2025-06-13 17:45:22 +02:00
Safeguard ID,Name,Control
1.1,Establish and Maintain Detailed Enterprise Asset Inventory,Inventory and Control of Enterprise Assets
1.2,Address Unauthorized Assets,Inventory and Control of Enterprise Assets
1.3,Utilize an Active Discovery Tool,Inventory and Control of Enterprise Assets
1.4,Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory,Inventory and Control of Enterprise Assets
1.5,Use a Passive Asset Discovery Tool,Inventory and Control of Enterprise Assets
2.1,Establish and Maintain a Software Inventory,Inventory and Control of Software Assets
2.2,Ensure Authorized Software is Currently Supported,Inventory and Control of Software Assets
2.3,Address Unauthorized Software,Inventory and Control of Software Assets
2.4,Utilize Automated Software Inventory Tools,Inventory and Control of Software Assets
2.5,Allowlist Authorized Software,Inventory and Control of Software Assets
2.6,Allowlist Authorized Libraries,Inventory and Control of Software Assets
2.7,Allowlist Authorized Scripts,Inventory and Control of Software Assets
3.1,Establish and Maintain a Data Management Process,Data Protection
3.2,Establish and Maintain a Data Inventory,Data Protection
3.3,Configure Data Access Control Lists,Data Protection
3.4,Enforce Data Retention,Data Protection
3.5,Securely Dispose of Data,Data Protection
3.6,Encrypt Data on End-User Devices,Data Protection
3.7,Establish and Maintain a Data Classification Scheme,Data Protection
3.8,Document Data Flows,Data Protection
3.9,Encrypt Data on Removable Media,Data Protection
3.10,Encrypt Sensitive Data in Transit,Data Protection
3.11,Encrypt Sensitive Data At Rest,Data Protection
3.12,Segment Data Processing and Storage Based on Sensitivity,Data Protection
3.13,Deploy a Data Loss Prevention Solution,Data Protection
3.14,Log Sensitive Data Access,Data Protection
4.1,Establish and Maintain a Secure Configuration Process,Secure Configuration of Enterprise Assets and Software
4.2,Establish and Maintain a Secure Configuration Process for Network Infrastructure,Secure Configuration of Enterprise Assets and Software
4.3,Configure Automatic Session Locking on Enterprise Assets,Secure Configuration of Enterprise Assets and Software
4.4,Implement and Manage a Firewall on Servers,Secure Configuration of Enterprise Assets and Software
4.5,Implement and Manage a Firewall on End-User Devices,Secure Configuration of Enterprise Assets and Software
4.6,Securely Manage Enterprise Assets and Software,Secure Configuration of Enterprise Assets and Software
4.7,Manage Default Accounts on Enterprise Assets and Software,Secure Configuration of Enterprise Assets and Software
4.8,Uninstall or Disable Unnecessary Services on Enterprise Assets and Applications,Secure Configuration of Enterprise Assets and Software
4.9,Configure Trusted Domain Name System (DNS) Servers on Enterprise Assets,Secure Configuration of Enterprise Assets and Software
4.10,Enforce Automatic Device Lockout on Portable End-User Devices,Secure Configuration of Enterprise Assets and Software
4.11,Enforce Remote Wipe Capability on Portable End-User Devices,Secure Configuration of Enterprise Assets and Software
4.12,Separate Enterprise Workspaces on Mobile End-User Devices,Secure Configuration of Enterprise Assets and Software
5.1,Establish and Maintain an Inventory of Accounts,Account Management
5.2,Use Unique Passwords,Account Management
5.3,Disable Dormant Accounts,Account Management
5.4,Restrict Administrator Privileges to Dedicated Administrator Accounts,Account Management
5.5,Establish and Maintain an Inventory of Service Accounts,Account Management
5.6,Centralize Account Management,Account Management
6.1,Establish an Access Granting Process,Access Control Management
6.2,Establish an Access Revoking Process,Access Control Management
6.3,Require MFA for Externally-Exposed Applications,Access Control Management
6.4,Require MFA for Remote Network Access,Access Control Management
6.5,Require MFA for Administrative Access,Access Control Management
6.6,Establish and Maintain an Inventory of Authentication and Authorization Systems,Access Control Management
