
CIS Controls Implementation Groups

  • The following page shows a dynamic list of CIS Sub-Controls that can be filtered according to Implementation Groups & regulatory frameworks.
  • All Sub-Controls within IG (Implementation Group) 1 are also part of IG 2 and IG 3, and all Sub-Controls within IG 2 are also part of IG 3. The IGs for each Sub-Control are signified by one or more colored dots.
CIS Control | CIS Sub-Control | Title | Asset Type | Implementation Groups

CIS Control 1 - Inventory and Control of Hardware Assets

  • Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
1 Devices
1.1

Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.8.1.1
Inventory of assets
1 Devices
1.2

Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.8.1.1
Inventory of assets
1 Devices
1.3

Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.8.1.1
Inventory of assets
1 Devices
1.4

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.

NIST Groups:

ID.AM-1
Physical devices and systems within the organization are inventoried
PR.DS-3
Assets are formally managed throughout removal, transfers, and disposition

ISO 27001 Groups:

A.8.1.1
Inventory of assets
1 Devices
1.5

Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

NIST Groups:

PR.DS-3
Assets are formally managed throughout removal, transfers, and disposition

ISO 27001 Groups:

A.8.1.1
Inventory of assets
1 Devices
1.6

Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.

NIST Groups:

PR.DS-3
Assets are formally managed throughout removal, transfers, and disposition

ISO 27001 Groups:

A.11.2.5
Removal of assets
1 Devices
1.7

Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

NIST Groups:

PR.AC-1
Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes

ISO 27001 Groups:

A.9.1.2
Access to networks and network services
A.13.1.1
Network Controls
1 Devices
1.8

Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

NIST Groups:

PR.AC-6
Identities are proofed and bound to credentials and asserted in interactions

ISO 27001 Groups:

A.13.1.1
Network Controls

CIS Control 2 - Inventory and Control of Software Assets

  • Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
2 Applications
2.1

Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

NIST Groups:

ID.AM-2
Software platforms and applications within the organization are inventoried

ISO 27001 Groups:

A.8.1.1
Inventory of assets
2 Applications
2.2

Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

NIST Groups:

ID.AM-2
Software platforms and applications within the organization are inventoried
2 Applications
2.3

Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
2 Applications
2.4

The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

NIST Groups:

ID.AM-2
Software platforms and applications within the organization are inventoried

ISO 27001 Groups:

A.8.1.1
Inventory of assets
2 Applications
2.5

The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

NIST Groups:

ID.AM-1
Physical devices and systems within the organization are inventoried
ID.AM-2
Software platforms and applications within the organization are inventoried
2 Applications
2.6

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.12.5.1
Installation of software on operational systems
A.12.6.2
Restrictions on software installation
2 Applications
2.7

Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
PR.DS-6
Integrity checking mechanisms are used to verify software, firmware, and information integrity
2 Applications
2.8

The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
PR.DS-6
Integrity checking mechanisms are used to verify software, firmware, and information integrity
2 Applications
2.9

The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
PR.DS-6
Integrity checking mechanisms are used to verify software, firmware, and information integrity
2 Applications
2.10

Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

CIS Control 3 - Continuous Vulnerability Management

  • Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
3 Applications
3.1

Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

NIST Groups:

DE.CM-8
Vulnerability scans are performed
ID.RA-1
Asset vulnerabilities are identified and documented
3 Applications
3.2

Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

NIST Groups:

DE.CM-8
Vulnerability scans are performed
3 Users
3.3

Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

3 Applications
3.4

Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

3 Applications
3.5

Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

3 Applications
3.6

Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

3 Applications
3.7

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

NIST Groups:

ID.RA-5
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
PR.IP-12
A vulnerability management plan is developed and implemented
RS.MI-3
Newly identified vulnerabilities are mitigated or documented as accepted risks

ISO 27001 Groups:

A.12.6.1
Management of technical vulnerabilities

CIS Control 4 - Controlled Use of Administrative Privileges

  • The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
4 Users
4.1

Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

NIST Groups:

PR.AC-1
Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
4 Users
4.2

Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

NIST Groups:

PR.AC-1
Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes

ISO 27001 Groups:

A.9.4.3
Password management system
4 Users
4.3

Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

NIST Groups:

PR.AC-4
Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

ISO 27001 Groups:

A.9.2.3
Management of privileged access rights
4 Users
4.4

Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

ISO 27001 Groups:

A.9.4.3
Password management system
4 Users
4.5

Use multi-factor authentication and encrypted channels for all administrative account access.

NIST Groups:

PR.AC-7
Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
4 Users
4.6

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.

4 Users
4.7

Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.

