@turbot/cis

Recommended Version

Control Categories

• CIS
• CIS > Controls v6
• CIS > Controls v6 > 01 Inventory of Authorized and Unauthorized Devices
• CIS > Controls v6 > 01 Inventory of Authorized and Unauthorized Devices > 1.01 Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization’s public and private network(s)
• CIS > Controls v6 > 01 Inventory of Authorized and Unauthorized Devices > 1.02 Deploy DHCP server logging to improve asset inventory and detect unknown systems
• CIS > Controls v6 > 01 Inventory of Authorized and Unauthorized Devices > 1.03 Ensure that all equipment acquisitions automatically update the inventory system
• CIS > Controls v6 > 01 Inventory of Authorized and Unauthorized Devices > 1.04 Maintain an asset inventory of all systems connected to the network along with the network devices
• CIS > Controls v6 > 01 Inventory of Authorized and Unauthorized Devices > 1.05 Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network
• CIS > Controls v6 > 01 Inventory of Authorized and Unauthorized Devices > 1.06 Use client certificates to validate and authenticate systems prior to connecting to the private network
• CIS > Controls v6 > 02 Inventory of Authorized and Unauthorized Software
• CIS > Controls v6 > 02 Inventory of Authorized and Unauthorized Software > 2.01 Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses
• CIS > Controls v6 > 02 Inventory of Authorized and Unauthorized Software > 2.02 Deploy application whitelisting that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system
• CIS > Controls v6 > 02 Inventory of Authorized and Unauthorized Software > 2.03 Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops
• CIS > Controls v6 > 02 Inventory of Authorized and Unauthorized Software > 2.04 Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk should not be installed within a networked environment
• CIS > Controls v6 > 03 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CIS > Controls v6 > 03 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 3.01 Establish standard secure configurations of operating systems and software applications
• CIS > Controls v6 > 03 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 3.02 Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise
• CIS > Controls v6 > 03 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 3.03 Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible
• CIS > Controls v6 > 03 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 3.04 Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels
• CIS > Controls v6 > 03 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 3.05 Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered
• CIS > Controls v6 > 03 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 3.06 Implement and test an automated configuration monitoring system that verifies all remotely testable secure configuration elements, and alerts when unauthorized changes occur
• CIS > Controls v6 > 03 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 3.07 Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for UNIX systems that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals
• CIS > Controls v6 > 04 Continuous Vulnerability Assessment and Remediation
• CIS > Controls v6 > 04 Continuous Vulnerability Assessment and Remediation > 4.01 Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk
• CIS > Controls v6 > 04 Continuous Vulnerability Assessment and Remediation > 4.02 Correlate event logs with information from vulnerability scans to fulfill two goals
• CIS > Controls v6 > 04 Continuous Vulnerability Assessment and Remediation > 4.03 Perform vulnerability scanning in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested
• CIS > Controls v6 > 04 Continuous Vulnerability Assessment and Remediation > 4.04 Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the information gained from this subscription to update the organization’s vulnerability scanning activities on at least a monthly basis
• CIS > Controls v6 > 04 Continuous Vulnerability Assessment and Remediation > 4.05 Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe
• CIS > Controls v6 > 04 Continuous Vulnerability Assessment and Remediation > 4.06 Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans
• CIS > Controls v6 > 04 Continuous Vulnerability Assessment and Remediation > 4.07 Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed, either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk
• CIS > Controls v6 > 04 Continuous Vulnerability Assessment and Remediation > 4.08 Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets
• CIS > Controls v6 > 05 Controlled Use of Administrative Privileges
• CIS > Controls v6 > 05 Controlled Use of Administrative Privileges > 5.01 Minimize administrative privileges and only use administrative accounts when they are required
• CIS > Controls v6 > 05 Controlled Use of Administrative Privileges > 5.02 Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive
• CIS > Controls v6 > 05 Controlled Use of Administrative Privileges > 5.03 Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts
• CIS > Controls v6 > 05 Controlled Use of Administrative Privileges > 5.04 Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system
• CIS > Controls v6 > 05 Controlled Use of Administrative Privileges > 5.05 Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account
• CIS > Controls v6 > 05 Controlled Use of Administrative Privileges > 5.06 Use multi-factor authentication for all administrative access, including domain administrative access
• CIS > Controls v6 > 05 Controlled Use of Administrative Privileges > 5.07 Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system
