Establishing

Essential
Cyber Hygiene

April 2022

Establishing Essential Cyber Hygiene  1

Acknowledgments

The Center for Internet Security® (CIS®) would like to thank the many security experts who This work is licensed under a
Creative Commons Attribution-
volunteer their time and talent to support the CIS Critical Security Controls® (CIS Controls®) Non Commercial-No Derivatives
and other CIS work. CIS products represent the effort of a veritable army of volunteers from 4.0 International Public License
(the link can be found at https://
across the industry, generously giving their time and talent in the name of a more secure creativecommons.org/licenses/
online experience for everyone. by-nc-nd/4.0/legalcode).
To further clarify the Creative
Commons license related to the
EDITORS CIS Critical Security Controls®
Valecia Stocchetti, CIS (CIS Controls®) content, you are
authorized to copy and redistribute
Robin Regnier, CIS the content as a framework for use
by you, within your organization and
outside of your organization, for non-
CONTRIBUTORS commercial purposes only, provided
Emily Sochia, CIS that (i) appropriate credit is given to
CIS, and (ii) a link to the license is
Josh Franklin, CIS provided. Additionally, if you remix,
Tyler Scarlotta, CIS transform, or build upon the CIS
Controls, you may not distribute the
modified materials. Users of the CIS
Controls framework are also required
to refer to (http://www.cisecurity.org/
controls/) when referring to the CIS
Controls in order to ensure that users
are employing the most up-to-date
guidance. Commercial use of the
CIS Controls is subject to the prior
approval of the Center for Internet
Security, Inc.(CIS®).

Establishing Essential Cyber Hygiene

 Introduction 1
Contents How to Get Started 2
IG1 Safeguards: CIS Controls v8 3

CIS Control 01 Inventory and Control of Enterprise Assets 4

CIS Control 02 Inventory and Control of Software Assets 5
CIS Control 03 Data Protection 6
CIS Control 04 Secure Configuration of Enterprise Assets and Software 7
CIS Control 05 Account Management 9
CIS Control 06 Access Control Management 10
CIS Control 07 Continuous Vulnerability Management 11
CIS Control 08 Audit Log Management 12
CIS Control 09 Email and Web Browser Protections 13
CIS Control 10 Malware Defenses 14
CIS Control 11 Data Recovery 15
CIS Control 12 Network Infrastructure Management 16
CIS Control 14 Security Awareness and Skills Training 17
CIS Control 15 Service Provider Management 19
CIS Control 17 Incident Response Management 20

Conclusion 21
Appendix A: Policy Templates 22
Appendix B: Links and Resources 24
Appendix C: Acronyms and Abbreviations 25

Establishing Essential Cyber Hygiene

Introduction

In general, many cyber-attacks can be attributed to a lack of good cyber hygiene. Simple
enough, but there is an important idea in here. Study after study, and test after test gives us
the same depressing result. Almost all successful attacks take advantage of conditions that
could reasonably be described as “poor hygiene” including:
• Failure to patch known vulnerabilities
• Poor configuration management
• Inefficient management of administrative privileges

At CIS, we attribute these failures primarily to the complexity of modern systems management,
as well as a noisy and confusing environment of technology, marketplace claims, and
oversight/regulation (“The Fog of More”). Defenders are overwhelmed. Therefore, any large-
scale security improvement program needs a way to bring focus and attention to the most
effective and fundamental things that need to be done.

We do this at CIS by moving “cyber hygiene” from a notion or tagline into a campaign
of specific actions, supported by a complementary market ecosystem of content, tools,
training, and services. Recently, we codified our definition of “essential cyber hygiene” as
consisting of the Safeguards found in Implementation Group 1 (IG1) of the CIS Critical Security
Controls (CIS Controls). By defining IG1, we can then specify tools that can be put in place to
implement the actions, measurements to track progress or maturity, and reporting that can
be used to manage an enterprise improvement program. In today’s environment of shared
technology, linked by complex business relationships and hidden dependencies, this approach
provides a specific way to negotiate “trust” and an “expectation” of security. (Are you a safe
partner to bring into my supply chain? Can I count on this merchant to safely hold my financial
information?) This approach is better than paper surveys or inconsistent interpretation of
abstract security requirements.

IG1 is not just another list of good things to do; it is an essential set of steps that helps all
enterprises deal with the most common types of attacks we see in real life. Our recent release
of the CIS Community Defense Model v2.0 provides the technical underpinning for that
declaration.

The Center for Internet Security and its divisions, the Multi-State Information Sharing and
Analysis Center® (MS-ISAC®) and Elections Infrastructure Information Sharing and Analysis
Center® (EI-ISAC®), are offering this guide as a resource to assist with the implementation of
essential cyber hygiene, in alignment with the Nationwide Cybersecurity Review (NCSR) and
National Institute of Standards and Technology® Cybersecurity Framework (NIST® CSF), by
providing the tools, resources, and templates that are needed.

Establishing Essential Cyber Hygiene Introduction 1

How to Get Started

When tasked to implement a cybersecurity program, many enterprises ask “How do we get
started?” In response, the Controls Community sorted the Safeguards in the CIS Controls
into three Implementation Groups (IGs) based on their difficulty and cost to implement. IG1
is the group that is least costly and difficult to implement and are the Safeguards we assert
that every enterprise should deploy. Applying all of the Safeguards listed in IG1 will help
thwart general, non-targeted attacks and strengthen an enterprise’s security program. IG1 is
the definition of essential cyber hygiene and represents a minimum standard of information
security for all enterprises. We acknowledge that a listing of activities will not be the silver
bullet for all security threats, but aim to provide activities for defending against common
threats. For enterprises that face more sophisticated attacks or that must protect more critical
data or systems, IG1 Safeguards provide the foundation for the other two Implementation
Groups (IG2 and IG3).

Enterprises should first review this guide, which will provide an overview of each Safeguard
in IG1 as well as why they are important to implement. Resources, tools, and policy templates
that can be used to help facilitate implementation of these Safeguards are provided after the
applicable Safeguard information, as well as in Appendices A and B of this guide. Enterprises
can learn more about how they can gain access to multiple cybersecurity tools and resources,
at no cost, through a CIS SecureSuite® Membership and MS- and EI-ISAC membership.

Establishing Essential Cyber Hygiene How to Get Started 2

IG1 Safeguards: CIS Controls v8

The CIS Controls are a prioritized set of defensive actions aimed to protect enterprises from
the most common attacks. They are developed by a community of information technology
(IT) experts who apply their first-hand experience as cyber defenders to create these globally
accepted security best practices. Each CIS Control includes smaller actions, known as CIS
Safeguards, which focus on measurable actions so you can more easily track your progress
in applying effective protection against common attacks. There are 153 Safeguards in CIS
Controls v8.

