security | |
| Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Technical security | Data and Information Management | |
| Synchronize and secure all router configuration files. CC ID 01291 | Technical security | Configuration | |
| Synchronize and secure all firewall configuration files. CC ID 11851 | Technical security | Configuration | |
| Configure firewalls to generate an audit log. CC ID 12038 | Technical security | Audits and Risk Management | |
| Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Technical security | Configuration | |
| Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Technical security | Establish/Maintain Documentation | |
| Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Technical security | Establish/Maintain Documentation | |
| Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Technical security | Establish/Maintain Documentation | |
| Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 | Technical security | Configuration | |
| Update application layer firewalls to the most current version. CC ID 12037 | Technical security | Process or Activity | |
| Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards. CC ID 11853 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard. CC ID 11854 | Technical security | Establish/Maintain Documentation | |
| Configure third party Wireless Local Area Network services in accordance with organizational Information Assurance standards. CC ID 00751 | Technical security | Configuration | |
| Remove all unauthorized Wireless Local Area Networks. CC ID 06309 | Technical security | Configuration | |
| Establish, implement, and maintain Voice over Internet Protocol design specification. CC ID 01449 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Wireless Local Area Network Configuration Management program. CC ID 01646 | Technical security | Establish/Maintain Documentation | |
| Distrust relying solely on Wired Equivalent Privacy encryption for Wireless Local Area Networks. CC ID 01647 | Technical security | Technical Security | |
| Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access. CC ID 01648 | Technical security | Configuration | |
| Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points. CC ID 00605 | Technical security | Technical Security | |
| Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks. CC ID 04830 | Technical security | Configuration | |
| Remove all unauthorized wireless access points. CC ID 11856 | Technical security | Configuration | |
| Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Establish/Maintain Documentation | |
| Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 [Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. CIS Control 12: Safeguard 12.7 Ensue Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure] | Technical security | Testing | |
| Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 | Technical security | Establish/Maintain Documentation | |
| Develop and implement a content filtering word and phrase library. CC ID 07071 | Technical security | Establish/Maintain Documentation | |
| Use content filtering scans to identify information flows by data type specification. CC ID 06762 | Technical security | Technical Security | |
| Use content filtering scans to identify information flows by data type usage. CC ID 11818 | Technical security | Technical Security | |
| Prevent encrypted data from bypassing content filtering mechanisms. CC ID 06758 | Technical security | Technical Security | |
| Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists. CC ID 12128 [Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory. CIS Control 3: Safeguard 3.13 Deploy a Data Loss Prevention Solution] | Technical security | Technical Security | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical security | Technical Security | |
| Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 | Technical security | Establish/Maintain Documentation | |
| Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 [{spoofed e-mail message} To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. CIS Control 9: Safeguard 9.5 Implement DMARC] | Technical security | Configuration | |
| Block uncategorized sites using URL filtering. CC ID 12140 [{blacklist website} Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. CIS Control 9: Safeguard 9.3 Maintain and Enforce Network-Based URL Filters] | Technical security | Technical Security | |
| Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 [{biannual basis} Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.5 Allowlist Authorized Software {biannual basis} Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.5 Allowlist Authorized Software {unauthorized software library} {biannual basis} Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.6 Allowlist Authorized Libraries {unauthorized software library} {biannual basis} Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.6 Allowlist Authorized Libraries] | Technical security | Establish/Maintain Documentation | |
| Secure access to each system component operating system. CC ID 00551 | Technical security | Configuration | |
| Separate user functionality from system management functionality. CC ID 11858 [Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account. CIS Control 5: Safeguard 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts] | Technical security | Technical Security | |
| Control all methods of remote access and teleworking. CC ID 00559 [{remote connection} Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date. CIS Control 13: Safeguard 13.5 Manage Access Control for Remote Assets] | Technical security | Technical Security | |
| Assign virtual escorting to authorized personnel. CC ID 16440 | Technical security | Process or Activity | |
| Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Technical security | Establish/Maintain Documentation | |
| Include information security requirements in the remote access and teleworking program. CC ID 15704 | Technical security | Establish/Maintain Documentation | |
| Refrain from allowing remote users to copy files to remote devices. CC ID 06792 | Technical security | Technical Security | |
| Control remote administration in accordance with organizational standards. CC ID 04459 | Technical security | Configuration | |
| Control remote access through a network access control. CC ID 01421 | Technical security | Technical Security | |
| Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 | Technical security | Configuration | |
| Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 | Technical security | Technical Security | |
| Employ multifactor authentication for remote access to the organization's network. CC ID 12505 [Require MFA for remote network access. CIS Control 6: Safeguard 6.4 Require MFA for Remote Network Access] | Technical security | Technical Security | |
| Implement multifactor authentication techniques. CC ID 00561 [{externally-exposed enterprise application} Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. CIS Control 6: Safeguard 6.3 Require MFA for Externally-Exposed Applications] | Technical security | Configuration | |
| Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical security | Technical Security | |
| Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Technical Security | |
| Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Establish/Maintain Documentation | |
| Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical security | Technical Security | |
| Protect remote access accounts with encryption. CC ID 00562 | Technical security | Configuration | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 [Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. CIS Control 16: Safeguard 16.11 Leverage Vetted Modules or Services for Application Security Components] | Technical security | Technical Security | |
| Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Business Processes | |
| Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Technical security | Establish/Maintain Documentation | |
| Define the cryptographic boundaries. CC ID 06543 | Technical security | Establish/Maintain Documentation | |
| Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Technical security | Establish/Maintain Documentation | |
| Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Technical security | Establish/Maintain Documentation | |
| Implement the documented cryptographic module security functions. CC ID 06755 | Technical security | Data and Information Management | |
| Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Technical security | Establish/Maintain Documentation | |
| Document the operation of the cryptographic module. CC ID 06546 | Technical security | Establish/Maintain Documentation | |
| Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical security | Technical Security | |
| Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Data and Information Management | |
| Include the expiration date in digital signatures. CC ID 13833 | Technical security | Data and Information Management | |
| Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Data and Information Management | |
| Include the subject in digital signatures. CC ID 13832 | Technical security | Data and Information Management | |
| Include the issuer in digital signatures. CC ID 13831 | Technical security | Data and Information Management | |
| Include identifiers in the digital signature. CC ID 13829 | Technical security | Data and Information Management | |
| Generate and protect a secret random number for each digital signature. CC ID 06577 | Technical security | Establish/Maintain Documentation | |
| Establish the security strength requirements for the digital signature process. CC ID 06578 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Technical security | Establish/Maintain Documentation | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Configuration | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 [Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. CIS Control 3: Safeguard 3.6 Encrypt Data on End-User Devices Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. CIS Control 3: Safeguard 3.11 Encrypt Sensitive Data at Rest] | Technical security | Data and Information Management | |
| Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Data and Information Management | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Technical Security | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Data and Information Management | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Data and Information Management | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Technical Security | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Data and Information Management | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Process or Activity | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Process or Activity | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Communicate | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Process or Activity | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Data and Information Management | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Communicate | |
| Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Establish/Maintain Documentation | |
| Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Establish Roles | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Communicate | |
| Bind keys to each identity. CC ID 12337 | Technical security | Technical Security | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Establish/Maintain Documentation | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Establish/Maintain Documentation | |
| Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Technical security | Establish/Maintain Documentation | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Data and Information Management | |
| Generate strong cryptographic keys. CC ID 01299 | Technical security | Data and Information Management | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Technical Security | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Data and Information Management | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Technical Security | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 | Technical security | Data and Information Management | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Data and Information Management | |
| Store cryptographic keys securely. CC ID 01298 | Technical security | Data and Information Management | |
| Restrict access to cryptographic keys. CC ID 01297 | Technical security | Data and Information Management | |
| Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Data and Information Management | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Technical Security | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Establish/Maintain Documentation | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Data and Information Management | |
| Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Technical security | Communicate | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Data and Information Management | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Technical security | Data and Information Management | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Data and Information Management | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Technical Security | |
| Archive outdated cryptographic keys. CC ID 06884 | Technical security | Data and Information Management | |
| Archive revoked cryptographic keys. CC ID 11819 | Technical security | Data and Information Management | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Establish/Maintain Documentation | |
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Human Resources Management | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Data and Information Management | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Establish/Maintain Documentation | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Establish Roles | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Establish/Maintain Documentation | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Establish/Maintain Documentation | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Establish/Maintain Documentation | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Establish/Maintain Documentation | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Establish/Maintain Documentation | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Technical Security | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Technical Security | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Establish/Maintain Documentation | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Establish/Maintain Documentation | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Establish/Maintain Documentation | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Establish/Maintain Documentation | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Technical Security | |
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Records Management | |
| Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical security | Technical Security | |
| Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical security | Technical Security | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). CIS Control 3: Safeguard 3.10 Encrypt Sensitive Data in Transit] | Technical security | Technical Security | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Configuration | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Technical Security | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Technical Security | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Establish/Maintain Documentation | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Technical Security | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Technical Security | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{malicious code}{malicious script} Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. CIS Control 10: Malware Defenses Centrally manage anti-malware software. CIS Control 10: Safeguard 10.6 Centrally Manage Anti-Malware Software] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Communicate | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Communicate | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Establish/Maintain Documentation | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Technical security | Behavior | |
| Install security and protection software, as necessary. CC ID 00575 [Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and GatekeeperTM. CIS Control 10: Safeguard 10.5 Enable Anti-Exploitation Features Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing. CIS Control 9: Safeguard 9.7 Deploy and Maintain Email Server Anti-Malware Protections Deploy and maintain anti-malware software on all enterprise assets. CIS Control 10: Safeguard 10.1 Deploy and Maintain Anti-Malware Software Use behavior-based anti-malware software. CIS Control 10: Safeguard 10.7 Use Behavior-Based Anti-Malware Software] | Technical security | Configuration | |
| Install and maintain container security solutions. CC ID 16178 | Technical security | Technical Security | |
| Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical security | Technical Security | |
| Protect the system against replay attacks. CC ID 04552 | Technical security | Technical Security | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Establish Roles | |
| Lock antivirus configurations. CC ID 10047 | Technical security | Configuration | |
| Establish, implement, and maintain an application security policy. CC ID 06438 | Technical security | Establish/Maintain Documentation | |
| Include all vulnerabilities in the application security review. CC ID 12036 | Technical security | Process or Activity | |
| Assign application security reviews for web-facing applications to an organization that specializes in application security. CC ID 12035 | Technical security | Establish Roles | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Data and Information Management | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 [Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services. CIS Control 11: Safeguard 11.4 Establish and Maintain an Isolated Instance of Recovery Data] | Physical and environmental protection | Records Management | |
| Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Physical and environmental protection | Establish/Maintain Documentation | |
| Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Process or Activity | |
| Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Establish/Maintain Documentation | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Business Processes | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Physical and Environmental Protection | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Establish/Maintain Documentation | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Physical and Environmental Protection | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Data and Information Management | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Physical and Environmental Protection | |
| Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Data and Information Management | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 [Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. CIS Control 11: Data Recovery {annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process {annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Communicate | |
| Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
| Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 [{annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 [{be equivalent} Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. CIS Control 11: Safeguard 11.3 Protect Recovery Data] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Communicate | |
| Include restoration procedures in the continuity plan. CC ID 01169 | Operational and Systems Continuity | Establish Roles | |
| Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [{annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the protection of personnel in the continuity plan. CC ID 06378 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Human Resources Management | |
| Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Operational and Systems Continuity | Systems Continuity | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 [{weekly basis} Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. CIS Control 11: Safeguard 11.2 Perform Automated Backups] | Operational and Systems Continuity | Systems Continuity | |
| Perform backup procedures for in scope systems. CC ID 11692 [{weekly basis} Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. CIS Control 11: Safeguard 11.2 Perform Automated Backups] | Operational and Systems Continuity | Process or Activity | |
| Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Data and Information Management | |
| Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Data and Information Management | |
| Back up all records. CC ID 11974 | Operational and Systems Continuity | Systems Continuity | |
| Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Data and Information Management | |
| Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Encrypt backup data. CC ID 00958 [{be equivalent} Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. CIS Control 11: Safeguard 11.3 Protect Recovery Data] | Operational and Systems Continuity | Configuration | |
| Log the execution of each backup. CC ID 00956 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Digitally sign disk images, as necessary. CC ID 06814 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 | Operational and Systems Continuity | Systems Continuity | |
| Protect backup systems and restoration systems at the alternate facility. CC ID 04883 [{annual basis} Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 11: Safeguard 11.1 Establish and Maintain a Data Recovery Process] | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Establish/Maintain Documentation | |
| Train all new hires, as necessary. CC ID 06673 [{annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program] | Human Resources management | Behavior | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Establish/Maintain Documentation | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 [Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling {annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Human Resources management | Establish Roles | |
| Delegate authority for specific processes, as necessary. CC ID 06780 | Human Resources management | Behavior | |
| Implement a staff rotation plan. CC ID 12772 | Human Resources management | Human Resources Management | |
| Rotate duties amongst the critical roles and positions. CC ID 06554 | Human Resources management | Establish Roles | |
| Place Information Technology operations in a position to support the business model. CC ID 00766 | Human Resources management | Business Processes | |
| Review organizational personnel successes. CC ID 00767 | Human Resources management | Business Processes | |
| Implement personnel supervisory practices. CC ID 00773 | Human Resources management | Behavior | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Technical Security | |
| Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779 | Human Resources management | Behavior | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Behavior | |
| Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Business Processes | |
| Retrain all personnel, as necessary. CC ID 01362 [{annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program {annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding] | Human Resources management | Behavior | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 [{annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding] | Human Resources management | Behavior | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 [Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise. CIS Control 14: Security Awareness and Skills Training {annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program {annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program] | Human Resources management | Establish/Maintain Documentation | |
| Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Training | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
| Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 [{annual basis} Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program] | Human Resources management | Establish/Maintain Documentation | |
| Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Training | |
| Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Training | |
| Include security policies and security standards in the security awareness program. CC ID 13045 [Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management. CIS Control 14: Safeguard 14.3 Train Workforce Members on Authentication Best Practices Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. CIS Control 14: Safeguard 14.4 Train Workforce on Data Handling Best Practices] | Human Resources management | Establish/Maintain Documentation | |
| Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
| Include data management in the security awareness program. CC ID 17010 | Human Resources management | Training | |
| Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Training | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Establish/Maintain Documentation | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
| Include cybersecurity in the security awareness program. CC ID 13183 [Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. CIS Control 14: Safeguard 14.4 Train Workforce on Data Handling Best Practices Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure. CIS Control 14: Safeguard 14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks] | Human Resources management | Training | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
| Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Training | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 [Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences. CIS Control 14: Safeguard 14.5 Train Workforce Members on Causes of Unintentional Data Exposure Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles. CIS Control 14: Safeguard 14.9 Conduct Role-Specific Security Awareness and Skills Training] | Human Resources management | Establish/Maintain Documentation | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
| Include remote access in the security awareness program. CC ID 13892 [Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure. CIS Control 14: Safeguard 14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks] | Human Resources management | Establish/Maintain Documentation | |
| Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Human Resources Management | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
| Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Train workforce members to be able to recognize a potential incident and be able to report such an incident. CIS Control 14: Safeguard 14.6 Train Workforce Members on Recognizing and Reporting Security Incidents Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating. CIS Control 14: Safeguard 14.2 Train Workforce Members to Recognize Social Engineering Attacks] | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 [Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools. CIS Control 14: Safeguard 14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools. CIS Control 14: Safeguard 14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates] | Human Resources management | Training | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 [{annual basis} Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding] | Operational management | Business Processes | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Establish/Maintain Documentation | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 [{annual basis} Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1] | Operational management | Establish/Maintain Documentation | |
| Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 [Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. CIS Control 4: Safeguard 4.7 Manage Default Accounts on Enterprise Assets and Software Centralize account management through a directory or identity service. CIS Control 5: Safeguard 5.6 Centralize Account Management] | Operational management | Establish/Maintain Documentation | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{annual basis} Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.8 Document Data Flows {annual basis} Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. CIS Control 15: Safeguard 15.4 Ensure Service Provider Contracts Include Security Requirements] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a network management program. CC ID 13123 [{monthly basis} Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. CIS Control 12: Safeguard 12.1 Ensure Network Infrastructure is Up-to-Date Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS. CIS Control 12: Safeguard 12.3 Securely Manage Network Infrastructure] | Operational management | Establish/Maintain Documentation | |
| Include quality of service requirements in the network management program. CC ID 16429 | Operational management | Establish/Maintain Documentation | |
| Document the network design in the network management program. CC ID 13135 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain network documentation. CC ID 16497 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the network standard to all interested personnel and affected parties. CC ID 13129 | Operational management | Communicate | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 [{unauthorized asset} Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. CIS Control 1: Inventory and Control of Enterprise Assets Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software] | Operational management | Business Processes | |
| Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Business Processes | |
| Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Establish/Maintain Documentation | |
| Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Human Resources Management | |
| Define the requirements for where assets can be located. CC ID 17051 | Operational management | Business Processes | |
| Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Business Processes | |
| Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Establish/Maintain Documentation | |
| Include program objectives in the asset management program. CC ID 14413 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Establish/Maintain Documentation | |
| Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Business Processes | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Establish/Maintain Documentation | |
| Define confidentiality controls. CC ID 01908 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the systems' availability level. CC ID 01905 [Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components. CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture] | Operational management | Establish/Maintain Documentation | |
| Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Process or Activity | |
| Define integrity controls. CC ID 01909 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Establish/Maintain Documentation | |
| Define availability controls. CC ID 01911 | Operational management | Establish/Maintain Documentation | |
| Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Communicate | |
| Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Establish Roles | |
| Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Business Processes | |
| Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Establish/Maintain Documentation | |
| Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Establish Roles | |
| Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 [{data storage}{be lower than} Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. CIS Control 3: Safeguard 3.12 Segment Data Processing and Storage Based on Sensitivity] | Operational management | Configuration | |
| Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 [{annual basis}{authentication system} Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. CIS Control 6: Safeguard 6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {weekly basis} Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. CIS Control 1: Safeguard 1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory] | Operational management | Business Processes | |
| Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [{weekly basis} Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. CIS Control 1: Safeguard 1.5 Use a Passive Asset Discovery Tool {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Establish/Maintain Documentation | |
| Include all account types in the Information Technology inventory. CC ID 13311 [{user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Operational management | Establish/Maintain Documentation | |
| Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Systems Design, Build, and Implementation | |
| Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Data and Information Management | |
| Include each Information System's major applications in the Information Technology inventory. CC ID 01407 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Establish/Maintain Documentation | |
| Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Establish/Maintain Documentation | |
| Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Establish/Maintain Documentation | |
| Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Establish/Maintain Documentation | |
| Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Establish/Maintain Documentation | |
| Conduct environmental surveys. CC ID 00690 | Operational management | Physical and Environmental Protection | |
| Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a hardware asset inventory. CC ID 00691 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Establish/Maintain Documentation | |
| Include network equipment in the Information Technology inventory. CC ID 00693 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Establish/Maintain Documentation | |
| Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Establish/Maintain Documentation | |
| Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Process or Activity | |
