0% found this document useful (0 votes)

88 views130 pages

CIS Controls v8 Mapping To NCSC Cyber Assessment Framework 2 2023

Uploaded by

Ka Mi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

88 views130 pages

CIS Controls v8 Mapping To NCSC Cyber Assessment Framework 2 2023

Uploaded by

Ka Mi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

You are on page 1/ 130

This document contains mappings of the CIS Critical Security Controls (CIS Controls) and CIS Safeguards t

Cyber Assessment Framework v3.1

Last updated January 2023
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

Editor
Thomas Sager
License for Use

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
the prior approval of CIS® (Center for Internet Security, Inc.).
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-

are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to
Mapping Methodology
Mapping Methodology

This page describes the methodology used to map the CIS Critical Security Controls to National Cyber Sec
Reference link for NCSC Cyber Assessment Framework v3.1: https://www.ncsc.gov.uk/files/Cyber-Assess

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
It is not enough for two Controls to be related, it must be clear that implementing one control will Contribute
The general strategy used is to identify all of the aspects within a Control and attempt to discern if both item

CIS Control 6.1 - Establish an Access Granting Process

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h

For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m

The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.
If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
Remember to download the CIS Controls Version 8 Guide where you can learn more about:

- This Version of the CIS Controls

- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Controls critical
- Procedures and tools
https://www.cisecurity.org/controls/v8/

A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/

Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
CIS Security
CIS Safeguard Asset Type
Control Function
1

1 1.1 Devices Identify

1 1.2 Devices Respond

1 1.3 Devices Detect

1 1.4 Devices Identify

1 1.5 Devices Detect

2
2 2.1 Applications Identify

2 2.2 Applications Identify

2 2.3 Applications Respond

2 2.4 Applications Detect

2 2.5 Applications Protect

2 2.6 Applications Protect

2 2.7 Applications Protect

3 3.1 Data Identify

3 3.2 Data Identify

3 3.3 Data Protect

3 3.4 Data Protect

3 3.5 Data Protect

3 3.6 Devices Protect

3 3.7 Data Identify

3 3.8 Data Identify

3 3.9 Data Protect

3 3.10 Data Protect

3 3.11 Data Protect

3 3.12 Network Protect

3 3.13 Data Protect

3 3.14 Data Detect

4
4 4.1 Applications Protect

4 4.1 Applications Protect

4 4.2 Network Protect

4 4.3 Users Protect

4 4.4 Devices Protect

4 4.5 Devices Protect

4 4.6 Network Protect

4 4.7 Users Protect

4 4.8 Devices Protect

4 4.9 Devices Protect

4 4.10 Devices Respond

4 4.11 Devices Protect

4 4.12 Devices Protect

5 5.1 Users Identify

5 5.2 Users Protect

5 5.3 Users Respond

5 5.4 Users Protect

5 5.5 Users Identify

5 5.6 Users Protect

6 6.1 Users Protect

6 6.2 Users Protect

6 6.3 Users Protect

6 6.4 Users Protect

6 6.5 Users Protect

6 6.6 Users Identify

6 6.7 Users Protect

6 6.8 Data Protect

7 7.1 Applications Protect

7 7.2 Applications Respond

7 7.3 Applications Protect

7 7.4 Applications Protect

7 7.5 Applications Identify

7 7.6 Applications Identify

7 7.7 Applications Respond

8 8.1 Network Protect

8 8.2 Network Detect

8 8.3 Network Protect

8 8.4 Network Protect

8 8.5 Network Detect

8 8.6 Network Detect

8 8.7 Network Detect

8 8.8 Devices Detect

8 8.9 Network Detect

8 8.10 Network Protect

8 8.11 Network Detect

8 8.12 Data Detect

9 9.1 Applications Protect

9 9.2 Network Protect

9 9.3 Network Protect

9 9.4 Applications Protect

9 9.5 Network Protect

9 9.6 Network Protect

9 9.7 Network Protect

10
10 10.1 Devices Protect

10 10.2 Devices Protect

10 10.3 Devices Protect

10 10.4 Devices Detect

10 10.5 Devices Protect

10 10.6 Devices Protect

10 10.7 Devices Detect

11 11.1 Data Recover

11 11.2 Data Recover

11 11.3 Data Protect

11 11.4 Data Recover

11 11.5 Data Recover

12 12.1 Network Protect

12 12.2 Network Protect

12 12.3 Network Protect

12 12.4 Network Identify

12 12.5 Network Protect

12 12.6 Network Protect

12 12.7 Devices Protect

12 12.8 Devices Protect

13 13.1 Network Detect

13 13.2 Devices Detect

13 13.3 Network Detect

13 13.4 Network Protect

13 13.5 Devices Protect

13 13.6 Network Detect

13 13.7 Devices Protect

13 13.8 Network Protect

13 13.9 Devices Protect

13 13.10 Network Protect

13 13.11 Network Detect

14 14.1 N/A Protect

14 14.2 N/A Protect

14 14.3 N/A Protect

14 14.4 N/A Protect

14 14.5 N/A Protect

14 14.6 N/A Protect

14 14.7 N/A Protect

14 14.8 N/A Protect

14 14.9 N/A Protect

15 15.1 N/A Identify

15 15.2 N/A Identify

15 15.3 N/A Identify

15 15.4 N/A Protect

15 15.5 N/A Identify

15 15.6 Data Detect

15 15.7 Data Protect

16 16.1 Applications Protect

16 16.2 Applications Protect

16 16.3 Applications Protect

16 16.4 Applications Protect

16 16.5 Applications Protect

16 16.6 Applications Protect

16 16.7 Applications Protect

16 16.8 Applications Protect

16 16.9 Applications Protect

16 16.10 Applications Protect

16 16.11 Applications Protect

16 16.12 Applications Protect

16 16.13 Applications Protect

16 16.14 Applications Protect

17
17 17.1 N/A Respond

17 17.2 N/A Respond

17 17.3 N/A Respond

17 17.4 N/A Respond

17 17.5 N/A Respond

17 17.6 N/A Respond

17 17.7 N/A Recover

17 17.8 N/A Recover

17 17.9 N/A Recover

18 18.1 N/A Identify

18 18.2 Network Identify

18 18.3 Network Protect

18 18.4 Network Protect

18 18.5 N/A Identify

Title

Inventory and Control of Enterprise Assets

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including p
mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected t
infrastructure physically, virtually, remotely, and those within cloud environments, to accurately kn
totality of assets that need to be monitored and protected within the enterprise. This will also suppo
identifying unauthorized and unmanaged assets to remove or remediate.

Establish and Maintain Detailed

Enterprise Asset Inventory

Address Unauthorized Assets

Utilize an Active Discovery Tool

Use Dynamic Host

Configuration Protocol (DHCP)
Logging to Update Enterprise
Asset Inventory

Use a Passive Asset Discovery

Tool

Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) o
network so that only authorized software is installed and can execute, and that unauthorized and u
software is found and prevented from installation or execution.
Establish and Maintain a
Software Inventory

Ensure Authorized Software is

Currently Supported

Address Unauthorized Software

Utilize Automated Software

Inventory Tools

Allowlist Authorized Software

Allowlist Authorized Libraries

Allowlist Authorized Scripts

Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose

Establish and Maintain a Data

Management Process
Establish and Maintain a Data
Inventory

Establish and Maintain a Data

Inventory

Configure Data Access Control

Lists

Configure Data Access Control

Lists

Enforce Data Retention

Securely Dispose of Data

Encrypt Data on End-User

Devices
Establish and Maintain a Data
Classification Scheme

Document Data Flows

Encrypt Data on Removable

Media

Encrypt Sensitive Data in

Transit

Encrypt Sensitive Data at Rest

Segment Data Processing and

Storage Based on Sensitivity

Deploy a Data Loss Prevention

Solution

Log Sensitive Data Access

Secure Configuration of Enterprise Assets and Software

Establish and maintain the secure configuration of enterprise assets (end-user devices, including p
mobile; network devices; non-computing/IoT devices; and servers) and software (operating system
applications).
Establish and Maintain a
Secure Configuration Process

Establish and Maintain a

Secure Configuration Process

Establish and Maintain a

Secure Configuration Process
for Network Infrastructure

Configure Automatic Session

Locking on Enterprise Assets

Implement and Manage a

Firewall on Servers

Implement and Manage a

Firewall on End-User Devices

Securely Manage Enterprise

Assets and Software

Manage Default Accounts on

Enterprise Assets and Software

Uninstall or Disable
Unnecessary Services on
Enterprise Assets and Software

Configure Trusted DNS Servers

on Enterprise Assets

Enforce Automatic Device

Lockout on Portable End-User
Devices
Enforce Remote Wipe
Capability on Portable End-User
Devices

Separate Enterprise
Workspaces on Mobile End-
User Devices

Account Management

Use processes and tools to assign and manage authorization to credentials for user accounts, inclu
administrator accounts, as well as service accounts, to enterprise assets and software.

Establish and Maintain an

Inventory of Accounts

Use Unique Passwords

Disable Dormant Accounts

Restrict Administrator Privileges

to Dedicated Administrator
Accounts

Establish and Maintain an

Inventory of Service Accounts

Centralize Account
Management
Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
administrator, and service accounts for enterprise assets and software.

Establish an Access Granting

Process

Establish an Access Revoking

Process
Require MFA for Externally-
Exposed Applications

Require MFA for Remote

Network Access

Require MFA for Administrative

Access

Require MFA for Administrative

Access
Establish and Maintain an
Inventory of Authentication and
Authorization Systems

Centralize Access Control

Define and Maintain Role-

Based Access Control

Continuous Vulnerability Management

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the e
infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monito
private industry sources for new threat and vulnerability information.