As previously mentioned, in an effort to simplify and prioritize the process of effectively

implementing the CIS Controls, CIS created three IGs—IG1, IG2, and IG3, as shown below. IGs
are based on the risk profile and resources an enterprise has available to them to implement
the CIS Controls. Each IG identifies a set of Safeguards that they need to implement. IG1,
“essential cyber hygiene,” provides effective security value with technology and processes
that are generally already available while providing a basis for more tailored and sophisticated
action, if warranted. Building upon IG1 is an additional set of Safeguards (IG2) for enterprises
with more resources and expertise, but also greater risk exposure. Finally, the rest of the
Safeguards make up IG3, for enterprises with the greatest risk exposure.

ESSENTIAL CYBER HYGIENE

The number of Safeguards an enterprise is expected to implement increases
based on which group the enterprise falls into. 153
TOTAL SAFEGUARDS
IG1

IG2 IG3
IG3
IG3 assists enterprises with IT security experts to secure sensitive and
confidential data. IG3 aims to prevent and/or lessen the impact of
sophisticated attacks.
23
SAFEGUARDS

IG2
IG2 assists enterprises managing IT infrastructure of multiple
departments with differing risk profiles. IG2 aims to help enterprises cope
with increased operational complexity.
74
SAFEGUARDS

IG1
IG1 is the definition of essential cyber hygiene and represents a minimum
standard of information security for all enterprises. IG1 assists enterprises
with limited cybersecurity expertise thwart general, non-targeted attacks.
56
SAFEGUARDS

Establishing Essential Cyber Hygiene IG1 Safeguards: CIS Controls v8 3

CIS CONTROL
01 Inventory and Control of
Enterprise Assets
Overview Actively manage (inventory, track, and correct) all enterprise assets (end-user devices,
including portable and mobile; network devices; non-computing/Internet of Things (IoT)
devices; and servers) connected to the infrastructure physically, virtually, remotely, and
those within cloud environments, to accurately know the totality of assets that need
to be monitored and protected within the enterprise. This will also support identifying
unauthorized and unmanaged assets to remove or remediate.

Why It Matters? Enterprises cannot defend what they do not know they have. Managed control of all enterprise
assets also plays a critical role in security monitoring, incident response, system backup, and
recovery. Enterprises should know what data is critical to them (CIS Control 3), and proper
asset management will help identify those enterprise assets that hold or manage this critical
data, so that appropriate security controls can be applied.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

1.1 Identify Establish and Maintain Detailed Enterprise Asset Inventory

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or
process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices,
and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset
owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-
user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the
infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly
connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the
inventory of all enterprise assets bi-annually, or more frequently.
1.2 Respond Address Unauthorized Assets
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset
from the network, deny the asset from connecting remotely to the network, or quarantine the asset.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

CIS Asset Tracking Spreadsheet Spreadsheet to help with asset and data inventory 1.1, 1.2
Nmap® Network Scanning Tool used for reconnaissance and fingerprinting 1.1, 1.2
Zenmap Nmap with a Graphical User Interface (GUI) 1.1, 1.2
Spiceworks® IT inventory and asset management platform 1.1, 1.2
Open-AudIT® Network device discovery and inventory auditing tool 1.1, 1.2
Microsoft® Configuration Manager Windows® application within Microsoft® Endpoint Management used for configuration 1.1, 1.2
management
NIST SP 1800-5 IT Asset Management 1.1, 1.2

Establishing Essential Cyber Hygiene CIS Control 01: Inventory and Control of Enterprise Assets 4
CIS CONTROL
02 Inventory and Control of
Software Assets
Overview Actively manage (inventory, track, and correct) all software (operating systems and
applications) on the network so that only authorized software is installed and can execute,
and that unauthorized and unmanaged software is found and prevented from installation
or execution.

Why It Matters? A complete software inventory is a critical foundation for preventing attacks. Attackers
continuously scan target enterprises looking for vulnerable versions of software that can
be remotely exploited. For example, if a user opens a malicious website or attachment with
a vulnerable browser, an attacker can often install backdoor programs and bots that give
the attacker long-term control of the system. Attackers can also use this access to move
laterally through the network. One of the key defenses against these attacks is updating and
patching software (CIS Control 7). However, without a complete inventory of software assets,
an enterprise cannot determine if they have vulnerable software, or if there are potential
licensing violations.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

2.1 Identify Establish and Maintain a Software Inventory

Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must
document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform
Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the
software inventory bi-annually, or more frequently.
2.2 Identify Ensure Authorized Software is Currently Supported
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If
software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating
controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as
unauthorized. Review the software list to verify software support at least monthly, or more frequently.
2.3 Respond Address Unauthorized Software
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review
monthly, or more frequently.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

CIS Asset Tracking Spreadsheet Spreadsheet to help with asset and data inventory 2.1, 2.2, 2.3
Nmap® Network Scanning Tool used for reconnaissance and fingerprinting 2.1, 2.2, 2.3
Zenmap Nmap with a Graphical User Interface (GUI) 2.1, 2.2, 2.3
Spiceworks® IT inventory and asset management platform 2.1, 2.2, 2.3
Open-AudIT® Network device discovery and inventory auditing tool 2.1, 2.2, 2.3
Microsoft® Configuration Manager Windows® application within Microsoft® Endpoint Management used for configuration 2.1, 2.2, 2.3
management
NIST SP 1800-5 IT Asset Management 2.1, 2.2, 2.3
Supported Versions of Windows® List of currently supported versions of Windows® 10 and 11 2.2
Endoflife.date Community-maintained list of end-of-life software 2.2
Uninstall or Remove Apps and Programs in Step-by-step on how to remove a program or application on Windows® 10 2.2
Windows® 10
How to Uninstall Apps on your Mac Step-by-step on how to remove a program or application on macOS 2.2

Establishing Essential Cyber Hygiene CIS Control 02: Inventory and Control of Software Assets 5
CIS CONTROL
03 Data
Protection
Overview Develop processes and technical controls to identify, classify, securely handle, retain, and
dispose of data.

Why It Matters? Data is no longer only contained within an enterprise’s border; it is in the cloud, on portable
end-user devices where users work from home, and is often shared with partners or online
services that might have it anywhere in the world. In addition to sensitive data an enterprise
holds related to finances, intellectual property, and customer data, there also might be
numerous international regulations for protection of personal data. Data privacy has become
increasingly important, and enterprises are learning that privacy is about the appropriate use
and management of data, not just encryption. Data must be appropriately managed through
its entire life cycle. These privacy rules can be complicated for multi-national enterprises of
any size; however, there are fundamentals that can apply to all.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

3.1 Identify Establish and Maintain a Data Management Process

Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data
retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
3.2 Identify Establish and Maintain a Data Inventory
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a
minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.
3.3 Protect Configure Data Access Control Lists
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access
permissions, to local and remote file systems, databases, and applications.
3.4 Protect Enforce Data Retention
Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum
timelines.
3.5 Protect Securely Dispose of Data
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are
commensurate with the data sensitivity.
3.6 Protect Encrypt Data on End-User Devices
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple
FileVault®, Linux® dm-crypt.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

