CIS

Summary

The Center for Internet Security Controls are a prioritized set of safeguards to mitigate the most prevalent cyberattacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory and policy frameworks. The version used in this section is CIS Controls v8.

Definitions

Definition	Requirements
CIS-2_1. Establish and maintain a software inventory	262. Verify third-party components
CIS-2_5. Allowlist authorized software	041. Scan files for malicious code
CIS-2_7. Allowlist authorized scripts	186. Use the principle of least privilege 265. Restrict access to critical processes
CIS-3_3. Configure data access control lists	176. Restrict system objects 096. Set user's required privileges
CIS-3_6. Encrypt data on end-user devices	147. Use pre-existent mechanisms
CIS-3_10. Encrypt sensitive data in transit	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms
CIS-3_11. Encrypt sensitive data at rest	134. Store passwords with salt 185. Encrypt sensitive information
CIS-3_12. Segment data processing and storage based on sensitivity	259. Segment the organization network
CIS-4_1. Establish and maintain a secure configuration process	213. Allow geographic location 221. Disconnect unnecessary input devices 062. Define standard configurations
CIS-4_2. Establish and maintain a secure configuration process for network infrastructure	221. Disconnect unnecessary input devices 062. Define standard configurations
CIS-4_3. Configure automatic session locking on enterprise assets	023. Terminate inactive user sessions
CIS-4_4. Implement and manage a firewall on servers	273. Define a fixed security suite
CIS-4_5. Implement and manage a firewall on end-user devices	255. Allow access only to the necessary ports
CIS-4_7. Manage default accounts on enterprise assets and software	142. Change system default credentials
CIS-4_8. Uninstall or disable unnecessary services on enterprise assets and software	221. Disconnect unnecessary input devices 255. Allow access only to the necessary ports
CIS-5_1. Establish and maintain an inventory of accounts	095. Define users with privileges
CIS-5_2. Use unique passwords	143. Unique access credentials
CIS-5_3. Disable dormant accounts	130. Limit password lifespan 144. Remove inactive accounts periodically
CIS-5_5. Establish and maintain an inventory of service accounts	154. Eliminate backdoors
CIS-6_2. Establish an access revoking process	034. Manage user accounts
CIS-6_4. Require MFA for remote network access	181. Transmit data using secure protocols
CIS-6_5. Require MFA for administrative access	181. Transmit data using secure protocols
CIS-7_3. Perform automated operating system patch management	353. Schedule firmware updates
CIS-7_4. Perform automated application patch management	262. Verify third-party components
CIS-8_2. Collect audit logs	075. Record exceptional events in logs
CIS-8_4. Standardize time synchronization	363. Synchronize system clocks
CIS-8_5. Collect detailed audit logs	376. Register severity level 377. Store logs based on valid regulation 378. Use of log management system 075. Record exceptional events in logs 079. Record exact occurrence time of events
CIS-9_2. Use DNS filtering services	258. Filter website content 259. Segment the organization network
CIS-9_4. Restrict unnecessary or unauthorized browser and email client extensions	266. Disable insecure functionalities
CIS-9_6. Block unnecessary file types	118. Inspect attachments
CIS-9_7. Deploy and maintain email server anti-malware protections	116. Disable images of unknown origin
CIS-10_6. Centrally manage anti-malware software	273. Define a fixed security suite
CIS-12_2. Establish and maintain a secure network architecture	249. Locate access points
CIS-12_6. Use of secure network management and communication protocols	257. Access based on user credentials
CIS-13_4. Perform traffic filtering between network segments	273. Define a fixed security suite
CIS-13_9. Deploy port-level access control	253. Restrict network access 257. Access based on user credentials 088. Request client certificates
CIS-13_10. Perform application layer filtering	273. Define a fixed security suite 062. Define standard configurations
CIS-16_1. Establish and maintain a secure application development process	158. Use a secure programming language
CIS-16_4. Establish and manage an inventory of third-Party software components	262. Verify third-party components
CIS-16_5. Use up-to-date and trusted third-party software components	262. Verify third-party components
CIS-16_10. Apply secure design principles in application architectures	152. Reuse database connections 173. Discard unsafe inputs 284. Define maximum number of connections
CIS-16_11. Leverage vetted modules or services for application security components	147. Use pre-existent mechanisms

Last updated

2023/09/18