CIS Controls v8 Mapping To ISO - IEC 27002.2022 2022 0406 [PDF]

Zitiervorschau

This document contains mappings of the CIS Controls and Safeguards to ISO (the International Organizatio International Electrotechnical Commission) 27002:2022 - Information Security, cybersecurity and privacy pr

Contact Information CIS 31 Tech Valley Drive East Greenbush, NY 12061 518.266.3460 [email protected] Editors Thomas Sager Contributors Tony Krzyzewski

License for Use

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th the prior approval of CIS® (Center for Internet Security, Inc.).

es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-

are authorized to copy and redistribute the content as a framework for use by you, within your hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you als. Users of the CIS Controls framework are also required to refer to at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to

Mapping Methodology

Mapping Methodology

This page describes the methodology used to map the CIS Critical Security Controls to ISO/IEC 21002:202 Reference link for ISO/IEC 27002:2022: https://www.iso.org/standard/54533.html

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus Where the CIS Controls are written to be a single ask per safeguard, ISO/IEC 27002

The general strategy used is to identify all of the aspects within a control and attempt to discern if both item CIS Control 6.1 - Establish an Access Granting Process

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following: • A clearly documented process, covering both new employees and changes in access.

• All relevant enteprise access control must be covered under this process, there can be no seperation whe

• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s • The same process is followed every time a user's rights change, so a user never amasses greater rights

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not

The relationships can be further analyzed to understand how similar or different the two defensive mitigatio The relationship column will contain one of 5 possible values: • Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.

• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS

• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat

• Intersects: Although the CIS Control and the defensive mitigation have many similarities, neither is contai awareness program and another requiring an information governance program. • No relationship: This will be represented by a blank cell. The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this < Examples:

CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to ISO/IEC 8.31

CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of ISO/IEC 7.14 "Secure disposal or re-use of

The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T the relationship will often be "Subset."

Mappings are available from a variety of sources online, and different individuals may make their own deci other mapping.

If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c https://workbench.cisecurity.org/communities/94

CIS Controls Navigator

Remember to download the CIS Controls Version 8 Guide where you can learn more about: - This Version of the CIS Controls - The CIS Controls Ecosystem ("It's not about the list') - How to Get Started - Using or Transitioning from Prior Versions of the CIS Controls - Structure of the CIS Controls - Implementation Groups - Why is this Controls critical - Procedures and tools https://www.cisecurity.org/controls/v8/

A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and mappings to multiple frameworks. https://www.cisecurity.org/controls/v8/

Join our community where you can discuss the CIS Controls with our global army of experts and voluneers! https://workbench.cisecurity.org/dashboard

CIS CIS Asset Type Control Safeguard

Security Function

1

Title

Inventory and Control of Enterprise Assets

Actively manage (inventory, track, and corr mobile; network devices; non-computing/In infrastructure physically, virtually, remotely totality of assets that need to be monitored identifying unauthorized and unmanaged as

1

1.1

Devices

Identify

Establish and Maintain Detailed Enterprise Asset Inventory

1

1.1

Devices

Identify

Establish and Maintain Detailed Enterprise Asset Inventory

1

1.2

Devices

1

1.3

Devices

Respond Address Unauthorized Assets Detect

Utilize an Active Discovery Tool

1

1.4

Devices

Identify

Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

1

1.5

Devices

Detect

Use a Passive Asset Discovery Tool

2

Inventory and Control of Software Assets

Actively manage (inventory, track, and corr network so that only authorized software is software is found and prevented from insta

2

2.1

Applications

Identify

Establish and Maintain a Software Inventory

2

2.4

Applications

Detect

Utilize Automated Software Inventory Tools

2

2.5

Applications

Protect

Allowlist Authorized Software

2

2.5

Applications

Protect

Allowlist Authorized Software

2

2.6

Applications

Protect

Allowlist Authorized Libraries

2

2.7

Applications

Protect

Allowlist Authorized Scripts

3

Data Protection

Develop processes and technical controls t

3

3.1

Data

Identify

Establish and Maintain a Data Management Process

3

3.1

Data

Identify

Establish and Maintain a Data Management Process

3

3.1

Data

Identify

Establish and Maintain a Data Management Process

3

3.2

Data

Identify

Establish and Maintain a Data Inventory

3

3.3

Data

Protect

Configure Data Access Control Lists

3

3.3

Data

Protect

Configure Data Access Control Lists

3

3.3

Data

Protect

Configure Data Access Control Lists

3

3.3

Data

Protect

Configure Data Access Control Lists

3

3.4

Data

Protect

Enforce Data Retention

3

3.5

Data

Protect

Securely Dispose of Data

3

3.5

Data

Protect

Securely Dispose of Data

3

3.5

Data

Protect

Securely Dispose of Data

3

3.6

Devices

Protect

Encrypt Data on End-User Devices

3

3.6

Devices

Protect

Encrypt Data on End-User Devices

3

3.6

Devices

Protect

Encrypt Data on End-User Devices

3

3.7

Data

Identify

Establish and Maintain a Data Classification Scheme

3

3.7

Data

Identify

Establish and Maintain a Data Classification Scheme

3

3.7

Data

Identify

Establish and Maintain a Data Classification Scheme

3

3.7

Data

Identify

Establish and Maintain a Data Classification Scheme

3

3.7

Data

Identify

Establish and Maintain a Data Classification Scheme

3

3.8

Data

Identify

Document Data Flows

3

3.9

Data

Protect

Encrypt Data on Removable Media

3

3.9

Data

Protect

Encrypt Data on Removable Media

3

3.10

Data

Protect

Encrypt Sensitive Data in Transit

3

3.11

Data

Protect

Encrypt Sensitive Data at Rest

3

3.12

Network

Protect

Segment Data Processing and Storage Based on Sensitivity

3

3.12

Network

Protect

Segment Data Processing and Storage Based on Sensitivity

3

3.13

Data

Protect

Deploy a Data Loss Prevention Solution

3

3.13

Data

Protect

Deploy a Data Loss Prevention Solution

3

3.14

Data

Detect

Log Sensitive Data Access

4

Secure Configuration of Enterprise Assets a

Establish and maintain the secure configura mobile; network devices; non-computing/Io applications).