CIS Asset Tracking Spreadsheet Spreadsheet to help with asset and data inventory 3.1, 3.2
Active Directory Microsoft Windows® directory service for account management and access control 3.3, 3.4
Local Group Policy Editor Microsoft Management Console (MMC) snap-in used to configure or modify Group Policy settings 3.3, 3.4
with Group Policy Objects (GPOs)
OpenLDAP Open source implementation of the Lightweight Directory Access Protocol (LDAP) 3.3
Deploy Implementing Retention of How to set retention periods in Active Directory through Dynamic Access Control 3.4
Information on File Servers (Windows®)
Disk Wipe Portable Windows® application to permanently delete data volumes 3.5
NIST SP 800-88 Rev. 1 Guides for Media Sanitization 3.5
VeraCrypt On-the-fly encryption 3.6
Apple FileVault Disk encryption for macOS 3.6
BitLocker Built-in Windows® 10 utility used for full volume encryption 3.6

Establishing Essential Cyber Hygiene CIS Control 03: Data Protection 6

CIS CONTROL
04 Secure Configuration of
Enterprise Assets and Software
Overview Establish and maintain the secure configuration of enterprise assets (end-user devices,
including portable and mobile; network devices; non-computing/IoT devices; and servers)
and software (operating systems and applications).

Why It Matters? As delivered from manufacturers and resellers, the default configurations for enterprise
assets and software are normally geared towards ease-of-deployment and ease-of-use,
rather than security. Basic controls, open services and ports, default accounts or passwords,
pre-configured Domain Name System (DNS) settings, older (vulnerable) protocols, and pre-
installation of unnecessary software can all be exploitable if left in their default state. Further,
these security configuration updates need to be managed and maintained over the life cycle
of enterprise assets and software. Configuration updates need to be tracked and approved
through configuration management workflow process to maintain a record that can be
reviewed for compliance, leveraged for incident response, and to support audits. This CIS
Control is important to on-premises devices, as well as remote devices, network devices, and
cloud environments.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

4.1 Protect Establish and Maintain a Secure Configuration Process

Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile,
non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
4.2 Protect Establish and Maintain a Secure Configuration Process for Network Infrastructure
Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
4.3 Protect Configure Automatic Session Locking on Enterprise Assets
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating
systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
4.4 Protect Implement and Manage a Firewall on Servers
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating
system firewall, or a third-party firewall agent.
4.5 Protect Implement and Manage a Firewall on End-User Devices
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all
traffic except those services and ports that are explicitly allowed.
4.6 Protect Securely Manage Enterprise Assets and Software
Securely manage enterprise assets and software. Example implementations include managing configuration through version-
controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell
(SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype
Network) and HTTP, unless operationally essential.
4.7 Protect Manage Default Accounts on Enterprise Assets and Software
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor
accounts. Example implementations can include: disabling default accounts or making them unusable.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

CIS Benchmarks™ Secure configuration guidelines for 100+ technologies, including operating systems, applications, 4.1, 4.2, 4.3, 4.4, 4.5, 4.7
and network devices
CIS SecureSuite® Membership No-cost membership to SLTTs, with access to CIS-CAT Pro Assessor, CIS Build Kits, CIS 4.1, 4.2, 4.3, 4.4, 4.5, 4.7
Benchmarks, and more
CIS-CAT® Pro Tool to scan for proper CIS Benchmark configurations for applications, operating systems, and 4.1, 4.2, 4.3, 4.4, 4.5, 4.7
network devices
CIS Build Kits ZIP files that contain a GPO for each profile within the corresponding CIS Benchmark 4.1, 4.2, 4.3, 4.4, 4.5, 4.7

Establishing Essential Cyber Hygiene CIS Control 04: Secure Configuration of Enterprise Assets and Software 7
NAME DESCRIPTION CIS SAFEGUARD(S)

Active Directory Microsoft Windows® directory service for account management and access control 4.1, 4.2, 4.3, 4.4, 4.5, 4.7
Local Group Policy Editor Microsoft Management Console (MMC) snap-in used to configure or modify Group Policy settings 4.1, 4.2, 4.3, 4.4, 4.5, 4.7
with Group Policy Objects (GPOs)
OpenSCAP Ecosystem providing many tools to assist with assessment, measurement, and enforcement of 4.1, 4.2, 4.3, 4.4, 4.5, 4.7
baselines
OpenVAS Framework for vulnerability scanning and management 4.1, 4.2, 4.3, 4.4, 4.5, 4.7
DISA STIGs A set of configuration guides developed and maintained by the U.S. Department of Defense (DoD) 4.1, 4.2, 4.3, 4.4, 4.5, 4.7
RANCID Monitors the configuration of network devices 4.2
OpenNAC Network access control (NAC) solution 4.2
Zabbix Monitoring tool for IT infrastructure 4.2

Establishing Essential Cyber Hygiene CIS Control 04: Secure Configuration of Enterprise Assets and Software 8
CIS CONTROL
05 Account
Management
Overview Use processes and tools to assign and manage authorization to credentials for user
accounts, including administrator accounts, as well as service accounts, to enterprise
assets and software.

Why It Matters? It is easier for an external or internal threat actor to gain unauthorized access to enterprise
assets or data through using valid user credentials than through “hacking” the environment.
There are many ways to covertly obtain access to user accounts, including: weak passwords,
accounts still valid after a user leaves the enterprise, dormant or lingering test accounts,
shared accounts that have not been changed in months or years, service accounts embedded
in applications for scripts, a user having the same password as one they use for an online
account that has been compromised (in a public password dump), using social engineering
techniques to obtain a password, or using malware to capture passwords or tokens in memory
or over the network. Defenders need to ensure that controls are in place to protect enterprise
accounts, especially those with higher privileges.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

5.1 Identify Establish and Maintain an Inventory of Accounts

Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and
administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
5.2 Protect Use Unique Passwords
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password
for accounts using MFA and a 14-character password for accounts not using MFA.
5.3 Respond Disable Dormant Accounts
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
5.4 Protect Restrict Administrator Privileges to Dedicated Administrator Accounts
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities,
such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

OpenLDAP Open source implementation of the Lightweight Directory Access Protocol (LDAP) 5.1
Active Directory Microsoft Windows® directory service for account management and access control 5.1, 5.3, 5.4
Local Group Policy Editor Microsoft Management Console (MMC) snap-in used to configure or modify Group Policy settings 5.1, 5.3, 5.4
with Group Policy Objects (GPOs)
CIS Password Policy Guide CIS Guidance for secure usage of passwords in an enterprise 5.2
KeePass Password manager 5.2
Password Safe® Simple and secure password management 5.2
Have I Been Pwnd Public password data dumps 5.2
Specops Password Auditor Active Directory password audit tool 5.2
NIST SP 800-63 Suite of documents including NIST SP 800-63-3, NIST SP800-63A, NIST 800-63B, and 5.2, 5.4
NIST 800-63C
CIS Benchmarks™ Secure configuration guidelines for 100+ technologies, including operating systems, applications, 5.4
and network devices
CIS SecureSuite® Membership No-cost membership to SLTTs, with access to CIS-CAT Pro Assessor, CIS Build Kits, CIS 5.4
Benchmarks, and more
CIS-CAT® Pro Tool to scan for proper CIS Benchmark configurations for applications, operating systems, and 5.4
network devices
CIS Build Kits ZIP files that contain a GPO for each profile within the corresponding CIS Benchmark 5.4

Establishing Essential Cyber Hygiene CIS Control 05: Account Management 9

CIS CONTROL
06 Access Control
Management
Overview Use processes and tools to create, assign, manage, and revoke access credentials and
privileges for user, administrator, and service accounts for enterprise assets and software.