• CIS > Controls v6 > 05 Controlled Use of Administrative Privileges > 5.08 Administrators should be required to access a system using a fully logged and non-administrative account
• CIS > Controls v6 > 05 Controlled Use of Administrative Privileges > 5.09 Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access
• CIS > Controls v6 > 06 Maintenance, Monitoring, and Analysis of Audit Logs
• CIS > Controls v6 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.01 Include at least two synchronized time sources from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent
• CIS > Controls v6 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.02 Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction
• CIS > Controls v6 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.03 Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals
• CIS > Controls v6 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.04 Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs
• CIS > Controls v6 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.05 Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device
• CIS > Controls v6 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.06 Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis
• CIS > Controls v6 > 07 Email and Web Browser Protections
• CIS > Controls v6 > 07 Email and Web Browser Protections > 7.01 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization
• CIS > Controls v6 > 07 Email and Web Browser Protections > 7.02 Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications
• CIS > Controls v6 > 07 Email and Web Browser Protections > 7.03 Limit the use of unnecessary scripting languages in all web browsers and email clients
• CIS > Controls v6 > 07 Email and Web Browser Protections > 7.04 Log all URL requests from each of the organization's systems
• CIS > Controls v6 > 07 Email and Web Browser Protections > 7.05 Deploy two separate browser configurations to each system
• CIS > Controls v6 > 07 Email and Web Browser Protections > 7.06 The organization shall maintain and enforce network based URL filters that limit a system's ability to connect to websites not approved by the organization
• CIS > Controls v6 > 07 Email and Web Browser Protections > 7.07 To lower the chance of spoofed email messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers
• CIS > Controls v6 > 07 Email and Web Browser Protections > 7.08 Scan and block all email attachments entering the organization's email gateway if they contain malicious code or file types that are unnecessary for the organization's business
• CIS > Controls v6 > 08 Malware Defenses
• CIS > Controls v6 > 08 Malware Defenses > 8.01 Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality
• CIS > Controls v6 > 08 Malware Defenses > 8.02 Employ anti-malware software that offers a centralized infrastructure that compiles information on file reputations or have administrators manually push updates to all machines
• CIS > Controls v6 > 08 Malware Defenses > 8.03 Limit use of external devices to those with an approved, documented business need. Monitor for use and attempted use of external devices
• CIS > Controls v6 > 08 Malware Defenses > 8.04 Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc
• CIS > Controls v6 > 08 Malware Defenses > 8.05 Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature- based detection to identify and filter out malicious content before it arrives at the endpoint
• CIS > Controls v6 > 08 Malware Defenses > 8.06 Enable domain name system (DNS) query logging to detect hostname lookup for known malicious C2 domains
• CIS > Controls v6 > 09 Limitation and Control of Network Ports, Protocols, and Services
• CIS > Controls v6 > 09 Limitation and Control of Network Ports, Protocols, and Services > 9.01 Ensure that only ports, protocols, and services with validated business needs are running on each system
• CIS > Controls v6 > 09 Limitation and Control of Network Ports, Protocols, and Services > 9.02 Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed
• CIS > Controls v6 > 09 Limitation and Control of Network Ports, Protocols, and Services > 9.03 Perform automated port scans on a regular basis against all key servers and compare to a known effective baseline
• CIS > Controls v6 > 09 Limitation and Control of Network Ports, Protocols, and Services > 9.04 Verify any server that is visible from the Internet or an untrusted network
• CIS > Controls v6 > 09 Limitation and Control of Network Ports, Protocols, and Services > 9.05 Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers
• CIS > Controls v6 > 09 Limitation and Control of Network Ports, Protocols, and Services > 9.06 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server
• CIS > Controls v6 > 10 Data Recovery Capability
• CIS > Controls v6 > 10 Data Recovery Capability > 10.01 Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information
• CIS > Controls v6 > 10 Data Recovery Capability > 10.02 Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working
• CIS > Controls v6 > 10 Data Recovery Capability > 10.03 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network
• CIS > Controls v6 > 10 Data Recovery Capability > 10.04 Ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls
• CIS > Controls v6 > 11 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• CIS > Controls v6 > 11 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches > 11.01 Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization
• CIS > Controls v6 > 11 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches > 11.02 All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices
• CIS > Controls v6 > 11 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches > 11.03 Use automated tools to verify standard device configurations and detect changes
• CIS > Controls v6 > 11 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches > 11.04 Manage network devices using two-factor authentication and encrypted sessions
• CIS > Controls v6 > 11 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches > 11.05 Install the latest stable version of any security-related updates on all network devices
• CIS > Controls v6 > 11 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches > 11.06 Network engineers shall use a dedicated machine for all administrative tasks or tasks requiring elevated access
• CIS > Controls v6 > 11 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches > 11.07 Manage the network infrastructure across network connections that are separated from the business use of that network
• CIS > Controls v6 > 12 Boundary Defense
• CIS > Controls v6 > 12 Boundary Defense > 12.01 Deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (whitelists)
• CIS > Controls v6 > 12 Boundary Defense > 12.02 On DMZ networks, configure monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border
• CIS > Controls v6 > 12 Boundary Defense > 12.03 Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems
• CIS > Controls v6 > 12 Boundary Defense > 12.04 Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or the behavior of potential attacks
• CIS > Controls v6 > 12 Boundary Defense > 12.05 Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server
• CIS > Controls v6 > 12 Boundary Defense > 12.06 Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication
• CIS > Controls v6 > 12 Boundary Defense > 12.07 All enterprise devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels
• CIS > Controls v6 > 12 Boundary Defense > 12.08 Periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms
• CIS > Controls v6 > 12 Boundary Defense > 12.09 Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity
• CIS > Controls v6 > 12 Boundary Defense > 12.10 To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions
• CIS > Controls v6 > 13 Data Protection
• CIS > Controls v6 > 13 Data Protection > 13.01 Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls
• CIS > Controls v6 > 13 Data Protection > 13.02 Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data
• CIS > Controls v6 > 13 Data Protection > 13.03 Deploy an automated tool on network perimeters that monitors for sensitive information (e.g., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel
• CIS > Controls v6 > 13 Data Protection > 13.04 Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, health, credit card, or classified information) is present on the system in clear text
• CIS > Controls v6 > 13 Data Protection > 13.05 If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives
• CIS > Controls v6 > 13 Data Protection > 13.06 Use network-based DLP solutions to monitor and control the flow of data within the network
• CIS > Controls v6 > 13 Data Protection > 13.07 Monitor all traffic leaving the organization and detect any unauthorized use of encryption
• CIS > Controls v6 > 13 Data Protection > 13.08 Block access to known file transfer and email exfiltration websites
• CIS > Controls v6 > 13 Data Protection > 13.09 Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied off a server
• CIS > Controls v6 > 14 Controlled Access Based on the Need to Know
• CIS > Controls v6 > 14 Controlled Access Based on the Need to Know > 14.01 Segment the network based on the label or classification level of the information stored on the servers
• CIS > Controls v6 > 14 Controlled Access Based on the Need to Know > 14.02 All communication of sensitive information over less- trusted networks should be encrypted
• CIS > Controls v6 > 14 Controlled Access Based on the Need to Know > 14.03 All network switches will enable Private Virtual Local Area Networks (VLANs) for segmented workstation networks to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attackers ability to laterally move to compromise neighboring systems
• CIS > Controls v6 > 14 Controlled Access Based on the Need to Know > 14.04 All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists
• CIS > Controls v6 > 14 Controlled Access Based on the Need to Know > 14.05 Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information
• CIS > Controls v6 > 14 Controlled Access Based on the Need to Know > 14.06 Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data
• CIS > Controls v6 > 14 Controlled Access Based on the Need to Know > 14.07 Archived data sets or systems not regularly accessed by the organization shall be removed from the organization's network
• CIS > Controls v6 > 15 Wireless Access Control
• CIS > Controls v6 > 15 Wireless Access Control > 15.01 Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need
• CIS > Controls v6 > 15 Wireless Access Control > 15.02 Configure network vulnerability scanning tools to detect wireless access points connected to the wired network
• CIS > Controls v6 > 15 Wireless Access Control > 15.03 Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises
• CIS > Controls v6 > 15 Wireless Access Control > 15.04 Where a specific business need for wireless access has been identified, configure wireless access on client machines to allow access only to authorized wireless networks
• CIS > Controls v6 > 15 Wireless Access Control > 15.05 Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection
• CIS > Controls v6 > 15 Wireless Access Control > 15.06 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which provide credential protection and mutual authentication
• CIS > Controls v6 > 15 Wireless Access Control > 15.07 Disable peer-to-peer wireless network capabilities on wireless clients
• CIS > Controls v6 > 15 Wireless Access Control > 15.08 Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need
• CIS > Controls v6 > 15 Wireless Access Control > 15.09 Create separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices
• CIS > Controls v6 > 16 Account Monitoring and Control
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.01 Review all system accounts and disable any account that cannot be associated with a business process and owner
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.02 Ensure that all accounts have an expiration date that is monitored and enforced
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.03 Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.04 Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.05 Configure screen locks on systems to limit access to unattended workstations
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.06 Monitor account usage to determine dormant accounts, notifying the user or user’s manager
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.07 Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.08 Monitor attempts to access deactivated accounts through audit logging
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.09 Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.10 Profile each user’s typical account usage by determining normal time-of-day access and access duration
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.11 Require multi-factor authentication for all user accounts that have access to sensitive data or systems
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.12 Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.13 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels
• CIS > Controls v6 > 16 Account Monitoring and Control > 16.14 Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges
• CIS > Controls v6 > 17 Security Skills Assessment and Appropriate Training to Fill Gaps
• CIS > Controls v6 > 17 Security Skills Assessment and Appropriate Training to Fill Gaps > 17.01 Perform gap analysis to see which skills employees need to implement the other Controls, and which behaviors employees are not adhering to, using this information to build a baseline training and awareness roadmap for all employees
• CIS > Controls v6 > 17 Security Skills Assessment and Appropriate Training to Fill Gaps > 17.02 Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training
• CIS > Controls v6 > 17 Security Skills Assessment and Appropriate Training to Fill Gaps > 17.03 Implement a security awareness program that (1) focuses on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees (3) is updated frequently (at least annually) to represent the latest attack techniques, (4) is mandated for completion by all employees at least annually, (5) is reliably monitored for employee completion, and 6) includes the senior leadership team’s personal messaging, involvement in training, and accountability through performance metrics
• CIS > Controls v6 > 17 Security Skills Assessment and Appropriate Training to Fill Gaps > 17.04 Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious email or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who fall victim to the exercise
• CIS > Controls v6 > 17 Security Skills Assessment and Appropriate Training to Fill Gaps > 17.05 Use security skills assessments for each of the mission- critical roles to identify skills gaps
• CIS > Controls v6 > 18 Application Software Security
• CIS > Controls v6 > 18 Application Software Security > 18.01 For all acquired application software, check that the version you are using is still supported by the vendor
• CIS > Controls v6 > 18 Application Software Security > 18.02 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks
• CIS > Controls v6 > 18 Application Software Security > 18.03 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or format
• CIS > Controls v6 > 18 Application Software Security > 18.04 Test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis
• CIS > Controls v6 > 18 Application Software Security > 18.05 Do not display system error messages to end-users (output sanitization)
• CIS > Controls v6 > 18 Application Software Security > 18.06 Maintain separate environments for production and nonproduction systems
• CIS > Controls v6 > 18 Application Software Security > 18.07 For applications that rely on a database, use standard hardening configuration templates
• CIS > Controls v6 > 18 Application Software Security > 18.08 Ensure that all software development personnel receive training in writing secure code for their specific development environment
• CIS > Controls v6 > 18 Application Software Security > 18.09 For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment
• CIS > Controls v6 > 19 Incident Response and Management
• CIS > Controls v6 > 19 Incident Response and Management > 19.01 Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents
• CIS > Controls v6 > 19 Incident Response and Management > 19.02 Assign job titles and duties for handling computer and network incidents to specific individuals
• CIS > Controls v6 > 19 Incident Response and Management > 19.03 Define management personnel who will support the incident handling process by acting in key decision-making roles
• CIS > Controls v6 > 19 Incident Response and Management > 19.04 Devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification
