0% found this document useful (0 votes)

123 views156 pages

82185300

The document provides instructions for completing an initial assessment of an organization's security controls based on the Critical Security Controls. It describes the assessment tool which evaluates responses to questions about each control to determine overall maturity levels. The tool generates scores and charts to measure progress and identify areas for improvement.

Uploaded by

allenchi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

123 views156 pages

82185300

Uploaded by

allenchi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

You are on page 1/ 156

Critical Security Controls Initial Assessmen

Instructions - Read me first.

The purpose for this tool is to provide organizations with a simple tool for performing an initial assessment of their information
Security Controls and the Council on Cybersecurity. Any questions about how this tool works or suggestions can be directed to
complete the answers to the drop down menu questions lists on the pages labeled CSC #1 - CSC #20. By choosing a drop down
generate scores and maturity level based on the answers to each question. Based on the answers to each question, the dashbo
scores for the organization as a whole. These scores can therefore be used to measure the organization's progress and what pe
in the long term organizations would deploy tools that would automate the collection of this information, but in the meanwhile
organization's maturity level.

Field Definitions
ID This is the ID number of the specific critical security control sub-control reference as included i
Category This is the critical control category as defined by the Critical Security Controls documentation.
Critical Security Control Detail This is the detail behind each specific sub-control as defined by the Critical Security Controls do
EOF Function This standards for "Executive Order Framework (EOF)" function. These functions were defined
Sensor or Baseline This is the type of technical system or baseline that we believe is necessary in order to implem
Policy Approved This question determines whether the organization currently has a policy defined that indicate
Control Implemented This question determines whether or not the organization currently has implemented this sub
Control Automated This question determines whether or not the organization currently has automated the implem
Control Reported to Business This question determines whether or not the organization is reporting this sub control to busin
ls Initial Assessment Tool (v5.0b)

assessment of their information assurance maturity level based on the controls defined by the Critical
r suggestions can be directed to info@auditscripts.com. In order to use this tool, the assessor must only
C #20. By choosing a drop down choice for each critical control, the assessment tool will automatically
ers to each question, the dashboard worksheet will automatically populate with the overall maturity level
anization's progress and what percentage of the Critical Security Controls they are currently following. Ideally
nformation, but in the meanwhile, this tool can be used to help start the process of manually assessing the

b-control reference as included in the Critical Security Controls documentation.

curity Controls documentation.
y the Critical Security Controls documentation.
n. These functions were defined by NIST in the EOF and act as control characteristics.
is necessary in order to implement the specific sub control.
as a policy defined that indicates that they should be implementing the defined sub control.
ently has implemented this sub control and to what degree the control has been implemented.
ently has automated the implementation of this sub control and to what degree the control has been automat
porting this sub control to business representatives and to what degree the control has been reported.
Critical Security Controls Initial Assessment To

Maturity level: Desription: Score:

Level One Policies Complete 0.00 Maturity Leve
Level Two Controls 1-5 Implemented 0.00 1.00
Level Three All Controls Implemented 0.00 0.80
Level Four All Controls Automated 0.00 0.60
Level Five All Controls Reported 0.00 0.40
0.20
Maturity Rating*: 0 0.00
0.00 0.00

*Rating is on a 0-5 scale. Pol i ci es Compl ete Control s 1-5 Impl emented Al l Con

Total Completion (by CSC)

100%
90%
80%
70%
60%
50%
40%
30%
20%
10% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0%
0%

Policy Completion (by CSC)

100%
90%
80%
70%
60%
50%
40%
30%
20%
10% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0%
0%

Implementation Completion (by CSC)

100%
90%
80%
70%
60%
50%
40%
30%
20%
10% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0%
0%
50%
40%
30%
20%
10% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0%
0%

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 Inte

tial Assessment Tool (v5.0b)

Maturity Level Aggregate Scores

0.00 0.00 0.00 0.00

Control s 1-5 Impl emented Al l Control s Impl emented Al l Control s Automated Al l Control s Reported

etion (by CSC)

0% 0% 0% 0% 0% 0% 0% 0% 0% 0%

etion (by CSC)

0% 0% 0% 0% 0% 0% 0% 0% 0% 0%

ompletion (by CSC)

0% 0% 0% 0% 0% 0% 0% 0% 0% 0%
0% 0% 0% 0% 0% 0% 0% 0% 0% 0%

Attribution-ShareAlike 4.0 International License.

Critical Security Control #1

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

1.1 QW Deploy an automated asset inventory discovery tool and use it to build a preliminary
asset inventory of systems connected to an organization’s public and private
network(s). Both active tools that scan through network address ranges and passive
tools that identify hosts based on analyzing their traffic should be employed.
Deploy dynamic host configuration protocol (DHCP) server logging, and utilize a system
1.2 QW to improve the asset inventory and help detect unknown systems through this DHCP
information.
1.3 QW Ensure that all equipment acquisitions automatically update the inventory system as
new, approved devices are connected to the network.

Maintain an asset inventory of all systems connected to the network and the network
devices themselves, recording at least the network addresses, machine name(s),
purpose of each system, an asset owner responsible for each device, and the
1.4 V/A department associated with each device. The inventory should include every system
that has an Internet protocol (IP) address on the network, including but not limited to
desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.),
printers, storage area networks, Voice Over-IP telephones, multi-homed addresses,
virtual addresses, etc. The asset inventory created must also include data on whether
the device is a portable and/or personal device. Devices such as mobile phones,
tablets, laptops, and other portable electronic devices that store or process data must
be identified, regardless of whether they are attached to the organization’s network.
Deploy network level authentication via 802.1x to limit and control which devices can
1.5 C/H be connected to the network. The 802.1x must be tied into the inventory data to
determine authorized versus unauthorized systems.
Deploy network access control (NAC) to monitor authorized systems so if attacks occur,
1.6 C/H the impact can be remediated by moving the untrusted system to a virtual local area
network that has minimal access.
1.7 ADV Utilize client certificates to validate and authenticate systems prior to connecting to the
private network.

This work
Security Control #1: Inventory of Authorized and Unauthorized Devices

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Identify Active Device Discovery System No Policy

Identify Passive Device Discovery System No Policy

Detect Log Management System / SIEM No Policy

Identify Asset Inventory System No Policy

Prevent Network Access Control (NAC) No Policy

Prevent Public Key Infrastructure (PKI) No Policy

All Policies Approved:

All Controls Implemented:
All Controls Automated:
All Controls Reported:
Total Percentage Complete:
Preventive Controls Implemented:
Preventive Controls Automated:
Preventive Controls Reported:
Detective Controls Implemented:
Detective Controls Automated:
Detective Controls Reported:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
thorized Devices

Completion Reporting Completion

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Control #2:

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

Deploy application whitelisting technology that allows systems to run software only if it
is included on the whitelist and prevents execution of all other software on the system.
The whitelist may be very extensive (as is available from commercial whitelist vendors),
2.1 QW so that users are not inconvenienced when using common software. Or, for some
special-purpose systems (which require only a small number of programs to achieve
their needed business functionality), the whitelist may be quite narrow. When
protecting systems with customized software that may be seen as difficult to whitelist,
use item 8 below (isolating the custom software in a virtual operating system that does
not retain infections.).

Devise a list of authorized software and version that is required in the enterprise for
2.2 QW each type of system, including servers, workstations, and laptops of various kinds and
uses. This list should be monitored by file integrity checking tools to validate that the
authorized software has not been modified.

Perform regular scanning for unauthorized software and generate alerts when it is
discovered on a system. A strict change-control process should also be implemented
2.3 QW to control any changes or installation of software to any systems on the network. This
includes alerting when unrecognized binaries (executable files, DLL’s and other
libraries, etc.) are found on a system, even inside of compressed archives. This
includes checking for unrecognized or altered versions of software by comparing file
hash values (attackers often utilize altered versions of known software to perpetrate
attacks, and file hash comparisons will reveal the compromised software components).
Deploy software inventory tools throughout the organization covering each of the
operating system types in use, including servers, workstations, and laptops. The
2.4 QW software inventory system should track the version of the underlying operating system
as well as the applications installed on it. Furthermore, the tool should record not only
the type of software installed on each system, but also its version number and patch
level.
2.5 V/A The software inventory systems must be tied into the hardware asset inventory so all
devices and associated software are tracked from a single location.
2.6 C/H
Dangerous file types (e.g., .exe, .zip, .msi) should be closely monitored and/or blocked.
Virtual machines and/or air-gapped systems should be used to isolate and run
2.7 ADV applications that are required for business operations but based on higher risk should
not be installed within a networked environment.
2.8 ADV Configure client workstations with non-persistent, virtualized operating environments
that can be quickly and easily restored to a trusted snapshot on a periodic basis.
Deploy software that only provides signed software ID tags. A software identification
2.9 ADV tag is an XML file that is installed alongside software and uniquely identifies the
software, providing data for software inventory and asset management.