Why It Matters? Where CIS Control 5 deals specifically with account management, CIS Control 6 focuses on
managing what access these accounts have, ensuring users only have access to the data or
enterprise assets appropriate for their role, and ensuring that there is strong authentication
for critical or sensitive enterprise data or functions. Attackers will compromise any account
that will grant them access to a network, especially administrator accounts that have
elevated privileges. Accounts should only have the minimal authorization needed for the
role. Developing consistent access rights for each role and assigning roles to users is a best
practice. Developing a program for complete provision and de-provisioning access is also
important. Centralizing this function is ideal.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

6.1 Protect Establish an Access Granting Process

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role
change of a user.
6.2 Protect Establish an Access Revoking Process
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts
immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may
be necessary to preserve audit trails.
6.3 Protect Require MFA for Externally-Exposed Applications
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a
directory service or SSO provider is a satisfactory implementation of this Safeguard.
6.4 Protect Require MFA for Remote Network Access
Require MFA for remote network access.
6.5 Protect Require MFA for Administrative Access
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or
through a third-party provider.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

Active Directory Microsoft Windows® directory service for account management and access control 6.1, 6.2
Local Group Policy Editor Microsoft Management Console (MMC) snap-in used to configure or modify Group Policy settings 6.1, 6.2
with Group Policy Objects (GPOs)
NIST SP 800-63 Suite of documents including NIST SP 800-63-3, NIST SP800-63A, NIST 800-63B, and 6.1, 6.2, 6.3, 6.4, 6.5
NIST 800-63C
Google Authenticator 2-step verification codes on your phone 6.3, 6.4, 6.5
Microsoft Authenticator Multi-factor authentication application used for Microsoft® products 6.3, 6.4, 6.5
GCA Cybersecurity Toolkit for Small Links to popular platforms providing instructions on how to turn on multi-factor 6.3, 6.4, 6.5
Business: Set Up 2FA on Your Accounts authentication (MFA)
Two-Factor Authentication for Apple ID How to set up two-factor authentication for your Apple ID 6.3, 6.4, 6.5

Establishing Essential Cyber Hygiene CIS Control 06: Access Control Management 10
CIS CONTROL
07 Continuous Vulnerability
Management
Overview Develop a plan to continuously assess and track vulnerabilities on all enterprise assets
within the enterprise’s infrastructure, in order to remediate, and minimize, the window of
opportunity for attackers. Monitor public and private industry sources for new threat and
vulnerability information.

Why It Matters? Thousands of vulnerabilities are published each year, with several more that are unknown.
Cyber defenders are constantly being challenged from attackers who are looking for
vulnerabilities within their infrastructure to exploit and gain access. Defenders must have
timely threat information available to them about: software updates, patches, security
advisories, threat bulletins, etc., and they should regularly review their environment to identify
these vulnerabilities before the attackers do. Understanding and managing vulnerabilities is a
continuous activity, requiring focus of time, attention, and resources.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

7.1 Protect Establish and Maintain a Vulnerability Management Process

Establish and maintain a documented vulnerability management process for enterprise assets. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
7.2 Respond Establish and Maintain a Remediation Process
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent,
reviews.
7.3 Protect Perform Automated Operating System Patch Management
Perform operating system updates on enterprise assets through automated patch management on a monthly, or more
frequent, basis.
7.4 Protect Perform Automated Application Patch Management
Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

CIS Benchmarks™ Secure configuration guidelines for 100+ technologies, including operating systems, applications, and 7.1, 7.2, 7.3, 7.4
network devices
CIS SecureSuite® Membership No-cost membership to SLTTs, with access to CIS-CAT Pro Assessor, CIS Build Kits, CIS Benchmarks, and more 7.1, 7.2, 7.3, 7.4
CIS-CAT® Pro Tool to scan for proper CIS Benchmark configurations for applications, operating systems, and network devices 7.1, 7.2, 7.3, 7.4
CIS Build Kits ZIP files that contain a GPO for each profile within the corresponding CIS Benchmark 7.1, 7.2, 7.3, 7.4
Active Directory Microsoft Windows® directory service for account management and access control 7.1, 7.2, 7.3, 7.4
Local Group Policy Editor Microsoft Management Console (MMC) snap-in used to configure or modify Group Policy settings with Group 7.1, 7.2, 7.3, 7.4
Policy Objects (GPOs)
OpenSCAP Ecosystem providing many tools to assist with assessment, measurement, and enforcement of baselines 7.1, 7.2, 7.3, 7.4
OpenVAS Framework for vulnerability scanning and management 7.1, 7.2, 7.3, 7.4
DISA STIGs A set of configuration guides developed and maintained by the U.S. Department of Defense (DoD) 7.1, 7.2, 7.3, 7.4
Apple® Auto-update—iOS Automatic updates for Apple® iOS devices 7.1, 7.2, 7.3, 7.4
Apple® Auto-update—macOS Automatic updates for Apple® macOS devices 7.1, 7.2, 7.3, 7.4
Auto-update Windows® Automatic updates for Windows® devices 7.1, 7.2, 7.3, 7.4
Auto-update Microsoft® Office on macOS Automatic updates for Microsoft® Office on macOS 7.1, 7.2, 7.3, 7.4
Auto-update Android™ Automatic updates for Android devices 7.1, 7.2, 7.3, 7.4
U.S. National Vulnerability Database (NVD) Repository of standards based on vulnerability management data 7.1, 7.2, 7.3, 7.4
Nmap® Scripting Engine (NSE) Tool used for vulnerability scanning (including identified Common Vulnerabilities and Exposures (CVEs)) 7.1, 7.2, 7.3, 7.4
Lynis Security audit tool used for system hardening 7.1, 7.2, 7.3, 7.4
NIST SP 800-40 Rev. 4 Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology 7.1, 7.2, 7.3, 7.4

Establishing Essential Cyber Hygiene CIS Control 07: Continuous Vulnerability Management 11
CIS CONTROL
08 Audit Log
Management
Overview Collect, alert, review, and retain audit logs of events that could help detect, understand, or
recover from an attack.