| Include software in the Information Technology inventory. CC ID 00692 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 [{unauthorized software} Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. CIS Control 2: Inventory and Control of Software Assets {monthly basis} Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. CIS Control 12: Safeguard 12.1 Ensure Network Infrastructure is Up-to-Date {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 [{annual basis} Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. CIS Control 3: Safeguard 3.2 Establish and Maintain a Data Inventory {annual basis} Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. CIS Control 3: Safeguard 3.2 Establish and Maintain a Data Inventory Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory. CIS Control 3: Safeguard 3.13 Deploy a Data Loss Prevention Solution] | Operational management | Establish/Maintain Documentation | |
| Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Establish/Maintain Documentation | |
| Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Establish/Maintain Documentation | |
| Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 [{daily basis} Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently. CIS Control 1: Safeguard 1.3 Utilize an Active Discovery Tool Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software. CIS Control 2: Safeguard 2.4 Utilize Automated Software Inventory Tools] | Operational management | Technical Security | |
| Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Technical Security | |
| Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Data and Information Management | |
| Record the decommission date for applicable assets in the asset inventory. CC ID 14920 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Establish/Maintain Documentation | |
| Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Data and Information Management | |
| Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Data and Information Management | |
| Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Establish/Maintain Documentation | |
| Include source code in the asset inventory. CC ID 14858 | Operational management | Records Management | |
| Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Human Resources Management | |
| Record the review date for applicable assets in the asset inventory. CC ID 14919 [{quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts] | Operational management | Establish/Maintain Documentation | |
| Record software license information for each asset in the asset inventory. CC ID 11736 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Data and Information Management | |
| Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Establish/Maintain Documentation | |
| Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Establish/Maintain Documentation | |
| Record the software version in the asset inventory. CC ID 12196 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Establish/Maintain Documentation | |
| Record the publisher for applicable assets in the asset inventory. CC ID 13725 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Establish/Maintain Documentation | |
| Record the authentication system in the asset inventory. CC ID 13724 [{annual basis}{authentication system} Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. CIS Control 6: Safeguard 6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems] | Operational management | Establish/Maintain Documentation | |
| Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Establish/Maintain Documentation | |
| Record the install date for applicable assets in the asset inventory. CC ID 13720 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Establish/Maintain Documentation | |
| Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Establish/Maintain Documentation | |
| Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Establish/Maintain Documentation | |
| Record the host name of applicable assets in the asset inventory. CC ID 13722 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Establish/Maintain Documentation | |
| Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Establish/Maintain Documentation | |
| Record the MAC address for applicable assets in the asset inventory. CC ID 13721 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Establish/Maintain Documentation | |
| Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Data and Information Management | |
| Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Establish/Maintain Documentation | |
| Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Data and Information Management | |
| Record the department associated with the asset in the asset inventory. CC ID 12084 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {user account} {quarterly basis} Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.1 Establish and Maintain an Inventory of Accounts] | Operational management | Establish/Maintain Documentation | |
| Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Establish/Maintain Documentation | |
| Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Establish/Maintain Documentation | |
| Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Establish/Maintain Documentation | |
| Record the related business function for applicable assets in the asset inventory. CC ID 06636 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts {biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Establish/Maintain Documentation | |
| Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 [{biannual basis} {install date} Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently. CIS Control 2: Safeguard 2.1 Establish and Maintain a Software Inventory] | Operational management | Establish/Maintain Documentation | |
| Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory] | Operational management | Establish/Maintain Documentation | |
| Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Data and Information Management | |
| Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Data and Information Management | |
| Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Establish/Maintain Documentation | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 [{biannual basis}{MAC address} Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory {quarterly basis} Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. CIS Control 5: Safeguard 5.5 Establish and Maintain an Inventory of Service Accounts] | Operational management | Establish/Maintain Documentation | |
| Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Establish/Maintain Documentation | |
| Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Establish/Maintain Documentation | |
| Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Establish/Maintain Documentation | |
| Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain software asset management procedures. CC ID 00895 [{unauthorized software} Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. CIS Control 2: Inventory and Control of Software Assets Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software] | Operational management | Establish/Maintain Documentation | |
| Prevent users from disabling required software. CC ID 16417 | Operational management | Technical Security | |
| Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Establish/Maintain Documentation | |
| Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Operational management | Behavior | |
| Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Operational management | Data and Information Management | |
| Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 | Operational management | Configuration | |
| Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Acquisition/Sale of Assets or Services | |
| Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Establish/Maintain Documentation | |
| Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Establish/Maintain Documentation | |
| Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Business Processes | |
| Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Business Processes | |
| Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain maintenance reports. CC ID 11749 | Operational management | Establish/Maintain Documentation | |
| Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Maintenance | |
| Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Maintenance | |
| Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Maintenance | |
| Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Maintenance | |
| Establish and maintain system inspection reports. CC ID 06346 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Establish/Maintain Documentation | |
| Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Establish/Maintain Documentation | |
| Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Establish/Maintain Documentation | |
| Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Communicate | |
| Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Communicate | |
| Establish, implement, and maintain a technology refresh plan. CC ID 13061 [Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise. CIS Control 16: Application Software Security] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Operational management | Establish/Maintain Documentation | |
| Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Operational management | Communicate | |
| Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Physical and Environmental Protection | |
| Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Behavior | |
| Use system components only when third party support is available. CC ID 10644 | Operational management | Maintenance | |
| Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Operational management | Process or Activity | |
| Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Maintenance | |
| Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Business Processes | |
| Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Technical Security | |
| Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Configuration | |
| Approve all remote maintenance sessions. CC ID 10615 | Operational management | Technical Security | |
| Log the performance of all remote maintenance. CC ID 13202 | Operational management | Log Management | |
| Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Technical Security | |
| Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Maintenance | |
| Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Maintenance | |
| Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Maintenance | |
| Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Behavior | |
| Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Establish/Maintain Documentation | |
| Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Acquisition/Sale of Assets or Services | |
| Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Behavior | |
| Restart systems on a periodic basis. CC ID 16498 | Operational management | Maintenance | |
| Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Maintenance | |
| Employ dedicated systems during system maintenance. CC ID 12108 [Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. CIS Control 12: Safeguard 12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work] | Operational management | Technical Security | |
| Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 [Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. CIS Control 12: Safeguard 12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work] | Operational management | Technical Security | |
| Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Human Resources Management | |
| Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Physical and Environmental Protection | |
| Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Establish/Maintain Documentation | |
| Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Process or Activity | |
| Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Business Processes | |
| Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Operational management | Communicate | |
| Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Business Processes | |
| Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Business Processes | |
| Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Establish/Maintain Documentation | |
| Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Establish/Maintain Documentation | |
| Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Business Processes | |
| Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Operational management | Establish/Maintain Documentation | |
| Review each system's operational readiness. CC ID 06275 | Operational management | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain an unauthorized software list. CC ID 10601 [{monthly basis} Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. CIS Control 2: Safeguard 2.3 Address Unauthorized Software {unauthorized software}{monthly basis} Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. CIS Control 2: Safeguard 2.2 Ensure Authorized Software is Currently Supported] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [{annual basis} Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat, or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.6 Define Mechanisms for Communicating During Incident Response] | Operational management | Business Processes | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Communicate | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 [Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling] | Operational management | Human Resources Management | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Establish/Maintain Documentation | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Establish/Maintain Documentation | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds] | Operational management | Establish/Maintain Documentation | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 [{annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds] | Operational management | Establish/Maintain Documentation | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Establish/Maintain Documentation | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Operational management | Establish/Maintain Documentation | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
| Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 [{annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds {annual basis} Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.9 Establish and Maintain Security Incident Thresholds] | Operational management | Establish/Maintain Documentation | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Establish/Maintain Documentation | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Establish/Maintain Documentation | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Establish/Maintain Documentation | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Establish/Maintain Documentation | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
| Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
| Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Business Processes | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Establish/Maintain Documentation | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Establish/Maintain Documentation | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Establish/Maintain Documentation | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Establish/Maintain Documentation | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Establish/Maintain Documentation | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Establish/Maintain Documentation | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Monitor and Evaluate Occurrences | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Investigate | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Establish/Maintain Documentation | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Establish/Maintain Documentation | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Technical Security | |
| Include incident management procedures in the Incident Management program. CC ID 12689 [Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Establish/Maintain Documentation | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 [Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. CIS Control 17: Safeguard 17.8 Conduct Post-Incident Reviews] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Establish/Maintain Documentation | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Establish/Maintain Documentation | |
| Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Data and Information Management | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Records Management | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Establish/Maintain Documentation | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Log Management | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Log Management | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Establish/Maintain Documentation | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Log Management | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Establish/Maintain Documentation | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Establish/Maintain Documentation | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Establish/Maintain Documentation | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents {annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents {annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents {annual basis} Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat, or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.6 Define Mechanisms for Communicating During Incident Response] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Operational management | Communicate | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 [Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack. CIS Control 17: Incident Response Management] | Operational management | Establish/Maintain Documentation | |
| Create an incident response report. CC ID 12700 | Operational management | Establish/Maintain Documentation | |
| Include how the incident was discovered in the incident response report. CC ID 16987 | Operational management | Establish/Maintain Documentation | |
| Include the categories of data that were compromised in the incident response report. CC ID 16985 | Operational management | Establish/Maintain Documentation | |
| Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Establish/Maintain Documentation | |
| Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Establish/Maintain Documentation | |
| Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Establish/Maintain Documentation | |
| Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Operational management | Establish/Maintain Documentation | |
| Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Operational management | Establish/Maintain Documentation | |
| Include investments associated with the incident in the incident response report. CC ID 12726 | Operational management | Establish/Maintain Documentation | |
| Include costs associated with the incident in the incident response report. CC ID 12725 | Operational management | Establish/Maintain Documentation | |
| Include losses due to the incident in the incident response report. CC ID 12724 | Operational management | Establish/Maintain Documentation | |
| Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Operational management | Establish/Maintain Documentation | |
| Include foregone revenue from the incident in the incident response report. CC ID 12723 | Operational management | Establish/Maintain Documentation | |
| Include the magnitude of the incident in the incident response report. CC ID 12722 | Operational management | Establish/Maintain Documentation | |
| Include implications of the incident in the incident response report. CC ID 12721 | Operational management | Establish/Maintain Documentation | |
| Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Operational management | Establish/Maintain Documentation | |
| Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Operational management | Establish/Maintain Documentation | |
| Include information on all affected assets in the incident response report. CC ID 12718 | Operational management | Establish/Maintain Documentation | |
| Include the scope of the incident in the incident response report. CC ID 12717 | Operational management | Establish/Maintain Documentation | |
| Include the duration of the incident in the incident response report. CC ID 12716 | Operational management | Establish/Maintain Documentation | |
| Include the extent of the incident in the incident response report. CC ID 12715 | Operational management | Establish/Maintain Documentation | |
| Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Operational management | Establish/Maintain Documentation | |
| Include the reasons the incident occurred in the incident response report. CC ID 12711 | Operational management | Establish/Maintain Documentation | |
| Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Operational management | Establish/Maintain Documentation | |
| Include lessons learned from the incident in the incident response report. CC ID 12713 [Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. CIS Control 17: Safeguard 17.8 Conduct Post-Incident Reviews] | Operational management | Establish/Maintain Documentation | |
| Include where the incident occurred in the incident response report. CC ID 12710 | Operational management | Establish/Maintain Documentation | |
| Include when the incident occurred in the incident response report. CC ID 12709 | Operational management | Establish/Maintain Documentation | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. CIS Control 17: Safeguard 17.8 Conduct Post-Incident Reviews] | Operational management | Establish/Maintain Documentation | |
| Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Operational management | Establish/Maintain Documentation | |
| Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Operational management | Establish/Maintain Documentation | |
| Include an executive summary of the incident in the incident response report. CC ID 12702 | Operational management | Establish/Maintain Documentation | |
| Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Operational management | Establish/Maintain Documentation | |
| Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Operational management | Communicate | |
| Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 | Operational management | Acquisition/Sale of Assets or Services | |
| Define target resolution times for incident response in the Incident Response program. CC ID 13072 | Operational management | Establish/Maintain Documentation | |
| Mitigate reported incidents. CC ID 12973 | Operational management | Actionable Reports or Measurements | |
| Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Establish/Maintain Documentation | |
| Include addressing external communications in the incident response plan. CC ID 13351 | Operational management | Establish/Maintain Documentation | |
| Include addressing internal communications in the incident response plan. CC ID 13350 | Operational management | Establish/Maintain Documentation | |
| Include change control procedures in the incident response plan. CC ID 15479 | Operational management | Establish/Maintain Documentation | |
| Include addressing information sharing in the incident response plan. CC ID 13349 | Operational management | Establish/Maintain Documentation | |
| Include dynamic reconfiguration in the incident response plan. CC ID 14306 | Operational management | Establish/Maintain Documentation | |
| Include a definition of reportable incidents in the incident response plan. CC ID 14303 | Operational management | Establish/Maintain Documentation | |
| Include the management support needed for incident response in the incident response plan. CC ID 14300 | Operational management | Establish/Maintain Documentation | |
| Include root cause analysis in the incident response plan. CC ID 16423 | Operational management | Establish/Maintain Documentation | |
| Include how incident response fits into the organization in the incident response plan. CC ID 14294 | Operational management | Establish/Maintain Documentation | |
| Include the resources needed for incident response in the incident response plan. CC ID 14292 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a cyber incident response plan. CC ID 13286 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 | Operational management | Communicate | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Establish/Maintain Documentation | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process {annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities {annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Operational management | Establish Roles | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Establish Roles | |
| Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Establish Roles | |
| Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Establish Roles | |
| Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Establish Roles | |
| Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Operational management | Establish Roles | |
| Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Establish Roles | |
| Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Establish Roles | |
| Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Establish Roles | |
| Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Operational management | Establish Roles | |
| Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Establish Roles | |
| Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Operational management | Human Resources Management | |
| Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Operational management | Establish/Maintain Documentation | |
| Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Operational management | Communicate | |
| Include personnel contact information in the event of an incident in the Incident Response program. CC ID 06385 [{annual basis} Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, service providers, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. CIS Control 17: Safeguard 17.2 Establish and Maintain Contact Information for Reporting Security Incidents {annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Operational management | Establish/Maintain Documentation | |
| Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program. CC ID 11789 | Operational management | Establish/Maintain Documentation | |
| Include identifying remediation actions in the incident response plan. CC ID 13354 | Operational management | Establish/Maintain Documentation | |
| Include procedures for providing updated status information to the crisis management team in the incident response plan. CC ID 12776 | Operational management | Establish/Maintain Documentation | |
| Include log management procedures in the incident response program. CC ID 17081 | Operational management | Establish/Maintain Documentation | |
| Include coverage of all system components in the Incident Response program. CC ID 11955 | Operational management | Establish/Maintain Documentation | |
| Prepare for incident response notifications. CC ID 00584 | Operational management | Establish/Maintain Documentation | |
| Include incident response team services in the Incident Response program. CC ID 11766 | Operational management | Establish/Maintain Documentation | |
| Include the incident response training program in the Incident Response program. CC ID 06750 | Operational management | Establish/Maintain Documentation | |
| Incorporate simulated events into the incident response training program. CC ID 06751 | Operational management | Behavior | |
| Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 | Operational management | Behavior | |
| Conduct incident response training. CC ID 11889 [Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. CIS Control 17: Safeguard 17.7 Conduct Routine Incident Response Exercises] | Operational management | Training | |
| Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Establish/Maintain Documentation | |
| Include compliance requirements in the incident response policy. CC ID 14108 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process] | Operational management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the incident response policy. CC ID 14107 [{annual basis} Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.4 Establish and Maintain an Incident Response Process] | Operational management | Establish/Maintain Documentation | |
| Include management commitment in the incident response policy. CC ID 14106 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the incident response policy. CC ID 14105 | Operational management | Establish/Maintain Documentation | |
| Include the scope in the incident response policy. CC ID 14104 | Operational management | Establish/Maintain Documentation | |
| Include the purpose in the incident response policy. CC ID 14101 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 | Operational management | Communicate | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Establish/Maintain Documentation | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Establish/Maintain Documentation | |
| Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 | Operational management | Behavior | |
| Include business continuity procedures in the Incident Response program. CC ID 06433 | Operational management | Establish/Maintain Documentation | |
| Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures. CC ID 06432 | Operational management | Establish/Maintain Documentation | |
| Include consumer protection procedures in the Incident Response program. CC ID 12755 | Operational management | Systems Continuity | |
| Include the reimbursement of customers for financial losses due to incidents in the Incident Response program. CC ID 12756 | Operational management | Business Processes | |
| Include business recovery procedures in the Incident Response program. CC ID 11774 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Establish/Maintain Documentation | |
| Retain collected evidence for potential future legal actions. CC ID 01235 | Operational management | Records Management | |
| Include time information in the chain of custody. CC ID 17068 | Operational management | Log Management | |
| Include actions performed on evidence in the chain of custody. CC ID 17067 | Operational management | Log Management | |
| Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Operational management | Log Management | |
| Define the business scenarios that require digital forensic evidence. CC ID 08653 | Operational management | Establish/Maintain Documentation | |
| Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Operational management | Establish/Maintain Documentation | |
| Identify potential sources of digital forensic evidence. CC ID 08651 | Operational management | Investigate | |
| Document the legal requirements for evidence collection. CC ID 08654 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Operational management | Records Management | |
| Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [{annual basis} Establish and maintain an documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents] | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 | Operational management | Actionable Reports or Measurements | |
| Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Actionable Reports or Measurements | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Process or Activity | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 [{annual basis} Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.1 Establish and Maintain a Secure Configuration Process {annual basis} Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure] | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 | System hardening through configuration management | Business Processes | |
| Establish, implement, and maintain appropriate system labeling. CC ID 01900 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | System hardening through configuration management | Establish/Maintain Documentation | |
| Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain configuration management procedures. CC ID 14074 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | System hardening through configuration management | Communicate | |
| Include compliance requirements in the configuration management policy. CC ID 14072 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the configuration management policy. CC ID 14071 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include management commitment in the configuration management policy. CC ID 14070 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the configuration management policy. CC ID 14069 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the scope in the configuration management policy. CC ID 14068 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the purpose in the configuration management policy. CC ID 14067 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | System hardening through configuration management | Communicate | |
| Establish, implement, and maintain a configuration management plan. CC ID 01901 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include configuration management procedures in the configuration management plan. CC ID 14248 [{annual basis} Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.1 Establish and Maintain a Secure Configuration Process {annual basis} Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 4: Safeguard 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure] | System hardening through configuration management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the configuration management plan. CC ID 14247 | System hardening through configuration management | Establish/Maintain Documentation | |
| Approve the configuration management plan. CC ID 14717 | System hardening through configuration management | Business Processes | |