NIST Groups:

PR.PT-3
The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
4 Users
4.8

Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.12.4.3
Administrator and operator logs
4 Users
4.9

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.9.4.2
Secure log-on procedures

CIS Control 5 - Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

  • Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
5 Applications
5.1

Maintain documented, standard security configuration standards for all authorized operating systems and software.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

ISO 27001 Groups:

A.8.1.3
Acceptable use of assets
A.14.2.5
Secure system engineering principles
5 Applications
5.2

Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
5 Applications
5.3

Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
5 Applications
5.4

Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

5 Applications
5.5

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

NIST Groups:

DE.CM-8
Vulnerability scans are performed

CIS Control 6 - Maintenance, Monitoring and Analysis of Audit Logs

  • Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
6 Network
6.1

Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

ISO 27001 Groups:

A.12.4.4
Clock synchronization
6 Network
6.2

Ensure that local logging has been enabled on all systems and networking devices.

NIST Groups:

DE.AE-3
Event data are collected and correlated from multiple sources and sensors
PR.PT-1
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy

ISO 27001 Groups:

A.12.4.1
Event logging
6 Network
6.3

Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

NIST Groups:

PR.PT-1
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
6 Network
6.4

Ensure that all systems that store logs have adequate storage space for the logs generated.

NIST Groups:

PR.DS-4
Adequate capacity to ensure availability is maintained
6 Network
6.5

Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

NIST Groups:

DE.AE-3
Event data are collected and correlated from multiple sources and sensors
PR.PT-1
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
6 Network
6.6

Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.

NIST Groups:

DE.AE-3
Event data are collected and correlated from multiple sources and sensors
6 Network
6.7

On a regular basis, review logs to identify anomalies or abnormal events.

NIST Groups:

DE.AE-2
Detected events are analyzed to understand attack targets and methods
DE.AE-3
Event data are collected and correlated from multiple sources and sensors
PR.PT-1
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
RS.AN-1
Notifications from detection systems are investigated

ISO 27001 Groups:

A.12.4.3
Administrator and operator logs
6 Network
6.8

On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

NIST Groups:

DE.AE-5
Incident alert thresholds are established

CIS Control 7 - Email and Web Browser Protections

  • Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
7 Applications
7.1

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

ISO 27001 Groups:

A.8.1.3
Acceptable use of assets
7 Applications
7.2

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

ISO 27001 Groups:

A.12.6.2
Restrictions on software installation
7 Applications
7.3

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
7 Network
7.4

Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.13.1.1
Network Controls
7 Network
7.5

Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
7 Network
7.6

Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

NIST Groups:

DE.AE-3
Event data are collected and correlated from multiple sources and sensors
7 Network
7.7

Use DNS filtering services to help block access to known malicious domains.

NIST Groups:

DE.CM-1
The network is monitored to detect potential cybersecurity events
DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.12.2.1
Controls against malware
A.13.1.1
Network Controls
7 Network
7.8

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

ISO 27001 Groups:

A.13.2.3
Electronic messaging
7 Network
7.9

Block all e-mail attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.13.1.1
Network Controls
7 Network
7.10

Use sandboxing to analyze and block inbound email attachments with malicious behavior.

NIST Groups:

DE.CM-4
Malicious code is detected

ISO 27001 Groups:

A.12.2.1
Controls against malware

CIS Control 8 - Malware Defenses

  • Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
8 Devices
8.1

Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

NIST Groups:

DE.CM-4
Malicious code is detected

ISO 27001 Groups:

A.12.2.1
Controls against malware
8 Devices
8.2

Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.

NIST Groups:

DE.CM-4
Malicious code is detected

ISO 27001 Groups:

A.12.2.1
Controls against malware
8 Devices
8.3

Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
8 Devices
8.4

Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

NIST Groups:

DE.CM-4
Malicious code is detected

ISO 27001 Groups:

A.12.2.1
Controls against malware
8 Devices
8.5

Configure devices to not auto-run content from removable media.

NIST Groups:

PR.PT-2
Removable media is protected and its use restricted according to policy

ISO 27001 Groups:

A.12.2.1
Controls against malware
8 Devices
8.6

Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

NIST Groups:

DE.AE-3
Event data are collected and correlated from multiple sources and sensors

ISO 27001 Groups:

A.12.2.1
Controls against malware
A.12.4.1
Event logging
8 Network
8.7

Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.

NIST Groups:

DE.AE-3
Event data are collected and correlated from multiple sources and sensors
DE.CM-1
The network is monitored to detect potential cybersecurity events

ISO 27001 Groups:

A.12.4.1
Event logging
8 Devices
8.8

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

NIST Groups:

DE.AE-3
Event data are collected and correlated from multiple sources and sensors

ISO 27001 Groups:

A.12.4.1
Event logging

CIS Control 9 - Limitation and Control of Network Ports, Protocols, and Services

  • Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.
9 Devices
9.1

Associate active ports, services and protocols to the hardware assets in the asset inventory.

