Created February 8, 2022 18:12
CISTOP20_to_SOGP2020
CIS TOP 20 SOGP 2020 | |
Reference Sub-Control Reference Topic | |
CSC 1-1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. SM2.6 Asset Registers | |
CSC 1-1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. PA1.1 Hardware Lifecycle Management | |
CSC 1-1 Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. PA1.5 Specialised Computing Equipment and Devices | |
CSC 1-2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory. SM2.6 Asset Registers | |
CSC 1-2 Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory. PA1.1 Hardware Lifecycle Management | |
CSC 1-3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory. PA1.1 Hardware Lifecycle Management | |
CSC 1-3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory. TM1.2 Security Event Logging | |
CSC 1-3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory. TM1.3 Security Event Management | |
CSC 1-4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. SM2.6 Asset Registers | |
CSC 1-4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not. PA1.1 Hardware Lifecycle Management | |
CSC 1-5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. SM2.6 Asset Registers | |
CSC 1-5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. PA1.1 Hardware Lifecycle Management | |
CSC 1-6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner. SM2.6 Asset Registers | |
CSC 1-6 Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner. PA1.1 Hardware Lifecycle Management | |
CSC 1-7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. SY1.1 Computer and Network Installations | |
CSC 1-7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. NC1.1 Network Device Configuration | |
CSC 1-8 Use client certificates to authenticate hardware assets connecting to the organization's trusted network. SY1.1 Computer and Network Installations | |
CSC 2-1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system. SM2.6 Asset Registers | |
CSC 2-1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system. SD2.3 Software Acquisition | |
CSC 2-1 Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system. BA1.1 Business Application Protection | |
CSC 2-2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system. SM2.6 Asset Registers | |
CSC 2-2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system. PA1.2 Workstation Configuration | |
CSC 2-2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system. PA2.1 Mobile Device Protection | |
CSC 2-2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system. PA2.2 Enterprise Mobility Management | |
CSC 2-2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system. PA2.3 Mobile Applications Management | |
CSC 2-2 Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system. TS1.2 Malware Protection Activities | |
CSC 2-3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems. SM2.6 Asset Registers | |
CSC 2-3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems. SD2.3 Software Acquisition | |
CSC 2-3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems. BA1.1 Business Application Protection | |
CSC 2-3 Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems. SY1.2 Server Configuration | |
CSC 2-4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization. SM2.6 Asset Registers | |
CSC 2-4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization. SD2.3 Software Acquisition | |
CSC 2-4 The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization. SY1.2 Server Configuration | |
CSC 2-5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location. SM2.6 Asset Registers | |
CSC 2-5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location. SD2.3 Software Acquisition | |
CSC 2-5 The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location. SY1.2 Server Configuration | |
CSC 2-6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner. SM2.6 Asset Registers | |
CSC 2-6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner. SD2.3 Software Acquisition | |
CSC 2-6 Ensure that unauthorized software is either removed or the inventory is updated in a timely manner. BA1.1 Business Application Protection | |
CSC 2-7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. PA1.2 Workstation Configuration | |
CSC 2-7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. PA2.1 Mobile Device Protection | |
CSC 2-7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. SD2.3 Software Acquisition | |
CSC 2-7 Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. BA1.1 Business Application Protection | |
CSC 2-8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc) are allowed to load into a system process. PA1.2 Workstation Configuration | |
CSC 2-8 The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc) are allowed to load into a system process. PA2.2 Enterprise Mobility Management | |
CSC 2-9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system. PA1.2 Workstation Configuration | |
CSC 2-9 The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system. PA2.2 Enterprise Mobility Management | |
CSC 2-10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization. BA1.1 Business Application Protection | |
CSC 2-10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization. SY1.1 Computer and Network Installations | |
CSC 2-10 Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization. SY1.3 Virtualisation | |
CSC 3-1 Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems. NC1.1 Network Device Configuration | |
CSC 3-1 Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems. SC2.2 Core Cloud Security Controls | |
CSC 3-1 Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems. TM1.1 Technical Vulnerability Management | |
CSC 3-2 Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested. TM1.1 Technical Vulnerability Management | |
CSC 3-3 Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses. TM1.1 Technical Vulnerability Management | |
CSC 3-4 Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor. TM1.1 Technical Vulnerability Management | |
CSC 3-5 Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. TM1.1 Technical Vulnerability Management | |
CSC 3-6 "Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner. | |
" TM1.1 Technical Vulnerability Management | |
CSC 3-6 "Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner. | |
" TM1.3 Security Event Management | |
CSC 3-6 "Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner. | |
" TM1.4 Threat Intelligence | |
CSC 3-6 "Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner. | |
" AS2.1 Security Audit Management | |
CSC 3-6 "Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner. | |
" AS2.3 Security Audit Process - Fieldwork | |
CSC 3-7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities. TM1.1 Technical Vulnerability Management | |
CSC 4-1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges. SA1.1 Access Control | |
CSC 4-1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges. SA1.2 User Authorisation | |
CSC 4-1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges. SC2.2 Core Cloud Security Controls | |
CSC 4-1 Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges. AS2.1 Security Audit Management | |
CSC 4-2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. PA1.2 Workstation Configuration | |
CSC 4-2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. PA1.3 Office Equipment | |
CSC 4-2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. PA1.5 Specialised Computing Equipment and Devices | |
CSC 4-2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. PA2.1 Mobile Device Protection | |
CSC 4-2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. SY1.2 Server Configuration | |
CSC 4-2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. NC1.1 Network Device Configuration | |
CSC 4-2 Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. NC1.6 Remote Maintenance | |
CSC 4-3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities. SA1.1 Access Control | |
CSC 4-3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities. SA1.7 Sign-on Process | |
CSC 4-3 Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities. SY1.2 Server Configuration | |
CSC 4-4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system. SA1.1 Access Control | |
CSC 4-4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system. SA1.2 User Authorisation | |
CSC 4-4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system. SA1.3 Access Control Mechanisms | |
CSC 4-4 Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system. SA1.4 Access Control Mechanisms – Password | |
CSC 4-5 Use multi-factor authentication and encrypted channels for all administrative account access. SA1.1 Access Control | |
CSC 4-5 Use multi-factor authentication and encrypted channels for all administrative account access. SA1.3 Access Control Mechanisms | |
CSC 4-5 Use multi-factor authentication and encrypted channels for all administrative account access. SA1.4 Access Control Mechanisms – Password | |
CSC 4-5 Use multi-factor authentication and encrypted channels for all administrative account access. SA1.5 Access Control Mechanisms – Token | |
CSC 4-5 Use multi-factor authentication and encrypted channels for all administrative account access. SA1.6 Access Control Mechanisms – Biometric | |
CSC 4-6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet. SA1.1 Access Control | |
CSC 4-6 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet. SA1.5 Access Control Mechanisms – Token | |
CSC 4-7 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet. PA1.2 Workstation Configuration | |
CSC 4-7 Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet. SY1.2 Server Configuration | |
CSC 4-8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. SA1.1 Access Control | |
CSC 4-8 Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. TM1.2 Security Event Logging | |
CSC 4-9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account. TM1.2 Security Event Logging | |
CSC 4-9 Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account. TM1.3 Security Event Management | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. PA1.1 Hardware Lifecycle Management | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. PA1.2 Workstation Configuration | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. PA1.3 Office Equipment | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. PA1.6 Industrial Control Systems | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. PA2.1 Mobile Device Protection | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. SD2.8 Installation Process | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. SY1.1 Computer and Network Installations | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. SY1.2 Server Configuration | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. SY1.3 Virtualisation | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. SY1.4 Network Storage Systems | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. NC1.1 Network Device Configuration | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. NC2.2 Collaboration Platforms | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. NC2.3 Voice Communication Services | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. SC2.2 Core Cloud Security Controls | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. TS1.7 Digital Rights Management | |
CSC 5-1 Maintain documented security configuration standards for all authorized operating systems and software. TS2.3 Public Key Infrastructure | |
CSC 5-2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. PA1.2 Workstation Configuration | |
CSC 5-2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. PA1.6 Industrial Control Systems | |
CSC 5-2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. SY1.1 Computer and Network Installations | |
CSC 5-2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. SY1.2 Server Configuration | |
CSC 5-2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. SY2.4 Change Management | |
CSC 5-2 Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. NC1.5 Firewalls | |
CSC 5-3 Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible. SY2.4 Change Management | |
CSC 5-4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. SY2.4 Change Management | |
CSC 5-4 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. NC1.6 Remote Maintenance | |
CSC 5-5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. PA1.1 Hardware Lifecycle Management | |
CSC 5-5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. BA2.2 Protection of Spreadsheets | |
CSC 5-5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. BA2.3 Protection of Databases | |
CSC 5-5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. SA1.1 Access Control | |
CSC 5-5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. SY2.4 Change Management | |
CSC 5-5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. TM1.2 Security Event Logging | |
CSC 5-5 Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. TM1.3 Security Event Management | |
CSC 6-1 Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent. TM1.2 Security Event Logging | |
CSC 6-2 Ensure that local logging has been enabled on all systems and networking devices. NC1.1 Network Device Configuration | |
CSC 6-2 Ensure that local logging has been enabled on all systems and networking devices. NC1.4 External Network Connections | |
CSC 6-2 Ensure that local logging has been enabled on all systems and networking devices. TM1.2 Security Event Logging | |
CSC 6-3 Enable system logging to include detailed information such as a event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. TM1.2 Security Event Logging | |
CSC 6-4 Ensure that all systems that store logs have adequate storage space for the logs generated. TM1.2 Security Event Logging | |
CSC 6-5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review. TM1.2 Security Event Logging | |
CSC 6-5 Ensure that appropriate logs are being aggregated to a central log management system for analysis and review. TM1.4 Threat Intelligence | |
CSC 6-6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis. SM2.3 Security Operations Centre (SOC) | |
CSC 6-6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis. TM1.2 Security Event Logging | |
CSC 6-6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis. TM1.3 Security Event Management | |
CSC 6-7 On a regular basis, review logs to identify anomalies or abnormal events. SM2.3 Security Operations Centre (SOC) | |
CSC 6-7 On a regular basis, review logs to identify anomalies or abnormal events. AS1.3 Security Monitoring and Reporting | |
CSC 6-7 On a regular basis, review logs to identify anomalies or abnormal events. AS2.5 Security Audit Process - Monitoring | |
CSC 6-8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise. SM2.3 Security Operations Centre (SOC) | |
CSC 6-8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise. TM1.2 Security Event Logging | |
CSC 6-8 On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise. TM1.3 Security Event Management | |
CSC 7-1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor. PA1.2 Workstation Configuration | |
CSC 7-1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor. PA2.3 Mobile Applications Management | |
CSC 7-1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor. NC1.1 Network Device Configuration | |
CSC 7-2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications. PA1.2 Workstation Configuration | |
CSC 7-2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications. BA1.2 Web Application Protection | |
CSC 7-2 Uninstall or disable any unauthorized browser or email client plugins or add-on applications. SY2.1 Service Level Agreements | |
CSC 7-3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients. BA1.2 Web Application Protection | |
CSC 7-3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients. SY1.2 Server Configuration | |
CSC 7-3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients. NC2.1 Email | |
CSC 7-3 Ensure that only authorized scripting languages are able to run in all web browsers and email clients. TS1.3 Malware Protection Software | |
CSC 7-4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. TS1.5 Intrusion Detection | |
CSC 7-4 Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. TS1.6 Data Leakage Prevention | |
CSC 7-5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default. TS1.5 Intrusion Detection | |
CSC 7-5 Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default. TS1.6 Data Leakage Prevention | |
CSC 7-6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems. SY2.2 Performance Monitoring | |
CSC 7-6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems. NC1.5 Firewalls | |
CSC 7-6 Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems. TS1.2 Malware Protection Activities | |
CSC 7-7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains. NC1.5 Firewalls | |
CSC 7-7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains. TS1.2 Malware Protection Activities | |
CSC 7-7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains. TS1.3 Malware Protection Software | |
CSC 7-7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains. TM1.3 Security Event Management | |
CSC 7-8 To lower the chance of spoofed or modified emails from valid domains, implement Domain based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. NC2.1 Email | |
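Added example for the CSC 7-8 row above (not part of the CIS or ISF material): a small checker that parses SPF and DMARC TXT records and reports whether they actually constrain spoofing. The records are constructed sample strings so it runs offline; the domains and addresses in them are illustrative assumptions, not real records. A DMARC record with p=none, pct below 100, or a weaker sp= than p= is commonly mistaken for "DMARC is deployed" when it is still monitor-only, which is what the enforcing flag is meant to expose.

```python
"""Assess SPF and DMARC TXT records for enforcement strength (added example).

Not CIS or ISF code. Records below are constructed samples; replace them with
the TXT records fetched for your domains (dig TXT example.com / _dmarc.example.com).
"""
import re

# Constructed sample records (assumption: illustrative, not real domains).
SPF_STRICT = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
SPF_WEAK = "v=spf1 include:_spf.example.net +all"
DMARC_ENFORCING = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=50; sp=none"

# Mechanisms that cost a DNS lookup; RFC 7208 limits an evaluation to 10.
_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record: str) -> dict:
    """Parse an SPF record: find the 'all' qualifier and count lookup terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "reason": "missing v=spf1"}
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier, body = "+", term
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in _LOOKUP_MECHS:
            lookups += 1
    # "-all" (fail) and "~all" (softfail) constrain spoofers; "+all" / "?all" do not.
    return {
        "valid": True,
        "all_qualifier": all_qualifier,
        "lookups": lookups,
        "too_many_lookups": lookups > 10,
        "enforcing": all_qualifier in ("-", "~"),
    }


def assess_dmarc(record: str) -> dict:
    """Parse a DMARC record and decide whether it enforces rather than monitors."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"valid": False, "reason": "missing v=DMARC1 or p= tag"}
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))
    # sp= defaults to p= when absent; an explicit weaker sp= leaves subdomains spoofable.
    subdomain_policy = tags.get("sp", policy).lower()
    return {
        "valid": True,
        "policy": policy,
        "subdomain_policy": subdomain_policy,
        "pct": pct,
        "has_reporting": "rua" in tags,
        "enforcing": policy in ("quarantine", "reject") and pct == 100,
        "subdomain_gap": subdomain_policy == "none" and policy != "none",
    }


if __name__ == "__main__":
    for label, rec in (("SPF strict", SPF_STRICT), ("SPF weak", SPF_WEAK)):
        print(label, assess_spf(rec))
    for label, rec in (("DMARC enforcing", DMARC_ENFORCING),
                       ("DMARC monitor-only", DMARC_MONITOR_ONLY),
                       ("DMARC partial", DMARC_PARTIAL)):
        print(label, assess_dmarc(rec))
```

The check only reads policy syntax; it does not verify that DKIM selectors publish keys or that SPF includes resolve, which a live audit would add on top.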
CSC 7-9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business. NC2.1 Email | |
CSC 7-9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business. TS1.2 Malware Protection Activities | |
CSC 7-9 Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business. TS1.3 Malware Protection Software | |
CSC 7-10 Use sandboxing to analyze and block inbound email attachments with malicious behavior. NC2.1 Email | |
CSC 7-10 Use sandboxing to analyze and block inbound email attachments with malicious behavior. TS1.2 Malware Protection Activities | |
CSC 7-10 Use sandboxing to analyze and block inbound email attachments with malicious behavior. TS1.3 Malware Protection Software | |
CSC 8-1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers. TS1.2 Malware Protection Activities | |
CSC 8-1 Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers. TS1.3 Malware Protection Software | |
CSC 8-2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis. TS1.2 Malware Protection Activities | |
CSC 8-2 Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis. TS1.3 Malware Protection Software | |
CSC 8-3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables. PA1.2 Workstation Configuration | |
CSC 8-3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables. PA2.1 Mobile Device Protection | |
CSC 8-3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables. SY1.2 Server Configuration | |
CSC 8-4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. PM1.3 Employee-owned Devices | |
CSC 8-4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. PA1.4 Portable Storage Devices | |
CSC 8-4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. SY1.2 Server Configuration | |
CSC 8-4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. TS1.2 Malware Protection Activities | |
CSC 8-4 Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. TS1.3 Malware Protection Software | |
CSC 8-5 Configure devices to not auto-run content from removable media. PM1.3 Employee-owned Devices | |
CSC 8-5 Configure devices to not auto-run content from removable media. PA1.2 Workstation Configuration | |
CSC 8-5 Configure devices to not auto-run content from removable media. PA1.4 Portable Storage Devices | |
CSC 8-5 Configure devices to not auto-run content from removable media. PA2.1 Mobile Device Protection | |
CSC 8-5 Configure devices to not auto-run content from removable media. SY1.2 Server Configuration | |
CSC 8-6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting. TS1.2 Malware Protection Activities | |
CSC 8-6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting. TS1.3 Malware Protection Software | |
CSC 8-6 Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting. TM1.2 Security Event Logging | |
CSC 8-7 Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains. TM1.3 Security Event Management | |
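Added example for the CSC 8-7 row above (not part of the CIS or ISF material): detection logic that parses BIND-style query-log lines and matches the queried name against a blocklist of known-malicious domains. The log lines, client addresses and blocklist entries are constructed samples, labelled as such in the code. Two details matter in practice and are handled here: names are normalised (case, trailing root dot) before comparison, and the match walks up the label hierarchy so beacon.evil.example.net hits an entry for evil.example.net while notevil.example.net does not.

```python
"""Match DNS query logs against a known-malicious domain list (added example).

Not CIS or ISF code. SAMPLE_LOG and BLOCKLIST are constructed; feed in your
resolver's query log and threat feed instead.
"""
import re
from collections import Counter
from typing import Optional

# Constructed blocklist (assumption: illustrative names, not a real feed).
BLOCKLIST = {"evil.example.net", "c2.example.org"}

# Constructed BIND-style query-log lines.
SAMPLE_LOG = """\
08-Feb-2022 10:15:02.123 queries: info: client @0x7f3b 10.0.0.5#53211 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.2)
08-Feb-2022 10:15:03.456 queries: info: client @0x7f3b 10.0.0.5#53212 (beacon.evil.example.net.): query: beacon.evil.example.net. IN A + (10.0.0.2)
08-Feb-2022 10:15:04.789 queries: info: client @0x7f3c 10.0.0.9#41022 (C2.EXAMPLE.ORG): query: C2.EXAMPLE.ORG IN TXT + (10.0.0.2)
08-Feb-2022 10:15:05.000 queries: info: client @0x7f3d 10.0.0.7#41500 (notevil.example.net): query: notevil.example.net IN A + (10.0.0.2)
"""

_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.]+|[0-9a-f:]+)#\d+ \(.*?\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so comparisons are canonical."""
    return name.lower().rstrip(".")


def blocked_parent(qname: str, blocklist) -> Optional[str]:
    """Return the blocklist entry equal to qname or to one of its parent domains."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_line(line: str) -> Optional[dict]:
    """Extract client, normalised qname and qtype from one query-log line."""
    m = _QUERY_RE.search(line)
    if not m:
        return None
    return {"client": m["client"], "qname": normalize(m["qname"]), "qtype": m["qtype"]}


def scan_log(text: str, blocklist=BLOCKLIST) -> list:
    """Return every query whose name (or a parent of it) is on the blocklist."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = blocked_parent(rec["qname"], blocklist)
        if matched:
            hits.append({**rec, "matched": matched})
    return hits


def clients_to_triage(hits) -> Counter:
    """Count hits per source address: the systems incident handlers should look at first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['client']} looked up {h['qname']} ({h['qtype']}) -> matches {h['matched']}")
    print(clients_to_triage(found))
```

On a real resolver this would run over the rotated query log or a streaming export; the per-client counter is the pivot that turns a domain hit into a host to isolate.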
CSC 8-8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash. TM1.2 Security Event Logging | |
CSC 8-8 Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash. AS2.1 Security Audit Management | |
CSC 9-1 Associate active ports, services, and protocols to the hardware assets in the asset inventory. PA1.1 Hardware Lifecycle Management | |
CSC 9-1 Associate active ports, services, and protocols to the hardware assets in the asset inventory. SY2.4 Change Management | |
CSC 9-2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system. PA1.2 Workstation Configuration | |
CSC 9-2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system. PA2.1 Mobile Device Protection | |
CSC 9-2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system. SY1.1 Computer and Network Installations | |
CSC 9-2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system. NC1.1 Network Device Configuration | |
CSC 9-2 Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system. NC1.5 Firewalls | |
CSC 9-3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system. BA1.1 Business Application Protection | |
CSC 9-3 Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system. TM1.1 Technical Vulnerability Management | |
CSC 9-4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. PA1.2 Workstation Configuration | |
CSC 9-4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. PA2.3 Mobile Applications Management | |
CSC 9-4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. BA1.2 Web Application Protection | |
CSC 9-4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. NC1.1 Network Device Configuration | |
CSC 9-4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. NC1.5 Firewalls | |
CSC 9-5 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged. BA1.2 Web Application Protection | |
CSC 10-1 Ensure that all system data is automatically backed up on a regular basis. PA1.2 Workstation Configuration | |
CSC 10-1 Ensure that all system data is automatically backed up on a regular basis. PA2.1 Mobile Device Protection | |
CSC 10-1 Ensure that all system data is automatically backed up on a regular basis. SY1.1 Computer and Network Installations | |
CSC 10-1 Ensure that all system data is automatically backed up on a regular basis. SY1.2 Server Configuration | |
CSC 10-1 Ensure that all system data is automatically backed up on a regular basis. SY2.3 Backup | |
CSC 10-2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. PA1.2 Workstation Configuration | |
CSC 10-2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. PA2.1 Mobile Device Protection | |
CSC 10-2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. SY1.1 Computer and Network Installations | |
CSC 10-2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. SY1.2 Server Configuration | |
CSC 10-2 Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. SY2.3 Backup | |
CSC 10-3 Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working. SY2.3 Backup | |
CSC 10-4 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services. SY2.3 Backup | |
CSC 10-5 Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination. SY2.3 Backup | |
CSC 11-1 Maintain documented security configuration standards for all authorized network devices. SY2.4 Change Management | |
CSC 11-1 Maintain documented security configuration standards for all authorized network devices. NC1.1 Network Device Configuration | |
CSC 11-1 Maintain documented security configuration standards for all authorized network devices. NC1.5 Firewalls | |
CSC 11-2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need. SM2.6 Asset Registers | |
CSC 11-2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need. SY2.4 Change Management | |
CSC 11-2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need. NC1.1 Network Device Configuration | |
CSC 11-2 All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need. NC1.5 Firewalls | |
CSC 11-3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered. SM2.6 Asset Registers | |
CSC 11-3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered. PA1.1 Hardware Lifecycle Management | |
CSC 11-3 Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered. BA1.1 Business Application Protection | |
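Added example for the CSC 11-2 and CSC 11-3 rows above (not part of the CIS or ISF material): a check that audits a rule register for missing owner, missing business reason or past expiry, and diffs a device's running configuration against its approved baseline to surface drift in either direction. The register entries, the baseline and the running config are constructed samples in a generic ACL syntax; field names and addresses are illustrative assumptions. Normalising whitespace, case and comments before comparing is what keeps a cosmetic re-save from masking a real change such as the dropped `log` keyword on the final deny.

```python
"""Rule-register audit and firewall config drift check (added example).

Not CIS or ISF code. RULE_REGISTER, APPROVED_CONFIG and RUNNING_CONFIG are
constructed samples; adapt the loaders to your CMDB export and device backups.
"""
import re
from datetime import date

# Constructed rule register (assumption: illustrative fields and addresses).
RULE_REGISTER = [
    {"rule": "permit tcp any host 192.0.2.10 eq 443", "owner": "jdoe",
     "reason": "public web front end", "expires": "2026-12-31"},
    {"rule": "permit tcp 198.51.100.0/24 host 192.0.2.20 eq 22", "owner": "",
     "reason": "vendor support", "expires": "2021-06-30"},
    {"rule": "permit udp any host 192.0.2.30 eq 161", "owner": "netops",
     "reason": "", "expires": "2026-01-31"},
]

# Constructed approved baseline for the device.
APPROVED_CONFIG = """\
! approved baseline
permit tcp any host 192.0.2.10 eq 443
permit tcp 198.51.100.0/24 host 192.0.2.20 eq 22
permit udp any host 192.0.2.30 eq 161
deny ip any any log
"""

# Constructed running config as pulled from the device.
RUNNING_CONFIG = """\
! pulled from device
permit tcp any host 192.0.2.10 eq 443
permit tcp 198.51.100.0/24   host 192.0.2.20 eq 22
permit tcp any any eq 3389
deny ip any any
"""


def normalize_lines(config: str) -> list:
    """Drop comments and blank lines, collapse whitespace and lower-case,
    so cosmetic differences neither hide nor manufacture drift."""
    out = []
    for line in config.splitlines():
        line = line.split("!", 1)[0]
        line = re.sub(r"\s+", " ", line).strip().lower()
        if line:
            out.append(line)
    return out


def audit_register(register, today: date) -> list:
    """Flag rules that lack an owner or business reason, or are past expiry."""
    findings = []
    for entry in register:
        problems = []
        if not entry.get("owner"):
            problems.append("no owner")
        if not entry.get("reason"):
            problems.append("no business reason")
        if date.fromisoformat(entry["expires"]) < today:
            problems.append("expired " + entry["expires"])
        if problems:
            findings.append({"rule": entry["rule"], "problems": problems})
    return findings


def diff_against_baseline(approved: str, running: str) -> dict:
    """Report rules on the device that are not approved ('unexpected') and
    approved rules that are no longer present ('missing'); order-insensitive."""
    approved_set = set(normalize_lines(approved))
    running_set = set(normalize_lines(running))
    return {
        "unexpected": sorted(running_set - approved_set),
        "missing": sorted(approved_set - running_set),
    }


if __name__ == "__main__":
    for finding in audit_register(RULE_REGISTER, date(2022, 2, 8)):
        print("REGISTER:", finding)
    print("DRIFT:", diff_against_baseline(APPROVED_CONFIG, RUNNING_CONFIG))
```

Either function returning a non-empty result is the alert condition the CSC 11-3 row asks for; in a scheduled job, ship the findings to the SIEM rather than printing them.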
CSC 11-4 Install the latest stable version of any security related updates on all network devices. SY1.1 Computer and Network Installations | |
CSC 11-4 Install the latest stable version of any security related updates on all network devices. SY1.2 Server Configuration | |
CSC 11-4 Install the latest stable version of any security related updates on all network devices. SY1.4 Network Storage Systems | |
CSC 11-4 Install the latest stable version of any security related updates on all network devices. NC1.1 Network Device Configuration | |
CSC 11-4 Install the latest stable version of any security related updates on all network devices. NC1.5 Firewalls | |
CSC 11-4 Install the latest stable version of any security related updates on all network devices. TM1.1 Technical Vulnerability Management | |
CSC 11-5 Manage all network devices using multi-factor authentication and encrypted sessions. SA1.1 Access Control | |
CSC 11-5 Manage all network devices using multi-factor authentication and encrypted sessions. SY1.1 Computer and Network Installations | |
CSC 11-5 Manage all network devices using multi-factor authentication and encrypted sessions. NC1.1 Network Device Configuration | |
CSC 11-5 Manage all network devices using multi-factor authentication and encrypted sessions. NC1.4 External Network Connections | |
CSC 11-5 Manage all network devices using multi-factor authentication and encrypted sessions. NC1.5 Firewalls | |
CSC 11-5 Manage all network devices using multi-factor authentication and encrypted sessions. SC2.2 Core Cloud Security Controls | |
CSC 11-5 Manage all network devices using multi-factor authentication and encrypted sessions. TS1.7 Digital Rights Management | |
CSC 11-5 Manage all network devices using multi-factor authentication and encrypted sessions. TS2.3 Public Key Infrastructure | |
CSC 11-6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet. BA1.1 Business Application Protection | |
CSC 11-6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet. SA1.1 Access Control | |
CSC 11-6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet. SY1.1 Computer and Network Installations | |
CSC 11-6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet. NC1.1 Network Device Configuration | |
CSC 11-6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet. NC1.6 Remote Maintenance | |
CSC 11-7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices. PA1.3 Office Equipment | |
CSC 11-7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices. SY1.1 Computer and Network Installations | |
CSC 11-7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices. NC1.3 Wireless Access | |
CSC 11-7 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices. TS1.1 Security Architecture | |
CSC 12-1 Maintain an up-to-date inventory of all of the organization's network boundaries. SM2.6 Asset Registers | |
CSC 12-1 Maintain an up-to-date inventory of all of the organization's network boundaries. PA1.1 Hardware Lifecycle Management | |
CSC 12-1 Maintain an up-to-date inventory of all of the organization's network boundaries. SY1.2 Server Configuration | |
CSC 12-1 Maintain an up-to-date inventory of all of the organization's network boundaries. NC1.1 Network Device Configuration | |
CSC 12-1 Maintain an up-to-date inventory of all of the organization's network boundaries. NC1.4 External Network Connections | |
CSC 12-2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary. PA2.3 Mobile Applications Management | |
CSC 12-2 Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary. NC1.4 External Network Connections | |
CSC 12-3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries. SA2.3 Customer Connections | |
CSC 12-3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries. NC1.4 External Network Connections | |
CSC 12-3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries. NC1.5 Firewalls | |
CSC 12-3 Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries. TS1.5 Intrusion Detection | |
CSC 12-4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries. NC1.1 Network Device Configuration | |
CSC 12-4 Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries. NC1.5 Firewalls | |
CSC 12-5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries. TS1.5 Intrusion Detection | |
CSC 12-5 Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries. TM1.2 Security Event Logging | |
CSC 12-6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries. SY1.1 Computer and Network Installations | |
CSC 12-6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries. NC1.4 External Network Connections | |
CSC 12-6 Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries. TS1.5 Intrusion Detection | |
CSC 12-7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries. PA2.3 Mobile Applications Management | |
CSC 12-7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries. TS1.5 Intrusion Detection | |
CSC 12-7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries. TM1.5 Cyber Attack Protection | |
CSC 12-8 Enable the collection of NetFlow and logging data on all network boundary devices. NC1.4 External Network Connections | |
CSC 12-8 Enable the collection of NetFlow and logging data on all network boundary devices. TM1.3 Security Event Management | |
CSC 12-8 Enable the collection of NetFlow and logging data on all network boundary devices. TM1.4 Threat Intelligence | |
CSC 12-9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. PM1.3 Employee-owned Devices | |
CSC 12-9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. PA2.3 Mobile Applications Management | |
CSC 12-9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. NC1.4 External Network Connections | |
CSC 12-9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. NC2.2 Collaboration Platforms | |
CSC 12-9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. TS1.2 Malware Protection Activities | |
CSC 12-9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. TS1.3 Malware Protection Software | |
CSC 12-9 Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. TS1.6 Data Leakage Prevention | |
CSC 12-10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. PM1.3 Employee-owned Devices | |
CSC 12-10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. PA2.3 Mobile Applications Management | |
CSC 12-10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. NC1.4 External Network Connections | |
CSC 12-10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. NC1.5 Firewalls | |
CSC 12-10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. TS1.2 Malware Protection Activities | |
CSC 12-10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. TS1.3 Malware Protection Software | |
CSC 12-10 Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. TS1.6 Data Leakage Prevention | |
CSC 12-11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication. SA1.3 Access Control Mechanisms | |
CSC 12-11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication. SA1.5 Access Control Mechanisms – Token | |
CSC 12-11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication. NC1.4 External Network Connections | |
CSC 12-11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication. NC1.6 Remote Maintenance | |
CSC 12-11 Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication. SC2.2 Core Cloud Security Controls | |
CSC 12-12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices. PM1.3 Employee-owned Devices | |
CSC 12-12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices. PM1.4 Remote Working | |
CSC 12-12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices. PA2.1 Mobile Device Protection | |
CSC 12-12 Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices. PA2.3 Mobile Applications Management | |
CSC 13-1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider. SM2.6 Asset Registers | |
CSC 13-1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider. IM1.1 Information Classification and Handling | |
CSC 13-1 Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider. BA1.1 Business Application Protection | |
CSC 13-2 | Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed. | IM1.1 Information Classification and Handling; SY1.1 Computer and Network Installations; TS1.1 Security Architecture
CSC 13-3 | Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals. | NC1.4 External Network Connections; TS1.6 Data Leakage Prevention
CSC 13-4 | Only allow access to authorized cloud storage or email providers. | PA2.1 Mobile Device Protection; NC2.1 Email; SC2.1 Cloud Security Management; TS1.5 Intrusion Detection; TS1.6 Data Leakage Prevention
CSC 13-5 | Monitor all traffic leaving the organization and detect any unauthorized use of encryption. | SM2.3 Security Operations Centre (SOC); NC1.4 External Network Connections; NC1.5 Firewalls; TM1.2 Security Event Logging
CSC 13-6 | Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices. | PM1.3 Employee-owned Devices; PA1.4 Portable Storage Devices; PA1.5 Specialised Computing Equipment and Devices; PA2.1 Mobile Device Protection; PA2.3 Mobile Applications Management; SY1.4 Network Storage Systems
CSC 13-7 | If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained. | PA1.4 Portable Storage Devices; PA2.1 Mobile Device Protection
CSC 13-8 | Configure systems not to write data to external removable media, if there is no business need for supporting such devices. | PA1.4 Portable Storage Devices; PA2.1 Mobile Device Protection
CSC 13-9 | If USB storage devices are required, all data stored on such devices must be encrypted while at rest. | PA1.3 Office Equipment; PA1.4 Portable Storage Devices
CSC 14-1 | Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs). | BA1.1 Business Application Protection; SY1.1 Computer and Network Installations; SY2.1 Service Level Agreements; SC2.2 Core Cloud Security Controls
CSC 14-2 | Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities. | BA1.1 Business Application Protection; SY1.1 Computer and Network Installations; SY2.1 Service Level Agreements; NC1.5 Firewalls
CSC 14-3 | Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation. | PA1.3 Office Equipment; SD1.2 System Development Environments; BA1.1 Business Application Protection; SY1.1 Computer and Network Installations; SY1.3 Virtualisation; SY1.4 Network Storage Systems; SY2.1 Service Level Agreements; NC1.1 Network Device Configuration; NC1.3 Wireless Access; NC2.3 Voice Communication Services
CSC 14-4 | Encrypt all sensitive information in transit. | BA1.2 Web Application Protection; SA2.1 Customer Access Arrangements; SA2.3 Customer Connections; SY1.1 Computer and Network Installations; SY2.1 Service Level Agreements; SY2.3 Backup; NC1.3 Wireless Access; NC1.4 External Network Connections; NC1.5 Firewalls; NC2.1 Email; NC2.2 Collaboration Platforms; NC2.3 Voice Communication Services; SC2.2 Core Cloud Security Controls
CSC 14-5 | Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory. | SM2.6 Asset Registers; SY1.4 Network Storage Systems; SY2.3 Backup; TS2.1 Cryptographic Solutions; TS2.3 Public Key Infrastructure
CSC 14-6 | Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. | SA1.3 Access Control Mechanisms; SY1.4 Network Storage Systems
CSC 14-7 | Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system. | TS1.6 Data Leakage Prevention; TS1.7 Digital Rights Management
CSC 14-8 | Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information. | TS1.6 Data Leakage Prevention
CSC 14-9 | Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). | SM2.3 Security Operations Centre (SOC); TM1.2 Security Event Logging; TM1.3 Security Event Management
CSC 15-1 | Maintain an inventory of authorized wireless access points connected to the wired network. | SM2.6 Asset Registers; PA1.1 Hardware Lifecycle Management; NC1.3 Wireless Access
CSC 15-2 | Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network. | NC1.3 Wireless Access
CSC 15-3 | Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network. | TS1.5 Intrusion Detection
CSC 15-4 | Disable wireless access on devices that do not have a business purpose for wireless access. | PM1.3 Employee-owned Devices; PA1.2 Workstation Configuration; PA2.3 Mobile Applications Management; NC1.3 Wireless Access
CSC 15-5 | Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks. | PM1.3 Employee-owned Devices; PA1.2 Workstation Configuration; PA2.3 Mobile Applications Management; NC1.3 Wireless Access
CSC 15-6 | Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients. | PA1.2 Workstation Configuration; PA2.1 Mobile Device Protection; PA2.3 Mobile Applications Management; SY1.2 Server Configuration
CSC 15-7 | Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit. | NC1.3 Wireless Access
CSC 15-8 | Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication. | NC2.3 Voice Communication Services
CSC 15-9 | Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose. | PA1.2 Workstation Configuration; PA2.1 Mobile Device Protection; SY1.2 Server Configuration
CSC 15-10 | Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly. | PA1.4 Portable Storage Devices; NC1.3 Wireless Access
CSC 16-1 | Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider. | SM2.6 Asset Registers; PA1.1 Hardware Lifecycle Management; SA1.1 Access Control; SA1.2 User Authorisation
CSC 16-2 | Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems. | SC2.1 Cloud Security Management; TS1.4 Identity and Access Management
CSC 16-3 | Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider. | SA1.1 Access Control; SA1.3 Access Control Mechanisms; SA1.4 Access Control Mechanisms – Password; SA1.5 Access Control Mechanisms – Token; SA1.6 Access Control Mechanisms – Biometric; SA2.3 Customer Connections; SC2.2 Core Cloud Security Controls
CSC 16-4 | Encrypt or hash with a salt all authentication credentials when stored. | SA1.7 Sign-on Process; TS2.1 Cryptographic Solutions
CSC 16-5 | Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. | SA1.4 Access Control Mechanisms – Password; SA1.5 Access Control Mechanisms – Token; SA1.7 Sign-on Process; NC1.1 Network Device Configuration; TS2.1 Cryptographic Solutions; TS2.2 Cryptographic Key Management
CSC 16-6 | Maintain an inventory of all accounts organized by authentication system. | PA1.1 Hardware Lifecycle Management; SA1.1 Access Control; SA1.2 User Authorisation
CSC 16-7 | Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails. | SA1.1 Access Control; SA1.2 User Authorisation
CSC 16-8 | Disable any account that cannot be associated with a business process or business owner. | SA1.1 Access Control; SA1.2 User Authorisation
CSC 16-9 | Automatically disable dormant accounts after a set period of inactivity. | SA1.1 Access Control; SA1.2 User Authorisation
CSC 16-10 | Ensure that all accounts have an expiration date that is monitored and enforced. | SA1.7 Sign-on Process
CSC 16-11 | Automatically lock workstation sessions after a standard period of inactivity. | PM2.2 Security Awareness Messages; PA1.2 Workstation Configuration; SY1.2 Server Configuration
CSC 16-12 | Monitor attempts to access deactivated accounts through audit logging. | SM2.3 Security Operations Centre (SOC); SA1.1 Access Control; AS1.3 Security Monitoring and Reporting
CSC 16-13 | Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration. | SM2.3 Security Operations Centre (SOC); LC1.1 Local Environment Profile
CSC 17-1 | Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap. | SM2.1 Security Workforce; PM1.2 Ownership and Responsibilities; PM2.1 Security Awareness Programme; PM2.3 Security Education/Training; BA2.2 Protection of Spreadsheets
CSC 17-2 | Deliver training to address the skills gap identified to positively impact workforce members' security behavior. | PM2.3 Security Education/Training
CSC 17-3 | Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner. | PM2.1 Security Awareness Programme; PM2.2 Security Awareness Messages
CSC 17-4 | Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements. | PM2.1 Security Awareness Programme; PM2.2 Security Awareness Messages
CSC 17-5 | Train workforce members on the importance of enabling and utilizing secure authentication. | PM2.1 Security Awareness Programme; PM2.2 Security Awareness Messages; PM2.3 Security Education/Training
CSC 17-6 | Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls. | PM2.1 Security Awareness Programme; PM2.2 Security Awareness Messages; PM2.3 Security Education/Training
CSC 17-7 | Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information. | PM2.1 Security Awareness Programme; PM2.2 Security Awareness Messages; PM2.3 Security Education/Training
CSC 17-8 | Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email. | PM2.1 Security Awareness Programme; PM2.2 Security Awareness Messages; PM2.3 Security Education/Training
CSC 17-9 | Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident. | PM2.1 Security Awareness Programme; PM2.2 Security Awareness Messages; PM2.3 Security Education/Training
CSC 18-1 | Establish secure coding practices appropriate to the programming language and development environment being used. | PM2.3 Security Education/Training; SD2.2 System Design; SD2.4 System Build; SY1.3 Virtualisation
CSC 18-2 | For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. | SD2.2 System Design; SD2.4 System Build; SD2.6 Code Review; BA1.1 Business Application Protection; BA1.2 Web Application Protection; BA2.1 EUDA Development; BA2.2 Protection of Spreadsheets; AS1.2 Security Testing
CSC 18-3 | Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations. | SD2.3 Software Acquisition; SD2.7 System Promotion Criteria
CSC 18-4 | Only use up-to-date and trusted third-party components for the software developed by the organization. | PM2.3 Security Education/Training; SD2.3 Software Acquisition; SD2.4 System Build
CSC 18-5 | Use only standardized, currently accepted, and extensively reviewed encryption algorithms. | SD2.3 Software Acquisition; SD2.4 System Build; TS2.1 Cryptographic Solutions
CSC 18-6 | Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. | PM2.3 Security Education/Training; BA2.1 EUDA Development
CSC 18-7 | Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software. | SD2.3 Software Acquisition; SD2.4 System Build; SD2.5 System Testing; SD2.6 Code Review; BA2.1 EUDA Development
CSC 18-8 | Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group. | SD2.5 System Testing; SD2.6 Code Review; SD2.7 System Promotion Criteria; BA2.1 EUDA Development
CSC 18-9 | Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments. | SD1.2 System Development Environments
CSC 18-10 | Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed. | BA1.1 Business Application Protection; BA1.2 Web Application Protection; NC1.5 Firewalls
CSC 18-11 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested. BA1.1 Business Application Protection | |
CSC 19-1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. SM2.3 Security Operations Centre (SOC) | |
CSC 19-1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. TM1.3 Security Event Management | |
CSC 19-1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. TM1.5 Cyber Attack Protection | |
CSC 19-1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. TM2.1 Security Incident Management Framework | |
CSC 19-1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. TM2.2 Security Incident Management Process | |
CSC 19-1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. TM2.3 Emergency Fixes | |
CSC 19-1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. TM2.4 Forensic Investigations | |
CSC 19-1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. BC1.4 Crisis Management | |
CSC 19-1 Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. BC2.3 Business Continuity Testing | |
CSC 19-2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution. TM2.1 Security Incident Management Framework | |
CSC 19-2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution. TM2.2 Security Incident Management Process | |
CSC 19-2 Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution. BC1.4 Crisis Management | |
CSC 19-3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles. TM2.1 Security Incident Management Framework | |
CSC 19-3 Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles. TM2.2 Security Incident Management Process | |
CSC 19-4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. TM2.1 Security Incident Management Framework | |
CSC 19-4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. TM2.2 Security Incident Management Process | |
CSC 19-4 Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. BC1.4 Crisis Management | |
CSC 19-5 Assemble and maintain information on third party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners. TM2.1 Security Incident Management Framework | |
CSC 19-5 Assemble and maintain information on third party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners. TM2.2 Security Incident Management Process | |
CSC 19-5 Assemble and maintain information on third party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners. BC1.4 Crisis Management | |
CSC 19-6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities. PM2.2 Security Awareness Messages | |
CSC 19-6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities. TM2.1 Security Incident Management Framework | |
CSC 19-6 Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities. TM2.2 Security Incident Management Process | |
CSC 19-7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them. BC1.4 Crisis Management | |
CSC 19-7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them. BC2.3 Business Continuity Testing | |
CSC 19-7 Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder's technical capabilities using tools and data available to them. AS1.2 Security Testing | |
CSC 19-8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures. IR2.2 Business Impact Assessment | |
CSC 19-8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures. BC1.4 Crisis Management | |
CSC 19-8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures. BC2.1 Business Continuity Planning | |
CSC 19-8 Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures. BC2.3 Business Continuity Testing | |
CSC 20-1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks. SC2.2 Core Cloud Security Controls | |
CSC 20-1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks. AS1.2 Security Testing | |
CSC 20-1 Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks. AS2.3 Security Audit Process - Fieldwork | |
CSC 20-2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. PA1.1 Hardware Lifecycle Management | |
CSC 20-2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. SD2.3 Software Acquisition | |
CSC 20-2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. AS1.2 Security Testing | |
CSC 20-2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. AS2.1 Security Audit Management | |
CSC 20-2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. AS2.2 Security Audit Process - Planning | |
CSC 20-2 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. AS2.3 Security Audit Process - Fieldwork | |
CSC 20-3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively. BC1.4 Crisis Management | |
CSC 20-3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively. AS1.2 Security Testing | |
CSC 20-3 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively. AS2.2 Security Audit Process - Planning | |
CSC 20-4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation. TM2.1 Security Incident Management Framework | |
CSC 20-4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation. TM2.2 Security Incident Management Process | |
CSC 20-4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation. BC1.4 Crisis Management | |
CSC 20-4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation. AS1.2 Security Testing | |
CSC 20-4 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation. AS2.2 Security Audit Process - Planning | |
CSC 20-5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems. SD1.2 System Development Environments | |
CSC 20-5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems. AS1.2 Security Testing | |
CSC 20-5 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems. AS2.1 Security Audit Management | |
CSC 20-6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts. SC2.2 Core Cloud Security Controls | |
CSC 20-6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts. TM1.1 Technical Vulnerability Management | |
CSC 20-6 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts. AS2.2 Security Audit Process - Planning | |
CSC 20-7 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time. AS2.1 Security Audit Management | |
CSC 20-8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over. TM1.1 Technical Vulnerability Management | |
CSC 20-8 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over. AS2.1 Security Audit Management |