| Establish, implement, and maintain system tracking documentation. CC ID 15266 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include prioritization codes in the system tracking documentation. CC ID 15283 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the type and category of the request in the system tracking documentation. CC ID 15281 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include contact information in the system tracking documentation. CC ID 15280 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the username in the system tracking documentation. CC ID 15278 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include a problem description in the system tracking documentation. CC ID 15276 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include affected systems in the system tracking documentation. CC ID 15275 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include root causes in the system tracking documentation. CC ID 15274 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include current status in the system tracking documentation. CC ID 15272 | System hardening through configuration management | Establish/Maintain Documentation | |
| Employ the Configuration Management program. CC ID 11904 | System hardening through configuration management | Configuration | |
| Record Configuration Management items in the Configuration Management database. CC ID 00861 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 | System hardening through configuration management | Communicate | |
| Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | System hardening through configuration management | Establish/Maintain Documentation | |
| Document external connections for all systems. CC ID 06415 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). CIS Control 4: Secure Configuration of Enterprise Assets and Software] | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include installed custom software in the baseline configuration. CC ID 13274 [Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. CIS Control 16: Safeguard 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure] | System hardening through configuration management | Establish/Maintain Documentation | |
| Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include backup procedures in the Configuration Management policy. CC ID 01314 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system hardening standard. CC ID 00876 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain configuration standards. CC ID 11953 [{biannual basis} Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.7 Allowlist Authorized Scripts] | System hardening through configuration management | Configuration | |
| Include common security parameter settings in the configuration standards for all systems. CC ID 12544 | System hardening through configuration management | Establish/Maintain Documentation | |
| Apply configuration standards to all systems, as necessary. CC ID 12503 [{daily basis} Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently. CIS Control 1: Safeguard 1.3 Utilize an Active Discovery Tool Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. CIS Control 16: Safeguard 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure] | System hardening through configuration management | Configuration | |
| Document and justify system hardening standard exceptions. CC ID 06845 | System hardening through configuration management | Configuration | |
| Configure security parameter settings on all system components appropriately. CC ID 12041 [{biannual basis} Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.7 Allowlist Authorized Scripts] | System hardening through configuration management | Technical Security | |
| Provide documentation verifying devices are not susceptible to known exploits. CC ID 11987 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure session timeout and reauthentication settings according to organizational standards. CC ID 12460 [{stipulated timeframe} Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. CIS Control 4: Safeguard 4.3 Configure Automatic Session Locking on Enterprise Assets {stipulated timeframe} Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. CIS Control 4: Safeguard 4.3 Configure Automatic Session Locking on Enterprise Assets] | System hardening through configuration management | Technical Security | |
| Terminate all dependent sessions upon session termination. CC ID 16984 | System hardening through configuration management | Technical Security | |
| Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 [{stipulated timeframe} Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. CIS Control 4: Safeguard 4.3 Configure Automatic Session Locking on Enterprise Assets] | System hardening through configuration management | Configuration | |
| Display an explicit logout message when disconnecting an authenticated communications session. CC ID 10093 | System hardening through configuration management | Configuration | |
| Invalidate session identifiers upon session termination. CC ID 10649 | System hardening through configuration management | Technical Security | |
| Block and/or remove unnecessary software and unauthorized software. CC ID 00865 [{unauthorized software} Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. CIS Control 2: Inventory and Control of Software Assets {monthly basis} Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. CIS Control 2: Safeguard 2.3 Address Unauthorized Software {insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures {unauthorized software library} {biannual basis} Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.6 Allowlist Authorized Libraries] | System hardening through configuration management | Configuration | |
| Use the latest approved version of all assets. CC ID 00897 [Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. CIS Control 9: Safeguard 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients] | System hardening through configuration management | Technical Security | |
| Install the most current Windows Service Pack. CC ID 01695 | System hardening through configuration management | Configuration | |
| Install critical security updates and important security updates in a timely manner. CC ID 01696 [{blacklist website} Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. CIS Control 9: Safeguard 9.3 Maintain and Enforce Network-Based URL Filters] | System hardening through configuration management | Configuration | |
| Include risk information when communicating critical security updates. CC ID 14948 | System hardening through configuration management | Communicate | |
| Configure virtual networks in accordance with the information security policy. CC ID 13165 [Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. CIS Control 12: Safeguard 12.7 Ensue Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure] | System hardening through configuration management | Configuration | |
| Remove all unnecessary functionality. CC ID 00882 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | System hardening through configuration management | Configuration | |
| Document that all enabled functions support secure configurations. CC ID 11985 | System hardening through configuration management | Establish/Maintain Documentation | |
| Find and eradicate unauthorized world writable files. CC ID 01541 | System hardening through configuration management | Configuration | |
| Strip dangerous/unneeded SUID/SGID system executables. CC ID 01542 | System hardening through configuration management | Configuration | |
| Find and eradicate unauthorized SUID/SGID system executables. CC ID 01543 | System hardening through configuration management | Configuration | |
| Find and eradicate unowned files and unowned directories. CC ID 01544 | System hardening through configuration management | Configuration | |
| Disable logon prompts on serial ports. CC ID 01553 | System hardening through configuration management | Configuration | |
| Disable "nobody" access for Secure RPC. CC ID 01554 | System hardening through configuration management | Configuration | |
| Disable all unnecessary interfaces. CC ID 04826 | System hardening through configuration management | Configuration | |
| Enable or disable all unused USB ports as appropriate. CC ID 06042 | System hardening through configuration management | Configuration | |
| Disable all user-mounted removable file systems. CC ID 01536 | System hardening through configuration management | Configuration | |
| Set the Bluetooth Security Mode to the organizational standard. CC ID 00587 | System hardening through configuration management | Configuration | |
| Secure the Bluetooth headset connections. CC ID 00593 | System hardening through configuration management | Configuration | |
| Disable automatic dial-in access to computers that have installed modems. CC ID 02036 | System hardening through configuration management | Configuration | |
| Configure the "Turn off AutoPlay" setting. CC ID 01787 | System hardening through configuration management | Configuration | |
| Configure the "Devices: Restrict floppy access to locally logged on users only" setting. CC ID 01732 | System hardening through configuration management | Configuration | |
| Configure the "Devices: Restrict CD-ROM access to locally logged on users" setting. CC ID 01731 | System hardening through configuration management | Configuration | |
| Configure the "Remove CD Burning features" setting. CC ID 04379 | System hardening through configuration management | Configuration | |
| Disable Autorun. CC ID 01790 [Disable autorun and autoplay auto-execute functionality for removable media. CIS Control 10: Safeguard 10.3 Disable Autorun and Autoplay for Removable Media] | System hardening through configuration management | Configuration | |
| Disable USB devices (aka hotplugger). CC ID 01545 | System hardening through configuration management | Configuration | |
| Enable or disable all unused auxiliary ports as appropriate. CC ID 06414 | System hardening through configuration management | Configuration | |
| Remove rhosts support unless absolutely necessary. CC ID 01555 | System hardening through configuration management | Configuration | |
| Remove weak authentication services from Pluggable Authentication Modules. CC ID 01556 | System hardening through configuration management | Configuration | |
| Remove the /etc/hosts.equiv file. CC ID 01559 | System hardening through configuration management | Configuration | |
| Create the /etc/ftpd/ftpusers file. CC ID 01560 | System hardening through configuration management | Configuration | |
| Remove the X Wrapper and enable the X Display Manager. CC ID 01564 | System hardening through configuration management | Configuration | |
| Remove empty crontab files and restrict file permissions to the file. CC ID 01571 | System hardening through configuration management | Configuration | |
| Remove all compilers and assemblers from the system. CC ID 01594 | System hardening through configuration management | Configuration | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 [{refrain from authorizing}{refrain from requiring} Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications. CIS Control 9: Safeguard 9.4 Restrict Unnecessary or Unauthorized and Email Client Extensions] | System hardening through configuration management | Configuration | |
| Restrict and control the use of privileged utility programs. CC ID 12030 | System hardening through configuration management | Technical Security | |
| Disable the storing of movies in cache in Apple's QuickTime. CC ID 04489 | System hardening through configuration management | Configuration | |
| Install and enable file sharing utilities, as necessary. CC ID 02174 | System hardening through configuration management | Configuration | |
| Disable boot services unless boot services are absolutely necessary. CC ID 01481 | System hardening through configuration management | Configuration | |
| Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary. CC ID 04279 | System hardening through configuration management | Configuration | |
| Configure the Trivial FTP Daemon service to organizational standards. CC ID 01484 | System hardening through configuration management | Configuration | |
| Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary. CC ID 01487 | System hardening through configuration management | Configuration | |
| Disable web server unless web server is absolutely necessary. CC ID 01490 | System hardening through configuration management | Configuration | |
| Disable portmapper unless portmapper is absolutely necessary. CC ID 01492 | System hardening through configuration management | Configuration | |
| Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary. CC ID 01498 | System hardening through configuration management | Configuration | |
| Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary. CC ID 01504 | System hardening through configuration management | Configuration | |
| Configure the “xinetd” service to organizational standards. CC ID 01509 | System hardening through configuration management | Configuration | |
| Configure the /etc/xinetd.conf file permissions as appropriate. CC ID 01568 | System hardening through configuration management | Configuration | |
| Disable inetd unless inetd is absolutely necessary. CC ID 01508 | System hardening through configuration management | Configuration | |
| Disable Network Computing System unless it is absolutely necessary. CC ID 01497 | System hardening through configuration management | Configuration | |
| Disable print server for macintosh unless print server for macintosh is absolutely necessary. CC ID 04284 | System hardening through configuration management | Configuration | |
| Disable Print Server unless Print Server is absolutely necessary. CC ID 01488 | System hardening through configuration management | Configuration | |
| Disable ruser/remote login/remote shell/rcp command, unless it is absolutely necessary. CC ID 01480 | System hardening through configuration management | Configuration | |
| Disable xfsmd unless xfsmd is absolutely necessary. CC ID 02179 | System hardening through configuration management | Configuration | |
| Disable RPC-based services unless RPC-based services are absolutely necessary. CC ID 01455 | System hardening through configuration management | Configuration | |
| Disable netfs script unless netfs script is absolutely necessary. CC ID 01495 | System hardening through configuration management | Configuration | |
| Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions. CC ID 01456 | System hardening through configuration management | Configuration | |
| Configure the "RPC Endpoint Mapper Client Authentication" setting. CC ID 04327 | System hardening through configuration management | Configuration | |
| Disable ncpfs Script unless ncpfs Script is absolutely necessary. CC ID 01494 | System hardening through configuration management | Configuration | |
| Disable sendmail server unless sendmail server is absolutely necessary. CC ID 01511 | System hardening through configuration management | Configuration | |
| Disable postfix unless postfix is absolutely necessary. CC ID 01512 | System hardening through configuration management | Configuration | |
| Disable directory server unless directory server is absolutely necessary. CC ID 01464 | System hardening through configuration management | Configuration | |
| Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary. CC ID 01471 | System hardening through configuration management | Configuration | |
| Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary. CC ID 01470 | System hardening through configuration management | Configuration | |
| Configure the “Network File System” server to organizational standards CC ID 01472 | System hardening through configuration management | Configuration | |
| Configure NFS to respond or not as appropriate to NFS client requests that do not include a User ID. CC ID 05981 | System hardening through configuration management | Configuration | |
| Configure NFS with appropriate authentication methods. CC ID 05982 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_DES authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08971 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_KERB authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08972 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_NONE authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08973 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_UNIX authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08974 | System hardening through configuration management | Configuration | |
| Disable webmin processes unless the webmin process is absolutely necessary. CC ID 01501 | System hardening through configuration management | Configuration | |
| Disable automount daemon unless automount daemon is absolutely necessary. CC ID 01476 | System hardening through configuration management | Configuration | |
| Disable CDE-related daemons unless CDE-related daemons are absolutely necessary. CC ID 01474 | System hardening through configuration management | Configuration | |
| Disable finger unless finger is absolutely necessary. CC ID 01505 | System hardening through configuration management | Configuration | |
| Disable Rexec unless Rexec is absolutely necessary. CC ID 02164 | System hardening through configuration management | Configuration | |
| Disable Squid cache server unless Squid cache server is absolutely necessary. CC ID 01502 | System hardening through configuration management | Configuration | |
| Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary. CC ID 01503 | System hardening through configuration management | Configuration | |
| Install and enable public Instant Messaging clients as necessary. CC ID 02173 | System hardening through configuration management | Configuration | |
| Disable x font server unless x font server is absolutely necessary. CC ID 01499 | System hardening through configuration management | Configuration | |
| Validate, approve, and document all UNIX shells prior to use. CC ID 02161 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disable NFS client processes unless NFS client processes are absolutely necessary. CC ID 01475 | System hardening through configuration management | Configuration | |
| Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681 | System hardening through configuration management | Data and Information Management | |
| Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 | System hardening through configuration management | Configuration | |
| Disable GSS daemon unless GSS daemon is absolutely necessary. CC ID 01465 | System hardening through configuration management | Configuration | |
| Disable Computer Browser unless Computer Browser is absolutely necessary. CC ID 01814 | System hardening through configuration management | Configuration | |
| Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | System hardening through configuration management | Configuration | |
| Configure the /etc/samba/smb.conf file file permissions as appropriate. CC ID 05989 | System hardening through configuration management | Configuration | |
| Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary. CC ID 01821 | System hardening through configuration management | Configuration | |
| Disable web directory browsing on all web-enabled devices. CC ID 01874 | System hardening through configuration management | Configuration | |
| Disable WWW publishing services unless WWW publishing services are absolutely necessary. CC ID 01833 | System hardening through configuration management | Configuration | |
| Install and enable samba, as necessary. CC ID 02175 | System hardening through configuration management | Configuration | |
| Configure the samba hosts allow option with an appropriate set of networks. CC ID 05985 | System hardening through configuration management | Configuration | |
| Configure the samba security option option as appropriate. CC ID 05986 | System hardening through configuration management | Configuration | |
| Configure the samba encrypt passwords option as appropriate. CC ID 05987 | System hardening through configuration management | Configuration | |
| Configure the Samba 'smb passwd file' option with an appropriate password file or no password file. CC ID 05988 | System hardening through configuration management | Configuration | |
| Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary. CC ID 02176 | System hardening through configuration management | Configuration | |
| Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary. CC ID 02172 | System hardening through configuration management | Configuration | |
| Disable volume manager unless volume manager is absolutely necessary. CC ID 01469 | System hardening through configuration management | Configuration | |
| Disable Solaris Management Console unless Solaris Management Console is absolutely necessary. CC ID 01468 | System hardening through configuration management | Configuration | |
| Disable the Graphical User Interface unless it is absolutely necessary. CC ID 01466 | System hardening through configuration management | Configuration | |
| Disable help and support unless help and support is absolutely necessary. CC ID 04280 | System hardening through configuration management | Configuration | |
| Disable speech recognition unless speech recognition is absolutely necessary. CC ID 04491 | System hardening through configuration management | Configuration | |
| Disable or secure the NetWare QuickFinder search engine. CC ID 04453 | System hardening through configuration management | Configuration | |
| Disable messenger unless messenger is absolutely necessary. CC ID 01819 | System hardening through configuration management | Configuration | |
| Configure the "Do not allow Windows Messenger to be run" setting. CC ID 04516 | System hardening through configuration management | Configuration | |
| Configure the "Do not automatically start Windows Messenger initially" setting. CC ID 04517 | System hardening through configuration management | Configuration | |
| Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" setting. CC ID 04330 | System hardening through configuration management | Configuration | |
| Disable automatic updates unless automatic updates are absolutely necessary. CC ID 01811 | System hardening through configuration management | Configuration | |
| Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards. CC ID 05979 | System hardening through configuration management | Configuration | |
| Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary. CC ID 04846 | System hardening through configuration management | Configuration | |
| Prohibit R-command files from existing for root or administrator. CC ID 16322 | System hardening through configuration management | Configuration | |
| Verify the /bin/rsh file exists or not, as appropriate. CC ID 05101 | System hardening through configuration management | Configuration | |
| Verify the /sbin/rsh file exists or not, as appropriate. CC ID 05102 | System hardening through configuration management | Configuration | |
| Verify the /usr/bin/rsh file exists or not, as appropriate. CC ID 05103 | System hardening through configuration management | Configuration | |
| Verify the /etc/ftpusers file exists or not, as appropriate. CC ID 05104 | System hardening through configuration management | Configuration | |
| Verify the /etc/rsh file exists or not, as appropriate. CC ID 05105 | System hardening through configuration management | Configuration | |
| Install or uninstall the AIDE package, as appropriate. CC ID 05106 | System hardening through configuration management | Configuration | |
| Enable the GNOME automounter (gnome-volume-manager) as necessary. CC ID 05107 | System hardening through configuration management | Configuration | |
| Install or uninstall the setroubleshoot package, as appropriate. CC ID 05108 | System hardening through configuration management | Configuration | |
| Configure Avahi properly. CC ID 05109 | System hardening through configuration management | Configuration | |
| Install or uninstall OpenNTPD, as appropriate. CC ID 05110 | System hardening through configuration management | Configuration | |
| Configure the "httpd" service to organizational standards. CC ID 05111 | System hardening through configuration management | Configuration | |
| Install or uninstall the net-smtp package properly. CC ID 05112 | System hardening through configuration management | Configuration | |
| Configure the apache web service properly. CC ID 05113 | System hardening through configuration management | Configuration | |
| Configure the vlock package properly. CC ID 05114 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain service accounts. CC ID 13861 | System hardening through configuration management | Technical Security | |
| Manage access credentials for service accounts. CC ID 13862 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management] | System hardening through configuration management | Technical Security | |
| Configure the daemon account properly. CC ID 05115 | System hardening through configuration management | Configuration | |
| Configure the bin account properly. CC ID 05116 | System hardening through configuration management | Configuration | |
| Configure the nuucp account properly. CC ID 05117 | System hardening through configuration management | Configuration | |
| Configure the smmsp account properly. CC ID 05118 | System hardening through configuration management | Configuration | |
| Configure the listen account properly. CC ID 05119 | System hardening through configuration management | Configuration | |
| Configure the gdm account properly. CC ID 05120 | System hardening through configuration management | Configuration | |
| Configure the webservd account properly. CC ID 05121 | System hardening through configuration management | Configuration | |
| Configure the nobody account properly. CC ID 05122 | System hardening through configuration management | Configuration | |
| Configure the noaccess account properly. CC ID 05123 | System hardening through configuration management | Configuration | |
| Configure the nobody4 account properly. CC ID 05124 | System hardening through configuration management | Configuration | |
| Configure the sys account properly. CC ID 05125 | System hardening through configuration management | Configuration | |
| Configure the adm account properly. CC ID 05126 | System hardening through configuration management | Configuration | |
| Configure the lp account properly. CC ID 05127 | System hardening through configuration management | Configuration | |
| Configure the uucp account properly. CC ID 05128 | System hardening through configuration management | Configuration | |
| Install or uninstall the tftp-server package, as appropriate. CC ID 05130 | System hardening through configuration management | Configuration | |
| Enable the web console as necessary. CC ID 05131 | System hardening through configuration management | Configuration | |
| Enable rlogin auth by Pluggable Authentication Modules or pam.d properly. CC ID 05132 | System hardening through configuration management | Configuration | |
| Enable rsh auth by Pluggable Authentication Modules properly. CC ID 05133 | System hardening through configuration management | Configuration | |
| Enable the listening sendmail daemon, as appropriate. CC ID 05134 | System hardening through configuration management | Configuration | |
| Configure Squid properly. CC ID 05135 | System hardening through configuration management | Configuration | |
| Configure the "global Package signature checking" setting to organizational standards. CC ID 08735 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "Package signature checking" setting for "all configured repositories" to organizational standards. CC ID 08736 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "verify against the package database" setting for "all installed software packages" to organizational standards. CC ID 08737 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "isdn4k-utils" package to organizational standards. CC ID 08738 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "postfix" package to organizational standards. CC ID 08739 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "vsftpd" package to organizational standards. CC ID 08740 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "net-snmpd" package to organizational standards. CC ID 08741 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "rsyslog" package to organizational standards. CC ID 08742 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "ipsec-tools" package to organizational standards. CC ID 08743 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "pam_ccreds" package to organizational standards. CC ID 08744 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "talk-server" package to organizational standards. CC ID 08745 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "talk" package to organizational standards. CC ID 08746 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "irda-utils" package to organizational standards. CC ID 08747 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "/etc/shells" file to organizational standards. CC ID 08978 | System hardening through configuration management | Configuration | |
| Configure the LDAP package to organizational standards. CC ID 09937 | System hardening through configuration management | Configuration | |
| Configure the "FTP server" package to organizational standards. CC ID 09938 | System hardening through configuration management | Configuration | |
| Configure the "HTTP Proxy Server" package to organizational standards. CC ID 09939 | System hardening through configuration management | Configuration | |
| Configure the "prelink" package to organizational standards. CC ID 11379 | System hardening through configuration management | Configuration | |
| Configure the Network Information Service (NIS) package to organizational standards. CC ID 11380 | System hardening through configuration management | Configuration | |
| Configure the "time" setting to organizational standards. CC ID 11381 | System hardening through configuration management | Configuration | |
| Configure the "biosdevname" package to organizational standards. CC ID 11383 | System hardening through configuration management | Configuration | |
| Configure the "ufw" setting to organizational standards. CC ID 11384 | System hardening through configuration management | Configuration | |
| Configure the "Devices: Allow undock without having to log on" setting. CC ID 01728 | System hardening through configuration management | Configuration | |
| Limit the user roles that are allowed to format and eject removable storage media. CC ID 01729 | System hardening through configuration management | Configuration | |
| Prevent users from installing printer drivers. CC ID 01730 | System hardening through configuration management | Configuration | |
| Minimize the inetd.conf file and set the file to the appropriate permissions. CC ID 01506 | System hardening through configuration management | Configuration | |
| Configure the unsigned driver installation behavior. CC ID 01733 | System hardening through configuration management | Configuration | |
| Configure the unsigned non-driver installation behavior. CC ID 02038 | System hardening through configuration management | Configuration | |
| Remove all demonstration applications on the system. CC ID 01875 | System hardening through configuration management | Configuration | |
| Configure the system to disallow optional Subsystems. CC ID 04265 | System hardening through configuration management | Configuration | |
| Configure the "Remove Security tab" setting. CC ID 04380 | System hardening through configuration management | Configuration | |
| Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 [Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. CIS Control 4: Safeguard 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software {insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software] | System hardening through configuration management | Configuration | |
| Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 | System hardening through configuration management | Configuration | |
| Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 | System hardening through configuration management | Configuration | |
| Disable telnet unless telnet use is absolutely necessary. CC ID 01478 | System hardening through configuration management | Configuration | |
| Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 | System hardening through configuration management | Configuration | |
| Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | System hardening through configuration management | Configuration | |
| Disable anonymous access to File Transfer Protocol. CC ID 06739 | System hardening through configuration management | Configuration | |
| Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 | System hardening through configuration management | Configuration | |
| Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 | System hardening through configuration management | Configuration | |
| Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 | System hardening through configuration management | Configuration | |
| Disable alerter unless alerter use is absolutely necessary. CC ID 01810 | System hardening through configuration management | Configuration | |
| Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 | System hardening through configuration management | Configuration | |
| Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 | System hardening through configuration management | Configuration | |
| Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 | System hardening through configuration management | Configuration | |
| Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 | System hardening through configuration management | Configuration | |
| Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 | System hardening through configuration management | Configuration | |
| Disable net logon unless net logon use is absolutely necessary. CC ID 01820 | System hardening through configuration management | Configuration | |
| Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 | System hardening through configuration management | Configuration | |
| Disable the "Offer Remote Assistance" setting. CC ID 04325 | System hardening through configuration management | Configuration | |
| Disable the "Solicited Remote Assistance" setting. CC ID 04326 | System hardening through configuration management | Configuration | |
| Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 | System hardening through configuration management | Configuration | |
| Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 | System hardening through configuration management | Configuration | |
| Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 | System hardening through configuration management | Configuration | |
| Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 | System hardening through configuration management | Configuration | |
| Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 | System hardening through configuration management | Configuration | |
| Disable File Service Protocol. CC ID 02167 | System hardening through configuration management | Configuration | |
| Disable the License Logging Service unless unless it is absolutely necessary. CC ID 04282 | System hardening through configuration management | Configuration | |
| Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 | System hardening through configuration management | Configuration | |
| Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 | System hardening through configuration management | Configuration | |
| Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 | System hardening through configuration management | Configuration | |
| Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 | System hardening through configuration management | Configuration | |
| Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 | System hardening through configuration management | Configuration | |
| Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 | System hardening through configuration management | Configuration | |
| Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 | System hardening through configuration management | Configuration | |
| Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 | System hardening through configuration management | Configuration | |
| Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 | System hardening through configuration management | Configuration | |
| Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 | System hardening through configuration management | Configuration | |
| Disable SSDP/UPnp unless SSDP/UPnP is absolutely necessary. CC ID 04315 | System hardening through configuration management | Configuration | |
| Configure the "ntpd service" setting to organizational standards. CC ID 04911 | System hardening through configuration management | Configuration | |
| Configure the "echo service" setting to organizational standards. CC ID 04912 | System hardening through configuration management | Configuration | |
| Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 | System hardening through configuration management | Configuration | |
| Configure the "echo-stream service" setting to organizational standards. CC ID 09928 | System hardening through configuration management | Configuration | |
| Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 | System hardening through configuration management | Configuration | |
| Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 | System hardening through configuration management | Configuration | |
| Configure the "netstat service" setting to organizational standards. CC ID 04913 | System hardening through configuration management | Configuration | |
| Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 | System hardening through configuration management | Configuration | |
| Configure the "tftpd service" setting to organizational standards. CC ID 04915 | System hardening through configuration management | Configuration | |
| Configure the "walld service" setting to organizational standards. CC ID 04916 | System hardening through configuration management | Configuration | |
| Configure the "rstatd service" setting to organizational standards. CC ID 04917 | System hardening through configuration management | Configuration | |
| Configure the "sprayd service" setting to organizational standards. CC ID 04918 | System hardening through configuration management | Configuration | |
| Configure the "rusersd service" setting to organizational standards. CC ID 04919 | System hardening through configuration management | Configuration | |
| Configure the "inn service" setting to organizational standards. CC ID 04920 | System hardening through configuration management | Configuration | |
| Configure the "font service" setting to organizational standards. CC ID 04921 | System hardening through configuration management | Configuration | |
| Configure the "ident service" setting to organizational standards. CC ID 04922 | System hardening through configuration management | Configuration | |
| Configure the "rexd service" setting to organizational standards. CC ID 04923 | System hardening through configuration management | Configuration | |
| Configure the "daytime service" setting to organizational standards. CC ID 04924 | System hardening through configuration management | Configuration | |
| Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 | System hardening through configuration management | Configuration | |
| Configure the "cmsd service" setting to organizational standards. CC ID 04926 | System hardening through configuration management | Configuration | |
| Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 | System hardening through configuration management | Configuration | |
| Configure the "discard service" setting to organizational standards. CC ID 04928 | System hardening through configuration management | Configuration | |
| Configure the "vino-server service" setting to organizational standards. CC ID 04929 | System hardening through configuration management | Configuration | |
| Configure the "bind service" setting to organizational standards. CC ID 04930 | System hardening through configuration management | Configuration | |
| Configure the "nfsd service" setting to organizational standards. CC ID 04931 | System hardening through configuration management | Configuration | |
| Configure the "mountd service" setting to organizational standards. CC ID 04932 | System hardening through configuration management | Configuration | |
| Configure the "statd service" setting to organizational standards. CC ID 04933 | System hardening through configuration management | Configuration | |
| Configure the "lockd service" setting to organizational standards. CC ID 04934 | System hardening through configuration management | Configuration | |
| Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 | System hardening through configuration management | Configuration | |
| Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 | System hardening through configuration management | Configuration | |
| Configure the sendmail vrfy command, as appropriate. CC ID 04936 | System hardening through configuration management | Configuration | |
| Configure the sendmail expn command, as appropriate. CC ID 04937 | System hardening through configuration management | Configuration | |
| Configure .netrc with an appropriate set of services. CC ID 04938 | System hardening through configuration management | Configuration | |
| Enable NFS insecure locks as necessary. CC ID 04939 | System hardening through configuration management | Configuration | |
| Configure the "X server ac" setting to organizational standards. CC ID 04940 | System hardening through configuration management | Configuration | |
| Configure the "X server core" setting to organizational standards. CC ID 04941 | System hardening through configuration management | Configuration | |
| Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 | System hardening through configuration management | Configuration | |
| Configure the "X server nolock" setting to organizational standards. CC ID 04942 | System hardening through configuration management | Configuration | |
| Enable or disable the mcstrans service, as appropriate. CC ID 05541 | System hardening through configuration management | Configuration | |
| Configure the "PAM console" setting to organizational standards. CC ID 04943 | System hardening through configuration management | Configuration | |
| Enable or disable the restorecond service, as appropriate. CC ID 05542 | System hardening through configuration management | Configuration | |
| Enable the rhnsd service as necessary. CC ID 04944 | System hardening through configuration management | Configuration | |
| Enable the yum-updatesd service as necessary. CC ID 04945 | System hardening through configuration management | Configuration | |
| Enable the autofs service as necessary. CC ID 04946 | System hardening through configuration management | Configuration | |
| Enable the ip6tables service as necessary. CC ID 04947 | System hardening through configuration management | Configuration | |
| Configure syslog to organizational standards. CC ID 04949 | System hardening through configuration management | Configuration | |
| Enable the auditd service as necessary. CC ID 04950 | System hardening through configuration management | Configuration | |
| Enable the logwatch service as necessary. CC ID 04951 | System hardening through configuration management | Configuration | |
| Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 | System hardening through configuration management | Configuration | |
| Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 | System hardening through configuration management | Configuration | |
| Enable the ypbind service as necessary. CC ID 04954 | System hardening through configuration management | Configuration | |
| Enable the ypserv service as necessary. CC ID 04955 | System hardening through configuration management | Configuration | |
| Enable the firstboot service as necessary. CC ID 04956 | System hardening through configuration management | Configuration | |
| Enable the gpm service as necessary. CC ID 04957 | System hardening through configuration management | Configuration | |
| Enable the irqbalance service as necessary. CC ID 04958 | System hardening through configuration management | Configuration | |
| Enable the isdn service as necessary. CC ID 04959 | System hardening through configuration management | Configuration | |
| Enable the kdump service as necessary. CC ID 04960 | System hardening through configuration management | Configuration | |
| Enable the mdmonitor service as necessary. CC ID 04961 | System hardening through configuration management | Configuration | |
| Enable the microcode_ctl service as necessary. CC ID 04962 | System hardening through configuration management | Configuration | |
| Enable the pcscd service as necessary. CC ID 04963 | System hardening through configuration management | Configuration | |
| Enable the smartd service as necessary. CC ID 04964 | System hardening through configuration management | Configuration | |
| Enable the readahead_early service as necessary. CC ID 04965 | System hardening through configuration management | Configuration | |
| Enable the readahead_later service as necessary. CC ID 04966 | System hardening through configuration management | Configuration | |
| Enable the messagebus service as necessary. CC ID 04967 | System hardening through configuration management | Configuration | |
| Enable the haldaemon service as necessary. CC ID 04968 | System hardening through configuration management | Configuration | |
| Enable the apmd service as necessary. CC ID 04969 | System hardening through configuration management | Configuration | |
| Enable the acpid service as necessary. CC ID 04970 | System hardening through configuration management | Configuration | |
| Enable the cpuspeed service as necessary. CC ID 04971 | System hardening through configuration management | Configuration | |
| Enable the network service as necessary. CC ID 04972 | System hardening through configuration management | Configuration | |
| Enable the hidd service as necessary. CC ID 04973 | System hardening through configuration management | Configuration | |
| Enable the crond service as necessary. CC ID 04974 | System hardening through configuration management | Configuration | |
| Install and enable the anacron service as necessary. CC ID 04975 | System hardening through configuration management | Configuration | |
| Enable the xfs service as necessary. CC ID 04976 | System hardening through configuration management | Configuration | |
| Install and enable the Avahi daemon service, as necessary. CC ID 04977 | System hardening through configuration management | Configuration | |
| Enable the CUPS service, as necessary. CC ID 04978 | System hardening through configuration management | Configuration | |
| Enable the hplip service as necessary. CC ID 04979 | System hardening through configuration management | Configuration | |
| Enable the dhcpd service as necessary. CC ID 04980 | System hardening through configuration management | Configuration | |
| Enable the nfslock service as necessary. CC ID 04981 | System hardening through configuration management | Configuration | |
| Enable the rpcgssd service as necessary. CC ID 04982 | System hardening through configuration management | Configuration | |
| Enable the rpcidmapd service as necessary. CC ID 04983 | System hardening through configuration management | Configuration | |
| Enable the rpcsvcgssd service as necessary. CC ID 04985 | System hardening through configuration management | Configuration | |
| Configure root squashing for all NFS shares, as appropriate. CC ID 04986 | System hardening through configuration management | Configuration | |
| Configure write access to NFS shares, as appropriate. CC ID 04987 | System hardening through configuration management | Configuration | |
| Configure the named service, as appropriate. CC ID 04988 | System hardening through configuration management | Configuration | |
| Configure the vsftpd service, as appropriate. CC ID 04989 | System hardening through configuration management | Configuration | |
| Configure the “dovecot” service to organizational standards. CC ID 04990 | System hardening through configuration management | Configuration | |
| Configure Server Message Block (SMB) to organizational standards. CC ID 04991 | System hardening through configuration management | Configuration | |
| Enable the snmpd service as necessary. CC ID 04992 | System hardening through configuration management | Configuration | |
| Enable the calendar manager as necessary. CC ID 04993 | System hardening through configuration management | Configuration | |
| Enable the GNOME logon service as necessary. CC ID 04994 | System hardening through configuration management | Configuration | |
| Enable the WBEM services as necessary. CC ID 04995 | System hardening through configuration management | Configuration | |
| Enable the keyserv service as necessary. CC ID 04996 | System hardening through configuration management | Configuration | |
| Enable the Generic Security Service daemon as necessary. CC ID 04997 | System hardening through configuration management | Configuration | |
| Enable the volfs service as necessary. CC ID 04998 | System hardening through configuration management | Configuration | |
| Enable the smserver service as necessary. CC ID 04999 | System hardening through configuration management | Configuration | |
| Enable the mpxio-upgrade service as necessary. CC ID 05000 | System hardening through configuration management | Configuration | |
| Enable the metainit service as necessary. CC ID 05001 | System hardening through configuration management | Configuration | |
| Enable the meta service as necessary. CC ID 05003 | System hardening through configuration management | Configuration | |
| Enable the metaed service as necessary. CC ID 05004 | System hardening through configuration management | Configuration | |
| Enable the metamh service as necessary. CC ID 05005 | System hardening through configuration management | Configuration | |
| Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 | System hardening through configuration management | Configuration | |
| Enable the Kerberos kadmind service as necessary. CC ID 05007 | System hardening through configuration management | Configuration | |
| Enable the Kerberos krb5kdc service as necessary. CC ID 05008 | System hardening through configuration management | Configuration | |
| Enable the Kerberos kpropd service as necessary. CC ID 05009 | System hardening through configuration management | Configuration | |
| Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 | System hardening through configuration management | Configuration | |
| Enable the sadmin service as necessary. CC ID 05011 | System hardening through configuration management | Configuration | |
| Enable the IPP listener as necessary. CC ID 05012 | System hardening through configuration management | Configuration | |
| Enable the serial port listener as necessary. CC ID 05013 | System hardening through configuration management | Configuration | |
| Enable the Smart Card Helper service as necessary. CC ID 05014 | System hardening through configuration management | Configuration | |
| Enable the Application Management service as necessary. CC ID 05015 | System hardening through configuration management | Configuration | |
| Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | System hardening through configuration management | Configuration | |
| Enable the Network News Transport Protocol service as necessary. CC ID 05017 | System hardening through configuration management | Configuration | |
| Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 | System hardening through configuration management | Configuration | |
| Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | System hardening through configuration management | Configuration | |
| Enable the RARP service as necessary. CC ID 05020 | System hardening through configuration management | Configuration | |
| Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 | System hardening through configuration management | Configuration | |
| Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 | System hardening through configuration management | Configuration | |
| Enable the Certificate Services service as necessary. CC ID 05023 | System hardening through configuration management | Configuration | |
| Configure the ATI hotkey poller service properly. CC ID 05024 | System hardening through configuration management | Configuration | |
| Configure the Interix Subsystem Startup service properly. CC ID 05025 | System hardening through configuration management | Configuration | |
| Configure the Cluster Service service properly. CC ID 05026 | System hardening through configuration management | Configuration | |
| Configure the IAS Jet Database Access service properly. CC ID 05027 | System hardening through configuration management | Configuration | |
| Configure the IAS service properly. CC ID 05028 | System hardening through configuration management | Configuration | |
| Configure the IP Version 6 Helper service properly. CC ID 05029 | System hardening through configuration management | Configuration | |
| Configure "Message Queuing service" to organizational standards. CC ID 05030 | System hardening through configuration management | Configuration | |
| Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | System hardening through configuration management | Configuration | |
| Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | System hardening through configuration management | Configuration | |
| Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 | System hardening through configuration management | Configuration | |
| Configure the Utility Manager service properly. CC ID 05035 | System hardening through configuration management | Configuration | |
| Configure the secondary logon service properly. CC ID 05036 | System hardening through configuration management | Configuration | |
| Configure the Windows Management Instrumentation service properly. CC ID 05037 | System hardening through configuration management | Configuration | |
| Configure the Workstation service properly. CC ID 05038 | System hardening through configuration management | Configuration | |
| Configure the Windows Installer service properly. CC ID 05039 | System hardening through configuration management | Configuration | |
| Configure the Windows System Resource Manager service properly. CC ID 05040 | System hardening through configuration management | Configuration | |
| Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Client for NFS service properly. CC ID 05042 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Perl Socket service properly. CC ID 05044 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Windows Cron service properly. CC ID 05046 | System hardening through configuration management | Configuration | |
| Configure the Windows Media Services service properly. CC ID 05047 | System hardening through configuration management | Configuration | |
| Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 | System hardening through configuration management | Configuration | |
| Configure the Web Element Manager service properly. CC ID 05049 | System hardening through configuration management | Configuration | |
| Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 | System hardening through configuration management | Configuration | |
| Configure the Terminal Services Licensing service properly. CC ID 05051 | System hardening through configuration management | Configuration | |
| Configure the COM+ Event System service properly. CC ID 05052 | System hardening through configuration management | Configuration | |
| Configure the Event Log service properly. CC ID 05053 | System hardening through configuration management | Configuration | |
| Configure the Infrared Monitor service properly. CC ID 05054 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Server for NFS service properly. CC ID 05055 | System hardening through configuration management | Configuration | |
| Configure the System Event Notification Service properly. CC ID 05056 | System hardening through configuration management | Configuration | |
| Configure the NTLM Security Support Provider service properly. CC ID 05057 | System hardening through configuration management | Configuration | |
| Configure the Performance Logs and Alerts service properly. CC ID 05058 | System hardening through configuration management | Configuration | |
| Configure the Protected Storage service properly. CC ID 05059 | System hardening through configuration management | Configuration | |
| Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | System hardening through configuration management | Configuration | |
| Configure the Remote Procedure Call service properly. CC ID 05061 | System hardening through configuration management | Configuration | |
| Configure the Removable Storage service properly. CC ID 05062 | System hardening through configuration management | Configuration | |
| Configure the Server service properly. CC ID 05063 | System hardening through configuration management | Configuration | |
| Configure the Security Accounts Manager service properly. CC ID 05064 | System hardening through configuration management | Configuration | |
| Configure the “Network Connections” service to organizational standards. CC ID 05065 | System hardening through configuration management | Configuration | |
| Configure the Logical Disk Manager service properly. CC ID 05066 | System hardening through configuration management | Configuration | |
| Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | System hardening through configuration management | Configuration | |
| Configure the File Replication service properly. CC ID 05068 | System hardening through configuration management | Configuration | |
| Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | System hardening through configuration management | Configuration | |
| Configure the Intersite Messaging service properly. CC ID 05070 | System hardening through configuration management | Configuration | |
| Configure the Remote Procedure Call locator service properly. CC ID 05071 | System hardening through configuration management | Configuration | |
| Configure the Distributed File System service properly. CC ID 05072 | System hardening through configuration management | Configuration | |
| Configure the Windows Internet Name Service service properly. CC ID 05073 | System hardening through configuration management | Configuration | |
| Configure the FTP Publishing Service properly. CC ID 05074 | System hardening through configuration management | Configuration | |
| Configure the Windows Search service properly. CC ID 05075 | System hardening through configuration management | Configuration | |
| Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | System hardening through configuration management | Configuration | |
| Configure the Remote Shell service properly. CC ID 05077 | System hardening through configuration management | Configuration | |
| Configure Simple TCP/IP services to organizational standards. CC ID 05078 | System hardening through configuration management | Configuration | |
| Configure the Print Services for Unix service properly. CC ID 05079 | System hardening through configuration management | Configuration | |
| Configure the File Shares service to organizational standards. CC ID 05080 | System hardening through configuration management | Configuration | |
| Configure the NetMeeting service properly. CC ID 05081 | System hardening through configuration management | Configuration | |
| Configure the Application Layer Gateway service properly. CC ID 05082 | System hardening through configuration management | Configuration | |
| Configure the Cryptographic Services service properly. CC ID 05083 | System hardening through configuration management | Configuration | |
| Configure the Help and Support Service properly. CC ID 05084 | System hardening through configuration management | Configuration | |
| Configure the Human Interface Device Access service properly. CC ID 05085 | System hardening through configuration management | Configuration | |
| Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | System hardening through configuration management | Configuration | |
| Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | System hardening through configuration management | Configuration | |
| Configure the Network Location Awareness service properly. CC ID 05088 | System hardening through configuration management | Configuration | |
| Configure the Portable Media Serial Number Service service properly. CC ID 05089 | System hardening through configuration management | Configuration | |
| Configure the System Restore Service service properly. CC ID 05090 | System hardening through configuration management | Configuration | |
| Configure the Themes service properly. CC ID 05091 | System hardening through configuration management | Configuration | |
| Configure the Uninterruptible Power Supply service properly. CC ID 05092 | System hardening through configuration management | Configuration | |
| Configure the Upload Manager service properly. CC ID 05093 | System hardening through configuration management | Configuration | |
| Configure the Volume Shadow Copy Service properly. CC ID 05094 | System hardening through configuration management | Configuration | |
| Configure the WebClient service properly. CC ID 05095 | System hardening through configuration management | Configuration | |
| Configure the Windows Audio service properly. CC ID 05096 | System hardening through configuration management | Configuration | |
| Configure the Windows Image Acquisition service properly. CC ID 05097 | System hardening through configuration management | Configuration | |
| Configure the WMI Performance Adapter service properly. CC ID 05098 | System hardening through configuration management | Configuration | |
| Enable file uploads via vsftpd service, as appropriate. CC ID 05100 | System hardening through configuration management | Configuration | |
| Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 | System hardening through configuration management | Configuration | |
| Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 | System hardening through configuration management | Configuration | |
| Configure the "xdmcp service" setting to organizational standards. CC ID 08985 | System hardening through configuration management | Configuration | |
| Disable the automatic display of remote images in HTML-formatted e-mail. CC ID 04494 | System hardening through configuration management | Configuration | |
| Disable Remote Apply Events unless Remote Apply Events are absolutely necessary. CC ID 04495 | System hardening through configuration management | Configuration | |
| Disable Xgrid unless Xgrid is absolutely necessary. CC ID 04496 | System hardening through configuration management | Configuration | |
| Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly. CC ID 05136 | System hardening through configuration management | Configuration | |
| Disable Core dumps unless absolutely necessary. CC ID 01507 | System hardening through configuration management | Configuration | |
| Set hard core dump size limits, as appropriate. CC ID 05990 | System hardening through configuration management | Configuration | |
| Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly. CC ID 05137 | System hardening through configuration management | Configuration | |
| Set the Squid EUID and Squid GUID to an appropriate user and group. CC ID 05138 | System hardening through configuration management | Configuration | |
| Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate. CC ID 05139 | System hardening through configuration management | Configuration | |
| Use of the cron.allow file should be enabled or disabled as appropriate. CC ID 06014 | System hardening through configuration management | Configuration | |
| Use of the at.allow file should be enabled or disabled as appropriate. CC ID 06015 | System hardening through configuration management | Configuration | |
| Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate. CC ID 06039 | System hardening through configuration management | Configuration | |
| Enable or disable each user's Screen saver software, as necessary. CC ID 06050 | System hardening through configuration management | Configuration | |
| Disable any unnecessary scripting languages, as necessary. CC ID 12137 [{biannual basis} Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. CIS Control 2: Safeguard 2.7 Allowlist Authorized Scripts] | System hardening through configuration management | Configuration | |
| Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | System hardening through configuration management | Configuration | |
| Configure Hypertext Transfer Protocol headers in accordance with organizational standards. CC ID 16851 | System hardening through configuration management | Configuration | |
| Configure Hypertext Transfer Protocol security headers in accordance with organizational standards. CC ID 16488 | System hardening through configuration management | Configuration | |
| Configure "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to organizational standards. CC ID 15385 | System hardening through configuration management | Configuration | |
| Configure Microsoft Attack Surface Reduction rules in accordance with organizational standards. CC ID 16478 | System hardening through configuration management | Configuration | |
| Configure "Remote host allows delegation of non-exportable credentials" to organizational standards. CC ID 15379 | System hardening through configuration management | Configuration | |
| Configure "Configure enhanced anti-spoofing" to organizational standards. CC ID 15376 | System hardening through configuration management | Configuration | |
| Configure "Block user from showing account details on sign-in" to organizational standards. CC ID 15374 | System hardening through configuration management | Configuration | |
| Configure "Configure Attack Surface Reduction rules" to organizational standards. CC ID 15370 | System hardening through configuration management | Configuration | |
| Configure "Turn on e-mail scanning" to organizational standards. CC ID 15361 | System hardening through configuration management | Configuration | |
| Configure "Prevent users and apps from accessing dangerous websites" to organizational standards. CC ID 15359 | System hardening through configuration management | Configuration | |
| Configure "Enumeration policy for external devices incompatible with Kernel DMA Protection" to organizational standards. CC ID 15352 | System hardening through configuration management | Configuration | |
| Configure "Prevent Internet Explorer security prompt for Windows Installer scripts" to organizational standards. CC ID 15351 | System hardening through configuration management | Configuration | |
| Store state information from applications and software separately. CC ID 14767 | System hardening through configuration management | Configuration | |
| Configure the "aufs storage" to organizational standards. CC ID 14461 | System hardening through configuration management | Configuration | |
| Configure the "AppArmor Profile" to organizational standards. CC ID 14496 | System hardening through configuration management | Configuration | |
| Configure the "device" argument to organizational standards. CC ID 14536 | System hardening through configuration management | Configuration | |
| Configure the "Docker" group ownership to organizational standards. CC ID 14495 | System hardening through configuration management | Configuration | |
| Configure the "Docker" user ownership to organizational standards. CC ID 14505 | System hardening through configuration management | Configuration | |
| Configure "Allow upload of User Activities" to organizational standards. CC ID 15338 | System hardening through configuration management | Configuration | |
| Configure the system to restrict Core dumps to a protected directory. CC ID 01513 | System hardening through configuration management | Configuration | |
| Configure the system to enable Stack protection. CC ID 01514 | System hardening through configuration management | Configuration | |
| Configure the system to restrict NFS client requests to privileged ports. CC ID 01515 | System hardening through configuration management | Configuration | |
| Configure the system to use better TCP Sequence Numbers. CC ID 01516 | System hardening through configuration management | Configuration | |
| Configure the system to a default secure level. CC ID 01519 | System hardening through configuration management | Configuration | |
| Configure the system to block users from viewing un-owned processes. CC ID 01520 | System hardening through configuration management | Configuration | |
| Configure the system to block users from viewing processes in other groups. CC ID 01521 | System hardening through configuration management | Configuration | |
| Add the "nosuid" option to /etc/rmmount.conf. CC ID 01532 | System hardening through configuration management | Configuration | |
| Configure the system to block non-privileged mountd requests. CC ID 01533 | System hardening through configuration management | Configuration | |