Establish and Maintain a

Vulnerability Management
Process

Establish and Maintain a

Vulnerability Management
Process

Establish and Maintain a

Remediation Process

Establish and Maintain a

Remediation Process
Perform Automated Operating
System Patch Management
Perform Automated Application
Patch Management
Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Remediate Detected
Vulnerabilities
Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover
attack.

Establish and Maintain an Audit

Log Management Process

Establish and Maintain an Audit

Log Management Process

Collect Audit Logs

Ensure Adequate Audit Log

Storage

Standardize Time
Synchronization

Collect Detailed Audit Logs

Collect DNS Query Audit Logs

Collect URL Request Audit
Logs
Collect Command-Line Audit
Logs
Centralize Audit Logs

Retain Audit Logs

Conduct Audit Log Reviews

Collect Service Provider Logs

Email and Web Browser Protections

Improve protections and detections of threats from email and web vectors, as these are opportunit
attackers to manipulate human behavior through direct engagement.

Ensure Use of Only Fully

Supported Browsers and Email
Clients

Use DNS Filtering Services

Maintain and Enforce Network-

Based URL Filters

Restrict Unnecessary or
Unauthorized Browser and
Email Client Extensions

Implement DMARC

Block Unnecessary File Types

Deploy and Maintain Email
Server Anti-Malware
Protections
Malware Defenses

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts
enterprise assets.
Deploy and Maintain Anti-
Malware Software

Configure Automatic Anti-

Malware Signature Updates

Disable Autorun and Autoplay

for Removable Media
Configure Automatic Anti-
Malware Scanning of
Removable Media

Enable Anti-Exploitation
Features

Centrally Manage Anti-Malware

Software

Use Behavior-Based Anti-

Malware Software
Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a
and trusted state.

Establish and Maintain a Data

Recovery Process

Establish and Maintain a Data

Recovery Process

Perform Automated Backups

Protect Recovery Data

Establish and Maintain an
Isolated Instance of Recovery
Data

Test Data Recovery

Network Infrastructure
Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
attackers from exploiting vulnerable network services and access points.

Ensure Network Infrastructure is

Up-to-Date

Establish and Maintain a

Secure Network Architecture

Establish and Maintain a

Secure Network Architecture

Securely Manage Network

Infrastructure

Establish and Maintain

Architecture Diagram(s)

Centralize Network
Authentication, Authorization,
and Auditing (AAA)

Establish and Maintain

Dedicated Computing
Resources for All Administrative
Work

Network Monitoring and

Defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and d
against security threats across the enterprise’s network infrastructure and user base.

Centralize Security Event

Alerting

Centralize Security Event

Alerting

Centralize Security Event

Alerting

Centralize Security Event

Alerting

Deploy a Host-Based Intrusion

Detection Solution

Deploy a Network Intrusion

Detection Solution

Perform Traffic Filtering

Between Network Segments
Manage Access Control for
Remote Assets

Collect Network Traffic Flow

Logs

Deploy a Host-Based Intrusion

Prevention Solution

Deploy a Network Intrusion

Prevention Solution

Deploy Port-Level Access

Control

Perform Application Layer

Filtering
Tune Security Event Alerting
Thresholds
Security Awareness and Skills Training

Establish and maintain a security awareness program to influence behavior among the workforce t
conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Establish and Maintain a

Security Awareness Program

Train Workforce Members to

Recognize Social Engineering
Attacks
Train Workforce Members on
Authentication Best Practices

Train Workforce on Data

Handling Best Practices
Train Workforce Members on
Causes of Unintentional Data
Exposure

Train Workforce Members on

Recognizing and Reporting
Security Incidents

Train Workforce on How to

Identify and Report if Their
Enterprise Assets are Missing
Security Updates

Train Workforce on the Dangers

of Connecting to and
Transmitting Enterprise Data
Over Insecure Networks

Conduct Role-Specific Security

Awareness and Skills Training

Service Provider Management

Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
critical IT platforms or processes, to ensure these providers are protecting those platforms and dat
appropriately.

Establish and Maintain an

Inventory of Service Providers

Establish and Maintain a

Service Provider Management
Policy

Classify Service Providers

Ensure Service Provider
Contracts Include Security
Requirements

Assess Service Providers

Monitor Service Providers

Securely Decommission
Service Providers

Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, dete
remediate security weaknesses before they can impact the enterprise.

Establish and Maintain a

Secure Application
Development Process

Establish and Maintain a

Secure Application
Development Process
Establish and Maintain a
Process to Accept and Address
Software Vulnerabilities

Perform Root Cause Analysis

on Security Vulnerabilities

Establish and Manage an

Inventory of Third-Party
Software Components

Use Up-to-Date and Trusted

Third-Party Software
Components

Establish and Maintain a

Severity Rating System and
Process for Application
Vulnerabilities

Use Standard Hardening

Configuration Templates for
Application Infrastructure

Separate Production and Non-

Production Systems
Train Developers in Application
Security Concepts and Secure
Coding

Apply Secure Design Principles

in Application Architectures

Leverage Vetted Modules or

Services for Application
Security Components

Implement Code-Level Security

Checks

Conduct Application Penetration

Testing

Conduct Threat Modeling

Incident Response Management

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, p
defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Designate Personnel to Manage
Incident Handling

Establish and Maintain Contact

Information for Reporting
Security Incidents

Establish and Maintain an

Enterprise Process for
Reporting Incidents

Establish and Maintain an

Incident Response Process

Establish and Maintain an

Incident Response Process

Assign Key Roles and

Responsibilities

Assign Key Roles and

Responsibilities

Define Mechanisms for

Communicating During Incident
Response
Conduct Routine Incident
Response Exercises

Conduct Post-Incident Reviews

Establish and Maintain Security

Incident Thresholds

Penetration Testing

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weakn
controls (people, processes, and technology), and simulating the objectives and actions of an attac

Establish and Maintain a

Penetration Testing Program

Perform Periodic External

Penetration Tests

Remediate Penetration Test

Findings

Validate Security Measures

Perform Periodic Internal

Penetration Tests
Description

l of Enterprise Assets

entory, track, and correct) all enterprise assets (end-user devices, including portable and
ces; non-computing/Internet of Things (IoT) devices; and servers) connected to the
ally, virtually, remotely, and those within cloud environments, to accurately know the
need to be monitored and protected within the enterprise. This will also support
zed and unmanaged assets to remove or remediate.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and those
within cloud environments. Additionally, it includes assets that are regularly connected
to the enterprise’s network infrastructure, even if they are not under control of the
enterprise. Review and update the inventory of all enterprise assets bi-annually, or
more frequently.

Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from
connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management
tools to update the enterprise’s asset inventory. Review and use logs to update the
enterprise’s asset inventory weekly, or more frequently.

Use a passive discovery tool to identify assets connected to the enterprise’s network.
Review and use scans to update the enterprise’s asset inventory at least weekly, or
more frequently.
l of Software Assets
entory, track, and correct) all software (operating systems and applications) on the
authorized software is installed and can execute, and that unauthorized and unmanaged
d prevented from installation or execution.
Establish and maintain a detailed inventory of all licensed software installed on
enterprise assets. The software inventory must document the title, publisher, initial
install/use date, and business purpose for each entry; where appropriate, include the
Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism,
and decommission date. Review and update the software inventory bi-annually, or
more frequently.

Ensure that only currently supported software is designated as authorized in the

software inventory for enterprise assets. If software is unsupported, yet necessary for
the fulfillment of the enterprise’s mission, document an exception detailing mitigating
controls and residual risk acceptance. For any unsupported software without an
exception documentation, designate as unauthorized. Review the software list to verify
software support at least monthly, or more frequently.

Ensure that unauthorized software is either removed from use on enterprise assets or
receives a documented exception. Review monthly, or more frequently.

Utilize software inventory tools, when possible, throughout the enterprise to automate
the discovery and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.
Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.

nd technical controls to identify, classify, securely handle, retain, and dispose of data.

Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory
annually, at a minimum, with a priority on sensitive data.

Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory
annually, at a minimum, with a priority on sensitive data.

Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems,
databases, and applications.

Retain data according to the enterprise’s data management process. Data retention
must include both minimum and maximum timelines.

Securely dispose of data as outlined in the enterprise’s data management process.

Ensure the disposal process and method are commensurate with the data sensitivity.

Securely dispose of data as outlined in the enterprise’s data management process.

Ensure the disposal process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations
can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.

Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and
update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport

Layer Security (TLS) and Open Secure Shell (OpenSSH).

Encrypt sensitive data at rest on servers, applications, and databases containing

sensitive data. Storage-layer encryption, also known as server-side encryption, meets
the minimum requirement of this Safeguard. Additional encryption methods may
include application-layer encryption, also known as client-side encryption, where
access to the data storage device(s) does not permit access to the plain-text data.

Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.

Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.

Log sensitive data access, including modification and disposal.

of Enterprise Assets and Software

in the secure configuration of enterprise assets (end-user devices, including portable and
ces; non-computing/IoT devices; and servers) and software (operating systems and
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Configure automatic session locking on enterprise assets after a defined period of

inactivity. For general purpose operating systems, the period must not exceed 15
minutes. For mobile end-user devices, the period must not exceed 2 minutes.

Implement and manage a firewall on servers, where supported. Example

implementations include a virtual firewall, operating system firewall, or a third-party
firewall agent.

