32 KiB
32 KiB
CIS 18 Controls Cheatsheet
Overview
The CIS Controls are a prioritized set of safeguards to mitigate the most prevalent cyber-attacks against systems and networks. This cheatsheet provides a quick reference to the 18 CIS Controls (v8), implementation guidance, and mappings to major frameworks.
CIS Controls Summary
| # | Control | Category | Purpose |
|---|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | Basic | Know what's on your network |
| 2 | Inventory and Control of Software Assets | Basic | Know what's running on your network |
| 3 | Data Protection | Basic | Protect sensitive information |
| 4 | Secure Configuration of Enterprise Assets and Software | Basic | Reduce the attack surface |
| 5 | Account Management | Basic | Manage access rights |
| 6 | Access Control Management | Basic | Limit user privileges |
| 7 | Continuous Vulnerability Management | Foundational | Find and fix vulnerabilities |
| 8 | Audit Log Management | Foundational | Collect and review logs |
| 9 | Email and Web Browser Protections | Foundational | Secure common attack vectors |
| 10 | Malware Defenses | Foundational | Block and detect malicious code |
| 11 | Data Recovery | Foundational | Plan for the worst |
| 12 | Network Infrastructure Management | Foundational | Secure network devices |
| 13 | Network Monitoring and Defense | Foundational | Detect and prevent attacks |
| 14 | Security Awareness and Skills Training | Foundational | Human firewall |
| 15 | Service Provider Management | Foundational | Secure your supply chain |
| 16 | Application Software Security | Foundational | Develop secure applications |
| 17 | Incident Response Management | Organizational | Prepare and practice |
| 18 | Penetration Testing | Organizational | Test your defenses |
Detailed Controls with Implementation Guidance
CIS Control 1: Inventory and Control of Enterprise Assets
| Safeguard | Description | Implementation |
|---|---|---|
| 1.1 | Establish Asset Inventory | Use automated tools (CMDB, network scanning, etc.) |
| 1.2 | Address Unauthorized Assets | Implement NAC or 802.1x port security |
| 1.3 | Utilize DHCP Logging | Configure DHCP servers to log lease information |
| 1.4 | Use Dynamic Host Configuration Protocol (DHCP) | Standardize IP assignment |
| 1.5 | Use a Passive Asset Discovery Tool | Deploy passive monitoring tools |
Key Tools:
- Network scanners (Nmap, Nessus)
- Asset management systems (ServiceNow, Lansweeper)
- NAC solutions (Cisco ISE, FortiNAC)
- CMDB systems
Framework Mappings:
- NIST CSF: ID.AM-1, ID.AM-2, ID.AM-5
- ISO 27001: A.8.1.1, A.8.1.2
- NIST 800-53: CM-8, PM-5
- GDPR: Article 30
CIS Control 2: Inventory and Control of Software Assets
| Safeguard | Description | Implementation |
|---|---|---|
| 2.1 | Establish Software Inventory | Deploy software inventory tools |
| 2.2 | Ensure Authorized Software is Currently Supported | Track EOL/EOS dates |
| 2.3 | Address Unauthorized Software | Implement application whitelisting |
| 2.4 | Utilize Automated Software Inventory Tools | Use agent-based inventory tools |
| 2.5 | Allow Only Authorized Software | Implement application control |
| 2.6 | Allow Only Authorized Libraries | Control libraries and dependencies |
| 2.7 | Allow Only Authorized Scripts | Implement script control (PowerShell, etc.) |
Key Tools:
- Software inventory tools (Microsoft SCCM, Lansweeper)
- Application whitelisting (AppLocker, Carbon Black)
- Package managers with inventory capabilities
- Script control (PowerShell execution policies)
Framework Mappings:
- NIST CSF: ID.AM-2, PR.DS-6, PR.IP-1
- ISO 27001: A.12.6.2, A.8.1.1, A.8.1.2
- NIST 800-53: CM-7, CM-8, SA-4
- PCI DSS: 2.4, 6.2
CIS Control 3: Data Protection
| Safeguard | Description | Implementation |
|---|---|---|
| 3.1 | Establish Data Management Process | Implement data classification |
| 3.2 | Establish Data Inventory | Document sensitive data locations |