| Use host-based or Internet Protocol-based export lists for mountd. CC ID 06887 | System hardening through configuration management | Configuration | |
| Add the "nodev" option to the appropriate partitions in /etc/fstab. CC ID 01534 | System hardening through configuration management | Configuration | |
| Add the "nosuid" option and "nodev" option for removable storage media in the /etc/fstab file. CC ID 01535 | System hardening through configuration management | Configuration | |
| Configure the sticky bit on world-writable directories. CC ID 01540 | System hardening through configuration management | Configuration | |
| Verify system files are not world-writable. CC ID 01546 | System hardening through configuration management | Technical Security | |
| Verify backup directories containing patches are not accessible. CC ID 01547 | System hardening through configuration management | Technical Security | |
| Run hp_checkperms. CC ID 01548 | System hardening through configuration management | Configuration | |
| Run fix-modes. CC ID 01549 | System hardening through configuration management | Configuration | |
| Convert the system to "Trusted Mode", if possible. CC ID 01550 | System hardening through configuration management | Configuration | |
| Configure the sadmind service to a higher Security level. CC ID 01551 | System hardening through configuration management | Configuration | |
| Use host-based or Internet Protocol-based export lists for sadmind. CC ID 06886 | System hardening through configuration management | Configuration | |
| Configure all.rhosts files to be readable only by their owners. CC ID 01557 | System hardening through configuration management | Configuration | |
| Set the symlink /etc/hosts.equiv file to /dev/null. CC ID 01558 | System hardening through configuration management | Configuration | |
| Configure the default locking Screen saver timeout to a predetermined time period. CC ID 01570 | System hardening through configuration management | Configuration | |
| Configure the Security Center (Domain PCs only). CC ID 01967 | System hardening through configuration management | Configuration | |
| Configure the system to immediately protect the computer after the Screen saver is activated by setting the time before the Screen saver grace period expires to a predefined amount. CC ID 04276 | System hardening through configuration management | Configuration | |
| Configure the system to require a password before it unlocks the Screen saver software. CC ID 04443 | System hardening through configuration management | Configuration | |
| Enable the safe DLL search mode. CC ID 04273 | System hardening through configuration management | Configuration | |
| Configure the computer to stop generating 8.3 filename formats. CC ID 04274 | System hardening through configuration management | Configuration | |
| Configure the system to use certificate rules for software restriction policies. CC ID 04266 | System hardening through configuration management | Configuration | |
| Configure the "Do not allow drive redirection" setting. CC ID 04316 | System hardening through configuration management | Configuration | |
| Configure the "Turn off the 'Publish to Web' task for files and folders" setting. CC ID 04328 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Internet download for Web publishing and online ordering wizards" setting. CC ID 04329 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Search Companion content file updates" setting. CC ID 04331 | System hardening through configuration management | Configuration | |
| Configure the "Turn off printing over HTTP" setting. CC ID 04332 | System hardening through configuration management | Configuration | |
| Configure the "Turn off downloading of print drivers over HTTP" setting. CC ID 04333 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Update device driver searching" setting. CC ID 04334 | System hardening through configuration management | Configuration | |
| Configure the "Display Error Notification" setting to organizational standards. CC ID 04335 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows error reporting" setting to organizational standards. CC ID 04336 | System hardening through configuration management | Configuration | |
| Configure the "Disable software update shell notifications on program launch" setting. CC ID 04339 | System hardening through configuration management | Configuration | |
| Configure the "Make proxy settings per-machine (rather than per-user)" setting. CC ID 04341 | System hardening through configuration management | Configuration | |
| Configure the "Security Zones: Do not allow users to add/delete sites" setting. CC ID 04342 | System hardening through configuration management | Configuration | |
| Configure the "Security Zones: Do not allow users to change policies" setting. CC ID 04343 | System hardening through configuration management | Configuration | |
| Configure the "Security Zones: Use only machine settings" setting. CC ID 04344 | System hardening through configuration management | Configuration | |
| Configure the "Allow software to run or install even if the signature is invalid" setting. CC ID 04346 | System hardening through configuration management | Configuration | |
| Configure the "internet explorer processes (scripted window security restrictions)" setting. CC ID 04350 | System hardening through configuration management | Configuration | |
| Configure the "internet explorer processes (zone elevation protection)" setting. CC ID 04351 | System hardening through configuration management | Configuration | |
| Configure the "Prevent access to registry editing tools" setting. CC ID 04355 | System hardening through configuration management | Configuration | |
| Configure the "Do not preserve zone information in file attachments" setting. CC ID 04357 | System hardening through configuration management | Configuration | |
| Configure the "Hide mechanisms to remove zone information" setting. CC ID 04358 | System hardening through configuration management | Configuration | |
| Configure the "Notify antivirus programs when opening attachments" setting. CC ID 04359 | System hardening through configuration management | Configuration | |
| Configure the "Configure Outlook Express" setting. CC ID 04360 | System hardening through configuration management | Configuration | |
| Configure the "Disable Changing Automatic Configuration settings" setting. CC ID 04361 | System hardening through configuration management | Configuration | |
| Configure the "Disable changing certificate settings" setting. CC ID 04362 | System hardening through configuration management | Configuration | |
| Configure the "Disable changing connection settings" setting. CC ID 04363 | System hardening through configuration management | Configuration | |
| Configure the "Disable changing proxy settings" setting. CC ID 04364 | System hardening through configuration management | Configuration | |
| Configure the "Turn on the auto-complete feature for user names and passwords on forms" setting. CC ID 04365 | System hardening through configuration management | Configuration | |
| Configure the NetWare bindery contexts. CC ID 04444 | System hardening through configuration management | Configuration | |
| Configure the NetWare console's SECURE.NCF settings. CC ID 04445 | System hardening through configuration management | Configuration | |
| Configure the CPU Hog Timeout setting. CC ID 04446 | System hardening through configuration management | Configuration | |
| Configure the "Check Equivalent to Me" setting. CC ID 04463 | System hardening through configuration management | Configuration | |
| Configure the /etc/sshd_config file. CC ID 04475 | System hardening through configuration management | Configuration | |
| Configure the .Mac preferences. CC ID 04484 | System hardening through configuration management | Configuration | |
| Configure the Fast User Switching setting. CC ID 04485 | System hardening through configuration management | Configuration | |
| Configure the Recent Items List (servers, applications, documents) setting. CC ID 04486 | System hardening through configuration management | Configuration | |
| Configure Apple's Dock preferences. CC ID 04487 | System hardening through configuration management | Configuration | |
| Configure the "ulimit" to organizational standards. CC ID 14499 | System hardening through configuration management | Configuration | |
| Configure the Energy Saver preferences. CC ID 04488 | System hardening through configuration management | Configuration | |
| Configure the local system search preferences to directories that do not contain restricted data or restricted information. CC ID 04492 | System hardening through configuration management | Configuration | |
| Digitally sign and encrypt e-mail, as necessary. CC ID 04493 | System hardening through configuration management | Technical Security | |
| Manage temporary files, as necessary. CC ID 04847 | System hardening through configuration management | Technical Security | |
| Configure the computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender properly. CC ID 05282 | System hardening through configuration management | Configuration | |
| Enable or disable the ability of users to perform interactive startups, as appropriate. CC ID 05283 | System hardening through configuration management | Configuration | |
| Set the /etc/passwd file's NIS file inclusions properly. CC ID 05284 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Help Ratings" setting. CC ID 05285 | System hardening through configuration management | Configuration | |
| Configure the "Decoy Admin Account Not Disabled" policy properly. CC ID 05286 | System hardening through configuration management | Configuration | |
| Configure the "Additional restrictions for anonymous connections" policy properly. CC ID 05287 | System hardening through configuration management | Configuration | |
| Configure the "Anonymous access to the registry" policy properly. CC ID 05288 | System hardening through configuration management | Configuration | |
| Configure the File System Checker and Popups setting. CC ID 05289 | System hardening through configuration management | Configuration | |
| Configure the System File Checker setting. CC ID 05290 | System hardening through configuration management | Configuration | |
| Configure the System File Checker Progress Meter setting. CC ID 05291 | System hardening through configuration management | Configuration | |
| Configure the Protect Kernel object attributes properly. CC ID 05292 | System hardening through configuration management | Configuration | |
| Configure the "Deleted Cached Copies of Roaming Profiles" policy properly. CC ID 05293 | System hardening through configuration management | Configuration | |
| Verify that the X*.hosts file lists all authorized X-clients. CC ID 05294 | System hardening through configuration management | Configuration | |
| Verify all files are owned by an existing account and group. CC ID 05295 | System hardening through configuration management | Configuration | |
| Verify programs executed through the aliases file are owned by an appropriate user or group. CC ID 05296 | System hardening through configuration management | Configuration | |
| Verify programs executed through the aliases file are stored in a directory with an appropriate owner. CC ID 05297 | System hardening through configuration management | Configuration | |
| Verify the at directory is owned by an appropriate user or group. CC ID 05298 | System hardening through configuration management | Configuration | |
| Verify the at.allow file is owned by an appropriate user or group. CC ID 05299 | System hardening through configuration management | Configuration | |
| Verify the at.deny file is owned by an appropriate user or group. CC ID 05300 | System hardening through configuration management | Configuration | |
| Verify the crontab directories are owned by an appropriate user or group. CC ID 05302 | System hardening through configuration management | Configuration | |
| Verify the cron.allow file is owned by an appropriate user or group. CC ID 05303 | System hardening through configuration management | Configuration | |
| Verify the cron.deny file is owned by an appropriate user or group. CC ID 05304 | System hardening through configuration management | Configuration | |
| Verify crontab files are owned by an appropriate user or group. CC ID 05305 | System hardening through configuration management | Configuration | |
| Verify the /etc/resolv.conf file is owned by an appropriate user or group. CC ID 05306 | System hardening through configuration management | Configuration | |
| Verify the /etc/named.boot file is owned by an appropriate user or group. CC ID 05307 | System hardening through configuration management | Configuration | |
| Verify the /etc/named.conf file is owned by an appropriate user or group. CC ID 05308 | System hardening through configuration management | Configuration | |
| Verify the /var/named/chroot/etc/named.conf file is owned by an appropriate user or group. CC ID 05309 | System hardening through configuration management | Configuration | |
| Verify home directories are owned by an appropriate user or group. CC ID 05310 | System hardening through configuration management | Configuration | |
| Verify the inetd.conf file is owned by an appropriate user or group. CC ID 05311 | System hardening through configuration management | Configuration | |
| Verify /etc/exports are owned by an appropriate user or group. CC ID 05312 | System hardening through configuration management | Configuration | |
| Verify exported files and exported directories are owned by an appropriate user or group. CC ID 05313 | System hardening through configuration management | Configuration | |
| Restrict the exporting of files and directories, as necessary. CC ID 16315 | System hardening through configuration management | Technical Security | |
| Verify the /etc/services file is owned by an appropriate user or group. CC ID 05314 | System hardening through configuration management | Configuration | |
| Verify the /etc/notrouter file is owned by an appropriate user or group. CC ID 05315 | System hardening through configuration management | Configuration | |
| Verify the /etc/samba/smb.conf file is owned by an appropriate user or group. CC ID 05316 | System hardening through configuration management | Configuration | |
| Verify the smbpasswd file and smbpasswd executable are owned by an appropriate user or group. CC ID 05317 | System hardening through configuration management | Configuration | |
| Verify the aliases file is owned by an appropriate user or group. CC ID 05318 | System hardening through configuration management | Configuration | |
| Verify the log file configured to capture critical sendmail messages is owned by an appropriate user or group. CC ID 05319 | System hardening through configuration management | Log Management | |
| Verify Shell files are owned by an appropriate user or group. CC ID 05320 | System hardening through configuration management | Configuration | |
| Verify the snmpd.conf file is owned by an appropriate user or group. CC ID 05321 | System hardening through configuration management | Configuration | |
| Verify the /etc/syslog.conf file is owned by an appropriate user or group. CC ID 05322 | System hardening through configuration management | Configuration | |
| Verify the traceroute executable is owned by an appropriate user or group. CC ID 05323 | System hardening through configuration management | Configuration | |
| Verify the /usr/lib/sendmail file is owned by an appropriate user or group. CC ID 05324 | System hardening through configuration management | Technical Security | |
| Verify the /etc/passwd file is owned by an appropriate user or group. CC ID 05325 | System hardening through configuration management | Configuration | |
| Verify the /etc/shadow file is owned by an appropriate user or group. CC ID 05326 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/audit/config file is owned by an appropriate user or group. CC ID 05327 | System hardening through configuration management | Configuration | |
| Verify the /etc/securit/audit/events file is owned by an appropriate user or group. CC ID 05328 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/audit/objects file is owned by an appropriate user or group. CC ID 05329 | System hardening through configuration management | Configuration | |
| Verify the /usr/lib/trcload file is owned by an appropriate user or group. CC ID 05330 | System hardening through configuration management | Configuration | |
| Verify the /usr/lib/semutil file is owned by an appropriate user or group. CC ID 05331 | System hardening through configuration management | Configuration | |
| Verify system files are owned by an appropriate user or group. CC ID 05332 | System hardening through configuration management | Configuration | |
| Verify the default/skeleton dot files are owned by an appropriate user or group. CC ID 05333 | System hardening through configuration management | Configuration | |
| Verify the global initialization files are owned by an appropriate user or group. CC ID 05334 | System hardening through configuration management | Configuration | |
| Verify the /etc/rc.config.d/auditing file is owned by an appropriate user or group. CC ID 05335 | System hardening through configuration management | Configuration | |
| Verify the /etc/init.d file is owned by an appropriate user or group. CC ID 05336 | System hardening through configuration management | Configuration | |
| Verify the /etc/hosts.lpd file is owned by an appropriate user or group. CC ID 05337 | System hardening through configuration management | Configuration | |
| Verify the /etc/auto.master file is owned by an appropriate user or group. CC ID 05338 | System hardening through configuration management | Configuration | |
| Verify the /etc/auto.misc file is owned by an appropriate user or group. CC ID 05339 | System hardening through configuration management | Configuration | |
| Verify the /etc/auto.net file is owned by an appropriate user or group. CC ID 05340 | System hardening through configuration management | Configuration | |
| Verify the boot/grub/grub.conf file is owned by an appropriate user or group. CC ID 05341 | System hardening through configuration management | Configuration | |
| Verify the /etc/lilo.conf file is owned by an appropriate user or group. CC ID 05342 | System hardening through configuration management | Configuration | |
| Verify the /etc/login.access file is owned by an appropriate user or group. CC ID 05343 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/access.conf file is owned by an appropriate user or group. CC ID 05344 | System hardening through configuration management | Configuration | |
| Verify the /etc/sysctl.conf file is owned by an appropriate user or group. CC ID 05345 | System hardening through configuration management | Configuration | |
| Configure the "secure_redirects" setting to organizational standards. CC ID 09941 | System hardening through configuration management | Configuration | |
| Configure the "icmp_ignore_bogus_error_responses" setting to organizational standards. CC ID 09942 | System hardening through configuration management | Configuration | |
| Configure the "rp_filter" setting to organizational standards. CC ID 09943 | System hardening through configuration management | Configuration | |
| Verify the /etc/securetty file is owned by an appropriate user or group. CC ID 05346 | System hardening through configuration management | Configuration | |
| Verify the /etc/audit/auditd.conf file is owned by an appropriate user or group. CC ID 05347 | System hardening through configuration management | Configuration | |
| Verify the audit.rules file is owned by an appropriate user or group. CC ID 05348 | System hardening through configuration management | Configuration | |
| Verify the /etc/group file is owned by an appropriate user or group. CC ID 05349 | System hardening through configuration management | Configuration | |
| Verify the /etc/gshadow file is owned by an appropriate user or group. CC ID 05350 | System hardening through configuration management | Configuration | |
| Verify the /usr/sbin/userhelper file is owned by an appropriate user or group. CC ID 05351 | System hardening through configuration management | Configuration | |
| Verify all syslog log files are owned by an appropriate user or group. CC ID 05352 | System hardening through configuration management | Configuration | |
| Verify the /etc/anacrontab file is owned by an appropriate user or group. CC ID 05353 | System hardening through configuration management | Configuration | |
| Verify the /etc/pki/tls/ldap file is owned by an appropriate user or group. CC ID 05354 | System hardening through configuration management | Configuration | |
| Verify the /etc/pki/tls/ldap/serverkey.pem file is owned by an appropriate user or group. CC ID 05355 | System hardening through configuration management | Configuration | |
| Verify the /etc/pki/tls/CA/cacert.pem file is owned by an appropriate user or group. CC ID 05356 | System hardening through configuration management | Configuration | |
| Verify the /etc/pki/tls/ldap/servercert.pem file is owned by an appropriate user or group. CC ID 05357 | System hardening through configuration management | Configuration | |
| Verify the var/lib/ldap/* files are owned by an appropriate user or group. CC ID 05358 | System hardening through configuration management | Configuration | |
| Verify the /etc/httpd/conf/* files are owned by an appropriate user or group. CC ID 05359 | System hardening through configuration management | Configuration | |
| Verify the /etc/auto_* file is owned by an appropriate user. CC ID 05360 | System hardening through configuration management | Configuration | |
| Verify the /etc/rmmount.conf file is owned by an appropriate user or group. CC ID 05361 | System hardening through configuration management | Configuration | |
| Verify the /var/log/pamlog log is owned by an appropriate user or group. CC ID 05362 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/audit_control file is owned by an appropriate user or group. CC ID 05363 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/audit_class file is owned by an appropriate user or group. CC ID 05364 | System hardening through configuration management | Configuration | |
| Verify the /etc/security/audit_event file is owned by an appropriate user or group. CC ID 05365 | System hardening through configuration management | Configuration | |
| Verify the ASET userlist file is owned by an appropriate user or group. CC ID 05366 | System hardening through configuration management | Configuration | |
| Verify the /var directory is owned by an appropriate user. CC ID 05367 | System hardening through configuration management | Configuration | |
| Verify the /var/log directory is owned by an appropriate user. CC ID 05368 | System hardening through configuration management | Configuration | |
| Verify the /var/adm directory is owned by an appropriate user. CC ID 05369 | System hardening through configuration management | Configuration | |
| Restrict the debug level daemon logging file owner and daemon debug group owner. CC ID 05370 | System hardening through configuration management | Configuration | |
| Restrict the Cron log file owner and Cron group owner. CC ID 05371 | System hardening through configuration management | Configuration | |
| Restrict the system accounting file owner and system accounting group owner. CC ID 05372 | System hardening through configuration management | Configuration | |
| Restrict audit log file ownership and audit group ownership. CC ID 05373 | System hardening through configuration management | Configuration | |
| Set the X server timeout properly. CC ID 05374 | System hardening through configuration management | Configuration | |
| Configure each user's authentication mechanism (system attribute) properly. CC ID 05375 | System hardening through configuration management | Configuration | |
| Enable or disable SeLinux, as appropriate. CC ID 05376 | System hardening through configuration management | Configuration | |
| Set the SELinux state properly. CC ID 05377 | System hardening through configuration management | Configuration | |
| Set the SELinux policy properly. CC ID 05378 | System hardening through configuration management | Configuration | |
| Configure Dovecot properly. CC ID 05379 | System hardening through configuration management | Configuration | |
| Configure the "Prohibit Access of the Windows Connect Now Wizards" setting. CC ID 05380 | System hardening through configuration management | Configuration | |
| Configure the "Allow remote access to the PnP interface" setting. CC ID 05381 | System hardening through configuration management | Configuration | |
| Configure the "Do not create system restore point when new device driver installed" setting. CC ID 05382 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Access to All Windows Update Feature" setting. CC ID 05383 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Automatic Root Certificates Update" setting. CC ID 05384 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Event Views 'Events.asp' Links" setting. CC ID 05385 | System hardening through configuration management | Configuration | |
| Configure "Turn Off Handwriting Recognition Error Reporting" to organizational standards. CC ID 05386 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Help and Support Center 'Did You Know?' content" setting. CC ID 05387 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Help and Support Center Microsoft Knowledge Base Search" setting. CC ID 05388 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Internet File Association Service" setting. CC ID 05389 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting. CC ID 05390 | System hardening through configuration management | Configuration | |
| Configure the "Turn off the 'Order Prints' Picture task" setting. CC ID 05391 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Windows Movie Maker Online Web Links" setting. CC ID 05392 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting. CC ID 05393 | System hardening through configuration management | Configuration | |
| Configure the "Don't Display the Getting Started Welcome Screen at Logon" setting. CC ID 05394 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Startup Sound" setting. CC ID 05395 | System hardening through configuration management | Configuration | |
| Configure the "Allow only Vista or later connections" setting. CC ID 05396 | System hardening through configuration management | Configuration | |
| Configure the "Turn on bandwidth optimization" setting. CC ID 05397 | System hardening through configuration management | Configuration | |
| Configure the "Prevent IIS Installation" setting. CC ID 05398 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Active Help" setting. CC ID 05399 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Untrusted Content" setting. CC ID 05400 | System hardening through configuration management | Configuration | |
| Configure the "Turn off downloading of enclosures" setting. CC ID 05401 | System hardening through configuration management | Configuration | |
| Configure "Allow indexing of encrypted files" to organizational standards. CC ID 05402 | System hardening through configuration management | Configuration | |
| Configure the "Prevent indexing uncached Exchange folders" setting. CC ID 05403 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Calendar" setting. CC ID 05404 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Defender" setting. CC ID 05405 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Heap termination on corruption" setting to organizational standards. CC ID 05406 | System hardening through configuration management | Configuration | |
| Configure the "Turn off shell protocol protected mode" setting to organizational standards. CC ID 05407 | System hardening through configuration management | Configuration | |
| Configure the "Prohibit non-administrators from applying vendor signed updates" setting. CC ID 05408 | System hardening through configuration management | Configuration | |
| Configure the "Report when logon server was not available during user logon" setting. CC ID 05409 | System hardening through configuration management | Configuration | |
| Configure the "Turn off the communication features" setting. CC ID 05410 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Mail application" setting. CC ID 05411 | System hardening through configuration management | Configuration | |
| Configure the "Prevent Windows Media DRM Internet Access" setting. CC ID 05412 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Windows Meeting Space" setting. CC ID 05413 | System hardening through configuration management | Configuration | |
| Configure the "Turn on Windows Meeting Space auditing" setting. CC ID 05414 | System hardening through configuration management | Configuration | |
| Configure the "Disable unpacking and installation of gadgets that are not digitally signed" setting. CC ID 05415 | System hardening through configuration management | Configuration | |
| Configure the "Override the More Gadgets Link" setting. CC ID 05416 | System hardening through configuration management | Configuration | |
| Configure the "Turn Off User Installed Windows Sidebar Gadgets" setting. CC ID 05417 | System hardening through configuration management | Configuration | |
| Configure the "Do not allow Digital Locker to run" setting. CC ID 05418 | System hardening through configuration management | Configuration | |
| Configure the "Turn off Downloading of Game Information" setting. CC ID 05419 | System hardening through configuration management | Configuration | |
| Configure "Turn on Responder (RSPNDR) driver" to organizational standards. CC ID 05420 | System hardening through configuration management | Configuration | |
| Verify ExecShield has been randomly placed in Virtual Memory regions. CC ID 05436 | System hardening through configuration management | Configuration | |
| Enable the ExecShield, as appropriate. CC ID 05421 | System hardening through configuration management | Configuration | |
| Configure Kernel support for the XD/NX processor feature, as appropriate. CC ID 05422 | System hardening through configuration management | Configuration | |
| Configure the XD/NX processor feature in the BIOS, as appropriate. CC ID 05423 | System hardening through configuration management | Configuration | |
| Configure the Shell for the bin account properly. CC ID 05424 | System hardening through configuration management | Configuration | |
| Configure the Shell for the nuucp account properly. CC ID 05425 | System hardening through configuration management | Configuration | |
| Configure the Shell for the smmsp account properly. CC ID 05426 | System hardening through configuration management | Configuration | |
| Configure the Shell for the listen account properly. CC ID 05427 | System hardening through configuration management | Configuration | |
| Configure the Shell for the gdm account properly. CC ID 05428 | System hardening through configuration management | Configuration | |
| Configure the Shell for the webservd account properly. CC ID 05429 | System hardening through configuration management | Configuration | |
| Configure the Shell for the nobody account properly. CC ID 05430 | System hardening through configuration management | Configuration | |
| Configure the Shell for the noaccess account properly. CC ID 05431 | System hardening through configuration management | Configuration | |
| Configure the Shell for the nobody4 account properly. CC ID 05432 | System hardening through configuration management | Configuration | |
| Configure the Shell for the adm account properly. CC ID 05433 | System hardening through configuration management | Configuration | |
| Configure the Shell for the lp account properly. CC ID 05434 | System hardening through configuration management | Configuration | |
| Configure the Shell for the uucp account properly. CC ID 05435 | System hardening through configuration management | Configuration | |
| Set the noexec_user_stack parameter properly. CC ID 05437 | System hardening through configuration management | Configuration | |
| Set the no_exec_user_stack_log parameter properly. CC ID 05438 | System hardening through configuration management | Configuration | |
| Set the noexec_user_stack flag on the user stack properly. CC ID 05439 | System hardening through configuration management | Configuration | |
| Set the TCP max connection limit properly. CC ID 05440 | System hardening through configuration management | Configuration | |
| Set the TCP abort interval properly. CC ID 05441 | System hardening through configuration management | Configuration | |
| Enable or disable the GNOME screenlock, as appropriate. CC ID 05442 | System hardening through configuration management | Configuration | |
| Set the ARP cache cleanup interval properly. CC ID 05443 | System hardening through configuration management | Configuration | |
| Set the ARP IRE scan rate properly. CC ID 05444 | System hardening through configuration management | Configuration | |
| Disable The "proxy ARP" configurable item on all interfaces. CC ID 06570 | System hardening through configuration management | Configuration | |
| Set the FileSpaceSwitch variable to an appropriate value. CC ID 05445 | System hardening through configuration management | Configuration | |
| Set the wakeup switchpoint frequency to an appropriate time interval. CC ID 05446 | System hardening through configuration management | Configuration | |
| Enable or disable the setuid option on removable storage media, as appropriate. CC ID 05447 | System hardening through configuration management | Configuration | |
| Configure TCP/IP PMTU Discovery, as appropriate. CC ID 05991 | System hardening through configuration management | Configuration | |
| Configure Secure Shell to enable or disable empty passwords, as appropriate. CC ID 06016 | System hardening through configuration management | Configuration | |
| Configure each user's Screen Saver Executable Name. CC ID 06027 | System hardening through configuration management | Configuration | |
| Configure the NIS+ server to operate at an appropriate security level. CC ID 06038 | System hardening through configuration management | Configuration | |