• CIS > Controls v6 > 19 Incident Response and Management > 19.05 Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an email address of security@organization.com or have a web page http://organization.com/security)
• CIS > Controls v6 > 19 Incident Response and Management > 19.06 Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team
• CIS > Controls v6 > 19 Incident Response and Management > 19.07 Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team
• CIS > Controls v6 > 20 Penetration Tests and Red Team Exercises
• CIS > Controls v6 > 20 Penetration Tests and Red Team Exercises > 20.01 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully
• CIS > Controls v6 > 20 Penetration Tests and Red Team Exercises > 20.02 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over
• CIS > Controls v6 > 20 Penetration Tests and Red Team Exercises > 20.03 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively
• CIS > Controls v6 > 20 Penetration Tests and Red Team Exercises > 20.04 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation
• CIS > Controls v6 > 20 Penetration Tests and Red Team Exercises > 20.05 Plan clear goals of the penetration test itself with blended attacks in mind, identifying the goal machine or target asset
• CIS > Controls v6 > 20 Penetration Tests and Red Team Exercises > 20.06 Use vulnerability scanning and penetration testing tools in concert
• CIS > Controls v6 > 20 Penetration Tests and Red Team Exercises > 20.07 Wherever possible, ensure that Red Teams results are documented using open, machine-readable standards
• CIS > Controls v6 > 20 Penetration Tests and Red Team Exercises > 20.08 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems
• CIS > Controls v7
• CIS > Controls v7 > 01 Inventory and Control of Hardware Assets
• CIS > Controls v7 > 01 Inventory and Control of Hardware Assets > 1.01 Utilize an Active Discovery Tool
• CIS > Controls v7 > 01 Inventory and Control of Hardware Assets > 1.02 Use a Passive Asset Discovery Tool
• CIS > Controls v7 > 01 Inventory and Control of Hardware Assets > 1.03 Use DHCP Logging to Update Asset Inventory
• CIS > Controls v7 > 01 Inventory and Control of Hardware Assets > 1.04 Maintain Detailed Asset Inventory
• CIS > Controls v7 > 01 Inventory and Control of Hardware Assets > 1.05 Maintain Asset Inventory Information
• CIS > Controls v7 > 01 Inventory and Control of Hardware Assets > 1.06 Address Unauthorized Assets
• CIS > Controls v7 > 01 Inventory and Control of Hardware Assets > 1.07 Deploy Port Level Access Control
• CIS > Controls v7 > 01 Inventory and Control of Hardware Assets > 1.08 Utilize Client Certificates to Authenticate Hardware Assets
• CIS > Controls v7 > 02 Inventory and Control of Software Assets
• CIS > Controls v7 > 02 Inventory and Control of Software Assets > 2.01 Maintain Inventory of Authorized Software
• CIS > Controls v7 > 02 Inventory and Control of Software Assets > 2.02 Ensure Software is Supported by Vendor
• CIS > Controls v7 > 02 Inventory and Control of Software Assets > 2.03 Utilize Software Inventory Tools
• CIS > Controls v7 > 02 Inventory and Control of Software Assets > 2.04 Track Software Inventory Information
• CIS > Controls v7 > 02 Inventory and Control of Software Assets > 2.05 Integrate Software and Hardware Asset Inventories
• CIS > Controls v7 > 02 Inventory and Control of Software Assets > 2.06 Address Unapproved Software
• CIS > Controls v7 > 02 Inventory and Control of Software Assets > 2.07 Utilize Application Whitelisting
• CIS > Controls v7 > 02 Inventory and Control of Software Assets > 2.08 Implement Application Whitelisting of Libraries
• CIS > Controls v7 > 02 Inventory and Control of Software Assets > 2.09 Implement Application Whitelisting of Scripts
• CIS > Controls v7 > 02 Inventory and Control of Software Assets > 2.10 Physically or Logically Segregate High Risk Applications
• CIS > Controls v7 > 03 Continuous Vulnerability Management
• CIS > Controls v7 > 03 Continuous Vulnerability Management > 3.01 Run Automated Vulnerability Scanning Tools
• CIS > Controls v7 > 03 Continuous Vulnerability Management > 3.02 Perform Authenticated Vulnerability Scanning
• CIS > Controls v7 > 03 Continuous Vulnerability Management > 3.03 Protect Dedicated Assessment Accounts
• CIS > Controls v7 > 03 Continuous Vulnerability Management > 3.04 Deploy Automated Operating System Patch Management Tools
• CIS > Controls v7 > 03 Continuous Vulnerability Management > 3.05 Deploy Automated Software Patch Management Tools
• CIS > Controls v7 > 03 Continuous Vulnerability Management > 3.06 Compare Back-toback Vulnerability Scans
• CIS > Controls v7 > 03 Continuous Vulnerability Management > 3.07 Utilize a Risk-rating Process
• CIS > Controls v7 > 04 Controlled Use of Administrative Privileges
• CIS > Controls v7 > 04 Controlled Use of Administrative Privileges > 4.01 Maintain Inventory of Administrative Accounts
• CIS > Controls v7 > 04 Controlled Use of Administrative Privileges > 4.02 Change Default Passwords
• CIS > Controls v7 > 04 Controlled Use of Administrative Privileges > 4.03 Ensure the Use of Dedicated Administrative Accounts
• CIS > Controls v7 > 04 Controlled Use of Administrative Privileges > 4.04 Use Unique Passwords
• CIS > Controls v7 > 04 Controlled Use of Administrative Privileges > 4.05 Use Multifactor Authentication For All Administrative Access
• CIS > Controls v7 > 04 Controlled Use of Administrative Privileges > 4.06 Use Dedicated Workstations For All Administrative
• CIS > Controls v7 > 04 Controlled Use of Administrative Privileges > 4.07 Limit Access to Scripting Tools