| 3.3 | Configure Data Access Control Lists | Implement need-to-know permissions |
| 3.4 | Enforce Data Retention | Deploy automated policies |
| 3.5 | Securely Delete Data | Implement secure deletion tools |
| 3.6 | Encrypt Data on End-User Devices | Deploy full-disk encryption |
| 3.7 | Establish Data Classification | Define sensitivity levels |
| 3.8 | Document Data Flows | Map how data moves through systems |
| 3.9 | Encrypt Data in Transit | Implement TLS for communications |
| 3.10 | Encrypt Sensitive Data at Rest | Deploy database/storage encryption |
| 3.11 | Encrypt Sensitive Data in Use | Utilize privacy-preserving technologies |
| 3.12 | Segment Data Processing and Storage | Separate sensitive data environments |
| 3.13 | Deploy a Data Loss Prevention Solution | Implement DLP tools |
| 3.14 | Log Sensitive Data Access | Monitor access to classified data |
Key Tools:
- DLP solutions (Symantec, Digital Guardian)
- Encryption tools (BitLocker, VeraCrypt)
- Data classification tools (Microsoft AIP, Titus)
- Access monitoring tools
Framework Mappings:
- NIST CSF: PR.DS-1, PR.DS-2, PR.DS-5, PR.PT-2
- ISO 27001: A.8.2.1, A.8.2.2, A.8.2.3, A.10.1.1
- NIST 800-53: SC-8, SC-28, MP-2, MP-3, MP-4
- GDPR: Articles 5, 6, 25, 32
- PCI DSS: 3.1, 3.2, 3.4, 3.5, 3.6
CIS Control 4: Secure Configuration of Enterprise Assets and Software
| Safeguard | Description | Implementation |
|---|---|---|
| 4.1 | Establish Secure Configuration Process | Document hardening standards |
| 4.2 | Establish Secure Configuration Management | Use secure baselines |
| 4.3 | Configure Automatic Session Locking | Set screen timeout policies |
| 4.4 | Implement Strong Authentication | Use MFA where possible |
| 4.5 | Implement Secure Boot | Enable secure boot on systems |
| 4.6 | Securely Manage Enterprise Assets | Use trusted software/images |
| 4.7 | Manage Default Accounts | Change defaults, disable when possible |
| 4.8 | Uninstall or Disable Unnecessary Services | Remove unneeded services |
| 4.9 | Configure Trusted DNS Servers | Use secure DNS providers |
| 4.10 | Enforce Secure Configuration | Monitor and enforce compliance |
| 4.11 | Apply Host-Based Firewalls | Deploy on all endpoints |
| 4.12 | Separate Management Network | Isolate management traffic |
Key Tools:
- Configuration management (Chef, Puppet, Ansible)
- Secure configuration scanners (CIS-CAT, Nessus)
- Group Policy/MDM solutions
- Baseline management tools
Framework Mappings:
- NIST CSF: PR.IP-1, PR.PT-3
- ISO 27001: A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4
- NIST 800-53: CM-2, CM-6, CM-7, IA-5
- PCI DSS: 2.2, 2.3, 2.6
CIS Control 5: Account Management
| Safeguard | Description | Implementation |
|---|---|---|
| 5.1 | Establish Account Management Process | Document user lifecycle |
| 5.2 | Use Unique Passwords | Implement password policies |
| 5.3 | Disable Dormant Accounts | Auto-disable after inactivity |
| 5.4 | Restrict Administrator Privileges | Limit admin accounts |
| 5.5 | Establish Account Monitoring | Alert on suspicious activities |
| 5.6 | Centralize Account Management | Use directory services |
| 5.7 | Implement MFA for Privileged Users | Require strong auth for admins |
| 5.8 | Implement MFA for Remote Network Access | Secure VPN/external connections |
| 5.9 | Implement MFA for Internet-Accessible Services | Protect external services |
Key Tools:
- Identity Management (Active Directory, Okta)
- Privileged Access Management (CyberArk, BeyondTrust)
- MFA solutions (Duo, RSA)
- Account monitoring tools
Framework Mappings:
- NIST CSF: PR.AC-1, PR.AC-4, PR.AC-7
- ISO 27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6
- NIST 800-53: AC-2, AC-3, AC-6, IA-2, IA-5
- PCI DSS: 7.1, 7.2, 8.1, 8.2, 8.3
CIS Control 6: Access Control Management
| Safeguard | Description | Implementation |
|---|---|---|
| 6.1 | Establish Access Control Management Process | Define access request/approval process |
| 6.2 | Establish Access Revoking Process | Document termination procedures |
