| Safeguard ID | Name | Control |
|---|---|---|
| 1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | Inventory and Control of Enterprise Assets |
| 1.2 | Address Unauthorized Assets | Inventory and Control of Enterprise Assets |
| 1.3 | Utilize an Active Discovery Tool | Inventory and Control of Enterprise Assets |
| 1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | Inventory and Control of Enterprise Assets |
| 1.5 | Use a Passive Asset Discovery Tool | Inventory and Control of Enterprise Assets |
| 2.1 | Establish and Maintain a Software Inventory | Inventory and Control of Software Assets |
| 2.2 | Ensure Authorized Software is Currently Supported | Inventory and Control of Software Assets |
| 2.3 | Address Unauthorized Software | Inventory and Control of Software Assets |
| 2.4 | Utilize Automated Software Inventory Tools | Inventory and Control of Software Assets |
| 2.5 | Allowlist Authorized Software | Inventory and Control of Software Assets |
| 2.6 | Allowlist Authorized Libraries | Inventory and Control of Software Assets |
| 2.7 | Allowlist Authorized Scripts | Inventory and Control of Software Assets |
| 3.1 | Establish and Maintain a Data Management Process | Data Protection |
| 3.2 | Establish and Maintain a Data Inventory | Data Protection |
| 3.3 | Configure Data Access Control Lists | Data Protection |
| 3.4 | Enforce Data Retention | Data Protection |
| 3.5 | Securely Dispose of Data | Data Protection |
| 3.6 | Encrypt Data on End-User Devices | Data Protection |
| 3.7 | Establish and Maintain a Data Classification Scheme | Data Protection |
| 3.8 | Document Data Flows | Data Protection |
| 3.9 | Encrypt Data on Removable Media | Data Protection |
| 3.10 | Encrypt Sensitive Data in Transit | Data Protection |
| 3.11 | Encrypt Sensitive Data At Rest | Data Protection |
| 3.12 | Segment Data Processing and Storage Based on Sensitivity | Data Protection |
| 3.13 | Deploy a Data Loss Prevention Solution | Data Protection |
| 3.14 | Log Sensitive Data Access | Data Protection |
| 4.1 | Establish and Maintain a Secure Configuration Process | Secure Configuration of Enterprise Assets and Software |
| 4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | Secure Configuration of Enterprise Assets and Software |
| 4.3 | Configure Automatic Session Locking on Enterprise Assets | Secure Configuration of Enterprise Assets and Software |
| 4.4 | Implement and Manage a Firewall on Servers | Secure Configuration of Enterprise Assets and Software |
| 4.5 | Implement and Manage a Firewall on End-User Devices | Secure Configuration of Enterprise Assets and Software |
| 4.6 | Securely Manage Enterprise Assets and Software | Secure Configuration of Enterprise Assets and Software |
| 4.7 | Manage Default Accounts on Enterprise Assets and Software | Secure Configuration of Enterprise Assets and Software |
| 4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Applications | Secure Configuration of Enterprise Assets and Software |
| 4.9 | Configure Trusted Domain Name System (DNS) Servers on Enterprise Assets | Secure Configuration of Enterprise Assets and Software |
| 4.10 | Enforce Automatic Device Lockout on Portable End-User Devices | Secure Configuration of Enterprise Assets and Software |
| 4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | Secure Configuration of Enterprise Assets and Software |
| 4.12 | Separate Enterprise Workspaces on Mobile End-User Devices | Secure Configuration of Enterprise Assets and Software |
| 5.1 | Establish and Maintain an Inventory of Accounts | Account Management |
| 5.2 | Use Unique Passwords | Account Management |
| 5.3 | Disable Dormant Accounts | Account Management |
| 5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | Account Management |
| 5.5 | Establish and Maintain an Inventory of Service Accounts | Account Management |
| 5.6 | Centralize Account Management | Account Management |
| 6.1 | Establish an Access Granting Process | Access Control Management |
| 6.2 | Establish an Access Revoking Process | Access Control Management |
| 6.3 | Require MFA for Externally-Exposed Applications | Access Control Management |
| 6.4 | Require MFA for Remote Network Access | Access Control Management |
| 6.5 | Require MFA for Administrative Access | Access Control Management |
| 6.6 | Establish and Maintain an Inventory of Authentication and Authorization Systems | Access Control Management |
| 6.7 | Centralize Access Control | Access Control Management |
