CIS Controls v8.1
Critical Security Controls for Effective Cyber Defense
Showing 130 safeguards in IG2
For organizations with greater risk exposure or more resources
1 — Inventory and Control of Enterprise Assets (4 safeguards)
2 — Inventory and Control of Software Assets (6 safeguards)
3 — Data Protection (12 safeguards)
3.1 Establish and Maintain a Data Management Process
3.2 Establish and Maintain a Data Inventory
3.3 Configure Data Access Control Lists
3.4 Enforce Data Retention
3.5 Securely Dispose of Data
3.6 Encrypt Data on End-User Devices
3.7 Establish and Maintain a Data Classification Scheme
3.8 Document Data Flows
3.9 Encrypt Data on Removable Media
3.10 Encrypt Sensitive Data in Transit
3.11 Encrypt Sensitive Data at Rest
3.12 Segment Data Processing and Storage Based on Sensitivity
4 — Secure Configuration of Enterprise Assets and Software (11 safeguards)
4.1 Establish and Maintain a Secure Configuration Process
4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
4.3 Configure Automatic Session Locking on Enterprise Assets
4.4 Implement and Manage a Firewall on Servers
4.5 Implement and Manage a Firewall on End-User Devices
4.6 Securely Manage Enterprise Assets and Software
4.7 Manage Default Accounts on Enterprise Assets and Software
4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
4.9 Configure Trusted DNS Servers on Enterprise Assets
4.10 Enforce Automatic Device Lockout on Portable End-User Devices
4.11 Enforce Remote Wipe Capability on Portable End-User Devices
5 — Account Management (6 safeguards)
6 — Access Control Management (7 safeguards)
6.1 Establish an Access Granting Process
6.2 Establish an Access Revoking Process
6.3 Require MFA for Externally-Exposed Applications
6.4 Require MFA for Remote Network Access
6.5 Require MFA for Administrative Access
6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems
6.7 Centralize Access Control
7 — Continuous Vulnerability Management (7 safeguards)
7.1 Establish and Maintain a Vulnerability Management Process
7.2 Establish and Maintain a Remediation Process
7.3 Perform Automated Operating System Patch Management
7.4 Perform Automated Application Patch Management
7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
7.7 Remediate Detected Vulnerabilities
8 — Audit Log Management (11 safeguards)
8.1 Establish and Maintain an Audit Log Management Process
8.2 Collect Audit Logs
8.3 Ensure Adequate Audit Log Storage
8.4 Standardize Time Synchronization
8.5 Collect Detailed Audit Logs
8.6 Collect DNS Query Audit Logs
8.7 Collect URL Request Audit Logs
8.8 Collect Command-Line Audit Logs
8.9 Centralize Audit Logs
8.10 Retain Audit Logs
8.11 Conduct Audit Log Reviews
9 — Email and Web Browser Protections (6 safeguards)
10 — Malware Defenses (7 safeguards)
10.1 Deploy and Maintain Anti-Malware Software
10.2 Configure Automatic Anti-Malware Signature Updates
10.3 Disable Autorun and Autoplay for Removable Media
10.4 Configure Automatic Anti-Malware Scanning of Removable Media
10.5 Enable Anti-Exploitation Features
10.6 Centrally Manage Anti-Malware Software
10.7 Use Behavior-Based Anti-Malware Software
11 — Data Recovery (5 safeguards)
12 — Network Infrastructure Management (7 safeguards)
12.1 Ensure Network Infrastructure is Up-to-Date
12.2 Establish and Maintain a Secure Network Architecture
12.3 Securely Manage Network Infrastructure
12.4 Establish and Maintain Architecture Diagram(s)
12.5 Centralize Network Authentication, Authorization, and Auditing (AAA)
12.6 Use of Secure Network Management and Communication Protocols
12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
13 — Network Monitoring and Defense (6 safeguards)
14 — Security Awareness and Skills Training (9 safeguards)
14.1 Establish and Maintain a Security Awareness Program
14.2 Train Workforce Members to Recognize Social Engineering Attacks
14.3 Train Workforce Members on Authentication Best Practices
14.4 Train Workforce on Data Handling Best Practices
14.5 Train Workforce Members on Causes of Unintentional Data Exposure
14.6 Train Workforce Members on Recognizing and Reporting Security Incidents
14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
14.9 Conduct Role-Specific Security Awareness and Skills Training
15 — Service Provider Management (4 safeguards)
16 — Application Software Security (11 safeguards)
16.1 Establish and Maintain a Secure Application Development Process
16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities
16.3 Perform Root Cause Analysis on Security Vulnerabilities
16.4 Establish and Manage an Inventory of Third-Party Software Components
16.5 Use Up-to-Date and Trusted Third-Party Software Components
16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
16.7 Use Standard Hardening Configuration Templates for Application Infrastructure
16.8 Separate Production and Non-Production Systems
16.9 Train Developers in Application Security Concepts and Secure Coding
16.10 Apply Secure Design Principles in Application Architectures
16.11 Leverage Vetted Modules or Services for Application Security Components
17 — Incident Response Management (8 safeguards)
17.1 Designate Personnel to Manage Incident Handling
17.2 Establish and Maintain Contact Information for Reporting Security Incidents
17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
17.4 Establish and Maintain an Incident Response Process
17.5 Assign Key Roles and Responsibilities
17.6 Define Mechanisms for Communicating During Incident Response
17.7 Conduct Routine Incident Response Exercises
17.8 Conduct Post-Incident Reviews