ISO 27001 Groups:

A.13.1.2
Security of network services
9 Devices
9.2

Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

ISO 27001 Groups:

A.13.1.3
Segregation in networks
9 Devices
9.3

Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

NIST Groups:

DE.CM-8
Vulnerability scans are performed

ISO 27001 Groups:

A.13.1.1
Network Controls
9 Devices
9.4

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

ISO 27001 Groups:

A.13.1.1
Network Controls
9 Devices
9.5

Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

CIS Control 10 - Data Recovery Capabilities

  • The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
10 Data
10.1

Ensure that all system data is automatically backed up on a regular basis.

NIST Groups:

PR.IP-4
Backups of information are conducted, maintained, and tested

ISO 27001 Groups:

A.12.3.1
Information backup
10 Data
10.2

Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.

NIST Groups:

PR.IP-4
Backups of information are conducted, maintained, and tested
10 Data
10.3

Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

NIST Groups:

PR.DS-6
Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.IP-4
Backups of information are conducted, maintained, and tested

ISO 27001 Groups:

A.12.3.1
Information backup
10 Data
10.4

Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

NIST Groups:

PR.DS-1
Data-at-rest is protected
10 Data
10.5

Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls.

NIST Groups:

PR.DS-1
Data-at-rest is protected
PR.PT-5
Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations

CIS Control 11 - Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

  • Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
11 Network
11.1

Maintain standard, documented security configuration standards for all authorized network devices.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
11 Network
11.2

All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.

NIST Groups:

ID.AM-3
Organizational communication and data flows are mapped
11 Network
11.3

Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviations are discovered.

NIST Groups:

DE.CM-8
Vulnerability scans are performed
PR.IP-3
Configuration change control processes are in place

ISO 27001 Groups:

A.12.1.2
Change management
11 Network
11.4

Install the latest stable version of any security-related updates on all network devices.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
11 Network
11.5

Manage all network devices using multi-factor authentication and encrypted sessions.

NIST Groups:

PR.AC-7
Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
11 Network
11.6

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.

NIST Groups:

PR.AC-5
Network integrity is protected (e.g., network segregation, network segmentation)
11 Network
11.7

Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

NIST Groups:

PR.AC-5
Network integrity is protected (e.g., network segregation, network segmentation)

ISO 27001 Groups:

A.13.1.3
Segregation in networks

CIS Control 12 - Boundary Defense

  • Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.
12 Network
12.1

Maintain an up-to-date inventory of all of the organization's network boundaries.

NIST Groups:

ID.AM-4
External information systems are catalogued
12 Network
12.2

Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

NIST Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
ID.AM-4
External information systems are catalogued

ISO 27001 Groups:

A.13.1.1
Network Controls
12 Network
12.3

Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

ISO 27001 Groups:

A.13.1.1
Network Controls
12 Network
12.4

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

NIST Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

ISO 27001 Groups:

A.13.1.1
Network Controls
12 Network
12.5

Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.

NIST Groups:

DE.CM-1
The network is monitored to detect potential cybersecurity events
12 Network
12.6

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.

NIST Groups:

DE.CM-1
The network is monitored to detect potential cybersecurity events

ISO 27001 Groups:

A.13.1.1
Network Controls
12 Network
12.7

Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.

NIST Groups:

DE.CM-1
The network is monitored to detect potential cybersecurity events

ISO 27001 Groups:

A.13.1.1
Network Controls
12 Network
12.8

Enable the collection of NetFlow and logging data on all network boundary devices.

NIST Groups:

DE.CM-1
The network is monitored to detect potential cybersecurity events

ISO 27001 Groups:

A.13.1.1
Network Controls
12 Network
12.9

Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.

NIST Groups:

DE.CM-1
The network is monitored to detect potential cybersecurity events
DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.13.1.1
Network Controls
12 Network
12.10

Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.

NIST Groups:

DE.CM-1
The network is monitored to detect potential cybersecurity events
DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
12 Users
12.11

Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.

NIST Groups:

PR.AC-3
Remote access is managed

ISO 27001 Groups:

A.9.4.2
Secure log-on procedures
12 Devices
12.12

Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

NIST Groups:

PR.AC-3
Remote access is managed
PR.MA-2
Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

ISO 27001 Groups:

A.9.4.2
Secure log-on procedures

CIS Control 13 - Data Protection

  • The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
13