From 9297ba288f4f6c05044b502c45b6e3c9a10fd694 Mon Sep 17 00:00:00 2001 From: Lou DeGenaro Date: Fri, 21 Feb 2025 15:26:41 -0500 Subject: [PATCH] update controls set Signed-off-by: Lou DeGenaro --- catalogs/cis-v8/catalog.json | 2215 +++++----------------------------- profiles/cis-v8/profile.json | 32 +- 2 files changed, 328 insertions(+), 1919 deletions(-) diff --git a/catalogs/cis-v8/catalog.json b/catalogs/cis-v8/catalog.json index 7f46442..0a96699 100644 --- a/catalogs/cis-v8/catalog.json +++ b/catalogs/cis-v8/catalog.json 
@@ -22,47 +22,47 @@ }, "controls":[ { - "id":"cisc-1", - "title":"Inventory and Control of Enterprise Assets", + "id":"cisc-3", + "title":"Data Protection", "props":[ { "name":"label", - "value":"CIS Control 1" + "value":"CIS Control 3" }, { "name":"sort-id", - "value":"cisc-01" + "value":"cisc-03" } ], "parts":[ { - "id":"cisc-1_stmt", + "id":"cisc-3_stmt", "name":"statement", - "prose":"Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing\/Internet of Things (IoT) devices; and servers) connected to the infrastructure, physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate." + "prose":"Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data." }, { - "id":"cisc-1_gdn", + "id":"cisc-3_gdn", "name":"guidance", - "prose":"Enterprises cannot defend what they do not know they have. Managed control of all enterprise assets also plays a critical role in security monitoring, incident response, system backup, and recovery. Enterprises should know what data is critical to them, and proper asset management will help identify those enterprise assets that hold or manage this critical data, so appropriate security controls can be applied.\n\nExternal attackers are continuously scanning the internet address space of target enterprises, premise-based or in the cloud, identifying possibly unprotected assets attached to enterprises’ networks. Attackers can take advantage of new assets that are installed, yet not securely configured and patched. 
Internally, unidentified assets can also have weak security configurations that can make them vulnerable to web or email-based malware; and adversaries can leverage weak security configurations for traversing the network, once they are inside.\n\nAdditional assets that connect to the enterprise’s network (e.g., demonstration systems, temporary test systems, guest networks, etc.) should be identified and\/or isolated, in order to prevent adversarial access from affecting the security of enterprise operations.\n\nLarge, complex, dynamic enterprises understandably struggle with the challenge of managing intricate, fast-changing environments. However, attackers have shown the ability, patience, and willingness to “inventory and control” our enterprise assets at very large scale in order to support their opportunities.\n\nAnother challenge is that portable end-user devices will periodically join a network and then disappear, making the inventory of currently available assets very dynamic. Likewise, cloud environments and virtual machines can be difficult to track in asset inventories when they are shut down or paused. Another benefit of complete enterprise asset management is supporting incident response. Both when investigating the origination of network traffic from an asset on the network, and to be able to identify all potentially vulnerable, or impacted, assets of similar type or location during an incident." + "prose":"Data is no longer only contained within an enterprise’s border, it is in the cloud, on portable end-user devices where users work from home, and is often shared with partners or online services who might have it anywhere in the world. In addition to sensitive data an enterprise holds related to finances, intellectual property, and customer data, there also might be numerous international regulations for protection of personal data. 
Data privacy has become increasingly important, and enterprises are learning that privacy is about the appropriate use and management of data, not just encryption. Data must be appropriately managed through its entire lifecycle. These privacy rules can be complicated for multi-national enterprises, of any size, however there are fundamentals that can apply to all.\n\nOnce attackers have penetrated an enterprise’s infrastructure, one of their first tasks is to find and exfiltrate data. Enterprises might not be aware that sensitive data is leaving their environment because they are not monitoring data outflows.\n\nWhile many attacks occur on the network, others involve physical theft of portable end-user devices, attacks on service providers or other partners holding sensitive data. Other sensitive enterprise assets may also include non-computing devices that provide management and control of physical systems, such as Supervisory Control and Data Acquisition (SCADA) systems.\n\nThe enterprise’s loss of control over protected or sensitive data is a serious and often reportable business impact. While some data is compromised or lost as a result of theft or espionage, the vast majority are a result of poorly understood data management rules, and user error. The adoption of data encryption, both in transit and at rest, can provide mitigation against data compromise, and more importantly, is a regulatory requirement for most controlled data." } ], "controls":[ { - "id":"cisc-1.1", - "title":"Establish and Maintain Detailed Enterprise Asset Inventory", + "id":"cisc-3.1", + "title":"Establish and Maintain a Data Management Process", "props":[ { "name":"label", - "value":"CIS Safeguard 1.1" + "value":"CIS Safeguard 3.1" }, { "name":"sort-id", - "value":"cisc-01.01" + "value":"cisc-03.01" }, { "name":"asset-type", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" + "value":"data" }, { "name":"security-function", 
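Review bot: This hunk begins at line 22, immediately after the `metadata` object closes, so the patch appears to leave `metadata.version` and `metadata.last-modified` untouched while removing CIS Control 1 ("Inventory and Control of Enterprise Assets") and Control 2 from the head of the `controls` array; the metadata lines themselves are outside this diff, so please confirm. Profiles and resolution tooling distinguish catalog revisions by those two fields, and a catalog that drops whole control families is a new revision and should be labelled as one, e.g. bump `"version"` and set `"last-modified"` to the commit date. The commit message ("update controls set") gives no rationale for dropping Controls 1 and 2, which matters because later hunks (cisc-4.2, cisc-4.3) still declare `"rel":"dependency"` links to `cisc-2.1`. The `controls` array continues well past this hunk.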
@@ -87,33 +87,33 @@ ], "parts":[ { - "id":"cisc-1.1_stmt", + "id":"cisc-3.1_stmt", "name":"statement", - "prose":"Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing\/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently." + "prose":"Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard." } ] }, { - "id":"cisc-1.2", - "title":"Address Unauthorized Assets", + "id":"cisc-3.2", + "title":"Establish and Maintain a Data Inventory", "props":[ { "name":"label", - "value":"CIS Safeguard 1.2" + "value":"CIS Safeguard 3.2" }, { "name":"sort-id", - "value":"cisc-01.02" + "value":"cisc-03.02" }, { "name":"asset-type", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" + "value":"data" }, { "name":"security-function", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"respond" + "value":"identify" }, { "name":"implementation-group", 
@@ -139,33 +139,38 @@ ], "parts":[ { - "id":"cisc-1.2_stmt", + "id":"cisc-3.2_stmt", "name":"statement", - "prose":"Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset." + "prose":"Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data." } ] }, { - "id":"cisc-1.3", - "title":"Utilize an Active Discovery Tool", + "id":"cisc-3.3", + "title":"Configure Data Access Control Lists", "props":[ { "name":"label", - "value":"CIS Safeguard 1.3" + "value":"CIS Safeguard 3.3" }, { "name":"sort-id", - "value":"cisc-01.03" + "value":"cisc-03.03" }, { "name":"asset-type", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" + "value":"data" }, { "name":"security-function", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"detect" + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" }, { "name":"implementation-group", 
@@ -179,87 +184,58 @@ } ], "links":[ + { + "href":"cisc-3.2", + "rel":"dependency" + }, { "href":"cisc-4.1", "rel":"dependency" + }, + { + "href":"cisc-5.1", + "rel":"dependency" } ], "parts":[ { - "id":"cisc-1.3_stmt", + "id":"cisc-3.3_stmt", "name":"statement", - "prose":"Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently." + "prose":"Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications." } ] }, { - "id":"cisc-1.4", - "title":"Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory", + "id":"cisc-3.4", + "title":"Enforce Data Retention", "props":[ { "name":"label", - "value":"CIS Safeguard 1.4" + "value":"CIS Safeguard 3.4" }, { "name":"sort-id", - "value":"cisc-01.04" + "value":"cisc-03.04" }, { "name":"asset-type", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" + "value":"data" }, { "name":"security-function", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"identify" + "value":"protect" }, { "name":"implementation-group", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" + "value":"1" }, { "name":"implementation-group", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-1.4_stmt", - "name":"statement", - "prose":"Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently." 
- } - ] - }, - { - "id":"cisc-1.5", - "title":"Use a Passive Asset Discovery Tool", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 1.5" - }, - { - "name":"sort-id", - "value":"cisc-01.05" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"detect" + "value":"2" }, { "name":"implementation-group", 
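Review bot: The new `links` for cisc-3.3 add `"href":"cisc-5.1"` as a `dependency`, but nothing visible in this patch shows that Control 5 survives the pruning, which deletes most of the file below Control 4. If cisc-5.1 is removed alongside Controls 1 and 2, this becomes an unresolvable intra-catalog reference in the same way as the retained `cisc-2.1` links elsewhere; please check the remainder of the file and drop the entry `{"href":"cisc-5.1","rel":"dependency"}` if the target is gone. The cisc-3.4 object that starts in this hunk continues into the next one.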
@@ -269,107 +245,61 @@ ], "links":[ { - "href":"cisc-4.2", + "href":"cisc-3.1", "rel":"dependency" }, { - "href":"cisc-12.4", + "href":"cisc-3.2", "rel":"dependency" } ], "parts":[ { - "id":"cisc-1.5_stmt", + "id":"cisc-3.4_stmt", "name":"statement", - "prose":"Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently." + "prose":"Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines." } ] } ] }, { - "id":"cisc-2", - "title":"Inventory and Control of Software Assets", + "id":"cisc-4", + "title":"Secure Configuration of Enterprise Assets and Software", "props":[ { "name":"label", - "value":"CIS Control 2" + "value":"CIS Control 4" }, { "name":"sort-id", - "value":"cisc-02" + "value":"cisc-04" } ], "parts":[ { - "id":"cisc-2_stmt", + "id":"cisc-4_stmt", "name":"statement", - "prose":"Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution." + "prose":"Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing\/IoT devices; and servers) and software (operating systems and applications)." }, { - "id":"cisc-2_gdn", + "id":"cisc-4_gdn", "name":"guidance", - "prose":"A complete software inventory is a critical foundation for preventing attacks. Attackers continuously scan target enterprises looking for vulnerable versions of software that can be remotely exploited. For example, if a user opens a malicious website or attachment with a vulnerable browser, an attacker can often install backdoor programs and bots that give the attacker long-term control of the system. 
Attackers can also use this access to move laterally through the network. One of the key defenses against these attacks is updating and patching software. However, without a complete inventory of software assets, an enterprise cannot determine if they have vulnerable software, or if there are potential licensing violations.\n\nEven if a patch is not yet available, a complete software inventory list allows an enterprise to guard against known attacks until the patch is released. Some sophisticated attackers use “zero-day exploits”, which take advantage of previously unknown vulnerabilities that have yet to have a patch released by the software vendor. Depending on the severity of the exploit, an enterprise can implement temporary mitigation measures to guard against attacks until the patch is released.\n\nManagement of software assets is also important to identify unnecessary security risks. An enterprise should review their software inventory to identify any enterprise assets running software that is not needed for business purposes. For example, an enterprise asset may come installed with default software that creates a potential security risk and provides no benefit to the enterprise. It is critical to inventory, understand, assess, and manage all software connected to an enterprise’s infrastructure." + "prose":"As delivered from manufacturers and resellers, the default configurations for enterprise assets and software are normally geared towards ease-of-deployment and ease-of-use rather than security. Basic controls, open services and ports, default accounts or passwords, pre-configured Domain Name System (DNS) settings, older (vulnerable) protocols, and pre-installation of unnecessary software can all be exploitable if left in their default state. Further, these security configuration updates need to be managed and maintained over the life cycle of enterprise assets and software. 
Configuration updates need to be tracked and approved through configuration management workflow process to maintain a record that can be reviewed for compliance, leveraged for incident response, and to support audits. This CIS Control is important to on-premises devices, as well as remote devices, network devices, and cloud environments.\n\nService providers play a key role in modern infrastructures, especially for smaller enterprises. They often are not set up by default in the most secure configuration to provide flexibility for their customers to apply their own security policies. Therefore, the presence of default accounts or passwords, excessive access, or unnecessary services are common in default configurations. These could introduce weaknesses that are under the responsibility of the enterprise that is using the software, rather than the service provider. This extends to ongoing management and updates, as some Platform as a Service (PaaS) only extend to the operating system, so patching and updating hosted applications are under the responsibility of the enterprise.\n\nEven after a strong initial configuration is developed and applied, it must be continually managed to avoid degrading security as software is updated or patched, new security vulnerabilities are reported, and configurations are “tweaked,” to allow the installation of new software or to support new operational requirements." 
} ], "controls":[ { - "id":"cisc-2.1", - "title":"Establish and Maintain a Software Inventory", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 2.1" - }, - { - "name":"sort-id", - "value":"cisc-02.01" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"applications" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"identify" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "parts":[ - { - "id":"cisc-2.1_stmt", - "name":"statement", - "prose":"Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install\/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently." - } - ] - }, - { - "id":"cisc-2.2", - "title":"Ensure Authorized Software is Currently Supported", + "id":"cisc-4.1", + "title":"Establish and Maintain a Secure Configuration Process", "props":[ { "name":"label", - "value":"CIS Safeguard 2.2" + "value":"CIS Safeguard 4.1" }, { "name":"sort-id", - "value":"cisc-02.02" + "value":"cisc-04.01" }, { "name":"asset-type", @@ -379,7 +309,7 @@ { "name":"security-function", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"identify" + "value":"protect" }, { "name":"implementation-group", 
@@ -405,33 +335,33 @@ ], "parts":[ { - "id":"cisc-1.2_stmt", + "id":"cisc-4.1_stmt", "name":"statement", - "prose":"Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently." + "prose":"Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing\/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard." } ] }, { - "id":"cisc-2.3", - "title":"Address Unauthorized Software", + "id":"cisc-4.2", + "title":"Establish and Maintain a Secure Configuration Process for Network Infrastructure", "props":[ { "name":"label", - "value":"CIS Safeguard 2.3" + "value":"CIS Safeguard 4.2" }, { "name":"sort-id", - "value":"cisc-02.03" + "value":"cisc-04.02" }, { "name":"asset-type", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"applications" + "value":"network" }, { "name":"security-function", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"respond" + "value":"protect" }, { "name":"implementation-group", @@ -450,10 +380,6 @@ } ], "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, { "href":"cisc-2.1", "rel":"dependency" 
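Review bot: In the second hunk here (@@ -450) the `links` array of cisc-4.2 drops `"href":"cisc-1.1"` but keeps `"href":"cisc-2.1"` as a `dependency`, yet cisc-2.1 ("Establish and Maintain a Software Inventory") is deleted in the @@ -269 hunk above, so the kept link now points at a control id that no longer exists in this catalog. OSCAL link hrefs naming a control are expected to resolve within the document; profile resolution and link checkers will either error or silently skip it, and a silently ignored dependency is the worse outcome for anyone using `rel="dependency"` to order safeguards. Remove the two-line object `{"href":"cisc-2.1","rel":"dependency"}` as was done for `cisc-1.1`, or keep Safeguard 2.1 in the catalog if 4.2 is meant to depend on it. The cisc-4.2 object is cut at both edges of this hunk.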
@@ -461,84 +387,38 @@ ], "parts":[ { - "id":"cisc-2.3_stmt", + "id":"cisc-4.2_stmt", "name":"statement", - "prose":"Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently." + "prose":"Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard." } ] }, { - "id":"cisc-2.4", - "title":"Utilize Automated Software Inventory Tools", + "id":"cisc-4.3", + "title":"Configure Automatic Session Locking on Enterprise Assets", "props":[ { "name":"label", - "value":"CIS Safeguard 2.4" + "value":"CIS Safeguard 4.3" }, { "name":"sort-id", - "value":"cisc-02.04" + "value":"cisc-04.03" }, { "name":"asset-type", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"applications" + "value":"users" }, { "name":"security-function", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"detect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" + "value":"protect" }, { "name":"implementation-group", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.3", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-2.4_stmt", - "name":"statement", - "prose":"Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software." 
- } - ] - }, - { - "id":"cisc-2.5", - "title":"Allowlist Authorized Software", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 2.5" - }, - { - "name":"sort-id", - "value":"cisc-02.05" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"applications" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" + "value":"1" }, { "name":"implementation-group", @@ -561,44 +441,45 @@ "rel":"dependency" }, { - "href":"cisc-2.3", - "rel":"dependency" - }, - { - "href":"cisc-4.1", + "href":"cisc-2.1", "rel":"dependency" } ], "parts":[ { - "id":"cisc-2.5_stmt", + "id":"cisc-4.3_stmt", "name":"statement", - "prose":"Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently." + "prose":"Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes." } ] }, { - "id":"cisc-2.6", - "title":"Allowlist Authorized Libraries", + "id":"cisc-4.4", + "title":"Implement and Manage a Firewall on Servers", "props":[ { "name":"label", - "value":"CIS Safeguard 2.6" + "value":"CIS Safeguard 4.4" }, { "name":"sort-id", - "value":"cisc-02.06" + "value":"cisc-04.04" }, { "name":"asset-type", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"applications" + "value":"devices" }, { "name":"security-function", "ns":"https:\/\/cisecurity.org\/ns\/oscal", "value":"protect" }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, { "name":"implementation-group", "ns":"https:\/\/cisecurity.org\/ns\/oscal", 
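Review bot: The new-side `links` of cisc-4.3 (@@ -561) end with `"href":"cisc-2.1"`, but Safeguard 2.1 is removed from this catalog in the @@ -269 hunk, so cisc-4.3 now declares a dependency on a control the document no longer contains. The diff alignment makes this look like an addition, but it is a pre-existing link that the pruning did not clean up; either delete the entry `{"href":"cisc-2.1","rel":"dependency"}` or reinstate cisc-2.1. A quick check after the edit would be to grep every `"href":"cisc-` value against the set of `"id"` values left in the file. The cisc-4.4 object begun here continues into the next hunk.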
@@ -610,1573 +491,49 @@ "value":"3" } ], - "links":[ - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-2.5", - "rel":"dependency" - }, - { - "href":"cisc-4.2", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-2.6_stmt", - "name":"statement", - "prose":"Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc. files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently." - } - ] - }, - { - "id":"cisc-2.7", - "title":"Allowlist Authorized Scripts", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 2.7" - }, - { - "name":"sort-id", - "value":"cisc-02.07" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"applications" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-2.7_stmt", - "name":"statement", - "prose":"Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc. files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently." - } - ] - } - ] - }, - { - "id":"cisc-3", - "title":"Data Protection", - "props":[ - { - "name":"label", - "value":"CIS Control 3" - }, - { - "name":"sort-id", - "value":"cisc-03" - } - ], - "parts":[ - { - "id":"cisc-3_stmt", - "name":"statement", - "prose":"Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data." 
- }, - { - "id":"cisc-3_gdn", - "name":"guidance", - "prose":"Data is no longer only contained within an enterprise’s border, it is in the cloud, on portable end-user devices where users work from home, and is often shared with partners or online services who might have it anywhere in the world. In addition to sensitive data an enterprise holds related to finances, intellectual property, and customer data, there also might be numerous international regulations for protection of personal data. Data privacy has become increasingly important, and enterprises are learning that privacy is about the appropriate use and management of data, not just encryption. Data must be appropriately managed through its entire lifecycle. These privacy rules can be complicated for multi-national enterprises, of any size, however there are fundamentals that can apply to all.\n\nOnce attackers have penetrated an enterprise’s infrastructure, one of their first tasks is to find and exfiltrate data. Enterprises might not be aware that sensitive data is leaving their environment because they are not monitoring data outflows.\n\nWhile many attacks occur on the network, others involve physical theft of portable end-user devices, attacks on service providers or other partners holding sensitive data. Other sensitive enterprise assets may also include non-computing devices that provide management and control of physical systems, such as Supervisory Control and Data Acquisition (SCADA) systems.\n\nThe enterprise’s loss of control over protected or sensitive data is a serious and often reportable business impact. While some data is compromised or lost as a result of theft or espionage, the vast majority are a result of poorly understood data management rules, and user error. The adoption of data encryption, both in transit and at rest, can provide mitigation against data compromise, and more importantly, is a regulatory requirement for most controlled data." 
- } - ], - "controls":[ - { - "id":"cisc-3.1", - "title":"Establish and Maintain a Data Management Process", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.1" - }, - { - "name":"sort-id", - "value":"cisc-03.01" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"identify" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "parts":[ - { - "id":"cisc-3.1_stmt", - "name":"statement", - "prose":"Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard." 
- } - ] - }, - { - "id":"cisc-3.2", - "title":"Establish and Maintain a Data Inventory", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.2" - }, - { - "name":"sort-id", - "value":"cisc-03.02" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"identify" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.2_stmt", - "name":"statement", - "prose":"Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data." 
- } - ] - }, - { - "id":"cisc-3.3", - "title":"Configure Data Access Control Lists", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.3" - }, - { - "name":"sort-id", - "value":"cisc-03.03" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-3.2", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - }, - { - "href":"cisc-5.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.3_stmt", - "name":"statement", - "prose":"Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications." 
- } - ] - }, - { - "id":"cisc-3.4", - "title":"Enforce Data Retention", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.4" - }, - { - "name":"sort-id", - "value":"cisc-03.04" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-3.1", - "rel":"dependency" - }, - { - "href":"cisc-3.2", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.4_stmt", - "name":"statement", - "prose":"Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines." 
- } - ] - }, - { - "id":"cisc-3.5", - "title":"Securely Dispose of Data", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.5" - }, - { - "name":"sort-id", - "value":"cisc-03.05" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-3.1", - "rel":"dependency" - }, - { - "href":"cisc-3.2", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.5_stmt", - "name":"statement", - "prose":"Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity." 
- } - ] - }, - { - "id":"cisc-3.6", - "title":"Encrypt Data on End-User Devices", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.6" - }, - { - "name":"sort-id", - "value":"cisc-03.06" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.6_stmt", - "name":"statement", - "prose":"Encrypt data on end-user devices containing sensitive data. Example implementations can include, Windows BitLocker®, Apple FileVault®, Linux® dm-crypt." 
- } - ] - }, - { - "id":"cisc-3.7", - "title":"Establish and Maintain a Data Classification Scheme", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.7" - }, - { - "name":"sort-id", - "value":"cisc-03.07" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"identify" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-3.1", - "rel":"dependency" - }, - { - "href":"cisc-3.2", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.7_stmt", - "name":"statement", - "prose":"Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive”, “Confidential” and “Public”, and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard." - } - ] - }, - { - "id":"cisc-3.8", - "title":"Document Data Flows", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.8" - }, - { - "name":"sort-id", - "value":"cisc-03.08" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"identify" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-3.1", - "rel":"dependency" - }, - { - "href":"cisc-3.2", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.8_stmt", - "name":"statement", - "prose":"Document data flows. 
Data flow documentation includes service provider data flows and should be based on the enterprise?s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard." - } - ] - }, - { - "id":"cisc-3.9", - "title":"Encrypt Data on Removable Media", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.9" - }, - { - "name":"sort-id", - "value":"cisc-03.09" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.9_stmt", - "name":"statement", - "prose":"Encrypt data on removable media." - } - ] - }, - { - "id":"cisc-3.10", - "title":"Encrypt Sensitive Data in Transit", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.10" - }, - { - "name":"sort-id", - "value":"cisc-03.10" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-3.2", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.10_stmt", - "name":"statement", - "prose":"Encrypt sensitive data in transit. 
Example implementations can include, Transport Layer Security (TLS) and Open Secure Shell (OpenSSH)." - } - ] - }, - { - "id":"cisc-3.11", - "title":"Encrypt Sensitive Data At Rest", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.11" - }, - { - "name":"sort-id", - "value":"cisc-03.11" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.11_stmt", - "name":"statement", - "prose":"Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data." 
- } - ] - }, - { - "id":"cisc-3.12", - "title":"Segment Data Processing and Storage Based on Sensitivity", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.12" - }, - { - "name":"sort-id", - "value":"cisc-03.12" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"network" - }, - { - "name":"security-function", - "ns":"nhttps:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-3.2", - "rel":"dependency" - }, - { - "href":"cisc-12.4", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.12_stmt", - "name":"statement", - "prose":"Segment data processing and storage, based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data." - } - ] - }, - { - "id":"cisc-3.13", - "title":"Segment Data Processing and Storage Based on Sensitivity", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.13" - }, - { - "name":"sort-id", - "value":"cisc-03.13" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"nhttps:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-3.2", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.13_stmt", - "name":"statement", - "prose":"Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise’s 
sensitive data inventory." - } - ] - }, - { - "id":"cisc-3.14", - "title":"Log Sensitive Data Access", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 3.14" - }, - { - "name":"sort-id", - "value":"cisc-03.14" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"data" - }, - { - "name":"security-function", - "ns":"nhttps:\/\/cisecurity.org\/ns\/oscal", - "value":"detect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-3.14_stmt", - "name":"statement", - "prose":"Log sensitive data access, including modification and disposal." - } - ] - } - ] - }, - { - "id":"cisc-4", - "title":"Secure Configuration of Enterprise Assets and Software", - "props":[ - { - "name":"label", - "value":"CIS Control 4" - }, - { - "name":"sort-id", - "value":"cisc-04" - } - ], - "parts":[ - { - "id":"cisc-4_stmt", - "name":"statement", - "prose":"Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing\/IoT devices; and servers) and software (operating systems and applications)." - }, - { - "id":"cisc-4_gdn", - "name":"guidance", - "prose":"As delivered from manufacturers and resellers, the default configurations for enterprise assets and software are normally geared towards ease-of-deployment and ease-of-use rather than security. Basic controls, open services and ports, default accounts or passwords, pre-configured Domain Name System (DNS) settings, older (vulnerable) protocols, and pre-installation of unnecessary software can all be exploitable if left in their default state. 
Further, these security configuration updates need to be managed and maintained over the life cycle of enterprise assets and software. Configuration updates need to be tracked and approved through configuration management workflow process to maintain a record that can be reviewed for compliance, leveraged for incident response, and to support audits. This CIS Control is important to on-premises devices, as well as remote devices, network devices, and cloud environments.\n\nService providers play a key role in modern infrastructures, especially for smaller enterprises. They often are not set up by default in the most secure configuration to provide flexibility for their customers to apply their own security policies. Therefore, the presence of default accounts or passwords, excessive access, or unnecessary services are common in default configurations. These could introduce weaknesses that are under the responsibility of the enterprise that is using the software, rather than the service provider. This extends to ongoing management and updates, as some Platform as a Service (PaaS) only extend to the operating system, so patching and updating hosted applications are under the responsibility of the enterprise.\n\nEven after a strong initial configuration is developed and applied, it must be continually managed to avoid degrading security as software is updated or patched, new security vulnerabilities are reported, and configurations are “tweaked,” to allow the installation of new software or to support new operational requirements." 
- } - ], - "controls":[ - { - "id":"cisc-4.1", - "title":"Establish and Maintain a Secure Configuration Process", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.1" - }, - { - "name":"sort-id", - "value":"cisc-04.01" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"applications" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-2.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.1_stmt", - "name":"statement", - "prose":"Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing\/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard." 
- } - ] - }, - { - "id":"cisc-4.2", - "title":"Establish and Maintain a Secure Configuration Process for Network Infrastructure", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.2" - }, - { - "name":"sort-id", - "value":"cisc-04.02" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"network" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-2.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.2_stmt", - "name":"statement", - "prose":"Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard." 
- } - ] - }, - { - "id":"cisc-4.3", - "title":"Configure Automatic Session Locking on Enterprise Assets", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.3" - }, - { - "name":"sort-id", - "value":"cisc-04.03" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"users" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.3_stmt", - "name":"statement", - "prose":"Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes." 
- } - ] - }, - { - "id":"cisc-4.4", - "title":"Implement and Manage a Firewall on Servers", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.4" - }, - { - "name":"sort-id", - "value":"cisc-04.04" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.4_stmt", - "name":"statement", - "prose":"Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent." 
- } - ] - }, - { - "id":"cisc-4.5", - "title":"Implement and Manage a Firewall on End-User Devices", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.5" - }, - { - "name":"sort-id", - "value":"cisc-04.05" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.5_stmt", - "name":"statement", - "prose":"Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed." 
- } - ] - }, - { - "id":"cisc-4.6", - "title":"Securely Manage Enterprise Assets and Software", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.6" - }, - { - "name":"sort-id", - "value":"cisc-04.06" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"network" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.6_stmt", - "name":"statement", - "prose":"Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential." 
- } - ] - }, - { - "id":"cisc-4.7", - "title":"Manage Default Accounts on Enterprise Assets and Software", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.7" - }, - { - "name":"sort-id", - "value":"cisc-04.07" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"users" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"potect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"1" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-5.2", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.7_stmt", - "name":"statement", - "prose":"Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable." 
- } - ] - }, - { - "id":"cisc-4.8", - "title":"Uninstall or Disable Unnecessary Services on Enterprise Assets and Software", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.8" - }, - { - "name":"sort-id", - "value":"cisc-04.08" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.8_stmt", - "name":"statement", - "prose":"Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function." - } - ] - }, - { - "id":"cisc-4.9", - "title":"Configure Trusted DNS Servers on Enterprise Assets", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.9" - }, - { - "name":"sort-id", - "value":"cisc-04.09" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.9_stmt", - "name":"statement", - "prose":"Configure trusted DNS servers on enterprise assets. 
Example implementations include: configuring assets to use enterprise-controlled DNS servers and\/or reputable externally accessible DNS servers." - } - ] - }, - { - "id":"cisc-4.10", - "title":"Enforce Automatic Device Lockout on Portable End-User Devices", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.10" - }, - { - "name":"sort-id", - "value":"cisc-04.10" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"respond" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.10_stmt", - "name":"statement", - "prose":"Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft? InTune Device Lock and Apple? Configuration Profile maxFailedAttempts." 
- } - ] - }, - { - "id":"cisc-4.11", - "title":"Enforce Remote Wipe Capability on Portable End-User Devices", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.11" - }, - { - "name":"sort-id", - "value":"cisc-04.11" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" - }, - { - "name":"security-function", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"2" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], - "links":[ - { - "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.11_stmt", - "name":"statement", - "prose":"Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise." - } - ] - }, - { - "id":"cisc-4.12", - "title":"Separate Enterprise Workspaces on Mobile End-User Devices", - "props":[ - { - "name":"label", - "value":"CIS Safeguard 4.12" - }, - { - "name":"sort-id", - "value":"cisc-04.12" - }, - { - "name":"asset-type", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"devices" - }, - { - "name":"security-function", - "ns":"nhttps:\/\/cisecurity.org\/ns\/oscal", - "value":"protect" - }, - { - "name":"implementation-group", - "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"3" - } - ], "links":[ { "href":"cisc-1.1", - "rel":"dependency" - }, - { - "href":"cisc-2.1", - "rel":"dependency" - }, - { - "href":"cisc-4.1", - "rel":"dependency" - } - ], - "parts":[ - { - "id":"cisc-4.12_stmt", - "name":"statement", - "prose":"Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple? Configuration Profile or Android? 
Work Profile to separate enterprise applications and data from personal applications and data." - } - ] - } - ] - }, - { - "id":"cisc-5", - "title":"Account Management", - "props":[ - { - "name":"label", - "value":"CIS Control 5" - }, - { - "name":"sort-id", - "value":"cisc-05" - } - ], - "parts":[ - { - "id":"cisc-5_stmt", - "name":"statement", - "prose":"Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software." + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.4_stmt", + "name":"statement", + "prose":"Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent." + } + ] }, { - "id":"cisc-5_gdn", - "name":"guidance", - "prose":"It is easier for an external or internal threat actor to gain unauthorized access to enterprise assets or data through using valid user credentials than through “hacking” the environment. There are many ways to covertly obtain access to user accounts, including: weak passwords, accounts still valid after a user leaves the enterprise, dormant or lingering test accounts, shared accounts that have not been changed in months or years, service accounts embedded in applications for scripts, a user having the same password as one they use for an online account that has been compromised (in a public password dump), social engineering a user to give their password, or using malware to capture passwords or tokens in memory or over the network.\n\nAdministrative, or highly privileged, accounts are a particular target, because they allow attackers to add other accounts, or make changes to assets that could make them more vulnerable to other attacks. 
Service accounts are also sensitive, as they are often shared among teams, internal and external to the enterprise, and sometimes not known about, only to be revealed in standard account management audits.\n\nFinally, account logging and monitoring is a critical component of security operations. While account logging and monitoring are covered in CIS Control 8 (Audit Log Management), it is important in the development of a comprehensive Identity and Access Management (IAM) program." - } - ], - "controls":[ - { - "id":"cisc-5.1", - "title":"Establish and Maintain an Inventory of Accounts", + "id":"cisc-4.5", + "title":"Implement and Manage a Firewall on End-User Devices", "props":[ { "name":"label", - "value":"CIS Safeguard 5.1" + "value":"CIS Safeguard 4.5" }, { "name":"sort-id", - "value":"cisc-05.01" + "value":"cisc-04.05" }, { "name":"asset-type", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"users" + "value":"devices" }, { "name":"security-function", "ns":"https:\/\/cisecurity.org\/ns\/oscal", - "value":"identify" + "value":"protect" }, { "name":"implementation-group", 
@@ -2195,35 +552,43 @@
 }
 ],
 "links":[
+ {
+ "href":"cisc-1.1",
+ "rel":"dependency"
+ },
 {
 "href":"cisc-2.1",
 "rel":"dependency"
+ },
+ {
+ "href":"cisc-4.1",
+ "rel":"dependency"
 }
 ],
 "parts":[
 {
- "id":"cisc-5.1_stmt",
+ "id":"cisc-4.5_stmt",
 "name":"statement",
- "prose":"Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start\/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently."
+ "prose":"Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed."
 }
 ]
 },
 {
- "id":"cisc-5.2",
- "title":"Use Unique Passwords",
+ "id":"cisc-4.6",
+ "title":"Securely Manage Enterprise Assets and Software",
 "props":[
 {
 "name":"label",
- "value":"CIS Safeguard 5.2"
+ "value":"CIS Safeguard 4.6"
 },
 {
 "name":"sort-id",
- "value":"cisc-05.02"
+ "value":"cisc-04.06"
 },
 {
 "name":"asset-type",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"users"
+ "value":"network"
 },
 {
 "name":"security-function",
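Review bot: The dependency link `"href":"cisc-4.1"` added to Safeguard 4.5's links points at a safeguard this same patch deletes (the `"id":"cisc-4.1"` block is on the removed side at L30), and nothing visible re-adds it, so unless 4.1 survives in a part of the diff outside this view the reference dangles; `cisc-1.1` deserves the same check, since its definition is not visible on the new side either. A consumer that walks dependencies to order implementation or to check profile completeness will either error or silently drop the edge, which defeats the point of recording it — keep a definition for the referenced safeguards or drop the link. Separately, OSCAL `link/href` is a URI reference, so an in-document control reference is conventionally a fragment, `"href":"#cisc-4.1"`; the bare-id form is this catalog's pre-existing convention, so change it everywhere or not at all. The enclosing control object continues into the next hunk.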
@@ -2246,25 +611,39 @@
 "value":"3"
 }
 ],
+ "links":[
+ {
+ "href":"cisc-1.1",
+ "rel":"dependency"
+ },
+ {
+ "href":"cisc-2.1",
+ "rel":"dependency"
+ },
+ {
+ "href":"cisc-4.1",
+ "rel":"dependency"
+ }
+ ],
 "parts":[
 {
- "id":"cisc-5.2_stmt",
+ "id":"cisc-4.6_stmt",
 "name":"statement",
- "prose":"Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA."
+ "prose":"Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential."
 }
 ]
 },
 {
- "id":"cisc-5.3",
- "title":"Disable Dormant Accounts",
+ "id":"cisc-4.7",
+ "title":"Manage Default Accounts on Enterprise Assets and Software",
 "props":[
 {
 "name":"label",
- "value":"CIS Safeguard 5.3"
+ "value":"CIS Safeguard 4.7"
 },
 {
 "name":"sort-id",
- "value":"cisc-05.03"
+ "value":"cisc-04.07"
 },
 {
 "name":"asset-type",
@@ -2274,7 +653,7 @@
 {
 "name":"security-function",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"respond"
+ "value":"potect"
 },
 {
 "name":"implementation-group",
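Review bot: The links block added for Safeguard 4.6 declares `"href":"cisc-4.1"` as a dependency, but this patch removes the cisc-4.1 safeguard (its `"id":"cisc-4.1"` line is on the removed side at L30) and nothing visible re-adds it, so the dependency edge points at nothing. For a control catalog that is a correctness problem rather than cosmetic: tooling that resolves dependencies to build an implementation order or to check a profile's completeness will fail or silently skip 4.6's prerequisite. Drop the link or retain 4.1, and since this commit subsets the catalog, consider a CI check (e.g. a jq query comparing every `links[].href` against the set of control ids) so dangling references are caught on the next pruning. The enclosing control object continues into the next hunk.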
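Review bot: The replacement value on the new side of the second hunk, `"value":"potect"`, is a typo for `protect`; security-function is a closed vocabulary in this catalog (`identify`, `protect`, `detect`, `respond` are the values used elsewhere in the file), so Safeguard 4.7 becomes invisible to any profile, filter or report that selects by security function, and a vocabulary validator would reject the document. Change it to `"value":"protect"`. The props array this sits in starts and ends outside the hunk.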
@@ -2294,45 +673,48 @@
 ],
 "links":[
 {
- "href":"cisc-5.1",
+ "href":"cisc-1.1",
+ "rel":"dependency"
+ },
+ {
+ "href":"cisc-2.1",
+ "rel":"dependency"
+ },
+ {
+ "href":"cisc-5.2",
 "rel":"dependency"
 }
 ],
 "parts":[
 {
- "id":"cisc-5.3_stmt",
+ "id":"cisc-4.7_stmt",
 "name":"statement",
- "prose":"Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported"
+ "prose":"Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable."
 }
 ]
 },
 {
- "id":"cisc-5.4",
- "title":"Restrict Administrator Privileges to Dedicated Administrator Accounts",
+ "id":"cisc-4.8",
+ "title":"Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
 "props":[
 {
 "name":"label",
- "value":"CIS Safeguard 5.4"
+ "value":"CIS Safeguard 4.8"
 },
 {
 "name":"sort-id",
- "value":"cisc-05.04"
+ "value":"cisc-04.08"
 },
 {
 "name":"asset-type",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"users"
+ "value":"devices"
 },
 {
 "name":"security-function",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
 "value":"protect"
 },
- {
- "name":"implementation-group",
- "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"1"
- },
 {
 "name":"implementation-group",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
@@ -2346,29 +728,61 @@
 ],
 "links":[
 {
- "href":"cisc-5.1",
+ "href":"cisc-1.1",
+ "rel":"dependency"
+ },
+ {
+ "href":"cisc-2.1",
 "rel":"dependency"
 }
 ],
 "parts":[
 {
- "id":"cisc-5.4_stmt",
+ "id":"cisc-4.8_stmt",
 "name":"statement",
- "prose":"Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account."
+ "prose":"Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function."
 }
 ]
+ }
+ ]
+ },
+ {
+ "id":"cisc-5",
+ "title":"Account Management",
+ "props":[
+ {
+ "name":"label",
+ "value":"CIS Control 5"
+ },
+ {
+ "name":"sort-id",
+ "value":"cisc-05"
+ }
+ ],
+ "parts":[
+ {
+ "id":"cisc-5_stmt",
+ "name":"statement",
+ "prose":"Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software."
 },
 {
- "id":"cisc-5.5",
- "title":"Establish and Maintain an Inventory of Service Accounts",
+ "id":"cisc-5_gdn",
+ "name":"guidance",
+ "prose":"It is easier for an external or internal threat actor to gain unauthorized access to enterprise assets or data through using valid user credentials than through “hacking” the environment. 
There are many ways to covertly obtain access to user accounts, including: weak passwords, accounts still valid after a user leaves the enterprise, dormant or lingering test accounts, shared accounts that have not been changed in months or years, service accounts embedded in applications for scripts, a user having the same password as one they use for an online account that has been compromised (in a public password dump), social engineering a user to give their password, or using malware to capture passwords or tokens in memory or over the network.\n\nAdministrative, or highly privileged, accounts are a particular target, because they allow attackers to add other accounts, or make changes to assets that could make them more vulnerable to other attacks. Service accounts are also sensitive, as they are often shared among teams, internal and external to the enterprise, and sometimes not known about, only to be revealed in standard account management audits.\n\nFinally, account logging and monitoring is a critical component of security operations. While account logging and monitoring are covered in CIS Control 8 (Audit Log Management), it is important in the development of a comprehensive Identity and Access Management (IAM) program."
+ }
+ ],
+ "controls":[
+ {
+ "id":"cisc-5.1",
+ "title":"Establish and Maintain an Inventory of Accounts",
 "props":[
 {
 "name":"label",
- "value":"CIS Safeguard 5.5"
+ "value":"CIS Safeguard 5.1"
 },
 {
 "name":"sort-id",
- "value":"cisc-05.05"
+ "value":"cisc-05.01"
 },
 {
 "name":"asset-type",
@@ -2380,6 +794,11 @@
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
 "value":"identify"
 },
+ {
+ "name":"implementation-group",
+ "ns":"https:\/\/cisecurity.org\/ns\/oscal",
+ "value":"1"
+ },
 {
 "name":"implementation-group",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
@@ -2393,29 +812,29 @@
 ],
 "links":[
 {
- "href":"cisc-6.6",
+ "href":"cisc-2.1",
 "rel":"dependency"
 }
 ],
 "parts":[
 {
- "id":"cisc-5.5_stmt",
+ "id":"cisc-5.1_stmt",
 "name":"statement",
- "prose":"Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently."
+ "prose":"Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start\/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently."
 }
 ]
 },
 {
- "id":"cisc-5.6",
- "title":"Centralize Account Management",
+ "id":"cisc-5.2",
+ "title":"Use Unique Passwords",
 "props":[
 {
 "name":"label",
- "value":"CIS Safeguard 5.6"
+ "value":"CIS Safeguard 5.2"
 },
 {
 "name":"sort-id",
- "value":"cisc-05.06"
+ "value":"cisc-05.02"
 },
 {
 "name":"asset-type",
@@ -2430,29 +849,24 @@
 {
 "name":"implementation-group",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"2"
+ "value":"1"
 },
 {
 "name":"implementation-group",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"3"
- }
- ],
- "links":[
- {
- "href":"cisc-1.1",
- "rel":"dependency"
+ "value":"2"
 },
 {
- "href":"cisc-2.1",
- "rel":"dependency"
+ "name":"implementation-group",
+ "ns":"https:\/\/cisecurity.org\/ns\/oscal",
+ "value":"3"
 }
 ],
 "parts":[
 {
- "id":"cisc-5.6_stmt",
+ "id":"cisc-5.2_stmt",
 "name":"statement",
- "prose":"Centralize account management through a directory or identity service."
+ "prose":"Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA."
 }
 ]
 }
@@ -2575,23 +989,51 @@
 "prose":"Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails."
 }
 ]
+ }
+ ]
+ },
+ {
+ "id":"cisc-8",
+ "title":"Audit Log Management",
+ "props":[
+ {
+ "name":"label",
+ "value":"CIS Control 8"
+ },
+ {
+ "name":"sort-id",
+ "value":"cisc-08"
+ }
+ ],
+ "parts":[
+ {
+ "id":"cisc-8_stmt",
+ "name":"statement",
+ "prose":"Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack."
 },
 {
- "id":"cisc-6.3",
- "title":"Require MFA for Externally-Exposed Applications",
+ "id":"cisc-8_gdn",
+ "name":"guidance",
+ "prose":"Log collection and analysis is critical for an enterprise’s ability to detect malicious activity quickly. Sometimes audit records are the only evidence of a successful attack. Attackers know that many enterprises keep audit logs for compliance purposes, but rarely analyze them. Attackers use this knowledge to hide their location, malicious software, and activities on victim machines. Due to poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target enterprise knowing.\n\nThere are two types of logs that are generally treated and often configured independently: system logs and audit logs. System logs typically provide system-level events that show various system process start\/end times, crashes, etc. These are native to systems, and take less configuration to turn on. Audit logs typically include user-level events – when a user logged in, accessed a file, etc. – and take more planning and effort to set up.\n\nLogging records are also critical for incident response. 
After an attack has been detected, log analysis can help enterprises understand the extent of an attack. Complete logging records can show, for example, when and how the attack occurred, what information was accessed, and if data was exfiltrated. Retention of logs is also critical in case a follow-up investigation is required or if an attack remained undetected for a long period of time."
+ }
+ ],
+ "controls":[
+ {
+ "id":"cisc-8.1",
+ "title":"Establish and Maintain an Audit Log Management Process",
 "props":[
 {
 "name":"label",
- "value":"CIS Safeguard 6.3"
+ "value":"CIS Safeguard 8.1"
 },
 {
 "name":"sort-id",
- "value":"cisc-06.03"
+ "value":"cisc-08.01"
 },
 {
 "name":"asset-type",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"users"
+ "value":"network"
 },
 {
 "name":"security-function",
@@ -2614,49 +1056,35 @@
 "value":"3"
 }
 ],
- "links":[
- {
- "href":"cisc-2.1",
- "rel":"dependency"
- },
- {
- "href":"cisc-4.1",
- "rel":"dependency"
- },
- {
- "href":"cisc-5.1",
- "rel":"dependency"
- }
- ],
 "parts":[
 {
- "id":"cisc-6.3_stmt",
+ "id":"cisc-8.1_stmt",
 "name":"statement",
- "prose":"Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard."
+ "prose":"Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard."
 }
 ]
 },
 {
- "id":"cisc-6.4",
- "title":"Require MFA for Remote Network Access",
+ "id":"cisc-8.2",
+ "title":"Collect Audit Logs",
 "props":[
 {
 "name":"label",
- "value":"CIS Safeguard 6.4"
+ "value":"CIS Safeguard 8.2"
 },
 {
 "name":"sort-id",
- "value":"cisc-06.04"
+ "value":"cisc-08.02"
 },
 {
 "name":"asset-type",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"users"
+ "value":"network"
 },
 {
 "name":"security-function",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"protect"
+ "value":"detect"
 },
 {
 "name":"implementation-group",
@@ -2682,32 +1110,36 @@
 {
 "href":"cisc-4.1",
 "rel":"dependency"
+ },
+ {
+ "href":"cisc-8.1",
+ "rel":"dependency"
 }
 ],
 "parts":[
 {
- "id":"cisc-6.4_stmt",
+ "id":"cisc-8.2_stmt",
 "name":"statement",
- "prose":"Require MFA for remote network access."
+ "prose":"Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets."
 }
 ]
 },
 {
- "id":"cisc-6.5",
- "title":"Require MFA for Administrative Access",
+ "id":"cisc-8.3",
+ "title":"Ensure Adequate Audit Log Storage",
 "props":[
 {
 "name":"label",
- "value":"CIS Safeguard 6.5"
+ "value":"CIS Safeguard 8.3"
 },
 {
 "name":"sort-id",
- "value":"cisc-06.05"
+ "value":"cisc-08.03"
 },
 {
 "name":"asset-type",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"users"
+ "value":"network"
 },
 {
 "name":"security-function",
@@ -2732,43 +1164,39 @@
 ],
 "links":[
 {
- "href":"cisc-4.1",
- "rel":"dependency"
- },
- {
- "href":"cisc-5.1",
+ "href":"cisc-1.1",
 "rel":"dependency"
 }
 ],
 "parts":[
 {
- "id":"cisc-6.5_stmt",
+ "id":"cisc-8.3_stmt",
 "name":"statement",
- "prose":"Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider."
+ "prose":"Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process."
 }
 ]
 },
 {
- "id":"cisc-6.6",
- "title":"Establish and Maintain an Inventory of Authentication and Authorization Systems",
+ "id":"cisc-8.4",
+ "title":"Standardize Time Synchronization",
 "props":[
 {
 "name":"label",
- "value":"CIS Safeguard 6.6"
+ "value":"CIS Safeguard 8.4"
 },
 {
 "name":"sort-id",
- "value":"cisc-06.06"
+ "value":"cisc-08.04"
 },
 {
 "name":"asset-type",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"users"
+ "value":"network"
 },
 {
 "name":"security-function",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"identify"
+ "value":"protect"
 },
 {
 "name":"implementation-group",
@@ -2785,41 +1213,37 @@
 {
 "href":"cisc-1.1",
 "rel":"dependency"
- },
- {
- "href":"cisc-2.1",
- "rel":"dependency"
 }
 ],
 "parts":[
 {
- "id":"cisc-6.6_stmt",
+ "id":"cisc-8.4_stmt",
 "name":"statement",
- "prose":"Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently."
+ "prose":"Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported."
 }
 ]
 },
 {
- "id":"cisc-6.7",
- "title":"Centralize Access Control",
+ "id":"cisc-8.5",
+ "title":"Collect Detailed Audit Logs",
 "props":[
 {
 "name":"label",
- "value":"CIS Safeguard 6.7"
+ "value":"CIS Safeguard 8.5"
 },
 {
 "name":"sort-id",
- "value":"cisc-06.07"
+ "value":"cisc-08.05"
 },
 {
 "name":"asset-type",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"users"
+ "value":"network"
 },
 {
 "name":"security-function",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"protect"
+ "value":"detect"
 },
 {
 "name":"implementation-group",
@@ -2836,41 +1260,42 @@
 {
 "href":"cisc-1.1",
 "rel":"dependency"
- },
- {
- "href":"cisc-2.1",
- "rel":"dependency"
 }
 ],
 "parts":[
 {
- "id":"cisc-6.7_stmt",
+ "id":"cisc-8.5_stmt",
 "name":"statement",
- "prose":"Centralize access control for all enterprise assets through a directory service or SSO provider, where supported."
+ "prose":"Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation."
 }
 ]
 },
 {
- "id":"cisc-6.8",
- "title":"Centralize Access Control",
+ "id":"cisc-8.6",
+ "title":"Collect DNS Query Audit Logs",
 "props":[
 {
 "name":"label",
- "value":"CIS Safeguard 6.8"
+ "value":"CIS Safeguard 8.6"
 },
 {
 "name":"sort-id",
- "value":"cisc-06.08"
+ "value":"cisc-08.06"
 },
 {
 "name":"asset-type",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"data"
+ "value":"network"
 },
 {
 "name":"security-function",
 "ns":"https:\/\/cisecurity.org\/ns\/oscal",
- "value":"protect"
+ "value":"detect"
+ },
+ {
+ "name":"implementation-group",
+ "ns":"https:\/\/cisecurity.org\/ns\/oscal",
+ "value":"2"
 },
 {
 "name":"implementation-group",
@@ -2880,15 +1305,19 @@
 ],
 "links":[
 {
- "href":"cisc-5.1",
+ "href":"cisc-1.1",
+ "rel":"dependency"
+ },
+ {
+ "href":"cisc-4.1",
 "rel":"dependency"
 }
 ],
 "parts":[
 {
- "id":"cisc-6.8_stmt",
+ "id":"cisc-8.6_stmt",
 "name":"statement",
- "prose":"Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently."
+ "prose":"Collect DNS query audit logs on enterprise assets, where appropriate and supported."
 }
 ]
 }
diff --git a/profiles/cis-v8/profile.json b/profiles/cis-v8/profile.json
index 0168b57..bc5c828 100644
--- a/profiles/cis-v8/profile.json
+++ b/profiles/cis-v8/profile.json
@@ -13,36 +13,16 @@
 "include-controls": [
 {
 "with-ids": [
- "cisc-5",
- "cisc-5.1",
+ "cisc-3.3",
+ "cisc-4.1",
+ "cisc-4.8",
 "cisc-5.2",
- "cisc-5.3",
- "cisc-5.4",
- "cisc-5.5",
- "cisc-5.6"
+ "cisc-6.2",
+ "cisc-8.5"
 ]
 }
 ]
 }
- ],
- "modify": {
- "alters": [
- {
- "control-id": "cisc-5.1",
- "adds": [
- {
- "position": "ending",
- "parts": [
- {
- "id": "cisc-5.1_my_guidance",
- "name": "my_guidance",
- "prose": "Test guidance"
- }
- ]
- }
- ]
- }
- ]
- }
+ ]
 }
 }
\ No newline at end of file
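Review bot: The new `with-ids` list names `cisc-3.3`, `cisc-4.1` and `cisc-6.2`, none of whose control definitions appear on the new side of the catalog diff in this commit, so the profile should be resolved against the updated catalog before merging to confirm every listed id still exists; depending on the resolver, an include of a missing control is either reported as an error or silently dropped, and neither outcome is obvious from the profile alone. Removing the whole `modify`/`alters` block also removes the only exercise of the `my_guidance` augmentation path, which is fine if the intent is an include-only profile but worth stating in the commit message. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is being rewritten.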