| 6.8 | Define and Maintain Role-Based Access Control | Access Control Management |
| 7.1 | Establish and Maintain a Vulnerability Management Process | Continuous Vulnerability Management |
| 7.2 | Establish and Maintain a Remediation Process | Continuous Vulnerability Management |
| 7.3 | Perform Automated Operating System Patch Management | Continuous Vulnerability Management |
| 7.4 | Perform Automated Application Patch Management | Continuous Vulnerability Management |
| 7.5 | Perform Automated Vulnerability Scans of Internal Enterprise Assets | Continuous Vulnerability Management |
| 7.6 | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | Continuous Vulnerability Management |
| 7.7 | Remediate Detected Vulnerabilities | Continuous Vulnerability Management |
| 8.1 | Establish and Maintain an Audit Log Management Process | Audit Log Management |
| 8.2 | Collect Audit Logs | Audit Log Management |
| 8.3 | Ensure Adequate Audit Log Storage | Audit Log Management |
| 8.4 | Standardize Time Synchronization | Audit Log Management |
| 8.5 | Collect Detailed Audit Logs | Audit Log Management |
| 8.6 | Collect DNS Query Audit Logs | Audit Log Management |
| 8.7 | Collect URL Request Audit Logs | Audit Log Management |
| 8.8 | Collect Command-Line Audit Logs | Audit Log Management |
| 8.9 | Centralize Audit Logs | Audit Log Management |
| 8.10 | Retain Audit Logs | Audit Log Management |
| 8.11 | Conduct Audit Log Reviews | Audit Log Management |
| 8.12 | Collect Service Provider Logs | Audit Log Management |
| 9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | Email and Web Browser Protections |
| 9.2 | Use DNS Filtering Services | Email and Web Browser Protections |
| 9.3 | Maintain and Enforce Network-Based URL Filters | Email and Web Browser Protections |
| 9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | Email and Web Browser Protections |
| 9.5 | Implement DMARC | Email and Web Browser Protections |
| 9.6 | Block Unnecessary File Types | Email and Web Browser Protections |
| 9.7 | Deploy and Maintain Email Server Anti-Malware Protections | Email and Web Browser Protections |
| 10.1 | Deploy and Maintain Anti-Malware Software | Malware Defenses |
| 10.2 | Configure Automatic Anti-Malware Signature Updates | Malware Defenses |
| 10.3 | Disable Autorun and Autoplay for Removable Media | Malware Defenses |
| 10.4 | Configure Automatic Anti-Malware Scanning of Removable Media | Malware Defenses |
| 10.5 | Enable Anti-Exploitation Features | Malware Defenses |
| 10.6 | Centrally Manage Anti-Malware Software | Malware Defenses |
| 10.7 | Use Behavior-Based Anti-Malware Software | Malware Defenses |
| 11.1 | Establish and Maintain a Data Recovery Process | Data Recovery |
| 11.2 | Perform Automated Backups | Data Recovery |
| 11.3 | Protect Recovery Data | Data Recovery |
| 11.4 | Establish and Maintain an Isolated Instance of Recovery Data | Data Recovery |
| 11.5 | Test Data Recovery | Data Recovery |
| 12.1 | Ensure Network Infrastructure is Up-to-Date | Network Infrastructure Management |
| 12.2 | Establish and Maintain a Secure Network Architecture | Network Infrastructure Management |
| 12.3 | Securely Manage Network Infrastructure | Network Infrastructure Management |
| 12.4 | Establish and Maintain Architecture Diagram(s) | Network Infrastructure Management |
| 12.5 | Centralize Network Authentication, Authorization, and Auditing (AAA) | Network Infrastructure Management |
| 12.6 | Use of Secure Network Management and Communication Protocols | Network Infrastructure Management |
| 12.7 | Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure | Network Infrastructure Management |
| 12.8 | Establish and Maintain Dedicated Computing Resources For All Administrative Work | Network Infrastructure Management |
| 13.1 | Centralize Security Event Alerting | Network Monitoring and Defense |
| 13.2 | Deploy a Host-Based Intrusion Detection Solution | Network Monitoring and Defense |
| 13.3 | Deploy a Network Intrusion Detection Solution | Network Monitoring and Defense |
| 13.4 | Perform Traffic Filtering Between Network Segments | Network Monitoring and Defense |
| 13.5 | Manage Access Control for Remote Assets | Network Monitoring and Defense |
| 13.6 | Collect Network Traffic Flow Logs | Network Monitoring and Defense |
| 13.7 | Deploy a Host-Based Intrusion Prevention Solution | Network Monitoring and Defense |
