CIS Controls v8.1
Critical Security Controls for Effective Cyber Defense
Showing 153 safeguards in IG3
For organizations with mature security programs facing sophisticated threats
1 — Inventory and Control of Enterprise Assets (5 safeguards)
2 — Inventory and Control of Software Assets (7 safeguards)
3 — Data Protection (14 safeguards)
3.1 Establish and Maintain a Data Management Process
3.2 Establish and Maintain a Data Inventory
3.3 Configure Data Access Control Lists
3.4 Enforce Data Retention
3.5 Securely Dispose of Data
3.6 Encrypt Data on End-User Devices
3.7 Establish and Maintain a Data Classification Scheme
3.8 Document Data Flows
3.9 Encrypt Data on Removable Media
3.10 Encrypt Sensitive Data in Transit
3.11 Encrypt Sensitive Data at Rest
3.12 Segment Data Processing and Storage Based on Sensitivity
3.13 Deploy a Data Loss Prevention Solution
3.14 Log Sensitive Data Access
4 — Secure Configuration of Enterprise Assets and Software (12 safeguards)
4.1 Establish and Maintain a Secure Configuration Process
4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
4.3 Configure Automatic Session Locking on Enterprise Assets
4.4 Implement and Manage a Firewall on Servers
4.5 Implement and Manage a Firewall on End-User Devices
4.6 Securely Manage Enterprise Assets and Software
4.7 Manage Default Accounts on Enterprise Assets and Software
4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
4.9 Configure Trusted DNS Servers on Enterprise Assets
4.10 Enforce Automatic Device Lockout on Portable End-User Devices
4.11 Enforce Remote Wipe Capability on Portable End-User Devices
4.12 Separate Enterprise Workspaces on Mobile End-User Devices
5 — Account Management (6 safeguards)
6 — Access Control Management (8 safeguards)
6.1 Establish an Access Granting Process
6.2 Establish an Access Revoking Process
6.3 Require MFA for Externally-Exposed Applications
6.4 Require MFA for Remote Network Access
6.5 Require MFA for Administrative Access
6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems
6.7 Centralize Access Control
6.8 Define and Maintain Role-Based Access Control
7 — Continuous Vulnerability Management (7 safeguards)
7.1 Establish and Maintain a Vulnerability Management Process
7.2 Establish and Maintain a Remediation Process
7.3 Perform Automated Operating System Patch Management
7.4 Perform Automated Application Patch Management
7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
7.7 Remediate Detected Vulnerabilities
8 — Audit Log Management (12 safeguards)
8.1 Establish and Maintain an Audit Log Management Process
8.2 Collect Audit Logs
8.3 Ensure Adequate Audit Log Storage
8.4 Standardize Time Synchronization
8.5 Collect Detailed Audit Logs
8.6 Collect DNS Query Audit Logs
8.7 Collect URL Request Audit Logs
8.8 Collect Command-Line Audit Logs
8.9 Centralize Audit Logs
8.10 Retain Audit Logs
8.11 Conduct Audit Log Reviews
8.12 Collect Service Provider Logs
9 — Email and Web Browser Protections (7 safeguards)
9.1 Ensure Use of Only Fully Supported Browsers and Email Clients
9.2 Use DNS Filtering Services
9.3 Maintain and Enforce Network-Based URL Filters
9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
9.5 Implement DMARC
9.6 Block Unnecessary File Types
9.7 Deploy and Maintain Email Server Anti-Malware Protections
10 — Malware Defenses (7 safeguards)
10.1 Deploy and Maintain Anti-Malware Software
10.2 Configure Automatic Anti-Malware Signature Updates
10.3 Disable Autorun and Autoplay for Removable Media
10.4 Configure Automatic Anti-Malware Scanning of Removable Media
10.5 Enable Anti-Exploitation Features
10.6 Centrally Manage Anti-Malware Software
10.7 Use Behavior-Based Anti-Malware Software
11 — Data Recovery (5 safeguards)
12 — Network Infrastructure Management (8 safeguards)
12.1 Ensure Network Infrastructure is Up-to-Date
12.2 Establish and Maintain a Secure Network Architecture
12.3 Securely Manage Network Infrastructure
12.4 Establish and Maintain Architecture Diagram(s)
12.5 Centralize Network Authentication, Authorization, and Auditing (AAA)
12.6 Use of Secure Network Management and Communication Protocols
12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work
13 — Network Monitoring and Defense (11 safeguards)
13.1 Centralize Security Event Alerting
13.2 Deploy a Host-Based Intrusion Detection Solution
13.3 Deploy a Network Intrusion Detection Solution
13.4 Perform Traffic Filtering Between Network Segments
13.5 Manage Access Control for Remote Assets
13.6 Collect Network Traffic Flow Logs
13.7 Deploy a Host-Based Intrusion Prevention Solution
13.8 Deploy a Network Intrusion Prevention Solution
13.9 Deploy Port-Level Access Control
13.10 Perform Application Layer Filtering
13.11 Tune Security Event Alerting Thresholds
14 — Security Awareness and Skills Training (9 safeguards)
14.1 Establish and Maintain a Security Awareness Program
14.2 Train Workforce Members to Recognize Social Engineering Attacks
14.3 Train Workforce Members on Authentication Best Practices
14.4 Train Workforce on Data Handling Best Practices
14.5 Train Workforce Members on Causes of Unintentional Data Exposure
14.6 Train Workforce Members on Recognizing and Reporting Security Incidents
14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
14.9 Conduct Role-Specific Security Awareness and Skills Training
15 — Service Provider Management (7 safeguards)
15.1 Establish and Maintain an Inventory of Service Providers
15.2 Establish and Maintain a Service Provider Management Policy
15.3 Classify Service Providers
15.4 Ensure Service Provider Contracts Include Security Requirements
15.5 Assess Service Providers
15.6 Monitor Service Providers
15.7 Securely Decommission Service Providers
16 — Application Software Security (14 safeguards)
16.1 Establish and Maintain a Secure Application Development Process
16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities
16.3 Perform Root Cause Analysis on Security Vulnerabilities
16.4 Establish and Manage an Inventory of Third-Party Software Components
16.5 Use Up-to-Date and Trusted Third-Party Software Components
16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
16.7 Use Standard Hardening Configuration Templates for Application Infrastructure
16.8 Separate Production and Non-Production Systems
16.9 Train Developers in Application Security Concepts and Secure Coding
16.10 Apply Secure Design Principles in Application Architectures
16.11 Leverage Vetted Modules or Services for Application Security Components
16.12 Implement Code-Level Security Checks
16.13 Conduct Application Penetration Testing
16.14 Conduct Threat Modeling
17 — Incident Response Management (9 safeguards)
17.1 Designate Personnel to Manage Incident Handling
17.2 Establish and Maintain Contact Information for Reporting Security Incidents
17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
17.4 Establish and Maintain an Incident Response Process
17.5 Assign Key Roles and Responsibilities
17.6 Define Mechanisms for Communicating During Incident Response
17.7 Conduct Routine Incident Response Exercises
17.8 Conduct Post-Incident Reviews
17.9 Establish and Maintain Security Incident Thresholds