• CIS > Controls v7 > 04 Controlled Use of Administrative Privileges > 4.08 Log and Alert on Changes to Administrative Group Membership
• CIS > Controls v7 > 04 Controlled Use of Administrative Privileges > 4.09 Log and Alert on Unsuccessful Administrative Account Login
• CIS > Controls v7 > 05 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CIS > Controls v7 > 05 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 5.01 Establish Secure Configurations
• CIS > Controls v7 > 05 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 5.02 Maintain Secure Images
• CIS > Controls v7 > 05 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 5.03 Securely Store Master Images
• CIS > Controls v7 > 05 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 5.04 Deploy System Configuration Management Tools
• CIS > Controls v7 > 05 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers > 5.05 Implement Automated Configuration Monitoring Systems
• CIS > Controls v7 > 06 Maintenance, Monitoring, and Analysis of Audit Logs
• CIS > Controls v7 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.01 Utilize Three Synchronized Time Sources
• CIS > Controls v7 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.02 Activate Audit Logging
• CIS > Controls v7 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.03 Enable Detailed Logging
• CIS > Controls v7 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.04 Ensure Adequate Storage for Logs
• CIS > Controls v7 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.05 Central Log Management
• CIS > Controls v7 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.06 Deploy SIEM or Log Analytic Tools
• CIS > Controls v7 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.07 Regularly Review Logs
• CIS > Controls v7 > 06 Maintenance, Monitoring, and Analysis of Audit Logs > 6.08 Regularly Tune SIEM
• CIS > Controls v7 > 07 Email and Web Browser Protections
• CIS > Controls v7 > 07 Email and Web Browser Protections > 7.01 Ensure Use of Only Fully Supported Browsers and Email Clients
• CIS > Controls v7 > 07 Email and Web Browser Protections > 7.02 Disable Unnecessary or Unauthorized Browser or Email Client Plugins
• CIS > Controls v7 > 07 Email and Web Browser Protections > 7.03 Limit Use of Scripting Languages in Web Browsers and Email Clients
• CIS > Controls v7 > 07 Email and Web Browser Protections > 7.04 Maintain and Enforce Network-Based URL Filters
• CIS > Controls v7 > 07 Email and Web Browser Protections > 7.05 Subscribe to URL Categorization service
• CIS > Controls v7 > 07 Email and Web Browser Protections > 7.06 Log all URL Requests
• CIS > Controls v7 > 07 Email and Web Browser Protections > 7.07 Use of DNS Filtering Services
• CIS > Controls v7 > 07 Email and Web Browser Protections > 7.08 Implement DMARC and Enable Receiver-Side Verification
• CIS > Controls v7 > 07 Email and Web Browser Protections > 7.09 Block Unnecessary File Types
• CIS > Controls v7 > 07 Email and Web Browser Protections > 7.10 Sandbox All Email Attachments
• CIS > Controls v7 > 08 Malware Defenses
• CIS > Controls v7 > 08 Malware Defenses > 8.01 Utilize Centrally Managed Antimalware Software
• CIS > Controls v7 > 08 Malware Defenses > 8.02 Ensure AntiMalware Software and Signatures are Updated
• CIS > Controls v7 > 08 Malware Defenses > 8.03 Enable Operating System AntiExploitation Features/ Deploy Anti-Exploit Technologies
• CIS > Controls v7 > 08 Malware Defenses > 8.04 Configure AntiMalware Scanning of Removable
• CIS > Controls v7 > 08 Malware Defenses > 8.05 Configure Devices to Not Auto-run Content
• CIS > Controls v7 > 08 Malware Defenses > 8.06 Centralize Antimalware Logging
• CIS > Controls v7 > 08 Malware Defenses > 8.07 Enable DNS Query Logging
• CIS > Controls v7 > 08 Malware Defenses > 8.08 Enable Commandline Audit Logging
• CIS > Controls v7 > 09 Limitation and Control of Network Ports, Protocols, and Services
• CIS > Controls v7 > 09 Limitation and Control of Network Ports, Protocols, and Services > 9.01 Associate Active Ports, Services and Protocols to Asset Inventory
• CIS > Controls v7 > 09 Limitation and Control of Network Ports, Protocols, and Services > 9.02 Ensure Only Approved Ports, Protocols and Services Are Running
• CIS > Controls v7 > 09 Limitation and Control of Network Ports, Protocols, and Services > 9.03 Perform Regular Automated Port Scans
• CIS > Controls v7 > 09 Limitation and Control of Network Ports, Protocols, and Services > 9.04 Apply Host-based Firewalls or Port Filtering
• CIS > Controls v7 > 09 Limitation and Control of Network Ports, Protocols, and Services > 9.05 Implement Application Firewalls
• CIS > Controls v7 > 10 Data Recovery Capabilities
• CIS > Controls v7 > 10 Data Recovery Capabilities > 10.01 Ensure Regular Automated Back Ups
• CIS > Controls v7 > 10 Data Recovery Capabilities > 10.02 Perform Complete System Backups
• CIS > Controls v7 > 10 Data Recovery Capabilities > 10.03 Test Data on Backup Media
• CIS > Controls v7 > 10 Data Recovery Capabilities > 10.04 Protect Backups
• CIS > Controls v7 > 10 Data Recovery Capabilities > 10.05 Ensure Backups Have At least One Non-Continuously Addressable Destination
• CIS > Controls v7 > 11 Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
• CIS > Controls v7 > 11 Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches > 11.01 Maintain Standard Security Configurations for Network Devices
• CIS > Controls v7 > 11 Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches > 11.02 Document Traffic Configuration Rules
• CIS > Controls v7 > 11 Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches > 11.03 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