| 6.3 | Require MFA for Externally-Exposed Applications | Protect public-facing services |
| 6.4 | Require MFA for Remote Network Access | Secure remote connections |
| 6.5 | Require MFA for Administrative Access | Use strong auth for all privileged actions |
| 6.6 | Establish An Access Governance Process | Implement periodic reviews |
| 6.7 | Centralize Access Control | Use single access platform |
| 6.8 | Define Acceptable Use | Create policy for proper system use |
| 6.9 | Control Credential Disclosure | Protect secrets |
Key Tools:
- Role-based access control systems
- Identity Governance solutions (SailPoint, Saviynt)
- Access certification tools
- PAM solutions
Framework Mappings:
- NIST CSF: PR.AC-1, PR.AC-3, PR.AC-4
- ISO 27001: A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1
- NIST 800-53: AC-1, AC-2, AC-3, AC-5, AC-6, AC-17
- PCI DSS: 7.1, 7.2, 8.3
CIS Control 7: Continuous Vulnerability Management
| Safeguard | Description | Implementation |
|---|---|---|
| 7.1 | Establish Vulnerability Management Process | Define scanning schedule |
| 7.2 | Establish a Remediation Process | Document patching procedures |
| 7.3 | Perform Automated Operating System Patch Management | Use patch management tools |
| 7.4 | Perform Automated Application Patch Management | Automate app updates |
| 7.5 | Perform Automated Vulnerability Scans | Schedule regular scans |
| 7.6 | Remediate Detected Vulnerabilities | Track and manage fixes |
| 7.7 | Utilize Industry-Recommended Vulnerability Sources | Subscribe to advisory feeds |
Key Tools:
- Vulnerability scanners (Nessus, Qualys, OpenVAS)
- Patch management (WSUS, SCCM, Ivanti)
- Vulnerability management platforms
- Threat intelligence feeds
Framework Mappings:
- NIST CSF: ID.RA-1, ID.RA-2, PR.IP-12
- ISO 27001: A.12.6.1, A.12.6.2, A.14.2.3
- NIST 800-53: RA-3, RA-5, SI-2
- PCI DSS: 6.1, 6.2, 11.2
CIS Control 8: Audit Log Management
| Safeguard | Description | Implementation |
|---|---|---|
| 8.1 | Establish Audit Log Management | Define logging strategy |
| 8.2 | Collect Audit Logs | Configure logging for all assets |
| 8.3 | Ensure Adequate Audit Log Storage | Size storage appropriately |
| 8.4 | Standardize Time Synchronization | Implement NTP |
| 8.5 | Collect Detailed Audit Logs | Capture comprehensive events |
| 8.6 | Collect DNS Query Logs | Monitor DNS activity |
| 8.7 | Collect URL Request Logs | Track web browsing |
| 8.8 | Collect Command-Line Audit Logs | Monitor command execution |
| 8.9 | Centralize Audit Logs | Aggregate to SIEM |
| 8.10 | Retain Audit Logs | Define retention period |
| 8.11 | Conduct Audit Log Reviews | Regular log analysis |
| 8.12 | Collect Service Provider Logs | Include cloud services |
Key Tools:
- SIEM solutions (Splunk, ELK Stack, QRadar)
- Log aggregation tools (NXLog, Syslog-ng)
- NTP servers
- Log storage solutions
Framework Mappings:
- NIST CSF: PR.PT-1, DE.CM-1, DE.CM-3, DE.CM-7
- ISO 27001: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4
- NIST 800-53: AU-2, AU-3, AU-6, AU-7, AU-8, AU-9, AU-11, AU-12
- PCI DSS: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7
CIS Control 9: Email and Web Browser Protections
| Safeguard | Description | Implementation |
|---|---|---|
| 9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | Keep updated |
| 9.2 | Use DNS Filtering Services | Block malicious domains |
| 9.3 | Maintain Network-Based URL Filters | Implement web filtering |
| 9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | Control plugins |
| 9.5 | Implement DMARC | Enable email authentication |
| 9.6 | Block Unnecessary File Types | Filter risky attachments |
| 9.7 | Deploy and Maintain Email Server Anti-Malware Protections | Scan emails for threats |
Key Tools:
- Secure email gateways (Proofpoint, Mimecast)
- DNS filtering (Cisco Umbrella, Quad9)
- Web proxies (Zscaler, Blue Coat)
- Email authentication (DKIM, SPF, DMARC)
Framework Mappings:
- NIST CSF: PR.DS-6, PR.DS-7, DE.CM-5
