| Category | CIS Safeguard # | NIST Security Function | CIS Safeguard Title | CIS Safeguard Description | Type |
|---|---|---|---|---|---|
| **Identify** | | | | | |
| Know Your Environment | 1.1 | Identify | Establish and Maintain Detailed Enterprise Asset Inventory | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. | Foundational |
| Know Your Environment | 2.1 | Identify | Establish and Maintain a Software Inventory | Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. | Foundational |
| Know Your Environment | 2.2 | Identify | Ensure Authorized Software is Currently Supported | Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. | Actionable |
| Know Your Environment | 3.1 | Identify | Establish and Maintain a Data Management Process | Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | Foundational |
| Know Your Environment | 5.1 | Identify | Establish and Maintain an Inventory of Accounts | Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. | Foundational |
| **Protect** | | | | | |
| Secure Configurations | 4.1 | Protect | Establish and Maintain a Secure Configuration Process | Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | Foundational |
| Secure Configurations | 4.2 | Protect | Establish and Maintain a Secure Configuration Process for Network Infrastructure | Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | Foundational |
| Secure Configurations | 4.4 | Protect | Implement and Manage a Firewall on Servers | Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. | Actionable |
| Secure Configurations | 4.7 | Protect | Manage Default Accounts on Enterprise Assets and Software | Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. | Actionable |
| Account and Access Management | 5.2 | Protect | Use Unique Passwords | Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. | Actionable |
| Account and Access Management | 5.3 | Protect | Disable Dormant Accounts | Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. | Actionable |
| Account and Access Management | 5.4 | Protect | Restrict Administrator Privileges to Dedicated Administrator Accounts | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. | Actionable |
| Account and Access Management | 6.1 | Protect | Establish an Access Granting Process | Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user. | Foundational |
| Account and Access Management | 6.2 | Protect | Establish an Access Revoking Process | Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. | Foundational |
| Account and Access Management | 6.3 | Protect | Require MFA for Externally-Exposed Applications | Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. | Actionable |
| Account and Access Management | 6.4 | Protect | Require MFA for Remote Network Access | Require MFA for remote network access. | Actionable |
| Account and Access Management | 6.5 | Protect | Require MFA for Administrative Access | Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider. | Actionable |
| Vulnerability Management Planning | 7.1 | Protect | Establish and Maintain a Vulnerability Management Process | Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | Foundational |
| Vulnerability Management Planning | 7.2 | Protect | Establish and Maintain a Remediation Process | Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. | Foundational |
| Vulnerability Management Planning | 7.3 | Protect | Perform Automated Operating System Patch Management | Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | Actionable |
| Vulnerability Management Planning | 7.4 | Protect | Perform Automated Application Patch Management | Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | Actionable |
| Vulnerability Management Planning | 12.1 | Protect | Ensure Network Infrastructure is Up-to-Date | Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. | Actionable |
| Malware Defense | 9.1 | Protect | Ensure Use of Only Fully Supported Browsers and Email Clients | Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. | Actionable |
| Malware Defense | 9.2 | Protect | Use DNS Filtering Services | Use DNS filtering services on all enterprise assets to block access to known malicious domains. | Actionable |
| Malware Defense | 10.1 | Protect | Deploy and Maintain Anti-Malware Software | Deploy and maintain anti-malware software on all enterprise assets. | Actionable |
| Malware Defense | 10.2 | Protect | Configure Automatic Anti-Malware Signature Updates | Configure automatic updates for anti-malware signature files on all enterprise assets. | Actionable |
| Malware Defense | 10.3 | Protect | Disable Autorun and Autoplay for Removable Media | Disable autorun and autoplay auto-execute functionality for removable media. | Actionable |
| Security Awareness & Skills Training | 14.1 | Protect | Establish and Maintain a Security Awareness Program | Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. | Foundational |
| Security Awareness & Skills Training | 14.2 | Protect | Train Workforce Members to Recognize Social Engineering Attacks | Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating. | Actionable |
| Security Awareness & Skills Training | 14.6 | Protect | Train Workforce Members on Recognizing and Reporting Security Incidents | Train workforce members to be able to recognize a potential incident and be able to report such an incident. | Actionable |
| **Detect** | | | | | |
| **Respond** | | | | | |
| Data Recovery & Incident Response | 17.1 | Respond | Designate Personnel to Manage Incident Handling | Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. | Actionable |
| Data Recovery & Incident Response | 17.2 | Respond | Establish and Maintain Contact Information for Reporting Security Incidents | Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. | Actionable |
| Data Recovery & Incident Response | 17.3 | Respond | Establish and Maintain an Enterprise Process for Reporting Incidents | Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. | Foundational |
| Data Recovery & Incident Response | 8.1 | Respond | Establish and Maintain an Audit Log Management Process | Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | Foundational |
| Data Recovery & Incident Response | 8.2 | Respond | Collect Audit Logs | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. | Actionable |
| Data Recovery & Incident Response | 8.3 | Respond | Ensure Adequate Audit Log Storage | Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. | Actionable |
| **Recover** | | | | | |
| Data Recovery & Incident Response | 11.1 | Recover | Establish and Maintain a Data Recovery Process | Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | Foundational |
| Data Recovery & Incident Response | 11.2 | Recover | Perform Automated Backups | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. | Actionable |
| Data Recovery & Incident Response | 11.3 | Recover | Protect Recovery Data | Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. | Actionable |
| Data Recovery & Incident Response | 11.4 | Recover | Establish and Maintain an Isolated Instance of Recovery Data | Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services. | Actionable |