Why It Matters? Log collection and analysis is important for an enterprise’s ability to detect malicious activity
quickly. Sometimes audit records are the only evidence of a successful attack. Attackers
know that many enterprises keep audit logs for compliance purposes, but rarely analyze
them. They know there’s very little risk of being exposed through the audit logs if the logs
are never analyzed. As a result, attackers use this knowledge to hide their location, malicious
software, and activities on victim machines. Due to poor or nonexistent log analysis processes,
attackers sometimes control victim machines for months or years without anyone in the target
enterprise knowing. Logging records are critical for incident response. After an attack has
been detected, log analysis can help enterprises understand the extent of an attack.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

8.1 Protect Establish and Maintain an Audit Log Management Process

Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum,
address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.
8.2 Detect Collect Audit Logs
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across
enterprise assets.
8.3 Protect Ensure Adequate Audit Log Storage
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

CIS Benchmarks™ Secure configuration guidelines for 100+ technologies, including operating systems, applications, 8.1, 8.2, 8.3
and network devices
CIS SecureSuite® Membership No-cost membership to SLTTs, with access to CIS-CAT Pro Assessor, CIS Build Kits, CIS 8.1, 8.2, 8.3
Benchmarks, and more
CIS-CAT® Pro Tool to scan for proper CIS Benchmark configurations for applications, operating systems, and 8.1, 8.2, 8.3
network devices
CIS Build Kits ZIP files that contain a GPO for each profile within the corresponding CIS Benchmark 8.1, 8.2, 8.3
Active Directory Microsoft Windows® directory service for account management and access control 8.1, 8.2, 8.3
Local Group Policy Editor Microsoft Management Console (MMC) snap-in used to configure or modify Group Policy settings 8.1, 8.2, 8.3
with Group Policy Objects (GPOs)
OpenSCAP Ecosystem providing many tools to assist with assessment, measurement, and enforcement of 8.1, 8.2, 8.3
baselines
OpenVAS Framework for vulnerability scanning and management 8.1, 8.2, 8.3
DISA STIGs A set of configuration guides developed and maintained by the U.S. Department of Defense (DoD) 8.1, 8.2, 8.3
ELK Stack™ Acronym for three open source projects (Elasticsearch®, Logstash®, Kibana®) used for log 8.1, 8.2, 8.3
aggregation
Syslog-ng® Log management solution for Unix and Unix-like systems 8.1, 8.2, 8.3
AlienVault® OSSIM Open-source security information and event management (SIEM) system 8.1, 8.2, 8.3

Establishing Essential Cyber Hygiene CIS Control 08: Audit Log Management 12
CIS CONTROL
09 Email and Web Browser
Protections
Overview Improve protections and detections of threats from email and web vectors, as these are
opportunities for attackers to manipulate human behavior through direct engagement.

Why It Matters? Web browsers and email clients are very common points of entry for attackers because of
their direct interaction with users inside an enterprise. Content can be crafted to entice or
spoof users into disclosing credentials, providing sensitive data, or providing an open channel
to allow attackers to gain access, thus increasing risk to the enterprise. Since email and web
are the main means that users interact with external and untrusted users and environments,
these are prime targets for both malicious code and social engineering. Additionally, as
enterprises move to web-based email, or mobile email access, users no longer use traditional
full-featured email clients, which provide embedded security controls like connection
encryption, strong authentication, and phishing reporting buttons. Defenders must ensure
that browsers and email clients are kept up to date and that other activities, such as using
DNS filtering services, are implemented to reduce the risk of a system communicating with a
malicious domain.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

9.1 Protect Ensure Use of Only Fully Supported Browsers and Email Clients
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of
browsers and email clients provided through the vendor.
9.2 Protect Use DNS Filtering Services
Use DNS filtering services on all enterprise assets to block access to known malicious domains.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

U.S. National Vulnerability Database (NVD) Repository of standards based on vulnerability management data 9.1
Nmap® Scripting Engine (NSE) Tool used for vulnerability scanning (including identified Common Vulnerabilities and 9.1
Exposures (CVEs))
Lynis Security audit tool used for system hardening 9.1
NIST SP 800-40 Rev. 4 Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology 9.1
Comodo Dragon Virtualized browser 9.1
NIST SP 800-177 Rev. 1 Trustworthy Email 9.1, 9.2
MS-ISAC® and EI-ISAC® Service: Malicious MS- and EI-ISAC DNS filtering service that prevents IT systems from connecting to harmful 9.2
Domain Blocking and Reporting (MDBR) web domains
Quad9® Domain Name System (DNS) filtering service 9.2
OpenDNS® Domain Name System (DNS) filtering service 9.2

Establishing Essential Cyber Hygiene CIS Control 09: Email and Web Browser Protections 13
CIS CONTROL
10 Malware
Defenses
Overview Prevent or control the installation, spread, and execution of malicious applications, code,
or scripts on enterprise assets.

Why It Matters? Malicious software (sometimes categorized as viruses or Trojans) is an integral and dangerous
aspect of internet threats. They can have many purposes, from capturing credentials, stealing
data, identifying other targets within the network, and encrypting or destroying data. Malware
is ever-evolving and adaptive, as modern variants leverage machine learning techniques.
Malware defenses must be able to operate in this dynamic environment through automation,
timely and rapid updating, and integration with other processes like vulnerability management
and incident response. They must be deployed at all possible entry points and enterprise
assets to detect, prevent spread, or control the execution of malicious software or code.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

10.1 Protect Deploy and Maintain Anti-Malware Software

Deploy and maintain anti-malware software on all enterprise assets.
10.2 Protect Configure Automatic Anti-Malware Signature Updates
Configure automatic updates for anti-malware signature files on all enterprise assets.
10.3 Protect Disable Autorun and Autoplay for Removable Media
Disable autorun and autoplay auto-execute functionality for removable media.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

MS-ISAC® and EI-ISAC® Service: Malicious No-cost web-based sandbox to submit suspicious files to in a controlled and non-public fashion 10.1
Code Analysis Platform (MCAP)
European Institute for Computer Antivirus File used to test anti-malware appliances 10.1, 10.2
Research (EICAR) Anti-Virus Test File
ClamAV Antimalware toolkit for UNIX 10.1, 10.2
Bitdefender® Antivirus Free Antivirus for Android 10.1, 10.2
Windows® Defender Security Center Anti-malware application built into Windows® 10.1, 10.2
Active Directory Microsoft Windows® directory service for account management and access control 10.3
Local Group Policy Editor Microsoft Management Console (MMC) snap-in used to configure or modify Group Policy settings 10.3
with Group Policy Objects (GPOs)
OpenSCAP Ecosystem providing many tools to assist with assessment, measurement, and enforcement of 10.3
baselines
OpenVAS Framework for vulnerability scanning and management 10.3
DISA STIGs A set of configuration guides developed and maintained by the U.S. Department of Defense (DoD) 10.3
CIS Benchmarks™ Secure configuration guidelines for 100+ technologies, including operating systems, applications, 10.3
and network devices
CIS SecureSuite® Membership No-cost membership to SLTTs, with access to CIS-CAT Pro Assessor, CIS Build Kits, CIS 10.3
Benchmarks, and more
CIS-CAT® Pro Tool to scan for proper CIS Benchmark configurations for applications, operating systems, and 10.3
network devices
CIS Build Kits ZIP files that contain a GPO for each profile within the corresponding CIS Benchmark 10.3

Establishing Essential Cyber Hygiene CIS Control 10: Malware Defenses 14

CIS CONTROL
11 Data
Recovery
Overview Establish and maintain data recovery practices sufficient to restore in-scope enterprise
assets to a pre-incident and trusted state.

