A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | CIS Control | CIS Safeguard | Asset Type | Security Function | Title | Description | IG1 | IG2 | IG3 | |||||||||||||||||
2 | 1 | Inventory and Control of Enterprise Assets | Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. | |||||||||||||||||||||||
3 | 1 | 1.1 | Devices | Identify | Establish and Maintain Detailed Enterprise Asset Inventory | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. | x | x | x | |||||||||||||||||
4 | 1 | 1.2 | Devices | Respond | Address Unauthorized Assets | Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. | x | x | x | |||||||||||||||||
5 | 1 | 1.3 | Devices | Detect | Utilize an Active Discovery Tool | Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently. | x | x | ||||||||||||||||||
6 | 1 | 1.4 | Devices | Identify | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently. | x | x | ||||||||||||||||||
7 | 1 | 1.5 | Devices | Detect | Use a Passive Asset Discovery Tool | Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently. | x | |||||||||||||||||||
8 | 2 | Inventory and Control of Software Assets | Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. | |||||||||||||||||||||||
9 | 2 | 2.1 | Applications | Identify | Establish and Maintain a Software Inventory | Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. | x | x | x | |||||||||||||||||
10 | 2 | 2.2 | Applications | Identify | Ensure Authorized Software is Currently Supported | Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. | x | x | x | |||||||||||||||||
11 | 2 | 2.3 | Applications | Respond | Address Unauthorized Software | Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. | x | x | x | |||||||||||||||||
12 | 2 | 2.4 | Applications | Detect | Utilize Automated Software Inventory Tools | Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software. | x | x | ||||||||||||||||||
13 | 2 | 2.5 | Applications | Protect | Allowlist Authorized Software | Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. | x | x | ||||||||||||||||||
14 | 2 | 2.6 | Applications | Protect | Allowlist Authorized Libraries | Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. | x | x | ||||||||||||||||||
15 | 2 | 2.7 | Applications | Protect | Allowlist Authorized Scripts | Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. | x | |||||||||||||||||||
16 | 3 | Data Protection | Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. | |||||||||||||||||||||||
17 | 3 | 3.1 | Data | Identify | Establish and Maintain a Data Management Process | Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x | |||||||||||||||||
18 | 3 | 3.2 | Data | Identify | Establish and Maintain a Data Inventory | Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. | x | x | x | |||||||||||||||||
19 | 3 | 3.3 | Data | Protect | Configure Data Access Control Lists | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. | x | x | x | |||||||||||||||||
20 | 3 | 3.4 | Data | Protect | Enforce Data Retention | Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines. | x | x | x | |||||||||||||||||
21 | 3 | 3.5 | Data | Protect | Securely Dispose of Data | Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity. | x | x | x | |||||||||||||||||
22 | 3 | 3.6 | Devices | Protect | Encrypt Data on End-User Devices | Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. | x | x | x | |||||||||||||||||
23 | 3 | 3.7 | Data | Identify | Establish and Maintain a Data Classification Scheme | Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | ||||||||||||||||||
24 | 3 | 3.8 | Data | Identify | Document Data Flows | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | ||||||||||||||||||
25 | 3 | 3.9 | Data | Protect | Encrypt Data on Removable Media | Encrypt data on removable media. | x | x | ||||||||||||||||||
26 | 3 | 3.10 | Data | Protect | Encrypt Sensitive Data in Transit | Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). | x | x | ||||||||||||||||||
27 | 3 | 3.11 | Data | Protect | Encrypt Sensitive Data at Rest | Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. | x | x | ||||||||||||||||||
28 | 3 | 3.12 | Network | Protect | Segment Data Processing and Storage Based on Sensitivity | Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. | x | x | ||||||||||||||||||
29 | 3 | 3.13 | Data | Protect | Deploy a Data Loss Prevention Solution | Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory. | x | |||||||||||||||||||
30 | 3 | 3.14 | Data | Detect | Log Sensitive Data Access | Log sensitive data access, including modification and disposal. | x | |||||||||||||||||||
31 | 4 | Secure Configuration of Enterprise Assets and Software | Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). | |||||||||||||||||||||||
32 | 4 | 4.1 | Applications | Protect | Establish and Maintain a Secure Configuration Process | Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x | |||||||||||||||||
33 | 4 | 4.2 | Network | Protect | Establish and Maintain a Secure Configuration Process for Network Infrastructure | Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x | |||||||||||||||||
34 | 4 | 4.3 | Users | Protect | Configure Automatic Session Locking on Enterprise Assets | Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. | x | x | x | |||||||||||||||||