4

4.1

Applications

Protect

Establish and Maintain a Secure Configuration Process

4

4.1

Applications

Protect

Establish and Maintain a Secure Configuration Process

4

4.2

Network

Protect

Establish and Maintain a Secure Configuration Process for Network Infrastructure

4

4.3

Users

Protect

Configure Automatic Session Locking on Enterprise Assets

4

4.3

Users

Protect

Configure Automatic Session Locking on Enterprise Assets

4

4.4

Devices

Protect

Implement and Manage a Firewall on Servers

4

4.5

Devices

Protect

Implement and Manage a Firewall on End-User Devices

4

4.5

Devices

Protect

Implement and Manage a Firewall on End-User Devices

4

4.7

Users

Protect

Manage Default Accounts on Enterprise Assets and Software

4

4.7

Users

Protect

Manage Default Accounts on Enterprise Assets and Software

4

4.8

Devices

Protect

Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

4

4.9

Devices

Protect

Configure Trusted DNS Servers on Enterprise Assets

Enforce Automatic Device Respond Lockout on Portable End-User Devices

4

4.10

Devices

4

4.11

Devices

Protect

Enforce Remote Wipe Capability on Portable EndUser Devices

4

4.11

Devices

Protect

Enforce Remote Wipe Capability on Portable EndUser Devices

Protect

Separate Enterprise Workspaces on Mobile EndUser Devices

Protect

Separate Enterprise Workspaces on Mobile EndUser Devices

4

4

4.12

4.12

Devices

Devices

5

Account Management

Use processes and tools to assign and man administrator accounts, as well as service a

5

5.1

Users

Identify

Establish and Maintain an Inventory of Accounts

5

5.2

Users

Protect

Use Unique Passwords

5

5.3

Users

5

5.4

Users

Respond Disable Dormant Accounts Protect

Restrict Administrator Privileges to Dedicated Administrator Accounts

5

5.4

Users

Protect

Restrict Administrator Privileges to Dedicated Administrator Accounts

5

5.5

Users

Identify

Establish and Maintain an Inventory of Service Accounts

5

5.5

Users

Identify

Establish and Maintain an Inventory of Service Accounts

5

5.6

Users

Protect

Centralize Account Management

6

Access Control Management

Use processes and tools to create, assign, administrator, and service accounts for ent

6

6.1

Users

Protect

Establish an Access Granting Process

6

6.1

Users

Protect

Establish an Access Granting Process

6

6.1

Users

Protect

Establish an Access Granting Process

6

6.2

Users

Protect

Establish an Access Revoking Process

6

6.2

Users

Protect

Establish an Access Revoking Process

6

6.2

Users

Protect

Establish an Access Revoking Process

6

6.3

Users

Protect

Require MFA for ExternallyExposed Applications

6

6.4

Users

Protect

Require MFA for Remote Network Access

6

6.5

Users

Protect

Require MFA for Administrative Access

6

6.6

Users

Identify

Establish and Maintain an Inventory of Authentication and Authorization Systems

6

6.7

Users

Protect

Centralize Access Control

6

6.8

Data

Protect

Define and Maintain RoleBased Access Control

6

6.8

Data

Protect

Define and Maintain RoleBased Access Control

6

6.8

Data

Protect

Define and Maintain RoleBased Access Control

6

6.8

Data

Protect

Define and Maintain RoleBased Access Control

7

Continuous Vulnerability Management

Develop a plan to continuously assess and infrastructure, in order to remediate, and m private industry sources for new threat and Establish and Maintain a Vulnerability Management Process

7

7.1

Applications

Protect

7

7.2

Applications

Respond

7

7.3

Applications

Protect

Perform Automated Operating System Patch Management

7

7.4

Applications

Protect

Perform Automated Application Patch Management

7

7.5

Applications

Identify

Perform Automated Vulnerability Scans of Internal Enterprise Assets Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

7

7.6

Applications

Identify

7

7.7

Applications

Respond

8

Establish and Maintain a Remediation Process

Remediate Detected Vulnerabilities

Audit Log Management

Collect, alert, review, and retain audit logs o attack.

Protect

Establish and Maintain an Audit Log Management Process

8

8.1

Network

8

8.1

Network

8

8.2

Network

Detect

Collect Audit Logs

8

8.2

Network

Detect

Collect Audit Logs

8

8.3

Network

Protect

Ensure Adequate Audit Log Storage

8

8.4

Network

Protect

Standardize Time Synchronization

8

8.5

Network

Detect

Collect Detailed Audit Logs

8

8.5

Network

Detect

Collect Detailed Audit Logs

8

8.6

Network

Detect

Collect DNS Query Audit Logs

8

8.7

Network

Detect

Collect URL Request Audit Logs

8

8.8

Devices

Detect

Collect Command-Line Audit Logs

8

8.9

Network

Detect

Centralize Audit Logs

Establish and Maintain an Audit Log Management Process

8

8.10

Network

Protect

Retain Audit Logs

8

8.11

Network

Detect

Conduct Audit Log Reviews

8

8.12

Data

Detect

Collect Service Provider Logs

9

Email and Web Browser Protections

Improve protections and detections of threa attackers to manipulate human behavior thr 9