Why It Matters? There has been an exponential rise in ransomware over the last few years. It is not a new
threat, though it has become more commercialized and organized as a reliable method
for attackers to make money. If an attacker encrypts an enterprise’s data and demands
ransom for its restoration, having a recent backup to recover to a known, trusted state can
be helpful. However, as ransomware has evolved, it has also become an extortion technique,
where data is exfiltrated before being encrypted, and the attacker asks for payment to
restore the enterprise’s data, as well as to keep it from being sold or publicized. In this case,
restoration would only solve the issue of restoring systems to a trusted state and continuing
operations. Leveraging the guidance within IG1 of the CIS Controls will help reduce the risk of
ransomware through improved cyber hygiene, as attackers usually use older or basic exploits
on insecure systems.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

11.1 Recover Establish and Maintain a Data Recovery Process 

Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery
prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
11.2 Recover Perform Automated Backups 
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of
the data.
11.3 Protect Protect Recovery Data
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on
requirements.
11.4 Recover Establish and Maintain an Isolated Instance of Recovery Data 
Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup
destinations through offline, cloud, or off-site systems or services.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

DHS CISA & MS-ISAC® Joint Ransomware best practices and recommendations are based on operational insight from CISA 11.1, 11.2, 11.3, 11.4
Ransomware Guide (Cybersecurity and Infrastructure Security Agency) and the Multi-State Information Sharing and
Analysis Center (MS-ISAC)
VeraCrypt On-the-fly encryption 11.1, 11.2, 11.3, 11.4
Microsoft® Backup and Restore Built-in backup utility tool 11.1, 11.2, 11.3, 11.4
Microsoft® Volume Shadow Copy Tool to create backup copies or snapshots of files or volumes 11.1, 11.2, 11.3, 11.4
Service (VSS)
Bacula® Network backup and recovery solution 11.1, 11.2, 11.3, 11.4
Amanda Network Backup Backup tool 11.1, 11.2, 11.3, 11.4
Apple Time Machine Built-in backup utility tool for macOS 11.1, 11.2, 11.3, 11.4
No More Ransom Website to help victims of ransomware retrieve their data, report a crime, and more 11.1, 11.2, 11.3, 11.4
Clonezilla® Disk imaging and cloning tool 11.1, 11.2, 11.3, 11.4
Redo™ Backup and disaster recovery tool 11.1, 11.2, 11.3, 11.4
DHS CISA & MS-ISAC® Joint Ransomware best practices and recommendations are based on operational insight from CISA 11.1, 11.2, 11.3, 11.4
Ransomware Guide (Cybersecurity and Infrastructure Security Agency) and the Multi-State Information Sharing and
Analysis Center (MS-ISAC)
VeraCrypt On-the-fly encryption 11.1, 11.2, 11.3, 11.4
Microsoft® Backup and Restore Built-in backup utility tool 11.1, 11.2, 11.3, 11.4

Establishing Essential Cyber Hygiene CIS Control 11: Data Recovery 15

CIS CONTROL
12 Network Infrastructure
Management
Overview Establish, implement, and actively manage (track, report, correct) network devices, in
order to prevent attackers from exploiting vulnerable network services and access points.

Why It Matters? Secure network infrastructure is an essential defense against attacks. Network infrastructure
includes devices such as physical and virtualized gateways, firewalls, wireless access points,
routers, and switches. Default configurations for network devices are geared for ease-of-
deployment and ease-of-use—not security. Potential default vulnerabilities include open
services and ports, default accounts and passwords (including service accounts), support for
older vulnerable protocols, and pre-installation of unnecessary software. Attackers search for
vulnerable default settings, gaps or inconsistencies in firewall rule sets, routers, and switches
and use those holes to penetrate defenses. They exploit flaws in these devices to gain access
to networks, redirect traffic on a network, and intercept data while in transmission. Ensuring
that network infrastructure is kept up to date as well as establishing secure configurations
(Safeguard 4.2) is an important line of defense to mitigate the risk of an attack.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

12.1 Protect Ensure Network Infrastructure is Up-to-Date

Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software
and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently,
to verify software support.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

RANCID Monitors the configuration of network devices 12.1

OpenNAC Network access control (NAC) solution 12.1
Zabbix Monitoring tool for IT infrastructure 12.1

Establishing Essential Cyber Hygiene CIS Control 12: Network Infrastructure Management 16
CIS CONTROL
14 Security Awareness
and Skills Training
Overview Establish and maintain a security awareness program to influence behavior among the
workforce to be security conscious and properly skilled to reduce cybersecurity risks to
the enterprise.

Why It Matters? The actions of people play a critical part in the success or failure of an enterprise’s security
program. It is easier for an attacker to entice a user to click a link or open an email attachment
to install malware in order to get into an enterprise, than to find a network exploit to do it
directly. Users themselves, both intentionally and unintentionally, can cause incidents as
a result of mishandling sensitive data, sending an email with sensitive data to the wrong
recipient, losing a portable end-user device, using weak passwords, or using the same
password they use on public sites. No security program can effectively address cyber risk
without a means to address this fundamental human vulnerability. An enterprise’s training
material should be reviewed and updated regularly. This will increase the culture of security
and discourage risky workarounds.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

14.1 Protect Establish and Maintain a Security Awareness Program

Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the
enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a
minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this
Safeguard.
14.2 Protect Train Workforce Members to Recognize Social Engineering Attacks
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
14.3 Protect Train Workforce Members on Authentication Best Practices
Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential
management.
14.4 Protect Train Workforce on Data Handling Best Practices
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes
training workforce members on clear screen and desk best practices, such as locking their screen when they step away from
their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
14.5 Protect Train Workforce Members on Causes of Unintentional Data Exposure
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive
data, losing a portable end-user device, or publishing data to unintended audiences.
14.6 Protect Train Workforce Members on Recognizing and Reporting Security Incidents
Train workforce members to be able to recognize a potential incident and be able to report such an incident.
14.7 Protect Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and
tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
14.8 Protect Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities.
If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home
network infrastructure.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

SANS: Ouch! Newsletters Security awareness newsletter 14.1

SANS: Internet Storm Center® Monitors the level of malicious activity on the internet 14.1
YouTube: Social Engineering Attacks Educational videos 14.1, 14.2
(Professor Messer)
NIST: You’ve Been Phished! videos Educational videos 14.1, 14.2
Berkeley: The Phish Tank Phishing examples 14.1, 14.2

Establishing Essential Cyber Hygiene CIS Control 14: Security Awareness and Skills Training 17
NAME DESCRIPTION CIS SAFEGUARD(S)