| 13.8 | Deploy a Network Intrusion Prevention Solution | Network Monitoring and Defense |
| 13.9 | Deploy Port-Level Access Control | Network Monitoring and Defense |
| 13.10 | Perform Application Layer Filtering | Network Monitoring and Defense |
| 13.11 | Tune Security Event Alerting Thresholds | Network Monitoring and Defense |
| 14.1 | Establish and Maintain a Security Awareness Program | Security Awareness and Skills Training |
| 14.2 | Train Workforce Members to Recognize Social Engineering Attacks | Security Awareness and Skills Training |
| 14.3 | Train Workforce Members on Authentication Best Practices | Security Awareness and Skills Training |
| 14.4 | Train Workforce on Data Handling Best Practices | Security Awareness and Skills Training |
| 14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | Security Awareness and Skills Training |
| 14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | Security Awareness and Skills Training |
| 14.7 | Train Workforce on How to Identify and Report if their Enterprise Assets are Missing Security Updates | Security Awareness and Skills Training |
| 14.8 | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | Security Awareness and Skills Training |
| 14.9 | Conduct Role-Specific Security Awareness and Skills Training | Security Awareness and Skills Training |
| 15.1 | Establish and Maintain an Inventory of Service Providers | Service Provider Management |
| 15.2 | Establish and Maintain a Service Provider Management Policy | Service Provider Management |
| 15.3 | Classify Service Providers | Service Provider Management |
| 15.4 | Ensure Service Provider Contracts Include Security Requirements | Service Provider Management |
| 15.5 | Assess Service Providers | Service Provider Management |
| 15.6 | Monitor Service Providers | Service Provider Management |
| 15.7 | Securely Decommission Service Providers | Service Provider Management |
| 16.1 | Establish and Maintain a Secure Application Development Process | Application Software Security |
| 16.2 | Establish and Maintain a Process to Accept and Address Software Vulnerabilities | Application Software Security |
| 16.3 | Perform Root Cause Analysis on Security Vulnerabilities | Application Software Security |
| 16.4 | Establish and Manage an Inventory of Third-Party Software Components | Application Software Security |
| 16.5 | Use Up-to-Date and Trusted Third-Party Software Components | Application Software Security |
| 16.6 | Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities | Application Software Security |
| 16.7 | Use Standard Hardening Configuration Templates for Application Infrastructure | Application Software Security |
| 16.8 | Separate Production and Non-Production Systems | Application Software Security |
| 16.9 | Train Developers in Application Security Concepts and Secure Coding | Application Software Security |
| 16.10 | Apply Secure Design Principles in Application Architectures | Application Software Security |
| 16.11 | Leverage Vetted Modules or Services for Application Security Components | Application Software Security |
| 16.12 | Implement Code-Level Security Checks | Application Software Security |
| 16.13 | Conduct Application Penetration Testing | Application Software Security |
| 16.14 | Conduct Threat Modeling | Application Software Security |
| 17.1 | Designate Personnel to Manage Incident Handling | Incident Response Management |
| 17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | Incident Response Management |
| 17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | Incident Response Management |
| 17.4 | Establish and Maintain an Incident Response Process | Incident Response Management |
| 17.5 | Assign Key Roles and Responsibilities | Incident Response Management |
| 17.6 | Define Mechanisms for Communicating During Incident Response | Incident Response Management |
| 17.7 | Conduct Routine Incident Response Exercises | Incident Response Management |
| 17.8 | Conduct Post-Incident Reviews | Incident Response Management |
| 17.9 | Establish and Maintain Security Incident Thresholds | Incident Response Management |
| 18.1 | Establish and Maintain a Penetration Testing Program | Penetration Testing |
| 18.2 | Perform Periodic External Penetration Tests | Penetration Testing |
| 18.3 | Remediate Penetration Test Findings | Penetration Testing |
| 18.4 | Validate Security Measures | Penetration Testing |
| 18.5 | Perform Periodic Internal Penetration Tests | Penetration Testing |