35 | 4 | 4.4 | Devices | Protect | Implement and Manage a Firewall on Servers | Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. | x | x | x | |||||||||||||||||
36 | 4 | 4.5 | Devices | Protect | Implement and Manage a Firewall on End-User Devices | Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. | x | x | x | |||||||||||||||||
37 | 4 | 4.6 | Network | Protect | Securely Manage Enterprise Assets and Software | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. | x | x | x | |||||||||||||||||
38 | 4 | 4.7 | Users | Protect | Manage Default Accounts on Enterprise Assets and Software | Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. | x | x | x | |||||||||||||||||
39 | 4 | 4.8 | Devices | Protect | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. | x | x | ||||||||||||||||||
40 | 4 | 4.9 | Devices | Protect | Configure Trusted DNS Servers on Enterprise Assets | Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. | x | x | ||||||||||||||||||
41 | 4 | 4.10 | Devices | Respond | Enforce Automatic Device Lockout on Portable End-User Devices | Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts. | x | x | ||||||||||||||||||
42 | 4 | 4.11 | Devices | Protect | Enforce Remote Wipe Capability on Portable End-User Devices | Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise. | x | x | ||||||||||||||||||
43 | 4 | 4.12 | Devices | Protect | Separate Enterprise Workspaces on Mobile End-User Devices | Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data. | x | |||||||||||||||||||
44 | 5 | Account Management | Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. | |||||||||||||||||||||||
45 | 5 | 5.1 | Users | Identify | Establish and Maintain an Inventory of Accounts | Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. | x | x | x | |||||||||||||||||
46 | 5 | 5.2 | Users | Protect | Use Unique Passwords | Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. | x | x | x | |||||||||||||||||
47 | 5 | 5.3 | Users | Respond | Disable Dormant Accounts | Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. | x | x | x | |||||||||||||||||
48 | 5 | 5.4 | Users | Protect | Restrict Administrator Privileges to Dedicated Administrator Accounts | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. | x | x | x | |||||||||||||||||
49 | 5 | 5.5 | Users | Identify | Establish and Maintain an Inventory of Service Accounts | Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. | x | x | ||||||||||||||||||
50 | 5 | 5.6 | Users | Protect | Centralize Account Management | Centralize account management through a directory or identity service. | x | x | ||||||||||||||||||
51 | 6 | Access Control Management | Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. | |||||||||||||||||||||||
52 | 6 | 6.1 | Users | Protect | Establish an Access Granting Process | Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user. | x | x | x | |||||||||||||||||
53 | 6 | 6.2 | Users | Protect | Establish an Access Revoking Process | Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. | x | x | x | |||||||||||||||||
54 | 6 | 6.3 | Users | Protect | Require MFA for Externally-Exposed Applications | Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. | x | x | x | |||||||||||||||||
55 | 6 | 6.4 | Users | Protect | Require MFA for Remote Network Access | Require MFA for remote network access. | x | x | x | |||||||||||||||||
56 | 6 | 6.5 | Users | Protect | Require MFA for Administrative Access | Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider. | x | x | x | |||||||||||||||||
57 | 6 | 6.6 | Users | Identify | Establish and Maintain an Inventory of Authentication and Authorization Systems | Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. | x | x | ||||||||||||||||||
58 | 6 | 6.7 | Users | Protect | Centralize Access Control | Centralize access control for all enterprise assets through a directory service or SSO provider, where supported. | x | x | ||||||||||||||||||
59 | 6 | 6.8 | Data | Protect | Define and Maintain Role-Based Access Control | Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. | x | |||||||||||||||||||
60 | 7 | Continuous Vulnerability Management | Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. | |||||||||||||||||||||||
61 | 7 | 7.1 | Applications | Protect | Establish and Maintain a Vulnerability Management Process | Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x | |||||||||||||||||
62 | 7 | 7.2 | Applications | Respond | Establish and Maintain a Remediation Process | Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. | x | x | x | |||||||||||||||||
63 | 7 | 7.3 | Applications | Protect | Perform Automated Operating System Patch Management | Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | x | x | x | |||||||||||||||||
64 | 7 | 7.4 | Applications | Protect | Perform Automated Application Patch Management | Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | x | x | x | |||||||||||||||||
65 | 7 | 7.5 | Applications | Identify | Perform Automated Vulnerability Scans of Internal Enterprise Assets | Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool. | x | x | ||||||||||||||||||
66 | 7 | 7.6 | Applications | Identify | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis. | x | x | ||||||||||||||||||