Implement and manage a host-based firewall or port-filtering tool on end-user devices,

with a default-deny rule that drops all traffic except those services and ports that are
explicitly allowed.
Securely manage enterprise assets and software. Example implementations include
managing configuration through version-controlled-infrastructure-as-code and
accessing administrative interfaces over secure network protocols, such as Secure
Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure
management protocols, such as Telnet (Teletype Network) and HTTP, unless
operationally essential.
Manage default accounts on enterprise assets and software, such as root,
administrator, and other pre-configured vendor accounts. Example implementations
can include: disabling default accounts or making them unusable.

Uninstall or disable unnecessary services on enterprise assets and software, such as

an unused file sharing service, web application module, or service function.

Configure trusted DNS servers on enterprise assets. Example implementations

include: configuring assets to use enterprise-controlled DNS servers and/or reputable
externally accessible DNS servers.

Enforce automatic device lockout following a predetermined threshold of local failed

authentication attempts on portable end-user devices, where supported. For laptops,
do not allow more than 20 failed authentication attempts; for tablets and smartphones,
no more than 10 failed authentication attempts. Example implementations include
Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer
supports the enterprise.

Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal
applications and data.

ools to assign and manage authorization to credentials for user accounts, including
ts, as well as service accounts, to enterprise assets and software.

Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule at
a minimum quarterly, or more frequently.

Use unique passwords for all enterprise assets. Best practice implementation includes,
at a minimum, an 8-character password for accounts using MFA and a 14-character
password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise
assets. Conduct general computing activities, such as internet browsing, email, and
productivity suite use, from the user’s primary, non-privileged account.

Establish and maintain an inventory of service accounts. The inventory, at a minimum,

must contain department owner, review date, and purpose. Perform service account
reviews to validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.

ools to create, assign, manage, and revoke access credentials and privileges for user,
rvice accounts for enterprise assets and software.

Establish and follow a process, preferably automated, for granting access to enterprise
assets upon new hire, rights grant, or role change of a user.

Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA,
where supported. Enforcing MFA through a directory service or SSO provider is a
satisfactory implementation of this Safeguard.

Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all enterprise
assets, whether managed on-site or through a third-party provider.

Require MFA for all administrative access accounts, where supported, on all enterprise
assets, whether managed on-site or through a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization
systems, including those hosted on-site or at a remote service provider. Review and
update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.

Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
ility Management
ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
er to remediate, and minimize, the window of opportunity for attackers. Monitor public and
ces for new threat and vulnerability information.

Establish and maintain a documented vulnerability management process for enterprise

assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Establish and maintain a documented vulnerability management process for enterprise

assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Establish and maintain a risk-based remediation strategy documented in a remediation

process, with monthly, or more frequent, reviews.

Establish and maintain a risk-based remediation strategy documented in a remediation

process, with monthly, or more frequent, reviews.
Perform operating system updates on enterprise assets through automated patch
management on a monthly, or more frequent, basis.
Perform application updates on enterprise assets through automated patch
management on a monthly, or more frequent, basis.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or
more frequent, basis. Conduct both authenticated and unauthenticated scans, using a
SCAP-compliant vulnerability scanning tool.

Perform automated vulnerability scans of externally-exposed enterprise assets using a

SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more
frequent, basis.
Remediate detected vulnerabilities in software through processes and tooling on a
monthly, or more frequent, basis, based on the remediation process.

and retain audit logs of events that could help detect, understand, or recover from an

Establish and maintain an audit log management process that defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the
enterprise’s audit log management process.

Standardize time synchronization. Configure at least two synchronized time sources

across enterprise assets, where supported.

Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit
logs from PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise
assets.

Retain audit logs across enterprise assets for a minimum of 90 days.

Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include
collecting authentication and authorization events, data creation and disposal events,
and user management events.
ser Protections

and detections of threats from email and web vectors, as these are opportunities for
ate human behavior through direct engagement.

Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through
the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious
domains.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example implementations
include category-based filtering, reputation-based filtering, or through the use of block
lists. Enforce filters for all enterprise assets.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary

browser or email client plugins, extensions, and add-on applications.

To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment
scanning and/or sandboxing.

e installation, spread, and execution of malicious applications, code, or scripts on

Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.

Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

Enable anti-exploitation features on enterprise assets and software, where possible,

such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit
Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

Centrally manage anti-malware software.

Use behavior-based anti-malware software.

in data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident

Establish and maintain a data recovery process. In the process, address the scope of
data recovery activities, recovery prioritization, and the security of backup data. Review
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Perform automated backups of in-scope enterprise assets. Run backups weekly, or

more frequently, based on the sensitivity of the data.

Protect recovery data with equivalent controls to the original data. Reference
encryption or data separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example
implementations include, version controlling backup destinations through offline, cloud,
or off-site systems or services.

Test backup recovery quarterly, or more frequently, for a sampling of in-scope

enterprise assets.

, and actively manage (track, report, correct) network devices, in order to prevent
ting vulnerable network services and access points.

Ensure network infrastructure is kept up-to-date. Example implementations include

running the latest stable release of software and/or using currently supported network-
as-a-service (NaaS) offerings. Review software versions monthly, or more frequently,
to verify software support.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Securely manage network infrastructure. Example implementations include version-

controlled-infrastructure-as-code, and the use of secure network protocols, such as
SSH and HTTPS.

Establish and maintain architecture diagram(s) and/or other network system

documentation. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.

Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).

Require users to authenticate to enterprise-managed VPN and authentication services

prior to accessing enterprise resources on end-user devices.
Establish and maintain dedicated computing resources, either physically or logically
separated, for all administrative tasks or tasks requiring administrative access. The
computing resources should be segmented from the enterprise's primary network and
not be allowed internet access.

Establish and maintain dedicated computing resources, either physically or logically

separated, for all administrative tasks or tasks requiring administrative access. The
computing resources should be segmented from the enterprise's primary network and
not be allowed internet access.

nd tooling to establish and maintain comprehensive network monitoring and defense

ats across the enterprise’s network infrastructure and user base.

Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.

Deploy a host-based intrusion detection solution on enterprise assets, where

appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System
(NIDS) or equivalent cloud service provider (CSP) service.

Perform traffic filtering between network segments, where appropriate.

Manage access control for assets remotely connecting to enterprise resources.
Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.
Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where
appropriate and/or supported. Example implementations include use of an Endpoint
Detection and Response (EDR) client or host-based IPS agent.

Deploy a network intrusion prevention solution, where appropriate. Example

implementations include the use of a Network Intrusion Prevention System (NIPS) or
equivalent CSP service.

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user
and/or device authentication.
Perform application layer filtering. Example implementations include a filtering proxy,
application layer firewall, or gateway.

Tune security event alerting thresholds monthly, or more frequently.

and Skills Training

in a security awareness program to influence behavior among the workforce to be security

rly skilled to reduce cybersecurity risks to the enterprise.

Establish and maintain a security awareness program. The purpose of a security

awareness program is to educate the enterprise’s workforce on how to interact with
enterprise assets and data in a secure manner. Conduct training at hire and, at a
minimum, annually. Review and update content annually, or when significant
enterprise changes occur that could impact this Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing,

pre-texting, and tailgating.

Train workforce members on authentication best practices. Example topics include

MFA, password composition, and credential management.

Train workforce members on how to identify and properly store, transfer, archive, and
destroy sensitive data. This also includes training workforce members on clear screen
and desk best practices, such as locking their screen when they step away from their
enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and
storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure.
Example topics include mis-delivery of sensitive data, losing a portable end-user
device, or publishing data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to

report such an incident.

Train workforce to understand how to verify and report out-of-date software patches or
any failures in automated processes and tools. Part of this training should include
notifying IT personnel of any failures in automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over,
insecure networks for enterprise activities. If the enterprise has remote workers,
training must include guidance to ensure that all users securely configure their home
network infrastructure.

Conduct role-specific security awareness and skills training. Example implementations

include secure system administration courses for IT professionals, (OWASP® Top 10
vulnerability awareness and prevention training for web application developers, and
advanced social engineering awareness training for high-profile roles.

evaluate service providers who hold sensitive data, or are responsible for an enterprise’s
r processes, to ensure these providers are protecting those platforms and data

Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
for each service provider. Review and update the inventory annually, or when
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.

Classify service providers. Classification consideration may include one or more

characteristics, such as data sensitivity, data volume, availability requirements,
applicable regulations, inherent risk, and mitigated risk. Update and review
classifications annually, or when significant enterprise changes occur that could impact
this Safeguard.
Ensure service provider contracts include security requirements. Example
requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.

Assess service providers consistent with the enterprise’s service provider management
policy. Assessment scope may vary based on classification(s), and may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
questionnaires, or other appropriately rigorous processes. Reassess service providers
annually, at a minimum, or with new and renewed contracts.

Monitor service providers consistent with the enterprise’s service provider

management policy. Monitoring may include periodic reassessment of service provider
compliance, monitoring service provider release notes, and dark web monitoring.

Securely decommission service providers. Example considerations include user and

service account deactivation, termination of data flows, and secure disposal of
enterprise data within service provider systems.
Security
ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and
eaknesses before they can impact the enterprise.

Establish and maintain a secure application development process. In the process,

address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing procedures. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software
vulnerabilities, including providing a means for external entities to report. The process
is to include such items as: a vulnerability handling policy that identifies reporting
process, responsible party for handling vulnerability reports, and a process for intake,
assignment, remediation, and remediation testing. As part of the process, use a
vulnerability tracking system that includes severity ratings, and metrics for measuring
timing for identification, analysis, and remediation of vulnerabilities. Review and update
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that

helps to set expectations for outside stakeholders.