- ISO 27001: A.13.1.1, A.13.1.2
- NIST 800-53: SC-7, SC-8
- PCI DSS: 1.3, 4.1, 5.1, 5.3
CIS Control 10: Malware Defenses
| Safeguard | Description | Implementation |
|---|---|---|
| 10.1 | Deploy and Maintain Anti-Malware Software | Install on all endpoints |
| 10.2 | Configure Automatic Anti-Malware Signature Updates | Enable auto-updates |
| 10.3 | Disable Autorun and Autoplay for Removable Media | Prevent auto-execution |
| 10.4 | Configure Automatic Anti-Malware Scanning | Schedule regular scans |
| 10.5 | Enable Anti-Exploitation Features | Use OS security features |
| 10.6 | Centrally Manage Anti-Malware Software | Deploy management console |
| 10.7 | Use Behavior-Based Anti-Malware Software | Implement advanced protection |
Key Tools:
- Endpoint protection platforms (CrowdStrike, Symantec, Microsoft Defender)
- Application whitelisting
- Behavioral analysis tools
- Anti-exploitation (EMET, Windows Defender Exploit Guard)
Framework Mappings:
- NIST CSF: DE.CM-4, DE.CM-5, PR.DS-5
- ISO 27001: A.12.2.1
- NIST 800-53: SI-3, SI-4, SI-8
- PCI DSS: 5.1, 5.2, 5.3
CIS Control 11: Data Recovery
| Safeguard | Description | Implementation |
|---|---|---|
| 11.1 | Establish Data Recovery Process | Document backup procedures |
| 11.2 | Perform Automated Backups | Schedule regular backups |
| 11.3 | Protect Recovery Data | Secure backup infrastructure |
| 11.4 | Establish Secure Recovery Process | Document restoration procedures |
| 11.5 | Test Data Recovery | Regular restore testing |
Key Tools:
- Backup solutions (Veeam, Veritas, Commvault)
- Cloud backup (AWS Backup, Azure Backup)
- Immutable storage
- Air-gapped backups
Framework Mappings:
- NIST CSF: PR.IP-4, RC.RP-1
- ISO 27001: A.12.3.1, A.17.1.2, A.17.1.3
- NIST 800-53: CP-9, CP-10
- PCI DSS: 9.5, 9.6, 9.7, 12.10.1
CIS Control 12: Network Infrastructure Management
| Safeguard | Description | Implementation |
|---|---|---|
| 12.1 | Ensure Network Infrastructure is Up-to-Date | Patch networking devices |
| 12.2 | Establish Network Infrastructure Management Process | Document procedures |
| 12.3 | Securely Manage Network Infrastructure | Use secure protocols |
| 12.4 | Establish and Maintain Dedicated, Secure Management Network | Separate management plane |
| 12.5 | Centralize Network Authentication, Authorization, and Auditing | Implement AAA |
| 12.6 | Use Standard Secure Signaling and Transport Protocols | Secure communications |
| 12.7 | Ensure Remote Devices Utilize a VPN | Secure remote connections |
| 12.8 | Establish and Maintain Dedicated Computing Resources for Critical Networks | Segment sensitive functions |
Key Tools:
- Network management platforms (Cisco, Aruba, Juniper)
- AAA servers (RADIUS, TACACS+)
- Network configuration management
- VPN solutions
Framework Mappings:
- NIST CSF: PR.AC-5, PR.PT-4
- ISO 27001: A.13.1.1, A.13.1.3
- NIST 800-53: AC-17, AC-18, IA-3, SC-7, SC-8
- PCI DSS: 1.1, 1.2, 1.3, 2.2
CIS Control 13: Network Monitoring and Defense
| Safeguard | Description | Implementation |
|---|---|---|
| 13.1 | Centralize Security Event Alerting | Implement SIEM |
| 13.2 | Deploy a Host-Based IDS or IPS | Install endpoint detection |
| 13.3 | Deploy a Network-Based IDS, IPS or NDR | Monitor network traffic |
| 13.4 | Perform Traffic Filtering | Deploy firewalls |
| 13.5 | Manage Access Control for Remote Assets | Control remote connections |
| 13.6 | Collect Network Traffic Flow Logs | Capture NetFlow |
| 13.7 | Deploy a Network-Based DLP | Monitor for data exfiltration |
| 13.8 | Deploy a Network-Based Sandbox | Analyze suspicious files |
| 13.9 | Deploy Port-Level Access Control | Implement 802.1X |
| 13.10 | Perform Application Layer Filtering | Use web application firewalls |
| 13.11 | Tune Security Event Alerting Thresholds | Reduce false positives |
Key Tools:
- Network IDS/IPS (Suricata, Snort, Cisco)
- SIEM solutions (Splunk, QRadar)
- NDR solutions (Darktrace, ExtraHop)
- NetFlow analyzers
