1.1 | CIS 1.1: Enterprise Asset Inventory Management |
1.2 | CIS 1.2: Address Unauthorized Assets | GRCWatch |
1.3 | CIS 1.3: Active Discovery Tool for Asset Management |
1.4 | CIS 1.4: DHCP Logging for Asset Inventory |
1.5 | CIS 1.5: Passive Asset Discovery Tool | Compliance |
10.1 | CIS 10.1: Deploy Anti-Malware Software | GRCWatch |
10.2 | CIS 10.2: Auto Anti-Malware Signature Updates |
10.3 | CIS 10.3: Disable Autorun & Autoplay for Removable Media |
10.4 | CIS 10.4: Auto Anti-Malware Scanning for Removable Media |
10.5 | CIS 10.5: Enable Anti-Exploitation Features | GRCWatch |
10.6 | CIS 10.6: Centrally Manage Anti-Malware Software |
10.7 | CIS 10.7: Behavior-Based Anti-Malware Software |
11.1 | CIS 11.1: Data Recovery Process | GRCWatch |
11.2 | CIS 11.2: Automated Backups | Compliance Guide |
11.3 | CIS 11.3: Protect Recovery Data | Compliance Guide |
11.4 | CIS 11.4: Isolated Recovery Data Backups |
11.5 | CIS 11.5: Test Data Recovery | Backup Compliance |
12.1 | CIS 12.1: Keep Network Infrastructure Current |
12.2 | CIS 12.2: Secure Network Architecture | GRCWatch |
12.3 | CIS 12.3: Secure Network Infrastructure Management |
12.4 | CIS 12.4: Architecture Diagrams & Network Documentation |
12.5 | CIS 12.5: Centralize Network AAA Authentication |
12.6 | CIS 12.6: Secure Network Management & Protocols |
12.7 | CIS 12.7: Remote Device VPN Authentication | GRCWatch |
12.8 | CIS 12.8: Dedicated Admin Computing Resources |
13.1 | CIS 13.1: Centralize Security Event Alerting | GRCWatch |
13.10 | CIS 13.10: Application Layer Filtering for SMBs |
13.11 | CIS 13.11: Tune Security Event Alerting Thresholds |
13.2 | CIS 13.2: Host-Based Intrusion Detection Solution |
13.3 | CIS 13.3: Deploy Network Intrusion Detection | GRCWatch |
13.4 | CIS 13.4: Network Traffic Filtering Between Segments |
13.5 | CIS 13.5: Remote Asset Access Control | GRCWatch |
13.6 | CIS 13.6: Network Traffic Flow Logs Collection |
13.7 | CIS 13.7: Host-Based Intrusion Prevention | GRCWatch |
13.8 | CIS 13.8: Network Intrusion Prevention Deployment |
13.9 | CIS 13.9: Port-Level Access Control | GRCWatch |
14.1 | CIS 14.1: Security Awareness Program | GRCWatch |
14.2 | CIS 14.2: Social Engineering Attack Recognition Training |
14.3 | CIS 14.3: Authentication Training for Workforce Security |
14.4 | CIS 14.4: Data Handling Training for Your Workforce |
14.5 | CIS 14.5: Train Workforce on Data Exposure Prevention |
14.6 | CIS 14.6: Security Incident Recognition & Reporting Training |
14.7 | CIS 14.7: Security Updates Training & Patch Management |
14.8 | CIS 14.8: Insecure Network Training for Workforce Security |
14.9 | CIS 14.9: Role-Specific Security Awareness Training |
15.1 | CIS 15.1: Service Provider Inventory Management |
15.2 | CIS 15.2: Service Provider Management Policy | GRCWatch |
15.3 | CIS 15.3: Classify Service Providers | GRCWatch |
15.4 | CIS 15.4: Service Provider Security Contract Requirements |
15.5 | CIS 15.5: Assess Service Providers | GRCWatch |
15.6 | CIS 15.6: Monitor Service Providers | GRCWatch |