6.7,Centralize Access Control,Access Control Management
6.8,Define and Maintain Role-Based Access Control,Access Control Management
7.1,Establish and Maintain a Vulnerability Management Process,Continuous Vulnerability Management
7.2,Establish and Maintain a Remediation Process,Continuous Vulnerability Management
7.3,Perform Automated Operating System Patch Management,Continuous Vulnerability Management
7.4,Perform Automated Application Patch Management,Continuous Vulnerability Management
7.5,Perform Automated Vulnerability Scans of Internal Enterprise Assets,Continuous Vulnerability Management
7.6,Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets,Continuous Vulnerability Management
7.7,Remediate Detected Vulnerabilities,Continuous Vulnerability Management
8.1,Establish and Maintain an Audit Log Management Process,Audit Log Management
8.2,Collect Audit Logs,Audit Log Management
8.3,Ensure Adequate Audit Log Storage,Audit Log Management
8.4,Standardize Time Synchronization,Audit Log Management
8.5,Collect Detailed Audit Logs,Audit Log Management
8.6,Collect DNS Query Audit Logs,Audit Log Management
8.7,Collect URL Request Audit Logs,Audit Log Management
8.8,Collect Command-Line Audit Logs,Audit Log Management
8.9,Centralize Audit Logs,Audit Log Management
8.10,Retain Audit Logs,Audit Log Management
8.11,Conduct Audit Log Reviews,Audit Log Management
8.12,Collect Service Provider Logs,Audit Log Management
9.1,Ensure Use of Only Fully Supported Browsers and Email Clients,Email and Web Browser Protections
9.2,Use DNS Filtering Services,Email and Web Browser Protections
9.3,Maintain and Enforce Network-Based URL Filters,Email and Web Browser Protections
9.4,Restrict Unnecessary or Unauthorized Browser and Email Client Extensions,Email and Web Browser Protections
9.5,Implement DMARC,Email and Web Browser Protections
9.6,Block Unnecessary File Types,Email and Web Browser Protections
9.7,Deploy and Maintain Email Server Anti-Malware Protections,Email and Web Browser Protections
10.1,Deploy and Maintain Anti-Malware Software,Malware Defenses
10.2,Configure Automatic Anti-Malware Signature Updates,Malware Defenses
10.3,Disable Autorun and Autoplay for Removable Media,Malware Defenses
10.4,Configure Automatic Anti-Malware Scanning of Removable Media,Malware Defenses
10.5,Enable Anti-Exploitation Features,Malware Defenses
10.6,Centrally Manage Anti-Malware Software,Malware Defenses
10.7,Use Behavior-Based Anti-Malware Software,Malware Defenses
11.1,Establish and Maintain a Data Recovery Process,Data Recovery
11.2,Perform Automated Backups,Data Recovery
11.3,Protect Recovery Data,Data Recovery
11.4,Establish and Maintain an Isolated Instance of Recovery Data,Data Recovery
11.5,Test Data Recovery,Data Recovery
12.1,Ensure Network Infrastructure is Up-to-Date,Network Infrastructure Management
12.2,Establish and Maintain a Secure Network Architecture,Network Infrastructure Management
12.3,Securely Manage Network Infrastructure,Network Infrastructure Management
12.4,Establish and Maintain Architecture Diagram(s),Network Infrastructure Management
12.5,"Centralize Network Authentication, Authorization, and Auditing (AAA)",Network Infrastructure Management
12.6,Use of Secure Network Management and Communication Protocols,Network Infrastructure Management
12.7,Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure,Network Infrastructure Management
12.8,Establish and Maintain Dedicated Computing Resources For All Administrative Work,Network Infrastructure Management
13.1,Centralize Security Event Alerting,Network Monitoring and Defense
13.2,Deploy a Host-Based Intrusion Detection Solution,Network Monitoring and Defense
13.3,Deploy a Network Intrusion Detection Solution,Network Monitoring and Defense
13.4,Perform Traffic Filtering Between Network Segments,Network Monitoring and Defense
13.5,Manage Access Control for Remote Assets,Network Monitoring and Defense
13.6,Collect Network Traffic Flow Logs,Network Monitoring and Defense
13.7,Deploy a Host-Based Intrusion Prevention Solution,Network Monitoring and Defense
13.8,Deploy a Network Intrusion Prevention Solution,Network Monitoring and Defense
