CIS Critical Security Controls v7

Reference Details

Name: CIS Critical Security Controls v7

Reference Items

ControlDescription
1Inventory and Control of Hardware Assets
1.1Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
1.5Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
1.7Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
2Inventory and Control of Software Assets
2.1Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6Ensure that unauthorized software is either removed or the inventory is updated in a timely manner
2.7Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc) are allowed to load into a system process.
2.9The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.
2.10Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization.
3Continuous Vulnerability Management
3.1Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
4Controlled Use of Administrative Privileges
4.1Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
4.4Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5Use multi-factor authentication and encrypted channels for all administrative account access.
4.6Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.
4.7Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
5Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
5.1Maintain documented, standard security configuration standards for all authorized operating systems and software.
5.2Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
6Maintenance, Monitoring and Analysis of Audit Logs
6.1Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2Ensure that local logging has been enabled on all systems and networking devices.
6.3Enable system logging to include detailed information such as a event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.