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities,

root cause analysis is the task of evaluating underlying issues that create
vulnerabilities in code, and allows development teams to move beyond just fixing
individual vulnerabilities as they arise.

Establish and manage an updated inventory of third-party components used in

development, often referred to as a “bill of materials,” as well as components slated for
future use. This inventory is to include any risks that each third-party component could
pose. Evaluate the list at least monthly to identify any changes or updates to these
components, and validate that the component is still supported.

Use up-to-date and trusted third-party software components. When possible, choose
established and proven frameworks and libraries that provide adequate
security. Acquire these components from trusted sources or evaluate the software for
vulnerabilities before use.

Establish and maintain a severity rating system and process for application
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe bugs
are fixed first. Review and update the system and process annually.

Use standard, industry-recommended hardening configuration templates for

application infrastructure components. This includes underlying servers, databases,
and web servers, and applies to cloud containers, Platform as a Service (PaaS)
components, and SaaS components. Do not allow in-house developed software to
weaken configuration hardening.

Maintain separate environments for production and non-production systems.

Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities. Training can include
general security principles and application security standard practices. Conduct
training at least annually and design in a way to promote security within the
development team, and build a culture of security among the developers.

Apply secure design principles in application architectures. Secure design principles

include the concept of least privilege and enforcing mediation to validate every
operation that the user makes, promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats. Secure
design also means minimizing the application infrastructure attack surface, such as
turning off unprotected ports and services, removing unnecessary programs and files,
and renaming or removing default accounts.

Leverage vetted modules or services for application security components, such as

identity management, encryption, and auditing and logging. Using platform features in
critical security functions will reduce developers’ workload and minimize the likelihood
of design or implementation errors. Modern operating systems provide effective
mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and
extensively reviewed encryption algorithms. Operating systems also provide
mechanisms to create and maintain secure audit logs.

Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.

Conduct application penetration testing. For critical applications, authenticated

penetration testing is better suited to finding business logic vulnerabilities than code
scanning and automated security testing. Penetration testing relies on the skill of the
tester to manually manipulate an application as an authenticated and unauthenticated
user.

Conduct threat modeling. Threat modeling is the process of identifying and addressing
application security design flaws within a design, before code is created. It is
conducted through specially trained individuals who evaluate the application design
and gauge security risks for each entry point and access level. The goal is to map out
the application, architecture, and infrastructure in a structured way to understand its
weaknesses.

anagement

o develop and maintain an incident response capability (e.g., policies, plans, procedures,
g, and communications) to prepare, detect, and quickly respond to an attack.
Designate one key person, and at least one backup, who will manage the enterprise’s
incident handling process. Management personnel are responsible for the coordination
and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using
a third-party vendor, designate at least one person internal to the enterprise to oversee
any third-party work. Review annually, or when significant enterprise changes occur
that could impact this Safeguard.

Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.

Establish and maintain an enterprise process for the workforce to report security
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.

Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts, as applicable. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.

Determine which primary and secondary mechanisms will be used to communicate

and report during a security incident. Mechanisms can include phone calls, emails, or
letters. Keep in mind that certain mechanisms, such as emails, can be affected during
a security incident. Review annually, or when significant enterprise changes occur that
could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel
involved in the incident response process to prepare for responding to real-world
incidents. Exercises need to test communication channels, decision making, and
workflows. Conduct testing on an annual basis, at a minimum.

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence

through identifying lessons learned and follow-up action.

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence

through identifying lessons learned and follow-up action.

Establish and maintain security incident thresholds, including, at a minimum,

differentiating between an incident and an event. Examples can include: abnormal
activity, security vulnerability, security weakness, data breach, privacy incident, etc.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.

s and resiliency of enterprise assets through identifying and exploiting weaknesses in

cesses, and technology), and simulating the objectives and actions of an attacker.

Establish and maintain a penetration testing program appropriate to the size,

complexity, and maturity of the enterprise. Penetration testing program characteristics
include scope, such as network, web application, Application Programming Interface
(API), hosted services, and physical premise controls; frequency; limitations, such as
acceptable hours, and excluded attack types; point of contact information; remediation,
such as how findings will be routed internally; and retrospective requirements.

Perform periodic external penetration tests based on program requirements, no less

than annually. External penetration testing must include enterprise and environmental
reconnaissance to detect exploitable information. Penetration testing requires
specialized skills and experience and must be conducted through a qualified party. The
testing may be clear box or opaque box.

Remediate penetration test findings based on the enterprise’s policy for remediation
scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify
rulesets and capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less
than annually. The testing may be clear box or opaque box.
IG1 IG2 IG3 Relationship IGP # IGP Title

X X X Subset A3.a Asset Management

X X X Subset B2.b Device Management

X X

X
X X X Subset A3.a Asset Management

X X X

X X X Subset B4.c Secure Management

X X

X X Subset B4.b Secure Configuration

X X

X X X Subset B3.a Understanding Data

X X X Subset A3.a Asset Management

X X X Subset B3.a Understanding Data

Identity Verification,
X X X Subset B2.a Authentication and
Authorisation

X X X Subset B3.a Understanding Data

X X X

X X X Subset A3.a Asset Management

X X X Equivalent B3.e Media / Equipment Sanitisatio

X X X
X X Subset B3.a Understanding Data

X X Subset B3.a Understanding Data

X X Subset B3.d Mobile Data

X X Equivalent B3.b Data in Transit

X X Equivalent B3.c Stored Data

X X Subset B4.a Secure by Design

X Subset B2.c Privileged User Management

X X X Subset B1.a Policy and Process Developm

X X X Subset B4.b Secure Configuration

X X X

X X

X X
X X Subset B3.d Mobile Data

X Subset B3.d Mobile Data

X X X Subset B2.c Privileged User Management

X X X

X X X Subset B2.c Privileged User Management

X X

X X X Subset B2.d Identity and Access Managem

X X X

X X X Subset B2.a Identity Verification, Authenti

X X X Subset B2.c Privileged User Management

X X

X Subset B2.a Identity Verification, Authenti

X X X Subset B1.a Policy and Process Developm

X X X Subset B4.d Vulnerability Management

X X X Subset B1.a Policy and Process Developm

X X X Subset B4.d Vulnerability Management

X X X

X X

X X X Superset C1.b Securing Logs

X X X Subset C1.c Generating Alerts

X X X

X X Subset C1.b Securing Logs

X X Subset B2.c Privileged User Management

X X
X X

X X
X X Subset C1.e Monitoring Tools and Skills

X X

X X Subset C1.c Generating Alerts

X X X

X X

X
X X X Subset B4.c Secure Management

X X X Subset C1.d Identifying Security Incidents

X X X

X X

X X Subset C1.e Monitoring Tools and Skills

X X

X X X Subset B5.a Resilience Preparation

X X X Subset B5.c Backups

X X X
X X X

X X Subset B5.c Backups

X X X

X X Subset B4.a Secure by Design

X X Subset B5.b Design for Resilience

X X Subset B4.c Secure Management

X X

Identity Verification,
X X Subset B2.a Authentication and
Authorisation
X Subset B2.b Device Management

X Subset B4.c Secure Management

X X Subset C1.a Monitoring Coverage

X X Subset C1.c Generating Alerts

X X Subset C1.d Identifying Security Incidents

X X Subset C1.e Monitoring Tools and Skills

X X

X X
Identity Verification,
X X Subset B2.a Authentication and
Authorisation

X X

X X X Equivalent B6.b Cyber Security Training

X X X

X X X
X X X

X X X

X X Subset B6.b Cyber Security Training

X X X

X X Subset A4.a Supply Chain

X X
X X Subset A4.a Supply Chain

X X Subset B1.a Policy and Process Developm

X X Subset B4.a Secure by Design

X X

X X Subset B4.a Secure by Design

X X
X X

X X Subset B4.a Secure by Design

X X

X
X X X

X X X

X X Subset B5.a Resilience Preparation

X X Equivalent D1.a Response Plan

X X Subset A1.b Roles and Responsibilities

X X Subset D1.b Response and Recovery Capab

X X
X X Equivalent D1.c Testing and Exercising

X X Equivalent D2.a Incident Root Cause Analysis

X X Subset D2.b Using Incidents to Drive Impr

X X

X
Description

Everything required to deliver, maintain or support

networks and information systems necessary for the
operation of essential functions is determined and
understood. This includes data, people and systems, as
well as any supporting infrastructure (such as power or
cooling).

You fully know and have trust in the devices that are used
to access your networks, information systems and data
that support your essential function.
Everything required to deliver, maintain or support
networks and information systems necessary for the
operation of essential functions is determined and
understood. This includes data, people and systems, as
well as any supporting infrastructure (such as power or
cooling).

You manage your organisation's network and information

systems that support the operation of essential functions
to enable and maintain security.

You securely configure the network and information

systems that support the operation of essential functions.

You have a good understanding of data important to the

operation of the essential function, where it is stored,
where it travels and how unavailability or unauthorised
access, modification or deletion would adversely impact
the essential function. This also applies to third parties
storing or accessing data important to the operation of
essential functions.
Everything required to deliver, maintain or support
networks and information systems necessary for the
operation of essential functions is determined and
understood. This includes data, people and systems, as
well as any supporting infrastructure (such as power or
cooling).

You have a good understanding of data important to the

You robustly verify, authenticate and authorise access to

the networks and information systems supporting your
essential function.

You have a good understanding of data important to the

Everything required to deliver, maintain or support

You appropriately sanitise media and equipment holding

data important to the operation of the essential function
You have a good understanding of data important to the
operation of the essential function, where it is stored,
where it travels and how unavailability or unauthorised
access, modification or deletion would adversely impact
the essential function. This also applies to third parties
storing or accessing data important to the operation of
essential functions.

