CIS

Summary

The Center for Internet Security Controls are a prioritized set of safeguards to mitigate the most prevalent cyberattacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory and policy frameworks. The version used in this section is CIS Controls v8.

Definitions

| Definition | Requirements |
|---|---|
| 2_1. Establish and maintain a software inventory | 262. Verify third-party components |
| 2_5. Allowlist authorized software | 041. Scan files for malicious code |
| 2_7. Allowlist authorized scripts | 186. Use the principle of least privilege |
| | 265. Restrict access to critical processes |
| 3_3. Configure data access control lists | 096. Set user's required privileges |
| | 176. Restrict system objects |
| 3_6. Encrypt data on end-user devices | 147. Use pre-existent mechanisms |
| 3_10. Encrypt sensitive data in transit | 181. Transmit data using secure protocols |
| | 224. Use secure cryptographic mechanisms |
| 3_11. Encrypt sensitive data at rest | 134. Store passwords with salt |
| | 185. Encrypt sensitive information |
| 3_12. Segment data processing and storage based on sensitivity | 259. Segment the organization network |
| 4_1. Establish and maintain a secure configuration process | 062. Define standard configurations |
| | 213. Allow geographic location |
| | 221. Disconnect unnecessary input devices |
| 4_2. Establish and maintain a secure configuration process for network infrastructure | 062. Define standard configurations |
| | 221. Disconnect unnecessary input devices |
| 4_3. Configure automatic session locking on enterprise assets | 023. Terminate inactive user sessions |
| 4_4. Implement and manage a firewall on servers | 273. Define a fixed security suite |
| 4_5. Implement and manage a firewall on end-user devices | 255. Allow access only to the necessary ports |
| 4_7. Manage default accounts on enterprise assets and software | 142. Change system default credentials |
| 4_8. Uninstall or disable unnecessary services on enterprise assets and software | 221. Disconnect unnecessary input devices |
| | 255. Allow access only to the necessary ports |
| 5_1. Establish and maintain an inventory of accounts | 095. Define users with privileges |
| 5_2. Use unique passwords | 143. Unique access credentials |
| 5_3. Disable dormant accounts | 130. Limit password lifespan |
| | 144. Remove inactive accounts periodically |
| 5_5. Establish and maintain an inventory of service accounts | 154. Eliminate backdoors |
| 6_2. Establish an access revoking process | 034. Manage user accounts |
| 6_4. Require MFA for remote network access | 181. Transmit data using secure protocols |
| 6_5. Require MFA for administrative access | 181. Transmit data using secure protocols |
| 7_3. Perform automated operating system patch management | 353. Schedule firmware updates |
| 7_4. Perform automated application patch management | 262. Verify third-party components |
| 8_2. Collect audit logs | 075. Record exceptional events in logs |
| 8_4. Standardize time synchronization | 363. Synchronize system clocks |
| 8_5. Collect detailed audit logs | 075. Record exceptional events in logs |
| | 079. Record exact occurrence time of events |
| | 376. Register severity level |
| | 377. Store logs based on valid regulation |
| | 378. Use of log management system |
| 9_2. Use DNS filtering services | 258. Filter website content |
| | 259. Segment the organization network |
| 9_4. Restrict unnecessary or unauthorized browser and email client extensions | 266. Disable insecure functionalities |
| 9_6. Block unnecessary file types | 118. Inspect attachments |
| 9_7. Deploy and maintain email server anti-malware protections | 116. Disable images of unknown origin |
| 10_6. Centrally manage anti-malware software | 273. Define a fixed security suite |
| 12_2. Establish and maintain a secure network architecture | 249. Locate access points |
| 12_6. Use of secure network management and communication protocols | 257. Access based on user credentials |
| 13_4. Perform traffic filtering between network segments | 273. Define a fixed security suite |
| 13_9. Deploy port-level access control | 088. Request client certificates |
| | 253. Restrict network access |
| | 257. Access based on user credentials |
| 13_10. Perform application layer filtering | 062. Define standard configurations |
| | 273. Define a fixed security suite |
| 16_1. Establish and maintain a secure application development process | 158. Use a secure programming language |
| 16_4. Establish and manage an inventory of third-party software components | 262. Verify third-party components |
| 16_5. Use up-to-date and trusted third-party software components | 262. Verify third-party components |
| 16_10. Apply secure design principles in application architectures | 152. Reuse database connections |
| | 173. Discard unsafe inputs |
| | 284. Define maximum number of connections |
| 16_11. Leverage vetted modules or services for application security components | 147. Use pre-existent mechanisms |