This work is
curity Control #2: Inventory of Authorized and Unauthorized Software

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Prevent Software Whitelisting System No Policy

Identify Software Application Inventory No Policy

Monitor File Integrity Assessment No Policy

Monitor Software Application Inventory No Policy

Monitor Software Whitelisting System No Policy

Identify Software Application Inventory No Policy

Identify Software Inventory System No Policy

Identify Asset Inventory System No Policy

Prevent Software Whitelisting System No Policy

Prevent OS Virtualization System No Policy

Identify Software Inventory System No Policy

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
horized Software

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Control #3

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

Establish and ensure the use of standard secure configurations of your operating
systems. Standardized images should represent hardened versions of the underlying
3.1 QW operating system and the applications installed on the system. Hardening typically
includes: removal of unnecessary accounts (including service accounts), disabling or
removal of unnecessary services, configuring non-executable stacks and heaps,
applying patches, closing open and unused network ports, implementing intrusion
detection systems and/or intrusion prevention systems, and use of host-based
firewalls. These images should be validated and refreshed on a regular basis to update
their security configuration in light of recent vulnerabilities and attack vectors.

Implement automated patching tools and processes for both applications and for
3.2 QW operating system software. When outdated systems can no longer be patched, update
to the latest version of application software. Remove outdated, older, and unused
software from the system.

3.3 QW Limit administrative privileges to very few users who have both the knowledge
necessary to administer the operating system and a business need to modify the
configuration of the underlying operating system. This will help prevent installation of
unauthorized software and other abuses of administrator privileges.
Follow strict configuration management, building a secure image that is used to build
all new systems that are deployed in the enterprise. Any existing system that becomes
3.4 QW compromised should be re-imaged with the secure build. Regular updates or
exceptions to this image should be integrated into the organization’s change
management processes. Images should be created for workstations, servers, and other
system types used by the organization.

Store the master images on securely configured servers, validated with integrity
checking tools capable of continuous inspection, and change management to ensure
3.5 QW that only authorized changes to the images are possible. Alternatively, these master
images can be stored in offline machines, air-gapped from the production network,
with images copied via secure media to move them between the image storage servers
and the production network.
Negotiate contracts to buy systems configured securely out of the box using
3.6 V/A standardized images, which should be devised to avoid extraneous software that would
increase their attack surface and susceptibility to vulnerabilities.

Do all remote administration of servers, workstation, network devices, and similar

3.7 C/H equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do
not actively support strong encryption should only be used if they are performed over
a secondary encryption channel, such as SSL or IPSEC.

Utilize file integrity checking tools to ensure that critical system files (including sensitive
system and application executables, libraries, and configurations) have not been
altered. All alterations to such files should be automatically reported security
3.8 C/H personnel. The reporting system should have the ability to account for routine and
expected changes, highlighting unusual or unexpected alterations. For investigative
support, the reporting system should be able to show the history of configuration
changes over time and identify who made the change (including the original logged-in
account in the event of a user ID switch, such as with the su or sudo command). These
integrity checks should also identify suspicious system alterations such as owner and
permissions changes to files or directories; the use of alternate data streams which
could be used to hide malicious activities; as well as detecting the introduction of extra
files into key system areas (which could indicate malicious payloads left by attackers or
additional files inappropriately added during batch distribution processes).

Implement and test an automated configuration monitoring system that measures all
3.9 ADV secure configuration elements that can be measured through remote testing using
features such as those included with tools compliant with Security Content Automation
Protocol (SCAP), and alerts when unauthorized changes occur. This includes detecting
new listening ports, new administrative users, changes to group and local policy
objects, (where applicable), and new services running on a system.

Deploy system configuration management tools, such as Active Directory Group Policy
3.10 C/H Objects for Microsoft Windows systems or Puppet for UNIX systems that will
automatically enforce and redeploy configuration settings to systems at regularly
scheduled intervals. They should be capable of triggering redeployment of
configuration settings on a scheduled, manual, or event-driven basis.
This work is
ecurity Control #3: Secure Configurations for Hardware and Software

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Secure System Configuration No Policy

Baselines & Images

Prevent

Patch Management System No Policy

Prevent

Elevated Account System Baseline No Policy

Prevent
Secure System Configuration No Policy
Baselines & Images

Prevent

File Integrity Assessment System No Policy

Monitor

Secure System Configuration No Policy

Baselines & Images
Prevent

Secure System Configuration No Policy

Baselines & Images
Prevent

File Integrity Assessment System No Policy

Monitor

SCAP Based Vulnerability No Policy

Management System

Detect

Configuration Enforcement System No Policy

Prevent

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
re and Software

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Control #4: C

Total Completion Policy Completion Implementation Completion Preventive Control C

0% 0% 0% 0%

ID Category Critical Security Control Detail

Run automated vulnerability scanning tools against all systems on the network on a
weekly or more frequent basis and deliver prioritized lists of the most critical
vulnerabilities to each responsible system administrator along with risk scores that
compare the effectiveness of system administrators and departments in reducing risk.
4.1 QW Use a SCAP-validated vulnerability scanner that looks for both code-based
vulnerabilities (such as those described by Common Vulnerabilities and Exposures
entries) and configuration-based vulnerabilities (as enumerated by the Common
Configuration Enumeration Project).

Correlate event logs with information from vulnerability scans to fulfill two goals. First,
personnel should verify that the activity of the regular vulnerability scanning tools
4.2 QW themselves is logged. Second, personnel should be able to correlate attack detection
events with earlier vulnerability scanning results to determine whether the given
exploit was used against a target known to be vulnerable.

Perform vulnerability scanning in authenticated mode either with agents running

locally on each end system to analyze the security configuration or with remote
scanners that are given administrative rights on the system being tested. Use a
4.3 QW dedicated account for authenticated vulnerability scans, which should not be used for
any other administrative activities and should be tied to specific machines at specific IP
addresses. Ensure that only authorized employees have access to the vulnerability
management user interface and that roles are applied to each user.
Subscribe to vulnerability intelligence services in order to stay aware of emerging
exposures, and use the information gained from this subscription to update the
4.4 QW organization’s vulnerability scanning activities on at least a monthly basis.
Alternatively, ensure that the vulnerability scanning tools you use are regularly updated
with all relevant important security vulnerabilities.

Deploy automated patch management tools and software update tools for operating
system and software/applications on all systems for which such tools are available and
4.5 V/A safe. Patches should be applied to all systems, even systems that are properly air
gapped.

Carefully monitor logs associated with any scanning activity and associated
4.6 V/A administrator accounts to ensure that all scanning activity and associated access via
the privileged account is limited to the timeframes of legitimate scans.

Compare the results from back-to-back vulnerability scans to verify that vulnerabilities
were addressed either by patching, implementing a compensating control, or
documenting and accepting a reasonable business risk. Such acceptance of business
4.7 C/H risks for existing vulnerabilities should be periodically reviewed to determine if newer
compensating controls or subsequent patches can address vulnerabilities that were
previously accepted, or if conditions have changed, increasing the risk.

Measure the delay in patching new vulnerabilities and ensure that the delay is equal to
4.8 C/H or less than the benchmarks set forth by the organization. Alternative
countermeasures should be considered if patches are not available.

Evaluate critical patches in a test environment before pushing them into production on
enterprise systems. If such patches break critical business applications on test
4.9 C/H machines, the organization must devise other mitigating controls that block
exploitation on systems where the patch cannot be deployed because of its impact on
business functionality.

Establish a process to risk-rate vulnerabilities based on the exploitability and potential

impact of the vulnerability, and segmented by appropriate groups of assets (example,
4.10 C/H DMZ servers, internal network servers, desktops, laptops). Apply patches for the
riskiest vulnerabilities first. A phased rollout can be used to minimize the impact to the
organization. Establish expected patching timelines based on the risk rating level.
This work is
rity Control #4: Continuous Vulnerability Assessment and Remediation

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

SCAP Based Vulnerability No Policy

Management System

Detect

Log Management System / SIEM No Policy

Detect

SCAP Based Vulnerability No Policy

Management System

Detect
Vulnerability Intelligence Service No Policy

Monitor

Patch Management System No Policy

Prevent

Log Management System / SIEM No Policy

Monitor

SCAP Based Vulnerability No Policy

Management System

Monitor

SCAP Based Vulnerability No Policy

Management System
Monitor

Patch Management System No Policy

Prevent

SCAP Based Vulnerability No Policy

Management System

Prevent

All Policies Approved:

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
4.0 International License.
Critical Sec

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

Employ automated tools to continuously monitor workstations, servers, and mobile

5.1 QW devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS
functionality. All malware detection events should be sent to enterprise anti-malware
administration tools and event log servers.

