CIS V8 (153 requirements)
CIS Controls v8
Requirements in this framework
- Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
- Safeguard 1.2: Address Unauthorized Assets
- Safeguard 1.3: Utilize an Active Discovery Tool
- Safeguard 1.4: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
- Safeguard 1.5: Use a Passive Asset Discovery Tool
- Safeguard 10.1: Deploy and Maintain Anti-Malware Software
- Safeguard 10.2: Configure Automatic Anti-Malware Signature Updates
- Safeguard 10.3: Disable Autorun and Autoplay for Removable Media
- Safeguard 10.4: Configure Automatic Anti-Malware Scanning of Removable Media
- Safeguard 10.5: Enable Anti-Exploitation Features
- Safeguard 10.6: Centrally Manage Anti-Malware Software
- Safeguard 10.7: Use Behavior-Based Anti-Malware Software
- Safeguard 11.1: Establish and Maintain a Data Recovery Process
- Safeguard 11.2: Perform Automated Backups
- Safeguard 11.3: Protect Recovery Data
- Safeguard 11.4: Establish and Maintain an Isolated Instance of Recovery Data
- Safeguard 11.5: Test Data Recovery
- Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date
- Safeguard 12.2: Establish and Maintain a Secure Network Architecture
- Safeguard 12.3: Securely Manage Network Infrastructure
- Safeguard 12.4: Establish and Maintain Architecture Diagram(s)
- Safeguard 12.5: Centralize Network Authentication, Authorization, and Auditing (AAA)
- Safeguard 12.6: Use of Secure Network Management and Communication Protocols
- Safeguard 12.7: Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure
- Safeguard 12.8: Establish and Maintain Dedicated Computing Resources For all Administrative Work
- Safeguard 13.1: Centralize Security Event Alerting
- Safeguard 13.10: Perform Application Layer Filtering
- Safeguard 13.11: Tune Security Event Alerting Thresholds
- Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution
- Safeguard 13.3: Deploy a Network Intrusion Detection Solution
- Safeguard 13.4: Perform Traffic Filtering Between Network Segments
- Safeguard 13.5: Manage Access Control for Remote Assets
- Safeguard 13.6: Collect Network Traffic Flow Logs
- Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution
- Safeguard 13.8: Deploy a Network Intrusion Prevention Solution
- Safeguard 13.9: Deploy Port-Level Access Control
- Safeguard 14.1: Establish and Maintain a Security Awareness Program
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks
- Safeguard 14.3: Train Workforce Members on Authentication Best Practices
- Safeguard 14.4: Train Workforce on Data Handling Best Practices
- Safeguard 14.5: Train Workforce Members on Causes of Unintentional Data Exposure
- Safeguard 14.6: Train Workforce Members on Recognizing and Reporting Security Incidents
- Safeguard 14.7: Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
- Safeguard 14.8: Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
- Safeguard 14.9: Conduct Role-Specific Security Awareness and Skills Training
- Safeguard 15.1: Establish and Maintain an Inventory of Service Providers
- Safeguard 15.2: Establish and Maintain a Service Provider Management Policy
- Safeguard 15.3: Classify Service Providers
- Safeguard 15.4: Ensure Service Provider Contracts Include Security Requirements
- Safeguard 15.5: Assess Service Providers
- Safeguard 15.6: Monitor Service Providers
- Safeguard 15.7: Securely Decommission Service Providers
- Safeguard 16.1: Establish and Maintain a Secure Application Development Process
- Safeguard 16.10: Apply Secure Design Principles in Application Architectures
- Safeguard 16.11: Leverage Vetted Modules or Services for Application Security Components
- Safeguard 16.12: Implement Code-Level Security Checks
- Safeguard 16.13: Conduct Application Penetration Testing
- Safeguard 16.14: Conduct Threat Modeling
- Safeguard 16.2: Establish and Maintain a Process to Accept and Address Software Vulnerabilities
- Safeguard 16.3: Perform Root Cause Analysis on Security Vulnerabilities
- Safeguard 16.4: Establish and Manage an Inventory of Third-Party Software Components
- Safeguard 16.5: Use Up-to-Date and Trusted Third-Party Software Components
- Safeguard 16.6: Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
- Safeguard 16.7: Use Standard Hardening Configuration Templates for Application Infrastructure
- Safeguard 16.8: Separate Production and Non-Production Systems
- Safeguard 16.9: Train Developers in Application Security Concepts and Secure Coding
- Safeguard 17.1: Designate Personnel to Manage Incident Handling
- Safeguard 17.2: Establish and Maintain Contact Information for Reporting Security Incidents
- Safeguard 17.3: Establish and Maintain an Enterprise Process for Reporting Incidents
- Safeguard 17.4: Establish and Maintain an Incident Response Process