9.1

Applications

Protect

Ensure Use of Only Fully Supported Browsers and Email Clients

9

9.2

Network

Protect

Use DNS Filtering Services

9

9.3

Network

Protect

Maintain and Enforce NetworkBased URL Filters

9

9.3

Network

Protect

Maintain and Enforce NetworkBased URL Filters

9

9.4

Applications

Protect

Restrict Unnecessary or Unauthorized Browser and Email Client Extensions

9

9.5

Network

Protect

Implement DMARC

9

9.6

Network

Protect

Block Unnecessary File Types

9

9.7

Network

Protect

Deploy and Maintain Email Server Anti-Malware Protections

10

Malware Defenses

Prevent or control the installation, spread, a enterprise assets. Deploy and Maintain AntiMalware Software Deploy and Maintain AntiMalware Software Configure Automatic AntiMalware Signature Updates

10

10.1

Devices

Protect

10

10.1

Devices

Protect

10

10.2

Devices

Protect

10

10.3

Devices

Protect

Disable Autorun and Autoplay for Removable Media

10

10.4

Devices

Detect

Configure Automatic AntiMalware Scanning of Removable Media

10

10.4

Devices

Detect

Configure Automatic AntiMalware Scanning of Removable Media

10

10.5

Devices

Protect

Enable Anti-Exploitation Features

10

10.6

Devices

Protect

10

10.7

Devices

Detect

11

Centrally Manage Anti-Malware Software Use Behavior-Based AntiMalware Software Data Recovery

Establish and maintain data recovery practi and trusted state.

11

11.1

Data

Recover

Establish and Maintain a Data Recovery Process 

11

11.2

Data

Recover Perform Automated Backups 

11

11.3

Data

Protect

Protect Recovery Data

11

11.3

Data

Protect

Protect Recovery Data

11

11.4

Data

Establish and Maintain an Recover Isolated Instance of Recovery Data 

11

11.5

Data

Recover Test Data Recovery

Network Infrastructure Management

12

Establish, implement, and actively manage attackers from exploiting vulnerable networ

12

12.1

Network

Protect

Ensure Network Infrastructure is Up-to-Date

12

12.2

Network

Protect

Establish and Maintain a Secure Network Architecture

12

12.3

Network

Protect

Securely Manage Network Infrastructure

12

12.4

Network

Identify

Establish and Maintain Architecture Diagram(s)

12

12.5

Network

Protect

Centralize Network Authentication, Authorization, and Auditing (AAA)

12

12.6

Network

Protect

Use of Secure Network Management and Communication Protocols 

12

12

12

12

12

12.7

12.7

12.7

12.8

12.8

Devices

Devices

Devices

Devices

Devices

Protect

Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure

Protect

Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure

Protect

Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure

Protect

Establish and Maintain Dedicated Computing Resources for All Administrative Work

Protect

Establish and Maintain Dedicated Computing Resources for All Administrative Work Network Monitoring and Defense

13

Operate processes and tooling to establish against security threats across the enterpri

13

13.1

Network

Detect

Centralize Security Event Alerting

13

13.2

Devices

Detect

Deploy a Host-Based Intrusion Detection Solution

13

13.3

Network

Detect

Deploy a Network Intrusion Detection Solution

13

13.3

Network

Detect

Deploy a Network Intrusion Detection Solution

13

13.4

Network

Protect

Perform Traffic Filtering Between Network Segments

13

13.4

Network

Protect

Perform Traffic Filtering Between Network Segments

13

13.5

Devices

Protect

Manage Access Control for Remote Assets

13

13.5

Devices

Protect

Manage Access Control for Remote Assets

13

13.5

Devices

Protect

Manage Access Control for Remote Assets

13

13.6

Network

Detect

Collect Network Traffic Flow Logs

13

13.6

Network

Detect

Collect Network Traffic Flow Logs

13

13.7

Devices

Protect

Deploy a Host-Based Intrusion Prevention Solution

13

13.8

Network

Protect

Deploy a Network Intrusion Prevention Solution

13

13.9

Devices

Protect

Deploy Port-Level Access Control

13

13.10

Network

Protect

Perform Application Layer Filtering

13

13.11

Network

Detect

Tune Security Event Alerting Thresholds

14

Security Awareness and Skills Training

Establish and maintain a security awarenes conscious and properly skilled to reduce cy

14

14.1

N/A

Protect

Establish and Maintain a Security Awareness Program

14

14.2

N/A

Protect

Train Workforce Members to Recognize Social Engineering Attacks

14

14.3

N/A

Protect

Train Workforce Members on Authentication Best Practices

14

14.4

N/A

Protect

Train Workforce on Data Handling Best Practices

14

14

14

14.5

14.6

14.7

N/A

N/A

N/A

Protect

Train Workforce Members on Causes of Unintentional Data Exposure

Protect

Train Workforce Members on Recognizing and Reporting Security Incidents

Protect

Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

14

14.8

N/A

Protect

Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

14

14.9

N/A

Protect

Conduct Role-Specific Security Awareness and Skills Training

15

Service Provider Management

Develop a process to evaluate service prov critical IT platforms or processes, to ensure appropriately. 15

15.1

N/A

Identify

Establish and Maintain an Inventory of Service Providers

15

15.2

N/A

Identify

Establish and Maintain a Service Provider Management Policy

15

15.2

N/A

Identify

Establish and Maintain a Service Provider Management Policy

15

15.2

N/A

Identify

Establish and Maintain a Service Provider Management Policy

15

15.2

N/A

Identify

Establish and Maintain a Service Provider Management Policy

15

15.2

N/A

Identify

Establish and Maintain a Service Provider Management Policy

15

15.3

N/A

Identify

Classify Service Providers

15

15.4

N/A

Protect

Ensure Service Provider Contracts Include Security Requirements

Protect

Ensure Service Provider Contracts Include Security Requirements

15

15.4

N/A

15

15.4

N/A

Protect

Ensure Service Provider Contracts Include Security Requirements

15

15.5

N/A

Identify

Assess Service Providers

15

15.5

N/A

Identify

Assess Service Providers

15

15.5

N/A

Identify

Assess Service Providers

15

15.6

Data

Detect

Monitor Service Providers

15

15.6

Data

Detect

Monitor Service Providers

15

15.6

Data

Detect

Monitor Service Providers

15

15.6

Data

Detect

Monitor Service Providers

15

15.7

Data

Protect

Securely Decommission Service Providers

15

15.7

Data

Protect

Securely Decommission Service Providers

16

Application Software Security

Manage the security life cycle of in-house d remediate security weaknesses before they