Employ anti-malware software that offers a remote, cloud-based centralized

5.2 QW infrastructure that compiles information on file reputations or have administrators
manually push updates to all machines. After applying an update, automated systems
should verify that each system has received its signature update.

Configure laptops, workstations, and servers so that they will not auto-run content
5.3 QW from removable media, like USB tokens (i.e., “thumb drives”), USB hard drives,
CDs/DVDs, FireWire devices, external serial advanced technology attachment devices,
and mounted network shares,.
5.4 QW Configure systems so that they automatically conduct an anti-malware scan of
removable media when inserted.

5.5 QW Scan and block all e-mail attachments entering the organization’s e-mail gateway if they
contain malicious code or file types that are unnecessary for the organization’s
business. This scanning should be done before the e-mail is placed in the user’s inbox.
This includes e-mail content filtering and web content filtering.

Enable anti-exploitation features such as Data Execution Prevention (DEP), Address

5.6 QW Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased
protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET)
that can be configured to apply these protections to a broader set of applications and
executables.
5.7 QW Limit use of external devices to those that have a business need. Monitor for use and
attempted use of external devices.
5.8 V/A Ensure that automated monitoring tools use behavior-based anomaly detection to
complement traditional signature-based detection.
Use network-based anti-malware tools to identify executables in all network traffic and
5.9 V/A use techniques other than signature-based detection to identify and filter out
malicious content before it arrives at the endpoint.

Implement an incident response process that allows the IT support organization to

5.10 ADV supply the security team with samples of malware running on corporate systems that
do not appear to be recognized by the enterprise’s anti-malware software. Samples
should be provided to the security vendor for “out-of-band” signature creation and
later deployed to the enterprise by system administrators.
5.11 ADV Enable domain name system (DNS) query logging to detect hostname lookup for
known malicious C2 domains.

This work is
Critical Security Control #5: Malware Defenses

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Anti-Malware / Endpoint Protection No Policy

System
Monitor

Anti-Malware / Endpoint Protection No Policy

System
Prevent

Removeable Media Control / No Policy

Endpoint Protection System
Prevent
Removeable Media Control / No Policy
Monitor Endpoint Protection System

Email Anti-Malware System No Policy

Prevent

Microsoft EMET No Policy

Prevent
Log Management System / SIEM No Policy
Monitor
Anti-Malware / Endpoint Protection No Policy
Monitor System

Network Based Anti-Malware System No Policy

Detect

Malware Analysis System No Policy

Respond
Log Management System / SIEM No Policy
Monitor

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security C

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

For all acquired application software, check that the version you are using is still
6.1 QW supported by the vendor. If not, update to the most current version and install all
relevant patches and vendor security recommendations.

Protect web applications by deploying web application firewalls (WAFs) that inspect all
traffic flowing to the web application for common web application attacks, including
but not limited to cross-site scripting, SQL injection, command injection, and directory
traversal attacks. For applications that are not web-based, specific application firewalls
6.2 QW should be deployed if such tools are available for the given application type. If the
traffic is encrypted, the device should either sit behind the encryption or be capable of
decrypting the traffic prior to analysis. If neither option is appropriate, a host-based
web application firewall should be deployed.

For in-house developed software, ensure that explicit error checking is performed and
6.3 V/A documented for all input, including for size, data type, and acceptable ranges or
formats.

Test in-house-developed and third-party-procured web applications for common

security weaknesses using automated remote web application scanners prior to
6.4 V/A deployment, whenever updates are made to the application, and on a regular recurring
basis. Include tests for application behavior under denial-of-service or resource
exhaustion attacks.

6.5 V/A Do not display system error messages to end-users (output sanitization).
Maintain separate environments for production and nonproduction systems.
6.6 V/A Developers should not typically have unmonitored access to production environments.

Test in-house-developed web and other application software for coding errors and
potential vulnerabilities prior to deployment using automated static code analysis
6.7 C/H software, as well as manual testing and inspection. In particular, input validation and
output encoding routines of application software should be reviewed and tested.

For acquired application software, examine the product security process of the vendor
6.8 C/H (history of vulnerabilities, customer notification, patching/remediation) as part of the
overall enterprise risk management process.

For applications that rely on a database, use standard hardening configuration

6.9 C/H templates. All systems that are part of critical business processes should also be tested.

Ensure that all software development personnel receive training in writing secure code
6.10 C/H for their specific development environment.
For in-house developed applications, ensure that development artifacts (sample data
6.11 C/H and scripts; unused libraries, components, debug code; or tools) are not included in
the deployed software, or accessible in the production environment.

This work is
Critical Security Control #6: Application Software Security

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Patch Management System No Policy

Prevent

Web Application Firewall (WAF) No Policy

Prevent

Application Code Review / No Policy

Vulnerability Scanning System
Prevent

Application Code Review / No Policy

Vulnerability Scanning System

Detect
Application Code Review / No Policy
Prevent Vulnerability Scanning System
Application Code Review / No Policy
Vulnerability Scanning System
Prevent

Application Code Review / No Policy

Vulnerability Scanning System

Detect

Application Code Review / No Policy

Vulnerability Scanning System
Detect

Application Code Review / No Policy

Vulnerability Scanning System
Prevent
Training / Awareness Education Plans No Policy
Prevent

Application Code Review / No Policy

Vulnerability Scanning System
Prevent

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
curity

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Securi

Total Completion Policy Completion Implementation Completion Preventive Control C

0% 0% 0% 0%

ID Category Critical Security Control Detail

Ensure that each wireless device connected to the network matches an authorized
configuration and security profile, with a documented owner of the connection and a
7.1 QW defined business need. Organizations should deny access to those wireless devices that
do not have such a configuration and profile.

Configure network vulnerability scanning tools to detect wireless access points

connected to the wired network. Identified devices should be reconciled against a list
7.2 QW of authorized wireless access points. Unauthorized (i.e., rogue) access points should be
deactivated.

Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and
7.3 V /H detect attack attempts and successful compromises. In addition to WIDS, all wireless
traffic should be monitored by WIDS as traffic passes into the wired network.

Where a specific business need for wireless access has been identified, configure
7.4 C/H wireless access on client machines to allow access only to authorized wireless
networks.

For devices that do not have an essential wireless business purpose, disable wireless
access in the hardware configuration (basic input/output system or extensible firmware
7.5 C/H interface), with password protections to lower the possibility that the user will override
such configurations.
Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES)
7.6 C/H encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection.
Ensure that wireless networks use authentication protocols such as Extensible
7.7 C/H Authentication Protocol-Transport Layer Security (EAP/TLS), which provide credential
protection and mutual authentication.
Disable peer-to-peer wireless network capabilities on wireless clients, unless such
7.8 C/H functionality meets a documented business need.
Disable wireless peripheral access of devices (such as Bluetooth), unless such access is
7.9 C/H required for a documented business need.
Create separate virtual local area networks (VLANs) for BYOD systems or other
untrusted devices. Internet access from this VLAN should go through at least the same
7.10 C/H border as corporate traffic. Enterprise access from this VLAN should be treated as
untrusted and filtered and audited accordingly.

This work is
Critical Security Control #7: Wireless Access Control

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Wireless Security Standard / Baseline No Policy

Prevent

SCAP Based Vulnerability No Policy

Management System
Detect

Wireless Intrusion Detection System No Policy

(WIDS)
Identify

Wireless Security Standard / Baseline No Policy

Prevent

Configuration Enforcement System No Policy

Prevent
Configuration Enforcement System No Policy
Prevent
Prevent Configuration Enforcement System No Policy
Prevent Public Key Infrastructure (PKI) No Policy
Prevent Network Access Control (NAC) No Policy
Configuration Enforcement System No Policy
Prevent
Configuration Enforcement System No Policy
Prevent

Wireless Security Standard / Baseline No Policy

Prevent

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
rol

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Securit

Total Completion Policy Completion Implementation Completion Preventive Control C

0% 0% 0% 0%

ID Category Critical Security Control Detail

Ensure that each system is automatically backed up on at least a weekly basis, and
more often for systems storing sensitive information. To help ensure the ability to
rapidly restore a system from backup, the operating system, application software, and
8.1 QW data on a machine should each be included in the overall backup procedure. These
three components of a system do not have to be included in the same backup file or
use the same backup software. There should be multiple backups over time, so that in
the event of malware infection, restoration can be from a version that is believed to
predate the original infection. All backup policies should be compliant with any
regulatory or official requirements.
8.2 QW Test data on backup media on a regular basis by performing a data restoration process
to ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when
8.3 C/H they are stored, as well as when they are moved across the network. This includes
remote backups and cloud services.