You have a good understanding of data important to the

You have protected data important to the operation of the

essential function on mobile devices.
You have protected the transit of data important to the
operation of the essential function. This includes the
transfer of data to third parties.

You have protected stored data important to the operation

of the essential function.

You design security into the network and information

You closely manage privileged user access to networks

and information systems supporting the essential function.
You have developed and continue to improve a set of
cyber security and resilience policies and processes that
manage and mitigate the risk of adverse impact on the
essential function.

You securely configure the network and information

systems that support the operation of essential functions.

You securely configure the network and information

systems that support the operation of essential functions.
You have protected data important to the operation of the
essential function on mobile devices.

You have protected data important to the operation of the

essential function on mobile devices.

You closely manage privileged user access to networks

and information systems supporting the essential function.

You closely manage privileged user access to networks

and information systems supporting the essential function.

You assure good management and maintenance of

identity and access control for your networks and
information systems supporting the essential function.

You assure good management and maintenance of

identity and access control for your networks and
information systems supporting the essential function.
You robustly verify, authenticate and authorise access to
the networks and information systems supporting your
essential function.

You robustly verify, authenticate and authorise access to

the networks and information systems supporting your
essential function.
You closely manage privileged user access to networks
and information systems supporting the essential function.

You robustly verify, authenticate and authorise access to

the networks and information systems supporting your
essential function.

You have developed and continue to improve a set of

cyber security and resilience policies and processes that
manage and mitigate the risk of adverse impact on the
essential function.

You manage known vulnerabilities in your network and

information systems to prevent adverse impact on the
essential function.

You have developed and continue to improve a set of

cyber security and resilience policies and processes that
manage and mitigate the risk of adverse impact on the
essential function.

You manage known vulnerabilities in your network and

information systems to prevent adverse impact on the
essential function.
You hold logging data securely and grant read access
only to accounts with business need. No employee should
ever need to modify or delete logging data within an
agreed retention period, after which it should be deleted.

Evidence of potential security incidents contained in your

monitoring data is reliably identified and triggers alerts.

You hold logging data securely and grant read access

only to accounts with business need. No employee should
ever need to modify or delete logging data within an
agreed retention period, after which it should be deleted.

You closely manage privileged user access to networks

and information systems supporting the essential function.
Monitoring staff skills, tools and roles, including any that
are outsourced, should reflect governance and reporting
requirements, expected threats and the complexities of
the network or system data they need to use. Monitoring
staff have knowledge of the essential functions they need
to protect.

Evidence of potential security incidents contained in your

monitoring data is reliably identified and triggers alerts.
You manage your organisation's network and information
systems that support the operation of essential functions
to enable and maintain security.

You contextualise alerts with knowledge of the threat and

your systems, to identify those security incidents that
require some form of response.

Monitoring staff skills, tools and roles, including any that

You are prepared to restore the operation of your

essential function following adverse impact.

You hold accessible and secured current backups of data

and information needed to recover operation of your
essential function

You hold accessible and secured current backups of data

and information needed to recover operation of your
essential function
You hold accessible and secured current backups of data
and information needed to recover operation of your
essential function

You design security into the network and information

You design the network and information systems

supporting your essential function to be resilient to cyber
security incidents. Systems are appropriately segregated
and resource limitations are mitigated.

You manage your organisation's network and information

systems that support the operation of essential functions
to enable and maintain security.

You robustly verify, authenticate and authorise access to

the networks and information systems supporting your
essential function.
You fully know and have trust in the devices that are used
to access your networks, information systems and data
that support your essential function.

You manage your organisation's network and information

systems that support the operation of essential functions
to enable and maintain security.

The data sources that you include in your monitoring allow

for timely identification of security events which might
affect the operation of your essential function.

Evidence of potential security incidents contained in your

monitoring data is reliably identified and triggers alerts.

You contextualise alerts with knowledge of the threat and

your systems, to identify those security incidents that
require some form of response.

Monitoring staff skills, tools and roles, including any that

are outsourced, should reflect governance and reporting
requirements, expected threats and the complexities of
the network or system data they need to use. Monitoring
staff have knowledge of the essential functions they need
to protect.
You robustly verify, authenticate and authorise access to
the networks and information systems supporting your
essential function.

The people who support the operation of your essential

function are appropriately trained in cyber security. A
range of approaches to cyber security training, awareness
and communications are employed.
The people who support the operation of your essential
function are appropriately trained in cyber security. A
range of approaches to cyber security training, awareness
and communications are employed.

The organisation understands and manages security risks

to networks and information systems supporting the
operation of essential functions that arise as a result of
dependencies on external suppliers. This includes
ensuring that appropriate measures are employed where
third party services are used.
The organisation understands and manages security risks
to networks and information systems supporting the
operation of essential functions that arise as a result of
dependencies on external suppliers. This includes
ensuring that appropriate measures are employed where
third party services are used.

You have developed and continue to improve a set of

cyber security and resilience policies and processes that
manage and mitigate the risk of adverse impact on the
essential function.

You design security into the network and information

systems that support the operation of essential functions.
You minimise their attack surface and ensure that the
operation of the essential function should not be impacted
by the exploitation of any single vulnerability.
You design security into the network and information
systems that support the operation of essential functions.
You minimise their attack surface and ensure that the
operation of the essential function should not be impacted
by the exploitation of any single vulnerability.
You design security into the network and information
systems that support the operation of essential functions.
You minimise their attack surface and ensure that the
operation of the essential function should not be impacted
by the exploitation of any single vulnerability.
You are prepared to restore the operation of your
essential function following adverse impact.

You have an up-to-date incident response plan that is

grounded in a thorough risk assessment that takes
account of your essential function and covers a range of
incident scenarios.
Your organisation has established roles and
responsibilities for the security of networks and
information systems at all levels, with clear and well-
understood channels for communicating and escalating
risks.
You have the capability to enact your incident response
plan, including effective limitation of impact on the
operation of your essential function. During an incident,
you have access to timely information on which to base
your response decisions.
Your organisation carries out exercises to test response
plans, using past incidents that affected your (and other)
organisation, and scenarios that draw on threat
intelligence and your risk assessment.

When an incident occurs, steps must be taken to

understand its root causes and ensure appropriate
remediating action is taken.
Your organisation uses lessons learned from incidents to
improve your security measures.
The following Indicators of Good Practice (IGP's) are NOT mapped to the CIS Controls
A1.a Board Direction

A1.c Decision-making

A2.a Risk Management Process

A2.b Assurance

B1.b Policy and Process Implementation

B6.a Cyber Security Culture

C2.a System Abnormalities for Attack Detection

C2.b Proactive Attack Discovery

(IGP's) areYou
NOT mapped
have to the
effective CIS Controls
organisational security management led at board level and articulated clearly in corresponding
policies.
You have senior-level accountability for the security of networks and information systems, and delegate decision-
making authority appropriately and effectively. Risks to network and information systems related to the operation of
essential functions are considered in the context of other organisational risks.
Your organisation has effective internal processes for managing risks to the security of network and information
systems related to the operation of essential functions and communicating associated activities.
You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant
to essential functions.
You have successfully implemented your security policies and processes and can demonstrate the security benefits
achieved.
You develop and pursue a positive cyber security culture.
You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity
that is otherwise hard to identify.
You use an informed understanding of more sophisticated attack methods and of normal system behaviour to
monitor proactively for malicious activity.
The following CIS Safeguards are NOT mapped to the Cyber Assessment Framework
1.3

1.4

1.5

2.2

2.4

2.6

2.7

3.4

3.6

3.13

4.3

4.4

4.5

4.6

4.7

4.8

4.9

4.10
5.2

5.3

5.5

5.6

6.3

6.6

6.7
7.3
7.4

7.5

7.6

7.7

8.2
8.3
8.6
8.7

8.8

8.10

8.12

9.1

9.2

9.3

9.4

9.5

9.6
9.7
10.3
10.4

10.5
10.7
11.3

11.4

12.1

12.4

12.5

12.6

13.2

13.3

13.4
13.6

13.7

13.8

13.9

13.10
13.11
14.2

14.3

14.4

14.5

14.6

14.7

14.8

15.1

15.3
15.5

15.6

15.7

16.2

16.3

16.4

16.5

16.6

16.8

16.9

16.11

16.12

16.13
16.14

17.1

17.2

17.3

17.6

17.9

18.1

18.2

18.3

18.4

18.5
The following CIS Safeguards are NOT mapped to the Cyber Assessment Framework

Utilize an Active Discovery Tool

Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

Use a Passive Asset Discovery Tool

Ensure Authorized Software is Currently Supported

Utilize Automated Software Inventory Tools

Allowlist Authorized Libraries

Allowlist Authorized Scripts

Enforce Data Retention

Encrypt Data on End-User Devices

Deploy a Data Loss Prevention Solution

Configure Automatic Session Locking on Enterprise Assets

Implement and Manage a Firewall on Servers

Implement and Manage a Firewall on End-User Devices

Securely Manage Enterprise Assets and Software

Manage Default Accounts on Enterprise Assets and Software

Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Configure Trusted DNS Servers on Enterprise Assets

Enforce Automatic Device Lockout on Portable End-User Devices

Use Unique Passwords
Disable Dormant Accounts

Establish and Maintain an Inventory of Service Accounts

Centralize Account Management

Require MFA for Externally-Exposed Applications

Establish and Maintain an Inventory of Authentication and Authorization Systems

Centralize Access Control
Perform Automated Operating System Patch Management
Perform Automated Application Patch Management