| Configure the "restrict guest access to system log" policy, as appropriate. CC ID 06047 | System hardening through configuration management | Configuration | |
| Configure the "Block saving of Open XML file types" setting, as appropriate. CC ID 06048 | System hardening through configuration management | Configuration | |
| Enable or disable user-initiated system crashes via the CTRL+SCROLL LOCK+SCROLL LOCK sequence for keyboards. CC ID 06051 | System hardening through configuration management | Configuration | |
| Configure the "Syskey mode" to organizational standards. CC ID 06052 | System hardening through configuration management | Configuration | |
| Configure the Trusted Platform Module (TPM) platform validation profile, as appropriate. CC ID 06056 | System hardening through configuration management | Configuration | |
| Configure the "Allow Remote Shell Access" setting, as appropriate. CC ID 06057 | System hardening through configuration management | Configuration | |
| Configure the "Prevent the computer from joining a homegroup" setting, as appropriate. CC ID 06058 | System hardening through configuration management | Configuration | |
| Enable or disable the authenticator requirement after waking, as appropriate. CC ID 06059 | System hardening through configuration management | Configuration | |
| Enable or disable the standby states, as appropriate. CC ID 06060 | System hardening through configuration management | Configuration | |
| Configure the Trusted Platform Module startup options properly. CC ID 06061 | System hardening through configuration management | Configuration | |
| Configure the system to purge Policy Caches. CC ID 06569 | System hardening through configuration management | Configuration | |
| Separate authenticator files and application system data on different file systems. CC ID 06790 | System hardening through configuration management | Configuration | |
| Configure Application Programming Interfaces to limit or shut down interactivity based upon a rate limit. CC ID 06811 | System hardening through configuration management | Configuration | |
| Configure the "all world-writable directories" user ownership to organizational standards. CC ID 08714 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "all rsyslog log" files group ownership to organizational standards. CC ID 08715 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "all rsyslog log" files user ownership to organizational standards. CC ID 08716 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "Executable stack" setting to organizational standards. CC ID 08969 | System hardening through configuration management | Configuration | |
| Configure the "smbpasswd executable" user ownership to organizational standards. CC ID 08975 | System hardening through configuration management | Configuration | |
| Configure the "traceroute executable" group ownership to organizational standards. CC ID 08980 | System hardening through configuration management | Configuration | |
| Configure the "traceroute executable" user ownership to organizational standards. CC ID 08981 | System hardening through configuration management | Configuration | |
| Configure the "Apache configuration" directory group ownership to organizational standards. CC ID 08991 | System hardening through configuration management | Configuration | |
| Configure the "Apache configuration" directory user ownership to organizational standards. CC ID 08992 | System hardening through configuration management | Configuration | |
| Configure the "/var/log/httpd/" file group ownership to organizational standards. CC ID 09027 | System hardening through configuration management | Configuration | |
| Configure the "/etc/httpd/conf.d" file group ownership to organizational standards. CC ID 09028 | System hardening through configuration management | Configuration | |
| Configure the "/etc/httpd/conf/passwd" file group ownership to organizational standards. CC ID 09029 | System hardening through configuration management | Configuration | |
| Configure the "/usr/sbin/apachectl" file group ownership to organizational standards. CC ID 09030 | System hardening through configuration management | Configuration | |
| Configure the "/usr/sbin/httpd" file group ownership to organizational standards. CC ID 09031 | System hardening through configuration management | Configuration | |
| Configure the "/var/www/html" file group ownership to organizational standards. CC ID 09032 | System hardening through configuration management | Configuration | |
| Configure the "log files" the "/var/log/httpd/" directory user ownership to organizational standards. CC ID 09034 | System hardening through configuration management | Configuration | |
| Configure the "/etc/httpd/conf.d" file ownership to organizational standards. CC ID 09035 | System hardening through configuration management | Configuration | |
| Configure the "/etc/httpd/conf/passwd" file ownership to organizational standards. CC ID 09036 | System hardening through configuration management | Configuration | |
| Configure the "/usr/sbin/apachectl" file ownership to organizational standards. CC ID 09037 | System hardening through configuration management | Configuration | |
| Configure the "/usr/sbin/httpd" file ownership to organizational standards. CC ID 09038 | System hardening through configuration management | Configuration | |
| Configure the "/var/www/html" file ownership to organizational standards. CC ID 09039 | System hardening through configuration management | Configuration | |
| Configure the "httpd.conf" file user ownership to organizational standards. CC ID 09055 | System hardening through configuration management | Configuration | |
| Configure the "httpd.conf" group ownership to organizational standards. CC ID 09056 | System hardening through configuration management | Configuration | |
| Configure the "htpasswd" file user ownership to organizational standards. CC ID 09058 | System hardening through configuration management | Configuration | |
| Configure the "htpasswd" file group ownership to organizational standards. CC ID 09059 | System hardening through configuration management | Configuration | |
| Configure the "files specified by CustomLog" user ownership to organizational standards. CC ID 09074 | System hardening through configuration management | Configuration | |
| Configure the "files specified by CustomLog" group ownership to organizational standards. CC ID 09075 | System hardening through configuration management | Configuration | |
| Configure the "files specified by ErrorLog" user ownership to organizational standards. CC ID 09076 | System hardening through configuration management | Configuration | |
| Configure the "files specified by ErrorLog" group ownership to organizational standards. CC ID 09077 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ScriptAlias" user ownership to organizational standards. CC ID 09079 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ScriptAlias" group ownership to organizational standards. CC ID 09080 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ScriptAliasMatch" user ownership to organizational standards. CC ID 09082 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ScriptAliasMatch" group ownership to organizational standards. CC ID 09083 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by DocumentRoot" user ownership to organizational standards. CC ID 09085 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by DocumentRoot" group ownership to organizational standards. CC ID 09086 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by Alias" user ownership to organizational standards. CC ID 09088 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by Alias" group ownership to organizational standards. CC ID 09089 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ServerRoot" user ownership to organizational standards. CC ID 09091 | System hardening through configuration management | Configuration | |
| Configure the "directories specified by ServerRoot" group ownership to organizational standards. CC ID 09092 | System hardening through configuration management | Configuration | |
| Configure the "apache /bin" directory user ownership to organizational standards. CC ID 09094 | System hardening through configuration management | Configuration | |
| Configure the "apache /bin" directory group ownership to organizational standards. CC ID 09095 | System hardening through configuration management | Configuration | |
| Configure the "apache /logs" directory user ownership to organizational standards. CC ID 09097 | System hardening through configuration management | Configuration | |
| Configure the "apache /logs" directory group ownership to organizational standards. CC ID 09098 | System hardening through configuration management | Configuration | |
| Configure the "apache /htdocs" directory user ownership to organizational standards. CC ID 09100 | System hardening through configuration management | Configuration | |
| Configure the "apache /htdocs" directory group ownership to organizational standards. CC ID 09101 | System hardening through configuration management | Configuration | |
| Configure the "apache /cgi-bin" directory group ownership to organizational standards. CC ID 09104 | System hardening through configuration management | Configuration | |
| Configure the "User-specific directories" setting to organizational standards. CC ID 09123 | System hardening through configuration management | Configuration | |
| Configure the "apache process ID" file user ownership to organizational standards. CC ID 09125 | System hardening through configuration management | Configuration | |
| Configure the "apache process ID" file group ownership to organizational standards. CC ID 09126 | System hardening through configuration management | Configuration | |
| Configure the "apache scoreboard" file user ownership to organizational standards. CC ID 09128 | System hardening through configuration management | Configuration | |
| Configure the "apache scoreboard" file group ownership to organizational standards. CC ID 09129 | System hardening through configuration management | Configuration | |
| Configure the "Ownership of the asymmetric keys" setting to organizational standards. CC ID 09289 | System hardening through configuration management | Configuration | |
| Configure the "SQLServer2005ReportServerUser" registry key permissions to organizational standards. CC ID 09326 | System hardening through configuration management | Configuration | |
| Configure the "SQLServerADHelperUser" registry key permissions to organizational standards. CC ID 09329 | System hardening through configuration management | Configuration | |
| Configure the "Tomcat home" directory user ownership to organizational standards. CC ID 09772 | System hardening through configuration management | Configuration | |
| Configure the "group" setting for the "Tomcat installation" to organizational standards. CC ID 09773 | System hardening through configuration management | Configuration | |
| Configure the "tomcat conf/" directory user ownership to organizational standards. CC ID 09774 | System hardening through configuration management | Configuration | |
| Configure the "tomcat conf/" directory group ownership to organizational standards. CC ID 09775 | System hardening through configuration management | Configuration | |
| Configure the "tomcat-users.xml" file user ownership to organizational standards. CC ID 09776 | System hardening through configuration management | Configuration | |
| Configure the "tomcat-users.xml" file group ownership to organizational standards. CC ID 09777 | System hardening through configuration management | Configuration | |
| Configure the "group membership" setting for "Tomcat" to organizational standards. CC ID 09793 | System hardening through configuration management | Configuration | |
| Configure the "Tomcat home" directory group ownership to organizational standards. CC ID 09798 | System hardening through configuration management | Configuration | |
| Configure the "Tomcat home/conf/" directory user ownership to organizational standards. CC ID 09800 | System hardening through configuration management | Configuration | |
| Configure the "Tomcat home/conf/" directory group ownership to organizational standards. CC ID 09801 | System hardening through configuration management | Configuration | |
| Configure the "system" files permissions to organizational standards. CC ID 09922 | System hardening through configuration management | Configuration | |
| Configure the "size limit" setting for the "application log" to organizational standards. CC ID 10063 | System hardening through configuration management | Configuration | |
| Configure the "restrict guest access to security log" setting to organizational standards. CC ID 10064 | System hardening through configuration management | Configuration | |
| Configure the "size limit" setting for the "system log" to organizational standards. CC ID 10065 | System hardening through configuration management | Configuration | |
| Configure the "Automatic Update service" setting to organizational standards. CC ID 10066 | System hardening through configuration management | Configuration | |
| Configure the "Safe DLL Search Mode" setting to organizational standards. CC ID 10067 | System hardening through configuration management | Configuration | |
| Configure the "screensaver" setting to organizational standards. CC ID 10068 | System hardening through configuration management | Configuration | |
| Configure the "screensaver" setting for the "default" user to organizational standards. CC ID 10069 | System hardening through configuration management | Configuration | |
| Configure the "Enable User Control Over Installs" setting to organizational standards. CC ID 10070 | System hardening through configuration management | Configuration | |
| Configure the "Enable User to Browser for Source While Elevated" setting to organizational standards. CC ID 10071 | System hardening through configuration management | Configuration | |
| Configure the "Enable User to Use Media Source While Elevated" setting to organizational standards. CC ID 10072 | System hardening through configuration management | Configuration | |
| Configure the "Allow Administrator to Install from Terminal Services Session" setting to organizational standards. CC ID 10073 | System hardening through configuration management | Configuration | |
| Configure the "Enable User to Patch Elevated Products" setting to organizational standards. CC ID 10074 | System hardening through configuration management | Configuration | |
| Configure the "Cache Transforms in Secure Location" setting to organizational standards. CC ID 10075 | System hardening through configuration management | Configuration | |
| Configure the "Disable Media Player for automatic updates" setting to organizational standards. CC ID 10076 | System hardening through configuration management | Configuration | |
| Configure the "Internet access for Windows Messenger" setting to organizational standards. CC ID 10077 | System hardening through configuration management | Configuration | |
| Configure the "Do Not Automatically Start Windows Messenger" setting to organizational standards. CC ID 10078 | System hardening through configuration management | Configuration | |
| Configure the "Hide Property Pages" setting for the "task scheduler" to organizational standards. CC ID 10079 | System hardening through configuration management | Configuration | |
| Configure the "Prohibit New Task Creation" setting for the "task scheduler" to organizational standards. CC ID 10080 | System hardening through configuration management | Configuration | |
| Configure "Set time limit for disconnected sessions" to organizational standards. CC ID 10081 | System hardening through configuration management | Configuration | |
| Configure the "Set time limit for idle sessions" setting to organizational standards. CC ID 10082 | System hardening through configuration management | Configuration | |
| Configure the "Enable Keep-Alive Messages" setting to organizational standards. CC ID 10083 | System hardening through configuration management | Configuration | |
| Configure the "Automatic Updates detection frequency" setting to organizational standards. CC ID 10084 | System hardening through configuration management | Configuration | |
| Configure the "TCPMaxPortsExhausted" setting to organizational standards. CC ID 10085 | System hardening through configuration management | Configuration | |
| Configure the "built-in Administrator" account to organizational standards. CC ID 10086 | System hardening through configuration management | Configuration | |
| Configure the "Prevent System Maintenance of Computer Account Password" setting to organizational standards. CC ID 10087 | System hardening through configuration management | Configuration | |
| Configure the "Digitally Sign Client Communication (When Possible)" setting to organizational standards. CC ID 10088 | System hardening through configuration management | Configuration | |
| Configure the "number of SYN-ACK retransmissions sent when attempting to respond to a SYN request" setting to organizational standards. CC ID 10089 | System hardening through configuration management | Configuration | |
| Configure the "warning level" setting for the "audit log" to organizational standards. CC ID 10090 | System hardening through configuration management | Configuration | |
| Configure the "Change Password" setting for the "Ctrl+Alt+Del dialog" to organizational standards. CC ID 10091 | System hardening through configuration management | Configuration | |
| Configure the "account description" setting for the "built-in Administrator" account to organizational standards. CC ID 10092 | System hardening through configuration management | Configuration | |
| Configure the "Decoy Admin Account Not Disabled" setting to organizational standards. CC ID 10201 | System hardening through configuration management | Configuration | |
| Configure the "when maximum log size is reached" setting for the "Application log" to organizational standards. CC ID 10202 | System hardening through configuration management | Configuration | |
| Configure the "password filtering DLL" setting to organizational standards. CC ID 10203 | System hardening through configuration management | Configuration | |
| Configure the "Anonymous access to the registry" setting to organizational standards. CC ID 10204 | System hardening through configuration management | Configuration | |
| Configure the "Automatic Execution" setting for the "System Debugger" to organizational standards. CC ID 10205 | System hardening through configuration management | Configuration | |
| Configure the "CD-ROM Autorun" setting to organizational standards. CC ID 10206 | System hardening through configuration management | Configuration | |
| Configure the "ResetBrowser Frames" setting to organizational standards. CC ID 10207 | System hardening through configuration management | Configuration | |
| Configure the "Dr. Watson Crash Dumps" setting to organizational standards. CC ID 10208 | System hardening through configuration management | Configuration | |
| Configure the "File System Checker and Popups" setting to organizational standards. CC ID 10209 | System hardening through configuration management | Configuration | |
| Configure the "System File Checker" setting to organizational standards. CC ID 10210 | System hardening through configuration management | Configuration | |
| Configure the "System File Checker Progress Meter" setting to organizational standards. CC ID 10211 | System hardening through configuration management | Configuration | |
| Configure the "number of TCP/IP Maximum Half-open Sockets" setting to organizational standards. CC ID 10212 | System hardening through configuration management | Configuration | |
| Configure the "number of TCP/IP Maximum Retried Half-open Sockets" setting to organizational standards. CC ID 10213 | System hardening through configuration management | Configuration | |
| Configure the "Protect Kernel object attributes" setting to organizational standards. CC ID 10214 | System hardening through configuration management | Configuration | |
| Configure the "Unsigned Non-Driver Installation Behavior" setting to organizational standards. CC ID 10215 | System hardening through configuration management | Configuration | |
| Configure the "Automatically Log Off Users When Logon Time Expires (local)" setting to organizational standards. CC ID 10216 | System hardening through configuration management | Configuration | |
| Configure the "Local volumes" setting to organizational standards. CC ID 10217 | System hardening through configuration management | Configuration | |
| Configure the "Unused USB Ports" setting to organizational standards. CC ID 10218 | System hardening through configuration management | Configuration | |
| Configure the "Set Safe for Scripting" setting to organizational standards. CC ID 10219 | System hardening through configuration management | Configuration | |
| Configure the "Use of the Recycle Bin on file deletion" setting to organizational standards. CC ID 10220 | System hardening through configuration management | Configuration | |
| Configure the "Membership in the Power Users group" setting to organizational standards. CC ID 10224 | System hardening through configuration management | Configuration | |
| Configure the "AutoBackupLogFiles" setting for the "security log" to organizational standards. CC ID 10225 | System hardening through configuration management | Configuration | |
| Configure the "AutoBackupLogFiles" setting for the "application log" to organizational standards. CC ID 10226 | System hardening through configuration management | Configuration | |
| Configure the "AutoBackupLogFiles" setting for the "system log" to organizational standards. CC ID 10227 | System hardening through configuration management | Configuration | |
| Configure the "Syskey Encryption Key location and password method" setting to organizational standards. CC ID 10228 | System hardening through configuration management | Configuration | |
| Configure the "Os2LibPath environmental variable" setting to organizational standards. CC ID 10229 | System hardening through configuration management | Configuration | |
| Configure the "path to the Microsoft OS/2 version 1.x library" setting to organizational standards. CC ID 10230 | System hardening through configuration management | Configuration | |
| Configure the "location of the OS/2 subsystem" setting to organizational standards. CC ID 10231 | System hardening through configuration management | Configuration | |
| Configure the "location of the POSIX subsystem" setting to organizational standards. CC ID 10232 | System hardening through configuration management | Configuration | |
| Configure the "path to the debugger used for Just-In-Time debugging" setting to organizational standards. CC ID 10234 | System hardening through configuration management | Configuration | |
| Configure the "Distributed Component Object Model (DCOM)" setting to organizational standards. CC ID 10235 | System hardening through configuration management | Configuration | |
| Configure the "The "encryption algorithm" setting for "EFS"" setting to organizational standards. CC ID 10236 | System hardening through configuration management | Configuration | |
| Configure the "Interix Subsystem Startup service startup type" setting to organizational standards. CC ID 10238 | System hardening through configuration management | Configuration | |
| Configure the "Services for Unix Perl Socket service startup type" setting to organizational standards. CC ID 10247 | System hardening through configuration management | Configuration | |
| Configure the "Services for Unix Windows Cron service startup type" setting to organizational standards. CC ID 10248 | System hardening through configuration management | Configuration | |
| Configure the "fDisableCdm" setting to organizational standards. CC ID 10259 | System hardening through configuration management | Configuration | |
| Configure the "fDisableClip" setting to organizational standards. CC ID 10260 | System hardening through configuration management | Configuration | |
| Configure the "Inheritance of the shadow setting" setting to organizational standards. CC ID 10261 | System hardening through configuration management | Configuration | |
| Configure the "remote control configuration" setting to organizational standards. CC ID 10262 | System hardening through configuration management | Configuration | |
| Configure the "fDisableCam" setting to organizational standards. CC ID 10263 | System hardening through configuration management | Configuration | |
| Configure the "fDisableCcm" setting to organizational standards. CC ID 10264 | System hardening through configuration management | Configuration | |
| Configure the "fDisableLPT" setting to organizational standards. CC ID 10265 | System hardening through configuration management | Configuration | |
| Configure the "ActiveX installation policy for sites in Trusted zones" setting to organizational standards. CC ID 10691 | System hardening through configuration management | Configuration | |
| Configure the "Add the Administrators security group to roaming user profiles" setting to organizational standards. CC ID 10694 | System hardening through configuration management | Configuration | |
| Configure the "Administratively assigned offline files" setting to organizational standards. CC ID 10695 | System hardening through configuration management | Configuration | |
| Configure the "Apply policy to removable media" setting to organizational standards. CC ID 10756 | System hardening through configuration management | Configuration | |
| Configure the "Baseline file cache maximum size" setting to organizational standards. CC ID 10763 | System hardening through configuration management | Configuration | |
| Configure the "Check for New Signatures Before Scheduled Scans" setting to organizational standards. CC ID 10770 | System hardening through configuration management | Configuration | |
| Configure the "Check published state" setting to organizational standards. CC ID 10771 | System hardening through configuration management | Configuration | |
| Configure the "Communities" setting to organizational standards. CC ID 10772 | System hardening through configuration management | Configuration | |
| Configure the "Computer location" setting to organizational standards. CC ID 10773 | System hardening through configuration management | Configuration | |
| Configure the "Background Sync" setting to organizational standards. CC ID 10775 | System hardening through configuration management | Configuration | |
| Configure the "Corporate Windows Error Reporting" setting to organizational standards. CC ID 10777 | System hardening through configuration management | Configuration | |
| Configure the "Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10778 | System hardening through configuration management | Configuration | |
| Configure the "Default consent" setting to organizational standards. CC ID 10780 | System hardening through configuration management | Configuration | |
| Configure the "list of IEEE 1667 silos usable on your computer" setting to organizational standards. CC ID 10792 | System hardening through configuration management | Configuration | |
| Configure the "Microsoft SpyNet Reporting" setting to organizational standards. CC ID 10794 | System hardening through configuration management | Configuration | |
| Configure the "MSI Corrupted File Recovery Behavior" setting to organizational standards. CC ID 10795 | System hardening through configuration management | Configuration | |
| Configure the "Reliability WMI Providers" setting to organizational standards. CC ID 10804 | System hardening through configuration management | Configuration | |
| Configure the "Report Archive" setting to organizational standards. CC ID 10805 | System hardening through configuration management | Configuration | |
| Configure the "Report Queue" setting to organizational standards. CC ID 10806 | System hardening through configuration management | Configuration | |
| Configure the "root certificate clean up" setting to organizational standards. CC ID 10807 | System hardening through configuration management | Configuration | |
| Configure the "Security Policy for Scripted Diagnostics" setting to organizational standards. CC ID 10816 | System hardening through configuration management | Configuration | |
| Configure the "list of blocked TPM commands" setting to organizational standards. CC ID 10822 | System hardening through configuration management | Configuration | |
| Configure the "refresh interval for Server Manager" setting to organizational standards. CC ID 10823 | System hardening through configuration management | Configuration | |
| Configure the "server address, refresh interval, and issuer certificate authority of a target Subscription Manager" setting to organizational standards. CC ID 10824 | System hardening through configuration management | Configuration | |
| Configure the "Customize consent settings" setting to organizational standards. CC ID 10837 | System hardening through configuration management | Configuration | |
| Configure the "Default behavior for AutoRun" setting to organizational standards. CC ID 10839 | System hardening through configuration management | Configuration | |
| Configure the "Define Activation Security Check exemptions" setting to organizational standards. CC ID 10841 | System hardening through configuration management | Configuration | |
| Configure the "Define host name-to-Kerberos realm mappings" setting to organizational standards. CC ID 10842 | System hardening through configuration management | Configuration | |
| Configure the "Define interoperable Kerberos V5 realm settings" setting to organizational standards. CC ID 10843 | System hardening through configuration management | Configuration | |
| Configure the "Delay Restart for scheduled installations" setting to organizational standards. CC ID 10844 | System hardening through configuration management | Configuration | |
| Configure the "Delete cached copies of roaming profiles" setting to organizational standards. CC ID 10845 | System hardening through configuration management | Configuration | |
| Configure the "Delete user profiles older than a specified number of days on system restart" setting to organizational standards. CC ID 10847 | System hardening through configuration management | Configuration | |
| Configure the "Diagnostics: Configure scenario retention" setting to organizational standards. CC ID 10857 | System hardening through configuration management | Configuration | |
| Configure the "Directory pruning interval" setting to organizational standards. CC ID 10858 | System hardening through configuration management | Configuration | |
| Configure the "Directory pruning priority" setting to organizational standards. CC ID 10859 | System hardening through configuration management | Configuration | |
| Configure the "Directory pruning retry" setting to organizational standards. CC ID 10860 | System hardening through configuration management | Configuration | |
| Configure the "Disk Diagnostic: Configure custom alert text" setting to organizational standards. CC ID 10882 | System hardening through configuration management | Configuration | |
| Configure the "Display Shutdown Event Tracker" setting to organizational standards. CC ID 10888 | System hardening through configuration management | Configuration | |
| Configure the "Display string when smart card is blocked" setting to organizational standards. CC ID 10889 | System hardening through configuration management | Configuration | |
| Configure the "Do not automatically encrypt files moved to encrypted folders" setting to organizational standards. CC ID 10924 | System hardening through configuration management | Configuration | |
| Configure the "Do not check for user ownership of Roaming Profile Folders" setting to organizational standards. CC ID 10925 | System hardening through configuration management | Configuration | |
| Configure the "Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names" setting to organizational standards. CC ID 10932 | System hardening through configuration management | Configuration | |
| Configure the "Do not send additional data" machine setting should be configured correctly. to organizational standards. CC ID 10934 | System hardening through configuration management | Configuration | |
| Configure the "Domain Controller Address Type Returned" setting to organizational standards. CC ID 10939 | System hardening through configuration management | Configuration | |
| Configure the "Domain Location Determination URL" setting to organizational standards. CC ID 10940 | System hardening through configuration management | Configuration | |
| Configure the "Don't set the always do this checkbox" setting to organizational standards. CC ID 10941 | System hardening through configuration management | Configuration | |
| Configure the "Download missing COM components" setting to organizational standards. CC ID 10942 | System hardening through configuration management | Configuration | |
| Configure the "Dynamic Update" setting to organizational standards. CC ID 10944 | System hardening through configuration management | Configuration | |
| Configure the "Enable client-side targeting" setting to organizational standards. CC ID 10946 | System hardening through configuration management | Configuration | |
| Configure the "Enable NTFS pagefile encryption" setting to organizational standards. CC ID 10948 | System hardening through configuration management | Configuration | |
| Configure the "Enable Persistent Time Stamp" setting to organizational standards. CC ID 10949 | System hardening through configuration management | Configuration | |
| Configure the "Enable Transparent Caching" setting to organizational standards. CC ID 10950 | System hardening through configuration management | Configuration | |
| Configure the "Enable Windows NTP Client" setting to organizational standards. CC ID 10951 | System hardening through configuration management | Configuration | |
| Configure the "Enable Windows NTP Server" setting to organizational standards. CC ID 10952 | System hardening through configuration management | Configuration | |
| Configure the "Encrypt the Offline Files cache" setting to organizational standards. CC ID 10955 | System hardening through configuration management | Configuration | |