Ensure that key systems have at least one backup destination that is not continuously
8.4 C/H addressable through operating system calls. This will mitigate the risk of attacks like
CryptoLocker which seek to encrypt or damage data on all addressable data shares,
including backup destinations.
This work is
Critical Security Control #8: Data Recovery Capability

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Backup / Recovery System No Policy

Prevent
Backup / Recovery System No Policy
Monitor

Backup / Recovery System No Policy

Prevent

Backup / Recovery System No Policy

Prevent

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
lity

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Control #9: Secur

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

Perform gap analysis to see which skills employees need and which behaviors
9.1 QW employees are not adhering to, using this information to build a baseline training and
awareness roadmap for all employees.

Deliver training to fill the skills gap. If possible, use more senior staff to deliver the
9.2 QW training. A second option is to have outside teachers provide training onsite so the
examples used will be directly relevant. If you have small numbers of people to train,
use training conferences or online training to fill the gaps.

Implement an online security awareness program that (1) focuses only on the methods
commonly used in intrusions that can be blocked through individual action, (2) is
9.3 QW delivered in short online modules convenient for employees (3) is updated frequently
(at least annually) to represent the latest attack techniques, (4) is mandated for
completion by all employees at least annually, and (5) is reliably monitored for
employee completion.

Validate and improve awareness levels through periodic tests to see whether
9.4 V/A employees will click on a link from suspicious e-mail or provide sensitive information
on the telephone without following appropriate procedures for authenticating a caller;
targeted training should be provided to those who fall victim to the exercise.

Use security skills assessments for each of the mission-critical roles to identify skills
9.5 C/H gaps. Use hands-on, real-world examples to measure mastery. If you do not have such
assessments, use one of the available online competitions that simulate real-world
scenarios for each of the identified jobs in order to measure skills mastery.
This work is
Control #9: Security Skills Assessment and Appropriate Training to Fill Gaps

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Training / Awareness Education Plans No Policy

Identify

Training / Awareness Education Plans No Policy

Prevent

Training / Awareness Education Plans No Policy

Prevent

Training / Awareness Education Plans No Policy

Monitor

Training / Awareness Education Plans No Policy

Identify

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
te Training to Fill Gaps

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Control

Total Completion Policy Completion Implementation Completion Preventive Control C

0% 0% 0% 0%

ID Category Critical Security Control Detail

Compare firewall, router, and switch configuration against standard secure

configurations defined for each type of network device in use in the organization. The
10.1 QW security configuration of such devices should be documented, reviewed, and approved
by an organization change control board. Any deviations from the standard
configuration or updates to the standard configuration should be documented and
approved in a change control system.

All new configuration rules beyond a baseline-hardened configuration that allow traffic
10.2 C/H to flow through network security devices, such as firewalls and network-based IPS,
should be documented and recorded in a configuration management system, with a
specific business reason for each change, a specific individual’s name responsible for
that business need, and an expected duration of the need.

10.3 C/H Use automated tools to verify standard device configurations and detect changes. All
alterations to such files should be automatically reported to security personnel.

10.4 C/H
Manage network devices using two-factor authentication and encrypted sessions.
10.5 C/H
Install the latest stable version of any security-related updates.
Manage the network infrastructure across network connections that are separated
10.6 ADV from the business use of that network, relying on separate VLANs or, preferably, on
entirely different physical connectivity for management sessions for network devices.
This work is
l Security Control #10: Secure Configurations for Network Devices

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

SCAP Based Vulnerability No Policy

Management System

Monitor

Network Traffic / Service Baseline No Policy

Identify
Monitor Network Traffic / Service Baseline No Policy
Network Device Management No Policy
Monitor System
Prevent Network Traffic / Service Baseline No Policy
Network Device Management No Policy
Prevent System
Network Device Management No Policy
Prevent System

Network Device Management No Policy

System
Prevent

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
work Devices

on Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Contro

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

Ensure that only ports, protocols, and services with validated business needs are
11.1 QW running on each system.

Apply host-based firewalls or port filtering tools on end systems, with a default-deny
11.2 QW rule that drops all traffic except those services and ports that are explicitly allowed.
Perform automated port scans on a regular basis against all key servers and compared
11.3 QW to a known effective baseline. If a change that is not listed on the organization’s
approved baseline is discovered, an alert should be generated and reviewed.
Keep all services up to date and uninstall and remove any unnecessary components
11.4 QW from the system.
Verify any server that is visible from the Internet or an untrusted network, and if it is
11.5 V/A not required for business purposes, move it to an internal VLAN and give it a private
address.
Operate critical services on separate physical or logical host machines, such as DNS,
11.6 C/H file, mail, web, and database servers.
Place application firewalls in front of any critical servers to verify and validate the traffic
11.7 C/H going to the server. Any unauthorized services or traffic should be blocked and an alert
generated.
This work is
al Security Control #11: Limitation and Control of Network Ports

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Service Inventory / Baseline No Policy
Monitor
Secure System Configuration No Policy
Monitor Baselines & Images
Host Based Firewalls / Endpoint No Policy
Prevent Protection System
Monitor Service Inventory / Baseline No Policy
SCAP Based Vulnerability No Policy
Monitor Management System

Patch Management System No Policy

Prevent

Service Inventory / Baseline No Policy

Prevent
Secure System Configuration No Policy
Prevent Baselines & Images

Application Aware Firewalls No Policy

Prevent

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
twork Ports

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Control

Total Completion Policy Completion Implementation Completion Preventive Control C

0% 0% 0% 0%

ID Category Critical Security Control Detail

Minimize administrative privileges and only use administrative accounts when they are
12.1 QW required. Implement focused auditing on the use of administrative privileged
functions and monitor for anomalous behavior.

Use automated tools to inventory all administrative accounts and validate that each
12.2 QW person with administrative privileges on desktops, laptops, and servers is authorized by
a senior executive.

Configure all administrative passwords to be complex and contain letters, numbers,

and special characters intermixed, and with no dictionary words present in the
12.3 QW password. Pass phrases containing multiple dictionary words, along with special
characters, are acceptable if they are of a reasonable length.

Before deploying any new devices in a networked environment, change all default
12.4 QW passwords for applications, operating systems, routers, firewalls, wireless access points,
and other systems to have values consistent with administration-level accounts.

Ensure that all service accounts have long and difficult-to-guess passwords that are
12.5 QW changed on a periodic basis, as is done for traditional user and administrative
passwords.

Passwords should be hashed or encrypted in storage. Passwords that are hashed

should be salted and follow guidance provided in NIST SP 800-132 or similar guidance.
12.6 QW Files containing these encrypted or hashed passwords required for systems to
authenticate users should be readable only with super-user privileges.
Utilize access control lists to ensure that administrative accounts are used only for
system administration activities, and not for reading e-mail, composing documents, or
12.7 QW surfing the Internet. Web browsers and e-mail clients especially must be configured to
never run as administrator.

Through policy and user awareness, require that administrators establish unique,
different passwords for their administrative and non-administrative accounts. Each
person requiring administrative access should be given his/her own separate account.
12.8 QW Users should only use the Windows “administrator” or UNIX “root” accounts in
emergency situations. Domain administration accounts should be used when required
for system administration instead of local administrative accounts.

Configure operating systems so that passwords cannot be re-used within a timeframe

12.9 QW of six months.
Configure systems to issue a log entry and alert when an account is added to or
12.10 V/A removed from a domain administrators’ group, or when a new local administrator
account is added on a system.
Configure systems to issue a log entry and alert when unsuccessful login to an
12.11 V/A administrative account is attempted.
Use multifactor authentication for all administrative access, including domain
administrative access. Multi-factor authentication can include a variety of techniques,
12.12 C/H to include the use of smart cards with certificates, One Time Password (OTP) tokens,
and biometrics.

When using certificates to enable multi-factor certificate-based authentication, ensure

12.13 C/H that the private keys are protected using strong passwords or are stored in trusted,
secure hardware tokens.

Block access to a machine (either remotely or locally) for administrator-level accounts.

Instead, administrators should be required to access a system using a fully logged and
non-administrative account. Then, once logged on to the machine without
12.14 C/H administrative privileges, the administrator should transition to administrative
privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other
similar facilities for other types of systems. Users would use their own administrative
accounts and enter a password each time that is different than their user account.