16

16.1

Applications

Protect

Establish and Maintain a Secure Application Development Process

16

16.1

Applications

Protect

Establish and Maintain a Secure Application Development Process

16

16.1

Applications

Protect

Establish and Maintain a Secure Application Development Process

16

16.1

Applications

Protect

Establish and Maintain a Secure Application Development Process

16

16.2

Applications

Protect

Establish and Maintain a Process to Accept and Address Software Vulnerabilities

16

16.3

Applications

Protect

Perform Root Cause Analysis on Security Vulnerabilities

16

16.4

Applications

Protect

Establish and Manage an Inventory of Third-Party Software Components

16

16.4

Applications

Protect

Establish and Manage an Inventory of Third-Party Software Components

16

16.5

Applications

Protect

Use Up-to-Date and Trusted Third-Party Software Components

16

16.6

Applications

Protect

Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities

16

16.7

Applications

Protect

Use Standard Hardening Configuration Templates for Application Infrastructure

16

16.8

Applications

Protect

Separate Production and NonProduction Systems

16

16.9

Applications

Protect

Train Developers in Application Security Concepts and Secure Coding

16

16.10

Applications

Protect

Apply Secure Design Principles in Application Architectures

16

16.11

Applications

Protect

Leverage Vetted Modules or Services for Application Security Components

16

16.11

Applications

Protect

Leverage Vetted Modules or Services for Application Security Components

16

16.12

Applications

Protect

16

16.12

Applications

Protect

16

16.12

Applications

Protect

Implement Code-Level Security Checks Implement Code-Level Security Checks Implement Code-Level Security Checks

16

16.13

Applications

Protect

Conduct Application Penetration Testing

16

16.13

Applications

Protect

Conduct Application Penetration Testing

16

16.14

Applications

Protect

Conduct Threat Modeling

17

Incident Response Management

Establish a program to develop and maintai defined roles, training, and communications

Designate Personnel to Manage Incident Handling

17

17.1

N/A

Respond

17

17.2

N/A

Establish and Maintain Contact Respond Information for Reporting Security Incidents

N/A

Establish and Maintain Contact Respond Information for Reporting Security Incidents

17

17.2

17

17.2

N/A

Establish and Maintain Contact Respond Information for Reporting Security Incidents

17

17.2

N/A

Establish and Maintain Contact Respond Information for Reporting Security Incidents

17

17.3

N/A

Establish and Maintain an Respond Enterprise Process for Reporting Incidents

17

17.4

N/A

Respond

Establish and Maintain an Incident Response Process

17

17.4

N/A

Respond

Establish and Maintain an Incident Response Process

17

17.5

N/A

Respond

Assign Key Roles and Responsibilities

17

17.5

N/A

Respond

Assign Key Roles and Responsibilities

17

17.6

N/A

Define Mechanisms for Respond Communicating During Incident Response

17

17.7

N/A

Recover

Conduct Routine Incident Response Exercises

17

17.8

N/A

Recover Conduct Post-Incident Reviews

17

17.8

N/A

Recover Conduct Post-Incident Reviews

17

17.9

N/A

Recover

Establish and Maintain Security Incident Thresholds

17

17.9

N/A

Recover

Establish and Maintain Security Incident Thresholds

18

Penetration Testing

Test the effectiveness and resiliency of ente controls (people, processes, and technolog

18

18.1

N/A

Identify

Establish and Maintain a Penetration Testing Program

18

18.2

Network

Identify

Perform Periodic External Penetration Tests

18

18.3

Network

Protect

Remediate Penetration Test Findings

18

18.4

Network

Protect

Validate Security Measures

18

18.5

N/A

Identify

Perform Periodic Internal Penetration Tests

Description

l of Enterprise Assets

entory, track, and correct) all enterprise assets (end-user devices, including portable and ces; non-computing/Internet of Things (IoT) devices; and servers) connected to the ally, virtually, remotely, and those within cloud environments, to accurately know the need to be monitored and protected within the enterprise. This will also support zed and unmanaged assets to remove or remediate. Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently. Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently.

l of Software Assets

entory, track, and correct) all software (operating systems and applications) on the authorized software is installed and can execute, and that unauthorized and unmanaged d prevented from installation or execution. Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software. Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.

nd technical controls to identify, classify, securely handle, retain, and dispose of data.

Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines. Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity. Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity.

Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity.

Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Encrypt data on removable media.

Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory. Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory. Log sensitive data access, including modification and disposal.

of Enterprise Assets and Software

in the secure configuration of enterprise assets (end-user devices, including portable and ces; non-computing/IoT devices; and servers) and software (operating systems and Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.

Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts. Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise. Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise. Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data. Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.

ools to assign and manage authorization to credentials for user accounts, including ts, as well as service accounts, to enterprise assets and software. Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. Centralize account management through a directory or identity service.

ools to create, assign, manage, and revoke access credentials and privileges for user, rvice accounts for enterprise assets and software.

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user. Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user. Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.

Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.

Require MFA for remote network access. Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider. Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. Centralize access control for all enterprise assets through a directory service or SSO provider, where supported. Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

ility Management

ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s er to remediate, and minimize, the window of opportunity for attackers. Monitor public and ces for new threat and vulnerability information. Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.

Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.

Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.

Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.

and retain audit logs of events that could help detect, understand, or recover from an

Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when s Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. Collect DNS query audit logs on enterprise assets, where appropriate and supported. Collect URL request audit logs on enterprise assets, where appropriate and supported. Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals. Centralize, to the extent possible, audit log collection and retention across enterprise assets.

Retain audit logs across enterprise assets for a minimum of 90 days.

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.

ser Protections

and detections of threats from email and web vectors, as these are opportunities for ate human behavior through direct engagement. Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. Use DNS filtering services on all enterprise assets to block access to known malicious domains. Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications. To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. Block unnecessary file types attempting to enter the enterprise’s email gateway. Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.

e installation, spread, and execution of malicious applications, code, or scripts on Deploy and maintain anti-malware software on all enterprise assets. Deploy and maintain anti-malware software on all enterprise assets. Configure automatic updates for anti-malware signature files on all enterprise assets. Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

Configure anti-malware software to automatically scan removable media. Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™. Centrally manage anti-malware software. Use behavior-based anti-malware software.

in data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services. Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.

, and actively manage (track, report, correct) network devices, in order to prevent ting vulnerable network services and access points. Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported networkas-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Securely manage network infrastructure. Example implementations include versioncontrolled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS. Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Centralize network AAA. Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).

Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.

Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.

Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access.

nd tooling to establish and maintain comprehensive network monitoring and defense ats across the enterprise’s network infrastructure and user base. Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. Perform traffic filtering between network segments, where appropriate.

Perform traffic filtering between network segments, where appropriate. Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date antimalware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-todate. Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date antimalware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-todate. Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date antimalware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-todate. Collect network traffic flow logs and/or network traffic to review and alert upon from network devices. Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.

Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

Tune security event alerting thresholds monthly, or more frequently.

and Skills Training

in a security awareness program to influence behavior among the workforce to be security rly skilled to reduce cybersecurity risks to the enterprise. Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.  Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management. Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.

Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to report such an incident. 

Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.

Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, (OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.

evaluate service providers who hold sensitive data, or are responsible for an enterprise’s r processes, to ensure these providers are protecting those platforms and data Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard. Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements.

Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.

Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems. Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.

Security

ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and eaknesses before they can impact the enterprise. Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders. Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise. Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported.  Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported.  Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening.

Maintain separate environments for production and non-production systems. Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed. Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed. Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.

Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.  Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.  Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses.

anagement

o develop and maintain an incident response capability (e.g., policies, plans, procedures, g, and communications) to prepare, detect, and quickly respond to an attack. Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.

Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard. Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard. Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard. Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows. Conduct testing on an annual basis, at a minimum.

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action.

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

s and resiliency of enterprise assets through identifying and exploiting weaknesses in cesses, and technology), and simulating the objectives and actions of an attacker.

Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.