- Next-gen firewalls
Framework Mappings:
- NIST CSF: DE.AE-1, DE.AE-2, DE.AE-3, DE.CM-1, DE.CM-7
- ISO 27001: A.12.4.1, A.13.1.1, A.13.1.2
- NIST 800-53: SI-4, AU-6
- PCI DSS: 10.6, 11.4, 11.5
CIS Control 14: Security Awareness and Skills Training
| Safeguard | Description | Implementation |
|---|---|---|
| 14.1 | Establish Security Awareness Program | Document training strategy |
| 14.2 | Train Workforce Members | Implement regular training |
| 14.3 | Train Workforce on Authentication Best Practices | Password/MFA education |
| 14.4 | Train Workforce on Data Handling Best Practices | Sensitive data procedures |
| 14.5 | Train Workforce on Causes of Unintentional Data Exposure | Prevent mistakes |
| 14.6 | Train Workforce on Recognizing and Reporting Security Incidents | Incident reporting process |
| 14.7 | Train Workforce on How to Identify and Report Phishing Attacks | Phishing recognition |
| 14.8 | Train Workforce on Secure Use of Social Media | Social media risks |
| 14.9 | Train Workforce on Secure Use of Mobile Devices | Mobile security |
Key Tools:
- Security awareness platforms (KnowBe4, Proofpoint)
- Phishing simulation tools
- Learning management systems
- Training content providers
Framework Mappings:
- NIST CSF: PR.AT-1, PR.AT-2, PR.AT-5
- ISO 27001: A.7.2.2, A.7.2.3
- NIST 800-53: AT-1, AT-2, AT-3
- PCI DSS: 12.6, 12.6.1, 12.6.2
CIS Control 15: Service Provider Management
| Safeguard | Description | Implementation |
|---|---|---|
| 15.1 | Establish Service Provider Management Process | Document vendor management |
| 15.2 | Establish Service Provider Requirements | Define security expectations |
| 15.3 | Monitor Service Provider Compliance | Regular reviews |
| 15.4 | Ensure Service Provider Contracts Include Security Requirements | Contract requirements |
| 15.5 | Assess Service Providers | Due diligence process |
| 15.6 | Monitor Service Provider Security | Ongoing validation |
| 15.7 | Securely Decommission Service Providers | Offboarding process |
Key Tools:
- Vendor risk management platforms
- Contract management systems
- Security questionnaires
- Continuous monitoring tools
Framework Mappings:
- NIST CSF: ID.SC-1, ID.SC-2, ID.SC-3, ID.SC-4, ID.SC-5
- ISO 27001: A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
- NIST 800-53: SA-9, SA-12
- PCI DSS: 12.8, 12.8.1-5, 12.9
CIS Control 16: Application Software Security
| Safeguard | Description | Implementation |
|---|---|---|
| 16.1 | Establish Application Security Program | Document SDLC security |
| 16.2 | Perform Application Classification | Assess application criticality |
| 16.3 | Implement Secure Software Development Practices | Secure coding standards |
| 16.4 | Establish a Secure Software Development Lifecycle | Include security in SDLC |
| 16.5 | Use Up-to-Date and Trusted Third-Party Components | Manage dependencies |
| 16.6 | Establish Secure Coding Practices | Developer guidelines |
| 16.7 | Use Standard Hardening Configuration Templates | Application hardening |
| 16.8 | Separate Production and Non-Production Systems | Environment segregation |
| 16.9 | Train Developers in Application Security Concepts and Secure Coding | Developer education |
| 16.10 | Apply Secure Design Principles in Application Architectures | Security architecture |
| 16.11 | Leverage Vetted Modules or Services | Use proven components |
| 16.12 | Implement Code-Level Security Checks | SAST/DAST |
| 16.13 | Conduct Application Penetration Testing | Security testing |
| 16.14 | Conduct Threat Modeling | Identify attack vectors |
Key Tools:
- SAST tools (SonarQube, Checkmarx)
- DAST tools (OWASP ZAP, Burp Suite)
- Dependency scanners (OWASP Dependency-Check)
- SCA tools (Snyk, Black Duck)
Framework Mappings:
- NIST CSF: PR.DS-7, PR.IP-2
- ISO 27001: A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.5, A.14.2.6, A.14.2.8
- NIST 800-53: SA-3, SA-4, SA-8, SA-11, SA-15, SA-16
- PCI DSS: 6.3, 6.4, 6.5, 6.6
CIS Control 17: Incident Response Management
