CIS

Summary

The CIS Controls, published by the Center for Internet Security, are a prioritized set of safeguards that mitigate the most prevalent cyberattacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory and policy frameworks. The version used in this section is CIS Controls v8.

Definitions

Each CIS safeguard (definition) is followed by the requirements that address it.

Definition / Requirements
2_1. Establish and maintain a software inventory
262. Verify third-party components
2_5. Allowlist authorized software
041. Scan files for malicious code
2_7. Allowlist authorized scripts
186. Use the principle of least privilege
265. Restrict access to critical processes
3_3. Configure data access control lists
096. Set user's required privileges
176. Restrict system objects
3_6. Encrypt data on end-user devices
147. Use pre-existent mechanisms
3_10. Encrypt sensitive data in transit
181. Transmit data using secure protocols
224. Use secure cryptographic mechanisms
3_11. Encrypt sensitive data at rest
134. Store passwords with salt
185. Encrypt sensitive information
3_12. Segment data processing and storage based on sensitivity
259. Segment the organization network
4_1. Establish and maintain a secure configuration process
062. Define standard configurations
213. Allow geographic location
221. Disconnect unnecessary input devices
4_2. Establish and maintain a secure configuration process for network infrastructure
062. Define standard configurations
221. Disconnect unnecessary input devices
4_3. Configure automatic session locking on enterprise assets
023. Terminate inactive user sessions
4_4. Implement and manage a firewall on servers
273. Define a fixed security suite
4_5. Implement and manage a firewall on end-user devices
255. Allow access only to the necessary ports
4_7. Manage default accounts on enterprise assets and software
142. Change system default credentials
4_8. Uninstall or disable unnecessary services on enterprise assets and software
221. Disconnect unnecessary input devices
255. Allow access only to the necessary ports
5_1. Establish and maintain an inventory of accounts
095. Define users with privileges
5_2. Use unique passwords
143. Unique access credentials
5_3. Disable dormant accounts
130. Limit password lifespan
144. Remove inactive accounts periodically
5_5. Establish and maintain an inventory of service accounts
154. Eliminate backdoors
6_2. Establish an access revoking process
034. Manage user accounts
6_4. Require MFA for remote network access
181. Transmit data using secure protocols
6_5. Require MFA for administrative access
181. Transmit data using secure protocols
7_3. Perform automated operating system patch management
353. Schedule firmware updates
7_4. Perform automated application patch management
262. Verify third-party components
8_2. Collect audit logs
075. Record exceptional events in logs
8_4. Standardize time synchronization
363. Synchronize system clocks
8_5. Collect detailed audit logs
075. Record exceptional events in logs
079. Record exact occurrence time of events
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system
9_2. Use DNS filtering services
258. Filter website content
259. Segment the organization network
9_4. Restrict unnecessary or unauthorized browser and email client extensions
266. Disable insecure functionalities
9_6. Block unnecessary file types
118. Inspect attachments
9_7. Deploy and maintain email server anti-malware protections
116. Disable images of unknown origin
10_6. Centrally manage anti-malware software
273. Define a fixed security suite
12_2. Establish and maintain a secure network architecture
249. Locate access points
12_6. Use of secure network management and communication protocols
257. Access based on user credentials
13_4. Perform traffic filtering between network segments
273. Define a fixed security suite
13_9. Deploy port-level access control
088. Request client certificates
253. Restrict network access
257. Access based on user credentials
13_10. Perform application layer filtering
062. Define standard configurations
273. Define a fixed security suite
16_1. Establish and maintain a secure application development process
158. Use a secure programming language
16_4. Establish and manage an inventory of third-party software components
262. Verify third-party components
16_5. Use up-to-date and trusted third-party software components
262. Verify third-party components
16_10. Apply secure design principles in application architectures
152. Reuse database connections
173. Discard unsafe inputs
284. Define maximum number of connections
16_11. Leverage vetted modules or services for application security components
147. Use pre-existent mechanisms