• CIS > Controls v7 > 11 Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches > 11.04 Install the Latest Stable Version of Any Security-related Updates on All Network Devices
• CIS > Controls v7 > 11 Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches > 11.05 Manage Network Devices Using MultiFactor Authentication and Encrypted Sessions
• CIS > Controls v7 > 11 Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches > 11.06 Use Dedicated Workstations For All Network Administrative Tasks
• CIS > Controls v7 > 11 Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches > 11.07 Manage Network Infrastructure Through a Dedicated Network
• CIS > Controls v7 > 12 Boundary Defense
• CIS > Controls v7 > 12 Boundary Defense > 12.01 Maintain an Inventory of Network Boundaries
• CIS > Controls v7 > 12 Boundary Defense > 12.02 Scan for Unauthorized Connections across Trusted Network Boundaries
• CIS > Controls v7 > 12 Boundary Defense > 12.03 Deny Communications with Known Malicious IP Addresses
• CIS > Controls v7 > 12 Boundary Defense > 12.04 Deny Communication over Unauthorized Ports
• CIS > Controls v7 > 12 Boundary Defense > 12.05 Configure Monitoring Systems to Record Network Packets
• CIS > Controls v7 > 12 Boundary Defense > 12.06 Deploy Networkbased IDS Sensors
• CIS > Controls v7 > 12 Boundary Defense > 12.07 Deploy NetworkBased Intrusion Prevention Systems
• CIS > Controls v7 > 12 Boundary Defense > 12.08 Deploy NetFlow Collection on Networking Boundary Devices
• CIS > Controls v7 > 12 Boundary Defense > 12.09 Deploy Application Layer Filtering Proxy Server
• CIS > Controls v7 > 12 Boundary Defense > 12.10 Decrypt Network Traffic at Proxy
• CIS > Controls v7 > 12 Boundary Defense > 12.11 Require All Remote Logins to Use Multi-factor Authentication
• CIS > Controls v7 > 12 Boundary Defense > 12.12 Manage All Devices Remotely Logging into Internal Network
• CIS > Controls v7 > 13 Data Protection
• CIS > Controls v7 > 13 Data Protection > 13.01 Maintain an Inventory Sensitive Information
• CIS > Controls v7 > 13 Data Protection > 13.02 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
• CIS > Controls v7 > 13 Data Protection > 13.03 Monitor and Block Unauthorized Network Traffic
• CIS > Controls v7 > 13 Data Protection > 13.04 Only Allow Access to Authorized Cloud Storage or Email Providers
• CIS > Controls v7 > 13 Data Protection > 13.05 Monitor and Detect Any Unauthorized Use of Encryption
• CIS > Controls v7 > 13 Data Protection > 13.06 Encrypt the Hard Drive of All Mobile Devices
• CIS > Controls v7 > 13 Data Protection > 13.07 Manage USB Devices
• CIS > Controls v7 > 13 Data Protection > 13.08 Manage System's External Removable Media's Read/write Configurations
• CIS > Controls v7 > 13 Data Protection > 13.09 Encrypt Data on USB Storage Devices
• CIS > Controls v7 > 14 Controlled Access Based on the Need to Know
• CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.01 Segment the Network Based on Sensitivity
• CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.02 Enable Firewall Filtering Between VLANs
• CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.03 Disable Workstation to Workstation Communication
• CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.04 Encrypt All Sensitive Information in Transit
• CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.05 Utilize an Active Discovery Tool to Identify Sensitive Data
• CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.06 Protect Information through Access Control Lists
• CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.07 Enforce Access Control to Data through Automated Tools
• CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.08 Encrypt Sensitive Information at Rest
• CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.09 t Enforce Detail Logging for Access or Changes to Sensitive Data
• CIS > Controls v7 > 15 Wireless Access Control
• CIS > Controls v7 > 15 Wireless Access Control > 15.01 Maintain an Inventory of Authorized Wireless Access Points
• CIS > Controls v7 > 15 Wireless Access Control > 15.02 Detect Wireless Access Points Connected to the Wired Network
• CIS > Controls v7 > 15 Wireless Access Control > 15.03 Use a Wireless Intrusion Detection System
• CIS > Controls v7 > 15 Wireless Access Control > 15.04 Disable Wireless Access on Devices if it is Not Required
• CIS > Controls v7 > 15 Wireless Access Control > 15.05 Limit Wireless Access on Client Devices
• CIS > Controls v7 > 15 Wireless Access Control > 15.06 Disable Peer-to-peer Wireless Network Capabilities on Wireless Clients
• CIS > Controls v7 > 15 Wireless Access Control > 15.07 Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
• CIS > Controls v7 > 15 Wireless Access Control > 15.08 Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
• CIS > Controls v7 > 15 Wireless Access Control > 15.09 Disable Wireless Peripheral Access to Devices
• CIS > Controls v7 > 15 Wireless Access Control > 15.10 Create Separate Wireless Network for Personal and Untrusted Devices
• CIS > Controls v7 > 16 Account Monitoring and Control
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.01 Maintain an Inventory of Authentication Systems
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.02 Configure Centralized Point of Authentication
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.03 Require Multi-factor Authentication
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.04 Encrypt or Hash all Authentication Credentials
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.05 Encrypt Transmittal of Username and Authentication Credentials