IG1

IG2

IG3

Relationship

Control #

Control Title

X

X

X

Subset

5.9

Inventory of information and other associated assets

X

X

X

Subset

8.8

Management of technical vulnerabilities

X

X

X

X

X

X

X

X

X

Subset

5.9

Inventory of information and other associated assets

X

Subset

8.7

Protection against malware

X

X

Subset

8.19

Installation of software on operational systems

X

X

Subset

8.19

Installation of software on operational systems

X

X

X

X

X

X

X

X

X

Subset

5.10

Acceptable use of information and other associated assets

X

X

X

Subset

5.9

Inventory of information and other associated assets

X

X

X

Subset

8.1

User endpoint devices

X

X

X

Subset

5.9

Inventory of information and other associated assets

X

X

X

Subset

5.10

Acceptable use of information and other associated assets

X

X

X

Subset

5.15

Access control

X

X

X

Subset

8.3

Information access restriction

X

X

X

Subset

8.4

Access to source code

X

X

X

Subset

5.33

Protection of records

X

X

X

Subset

5.10

Acceptable use of information and other associated assets

X

X

X

Subset

7.10

Storage media

X

X

X

Subset

7.14

Secure disposal or re-use of equipment

X

X

X

Subset

6.7

Remote working

X

X

X

Subset

7.10

Storage media

X

X

X

Subset

8.1

User endpoint devices

X

X

Subset

5.9

Inventory of information and other associated assets

X

X

Subset

5.12

Classification of information

X

X

Subset

5.13

Labelling of information

X

X

Subset

5.33

Protection of records

X

X

Subset

8.12

Data leakage prevention

X

X

Subset

5.14

Information transfer

X

X

Subset

5.14

Information transfer

X

X

X

Subset

7.10

Storage media

X

X

Subset

5.14

Information transfer

X

X

Subset

5.33

Protection of records

X

X

Subset

8.20

Networks security

X

X

Subset

8.22

Segregation of networks

X

Subset

5.14

Information transfer

X

Subset

8.12

Data leakage prevention

X

Subset

8.15

Logging

X

Subset

8.1

User endpoint devices

X

X

X

X

Subset

8.9

Configuration management

X

X

X

Subset

8.9

Configuration management

X

X

X

Subset

8.5

Secure authentication

X

X

X

Subset

8.9

Configuration management

X

X

X

X

X

X

Subset

6.7

Remote working

X

X

X

Subset

8.1

User endpoint devices

X

X

X

Subset

8.9

Configuration management

X

X

X

Subset

8.2

Privileged access rights

X

X

Subset

8.9

Configuration management

X

X

X

X

Subset

8.5

Secure authentication

X

X

Equivalent

8.10

Information Deletion

X

X

Subset

8.1

User endpoint devices

X

Subset

6.7

Remote working

X

Subset

8.1

User endpoint devices

X

X

X

Subset

5.16

Identity management

X

X

X

Subset

5.17

Authentication information

X

X

X

Subset

X

X

X

Subset

5.15

Access control

X

X

X

Subset

8.2

Privileged access rights

X

X

Subset

5.15

Access control

X

X

Subset

8.18

Use of privileged utility programs

X

X

Subset

5.15

Access Control

X

X

X

Subset

5.15

Access control

X

X

X

Subset

5.16

Identity management

X

X

X

Subset

5.18

Access rights

X

X

X

Subset

5.16

Identity management

X

X

X

Subset

5.18

Access rights

X

X

X

Subset

6.5

Responsibilities after termination or change of employment

X

X

X

Subset

5.15

Access Control

X

X

X

Subset

6.7

Remote working

X

X

X

Subset

8.2

Privileged access rights

X

X

Subset

8.5

Secure authentication

X

X

Subset

5.18

Access rights

X

Superset

5.3

Segregation of duties

X

Subset

5.15

Access control

X

Subset

8.2

Privileged access rights

X

Subset

8.3

Information access restriction

X

X

X

Subset

8.8

Management of technical vulnerabilities

X

X

X

Subset

8.8

Management of technical vulnerabilities

X

X

X

Subset

8.8

Management of technical vulnerabilities

X

X

X

Subset

8.8

Management of technical vulnerabilities

X

X

Subset

8.8

Management of technical vulnerabilities

X

X

Subset

8.8

Management of technical vulnerabilities

X

X

Subset

8.8

Management of technical vulnerabilities

X

X

X

Equivalent

8.15

Logging

x

x

x

Subset

8.15

Logging

X

X

X

Subset

8.15

Logging

X

X

X

Subset

8.20

Networks security

X

X

X

Subset

8.6

Capacity management

X

X

Equivalent

8.17

Clock synchronization

X

X

Subset

5.28

Collection of evidence

X

X

Subset

8.15

Logging

X

X

Subset

X

X

Subset

X

X

Subset

8.15

Logging

X

X

X

X

Subset

5.28

Collection of evidence

X

X

Subset

5.25

Assessment and decision on information security events

X

Subset

X

X

X

Subset

8.1

User endpoint devices

X

X

X

Subset

8.23

Web filtering

X

X

Subset

8.7

Protection against malware

X

X

Subset

8.23

Web filtering

X

X

X

X

X

X Subset

8.7

Protection against malware

X

X

X

X

Subset

8.1

User endpoint devices

X

X

X

Subset

8.7

Protection against malware

X

X

X

Subset

8.7

Protection against malware

X

X

X

Subset

7.10

Storage media

X

X

Subset

7.10

Storage media

X

X

Subset

8.7

Protection against malware

X

X

Subset

8.7

Protection against malware

X

X

Subset

8.7

Protection against malware

X

X

Subset

8.1

User endpoint devices

X

X

Subset

8.13

Information backup

X

X

X

X

Subset

8.13

Information backup

X

X

X

Subset

8.12

Data leakage prevention

X

X

X

Subset

8.13

Information backup

X

X

X

Subset

8.13

Information backup

X

X

Subset

8.13

Information backup

X

X

X

X

Subset

8.22

Segregation of networks

X

X

Subset

8.21

Security of network services

X

X

X

X

X

X

Subset

8.21

Security of network services

X

X

X

Subset

6.7

Remote working

X

X

Subset

8.1

User endpoint devices

X

X

Subset

8.21

Security of network services

X

Subset

8.2

Privileged access rights

X

Subset

8.22

Segregation of networks

X

X

Subset

8.15

Logging

X

X

Subset

8.16

Monitoring activities

X

X

Subset

8.16

Monitoring activities

X

X

Subset

8.21

Security of network services

X

X

Subset

8.16

Monitoring activities

X

X

Subset

8.22

Segregation of networks

X

X

Subset

6.7

Remote working

X

X

Subset

8.1

User endpoint devices

X

X

Subset

8.3

Information access restriction

X

X

Subset

8.15

Logging

X

X

Subset

8.16

Monitoring activities

X

Subset

8.8

Management of Technical Vulnerabilities

X

Subset

8.8

Management of Technical Vulnerabilities

X

Subset

8.8

Management of Technical Vulnerabilities

X

Subset

8.8

Management of Technical Vulnerabilities

X

Subset

5.7

Threat intellgigence

X

X

X

Equivalent

6.3

Information security awareness, education and training

X

X

X

Subset

8.7

Protection against malware

6.3

Information security awareness, education and training

5.10

Acceptable use of information and other associated assets

X

X

X

X

X

X

Subset

X

X

X

Subset

6.3

Information security awareness, education and training

X

X

X

Subset

6.8

Information security event reporting

X

X

X

subset

6.3

Information security awareness, education and training

X

X

X

Subset

6.3

Information security awareness, education and training

X

X

X

Subset

6.3

Information security awareness, education and training

X

X

Subset

5.19

Information security in supplier relationships

X

X

Subset

5.1

Policies for information security

X

X

Subset

5.10

Acceptable use of information and other associated assets

X

X

Subset

5.19

Information security in supplier relationships

X

X

Subset

5.20

Addressing information security within supplier agreements

X

X

Subset

5.23

Information security for use of cloud services

X

X

Subset

5.19

Information security in supplier relationships

X

X

Subset

5.20

Addressing information security within supplier agreements

5.21

Managing information security in the ICT supply chain

X

X

Subset

X

X

Subset

5.23

Information security for use of cloud services

X

Subset

5.19

Information security in supplier relationships

X

Subset

5.22

Monitoring, review and change management of supplier services

X

Subset

5.23

Information security for use of cloud services

X

Subset

5.19

Information security in supplier relationships

5.20

Addressing information security within supplier agreements

5.21

Managing information security in the ICT supply chain

5.22

Monitoring, review and change management of supplier services

X

X

X

Subset

Subset

Subset

X

Subset

5.19

Information security in supplier relationships

X

Subset

5.20

Addressing information security within supplier agreements

X

X

Subset

5.8

Information security in project management

X

X

Superset

8.4

Access to source code

X

X

Superset

8.25

Secure development life cycle

X

X

Superset

8.28

Secure coding

X

X

Subset

8.8

Management of Technical vulnerabilities

X

X

Subset

8.8

Management of Technical vulnerabilities

X

X

Subset

8.26

Application security requirements

X

X

Subset

8.30

Outsourced development

X

X

Subset

8.26

Application security requirements