| Safeguard | Description | Implementation |
|---|---|---|
| 17.1 | Establish Incident Response Process | Document IR plan |
| 17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | Define escalation paths |
| 17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | Report procedures |
| 17.4 | Establish and Maintain An Incident Response Process | IR workflows |
| 17.5 | Assign Key Roles and Responsibilities | Define IR team |
| 17.6 | Define Mechanisms for Communicating During Incident Response | Communication plans |
| 17.7 | Conduct Routine Incident Response Exercises | Tabletop exercises |
| 17.8 | Conduct Post-Incident Reviews | Lessons learned process |
| 17.9 | Establish and Maintain Security Incident Thresholds | Event classification |
Key Tools:
- Incident response platforms (TheHive, RTIR)
- Digital forensics tools
- Threat intelligence platforms
- Communication platforms
Framework Mappings:
- NIST CSF: RS.RP-1, RS.CO-1, RS.AN-1, RS.MI-1, RS.MI-2, RC.RP-1
- ISO 27001: A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.6, A.16.1.7
- NIST 800-53: IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8
- PCI DSS: 12.10, 12.10.1, 12.10.2, 12.10.3, 12.10.4, 12.10.5, 12.10.6
CIS Control 18: Penetration Testing
| Safeguard | Description | Implementation |
|---|---|---|
| 18.1 | Establish Penetration Testing Program | Document testing strategy |
| 18.2 | Perform Regular External Penetration Tests | Test external perimeter |
| 18.3 | Perform Regular Internal Penetration Tests | Test internal network |
| 18.4 | Validate Security Measures | Verify control effectiveness |
| 18.5 | Document Penetration Testing Results | Report all findings |
| 18.6 | Test Critical Systems and Services | Focus on key assets |
| 18.7 | Remediate Penetration Test Findings | Fix identified issues |
| 18.8 | Use Qualified Penetration Testers | Engage skilled professionals |
| 18.9 | Conduct Application Penetration Testing | Test web applications |
| 18.10 | Conduct Physical Penetration Testing | Test physical security |
Key Tools:
- Penetration testing tools (Metasploit, Nmap, Burp Suite)
- Vulnerability scanners (Nessus, OpenVAS)
- Social engineering tools (SET, Gophish)
- Physical penetration testing equipment
Framework Mappings:
- NIST CSF: ID.RA-1, DE.CM-8
- ISO 27001: A.14.2.8, A.18.2.1, A.18.2.3
- NIST 800-53: CA-8, RA-5, SA-11
- PCI DSS: 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4
Framework Mapping Matrix
| CIS Control | NIST CSF | ISO 27001 | NIST 800-53 | PCI DSS | HIPAA | GDPR |
|---|---|---|---|---|---|---|
| 1. Inventory and Control of Enterprise Assets | ID.AM-1, ID.AM-2 | A.8.1.1, A.8.1.2 | CM-8, PM-5 | 2.4, 9.9, 11.1 | §164.310(d) | Art 30, 32 |
| 2. Inventory and Control of Software Assets | ID.AM-2, PR.DS-6 | A.12.6.2, A.8.1.1 | CM-7, CM-8 | 2.4, 6.2 | §164.310(d) | Art 30 |
| 3. Data Protection | PR.DS-1, PR.DS-2, PR.DS-5 | A.8.2.1-3, A.10.1.1 | SC-8, SC-28, MP-2-4 | 3.1-6, 4.1-2 | §164.312(a)(2)(iv) | Art 5, 6, 25, 32 |
| 4. Secure Configuration of Enterprise Assets and Software | PR.IP-1, PR.PT-3 | A.12.1.2, A.14.2.2-4 | CM-2, CM-6, CM-7 | 2.2, 2.3, 2.6 | §164.310(c) | Art 25, 32 |
| 5. Account Management | PR.AC-1, PR.AC-4, PR.AC-7 | A.9.2.1-6 | AC-2, AC-3, AC-6, IA-2, IA-5 | 7.1, 7.2, 8.1-3 | §164.308(a)(3), §164.308(a)(4) | Art 25, 32 |
| 6. Access Control Management | PR.AC-1, PR.AC-3, PR.AC-4 | A.9.1.1-2, A.9.2.3, A.9.4.1 | AC-1-6, AC-17 | 7.1, 7.2, 8.3 | §164.308(a)(4) | Art 25, 32 |
| 7. Continuous Vulnerability Management | ID.RA-1, ID.RA-2, PR.IP-12 | A.12.6.1-2, A.14.2.3 | RA-3, RA-5, SI-2 | 6.1, 6.2, 11.2 | §164.308(a)(1)(ii)(A) | Art 32 |
| 8. Audit Log Management | PR.PT-1, DE.CM-1, DE.CM-3 | A.12.4.1-4 | AU-2-3, AU-6-12 | 10.1-7 | §164.308(a)(1)(ii)(D), §164.312(b) | Art 30, 32 |
| 9. Email and Web Browser Protections | PR.DS-6, PR.DS-7, DE.CM-5 | A.13.1.1-2 | SC-7, SC-8 | 1.3, 4.1, 5.1, 5.3 | §164.308(a)(5)(ii)(B) | Art 32 |
