Version v8

CIS Controls

CIS Critical Security Controls

A prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. Controls are grouped into Implementation Groups (IG1, IG2, IG3).

18 controls, 3 categories

Basic Cyber Hygiene

CIS 1

Inventory and Control of Enterprise Assets

Actively manage all enterprise assets connected to the infrastructure to accurately know the totality of assets that need to be monitored and protected.

CIS 2

Inventory and Control of Software Assets

Actively manage all software on the network so that only authorized software is installed and can execute, and unauthorized/unmanaged software is found and prevented from installation or execution.

CIS 3

Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

CIS 4

Secure Configuration of Enterprise Assets and Software

Establish and maintain the secure configuration of enterprise assets and software to reduce the attack surface.

CIS 5

Account Management

Use processes and tools to assign and manage authorization to credentials for user accounts, administrator accounts, and service accounts to enterprise assets and software.

CIS 6

Access Control Management

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts.

Foundational

CIS 7

Continuous Vulnerability Management

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets to remediate and minimize the window of opportunity for attackers.

CIS 8

Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

CIS 9

Email and Web Browser Protections

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

CIS 10

Malware Defenses

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

CIS 11

Data Recovery

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

CIS 12

Network Infrastructure Management

Establish, implement, and actively manage network devices to prevent attackers from exploiting vulnerable network services and access points.

CIS 13

Network Monitoring and Defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats.

Organizational

CIS 14

Security Awareness and Skills Training

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks.

CIS 15

Service Provider Management

Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes.

CIS 16

Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

CIS 17

Incident Response Management

Establish a program to develop and maintain an incident response capability to prepare, detect, contain, and eradicate attacks.

CIS 18

Penetration Testing

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, process, and technology).