MS-ISAC® Newsletter Subscription Newsletters, advisories, and webinars on cybersecurity threats 14.1, 14.2, 14.3, 14.4,
14.5, 14.6, 14.7, 14.8
MS-ISAC® Cybersecurity Awareness Toolkit Features educational materials designed to raise cybersecurity awareness. Digital materials are 14.1, 14.2, 14.3, 14.4,
aggregated for your use. 14.5, 14.6, 14.7, 14.8
Federal Virtual Training Environment Free online cybersecurity training to State, Local, Tribal, and Territorial (SLTT) governments 14.1, 14.2, 14.3, 14.4,
(FedVTE) Online Courses 14.5, 14.6, 14.7, 14.8
National Cyber Security Alliance (NCSA®) Nonprofit promoting cybersecurity awareness and education 14.1, 14.2, 14.3, 14.4,
14.5, 14.6, 14.7, 14.8
Security Awareness Toolbox Security awareness training resources 14.1, 14.2, 14.3, 14.4,
14.5, 14.6, 14.7, 14.8
YouTube: StaySafeOnline.org Educational videos 14.1, 14.2, 14.3, 14.4,
14.5, 14.6, 14.7, 14.8

Establishing Essential Cyber Hygiene CIS Control 14: Security Awareness and Skills Training 18
CIS CONTROL
15 Service Provider
Management
Overview Develop a process to evaluate service providers who hold sensitive data, or are
responsible for an enterprise’s critical IT platforms or processes, to ensure these providers
are protecting those platforms and data appropriately.

Why It Matters? In our modern, connected world, enterprises rely on vendors and partners to help manage
their data or rely on third-party infrastructure for core applications or functions. There
have been numerous examples where third-party breaches have significantly impacted an
enterprise; for example, as early as the late 2000s, payment cards were compromised after
attackers infiltrated smaller third-party vendors in the retail industry. More recent examples
include ransomware attacks that impact an enterprise indirectly, due to one of their service
providers being locked down, causing disruption to business. Or worse, if directly connected,
a ransomware attack could encrypt data on the main enterprise. Third-party providers
serve as attractive targets for cyber-attacks due to the level of access they afford actors
into the clients’ networks and the ease with which actors can affect multiple victims by
compromising one entity.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

15.1 Identify Establish and Maintain an Inventory of Service Providers

Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include
classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or
when significant enterprise changes occur that could impact this Safeguard.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

CIS Companion Guide—Establishing Guideline questionnaire to ensure that the enterprise’s essential cyber hygiene needs are met by 15.1
Essential Cyber Hygiene Through a their MSP
Managed Service Provider (MSP)
FedRAMP Standardized approach to security and risk assessment for cloud technologies and federal 15.1
agencies

Establishing Essential Cyber Hygiene CIS Control 15: Service Provider Management 19
CIS CONTROL
17 Incident Response
Management
Overview Establish a program to develop and maintain an incident response capability (e.g., policies,
plans, procedures, defined roles, training, and communications) to prepare, detect, and
quickly respond to an attack.

Why It Matters? A comprehensive cybersecurity program includes protections, detections, response, and
recovery capabilities. Often, the final two get overlooked in immature enterprises, or the
response technique to compromised systems is just to re-image them to original state,
and move on. The primary goal of incident response is to identify threats on the enterprise,
respond to them before they can spread, and remediate them before they can cause harm.
Without understanding the full scope of an incident, how it happened, and what can be
done to prevent it from happening again, defenders will just be in a perpetual “whack-a-
mole” pattern.

Safeguards
SAFEGUARD NIST CSF SECURITY FUNCTION TITLE/DESCRIPTION

17.1 Respond Designate Personnel to Manage Incident Handling

Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management
personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least
one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes
occur that could impact this Safeguard.
17.2 Respond Establish and Maintain Contact Information for Reporting Security Incidents
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include
internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is
up-to-date.
17.3 Respond Establish and Maintain an Enterprise Process for Reporting Incidents
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting
timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is
publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.

Tools and Resources

NAME DESCRIPTION CIS SAFEGUARD(S)

MS-ISAC® and EI-ISAC® Service: Cyber SLTT governments can report incidents to the MS-ISAC Call 866-787-4722 or email soc@ 17.1, 17.2, 17.3
Incident Response Team (CIRT) cisecurity.org for assistance from the MS-ISAC/EI-ISAC Security Operations Center (SOC) and
Cyber Incident Response Team (CIRT)
NIST SP 800-61 Rev. 2 Computer Security Incident Handling Guide 17.1, 17.2, 17.3
NIST SP 800-184 Guide for Cybersecurity Event Recovery 17.1, 17.2, 17.3
Guide for Cybersecurity Incident Recovery Guide for Cybersecurity Incident Recovery 17.1, 17.2, 17.3

Establishing Essential Cyber Hygiene CIS Control 17: Incident Response Management 20
Conclusion

IG1 (essential cyber hygiene) is a foundational set of cyber defense Safeguards that every
enterprise (especially those with limited resources or expertise) should apply to guard against
the most common attacks, and represents a minimum standard of information security
for all enterprises. Essential cyber hygiene is the on-ramp to the CIS Controls. From there,
enterprises may find that they need to implement higher-level CIS Safeguards, such as those
found in IG2 and IG3, as their risk profiles increase. Each IG builds upon the previous one: IG2
includes IG1, and IG3 includes all CIS Safeguards in IG1 and IG2.

This guide aims to provide essential cyber hygiene activities from the CIS Controls, as well as
their relationship to the NIST Cybersecurity Framework. Implementation of these practices
through an MS- and EI-ISAC membership, a SecureSuite Membership, and other additional
tools and resources will lead to a more formalized cybersecurity program to mitigate
common threats.

Establishing Essential Cyber Hygiene Conclusion 21

APPENDIX A:

Policy Templates

The MS-ISAC provides (Courtesy of the State of New York and the State of California) the following policy templates that can be
customized and used as an outline of an organizational policy, with additional details to be added by the enterprise.

Identify

Acceptable Use of Information Technology Information Security Risk Management Standard

Resources Policy
Risk Assessment Policy
Access Control Policy
Systems and Services Acquisition Policy
Account Management/Access Control Standard
Monitoring Vendor Performance & Compliance
Identification and Authentication Policy Policy Template

Information Security Policy Vendor Acquisition & Selection Policy Template

Security Assessment and Authorization Policy Computer Security Threat Response Policy

Security Awareness and Training Policy Cyber Incident Response Standard

System and Communications Protection Policy Incident Response Policy

Information Classification Standard Access Control Policy

Protect

Account Management/Access Control Standard Physical and Environmental Protection Policy

Authentication Tokens Standard Security Awareness and Training Policy

Configuration Management Policy Computer Security Threat Response Policy

Identification and Authentication Policy Cyber Incident Response Standard

Sanitization Secure Disposal Standard Encryption Standard

Secure Configuration Standard Incident Response Policy

Secure System Development Life Cycle Standard Maintenance Policy

802.11 Wireless Network Security Standard Media Protection Policy

Mobile Device Security Mobile Device Security

System and Information Integrity Policy Patch Management Standard

Acceptable Use of Information Technology Remote Access Standard

Resources Policy
Security Logging Standard
Information Security Policy

Personnel Security Policy

Establishing Essential Cyber Hygiene Appendix A: Policy Templates 22

Detect

Auditing and Accountability Standard Mobile Device Security

Security Logging Standard Patch Management Standard

System and Information Integrity Policy Security Assessment and Authorization Policy