| 10. Malware Defenses | DE.CM-4, DE.CM-5, PR.DS-5 | A.12.2.1 | SI-3, SI-4, SI-8 | 5.1-3 | §164.308(a)(5)(ii)(B) | Art 32 |
| 11. Data Recovery | PR.IP-4, RC.RP-1 | A.12.3.1, A.17.1.2-3 | CP-9, CP-10 | 9.5-7, 12.10.1 | §164.308(a)(7) | Art 32 |
| 12. Network Infrastructure Management | PR.AC-5, PR.PT-4 | A.13.1.1, A.13.1.3 | AC-17-18, IA-3, SC-7-8 | 1.1-3, 2.2 | §164.312(a)(1) | Art 32 |
| 13. Network Monitoring and Defense | DE.AE-1-3, DE.CM-1, DE.CM-7 | A.12.4.1, A.13.1.1-2 | SI-4, AU-6 | 10.6, 11.4, 11.5 | §164.308(a)(1)(ii)(D), §164.312(b) | Art 32 |
| 14. Security Awareness and Skills Training | PR.AT-1, PR.AT-2, PR.AT-5 | A.7.2.2-3 | AT-1, AT-2, AT-3 | 12.6, 12.6.1-2 | §164.308(a)(5) | Art 32, 39 |
| 15. Service Provider Management | ID.SC-1-5 | A.15.1.1-3, A.15.2.1-2 | SA-9, SA-12 | 12.8, 12.8.1-5, 12.9 | §164.308(b) | Art 28, 32 |
| 16. Application Software Security | PR.DS-7, PR.IP-2 | A.14.1.1, A.14.2.1-2, A.14.2.5-6, A.14.2.8 | SA-3-4, SA-8, SA-11, SA-15-16 | 6.3-6 | §164.312(a)(1) | Art 25, 32 |
| 17. Incident Response Management | RS.RP-1, RS.CO-1, RS.AN-1, RS.MI-1-2, RC.RP-1 | A.16.1.1-7 | IR-1-8 | 12.10, 12.10.1-6 | §164.308(a)(6) | Art 33, 34 |
| 18. Penetration Testing | ID.RA-1, DE.CM-8 | A.14.2.8, A.18.2.1, A.18.2.3 | CA-8, RA-5, SA-11 | 11.3, 11.3.1-4 | §164.308(a)(8) | Art 32 |
Implementation Priorities by Organization Size
Small Organizations (Limited Resources)
Essential Controls to Implement First:
- CIS Control 1: Inventory and Control of Enterprise Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Data Protection (focus on encryption)
- CIS Control 4: Secure Configuration (basic hardening)
- CIS Control 5: Account Management (focus on privileged accounts)
- CIS Control 7: Continuous Vulnerability Management (basic patching)
- CIS Control 10: Malware Defenses (endpoint protection)
- CIS Control 11: Data Recovery (basic backup strategy)
- CIS Control 14: Security Awareness Training (basic program)
Implementation Tips:
- Use free/open source tools where possible
- Focus on cloud-based security solutions with minimal infrastructure
- Implement managed security services for areas requiring expertise
- Prioritize protecting the most critical systems and data
- Consider outsourcing complex controls
Medium Organizations (Moderate Resources)
Implementation Order:
- Implement all Basic controls (1-6) thoroughly
- Implement Foundational controls (7-16) with focus on:
- CIS Control 7: Continuous Vulnerability Management
- CIS Control 8: Audit Log Management
- CIS Control 10: Malware Defenses
- CIS Control 11: Data Recovery
- CIS Control 12: Network Infrastructure Management
- CIS Control 13: Network Monitoring and Defense
- Begin implementing Organizational controls (17-18)
Implementation Tips:
- Establish formal security program with dedicated resources
- Implement automation where possible
- Consider hybrid of in-house and outsourced security services
- Establish metrics to measure control effectiveness
Large Organizations (Significant Resources)
Implementation Approach:
- Implement all 18 CIS Controls comprehensively
- Focus on automation and integration
- Establish continuous monitoring and improvement
- Customize controls for industry-specific requirements
- Implement advanced capabilities within each control
Implementation Tips:
- Develop custom security architecture aligned with controls
- Implement defense-in-depth strategy
- Establish centralized security operations capability
- Integrate controls with risk management program
- Establish control validation and testing program
Implementation Challenges and Solutions
| Challenge | Description | Potential Solutions |
|---|---|---|
| Resource Constraints | Limited budget, staff, or time | Start with critical controls, use free tools, consider managed services |
| Technical Complexity | Some controls require specialized expertise | Outsource complex controls, invest in training, use simplified solutions |