| Configure the "Enforce upgrade component rules" setting to organizational standards. CC ID 10958 | System hardening through configuration management | Configuration | |
| Configure the "Events.asp program" setting to organizational standards. CC ID 10959 | System hardening through configuration management | Configuration | |
| Configure the "Events.asp program command line parameters" setting to organizational standards. CC ID 10960 | System hardening through configuration management | Configuration | |
| Configure the "Events.asp URL" setting to organizational standards. CC ID 10961 | System hardening through configuration management | Configuration | |
| Configure the "Exclude credential providers" setting to organizational standards. CC ID 10962 | System hardening through configuration management | Configuration | |
| Configure the "Exclude files from being cached" setting to organizational standards. CC ID 10963 | System hardening through configuration management | Configuration | |
| Configure the "Final DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10968 | System hardening through configuration management | Configuration | |
| Configure the "For tablet pen input, don't show the Input Panel icon" setting to organizational standards. CC ID 10973 | System hardening through configuration management | Configuration | |
| Configure the "For touch input, don't show the Input Panel icon" setting to organizational standards. CC ID 10974 | System hardening through configuration management | Configuration | |
| Configure the "Force Rediscovery Interval" setting to organizational standards. CC ID 10975 | System hardening through configuration management | Configuration | |
| Configure the "Force selected system UI language to overwrite the user UI language" setting to organizational standards. CC ID 10976 | System hardening through configuration management | Configuration | |
| Configure the "Force the reading of all certificates from the smart card" setting to organizational standards. CC ID 10977 | System hardening through configuration management | Configuration | |
| Configure the "ForwarderResourceUsage" setting to organizational standards. CC ID 10978 | System hardening through configuration management | Configuration | |
| Configure the "Global Configuration Settings" setting to organizational standards. CC ID 10979 | System hardening through configuration management | Configuration | |
| Configure the "Hash Publication for BranchCache" setting to organizational standards. CC ID 10986 | System hardening through configuration management | Configuration | |
| Configure the "Hide entry points for Fast User Switching" setting to organizational standards. CC ID 10987 | System hardening through configuration management | Configuration | |
| Configure the "Hide notifications about RD Licensing problems that affect the RD Session Host server" setting to organizational standards. CC ID 10988 | System hardening through configuration management | Configuration | |
| Configure the "Hide previous versions list for local files" setting to organizational standards. CC ID 10989 | System hardening through configuration management | Configuration | |
| Configure the "Hide previous versions of files on backup location" setting to organizational standards. CC ID 10991 | System hardening through configuration management | Configuration | |
| Configure the "Ignore custom consent settings" setting to organizational standards. CC ID 10992 | System hardening through configuration management | Configuration | |
| Configure the "Ignore Delegation Failure" setting to organizational standards. CC ID 10993 | System hardening through configuration management | Configuration | |
| Configure the "Ignore the default list of blocked TPM commands" setting to organizational standards. CC ID 10994 | System hardening through configuration management | Configuration | |
| Configure the "Ignore the local list of blocked TPM commands" setting to organizational standards. CC ID 10995 | System hardening through configuration management | Configuration | |
| Configure the "Include rarely used Chinese, Kanji, or Hanja characters" setting to organizational standards. CC ID 10996 | System hardening through configuration management | Configuration | |
| Configure the "Initial DC Discovery Retry Setting for Background Callers" setting to organizational standards. CC ID 10997 | System hardening through configuration management | Configuration | |
| Configure the "IP-HTTPS State" setting to organizational standards. CC ID 11000 | System hardening through configuration management | Configuration | |
| Configure the "ISATAP Router Name" setting to organizational standards. CC ID 11001 | System hardening through configuration management | Configuration | |
| Configure the "ISATAP State" setting to organizational standards. CC ID 11002 | System hardening through configuration management | Configuration | |
| Configure the "License server security group" setting to organizational standards. CC ID 11005 | System hardening through configuration management | Configuration | |
| Configure the "List of applications to be excluded" setting to organizational standards. CC ID 11023 | System hardening through configuration management | Configuration | |
| Configure the "Lock Enhanced Storage when the computer is locked" setting to organizational standards. CC ID 11025 | System hardening through configuration management | Configuration | |
| Configure the "Make Parental Controls control panel visible on a Domain" setting to organizational standards. CC ID 11039 | System hardening through configuration management | Configuration | |
| Configure the "MaxConcurrentUsers" setting to organizational standards. CC ID 11040 | System hardening through configuration management | Configuration | |
| Configure the "Maximum DC Discovery Retry Interval Setting for Background Callers" setting to organizational standards. CC ID 11041 | System hardening through configuration management | Configuration | |
| Configure the "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider" setting to organizational standards. CC ID 11045 | System hardening through configuration management | Configuration | |
| Configure the "Negative DC Discovery Cache Setting" setting to organizational standards. CC ID 11047 | System hardening through configuration management | Configuration | |
| Configure the "Non-conforming packets" setting to organizational standards. CC ID 11053 | System hardening through configuration management | Configuration | |
| Configure the "Notify blocked drivers" setting to organizational standards. CC ID 11054 | System hardening through configuration management | Configuration | |
| Configure the "Notify user of successful smart card driver installation" setting to organizational standards. CC ID 11055 | System hardening through configuration management | Configuration | |
| Configure the "Permitted Managers" setting to organizational standards. CC ID 11062 | System hardening through configuration management | Configuration | |
| Configure the "Positive Periodic DC Cache Refresh for Background Callers" setting to organizational standards. CC ID 11063 | System hardening through configuration management | Configuration | |
| Configure the "Positive Periodic DC Cache Refresh for Non-Background Callers" setting to organizational standards. CC ID 11064 | System hardening through configuration management | Configuration | |
| Configure the "Prioritize all digitally signed drivers equally during the driver ranking and selection process" setting to organizational standards. CC ID 11098 | System hardening through configuration management | Configuration | |
| Configure the "Prompt for credentials on the client computer" setting to organizational standards. CC ID 11108 | System hardening through configuration management | Configuration | |
| Configure the "Propagation of extended error information" setting to organizational standards. CC ID 11110 | System hardening through configuration management | Configuration | |
| Configure the "Register PTR Records" setting to organizational standards. CC ID 11121 | System hardening through configuration management | Configuration | |
| Configure the "Registration Refresh Interval" setting to organizational standards. CC ID 11122 | System hardening through configuration management | Configuration | |
| Configure the "Remove Program Compatibility Property Page" setting to organizational standards. CC ID 11128 | System hardening through configuration management | Configuration | |
| Configure the "Remove users ability to invoke machine policy refresh" setting to organizational standards. CC ID 11129 | System hardening through configuration management | Configuration | |
| Configure the "Remove Windows Security item from Start menu" setting to organizational standards. CC ID 11130 | System hardening through configuration management | Configuration | |
| Configure the "Re-prompt for restart with scheduled installations" setting to organizational standards. CC ID 11131 | System hardening through configuration management | Configuration | |
| Configure the "Require secure RPC communication" setting to organizational standards. CC ID 11134 | System hardening through configuration management | Configuration | |
| Configure the "Require strict KDC validation" setting to organizational standards. CC ID 11135 | System hardening through configuration management | Configuration | |
| Configure the "Reverse the subject name stored in a certificate when displaying" setting to organizational standards. CC ID 11148 | System hardening through configuration management | Configuration | |
| Configure the "RPC Troubleshooting State Information" setting to organizational standards. CC ID 11150 | System hardening through configuration management | Configuration | |
| Configure the "Run shutdown scripts visible" setting to organizational standards. CC ID 11152 | System hardening through configuration management | Configuration | |
| Configure the "Run startup scripts asynchronously" setting to organizational standards. CC ID 11153 | System hardening through configuration management | Configuration | |
| Configure the "Run startup scripts visible" setting to organizational standards. CC ID 11154 | System hardening through configuration management | Configuration | |
| Configure the "Scavenge Interval" setting to organizational standards. CC ID 11158 | System hardening through configuration management | Configuration | |
| Configure the "Server Authentication Certificate Template" setting to organizational standards. CC ID 11170 | System hardening through configuration management | Configuration | |
| Configure the "Set BranchCache Distributed Cache mode" setting to organizational standards. CC ID 11172 | System hardening through configuration management | Configuration | |
| Configure the "Set BranchCache Hosted Cache mode" setting to organizational standards. CC ID 11173 | System hardening through configuration management | Configuration | |
| Configure the "Set compression algorithm for RDP data" setting to organizational standards. CC ID 11174 | System hardening through configuration management | Configuration | |
| Configure the "Set percentage of disk space used for client computer cache" setting to organizational standards. CC ID 11177 | System hardening through configuration management | Configuration | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Global" to organizational standards. CC ID 11178 | System hardening through configuration management | Configuration | |
| Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Site Local" to organizational standards. CC ID 11180 | System hardening through configuration management | Configuration | |
| Configure the "Set the Email IDs to which notifications are to be sent" setting to organizational standards. CC ID 11184 | System hardening through configuration management | Configuration | |
| Configure the "Set the map update interval for NIS subordinate servers" setting to organizational standards. CC ID 11186 | System hardening through configuration management | Configuration | |
| Configure the "Set the Seed Server" setting for "IPv6 Global" to organizational standards. CC ID 11189 | System hardening through configuration management | Configuration | |
| Configure the "Set the Seed Server" setting for "IPv6 Site Local" to organizational standards. CC ID 11191 | System hardening through configuration management | Configuration | |
| Configure the "Set the SMTP Server used to send notifications" setting to organizational standards. CC ID 11192 | System hardening through configuration management | Configuration | |
| Configure the "Set timer resolution" setting to organizational standards. CC ID 11196 | System hardening through configuration management | Configuration | |
| Configure the "Sets how often a DFS Client discovers DC's" setting to organizational standards. CC ID 11199 | System hardening through configuration management | Configuration | |
| Configure the "Short name creation options" setting to organizational standards. CC ID 11200 | System hardening through configuration management | Configuration | |
| Configure the "Site Name" setting to organizational standards. CC ID 11201 | System hardening through configuration management | Configuration | |
| Configure the "Specify a default color" setting to organizational standards. CC ID 11208 | System hardening through configuration management | Configuration | |
| Configure the "Specify idle Timeout" setting to organizational standards. CC ID 11210 | System hardening through configuration management | Configuration | |
| Configure the "Specify maximum amount of memory in MB per Shell" setting to organizational standards. CC ID 11211 | System hardening through configuration management | Configuration | |
| Configure the "Specify maximum number of processes per Shell" setting to organizational standards. CC ID 11212 | System hardening through configuration management | Configuration | |
| Configure the "Specify Shell Timeout" setting to organizational standards. CC ID 11216 | System hardening through configuration management | Configuration | |
| Configure the "Specify Windows installation file location" setting to organizational standards. CC ID 11225 | System hardening through configuration management | Configuration | |
| Configure the "Specify Windows Service Pack installation file location" setting to organizational standards. CC ID 11226 | System hardening through configuration management | Configuration | |
| Configure the "SSL Cipher Suite Order" setting to organizational standards. CC ID 11227 | System hardening through configuration management | Configuration | |
| Configure the "Switch to the Simplified Chinese (PRC) gestures" setting to organizational standards. CC ID 11230 | System hardening through configuration management | Configuration | |
| Configure the "Sysvol share compatibility" setting to organizational standards. CC ID 11231 | System hardening through configuration management | Configuration | |
| Configure the "Tag Windows Customer Experience Improvement data with Study Identifier" setting to organizational standards. CC ID 11232 | System hardening through configuration management | Configuration | |
| Configure the "Teredo Client Port" setting to organizational standards. CC ID 11236 | System hardening through configuration management | Configuration | |
| Configure the "Teredo Default Qualified" setting to organizational standards. CC ID 11237 | System hardening through configuration management | Configuration | |
| Configure the "Teredo Refresh Rate" setting to organizational standards. CC ID 11238 | System hardening through configuration management | Configuration | |
| Configure the "Teredo Server Name" setting to organizational standards. CC ID 11239 | System hardening through configuration management | Configuration | |
| Configure the "Teredo State" setting to organizational standards. CC ID 11240 | System hardening through configuration management | Configuration | |
| Configure the "Time (in seconds) to force reboot" setting to organizational standards. CC ID 11242 | System hardening through configuration management | Configuration | |
| Configure the "Time (in seconds) to force reboot when required for policy changes to take effect" setting to organizational standards. CC ID 11243 | System hardening through configuration management | Configuration | |
| Configure the "Timeout for fast user switching events" setting to organizational standards. CC ID 11244 | System hardening through configuration management | Configuration | |
| Configure the "Traps for public community" setting to organizational standards. CC ID 11246 | System hardening through configuration management | Configuration | |
| Configure the "Trusted Hosts" setting to organizational standards. CC ID 11249 | System hardening through configuration management | Configuration | |
| Configure the "Try Next Closest Site" setting to organizational standards. CC ID 11250 | System hardening through configuration management | Configuration | |
| Configure the "TTL Set in the A and PTR records" setting to organizational standards. CC ID 11251 | System hardening through configuration management | Configuration | |
| Configure the "Turn on Accounting for WSRM" setting to organizational standards. CC ID 11333 | System hardening through configuration management | Configuration | |
| Configure the "Turn on BranchCache" setting to organizational standards. CC ID 11334 | System hardening through configuration management | Configuration | |
| Configure the "Turn on certificate propagation from smart card" setting to organizational standards. CC ID 11335 | System hardening through configuration management | Configuration | |
| Configure the "Turn On Compatibility HTTP Listener" setting to organizational standards. CC ID 11336 | System hardening through configuration management | Configuration | |
| Configure the "Turn On Compatibility HTTPS Listener" setting to organizational standards. CC ID 11337 | System hardening through configuration management | Configuration | |
| Configure the "Turn on definition updates through both WSUS and the Microsoft Malware Protection Center" setting to organizational standards. CC ID 11338 | System hardening through configuration management | Configuration | |
| Configure the "Turn on definition updates through both WSUS and Windows Update" setting to organizational standards. CC ID 11339 | System hardening through configuration management | Configuration | |
| Configure the "Turn on economical application of administratively assigned Offline Files" setting to organizational standards. CC ID 11342 | System hardening through configuration management | Configuration | |
| Configure the "Turn on Mapper I/O (LLTDIO) driver" setting to organizational standards. CC ID 11346 | System hardening through configuration management | Configuration | |
| Configure the "Turn on recommended updates via Automatic Updates" setting to organizational standards. CC ID 11347 | System hardening through configuration management | Configuration | |
| Configure the "Turn on root certificate propagation from smart card" setting to organizational standards. CC ID 11349 | System hardening through configuration management | Configuration | |
| Configure the "Turn on Software Notifications" setting to organizational standards. CC ID 11352 | System hardening through configuration management | Configuration | |
| Configure the "Turn on TPM backup to Active Directory Domain Services" setting to organizational standards. CC ID 11356 | System hardening through configuration management | Configuration | |
| Configure the "Use forest search order" setting for "Key Distribution Center (KDC) searches" to organizational standards. CC ID 11359 | System hardening through configuration management | Configuration | |
| Configure the "Use forest search order" setting for "Kerberos client searches" to organizational standards. CC ID 11360 | System hardening through configuration management | Configuration | |
| Configure the "Use IP Address Redirection" setting to organizational standards. CC ID 11361 | System hardening through configuration management | Configuration | |
| Configure the "Use localized subfolder names when redirecting Start Menu and My Documents" setting to organizational standards. CC ID 11362 | System hardening through configuration management | Configuration | |
| Configure the "Use mandatory profiles on the RD Session Host server" setting to organizational standards. CC ID 11363 | System hardening through configuration management | Configuration | |
| Configure the "Verbose vs normal status messages" setting to organizational standards. CC ID 11368 | System hardening through configuration management | Configuration | |
| Configure the "Verify old and new Folder Redirection targets point to the same share before redirecting" setting to organizational standards. CC ID 11369 | System hardening through configuration management | Configuration | |
| Configure the "Windows Scaling Heuristics State" setting to organizational standards. CC ID 11372 | System hardening through configuration management | Configuration | |
| Configure the "Obtain Software Package Updates with apt-get" setting to organizational standards. CC ID 11375 | System hardening through configuration management | Configuration | |
| Configure the "display a banner before authentication" setting for "LightDM" to organizational standards. CC ID 11385 | System hardening through configuration management | Configuration | |
| Configure the "shadow" group to organizational standards. CC ID 11386 | System hardening through configuration management | Configuration | |
| Configure the "AppArmor" setting to organizational standards. CC ID 11387 | System hardening through configuration management | Configuration | |
| Disable or configure the e-mail server, as necessary. CC ID 06563 | System hardening through configuration management | Configuration | |
| Configure e-mail servers to enable receiver-side verification. CC ID 12223 [{spoofed e-mail message} To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. CIS Control 9: Safeguard 9.5 Implement DMARC {spoofed e-mail message} To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. CIS Control 9: Safeguard 9.5 Implement DMARC] | System hardening through configuration management | Configuration | |
| Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | System hardening through configuration management | Configuration | |
| Configure user accounts. CC ID 07036 | System hardening through configuration management | Configuration | |
| Remove unnecessary default accounts. CC ID 01539 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | System hardening through configuration management | Configuration | |
| Disable all unnecessary user identifiers. CC ID 02185 | System hardening through configuration management | Configuration | |
| Remove unnecessary user credentials. CC ID 16409 | System hardening through configuration management | Configuration | |
| Remove the root user as appropriate. CC ID 01582 | System hardening through configuration management | Configuration | |
| Disable or remove the null account. CC ID 06572 | System hardening through configuration management | Configuration | |
| Configure accounts with administrative privilege. CC ID 07033 [Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. CIS Control 5: Account Management Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account. CIS Control 5: Safeguard 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts] | System hardening through configuration management | Configuration | |
| Employ multifactor authentication for accounts with administrative privilege. CC ID 12496 [Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider. CIS Control 6: Safeguard 6.5 Require MFA for Administrative Access] | System hardening through configuration management | Technical Security | |
| Disable root logons or limit the logons to the system console. CC ID 01573 | System hardening through configuration management | Configuration | |
| Encrypt non-console administrative access. CC ID 00883 | System hardening through configuration management | Configuration | |
| Invoke a strong encryption method before requesting an authenticator. CC ID 11986 | System hardening through configuration management | Technical Security | |
| Configure the default group for the root user. CC ID 01586 | System hardening through configuration management | Configuration | |
| Rename or disable the Administrator Account. CC ID 01721 | System hardening through configuration management | Configuration | |
| Create a backup administrator account. CC ID 04497 | System hardening through configuration management | Configuration | |
| Configure mobile device settings in accordance with organizational standards. CC ID 04600 | System hardening through configuration management | Configuration | |
| Configure mobile devices to organizational standards. CC ID 04639 [Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data. CIS Control 4: Safeguard 4.12 Separate Enterprise Workspaces on Mobile End-User Devices] | System hardening through configuration management | Configuration | |
| Configure mobile devices to separate organizational data from personal data. CC ID 16463 | System hardening through configuration management | Configuration | |
| Configure the mobile device properties to organizational standards. CC ID 04640 | System hardening through configuration management | Configuration | |
| Configure the mobile device menu items to organizational standards. CC ID 04641 | System hardening through configuration management | Configuration | |
| Configure the BlackBerry handheld device driver settings. CC ID 04642 | System hardening through configuration management | Configuration | |
| Configure e-mail security settings in accordance with organizational standards. CC ID 07055 [Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. CIS Control 9: Email and Web Browser Protections] | System hardening through configuration management | Configuration | |
| Configure e-mail to limit the number of recipients per message. CC ID 07056 | System hardening through configuration management | Configuration | |
| Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Configuration | |
| Configure the storage parameters for all logs. CC ID 06330 [{be adequate} Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process. CIS Control 8: Safeguard 8.3 Ensure Adequate Audit Log Storage] | System hardening through configuration management | Configuration | |
| Configure sufficient log storage capacity and prevent the capacity from being exceeded. CC ID 01425 | System hardening through configuration management | Configuration | |
| Configure the log retention method. CC ID 01715 | System hardening through configuration management | Configuration | |
| Configure the log retention size. CC ID 01716 | System hardening through configuration management | Configuration | |
| Configure syslogd to send logs to a Remote LogHost. CC ID 01526 | System hardening through configuration management | Configuration | |
| Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | System hardening through configuration management | Configuration | |
| Configure the log to capture the user's identification. CC ID 01334 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | System hardening through configuration management | Configuration | |
| Configure the log to capture a date and time stamp. CC ID 01336 [Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. CIS Control 8: Safeguard 8.5 Collect Detailed Audit Logs] | System hardening through configuration management | Configuration | |
| Configure the log to uniquely identify each asset. CC ID 01339 | System hardening through configuration management | Configuration | |
| Configure the log to capture the type of each event. CC ID 06423 | System hardening through configuration management | Configuration | |
| Configure the log to capture the details of electronic signature transactions. CC ID 16910 | System hardening through configuration management | Log Management | |
| Configure the log to uniquely identify each accessed record. CC ID 16909 | System hardening through configuration management | Log Management | |
| Configure the log to capture each event's success or failure indication. CC ID 06424 | System hardening through configuration management | Configuration | |
| Configure all logs to capture auditable events or actionable events. CC ID 06332 [Log sensitive data access, including modification and disposal. CIS Control 3: Safeguard 3.14 Log Sensitive Data Access] | System hardening through configuration management | Configuration | |
| Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 | System hardening through configuration management | Log Management | |
| Configure the log to capture startups and shutdowns. CC ID 16491 | System hardening through configuration management | Log Management | |
| Configure the log to capture user queries and searches. CC ID 16479 | System hardening through configuration management | Log Management | |
| Configure the log to capture Internet Protocol addresses. CC ID 16495 | System hardening through configuration management | Log Management | |
| Configure the log to capture error messages. CC ID 16477 | System hardening through configuration management | Log Management | |
| Configure the log to capture system failures. CC ID 16475 | System hardening through configuration management | Log Management | |
| Configure the log to capture account lockouts. CC ID 16470 | System hardening through configuration management | Configuration | |
| Configure the log to capture execution events. CC ID 16469 | System hardening through configuration management | Configuration | |
| Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 | System hardening through configuration management | Log Management | |
| Configure the log to capture AWS Organizations changes. CC ID 15445 | System hardening through configuration management | Configuration | |
| Configure the log to capture Identity and Access Management policy changes. CC ID 15442 | System hardening through configuration management | Configuration | |
| Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 | System hardening through configuration management | Configuration | |
| Configure the log to capture route table changes. CC ID 15439 | System hardening through configuration management | Configuration | |
| Configure the log to capture virtual private cloud changes. CC ID 15435 | System hardening through configuration management | Configuration | |
| Configure the log to capture changes to encryption keys. CC ID 15432 | System hardening through configuration management | Configuration | |
| Configure the log to capture unauthorized API calls. CC ID 15429 | System hardening through configuration management | Configuration | |
| Configure the log to capture changes to network gateways. CC ID 15421 | System hardening through configuration management | Configuration | |
| Configure the log to capture all spoofed addresses. CC ID 01313 | System hardening through configuration management | Configuration | |
| Configure inetd tracing. CC ID 01523 | System hardening through configuration management | Configuration | |
| Configure the system to capture messages sent to the syslog AUTH facility. CC ID 01525 | System hardening through configuration management | Configuration | |
| Configure Cron logging. CC ID 01528 | System hardening through configuration management | Configuration | |
| Configure the kernel level auditing setting. CC ID 01530 | System hardening through configuration management | Configuration | |
| Configure the "audit successful file system mounts" setting to organizational standards. CC ID 09923 | System hardening through configuration management | Configuration | |
| Configure system accounting/system events. CC ID 01529 | System hardening through configuration management | Configuration | |
| Configure the privilege use auditing setting. CC ID 01699 | System hardening through configuration management | Configuration | |
| Configure the log to record the Denial of Access that results from an excessive number of unsuccessful logon attempts. CC ID 01919 | System hardening through configuration management | Configuration | |
| Configure the Audit Process Tracking setting. CC ID 01700 | System hardening through configuration management | Configuration | |
| Configure the EEPROM security-mode accesses and EEPROM log-failed accesses. CC ID 01575 | System hardening through configuration management | Configuration | |
| Configure the log to capture user identifier, address, port blocking or blacklisting. CC ID 01918 | System hardening through configuration management | Configuration | |
| Enable directory service access events, as appropriate. CC ID 05616 | System hardening through configuration management | Configuration | |
| Configure the log to capture failed transactions. CC ID 06334 | System hardening through configuration management | Configuration | |
| Configure the log to capture successful transactions. CC ID 06335 | System hardening through configuration management | Configuration | |
| Audit non attributable events (na class). CC ID 05604 | System hardening through configuration management | Configuration | |
| Configure the log to capture configuration changes. CC ID 06881 | System hardening through configuration management | Configuration | |
| Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 | System hardening through configuration management | Configuration | |
| Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 | System hardening through configuration management | Log Management | |
| Configure the log to capture all changes to certificates. CC ID 05595 | System hardening through configuration management | Configuration | |
| Configure the "inetd logging" setting to organizational standards. CC ID 08970 | System hardening through configuration management | Configuration | |
| Configure the "audit sudoers" setting to organizational standards. CC ID 09950 | System hardening through configuration management | Configuration | |
| Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | System hardening through configuration management | Configuration | |
| Configure the "Minimum password length" to organizational standards. CC ID 07711 [{minimum number of characters} Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA. CIS Control 5: Safeguard 5.2 Use Unique Passwords] | System hardening through configuration management | Configuration | |