This work is
l Security Control #12: Controlled Use of Administrative Privileges

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Prevent Elevated Account System Baseline No Policy
Identity & Access Management No Policy
Prevent System

Elevated Account System Baseline No Policy

Identify
Identity & Access Management No Policy
Identify System

Authentication System No Policy

Prevent

Authentication System No Policy

Prevent

Authentication System No Policy

Prevent

Authentication System No Policy

Prevent
Host Based Access Control Lists No Policy

Prevent

Authentication System No Policy

Prevent
Authentication System No Policy
Prevent

Identity & Access Management No Policy

System
Monitor
Log Management System / SIEM No Policy
Monitor

Authentication System No Policy

Prevent

Public Key Infrastructure (PKI) No Policy

Prevent

Identity & Access Management No Policy

System

Prevent

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
ve Privileges

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Secu

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

Deny communications with (or limit data flow to) known malicious IP addresses (black
lists), or limit access only to trusted sites (whitelists). Tests can be periodically carried
out by sending packets from bogon source IP addresses (non-routable or otherwise
13.1 QW unused IP addresses) into the network to verify that they are not transmitted through
network perimeters. Lists of bogon addresses are publicly available on the Internet
from various sources, and indicate a series of IP addresses that should not be used for
legitimate traffic traversing the Internet.

On DMZ networks, configure monitoring systems (which may be built in to the IDS
sensors or deployed as a separate technology) to record at least packet header
information, and preferably full packet header and payloads of the traffic destined for
13.2 QW or passing through the network border. This traffic should be sent to a properly
configured Security Information Event Management (SIEM) or log analytics system so
that events can be correlated from all devices on the network.

To lower the chance of spoofed e-mail messages, implement the Sender Policy
13.3 V/A Framework (SPF) by deploying SPF records in DNS and enabling receiver-side
verification in mail servers.

Deploy network-based IDS sensors on Internet and extranet DMZ systems and
networks that look for unusual attack mechanisms and detect compromise of these
13.4 V/A systems. These network-based IDS sensors may detect attacks through the use of
signatures, network behavior analysis, or other mechanisms to analyze traffic.
Network-based IPS devices should be deployed to complement IDS by blocking known
bad signature or behavior of attacks. As attacks become automated, methods such as
IDS typically delay the amount of time it takes for someone to react to an attack. A
13.5 V/A properly configured network-based IPS can provide automation to block bad traffic.
When evaluating network-based IPS products, include those using techniques other
than signature-based detection (such as virtual machine or sandbox-based
approaches) for consideration.

Design and implement network perimeters so that all outgoing web, file transfer
protocol (FTP), and secure shell traffic to the Internet must pass through at least one
proxy on a DMZ network. The proxy should support logging individual TCP sessions;
blocking specific URLs, domain names, and IP addresses to implement a black list; and
13.6 V/A applying whitelists of allowed sites that can be accessed through the proxy while
blocking all other sites. Organizations should force outbound traffic to the Internet
through an authenticated proxy server on the enterprise perimeter. Proxies can also
be used to encrypt all traffic leaving an organization.

Require all remote login access (including VPN, dial-up, and other forms of access that
13.7 V/A allow login to internal systems) to use two-factor authentication.

All enterprise devices remotely logging into the internal network should be managed
by the enterprise, with remote control of their configuration, installed software, and
13.8 C/H patch levels. For third-party devices (e.g., subcontractors/vendors), publish minimum
security standards for access to the enterprise network and perform a security scan
before allowing access.

Periodically scan for back-channel connections to the Internet that bypass the DMZ,
including unauthorized VPN connections and dual-homed hosts connected to the
13.9 C/H enterprise network and to other networks via wireless, dial-up modems, or other
mechanisms.

To limit access by an insider, untrusted subcontractor/vendor, or malware spreading on

13.10 C/H an internal network, devise internal network segmentation schemes to limit traffic to
only those services needed for business use across the organization’s internal network.

To minimize the impact of an attacker pivoting between compromised systems, only

13.12 ADV allow DMZ systems to communicate with private network systems via application
proxies or application-aware firewalls over approved channels.

To help identify covert channels exfiltrating data through a firewall, configure the built-
in firewall session tracking mechanisms included in many commercial firewalls to
13.13 ADV identify TCP sessions that last an unusually long time for the given organization and
firewall device, alerting personnel about the source and destination addresses
associated with these long sessions.

Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous
13.14 C/H activity.
This work is
Critical Security Control #13: Boundary Defense

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Network Proxy / Firewall / No Policy

Monitoring System

Prevent

Network Proxy / Firewall / No Policy

Monitoring System

Monitor

SPF DNS Records No Policy

Prevent

Network Information Flow Baseline No Policy

Detect
Network Proxy / Firewall / No Policy
Monitoring System
Detect
Network Information Flow Baseline No Policy
Prevent

Network Proxy / Firewall / No Policy

Monitoring System
Prevent

Network Information Flow Baseline No Policy

Detect

Network Proxy / Firewall / No Policy

Monitoring System
Prevent
Authentication System No Policy
Prevent

Configuration Enforcement System No Policy

Prevent
Network Information Flow Baseline No Policy
Monitor
Network Proxy / Firewall / No Policy
Monitor Monitoring System

Network Devices that Support VLANs No Policy

& ACLs
Preventt
Network Information Flow Baseline No Policy
Prevent
Application Aware Firewalls No Policy
Prevent

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
e

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Control #14:

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

Include at least two synchronized time sources (i.e., Network Time Protocol – NTP)
14.1 QW from which all servers and network equipment retrieve time information on a regular
basis so that timestamps in logs are consistent, and are set to UTC (Coordinate
Universal Time).

Validate audit log settings for each hardware device and the software installed on it,
ensuring that logs include a date, timestamp, source addresses, destination addresses,
14.2 QW and various other useful elements of each packet and/or transaction. Systems should
record logs in a standardized format such as syslog entries or those outlined by the
Common Event Expression initiative. If systems cannot generate logs in a standardized
format, log normalization tools can be deployed to convert logs into such a format.
Ensure that all systems that store logs have adequate storage space for the logs
14.3 QW generated on a regular basis, so that log files will not fill up between log rotation
intervals. The logs must be archived and digitally signed on a periodic basis.

Develop a log retention policy to make sure that the logs are kept for a sufficient period
14.4 QW of time. Organizations are often compromised for several months without detection.
The logs must be kept for a longer period of time than it takes an organization to detect
an attack so they can accurately determine what occurred.
Have security personnel and/or system administrators run biweekly reports that
14.5 QW identify anomalies in logs. They should then actively review the anomalies,
documenting their findings.
Configure network boundary devices, including firewalls, network-based IPS, and
14.6 V/A inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked)
arriving at the device.
For all servers, ensure that logs are written to write-only devices or to dedicated
14.7 V/A logging servers running on separate machines from the hosts generating the event
logs, lowering the chance that an attacker can manipulate logs stored locally on
compromised machines.

Deploy a SIEM (Security Incident and Event Management) or log analytic tools for log
aggregation and consolidation from multiple machines and for log correlation and
14.8 V/A analysis. Using the SIEM tool, system administrators and security personnel should
devise profiles of common events from given systems so that they can tune detection
to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and
prevent overwhelming analysts with insignificant alerts.

Monitor for service creation events and enable process tracking logs. On Windows
14.9 ADV systems, many attackers use PsExec functionality to spread from system to system.
Creation of a service is an unusual event and should be monitored closely. Process
tracking is valuable for incident handling.

Ensure that the log collection system does not lose events during peak activity, and
14.10 ADV that the system detects and alerts if event loss occurs (such as when volume exceeds
the capacity of a log collection system). This includes ensuring that the log collection
system can accommodate intermittent or restricted-bandwidth connectivity through
the use of handshaking / flow control.

This work is
urity Control #14: Maintenance, Monitoring, and Analysis of Audit Logs

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Network Time Protocol (NTP) No Policy

Systems
Prevent

Log Management System / SIEM No Policy

Prevent

Log Management System / SIEM No Policy

Prevent
Log Retention Standard No Policy
Prevent
Log Management System / SIEM No Policy
Prevent

Log Management System / SIEM No Policy

Monitor

Log Management System / SIEM No Policy

Detect
Log Management System / SIEM No Policy

Prevent

Log Management System / SIEM No Policy

Monitor

Log Management System / SIEM No Policy

Monitor

Log Management System / SIEM No Policy

Monitor

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
lysis of Audit Logs

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Control #

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

Locate any sensitive information on separated VLANS with firewall filtering. All
15.1 QW communication of sensitive information over less-trusted networks should be
encrypted.

Enforce detailed audit logging for access to nonpublic data and special authentication
15.3 V/A for sensitive data.
Segment the network based on the trust levels of the information stored on the
15.4 C/H servers. Whenever information flows over a network with a lower trust level, the
information should be encrypted.

Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied off
a server. In most organizations, access to the data is controlled by ACLs that are
15.5 ADV implemented on the server. Once the data have been copied to a desktop system, the
ACLs are no longer enforced and the users can send the data to whomever they want.
This work is
Security Control #15: Controlled Access Based on the Need to Know

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Network Devices that Support VLANs No Policy
Prevent & ACLs

Data Encryption System No Policy

Prevent
Log Management System / SIEM No Policy
Monitor

Network Devices that Support VLANs No Policy

& ACLs
Prevent

Hosed Based Data Loss Prevention No Policy

(DLP) System
Prevent

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Need to Know

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Co

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

16.1 QW Review all system accounts and disable any account that cannot be associated with a
business process and owner.

16.2 QW
Ensure that all accounts have an expiration date associated with the account.

Ensure that systems automatically create a report that includes a list of locked-out
16.3 QW accounts, disabled accounts, accounts with passwords that exceed the maximum
password age, and accounts with passwords that never expire. This list should be sent
to the associated system administrator in a secure fashion.
Establish and follow a process for revoking system access by disabling accounts
16.4 QW immediately upon termination of an employee or contractor. Disabling instead of
deleting accounts allows preservation of audit trails.
16.5 QW Regularly monitor the use of all accounts, automatically logging off users after a
standard period of inactivity.
16.6 QW Configure screen locks on systems to limit access to unattended workstations.

Monitor account usage to determine dormant accounts, notifying the user or user’s
16.7 QW manager. Disable such accounts if not needed, or document and monitor exceptions
(e.g., vendor maintenance accounts needed for system recovery or continuity
operations).
Require that all non-administrator accounts have strong passwords that contain letters,
16.8 QW numbers, and special characters, be changed at least every 90 days, have a minimal
age of one day, and not be allowed to use the previous 15 passwords as a new
password. These values can be adjusted based on the specific business needs of the
organization.
16.9 QW Use and configure account lockouts such that after a set number of failed login
attempts the account is locked for a standard period of time.
Require that managers match active employees and contractors with each account
16.10 V/A belonging to their managed staff. Security or system administrators should then disable
accounts that are not assigned to active employees or contractors.
16.11 V/A
Monitor attempts to access deactivated accounts through audit logging.
Configure access for all accounts through a centralized point of authentication, for
16.12 C/H example Active Directory or LDAP. Configure network and security devices for
centralized authentication as well.

Profile each user’s typical account usage by determining normal time-of-day access
16.13 C/H and access duration. Reports should be generated that indicate users who have logged
in during unusual hours or have exceeded their normal login duration. This includes
flagging the use of the user’s credentials from a computer other than computers on
which the user generally works.
Require multi-factor authentication for accounts that have access to sensitive data or
16.14 ADV systems. Multi-factor authentication can be achieved using Smart cards with
certificates, One Time Password (OTP) tokens, or biometrics.
For authenticated access to web services within an enterprise, ensure that account
16.15 ADV usernames and passwords are passed over an encrypted channel and associated
password hash files are stored securely if a centralized service is not employed.
16.16 ADV Configure all systems to use encrypted channels for the transmission of passwords over
a network.
Verify that all password files are encrypted or hashed and that these files cannot be
16.17 ADV accessed without root or administrator privileges. Audit all access to password files in
the system.

This work is
ritical Security Control #16: Account Monitoring and Control

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Identify User Account Inventory No Policy
Identity & Access Management No Policy
Identify System
Monitor User Account Inventory No Policy
Identity & Access Management No Policy
Prevent System

User Account Inventory No Policy

Monitor
Identity & Access Management No Policy
Monitor System
Prevent User Account Inventory No Policy
Identity & Access Management No Policy
Prevent System

Log Management System / SIEM No Policy

Monitor
Prevent Configuration Enforcement System No Policy

Identity & Access Management No Policy

System
Monitor
Authentication Standards No Policy

Prevent
Configuration Enforcement System No Policy
Prevent
Identify User Account Inventory No Policy
Identity & Access Management No Policy
Identify System
Monitor User Account Inventory No Policy
Monitor Log Management System / SIEM No Policy
Prevent User Account Inventory No Policy
Prevent Authentication System No Policy

Log Management System / SIEM No Policy

Monitor

Authentication System No Policy

Prevent

Authentication System No Policy

Prevent
Authentication System No Policy
Prevent

Authentication System No Policy

Prevent

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Control

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Sec

Total Completion Policy Completion Implementation Completion Preventive Control C

0% 0% 0% 0%

ID Category Critical Security Control Detail

17.1 QW Deploy approved hard drive encryption software to mobile devices and systems that
hold sensitive data.
17.2 QW Verify that cryptographic devices and software are configured to use publicly-vetted
algorithms.

17.3 QW
Perform an assessment of data to identify sensitive information that requires the
application of encryption and integrity controls
17.4 QW Review cloud provider security practices for data protection.

Deploy an automated tool on network perimeters that monitors for certain sensitive
17.5 V/A information (i.e., personally identifiable information), keywords, and other document
characteristics to discover unauthorized attempts to exfiltrate data across network
boundaries and block such transfers while alerting information security personnel.

Conduct periodic scans of server machines using automated tools to determine

17.6 V/A whether sensitive data (i.e., personally identifiable information, health, credit card, and
classified information) is present on the system in clear text. These tools, which search
for patterns that indicate the presence of sensitive information, can help identify if a
business or technical process is leaving behind or otherwise leaking sensitive
information.

17.7 C/H Move data between networks using secure, authenticated, and encrypted
mechanisms.
If there is no business need for supporting such devices, configure systems so that they
will not write data to USB tokens or USB hard drives. If such devices are required,
enterprise software should be used that can configure systems to allow only specific
17.8 C/H USB devices (based on serial number or other unique property) to be accessed, and
that can automatically encrypt all data placed on such devices. An inventory of all
authorized devices must be maintained.

Use network-based DLP solutions to monitor and control the flow of data within the
17.9 C/H network. Any anomalies that exceed the normal traffic patterns should be noted and
appropriate action taken to address them.
Only allow approved Certificate Authorities (CAs) to issue certificates within the
17.10 C/H enterprise; Review and verify each CAs Certificate Practices Statement (CPS) and
Certificate Policy (CP).
Perform an annual review of algorithms and key lengths in use for protection of
17.11 C/H sensitive data.
Monitor all traffic leaving the organization and detect any unauthorized use of
encryption. Attackers often use an encrypted channel to bypass network security
17.12 ADV devices. Therefore it is essential that organizations be able to detect rogue
connections, terminate the connection, and remediate the infected system.

17.13 ADV Block access to known file transfer and e-mail exfiltration websites.

Define roles and responsibilities related to management of encryption keys within the
17.14 ADV enterprise; define processes for lifecycle.
Where applicable, implement Hardware Security Modules (HSMs) for protection of
17.15 ADV private keys (e.g., for sub CAs) or Key Encryption Keys.

This work is
Critical Security Control #17: Data Protection

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Data Encryption System No Policy
Prevent
Data Encryption System No Policy
Prevent

Network Information Flow Baseline No Policy

Identify
Network Proxy / Firewall / No Policy
Identify Monitoring System
Prevent No Policy

Network Based Data Loss Prevention No Policy

(DLP) System
Detect

Network Information Flow Baseline No Policy

Detect

Host Based Data Loss Prevention No Policy

(DLP) System
Detect
Prevent Network Information Flow Baseline No Policy
Network Based Data Loss Prevention No Policy
Prevent (DLP) System
Removeable Media Control / No Policy
Endpoint Protection System

Prevent

Network Based Data Loss Prevention No Policy

(DLP) System
Prevent

Public Key Infrastructure (PKI) No Policy

Prevent
Public Key Infrastructure (PKI) No Policy
Prevent

Network Proxy / Firewall / No Policy

Monitoring System
Monitor
Network Proxy / Firewall / No Policy
Prevent Monitoring System

Public Key Infrastructure (PKI) No Policy

Prevent
Public Key Infrastructure (PKI) No Policy
Prevent

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
on Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported
Not Implemented Not Automated Not Reported

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Cont

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

Ensure that there are written incident response procedures that include a definition of
18.1 QW personnel roles for handling incidents. The procedures should define the phases of
incident handling.
18.2 QW Assign job titles and duties for handling computer and network incidents to specific
individuals.
18.3 QW Define management personnel who will support the incident handling process by
acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and
other personnel to report anomalous events to the incident handling team, the
18.4 QW mechanisms for such reporting, and the kind of information that should be included in
the incident notification. This reporting should also include notifying the appropriate
Community Emergency Response Team in accordance with all legal or regulatory
requirements for involving that organization in computer incidents.
Assemble and maintain information on third-party contact information to be used to
18.5 QW report a security incident (i.e., maintain an e-mail address of
security@organization.com or have a web page http://organization.com/security).
Publish information for all personnel, including employees and contractors, regarding
18.6 QW reporting computer anomalies and incidents to the incident handling team. Such
information should be included in routine employee awareness activities.
Conduct periodic incident scenario sessions for personnel associated with the incident
18.7 C/H handling team to ensure that they understand current threats and risks, as well as their
responsibilities in supporting the incident handling team.
This work is
tical Security Control #18: Incident Response and Management

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

No Policy
Prevent Incident Management Standard
No Policy
Prevent Incident Management Standard
No Policy
Prevent Incident Management Standard

No Policy

Prevent Incident Management Standard

No Policy
Prevent Incident Management Standard

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
nagement

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security C

Total Completion Policy Completion Implementation Completion Preventive Control Co

0% 0% 0% 0%

ID Category Critical Security Control Detail

Design the network using a minimum of a three-tier architecture (DMZ, middleware,

19.1 QW and private network). Any system accessible from the Internet should be on the DMZ,
but DMZ systems should never contain sensitive data. Any system with sensitive data
should reside on the private network and never be directly accessible from the
Internet. DMZ systems should communicate with private network systems through an
application proxy residing on the middleware tier.