13.9,Deploy Port-Level Access Control,Network Monitoring and Defense
13.10,Perform Application Layer Filtering,Network Monitoring and Defense
13.11,Tune Security Event Alerting Thresholds,Network Monitoring and Defense
14.1,Establish and Maintain a Security Awareness Program,Security Awareness and Skills Training
14.2,Train Workforce Members to Recognize Social Engineering Attacks,Security Awareness and Skills Training
14.3,Train Workforce Members on Authentication Best Practices,Security Awareness and Skills Training
14.4,Train Workforce on Data Handling Best Practices,Security Awareness and Skills Training
14.5,Train Workforce Members on Causes of Unintentional Data Exposure,Security Awareness and Skills Training
14.6,Train Workforce Members on Recognizing and Reporting Security Incidents,Security Awareness and Skills Training
14.7,Train Workforce on How to Identify and Report if their Enterprise Assets are Missing Security Updates,Security Awareness and Skills Training
14.8,Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks,Security Awareness and Skills Training
14.9,Conduct Role-Specific Security Awareness and Skills Training,Security Awareness and Skills Training
15.1,Establish and Maintain an Inventory of Service Providers,Service Provider Management
15.2,Establish and Maintain a Service Provider Management Policy,Service Provider Management
15.3,Classify Service Providers,Service Provider Management
15.4,Ensure Service Provider Contracts Include Security Requirements,Service Provider Management
15.5,Assess Service Providers,Service Provider Management
15.6,Monitor Service Providers,Service Provider Management
15.7,Securely Decommission Service Providers,Service Provider Management
16.1,Establish and Maintain a Secure Application Development Process,Application Software Security
16.2,Establish and Maintain a Process to Accept and Address Software Vulnerabilities,Application Software Security
16.3,Perform Root Cause Analysis on Security Vulnerabilities,Application Software Security
16.4,Establish and Manage an Inventory of Third-Party Software Components,Application Software Security
16.5,Use Up-to-Date and Trusted Third-Party Software Components,Application Software Security
16.6,Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities,Application Software Security
16.7,Use Standard Hardening Configuration Templates for Application Infrastructure,Application Software Security
16.8,Separate Production and Non-Production Systems,Application Software Security
16.9,Train Developers in Application Security Concepts and Secure Coding,Application Software Security
16.10,Apply Secure Design Principles in Application Architectures,Application Software Security
16.11,Leverage Vetted Modules or Services for Application Security Components,Application Software Security
16.12,Implement Code-Level Security Checks,Application Software Security
16.13,Conduct Application Penetration Testing,Application Software Security
16.14,Conduct Threat Modeling,Application Software Security
17.1,Designate Personnel to Manage Incident Handling,Incident Response Management
17.2,Establish and Maintain Contact Information for Reporting Security Incidents,Incident Response Management
17.3,Establish and Maintain an Enterprise Process for Reporting Incidents,Incident Response Management
17.4,Establish and Maintain an Incident Response Process,Incident Response Management
17.5,Assign Key Roles and Responsibilities,Incident Response Management
17.6,Define Mechanisms for Communicating During Incident Response,Incident Response Management
17.7,Conduct Routine Incident Response Exercises,Incident Response Management
17.8,Conduct Post-Incident Reviews,Incident Response Management
17.9,Establish and Maintain Security Incident Thresholds,Incident Response Management
18.1,Establish and Maintain a Penetration Testing Program,Penetration Testing
18.2,Perform Periodic External Penetration Tests,Penetration Testing
18.3,Remediate Penetration Test Findings,Penetration Testing
18.4,Validate Security Measures,Penetration Testing
18.5,Perform Periodic Internal Penetration Tests,Penetration Testing