- Safeguard 17.5: Assign Key Roles and Responsibilities
- Safeguard 17.6: Define Mechanisms for Communicating During Incident Response
- Safeguard 17.7: Conduct Routine Incident Response Exercises
- Safeguard 17.8: Conduct Post-Incident Reviews
- Safeguard 17.9: Establish and Maintain Security Incident Thresholds
- Safeguard 18.1: Establish and Maintain a Penetration Testing Program
- Safeguard 18.2: Perform Periodic External Penetration Tests
- Safeguard 18.3: Remediate Penetration Test Findings
- Safeguard 18.4: Validate Security Measures
- Safeguard 18.5: Perform Periodic Internal Penetration Tests
- Safeguard 2.1: Establish and Maintain a Software Inventory
- Safeguard 2.2: Ensure Authorized Software is Currently Supported
- Safeguard 2.3: Address Unauthorized Software
- Safeguard 2.4: Utilize Automated Software Inventory Tools
- Safeguard 2.5: Allowlist Authorized Software
- Safeguard 2.6: Allowlist Authorized Libraries
- Safeguard 2.7: Allowlist Authorized Scripts
- Safeguard 3.1: Establish and Maintain a Data Management Process
- Safeguard 3.10: Encrypt Sensitive Data in Transit
- Safeguard 3.11: Encrypt Sensitive Data at Rest
- Safeguard 3.12: Segment Data Processing and Storage Based on Sensitivity
- Safeguard 3.13: Deploy a Data Loss Prevention Solution
- Safeguard 3.14: Log Sensitive Data Access
- Safeguard 3.2: Establish and Maintain a Data Inventory
- Safeguard 3.3: Configure Data Access Control Lists
- Safeguard 3.4: Enforce Data Retention
- Safeguard 3.5: Securely Dispose of Data
- Safeguard 3.6: Encrypt Data on End-User Devices
- Safeguard 3.7: Establish and Maintain a Data Classification Scheme
- Safeguard 3.8: Document Data Flows
- Safeguard 3.9: Encrypt Data on Removable Media
- Safeguard 4.1: Establish and Maintain a Secure Configuration Process
- Safeguard 4.10: Enforce Automatic Device Lockout on Portable End-User Devices
- Safeguard 4.11: Enforce Remote Wipe Capability on Portable End-User Devices
- Safeguard 4.12: Separate Enterprise Workspaces on Mobile End-User Devices
- Safeguard 4.2: Establish and Maintain a Secure Configuration Process for Network Infrastructure
- Safeguard 4.3: Configure Automatic Session Locking on Enterprise Assets
- Safeguard 4.4: Implement and Manage a Firewall on Servers
- Safeguard 4.5: Implement and Manage a Firewall on End-User Devices
- Safeguard 4.6: Securely Manage Enterprise Assets and Software
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software
- Safeguard 4.8: Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
- Safeguard 4.9: Configure Trusted DNS Servers on Enterprise Assets
- Safeguard 5.1: Establish and Maintain an Inventory of Accounts
- Safeguard 5.2: Use Unique Passwords
- Safeguard 5.3: Disable Dormant Accounts
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts
- Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts
- Safeguard 5.6: Centralize Account Management
- Safeguard 6.1: Establish an Access Granting Process
- Safeguard 6.2: Establish an Access Revoking Process
- Safeguard 6.3: Require MFA for Externally-Exposed Applications
- Safeguard 6.4: Require MFA for Remote Network Access
- Safeguard 6.5: Require MFA for Administrative Access
- Safeguard 6.6: Establish and Maintain an Inventory of Authentication and Authorization Systems
- Safeguard 6.7: Centralize Access Control
- Safeguard 6.8: Define and Maintain Role-Based Access Control
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process
- Safeguard 7.2: Establish and Maintain a Remediation Process
- Safeguard 7.3: Perform Automated Operating System Patch Management
- Safeguard 7.4: Perform Automated Application Patch Management
- Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets
- Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
- Safeguard 7.7: Remediate Detected Vulnerabilities
- Safeguard 8.1: Establish and Maintain an Audit Log Management Process
- Safeguard 8.10: Retain Audit Logs
- Safeguard 8.11: Conduct Audit Log Reviews
- Safeguard 8.12: Collect Service Provider Logs
- Safeguard 8.2: Collect Audit Logs
- Safeguard 8.3: Ensure Adequate Audit Log Storage
- Safeguard 8.4: Standardize Time Synchronization
- Safeguard 8.5: Collect Detailed Audit Logs
- Safeguard 8.6: Collect DNS Query Audit Logs
- Safeguard 8.7: Collect URL Request Audit Logs
- Safeguard 8.8: Collect Command-Line Audit Logs
- Safeguard 8.9: Centralize Audit Logs
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients
- Safeguard 9.2: Use DNS Filtering Services
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters
- Safeguard 9.4: Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
- Safeguard 9.5: Implement DMARC
- Safeguard 9.6: Block Unnecessary File Types
- Safeguard 9.7: Deploy and Maintain Email Server Anti-Malware Protections