| Legacy Systems | Older systems may not support modern security | Implement compensating controls, isolate legacy systems, prioritize replacement |
| Organizational Resistance | User pushback to security measures | Focus on user experience, demonstrate business value, executive sponsorship |
| Lack of Visibility | Incomplete view of environment | Implement asset discovery tools, start with known assets, incremental improvement |
| Monitoring Fatigue | Too many alerts, not enough analysts | Tune detections, prioritize alerts, automate responses where possible |
| Integration Challenges | Making tools work together | Select integration-friendly solutions, use APIs, standardize data formats |
| Measuring Effectiveness | Difficulty proving control value | Establish baseline metrics, track improvements, use maturity models |
CIS Controls Implementation Roadmap
Phase 1: Foundation (Months 1-3)
- Complete initial asset inventory (CIS 1, 2)
- Implement basic account controls (CIS 5)
- Deploy endpoint protection (CIS 10)
- Establish backup solution (CIS 11)
- Begin security awareness program (CIS 14)
Phase 2: Basic Security Posture (Months 4-6)
- Implement secure configurations (CIS 4)
- Establish vulnerability management (CIS 7)
- Deploy basic log management (CIS 8)
- Secure email and web browsing (CIS 9)
- Document incident response procedures (CIS 17)
Phase 3: Enhanced Protection (Months 7-12)
- Implement data protection controls (CIS 3)
- Enhance access control (CIS 6)
- Secure network infrastructure (CIS 12)
- Deploy network monitoring (CIS 13)
- Review vendor security (CIS 15)
Phase 4: Advanced Capabilities (Months 13-18)
- Implement application security (CIS 16)
- Conduct penetration testing (CIS 18)
- Enhance and refine all controls
- Establish metrics and reporting
- Integrate with risk management
Key Performance Indicators by Control
| Control | Key Metrics | Target Values |
|---|---|---|
| 1. Inventory | % of assets inventoried, Unauthorized device detection time | >95% inventoried, <24h detection |
| 2. Software Inventory | % of software inventoried, % of unauthorized software | >95% inventoried, <2% unauthorized |
| 3. Data Protection | % of sensitive data encrypted, data loss incidents | >99% encrypted, 0 incidents |
| 4. Secure Configuration | % of systems with secure baseline, configuration drift rate | >95% compliant, <5% drift |
| 5. Account Management | % of accounts reviewed, dormant account count | 100% reviewed annually, <5% dormant |
| 6. Access Control | Excessive privilege rate, access review completion | <5% with excessive rights, 100% reviewed |
| 7. Vulnerability Management | Mean time to patch critical vulnerabilities, scan coverage | <7 days MTTR, >98% coverage |
| 8. Audit Logging | Logging coverage, log retention compliance | >98% coverage, 100% retention compliance |
| 9. Email/Web Protection | Phishing simulation success rate, malware blocked | <5% click rate, >99% block rate |
| 10. Malware Defense | Endpoint protection coverage, detection time | >99% coverage, <1 hour detection |
| 11. Data Recovery | Backup success rate, recovery time objective achievement | >99% success, 100% RTO met |
| 12. Network Management | Network device compliance, unauthorized change rate | >98% compliance, <1% unauthorized |
| 13. Network Monitoring | Alert triage time, true positive rate | <30 min triage, >80% true positive |
| 14. Security Training | Training completion rate, knowledge assessment scores | >95% completion, >85% score |
| 15. Service Providers | % of providers assessed, contract compliance | 100% assessed, 100% compliant |
| 16. Application Security | % of apps security tested, critical vulnerability remediation | 100% critical apps tested, <7 days remediation |
| 17. Incident Response | Mean time to respond, exercise completion | <4 hours MTTR, ≥2 exercises annually |
| 18. Penetration Testing | Test coverage, findings remediation rate | 100% critical systems, >95% remediation |