19.2 C/H To support rapid response and shunning of detected attacks, engineer the network
architecture and its corresponding systems for rapid deployment of new access control
lists, rules, signatures, blocks, blackholes, and other defensive measures.

Deploy domain name systems (DNS) in a hierarchical, structured fashion, with all
internal network client machines configured to send requests to intranet DNS servers,
19.3 V/A not to DNS servers located on the Internet. These internal DNS servers should be
configured to forward requests they cannot resolve to DNS servers located on a
protected DMZ. These DMZ servers, in turn, should be the only DNS servers allowed to
send requests to the Internet.

19.4 C/H
Segment the enterprise network into multiple, separate trust zones to provide more
granular control of system access and additional intranet boundary defenses.
This work is
Critical Security Control #19: Secure Network Engineering

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

Network Architecture Baseline No Policy

Prevent

Network Architecture Baseline No Policy

Prevent

Network Architecture Baseline No Policy

Prevent

Network Information Flow Baseline No Policy

Prevent
Network Devices that Support VLANs No Policy
Prevent & ACLs

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
eering

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

Critical Security Contro

Total Completion Policy Completion Implementation Completion Preventive Control C

0% 0% 0% 0%

ID Category Critical Security Control Detail

Conduct regular external and internal penetration tests to identify vulnerabilities and
20.1 QW attack vectors that can be used to exploit enterprise systems successfully. Penetration
testing should occur from outside the network perimeter (i.e., the Internet or wireless
frequencies around an organization) as well as from within its boundaries (i.e., on the
internal network) to simulate both outsider and insider attacks.
Any user or system accounts used to perform penetration testing, should be controlled
20.2 QW and monitored to make sure they are only being used for legitimate purposes, and are
removed or restored to normal function after testing is over.
20.3 V/A Perform periodic Red Team exercises to test organizational readiness to identify and
stop attacks or to respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that
20.4 V/A would be useful to attackers, including network diagrams, configuration files, older
penetration test reports, e-mails or documents containing passwords or other
information critical to system operation.

Plan clear goals of the penetration test itself with blended attacks in mind, identifying
20.5 V/A the goal machine or target asset. Many APT-style attacks deploy multiple vectors—
often social engineering combined with web or network exploitation. Red Team
manual or automated testing that captures pivoted and multi-vector attacks offers a
more realistic assessment of security posture and risk to critical assets.
Use vulnerability scanning and penetration testing tools in concert. The results of
20.6 C/H vulnerability scanning assessments should be used as a starting point to guide and
focus penetration testing efforts.
20.7 ADV Devise a scoring method for determining the results of Red Team exercises so that
results can be compared over time.

Create a test bed that mimics a production environment for specific penetration tests
20.8 ADV and Red Team attacks against elements that are not typically tested in production, such
as attacks against supervisory control and data acquisition and other control
systems.

This work is
al Security Control #20: Penetration Tests and Red Team Exercises

Preventive Control Completion Detective Control Completion Automation Completion

0% 0% 0%

NIST Core Framework Sensor or Baseline Policy Defined

No Policy

Identify Penetration Testing System

No Policy
Monitor Penetration Testing System
No Policy
Identify Penetration Testing System

No Policy

Detect Penetration Testing System

No Policy

Monitor Penetration Testing System

No Policy
Monitor Penetration Testing System
No Policy
Prevent Penetration Testing System

No Policy

Prevent Penetration Testing System

All Policies Approved:

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
am Exercises

n Completion Reporting Completion

0% 0%

Control Implemented Control Automated Control Reported to Business

Not Implemented Not Automated Not Reported

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

4.0 International License.

DO NOT CHANGE THESE VALUES

Policy Status
No Policy
Informal Policy
Partial Written Policy
Written Policy
Approved Written Policy

Implementation Status
Not Implemented
Parts of Policy Implemented
Implemented on Some Systems
Implemented on All Systems

Automation Status
Not Automated
Parts of Policy Automated
Automated on Some Systems
Automated on All Systems

Reporting Status
Not Reported
Parts of Policy Reported
Reported on Some Systems
Reported on All Systems