15.7 | CIS 15.7: Secure Service Provider Decommissioning |
16.1 | CIS 16.1: Secure Application Development Process |
16.10 | CIS 16.10: Secure Design Principles in Application Architectures |
16.11 | CIS 16.11: Vetted Application Security Modules |
16.12 | CIS 16.12: Code-Level Security Checks Implementation |
16.13 | CIS 16.13: Application Penetration Testing | GRCWatch |
16.14 | CIS 16.14: Threat Modeling for Secure Development |
16.2 | CIS 16.2: Software Vulnerability Management Process |
16.3 | CIS 16.3: Root Cause Analysis for Security Vulnerabilities |
16.4 | CIS 16.4: Application Inventory Management | GRCWatch |
16.5 | CIS 16.5: Third-Party Component Management & Vulnerability Control |
16.6 | CIS 16.6: Vulnerability Severity Rating System |
16.7 | CIS 16.7: Standard Hardening Configuration Templates |
16.8 | CIS 16.8: Separate Production & Non-Production Systems |
16.9 | CIS 16.9: Developer Application Security Training |
17.1 | CIS 17.1: Designate Incident Handling Personnel |
17.2 | CIS 17.2: Establish Security Incident Reporting Contacts |
17.3 | CIS 17.3: Enterprise Incident Reporting Process |
17.4 | CIS 17.4: Incident Response Process | GRCWatch |
17.5 | CIS 17.5: Assign Key Roles and Responsibilities |
17.6 | CIS 17.6: Incident Response Communication Mechanisms |
17.7 | CIS 17.7: Routine Incident Response Exercises |
17.8 | CIS 17.8: Post-Incident Reviews for Compliance |
17.9 | CIS 17.9: Security Incident Thresholds | GRCWatch |
18.1 | CIS 18.1: Penetration Testing Program | GRCWatch |
18.2 | CIS 18.2: External Penetration Testing | GRCWatch |
18.3 | CIS 18.3: Remediate Penetration Test Findings |
18.4 | CIS 18.4: Validate Security Measures | Penetration Testing |
18.5 | CIS 18.5: Internal Penetration Testing | GRCWatch |
2.1 | CIS 2.1: Software Inventory Management for SMBs |
2.2 | CIS 2.2: Ensure Authorized Software is Currently Supported |
2.3 | CIS 2.3: Remove Unauthorized Software | GRCWatch |
2.4 | CIS 2.4: Automated Software Inventory Tools | GRCWatch |
2.5 | CIS 2.5: Allowlist Authorized Software | GRCWatch |
2.6 | CIS 2.6: Allowlist Authorized Libraries | GRCWatch |
2.7 | CIS 2.7: Allowlist Authorized Scripts | GRCWatch |
3.1 | CIS 3.1: Data Management Process | GRCWatch |
3.10 | CIS 3.10: Encrypt Sensitive Data in Transit | GRCWatch |
3.11 | CIS 3.11: Encrypt Sensitive Data at Rest | Compliance Guide |
3.12 | CIS 3.12: Data Segmentation by Sensitivity | GRCWatch |
3.13 | CIS 3.13: Deploy Data Loss Prevention Solution |
3.14 | CIS 3.14: Log Sensitive Data Access | Compliance Guide |
3.2 | CIS 3.2: Data Inventory | GRCWatch |
3.3 | CIS 3.3: Data Access Control Lists | GRCWatch |
3.4 | CIS 3.4: Enforce Data Retention Policy | GRCWatch |
3.5 | CIS 3.5: Secure Data Disposal | GRCWatch |
3.6 | CIS 3.6: Encrypt Data on End-User Devices | Compliance Guide |
3.7 | CIS 3.7: Data Classification Scheme | GRCWatch |
3.8 | CIS 3.8: Document Data Flows | Compliance Guide |
3.9 | CIS 3.9: Encrypt Data on Removable Media |