67 | 7 | 7.7 | Applications | Respond | Remediate Detected Vulnerabilities | Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process. | x | x | ||||||||||||||||||
68 | 8 | Audit Log Management | Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. | |||||||||||||||||||||||
69 | 8 | 8.1 | Network | Protect | Establish and Maintain an Audit Log Management Process | Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x | |||||||||||||||||
70 | 8 | 8.2 | Network | Detect | Collect Audit Logs | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. | x | x | x | |||||||||||||||||
71 | 8 | 8.3 | Network | Protect | Ensure Adequate Audit Log Storage | Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. | x | x | x | |||||||||||||||||
72 | 8 | 8.4 | Network | Protect | Standardize Time Synchronization | Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. | x | x | ||||||||||||||||||
73 | 8 | 8.5 | Network | Detect | Collect Detailed Audit Logs | Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. | x | x | ||||||||||||||||||
74 | 8 | 8.6 | Network | Detect | Collect DNS Query Audit Logs | Collect DNS query audit logs on enterprise assets, where appropriate and supported. | x | x | ||||||||||||||||||
75 | 8 | 8.7 | Network | Detect | Collect URL Request Audit Logs | Collect URL request audit logs on enterprise assets, where appropriate and supported. | x | x | ||||||||||||||||||
76 | 8 | 8.8 | Devices | Detect | Collect Command-Line Audit Logs | Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals. | x | x | ||||||||||||||||||
77 | 8 | 8.9 | Network | Detect | Centralize Audit Logs | Centralize, to the extent possible, audit log collection and retention across enterprise assets. | x | x | ||||||||||||||||||
78 | 8 | 8.10 | Network | Protect | Retain Audit Logs | Retain audit logs across enterprise assets for a minimum of 90 days. | x | x | ||||||||||||||||||
79 | 8 | 8.11 | Network | Detect | Conduct Audit Log Reviews | Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. | x | x | ||||||||||||||||||
80 | 8 | 8.12 | Data | Detect | Collect Service Provider Logs | Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events. | x | |||||||||||||||||||
81 | 9 | Email and Web Browser Protections | Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. | |||||||||||||||||||||||
82 | 9 | 9.1 | Applications | Protect | Ensure Use of Only Fully Supported Browsers and Email Clients | Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. | x | x | x | |||||||||||||||||
83 | 9 | 9.2 | Network | Protect | Use DNS Filtering Services | Use DNS filtering services on all enterprise assets to block access to known malicious domains. | x | x | x | |||||||||||||||||
84 | 9 | 9.3 | Network | Protect | Maintain and Enforce Network-Based URL Filters | Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. | x | x | ||||||||||||||||||
85 | 9 | 9.4 | Applications | Protect | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications. | x | x | ||||||||||||||||||
86 | 9 | 9.5 | Network | Protect | Implement DMARC | To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. | x | x | ||||||||||||||||||
87 | 9 | 9.6 | Network | Protect | Block Unnecessary File Types | Block unnecessary file types attempting to enter the enterprise’s email gateway. | x | x | ||||||||||||||||||
88 | 9 | 9.7 | Network | Protect | Deploy and Maintain Email Server Anti-Malware Protections | Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing. | x | |||||||||||||||||||
89 | 10 | Malware Defenses | Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. | |||||||||||||||||||||||
90 | 10 | 10.1 | Devices | Protect | Deploy and Maintain Anti-Malware Software | Deploy and maintain anti-malware software on all enterprise assets. | x | x | x | |||||||||||||||||
91 | 10 | 10.2 | Devices | Protect | Configure Automatic Anti-Malware Signature Updates | Configure automatic updates for anti-malware signature files on all enterprise assets. | x | x | x | |||||||||||||||||
92 | 10 | 10.3 | Devices | Protect | Disable Autorun and Autoplay for Removable Media | Disable autorun and autoplay auto-execute functionality for removable media. | x | x | x | |||||||||||||||||
93 | 10 | 10.4 | Devices | Detect | Configure Automatic Anti-Malware Scanning of Removable Media | Configure anti-malware software to automatically scan removable media. | x | x | ||||||||||||||||||
94 | 10 | 10.5 | Devices | Protect | Enable Anti-Exploitation Features | Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™. | x | x | ||||||||||||||||||
95 | 10 | 10.6 | Devices | Protect | Centrally Manage Anti-Malware Software | Centrally manage anti-malware software. | x | x | ||||||||||||||||||
96 | 10 | 10.7 | Devices | Detect | Use Behavior-Based Anti-Malware Software | Use behavior-based anti-malware software. | x | x | ||||||||||||||||||
97 | 11 | Data Recovery | Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. | |||||||||||||||||||||||
98 | 11 | 11.1 | Data | Recover | Establish and Maintain a Data Recovery Process | Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x | |||||||||||||||||
99 | 11 | 11.2 | Data | Recover | Perform Automated Backups | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. | x | x | x | |||||||||||||||||
100 | 11 | 11.3 | Data | Protect | Protect Recovery Data | Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. | x | x | x |