| Configure security and protection software according to Organizational Standards. CC ID 11917 | System hardening through configuration management | Configuration | |
| Configure security and protection software to check e-mail attachments. CC ID 11860 [Block unnecessary file types attempting to enter the enterprise's email gateway. CIS Control 9: Safeguard 9.6 Block Unnecessary File Types] | System hardening through configuration management | Configuration | |
| Configure the Domain Name System in accordance with organizational standards. CC ID 12202 [Configure trusted DNS servers on network infrastructure. Example implementations include configuring network devices to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. CIS Control 4: Safeguard 4.9 Configure Trusted DNS Servers on Enterprise Assets] | System hardening through configuration management | Configuration | |
| Configure the Domain Name System query logging to organizational standards. CC ID 12210 [Collect DNS query audit logs on enterprise assets, where appropriate and supported. CIS Control 8: Safeguard 8.6 Collect DNS Query Audit Logs] | System hardening through configuration management | Configuration | |
| Configure the secure name/address resolution service (recursive or caching resolver). CC ID 01625 | System hardening through configuration management | Configuration | |
| Configure the secure name/address resolution service (authoritative source). CC ID 01624 | System hardening through configuration management | Configuration | |
| Configure DNS records in accordance with organizational standards. CC ID 17083 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain a Configuration Baseline Documentation Record. CC ID 02130 [Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. CIS Control 16: Safeguard 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure] | System hardening through configuration management | Establish/Maintain Documentation | |
| Document and approve any changes to the Configuration Baseline Documentation Record. CC ID 12104 | System hardening through configuration management | Establish/Maintain Documentation | |
| Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 | System hardening through configuration management | Configuration | |
| Store master images on securely configured servers. CC ID 12089 | System hardening through configuration management | Technical Security | |
| Establish, implement, and maintain an information management program. CC ID 14315 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process {annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
| Store records and data in accordance with organizational standards. CC ID 16439 | Records management | Data and Information Management | |
| Remove dormant data from systems, as necessary. CC ID 13726 | Records management | Process or Activity | |
| Select the appropriate format for archived data and records. CC ID 06320 | Records management | Data and Information Management | |
| Archive appropriate records, logs, and database tables. CC ID 06321 | Records management | Records Management | |
| Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 | Records management | Data and Information Management | |
| Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Records management | Data and Information Management | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines. CIS Control 3: Safeguard 3.4 Enforce Data Retention {annual basis} Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process] | Records management | Process or Activity | |
| Retain records in accordance with applicable requirements. CC ID 00968 [Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. CIS Control 8: Audit Log Management {stipulated time frame} Retain audit logs across enterprise assets for a minimum of 90 days. CIS Control 8: Safeguard 8.10 Retain Audit Logs] | Records management | Records Management | |
| Define each system's disposition requirements for records and logs. CC ID 11651 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Records management | Process or Activity | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection {disposal method} Securely dispose of data as outlined in the enterprise's documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity. CIS Control 3: Safeguard 3.5 Securely Dispose of Data] | Records management | Establish/Maintain Documentation | |
| Manage the disposition status for all records. CC ID 00972 [{disposal method} Securely dispose of data as outlined in the enterprise's documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity. CIS Control 3: Safeguard 3.5 Securely Dispose of Data] | Records management | Records Management | |
| Require authorized individuals be present to witness records disposition. CC ID 12313 | Records management | Data and Information Management | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Records Management | |
| Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Physical and Environmental Protection | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Physical and Environmental Protection | |
| Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Data and Information Management | |
| Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Records management | Establish/Maintain Documentation | |
| Maintain disposal records or redeployment records. CC ID 01644 | Records management | Establish/Maintain Documentation | |
| Include the sanitization method in the disposal record. CC ID 17073 | Records management | Log Management | |
| Include time information in the disposal record. CC ID 17072 | Records management | Log Management | |
| Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Establish/Maintain Documentation | |
| Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 | Records management | Communicate | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Establish/Maintain Documentation | |
| Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Establish/Maintain Documentation | |
| Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Establish/Maintain Documentation | |
| Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Data and Information Management | |
| Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Data and Information Management | |
| Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Records Management | |
| Display required information automatically in electronic health records. CC ID 14442 | Records management | Process or Activity | |
| Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Establish/Maintain Documentation | |
| Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Actionable Reports or Measurements | |
| Create export summaries, as necessary. CC ID 14446 | Records management | Process or Activity | |
| Import data files into a patient's electronic health record. CC ID 14448 | Records management | Data and Information Management | |
| Export requested sections of the electronic health record. CC ID 14447 | Records management | Data and Information Management | |
| Establish and maintain an implantable device list. CC ID 14444 | Records management | Records Management | |
| Display the implantable device list to authorized users. CC ID 14445 | Records management | Data and Information Management | |
| Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Business Processes | |
| Include attributes in the decision support intervention. CC ID 16766 | Records management | Data and Information Management | |
| Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Records Management | |
| Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Records Management | |
| Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Records Management | |
| Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Records Management | |
| Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Records Management | |
| Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Log Management | |
| Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Log Management | |
| Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Establish/Maintain Documentation | |
| Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Log Management | |
| Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Log Management | |
| Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Log Management | |
| Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Log Management | |
| Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Log Management | |
| Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Log Management | |
| Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Log Management | |
| Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Log Management | |
| Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Log Management | |
| Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Log Management | |
| Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Log Management | |
| Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Log Management | |
| Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Log Management | |
| Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Records Management | |
| Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Log Management | |
| Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Log Management | |
| Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Log Management | |
| Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Log Management | |
| Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Records Management | |
| Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Log Management | |
| Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Log Management | |
| Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Log Management | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Technical Security | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Records Management | |
| Provide encryption for different types of electronic storage media. CC ID 00945 [Encrypt data on removable media. CIS Control 3: Safeguard 3.9 Encrypt Data on Removable Media] | Records management | Technical Security | |
| Assign ownership for all electronic records. CC ID 14814 [{annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Records management | Establish/Maintain Documentation | |
| Attribute electronic records, as necessary. CC ID 14820 | Records management | Establish/Maintain Documentation | |
| Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Define and assign the system development project team roles and responsibilities. CC ID 01061 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Systems design, build, and implementation | Establish Roles | |
| Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 | Systems design, build, and implementation | Establish Roles | |
| Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 | Systems design, build, and implementation | Establish Roles | |
| Establish, implement, and maintain security design principles. CC ID 14718 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure system modification of systems or system components in the security design principles. CC ID 14746 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include least privilege of systems or system components in the security design principles. CC ID 14742 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain project management standards. CC ID 00992 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Separate the design and development environment from the production environment. CC ID 06088 [{production system} Maintain separate environments for production and non-production systems. CIS Control 16: Safeguard 16.8 Separate Production and Non-Production Systems] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Specify appropriate tools for the system development project. CC ID 06830 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Testing | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain outsourced development procedures. CC ID 01141 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a system design specification. CC ID 04557 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Document the system architecture in the system design specification. CC ID 12287 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include hardware requirements in the system design specification. CC ID 08666 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include communication links in the system design specification. CC ID 08665 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include a description of each module and asset in the system design specification. CC ID 11734 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include supporting software requirements in the system design specification. CC ID 08664 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish and maintain Application Programming Interface documentation. CC ID 12203 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the logical data flows and process steps in the system design specification. CC ID 08668 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include threat models in the system design specification. CC ID 06829 [Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. CIS Control 16: Safeguard 16.14 Conduct Threat Modeling] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include security requirements in the system design specification. CC ID 06826 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain identification card or badge architectural designs. CC ID 06591 | Systems design, build, and implementation | Process or Activity | |
| Define the physical requirements for identification cards or badges in the identification card or badge architectural designs. CC ID 06592 | Systems design, build, and implementation | Process or Activity | |
| Define the mandatory items that must appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06593 | Systems design, build, and implementation | Process or Activity | |
| Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Define the optional items that may appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06594 | Systems design, build, and implementation | Process or Activity | |
| Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include the logical credential data model for identification cards or badges in the identification card or badge architectural designs. CC ID 06595 | Systems design, build, and implementation | Process or Activity | |
| Establish, implement, and maintain a CAPTCHA design specification. CC ID 17092 | Systems design, build, and implementation | Technical Security | |
| Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain coding guidelines. CC ID 08661 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Nest elements appropriately in website content using markup languages. CC ID 15154 | Systems design, build, and implementation | Configuration | |
| Use valid HTML or other markup languages. CC ID 15153 | Systems design, build, and implementation | Configuration | |
| Establish, implement, and maintain human interface guidelines. CC ID 08662 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Ensure users can navigate content. CC ID 15163 | Systems design, build, and implementation | Configuration | |
| Create text content using language that is readable and is understandable. CC ID 15167 | Systems design, build, and implementation | Configuration | |
| Ensure user interface components are operable. CC ID 15162 | Systems design, build, and implementation | Configuration | |
| Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Systems design, build, and implementation | Configuration | |
| Allow users to reverse submissions. CC ID 15168 | Systems design, build, and implementation | Configuration | |
| Provide a mechanism to control audio. CC ID 15158 | Systems design, build, and implementation | Configuration | |
| Allow modification of style properties without loss of content or functionality. CC ID 15156 | Systems design, build, and implementation | Configuration | |
| Programmatically determine the name and role of user interface components. CC ID 15148 | Systems design, build, and implementation | Configuration | |
| Programmatically determine the language of content. CC ID 15137 | Systems design, build, and implementation | Configuration | |
| Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Systems design, build, and implementation | Configuration | |
| Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Systems design, build, and implementation | Configuration | |
| Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Systems design, build, and implementation | Configuration | |
| Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Systems design, build, and implementation | Configuration | |
| Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Systems design, build, and implementation | Process or Activity | |
| Provide captions for live audio content. CC ID 15120 | Systems design, build, and implementation | Configuration | |
| Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Systems design, build, and implementation | Configuration | |
| Provide labels or instructions when content requires user input. CC ID 15077 | Systems design, build, and implementation | Configuration | |
| Allow users to control auto-updating information, as necessary. CC ID 15159 | Systems design, build, and implementation | Configuration | |
| Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Systems design, build, and implementation | Configuration | |
| Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Systems design, build, and implementation | Configuration | |
| Ensure the purpose of links can be determined through the link text. CC ID 15157 | Systems design, build, and implementation | Configuration | |
| Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Systems design, build, and implementation | Configuration | |
| Allow the use of time limits, as necessary. CC ID 15155 | Systems design, build, and implementation | Configuration | |
| Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Refrain from activating a change of context in a user interface component. CC ID 15115 | Systems design, build, and implementation | Configuration | |
| Include functionality for managing user data in human interface guidelines. CC ID 14928 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish and maintain User Interface documentation. CC ID 12204 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include system messages in human interface guidelines. CC ID 08663 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include measurable system performance requirements in the system design specification. CC ID 08667 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the data structure in the system design specification. CC ID 08669 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the input and output variables in the system design specification. CC ID 08670 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include data encryption information in the system design specification. CC ID 12209 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include records disposition information in the system design specification. CC ID 12208 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include how data is managed in each module in the system design specification. CC ID 12207 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include identifying restricted data in the system design specification. CC ID 12206 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Assign appropriate parties to approve the system design specification. CC ID 13070 | Systems design, build, and implementation | Human Resources Management | |
| Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Systems design, build, and implementation | Communicate | |
| Implement security controls when developing systems. CC ID 06270 [{static analysis tool} Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed. CIS Control 16: Safeguard 16.12 Implement Code-Level Security Checks Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. CIS Control 16: Safeguard 16.11 Leverage Vetted Modules or Services for Application Security Components] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 | Systems design, build, and implementation | Technical Security | |
| Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Systems design, build, and implementation | Technical Security | |
| Establish, implement, and maintain session security coding standards. CC ID 04584 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish and maintain a cryptographic architecture document. CC ID 12476 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the algorithms used in the cryptographic architecture document. CC ID 12483 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the protocols used in the cryptographic architecture document. CC ID 12485 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Analyze and minimize attack surfaces when developing systems. CC ID 06828 [{insecure service} Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Implement a hardware security module, as necessary. CC ID 12222 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Install secret information under dual control into the hardware security module. CC ID 12257 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the security architecture. CC ID 06269 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Develop new products based on secure coding techniques. CC ID 11733 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 [Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. CIS Control 16: Safeguard 16.11 Leverage Vetted Modules or Services for Application Security Components {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process {annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Technical Security | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Systems design, build, and implementation | Technical Security | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 | Systems design, build, and implementation | Technical Security | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Systems design, build, and implementation | Technical Security | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Systems design, build, and implementation | Technical Security | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Technical Security | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Technical Security | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Systems design, build, and implementation | Technical Security | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Control user account management through secure coding techniques in source code. CC ID 11909 | Systems design, build, and implementation | Technical Security | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Systems design, build, and implementation | Technical Security | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Systems design, build, and implementation | Technical Security | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Systems design, build, and implementation | Process or Activity | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 [{annual basis} Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process] | Systems design, build, and implementation | Process or Activity | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Systems design, build, and implementation | Process or Activity | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Systems design, build, and implementation | Technical Security | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Systems design, build, and implementation | Process or Activity | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Systems design, build, and implementation | Technical Security | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Configuration | |
| Standardize Application Programming Interfaces. CC ID 12167 | Systems design, build, and implementation | Technical Security | |
| Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security policy model document. CC ID 04560 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain system testing procedures. CC ID 11744 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Assign the review of custom code changes to individuals other than the code author. CC ID 06291 | Systems design, build, and implementation | Establish Roles | |
| Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain system acceptance criteria. CC ID 06210 [{annual basis} Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. CIS Control 16: Safeguard 16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include security requirements in system acquisition contracts. CC ID 01124 [{be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include operational requirements in system acquisition contracts. CC ID 00825 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include required service levels in system acquisition contracts. CC ID 11652 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include security controls in system acquisition contracts. CC ID 01125 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Obtain system documentation before acquiring products and services. CC ID 01445 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Acquisition or sale of facilities, technology, and services | Communicate | |
| Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include security functions in the user documentation. CC ID 14313 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include a description of user interactions in the user documentation. CC ID 14311 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [{monthly basis} Establish and manage an updated inventory of third-party components used in development, often referred to as a "bill of materials," as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. CIS Control 16: Safeguard 16.4 Establish and Manage an Inventory of Third-Party Software Components {monthly basis} Establish and manage an updated inventory of third-party components used in development, often referred to as a "bill of materials," as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. CIS Control 16: Safeguard 16.4 Establish and Manage an Inventory of Third-Party Software Components {be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components {be up to date} Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Install software that originates from approved third parties. CC ID 12184 | Acquisition or sale of facilities, technology, and services | Technical Security | |
| Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data handling program. CC ID 13427 [Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. CIS Control 3: Data Protection {annual basis} Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 3: Safeguard 3.1 Establish and Maintain a Data Management Process] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
| Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Technical Security | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
| Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Privacy protection for information and data | Data and Information Management | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Data and Information Management | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Data and Information Management | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Data and Information Management | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Data and Information Management | |
| Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Business Processes | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{annual basis} Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. CIS Control 15: Safeguard 15.4 Ensure Service Provider Contracts Include Security Requirements] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{annual basis} Assign key roles and responsibilities for incident response, including staff from incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish and maintain a Third Party Service Provider list. CC ID 12480 [{annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.3 Classify Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include subcontractors in the Third Party Service Provider list. CC ID 14425 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Communicate | |
| Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 [{annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include all contract dates in the Third Party Service Provider list. CC ID 14421 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Categorize all suppliers in the supply chain management program. CC ID 00792 [{annual basis} Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.1 Establish and Maintain an Inventory of Service Providers {annual basis} Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.3 Classify Service Providers {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain a supply chain management policy. CC ID 08808 [{annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy {annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 | Third Party and supply chain oversight | Business Processes | |
| Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Human Resources Management | |
| Include supplier assessment principles in the supply chain management policy. CC ID 08809 [{annual basis} Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. CIS Control 15: Safeguard 15.2: Establish and Maintain a Service Provider Management Policy] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a clear management process in the supply chain management policy. CC ID 08810 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party due diligence standards in the supply chain management policy. CC ID 08812 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Communicate | |
| Require suppliers to commit to the supply chain management policy. CC ID 08813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Business Processes | |
| Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Business Processes | |
| Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Business Processes | |
| Use third parties that are compliant with the applicable requirements. CC ID 08818 | Third Party and supply chain oversight | Business Processes | |
| Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Data and Information Management | |
| Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Business Processes | |
| Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Business Processes | |
| Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers {annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Third Party and supply chain oversight | Business Processes | |
| Provide management support for third party due diligence. CC ID 08847 | Third Party and supply chain oversight | Business Processes | |
| Commit to the supply chain due diligence process. CC ID 08849 | Third Party and supply chain oversight | Business Processes | |
| Structure the organization to support supply chain due diligence. CC ID 08850 | Third Party and supply chain oversight | Business Processes | |
| Schedule supply chain audits, as necessary. CC ID 10015 | Third Party and supply chain oversight | Audits and Risk Management | |
| Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851 | Third Party and supply chain oversight | Business Processes | |
| Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 | Third Party and supply chain oversight | Business Processes | |
| Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 | Third Party and supply chain oversight | Business Processes | |
| Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 | Third Party and supply chain oversight | Business Processes | |
| Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 | Third Party and supply chain oversight | Business Processes | |
| Develop and implement supply chain due diligence capability training program. CC ID 08862 | Third Party and supply chain oversight | Business Processes | |
| Determine if additional supply chain due diligence processes are required. CC ID 08863 | Third Party and supply chain oversight | Business Processes | |
| Review transaction files for compliance with the supply chain audit standard. CC ID 08864 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870 | Third Party and supply chain oversight | Business Processes | |
| Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 | Third Party and supply chain oversight | Business Processes | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 [{annual basis} Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. CIS Control 15: Safeguard 15.5 Assess Service Providers] | Third Party and supply chain oversight | Business Processes | |
| Identify all service providers in the supply chain. CC ID 12213 | Third Party and supply chain oversight | Business Processes | |
| Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Third Party and supply chain oversight | Business Processes | |
| Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 | Third Party and supply chain oversight | Business Processes | |
| Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 | Third Party and supply chain oversight | Business Processes | |
| Determine if suppliers can meet the organization's production requirements. CC ID 11559 | Third Party and supply chain oversight | Business Processes | |
| Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 | Third Party and supply chain oversight | Business Processes | |
| Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 | Third Party and supply chain oversight | Business Processes | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Communicate | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Business Processes | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 | Third Party and supply chain oversight | Business Processes | |
| Determine third party compliance with third party contracts. CC ID 08866 | Third Party and supply chain oversight | Business Processes | |
| Quarantine non-compliant material. CC ID 08867 | Third Party and supply chain oversight | Business Processes | |
| Refrain from quarantining conflict-free materials. CC ID 08868 | Third Party and supply chain oversight | Business Processes | |
| Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 | Third Party and supply chain oversight | Business Processes | |
| Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856 | Third Party and supply chain oversight | Business Processes | |
| Review the supply chain's service delivery on a regular basis. CC ID 12010 | Third Party and supply chain oversight | Business Processes | |