4.1 | CIS 4.1: Secure Configuration Process for Enterprise Assets |
4.10 | CIS 4.10: Automatic Device Lockout for Portable Devices |
4.11 | CIS 4.11: Remote Wipe for Portable Devices | GRCWatch |
4.12 | CIS 4.12: Mobile Enterprise Workspace Separation |
4.2 | CIS 4.2: Secure Network Configuration Process |
4.3 | CIS 4.3: Automatic Session Locking Configuration |
4.4 | CIS 4.4: Implement & Manage Server Firewalls |
4.5 | CIS 4.5: Host Firewall & Port Filtering for Endpoints |
4.6 | CIS 4.6: Securely Manage Enterprise Assets & Software |
4.7 | CIS 4.7: Manage Default Accounts on Enterprise Assets |
4.8 | CIS 4.8: Disable Unnecessary Services | Compliance Guide |
4.9 | CIS 4.9: Configure Trusted DNS Servers | GRCWatch |
5.1 | CIS 5.1: Account Inventory Management for SMBs |
5.2 | CIS 5.2: Unique Passwords for Enterprise Assets |
5.3 | CIS 5.3: Disable Dormant Accounts | Compliance Guide |
5.4 | CIS 5.4: Restrict Administrator Privileges | GRCWatch |
5.5 | CIS 5.5: Service Account Inventory Management |
5.6 | CIS 5.6: Centralize Account Management | GRCWatch |
6.1 | CIS 6.1: Automated Access Granting Process |
6.2 | CIS 6.2: Automated Access Revoking Process | GRCWatch |
6.3 | CIS 6.3: MFA for External Applications | Compliance Guide |
6.4 | CIS 6.4: MFA for Remote Network Access | GRCWatch |
6.5 | CIS 6.5: MFA for Administrative Access | GRCWatch |
6.6 | CIS 6.6: Authentication & Authorization Inventory |
6.7 | CIS 6.7: Centralize Access Control | GRCWatch |
6.8 | CIS 6.8: Role-Based Access Control | GRCWatch |
7.1 | CIS 7.1: Vulnerability Management Process | GRCWatch |
7.2 | CIS 7.2: Establish & Maintain Remediation Process |
7.3 | CIS 7.3: Automated OS Patch Management for SMBs |
7.4 | CIS 7.4: Automated Application Patch Management |
7.5 | CIS 7.5: Automated Vulnerability Scans | GRCWatch |
7.6 | CIS 7.6: Automated Vulnerability Scans for External Assets |
7.7 | CIS 7.7: Remediate Detected Vulnerabilities | GRCWatch |
8.1 | CIS 8.1: Audit Log Management Process | Compliance Guide |
8.10 | CIS 8.10: Retain Audit Logs for 90+ Days |
8.11 | CIS 8.11: Audit Log Reviews for Threat Detection |
8.12 | CIS 8.12: Collect Service Provider Logs | GRCWatch |
8.2 | CIS 8.2: Collect Audit Logs | Compliance Guide |
8.3 | CIS 8.3: Audit Log Storage Compliance |
8.4 | CIS 8.4: Time Synchronization for Compliance |
8.5 | CIS 8.5: Collect Detailed Audit Logs | GRCWatch |
8.6 | CIS 8.6: DNS Query Audit Logs for Malicious Domain Detection |
8.7 | CIS 8.7: URL Request Audit Logs | Malicious Site Detection |
8.8 | CIS 8.8: Command-Line Audit Logs Collection |
8.9 | CIS 8.9: Centralize Audit Logs | GRCWatch |
9.1 | CIS 9.1: Enforce Supported Browsers & Email Clients |
9.2 | CIS Control 9.2: DNS Filtering Services for Malware Protection |
9.3 | CIS 9.3: Network URL Filtering | GRCWatch |
9.4 | CIS 9.4: Restrict Browser & Email Extensions | Compliance |
9.5 | CIS 9.5: Implement DMARC for Email Security |
9.6 | CIS 9.6: Block Unnecessary File Types | Email Security |
9.7 | CIS 9.7: Email Server Anti-Malware Protections |