Perform Automated Vulnerability Scans of Internal Enterprise Assets

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Remediate Detected Vulnerabilities

Collect Audit Logs
Ensure Adequate Audit Log Storage
Collect DNS Query Audit Logs
Collect URL Request Audit Logs

Collect Command-Line Audit Logs

Retain Audit Logs

Collect Service Provider Logs

Ensure Use of Only Fully Supported Browsers and Email Clients

Use DNS Filtering Services

Maintain and Enforce Network-Based URL Filters

Restrict Unnecessary or Unauthorized Browser and Email Client Extensions

Implement DMARC
Block Unnecessary File Types
Deploy and Maintain Email Server Anti-Malware Protections
Disable Autorun and Autoplay for Removable Media
Configure Automatic Anti-Malware Scanning of Removable Media

Enable Anti-Exploitation Features

Use Behavior-Based Anti-Malware Software
Protect Recovery Data

Establish and Maintain an Isolated Instance of Recovery Data

Ensure Network Infrastructure is Up-to-Date

Establish and Maintain Architecture Diagram(s)

Centralize Network Authentication, Authorization, and Auditing (AAA)

Use of Secure Network Management and Communication Protocols

Deploy a Host-Based Intrusion Detection Solution

Deploy a Network Intrusion Detection Solution

Perform Traffic Filtering Between Network Segments
Collect Network Traffic Flow Logs

Deploy a Host-Based Intrusion Prevention Solution

Deploy a Network Intrusion Prevention Solution

Deploy Port-Level Access Control

Perform Application Layer Filtering
Tune Security Event Alerting Thresholds
Train Workforce Members to Recognize Social Engineering Attacks

Train Workforce Members on Authentication Best Practices

Train Workforce on Data Handling Best Practices

Train Workforce Members on Causes of Unintentional Data Exposure

Train Workforce Members on Recognizing and Reporting Security Incidents

Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

Establish and Maintain an Inventory of Service Providers

Classify Service Providers

Assess Service Providers

Monitor Service Providers

Securely Decommission Service Providers

Establish and Maintain a Process to Accept and Address Software Vulnerabilities

Perform Root Cause Analysis on Security Vulnerabilities

Establish and Manage an Inventory of Third-Party Software Components

Use Up-to-Date and Trusted Third-Party Software Components

Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
Separate Production and Non-Production Systems

Train Developers in Application Security Concepts and Secure Coding

Leverage Vetted Modules or Services for Application Security Components

Implement Code-Level Security Checks

Conduct Application Penetration Testing

Conduct Threat Modeling

Designate Personnel to Manage Incident Handling

Establish and Maintain Contact Information for Reporting Security Incidents

Establish and Maintain an Enterprise Process for Reporting Incidents

Define Mechanisms for Communicating During Incident Response

Establish and Maintain Security Incident Thresholds

Establish and Maintain a Penetration Testing Program

Perform Periodic External Penetration Tests

Remediate Penetration Test Findings

Validate Security Measures

Perform Periodic Internal Penetration Tests

Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discove
execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterpris
inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to upda
enterprise’s asset inventory at least weekly, or more frequently.

Ensure that only currently supported software is designated as authorized in the software inventory for enterprise as
software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailin
controls and residual risk acceptance. For any unsupported software without an exception documentation, designate
unauthorized. Review the software list to verify software support at least monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documenta
installed software.
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are
load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually,
frequently.
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as
specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annuall
frequently.
Retain data according to the enterprise’s data management process. Data retention must include both minimum and
timelines.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLoc
FileVault®, Linux® dm-crypt.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data sto
processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, a
the enterprise's sensitive data inventory.
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose op
systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minute
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, o
system firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that d
traffic except those services and ports that are explicitly allowed.

Securely manage enterprise assets and software. Example implementations include managing configuration through
controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Se
(SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telne
Network) and HTTP, unless operationally essential.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured v
accounts. Example implementations can include: disabling default accounts or making them unusable.
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service
application module, or service function.
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use en
controlled DNS servers and/or reputable externally accessible DNS servers.

Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on porta
user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and
smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune
and Apple® Configuration Profile maxFailedAttempts.
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-characte
for accounts using MFA and a 14-character password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department own
date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurrin
at a minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MF
directory service or SSO provider is a satisfactory implementation of this Safeguard.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those ho
or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
Centralize access control
Perform operating systemfor all enterprise
updates assetsassets
on enterprise through a directory
through servicepatch
automated or SSO provider, where
management supported.
on a monthly, or mo
basis.
Perform application updates on enterprise assets through automated patch management on a monthly, or more freq
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct
authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability
tool. Perform scans on a monthly, or more frequent, basis.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis,
the remediation
Collect process.
audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled acros
assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management p
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™
administrative terminals.
Retain audit logs across enterprise assets for a minimum of 90 days.
Collect service provider logs, where supported. Example implementations include collecting authentication and auth
events, data creation and disposal events, and user management events.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest
browsers and email clients provided through the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious o
websites. Example implementations include category-based filtering, reputation-based filtering, or through the use o
Enforce filters for all enterprise assets.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, ex
and add-on applications.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, st
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
Disable autorun and autoplay auto-execute functionality for removable media.
Configure anti-malware software to automatically scan removable media.
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execu
Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Ga
Use behavior-based
Protect recovery dataanti-malware software.
with equivalent controls to the original data. Reference encryption or data separation, based o
requirements.
Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling b
destinations through offline, cloud, or off-site systems or services.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release
and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more
to verify software support.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update doc
annually, or when significant enterprise changes occur that could impact this Safeguard.
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) En
greater).
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations inc
of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Perform traffic filtering between network segments, where appropriate.
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Exam
implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Ne
Intrusion Prevention System (NIPS) or equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocol
certificates, and may incorporate user and/or device authentication.
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or ga
Tune security event alerting thresholds monthly, or more frequently.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Train workforce members on authentication best practices. Example topics include MFA, password composition, and
management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This al
training workforce members on clear screen and desk best practices, such as locking their screen when they step aw
their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets s
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-deliver
sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an incident.
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated pro
tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterpr
If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their
network infrastructure.
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include
classification(s), and designate an enterprise contact for each service provider. Review and update the inventory an
when significant enterprise changes occur that could impact this Safeguard.
Classify service providers. Classification consideration may include one or more characteristics, such as data sensit
volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classif
annually, or when significant enterprise changes occur that could impact this Safeguard.
Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope m
based on classification(s), and may include review of standardized assessment reports, such as Service Organizatio
(SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other ap
rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may inclu
reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service account deactivation, te
data flows, and secure disposal of enterprise data within service provider systems.

Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a me
external entities to report. The process is to include such items as: a vulnerability handling policy that identifies repo
process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and
testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for mea
timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or w
significant enterprise changes occur that could impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that helps to set expectations for
stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the tas
evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just
individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development, often referred to as a “
materials,” as well as components slated for future use. This inventory is to include any risks that each third-party co
could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate
component is still
Use up-to-date and supported.
trusted third-party software components. When possible, choose established and proven framew
libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software fo
vulnerabilities before use.

Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing t
which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for
code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk manageme
ensure the most severe bugs are fixed first. Review and update the system and process annually.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code for their specific developmen
environment and responsibilities. Training can include general security principles and application security standard p
Conduct training at least annually and design in a way to promote security within the development team, and build a
security among the developers.
Leverage vetted modules or services for application security components, such as identity management, encryption
auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minim
likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identifica
authentication, and authorization and make those mechanisms available to applications. Use only standardized, curr
accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create a
secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are bein
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to
business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the sk
tester to manually manipulate an application as an authenticated and unauthenticated user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design fla
design, before code is created. It is conducted through specially trained individuals who evaluate the application des
gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and i
in a structured way to understand its weaknesses.

Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Ma
personnel are responsible for the coordination and documentation of incident response and recovery efforts and can
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designa
one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise
occur that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may in
internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Inform
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that informat
date.
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes rep
timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the
publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could im
Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and report during a security incid
Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can
during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safe
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and
Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc
annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterpr
Penetration testing program characteristics include scope, such as network, web application, Application Programm
(API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and exclude
types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requ
Perform periodic external penetration tests based on program requirements, no less than annually. External penetra
must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing req
specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to dete
techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may b
or opaque box.
Principle: A1 Governance
A1.a

A1.b

A1.c

Principle: A2 Risk Management

A2.a
A2.b

Principle: A3 Asset Management

A3.a

Principle: A4 Supply Chain

A4.a

Principle: B1 Service Protection Policies and Processes

B1.a
B1.b

Principle: B2 Identity and Access Control

B2.a

B2.b
B2.c

B2.d

Principle: B3 Data Security

B3.a
B3.b
B3.c
B3.d
B3.e

Principle: B4 System Security

B4.a
B4.b

B4.c
B4.d

Principle: B5 Resilient Networks and Systems

B5.a

B5.b
B5.c

Principle: B6 Staff Awareness and Training

B6.a

B6.b

Principle: C1 Security Monitoring

C1.a

C1.b
C1.c
C1.d

C1.e

Principle: C2 Proactive Security Event Discovery

C2.a

C2.b

Principle: D1 Response and Recovery Planning

D1.a
D1.b

D1.c

Principle: D2 Lessons Learned

D2.a
D2.b
Board Direction

Roles and Responsibilities

Decision-making

Risk Management Process

Assurance

Asset Management

Supply Chain

Policy and Process Development

Policy and Process Implementation

Identity Verification, Authentication and Authorisation

Device Management
Privileged User Management

Identity and Access Management (IdAM)