Vulnerability Scanning Standard Secure Coding Standard

Encryption Standard Computer Security Threat Response Policy

Information Security Policy Incident Response Policy

Maintenance Policy Cyber Incident Response Standard

Media Protection Policy

Respond

Computer Security Threat Response Policy Incident Response Policy

Cyber Incident Response Standard Planning Policy

Recover

Computer Security Threat Response Policy Cyber Incident Response Standard

Contingency Planning Policy Incident Response Policy

Establishing Essential Cyber Hygiene Appendix A: Policy Templates 23

APPENDIX B:

Links and Resources

CIS Critical Security Controls (CIS Controls) v8: Learn more CIS Build Kits: ZIP files that contain a Group Policy
about the CIS Controls, including how to get started, why Object (GPO) for each profile within the corresponding
each Control is critical, procedures and tools to use during CIS Benchmark.
implementation, and a complete listing of Safeguards for
CIS Hardened Images®: Virtual machine images securely
each Control.
pre-configured to the CIS Benchmarks.
CIS Controls v8 Mapping to NIST CSF: To provide the
CIS WorkBench: Get involved in one of our many
connection between the CIS Controls v8 and NIST CSF
communities.
frameworks.
CIS Password Policy Guide: CIS Guidance for secure usage
CIS Controls Assessment Specification: Provides an
of passwords in an enterprise
understanding of what should be measured in order to verify
that the Safeguards are properly implemented. MS-ISAC Membership: Free for all 50 states, the District
of Columbia, U.S. territories, local and tribal governments,
CIS Controls Navigator: Learn more about the Controls
public K-12 education entities, public institutions of higher
and Safeguards and see how they map to other security
education, authorities, and any other non-federal public
standards (e.g., CMMC, NIST SP 800-53 Rev. 5, PCI DSS,
entity in the U.S.
MITRE ATT&CK).
EI-ISAC Membership: Free for all SLTT government
CIS Controls Self Assessment Tool (CIS CSAT): Enables
organizations that support the elections officials of the U.S.,
enterprises to assess and track their implementation of the
and associations thereof.
CIS Controls for Versions 8 and 7.1.
MS-ISAC Cybersecurity Resources Guide: Mapping of
CIS Community Defense Model (CDM) v2: A guide
various resources to NIST CSF.
published by CIS that leverages the open availability of
comprehensive summaries of attacks and security incidents, Malicious Domain Blocking and Reporting: MS- and
and the industry-endorsed ecosystem that is developing EI-ISAC DNS filtering service that prevents IT systems from
around the MITRE ATT&CK (Adversarial Tactics, Techniques, connecting to harmful web domains.
and Common Knowledge) Model.
Nationwide Cybersecurity Review (NCSR): No-cost,
CIS Risk Assessment Method (CIS RAM) v2.1: An anonymous, annual self-assessment designed to evaluate
information security risk assessment method that helps cybersecurity maturity.
enterprises implement and assess their security posture
NIST CSF Policy Template Guide: Resource to assist with
against the CIS Controls.
the application and advancement of cybersecurity policies.
CIS SecureSuite Membership: No-cost membership to
No-Cost and Fee-Based Listing of MS-ISAC/EI-ISAC
SLTTs, with access to CIS-CAT Pro Assessor, CIS Build Kits,
Services: Overview of available services. Contact
CIS Benchmarks, and more.
[email protected] for more information.
CIS Benchmarks: Secure configuration guidelines for 100+
technologies, including operating systems, applications, and
network devices.

CIS-CAT Pro: Tool to scan for proper CIS Benchmark

configurations for applications, operating systems, and
network devices.

Establishing Essential Cyber Hygiene Appendix B: Links and Resources 24

APPENDIX C:

Acronyms and Abbreviations

CIRT: Cyber Incident Response Team IT: Information Technology

CIS: Center for Internet Security LDAP: Lightweight Directory Access Protocol

CIS-CAT: CIS Configuration Assessment Tool MCAP: Malicious Code Analysis Platform

CIS CDM: CIS Community Defense Model MDM: Mobile Device Management

CIS CSAT: CIS Controls Self Assessment Tool MFA: Multi-Factor Authentication

CISA: Cybersecurity and Infrastructure Security Agency MMC: Microsoft Management Console

CMMC: Cybersecurity Maturity Model Certification MS-ISAC: Multi-State Information Sharing and
Analysis Center
CVEs: Common Vulnerabilities and Exposures
MSP: Managed Service Provider
DNS: Domain Name System
NAC: Network Access Control
DoD: U.S. Department of Defense
NaaS: Network as a Service
EI-ISAC: Elections Infrastructure Information Sharing and
Analysis Center NCSR: Nationwide Cybersecurity Review

FedVTE: Federal Virtual Training Environment NIST: National Institute of Standards and Technology

GPO: Group Policy Object NIST CSF: NIST Cybersecurity Framework

GUI: Graphical User Interface PCI DSS: Payment Card Industry Data Security Standard

HTTP: Hypertext Transfer Protocol SBP: Security Best Practices

HTTPS: Hypertext Transfer Protocol Secure SOC: Security Operations Center

IG: Implementation Group SLTT: State, Local, Tribal, and Territorial governments

IG1: Implementation Group 1 SP: Special Publication

IG2: Implementation Group 2 SSH: Secure Shell

IG3: Implementation Group 3 Telnet: Teletype Network Protocol

IoT: Internet of Things URL: Uniform Resource Locator

Establishing Essential Cyber Hygiene Appendix C: Acronyms and Abbreviations 25

The Center for Internet Security, Inc. (CIS®) makes the
connected world a safer place for people, businesses,
and governments through our core competencies of
collaboration and innovation. We are a community-
driven nonprofit, responsible for the CIS Critical Security
Controls® and CIS Benchmarks™, globally recognized
best practices for securing IT systems and data. We lead
a global community of IT professionals to continuously
evolve these standards and provide products and services
to proactively safeguard against emerging threats. Our CIS
Hardened Images® provide secure, on-demand, scalable
computing environments in the cloud.

CIS is home to the Multi-State Information Sharing

and Analysis Center® (MS-ISAC®), the trusted resource
for cyber threat prevention, protection, response, and
recovery for U.S. State, Local, Tribal, and Territorial
government entities, and the Elections Infrastructure
Information Sharing and Analysis Center® (EI-ISAC®),
which supports the rapidly changing cybersecurity needs
of U.S. election offices. To learn more, visit CISecurity.org
or follow us on Twitter: @CISecurity.

cisecurity.org
[email protected]
518-266-3460
Center for Internet Security
@CISecurity
TheCISecurity
cisecurity

Establishing Essential Cyber Hygiene Appendix C: Acronyms and Abbreviations 26