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.06 Maintain an Inventory of Accounts
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.07 Establish Process for Revoking Access
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.08 Disable Any Unassociated Accounts
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.09 Disable Dormant Accounts
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.10 Ensure All Accounts Have An Expiration Date
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.11 Lock Workstation Sessions After Inactivity
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.12 Monitor Attempts to Access Deactivated Accounts
• CIS > Controls v7 > 16 Account Monitoring and Control > 16.13 Alert on Account Login Behavior Deviation
• CIS > Controls v7 > 17 Implement a Security Awareness and Training Program
• CIS > Controls v7 > 17 Implement a Security Awareness and Training Program > 17.01 Perform a Skills Gap Analysis
• CIS > Controls v7 > 17 Implement a Security Awareness and Training Program > 17.02 Deliver Training to Fill the Skills Gap
• CIS > Controls v7 > 17 Implement a Security Awareness and Training Program > 17.03 Implement a Security Awareness Program
• CIS > Controls v7 > 17 Implement a Security Awareness and Training Program > 17.04 Update Awareness Content Frequently
• CIS > Controls v7 > 17 Implement a Security Awareness and Training Program > 17.05 Train Workforce on Secure Authentication
• CIS > Controls v7 > 17 Implement a Security Awareness and Training Program > 17.06 Train Workforce on Identifying Social Engineering Attacks
• CIS > Controls v7 > 17 Implement a Security Awareness and Training Program > 17.07 Train Workforce on Sensitive Data Handling
• CIS > Controls v7 > 17 Implement a Security Awareness and Training Program > 17.08 Train Workforce on Causes of Unintentional Data Exposure
• CIS > Controls v7 > 17 Implement a Security Awareness and Training Program > 17.09 Train Workforce Members on Identifying and Reporting Incidents
• CIS > Controls v7 > 18 Application Software Security
• CIS > Controls v7 > 18 Application Software Security > 18.01 Establish Secure Coding Practices
• CIS > Controls v7 > 18 Application Software Security > 18.02 Ensure Explicit Error Checking is Performed for All In-house Developed Software
• CIS > Controls v7 > 18 Application Software Security > 18.03 Verify That Acquired Software is Still Supported
• CIS > Controls v7 > 18 Application Software Security > 18.04 Only Use Up-to-date And Trusted ThirdParty Components
• CIS > Controls v7 > 18 Application Software Security > 18.05 Only Standardized and Extensively Reviewed Encryption Algorithms
• CIS > Controls v7 > 18 Application Software Security > 18.06 Ensure Software Development Personnel are Trained in Secure Coding
• CIS > Controls v7 > 18 Application Software Security > 18.07 Apply Static and Dynamic Code Analysis Tools
• CIS > Controls v7 > 18 Application Software Security > 18.08 Establish a Process to Accept and Address Reports of Software Vulnerabilities
• CIS > Controls v7 > 18 Application Software Security > 18.09 Separate Production and Non-Production Systems
• CIS > Controls v7 > 18 Application Software Security > 18.10 Deploy Web Application Firewalls
• CIS > Controls v7 > 18 Application Software Security > 18.11 Use Standard Hardening Configuration Templates for Databases
• CIS > Controls v7 > 19 Incident Response and Management
• CIS > Controls v7 > 19 Incident Response and Management > 19.01 Document Incident Response Procedures
• CIS > Controls v7 > 19 Incident Response and Management > 19.02 Assign Job Titles and Duties for Incident Response
• CIS > Controls v7 > 19 Incident Response and Management > 19.03 Designate Management Personnel to Support Incident Handling
• CIS > Controls v7 > 19 Incident Response and Management > 19.04 Devise Organization-wide Standards for Reporting Incidents
• CIS > Controls v7 > 19 Incident Response and Management > 19.05 Maintain Contact Information For Reporting Security Incidents
• CIS > Controls v7 > 19 Incident Response and Management > 19.06 Publish Information Regarding Reporting Computer Anomalies and Incidents
• CIS > Controls v7 > 19 Incident Response and Management > 19.07 Conduct Periodic Incident Scenario Sessions for Personnel
• CIS > Controls v7 > 19 Incident Response and Management > 19.08 Create Incident Scoring and Prioritization Schema
• CIS > Controls v7 > 20 Penetration Tests and Red Team Exercises
• CIS > Controls v7 > 20 Penetration Tests and Red Team Exercises > 20.01 Establish a Penetration Testing Program
• CIS > Controls v7 > 20 Penetration Tests and Red Team Exercises > 20.02 Conduct Regular External and Internal Penetration Tests
• CIS > Controls v7 > 20 Penetration Tests and Red Team Exercises > 20.03 Perform Periodic Red Team Exercises
• CIS > Controls v7 > 20 Penetration Tests and Red Team Exercises > 20.04 Include Tests for Presence of Unprotected System Information and Artifacts
• CIS > Controls v7 > 20 Penetration Tests and Red Team Exercises > 20.05 Create a Test Bed for Elements Not Typically Tested in Production
• CIS > Controls v7 > 20 Penetration Tests and Red Team Exercises > 20.06 Use Vulnerability Scanning and Penetration Testing Tools in Concert
• CIS > Controls v7 > 20 Penetration Tests and Red Team Exercises > 20.07 Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
• CIS > Controls v7 > 20 Penetration Tests and Red Team Exercises > 20.08 Control and Monitor Accounts Associated with Penetration Testing

Release Notes

5.0.1 (2024-04-24)

Bug fixes

• Fixed control category names for v7.2.10, v7.7.10 and v7.14.1.