Understanding Data
Data in Transit
Stored Data
Mobile Data
Media / Equipment Sanitisation

Secure by Design
Secure Configuration

Secure Management
Vulnerability Management

Resilience Preparation

Design for Resilience

Backups

Cyber Security Culture

Cyber Security Training

Monitoring Coverage

Securing Logs
Generating Alerts
Identifying Security Incidents

Monitoring Tools and Skills

System Abnormalities for Attack Detection

Proactive Attack Discovery

Response Plan
Response and Recovery Capability

Testing and Exercising

Incident Root Cause Analysis

Using Incidents to Drive Improvements
The organisation has appropriate management policies and processes in place to govern its approach to the securit
information systems.
You have effective organisational security management led at board level and articulated clearly in corresponding po
Your organisation has established roles and responsibilities for the security of networks and information systems at
and well-understood channels for communicating and escalating risks.
You have senior-level accountability for the security of networks and information systems, and delegate decision-ma
appropriately and effectively. Risks to network and information systems related to the operation of essential function
the context of other organisational risks.
The organisation takes appropriate steps to identify, assess and understand security risks to the network and inform
supporting the operation of essential functions. This includes an overall organisational approach to risk managemen
Your organisation has effective internal processes for managing risks to the security of network and information syst
operation of essential functions and communicating associated activities.
You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant
Everything required to deliver, maintain or support networks and information systems necessary for the operation of
determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such
Everything required to deliver, maintain or support networks and information systems necessary for the operation of
determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such
The organisation understands and manages security risks to networks and information systems supporting the oper
functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measu
where third party services are used.
The organisation understands and manages security risks to networks and information systems supporting the oper
functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measu
where third party services are used.
The organisation defines, implements, communicates and enforces appropriate policies and processes that direct its
securing systems and data that support operation of essential functions.
You have developed and continue to improve a set of cyber security and resilience policies and processes that man
risk of adverse impact on the essential function.
You have successfully
The organisation implemented
understands, your security
documents policiesaccess
and manages and processes andand
to networks caninformation
demonstrate the security
systems benefits
supporting the
essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authe
authorised.
You robustly verify, authenticate and authorise access to the networks and information systems supporting your ess
You fully know and have trust in the devices that are used to access your networks, information systems and data th
essential function.
You closely manage privileged user access to networks and information systems supporting the essential function.
You assure good management and maintenance of identity and access control for your networks and information sy
essential function.

Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or dele
an adverse impact on essential functions. Such protection extends to the means by which authorised users, devices
critical data necessary for the operation of essential functions. It also covers information that would assist an attacke
details of networks and information systems.
You have a good understanding of data important to the operation of the essential function, where it is stored, where
unavailability or unauthorised access, modification or deletion would adversely impact the essential function. This als
parties
You have storing or accessing
protected data
the transit of important to thetooperation
data important of essential
the operation functions.function. This includes the transfer
of the essential
parties.
You have protected stored data important to the operation of the essential function.
You have protected data important to the operation of the essential function on mobile devices.
You appropriately sanitise media and equipment holding data important to the operation of the essential function
Network and information systems and technology critical for the operation of essential functions are protected from c
organisational understanding of risk to essential functions informs the use of robust and reliable protective security m
effectively limit opportunities for attackers to compromise networks and systems.
You design security into the network and information systems that support the operation of essential functions. You
surface and ensure that the operation of the essential function should not be impacted by the exploitation of any sing
You securely configure the network and information systems that support the operation of essential functions.
You manage your organisation's network and information systems that support the operation of essential functions t
maintain security.
You manage known vulnerabilities in your network and information systems to prevent adverse impact on the essen
The organisation builds resilience against cyber-attack and system failure into the design, implementation, operation
systems that support the operation of essential functions.
You are prepared to restore the operation of your essential function following adverse impact.
You design the network and information systems supporting your essential function to be resilient to cyber security i
are appropriately segregated and resource limitations are mitigated.
You hold accessible and secured current backups of data and information needed to recover operation of your esse
Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation t
network and information systems supporting the operation of essential functions.
You develop and pursue a positive cyber security culture.
The people who support the operation of your essential function are appropriately trained in cyber security. A range
cyber security training, awareness and communications are employed.
The organisation monitors the security status of the networks and systems supporting the operation of essential func
detect potential security problems and to track the ongoing effectiveness of protective security measures.
The data sources that you include in your monitoring allow for timely identification of security events which might affe
your essential function.
You hold logging data securely and grant read access only to accounts with business need. No employee should ev
delete logging data within an agreed retention period, after which it should be deleted.
Evidence of potential
You contextualise security
alerts incidents contained
with knowledge in your
of the threat and monitoring datatoisidentify
your systems, reliablythose
identified and incidents
security triggers alerts.
that requ
response.
Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting req
threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the
they need to protect.
The organisation detects, within networks and information systems, malicious activity affecting, or with the potential
operation of essential functions even when the activity evades standard signature based security prevent/detect solu
standard solutions are not deployable).
You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity
hard to identify.
You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monit
malicious activity.
There are well-defined and tested incident management processes in place, that aim to ensure continuity of essentia
event of system or service failure. Mitigation activities designed to contain or limit the impact of compromise are also
You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of
function and covers a range of incident scenarios.
You have the capability to enact your incident response plan, including effective limitation of impact on the operation
function. During an incident, you have access to timely information on which to base your response decisions.
Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) or
scenarios that draw on threat intelligence and your risk assessment.
When an incident occurs, steps are taken to understand its root causes and to ensure appropriate remediating actio
against future incidents.
When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating ac
Your organisation uses lessons learned from incidents to improve your security measures.