X

X

Subset

8.8

Management of Technical vulnerabilities

X

X

Subset

8.8

Management of Technical vulnerabilities

X

X

Equivalent

8.31

Separation of development, test and production environments

X

X

Subset

8.28

Secure coding

X

X

Subset

8.27

Secure system architecture and engineering principles

X

X

Superset

8.25

Secure development life cycle

X

X

Subset

8.26

Application security requirements

X

Subset

8.25

Secure development life cycle

X

Subset

8.28

Secure coding

X

Subset

8.29

Security testing in development and acceptance

X

Subset

8.8

Management of Technical vulnerabilities

X

Subset

8.29

Security testing in development and acceptance

X

Subset

8.29

Security testing in development and acceptance

X

X

X

Subset

5.24

Information security incident management planning and preparation

X

X

X

Superset

5.5

Contact with authorities

X

X

X

Subset

5.6

Contact with special interest groups

X

X

X

Subset

5.20

Addressing information security within supplier agreements

X

X

X

Subset

5.24

Information security incident management planning and preparation

X

X

X

Equivalent

6.8

Information security event reporting

X

X

Subset

5.24

Information security incident management planning and preparation

X

X

Subset

5.26

Response to information security incidents

X

X

Subset

5.2

Information security roles and responsibilities

X

X

Subset

5.24

Information security incident management planning and preparation

X

X

Subset

5.24

Information security incident management planning and preparation

X

X

Subset

5.30

ICT readiness for business continuity

X

X

Subset

5.24

Information security incident management planning and preparation

X

X

Subset

5.27

Learning from information security incidents

X

Subset

5.24

Information security incident management planning and preparation

X

Subset

5.25

Assessment and decision on information security events

X

X

Subset

8.8

Management of Technical vulnerabilities

X

X

Subset

8.8

Management of technical vulnerabilities

X

X

Subset

8.8

Management of Technical vulnerabilities

X

Subset

8.8

Management of Technical vulnerabilities

X

Subset

8.8

Management of Technical vulnerabilities

Control Text

An inventory of information and other associated assets, including owners, should be developed and maintained.

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

An inventory of information and other associated assets, including owners, should be developed and maintained.

Protection against malware should be implemented and supported by appropriate user awareness. Procedures and measures should be implemented to securely manage software installation on operational systems. Procedures and measures should be implemented to securely manage software installation on operational systems.

Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

An inventory of information and other associated assets, including owners, should be developed and maintained.

Information stored on, processed by or accessible via user endpoint devices should be protected.

An inventory of information and other associated assets, including owners, should be developed and maintained. Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. Access to information and other associated assets should be restricted in accordance with the established topicspecific policy on access control. Read and write access to source code, development tools and software libraries should be appropriately managed. Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. Storage media should be managed through its life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. Storage media should be managed through its life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. Information stored on, processed by or accessible via user endpoint devices should be protected.

An inventory of information and other associated assets, including owners, should be developed and maintained.

Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization. Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.

Storage media should be managed through its life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. Networks and network devices should be secured, managed and controlled to protect information in systems and applications. Groups of information services, users and information systems should be segregated in the organization’s networks. Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.

Information stored on, processed by or accessible via user endpoint devices should be protected.

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. Information stored on, processed by or accessible via user endpoint devices should be protected. Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. The allocation and use of privileged access rights should be restricted and managed. Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. Information stored in information systems, devices or in any other storage media should be deleted when no longer required. Information stored on, processed by or accessible via user endpoint devices should be protected. Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. Information stored on, processed by or accessible via user endpoint devices should be protected.

The full life cycle of identities should be managed. Allocation and management of authentication information should be controlled by a management process, including advising personnel of appropriate handling of authentication information.

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

The allocation and use of privileged access rights should be restricted and managed. Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled. Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. The full life cycle of identities should be managed. Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. The full life cycle of identities should be managed. Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. The allocation and use of privileged access rights should be restricted and managed. Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. Conflicting duties and areas of responsibility should be segregated.

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

The allocation and use of privileged access rights should be restricted and managed.

Access to information and other associated assets should be restricted in accordance with the established topicspecific policy on access control.

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. Networks and network devices should be secured, managed and controlled to protect information in systems and applications. The use of resources should be monitored and adjusted in line with current and expected capacity requirements. The clocks of information processing systems used by the organization should be synchronized to approved time sources. The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.

Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.

The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. The organization should assess information security events and decide if they are to be categorized as information security incidents.

Information stored on, processed by or accessible via user endpoint devices should be protected. Access to external websites should be managed to reduce exposure to malicious content. Protection against malware should be implemented and supported by appropriate user awareness.

Access to external websites should be managed to reduce exposure to malicious content.

Protection against malware should be implemented and supported by appropriate user awareness.

Information stored on, processed by or accessible via user endpoint devices should be protected. Protection against malware should be implemented and supported by appropriate user awareness. Protection against malware should be implemented and supported by appropriate user awareness. Storage media should be managed through its life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. Storage media should be managed through its life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. Protection against malware should be implemented and supported by appropriate user awareness. Protection against malware should be implemented and supported by appropriate user awareness. Protection against malware should be implemented and supported by appropriate user awareness. Information stored on, processed by or accessible via user endpoint devices should be protected.

Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Groups of information services, users and information systems should be segregated in the organization’s networks. Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored.

Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored.

Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

Information stored on, processed by or accessible via user endpoint devices should be protected.

Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. The allocation and use of privileged access rights should be restricted and managed. Groups of information services, users and information systems should be segregated in the organization’s networks.

Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. Groups of information services, users and information systems should be segregated in the organization’s networks. Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

Information stored on, processed by or accessible via user endpoint devices should be protected.

Access to information and other associated assets should be restricted in accordance with the established topicspecific policy on access control. Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information relating to information security threats should be collected and analysed to produce threat intelligence.

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topicspecific policies and procedures, as relevant for their job function. Protection against malware should be implemented and supported by appropriate user awareness. Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topicspecific policies and procedures, as relevant for their job function. Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topicspecific policies and procedures, as relevant for their job function. The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topicspecific policies and procedures, as relevant for their job function. Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topicspecific policies and procedures, as relevant for their job function. Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topicspecific policies and procedures, as relevant for their job function.

Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services. Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship. Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements. Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

Processes and procedures should be defined and implemented to manage information security risks associated with the ICT products and services supply chain.

Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.

Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.

Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services. Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship. Processes and procedures should be defined and implemented to manage information security risks associated with the ICT products and services supply chain. The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services. Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

Information security should be integrated into project management.

Read and write access to source code, development tools and software libraries should be appropriately managed.

Rules for the secure development of software and systems should be established and applied.

Secure coding principles should be applied to software development.

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information security requirements should be identified, specified and approved when developing or acquiring applications.

The organization should direct, monitor and review the activities related to outsourced system development.

Information security requirements should be identified, specified and approved when developing or acquiring applications.

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

Development, testing and production environments should be separated and secured.

Secure coding principles should be applied to software development.

Principles for engineering secure systems to be established, documented, maintained and applied to any information system development activities.

Rules for the secure development of software and systems should be established and applied.

Information security requirements should be identified, specified and approved when developing or acquiring applications.

Rules for the secure development of software and systems should be established and applied. Secure coding principles should be applied to software development. Security testing processes should be defined and implemented in the development life cycle.

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Security testing processes should be defined and implemented in the development life cycle.

Security testing processes should be defined and implemented in the development life cycle.

The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. The organization should establish and maintain contact with relevant authorities.

The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations.

Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

Information security incidents should be responded to in accordance with the documented procedures. Information security roles and responsibilities should be defined and allocated according to the organization needs. The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. Knowledge gained from information security incidents should be used to strengthen and improve the information security controls. The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. The organization should assess information security events and decide if they are to be categorized as information security incidents.

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

ISO/IEC Control #

Control Title

5.4 Management responsibilities 5.7 Threat intelligence 5.29 Information security during disruption 5.31 Legislation, regulations and statutory and contractual requirements 5.32 Intellectual property rights 5.34 Privacy and protection of PII 5.35 Independent review of information security 5.36 Conformance with policies, rules and standards for information security 5.37 Documented operating procedures 6.1 Screening 6.2 Terms and conditions of employment 6.4 Disciplinary process 6.6 Confidentiality or non-disclosure agreements 7.1 Physical security perimeters 7.2 Physical entry 7.3 Securing offices, rooms and facilities 7.4 Physical security monitoring 7.5 Protecting against physical and environmental threats 7.6 Working in secure areas 7.7 Clear desk and clear screen 7.8 Equipment siting and protection 7.9 Security of assets off-premises 7.11 Supporting utilities 7.12 Cabling security 7.13 Equipment maintenance 7.14 Secure disposal or re-use of equipment 8.10 Information deletion 8.11 Data masking 8.14 Redundancy of information processing facilities 8.24 Use of cryptography 8.32 Change management

8.33 Test information

Management should require all personnel to apply information security in accordance with the established procedures of the organization. Information relating to information security threats should be collected and analysed to produce threat intel The organization should plan how to maintain information security at an appropriate level during disruption Legislation, regulations and statutory and contractual requirements relevant to information security and the should be identified, documented and kept up to date. The organization should implement appropriate procedures to protect intellectual property rights. The organization should identify and meet the requirements regarding the preservation of privacy and prot regulations and contractual requirements. The organization’s approach to managing information security and its implementation including people, pro independently at planned intervals, or when significant changes occur. Conformance with the organization’s information security policy, topic-specific policies, rules and standards Operating procedures for information processing facilities should be documented and made available to pe

Background verification checks on all candidates to become personnel should be carried out prior to joinin consideration applicable laws, regulations and ethics and be proportional to the business requirements, the the perceived risks. The employment contractual agreements should state the personnel’s and the organization’s responsibilitie A disciplinary process should be formalized and communicated to take actions against personnel and othe information security policy violation. Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of inform reviewed and signed by personnel and other relevant interested parties. Security perimeters should be defined and used to protect areas that contain information and other associa Secure areas should be protected by appropriate entry controls and access points. Physical security for offices, rooms and facilities should be designed and implemented. Premises should be continuously monitored for unauthorized physical access. Protection against physical and environmental threats, such as natural disasters and other intentional or un designed and implemented. Security measures for working in secure areas should be designed and implemented. Clear desk rules for papers and removable storage media and clear screen rules for information processin enforced. Equipment should be sited securely and protected. Off-site assets should be protected. Information processing facilities should be protected from power failures and other disruptions caused by f Cables carrying power, data or supporting information services should be protected from interception, inter Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information. Items of equipment containing storage media should be verified to ensure that any sensitive data and licen overwritten prior to disposal or re-use. Information stored in information systems, devices or in any other storage media should be deleted when n Data masking should be used in accordance with the organization’s topic-specific policy on access control requirements, taking applicable legislation into consideration. Information processing facilities should be implemented with redundancy sufficient to meet availability requ Rules for the effective use of cryptography, including cryptographic key management, should be defined an Changes to information processing facilities and information systems should be subject to change manage

Test information should be appropriately selected, protected and managed.