Cambridge Igcse Information and Communication Technology Thirdnbsped 9781398318540 139831854x
38% (13)
Cambridge Igcse Information and Communication Technology Thirdnbsped 9781398318540 139831854x
89 pages
AuditScripts CIS Controls Initial Assessment Tool V8.0a
No ratings yet
AuditScripts CIS Controls Initial Assessment Tool V8.0a
21 pages
STRIDE-based Methodologies For Threat Modeling of Industrial Control Systems A Review
No ratings yet
STRIDE-based Methodologies For Threat Modeling of Industrial Control Systems A Review
8 pages
Software Release Note - Template
No ratings yet
Software Release Note - Template
8 pages
OT Security Policy Template
No ratings yet
OT Security Policy Template
5 pages
ACCA P5 - Advanced Performance Management Passcards 2013-1
100% (4)
ACCA P5 - Advanced Performance Management Passcards 2013-1
177 pages
Audit Programme Payroll 2
100% (1)
Audit Programme Payroll 2
3 pages
Audit Programme Payroll 2
100% (1)
Audit Programme Payroll 2
3 pages
LFS101x - Introduction To Linux Outline
0% (1)
LFS101x - Introduction To Linux Outline
4 pages
MTM 0051 00 Vol01 - E2.31.L3 PDF
100% (3)
MTM 0051 00 Vol01 - E2.31.L3 PDF
490 pages
All Checks of Prowler
No ratings yet
All Checks of Prowler
18 pages
Dcs Training-Basic
86% (7)
Dcs Training-Basic
96 pages
CIS Risk Assessment Method (RAM) : Implementation Group 1 (IG1) Workbook Edition
100% (1)
CIS Risk Assessment Method (RAM) : Implementation Group 1 (IG1) Workbook Edition
38 pages
AuditScripts CIS Controls Master Mappings v7.1b
No ratings yet
AuditScripts CIS Controls Master Mappings v7.1b
3,429 pages
CSF PF To Sp800 53r5 Mappings
No ratings yet
CSF PF To Sp800 53r5 Mappings
285 pages
Iia Australia White Paper Integrated Risk Based Internal Auditing 2016 PDF
100% (1)
Iia Australia White Paper Integrated Risk Based Internal Auditing 2016 PDF
12 pages
WebSphere Application Server 8.5 Security Hardening
No ratings yet
WebSphere Application Server 8.5 Security Hardening
111 pages
Cmmi Project
No ratings yet
Cmmi Project
3,570 pages
Gain A Complete View of Risk & Compliance
No ratings yet
Gain A Complete View of Risk & Compliance
22 pages
Platform SAMPLE Project Plan - 7
No ratings yet
Platform SAMPLE Project Plan - 7
10 pages
Sample SelfAssessment Questionnaire SAQ
0% (1)
Sample SelfAssessment Questionnaire SAQ
26 pages
Sector Mapping Chart - Nov11
No ratings yet
Sector Mapping Chart - Nov11
177 pages
Dynatrace SaaS CAIQ v3.0.1
No ratings yet
Dynatrace SaaS CAIQ v3.0.1
94 pages
CIS Benchmark
No ratings yet
CIS Benchmark
39 pages
F08-Application Form
No ratings yet
F08-Application Form
3 pages
Solaris 10 Installation Guide - Solaris Flash Archives (Creation and Installation)
No ratings yet
Solaris 10 Installation Guide - Solaris Flash Archives (Creation and Installation)
86 pages
SAP ASE Installation Guide Windows en
No ratings yet
SAP ASE Installation Guide Windows en
120 pages
v04 NBU83ADM - Lab 04 NetBackup Policies Windows
No ratings yet
v04 NBU83ADM - Lab 04 NetBackup Policies Windows
21 pages
Application Review Audit Program
No ratings yet
Application Review Audit Program
7 pages
AuditScripts CIS Controls Initial Assessment Tool v7.1b
No ratings yet
AuditScripts CIS Controls Initial Assessment Tool v7.1b
23 pages
PcVueSolutions Industry 4.0 en v5
No ratings yet
PcVueSolutions Industry 4.0 en v5
45 pages
Overview Presentation - It Essentials - CCNA
No ratings yet
Overview Presentation - It Essentials - CCNA
37 pages
ACL9 Getting Started Guide PDF
No ratings yet
ACL9 Getting Started Guide PDF
84 pages
MAN Appendix 17-D Information Security Assessment VDA en November-2017 v1.0
No ratings yet
MAN Appendix 17-D Information Security Assessment VDA en November-2017 v1.0
39 pages
Identity and Access Management PMI Westchester Quality SIG Presentation September 12 2017
No ratings yet
Identity and Access Management PMI Westchester Quality SIG Presentation September 12 2017
20 pages
Iot Fundamentals:: Security & Privacy
No ratings yet
Iot Fundamentals:: Security & Privacy
21 pages
Security BP For Manufacturing Ot
100% (1)
Security BP For Manufacturing Ot
35 pages
Tackling RMF W/Devsecops: Jennifer Rekas March 2019
No ratings yet
Tackling RMF W/Devsecops: Jennifer Rekas March 2019
16 pages
Rsa Archer Information Security Management Systems (ISMS) Ds Letter
No ratings yet
Rsa Archer Information Security Management Systems (ISMS) Ds Letter
4 pages
6820 SIE DI Whitepaper Industrial Network Security Architecture A4 LK 03
No ratings yet
6820 SIE DI Whitepaper Industrial Network Security Architecture A4 LK 03
13 pages
Lock.: Chapter 2: Deadlocks 2.1 Introduction To Deadlock
No ratings yet
Lock.: Chapter 2: Deadlocks 2.1 Introduction To Deadlock
10 pages
Cisco Modeling Labs 1.0 Corporate Edition Client Installation Guide
No ratings yet
Cisco Modeling Labs 1.0 Corporate Edition Client Installation Guide
20 pages
Final PPT Med Reminder PPT Sem Third
No ratings yet
Final PPT Med Reminder PPT Sem Third
17 pages
LSBF Big Book of Acca Tips
No ratings yet
LSBF Big Book of Acca Tips
36 pages
Schneider 62443 Maintain
No ratings yet
Schneider 62443 Maintain
7 pages
Software Development Tools: Issue and Defect Tracking With DevTrack
No ratings yet
Software Development Tools: Issue and Defect Tracking With DevTrack
9 pages
Cs2402 Mobile Computing: Unit Ii
No ratings yet
Cs2402 Mobile Computing: Unit Ii
6 pages
SDLA 100 Certification Scheme (v1 - 8)
No ratings yet
SDLA 100 Certification Scheme (v1 - 8)
16 pages
Virtual Machine Seminar
No ratings yet
Virtual Machine Seminar
37 pages
BSIMM V Activities
No ratings yet
BSIMM V Activities
32 pages
It Audit Checklist
No ratings yet
It Audit Checklist
3 pages
Tekgem IACS Cyber Security Assessment
No ratings yet
Tekgem IACS Cyber Security Assessment
8 pages
Control Control Requirements: Statement of Applicability
No ratings yet
Control Control Requirements: Statement of Applicability
3 pages
Iso/Iec 27001 Solution Brief: Eventtracker
No ratings yet
Iso/Iec 27001 Solution Brief: Eventtracker
8 pages
Kaspersky Security Center Datasheet
No ratings yet
Kaspersky Security Center Datasheet
2 pages
Isms Policy List
No ratings yet
Isms Policy List
6 pages
Sma75 Cs Imaging 8 System Requirements Edition 04
No ratings yet
Sma75 Cs Imaging 8 System Requirements Edition 04
2 pages
RACI ERP Migration
No ratings yet
RACI ERP Migration
2 pages
ICS SICS Framework Infographic
100% (1)
ICS SICS Framework Infographic
1 page
CV - Mayank Agrawal
No ratings yet
CV - Mayank Agrawal
3 pages
Fundamentals of OT ICS Security Course Content
No ratings yet
Fundamentals of OT ICS Security Course Content
8 pages
Fleet Management System: in Information Technology by
No ratings yet
Fleet Management System: in Information Technology by
30 pages
25 Great But Little-Known Cybersecurity Frameworks
No ratings yet
25 Great But Little-Known Cybersecurity Frameworks
2 pages
Cis Controls V7.1: Center For Internet Security
No ratings yet
Cis Controls V7.1: Center For Internet Security
5 pages
Cis Benchmark Matrix
No ratings yet
Cis Benchmark Matrix
8 pages
CO Product-Security-Infographic CS EN
No ratings yet
CO Product-Security-Infographic CS EN
1 page
Section - 5 - Part B-31 Access Management Functional Requirements
No ratings yet
Section - 5 - Part B-31 Access Management Functional Requirements
3 pages
Isc2 Cissp 1 13 1 Threat Modeling Concepts and Methodologies
No ratings yet
Isc2 Cissp 1 13 1 Threat Modeling Concepts and Methodologies
2 pages
Nerc Cip
No ratings yet
Nerc Cip
30 pages
Coassurance KULeuven Distrinet
No ratings yet
Coassurance KULeuven Distrinet
48 pages
OT Group Information Security Policy
No ratings yet
OT Group Information Security Policy
11 pages
What Does Proven in Use Imply
No ratings yet
What Does Proven in Use Imply
17 pages
800-22559V1-D - MAXPRO NVR - 5.0 - Whats - New - Release - Notes
No ratings yet
800-22559V1-D - MAXPRO NVR - 5.0 - Whats - New - Release - Notes
19 pages
G7 - Revision Questions - Computer Systems - PART 1 - Answer
No ratings yet
G7 - Revision Questions - Computer Systems - PART 1 - Answer
5 pages
Firewall Checklist PDF
No ratings yet
Firewall Checklist PDF
5 pages
ISA112 - SCADA Systems - SCADA Model Architecture - Rev2022 01 26
No ratings yet
ISA112 - SCADA Systems - SCADA Model Architecture - Rev2022 01 26
1 page
ICQ Is Your PCI DSS Compliance Program Working Correctly Res Eng 0216
No ratings yet
ICQ Is Your PCI DSS Compliance Program Working Correctly Res Eng 0216
2 pages
XM IS Governance
No ratings yet
XM IS Governance
1 page
Cisco Industrial-Security-Cvd-So
No ratings yet
Cisco Industrial-Security-Cvd-So
8 pages
Controlcasepciv4 241115112355 3cfe7e3f
No ratings yet
Controlcasepciv4 241115112355 3cfe7e3f
27 pages
Introduction To Systems Development
No ratings yet
Introduction To Systems Development
19 pages
Cross OSFileExchangeUsersGuide
No ratings yet
Cross OSFileExchangeUsersGuide
214 pages
PME 2023 IT Guide
No ratings yet
PME 2023 IT Guide
132 pages
cs0-002 3
No ratings yet
cs0-002 3
29 pages
MICT For 4thclass - Week 1 - 0
No ratings yet
MICT For 4thclass - Week 1 - 0
34 pages
EE3220 - Tutorial 6
No ratings yet
EE3220 - Tutorial 6
5 pages
Cyber Audit Self Assessment Audit Form
No ratings yet
Cyber Audit Self Assessment Audit Form
12 pages
An Evaluation Framework For Cybersecurity Maturity Aligned With The NIST CSF
No ratings yet
An Evaluation Framework For Cybersecurity Maturity Aligned With The NIST CSF
20 pages
KPIs For Cyber Security
No ratings yet
KPIs For Cyber Security
52 pages
OSCA Rev3
No ratings yet
OSCA Rev3
2 pages
Info Security Policy
No ratings yet
Info Security Policy
21 pages
Best Practices For Armv8 R Cortex r52 St2 Whitepaper
No ratings yet
Best Practices For Armv8 R Cortex r52 St2 Whitepaper
33 pages
Icom Rev (Com)
No ratings yet
Icom Rev (Com)
17 pages
Final Hotel IT Governance Report
No ratings yet
Final Hotel IT Governance Report
13 pages
Comp Grade 9 PA 1
No ratings yet
Comp Grade 9 PA 1
2 pages
Unit 5 Mobile Platforms and Applications
No ratings yet
Unit 5 Mobile Platforms and Applications
9 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.