CIS Controls v8 Mapping To ISO - IEC 27002.2022 2 2023
100% (1)
CIS Controls v8 Mapping To ISO - IEC 27002.2022 2 2023
105 pages
CIS Controls v8.1 Mapping To NIST CSF v2.0 6-24-2024 Final 1
No ratings yet
CIS Controls v8.1 Mapping To NIST CSF v2.0 6-24-2024 Final 1
92 pages
CIS Controls v8.1 Mapping To NIS2 Directive 2 2025
No ratings yet
CIS Controls v8.1 Mapping To NIS2 Directive 2 2025
228 pages
CIS Controls v8 Mapping To PCI DSS v4.0 9 2023
No ratings yet
CIS Controls v8 Mapping To PCI DSS v4.0 9 2023
168 pages
CIS Controls v8 234to ASD Essential Eight 2 2023
No ratings yet
CIS Controls v8 234to ASD Essential Eight 2 2023
107 pages
CIS Controls Guide v8.1.2 0325 v2
No ratings yet
CIS Controls Guide v8.1.2 0325 v2
146 pages
CIS Controls v8.1 Roadmap To The CIS Critical Security Controls 2024 1
No ratings yet
CIS Controls v8.1 Roadmap To The CIS Critical Security Controls 2024 1
18 pages
CIS Controls Version 8.1!6!24 2024
No ratings yet
CIS Controls Version 8.1!6!24 2024
46 pages
CIS Controls v8 Mapping To ISO - IEC 27002.2022 2022 0406
100% (4)
CIS Controls v8 Mapping To ISO - IEC 27002.2022 2022 0406
121 pages
CIS Controls v8.1 Mapping To NIST CSF v2.0 6 24 2024 Final 1
No ratings yet
CIS Controls v8.1 Mapping To NIST CSF v2.0 6 24 2024 Final 1
117 pages
CIS Controls v8.1 Mapping To NIST SP 800 53 Rev 5 Moderate and Low Ba
No ratings yet
CIS Controls v8.1 Mapping To NIST SP 800 53 Rev 5 Moderate and Low Ba
268 pages
CIS Controls v8 Mapping To HIPAA 2 2023
No ratings yet
CIS Controls v8 Mapping To HIPAA 2 2023
144 pages
NYS Cyber Security Toolkit
100% (1)
NYS Cyber Security Toolkit
112 pages
Technical Proposal - Supply of X-Ray Scanning Devices For Baggage and Parcels - ZATCA
No ratings yet
Technical Proposal - Supply of X-Ray Scanning Devices For Baggage and Parcels - ZATCA
95 pages
CIS Controls v8 Mapping To ISACA COBIT 19 2 2023
No ratings yet
CIS Controls v8 Mapping To ISACA COBIT 19 2 2023
148 pages
CIS Controls v8 Mapping To SOC2 1 2024
No ratings yet
CIS Controls v8 Mapping To SOC2 1 2024
144 pages
CIS Critical Security Controls (Center For Internet Security) (Z-Library)
No ratings yet
CIS Critical Security Controls (Center For Internet Security) (Z-Library)
96 pages
CIS Controls v8.1 Mapping To 800 171 Rev2 7 2024 1
No ratings yet
CIS Controls v8.1 Mapping To 800 171 Rev2 7 2024 1
104 pages
CIS Controls v8 NEW MAPPING To ISO - IEC 27001.2022 2 2023
No ratings yet
CIS Controls v8 NEW MAPPING To ISO - IEC 27001.2022 2 2023
109 pages
CIS Controls v8 Mapping To Microsoft Azure Security Benchmarkv3 2 202
No ratings yet
CIS Controls v8 Mapping To Microsoft Azure Security Benchmarkv3 2 202
224 pages
CIS Controls Version 8.1 Change Log 2024-06-24 Final Revised 1
No ratings yet
CIS Controls Version 8.1 Change Log 2024-06-24 Final Revised 1
169 pages
CIS Controls Version 8.1.2 Change Log March 2025
No ratings yet
CIS Controls Version 8.1.2 Change Log March 2025
164 pages
CIS Controls v8 Change Log Final
100% (1)
CIS Controls v8 Change Log Final
222 pages
CIS RAM v2.1 For IG1 Workbook.22.05
No ratings yet
CIS RAM v2.1 For IG1 Workbook.22.05
174 pages
CIS Controls v8 Mapping To NIST SP 800 53 Rev 5 Moderate and Low Base
No ratings yet
CIS Controls v8 Mapping To NIST SP 800 53 Rev 5 Moderate and Low Base
264 pages
CIS Controls v8 Mapping To ISACA COBIT 19 V21.10.spreadsheets
100% (1)
CIS Controls v8 Mapping To ISACA COBIT 19 V21.10.spreadsheets
88 pages
CIS Controls v8 Mapping To SOC2 2 2023
100% (1)
CIS Controls v8 Mapping To SOC2 2 2023
68 pages
CIS CAS Controls Tenable
No ratings yet
CIS CAS Controls Tenable
190 pages
CIS Controls v8 Mapping To PCI v3.2.1 Final 08-19-2021
100% (1)
CIS Controls v8 Mapping To PCI v3.2.1 Final 08-19-2021
113 pages
CIS Controls v8.1 Mapping To PCI DSS v4.0!6!2024!07!15
No ratings yet
CIS Controls v8.1 Mapping To PCI DSS v4.0!6!2024!07!15
172 pages
CIS Controls v8 Mapping To SOC2!2!2023
No ratings yet
CIS Controls v8 Mapping To SOC2!2!2023
152 pages
CIS Controls v8 Mapping To UK NCSC Cyber Assessment Framework v3.1 - 8-16-2022
No ratings yet
CIS Controls v8 Mapping To UK NCSC Cyber Assessment Framework v3.1 - 8-16-2022
115 pages
CIS Controls v8 Mapping To CSF 2.0 February 2024
No ratings yet
CIS Controls v8 Mapping To CSF 2.0 February 2024
100 pages
The Antivirus Hacker's Handbook
From Everand
The Antivirus Hacker's Handbook
Joxean Koret
No ratings yet
CIS Controls v8 Mapping To 800 171 Rev 2 5 24 2021
No ratings yet
CIS Controls v8 Mapping To 800 171 Rev 2 5 24 2021
81 pages
CIS Controls v8 Mapping To CMMC v2 0 4 2023
No ratings yet
CIS Controls v8 Mapping To CMMC v2 0 4 2023
154 pages
CIS Controls v8 Mapping To GSMA FS.31 Baseline Security Controls v2.0
No ratings yet
CIS Controls v8 Mapping To GSMA FS.31 Baseline Security Controls v2.0
106 pages
CIS Controls v8.1 Mapping To DORA 1 2025
No ratings yet
CIS Controls v8.1 Mapping To DORA 1 2025
116 pages
CIS Controls v8.1 Mapping To CSA Cloud Controls Matrix v4 2024 07 19
No ratings yet
CIS Controls v8.1 Mapping To CSA Cloud Controls Matrix v4 2024 07 19
133 pages
CIS Controls v8 Change Log
No ratings yet
CIS Controls v8 Change Log
222 pages
CIS Controls v8 Mapping To NIST CSF FINAL 06 11 2021
No ratings yet
CIS Controls v8 Mapping To NIST CSF FINAL 06 11 2021
111 pages
CIS Controls v8 Mapping To PCI DSS v40
No ratings yet
CIS Controls v8 Mapping To PCI DSS v40
151 pages
Controles de Seguridad Críticos de CIS
No ratings yet
Controles de Seguridad Críticos de CIS
144 pages
CIS Controls v8 CMMC Mapping 5-24-2021
No ratings yet
CIS Controls v8 CMMC Mapping 5-24-2021
118 pages
CIS Controls v8 CMMC Mapping
No ratings yet
CIS Controls v8 CMMC Mapping
122 pages
CIS Controls v7.1 Mapping PCI DSS V1.0.a
No ratings yet
CIS Controls v7.1 Mapping PCI DSS V1.0.a
126 pages
CIS Controls v8 Mapping To CSA Cloud Controls Matrix v4 2 2023
No ratings yet
CIS Controls v8 Mapping To CSA Cloud Controls Matrix v4 2 2023
119 pages
CIS Controls v8.1 Mapping To ISO - IEC 27001.2022 6 2024 07 15
No ratings yet
CIS Controls v8.1 Mapping To ISO - IEC 27001.2022 6 2024 07 15
105 pages
CIS Controls v8 Mapping To NERC CIP 2 2023
No ratings yet
CIS Controls v8 Mapping To NERC CIP 2 2023
180 pages
Data Management Policy Template For CIS Control 3
No ratings yet
Data Management Policy Template For CIS Control 3
18 pages
Blockchain Technology Unit I II III Notes
No ratings yet
Blockchain Technology Unit I II III Notes
43 pages
CIS Controls v8 Mapping To SOC2 Final 08-19-2021
No ratings yet
CIS Controls v8 Mapping To SOC2 Final 08-19-2021
105 pages
Cis Controls v8 Mapping To Nist CSF Final 06-11-2021
No ratings yet
Cis Controls v8 Mapping To Nist CSF Final 06-11-2021
111 pages
CIS Controls v8 Mapping To ASD Essential Eight 2 2023
No ratings yet
CIS Controls v8 Mapping To ASD Essential Eight 2 2023
107 pages
CIS Controls v8 Mapping To 800 171 Rev 2 2 2023
No ratings yet
CIS Controls v8 Mapping To 800 171 Rev 2 2 2023
96 pages
CSC-MASTER-VER 6.0 CIS Critical Security Controls 10.15.2015
No ratings yet
CSC-MASTER-VER 6.0 CIS Critical Security Controls 10.15.2015
94 pages
CIS Controls v8 Mapping To ASD Essential Eight - 2-2023
No ratings yet
CIS Controls v8 Mapping To ASD Essential Eight - 2-2023
82 pages
Why Domotz Is Critical To Your Security
No ratings yet
Why Domotz Is Critical To Your Security
51 pages
SABIC CyberTrust Standard v1.0
No ratings yet
SABIC CyberTrust Standard v1.0
18 pages
Gartner It Score For Security Risk Management Sample Excerpt
No ratings yet
Gartner It Score For Security Risk Management Sample Excerpt
9 pages
1691635482591CNMP3C6KVCXSO92
No ratings yet
1691635482591CNMP3C6KVCXSO92
1 page
Critical Controls Poster 2016
No ratings yet
Critical Controls Poster 2016
2 pages
Car Rental Project
No ratings yet
Car Rental Project
23 pages
Cis Controls V7.1: Center For Internet Security
No ratings yet
Cis Controls V7.1: Center For Internet Security
5 pages
The Top Five Controls
No ratings yet
The Top Five Controls
4 pages
CIS Controls V7.1 8.5x11 Singles 2
No ratings yet
CIS Controls V7.1 8.5x11 Singles 2
4 pages
WCNA Practice Questions
50% (2)
WCNA Practice Questions
18 pages
EN EN: European Commission
No ratings yet
EN EN: European Commission
16 pages
IP Surveillance Project (Group 18)
No ratings yet
IP Surveillance Project (Group 18)
27 pages
ECSPKY Manual
No ratings yet
ECSPKY Manual
14 pages
Creating A Wordpress Blog GUIDE
No ratings yet
Creating A Wordpress Blog GUIDE
14 pages
Google: Don T Be Evil or Don T Be Good
No ratings yet
Google: Don T Be Evil or Don T Be Good
51 pages
Integration of RACS 5 Through Web Services API
No ratings yet
Integration of RACS 5 Through Web Services API
42 pages
Database Management System: Chapter 24: Database Security (Part 2)
No ratings yet
Database Management System: Chapter 24: Database Security (Part 2)
20 pages
Company Product Profile: Office Furniture
No ratings yet
Company Product Profile: Office Furniture
12 pages
Authority Class 7
No ratings yet
Authority Class 7
18 pages
Pricing Structure (Snypher)
No ratings yet
Pricing Structure (Snypher)
4 pages
Wonderful Communication, Mobile Life.: Mobile Partner User Manual
No ratings yet
Wonderful Communication, Mobile Life.: Mobile Partner User Manual
24 pages
Weekly Home Learning Plan: Grade: 4 Week: 5 Quarter: 1
100% (1)
Weekly Home Learning Plan: Grade: 4 Week: 5 Quarter: 1
4 pages
Information Security Assessment Questionnaire
No ratings yet
Information Security Assessment Questionnaire
7 pages
HHHH
No ratings yet
HHHH
2 pages
Rejected Applicants
No ratings yet
Rejected Applicants
10 pages
PRMA Registration Form
100% (2)
PRMA Registration Form
1 page
Deloitte Coverletter
No ratings yet
Deloitte Coverletter
2 pages
VTR 34 PDF
No ratings yet
VTR 34 PDF
2 pages
Fmea
No ratings yet
Fmea
5 pages
Honeywell 5877GDPK Programming Guide
No ratings yet
Honeywell 5877GDPK Programming Guide
2 pages
Commercial Network Operations Application
No ratings yet
Commercial Network Operations Application
2 pages
Exam Profile - Personal Details
No ratings yet
Exam Profile - Personal Details
1 page
Ec Notification of Compliance: Nippon Kaiji Kyokai (Netherlands) B.V
No ratings yet
Ec Notification of Compliance: Nippon Kaiji Kyokai (Netherlands) B.V
2 pages