CIS Critical Security Controls v7.1 (SANS Top 20)
Framework
https://www.cisecurity.org/controls/v7/
Alternative name: SANS Critical Security Controls (SANS Top 20)
Superseded by CIS Critical Security Controls v8 (The 18 CIS Critical Security Controls)
Coverage chart (planned level vs. current level), values by area group as displayed on the page:
Inbound logistics: 77%
Product creation: 59%
Outbound logistics: 75%
Marketing, sales: 94%
Customer service: 57%
Infrastructure: 82%
HR management: 69%
Technology: 56%
Procurement / Supply: 91%
Customer experience: 75%
List of requirements
CSC 1.4 Maintain Detailed Asset Inventory
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
Required for Implementation Groups: 1, 2, 3

CSC 1.5 Maintain Asset Inventory Information
Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
Required for Implementation Groups: 2, 3

CSC 1.6 Address Unauthorized Assets
Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.
Required for Implementation Groups: 1, 2, 3

CSC 1.7 Deploy Port Level Access Control
Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
Required for Implementation Groups: 2, 3
CSC 2.2 Ensure Software is Supported by Vendor
Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
Required for Implementation Groups: 1, 2, 3

CSC 2.6 Address Unapproved Software
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Required for Implementation Groups: 1, 2, 3
CSC 3.1 Run Automated Vulnerability Scanning Tools
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Required for Implementation Groups: 2, 3

CSC 3.7 Utilize a Risk-Rating Process
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Required for Implementation Groups: 2, 3
CSC 4.2 Change Default Passwords
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Required for Implementation Groups: 1, 2, 3

CSC 4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
Required for Implementation Groups: 1, 2, 3

CSC 4.5 Use Multi-Factor Authentication for All Administrative Access
Use multi-factor authentication and encrypted channels for all administrative account access.
Required for Implementation Groups: 2, 3
CSC 5.1 Establish Secure Configurations
Maintain documented security configuration standards for all authorized operating systems and software.
Required for Implementation Groups: 1, 2, 3

CSC 5.2 Maintain Secure Images
Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
Required for Implementation Groups: 2, 3

CSC 5.5 Implement Automated Configuration Monitoring Systems
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Required for Implementation Groups: 2, 3
CSC 6.2 Activate Audit Logging
Ensure that local logging has been enabled on all systems and networking devices.
Required for Implementation Groups: 1, 2, 3

CSC 6.4 Ensure Adequate Storage for Logs
Ensure that all systems that store logs have adequate storage space for the logs generated.
Required for Implementation Groups: 2, 3

CSC 6.5 Central Log Management
Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
Required for Implementation Groups: 2, 3

CSC 6.6 Deploy SIEM or Log Analytic Tools
Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.
Required for Implementation Groups: 2, 3

CSC 6.7 Regularly Review Logs
On a regular basis, review logs to identify anomalies or abnormal events.
Required for Implementation Groups: 2, 3

CSC 6.8 Regularly Tune SIEM
On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Required for Implementation Groups: 3
CSC 7.1 Ensure Use of Only Fully Supported Browsers and Email Clients
Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
Required for Implementation Groups: 1, 2, 3

CSC 7.4 Maintain and Enforce Network-Based URL Filters
Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
Required for Implementation Groups: 2, 3

CSC 7.7 Use of DNS Filtering Services
Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
Required for Implementation Groups: 1, 2, 3

CSC 7.8 Implement DMARC and Enable Receiver-Side Verification
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Required for Implementation Groups: 2, 3

CSC 7.10 Sandbox All Email Attachments
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Required for Implementation Groups: 3
CSC 8.5 Configure Devices to Not Auto-Run Content
Configure devices to not auto-run content from removable media.
Required for Implementation Groups: 1, 2, 3

CSC 8.7 Enable DNS Query Logging
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
Required for Implementation Groups: 2, 3

CSC 8.8 Enable Command-Line Audit Logging
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Required for Implementation Groups: 2, 3
CSC 10.1 Ensure Regular Automated Backups
Ensure that all system data is automatically backed up on a regular basis.
Required for Implementation Groups: 1, 2, 3

CSC 10.3 Test Data on Backup Media
Required for Implementation Groups: 2, 3
CSC 11.1 Maintain Standard Security Configurations for Network Devices
Maintain documented security configuration standards for all authorized network devices.
Required for Implementation Groups: 2, 3

CSC 11.2 Document Traffic Configuration Rules
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Required for Implementation Groups: 2, 3

CSC 11.7 Manage Network Infrastructure Through a Dedicated Network
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Required for Implementation Groups: 2, 3
CSC 12.1 Maintain an Inventory of Network Boundaries
Maintain an up-to-date inventory of all of the organization's network boundaries.
Required for Implementation Groups: 1, 2, 3

CSC 12.4 Deny Communication Over Unauthorized Ports
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
Required for Implementation Groups: 1, 2, 3

CSC 12.8 Deploy NetFlow Collection on Networking Boundary Devices
Enable the collection of NetFlow and logging data on all network boundary devices.
Required for Implementation Groups: 2, 3

CSC 12.10 Decrypt Network Traffic at Proxy
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
Required for Implementation Groups: 3

CSC 12.12 Manage All Devices Remotely Logging into Internal Network
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
Required for Implementation Groups: 3
CSC 13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
Required for Implementation Groups: 1, 2, 3

CSC 13.4 Only Allow Access to Authorized Cloud Storage or Email Providers
Only allow access to authorized cloud storage or email providers.
Required for Implementation Groups: 2, 3

CSC 13.5 Monitor and Detect Any Unauthorized Use of Encryption
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Required for Implementation Groups: 3

CSC 13.6 Encrypt Mobile Device Data
Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
Required for Implementation Groups: 1, 2, 3

CSC 13.9 Encrypt Data on USB Storage Devices
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Required for Implementation Groups: 3
CSC 14.3 Disable Workstation to Workstation Communication
Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as Private VLANs or micro segmentation.
Required for Implementation Groups: 2, 3

CSC 14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
Required for Implementation Groups: 2, 3

CSC 14.5 Utilize an Active Discovery Tool to Identify Sensitive Data
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory.
Required for Implementation Groups: 3
CSC 15.1 Maintain an Inventory of Authorized Wireless Access Points
Maintain an inventory of authorized wireless access points connected to the wired network.
Required for Implementation Groups: 2, 3

CSC 15.4 Disable Wireless Access on Devices if Not Required
Disable wireless access on devices that do not have a business purpose for wireless access.
Required for Implementation Groups: 3

CSC 15.6 Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Required for Implementation Groups: 2, 3

CSC 15.7 Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Required for Implementation Groups: 1, 2, 3

CSC 15.8 Use Wireless Authentication Protocols That Require Mutual, Multi-Factor Authentication
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication.
Required for Implementation Groups: 3
CSC 16.4 Encrypt or Hash All Authentication Credentials
Encrypt or hash with a salt all authentication credentials when stored.
Required for Implementation Groups: 2, 3

CSC 16.6 Maintain an Inventory of Accounts
Maintain an inventory of all accounts organized by authentication system.
Required for Implementation Groups: 2, 3

CSC 16.7 Establish Process for Revoking Access
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
Required for Implementation Groups: 2, 3

CSC 16.8 Disable Any Unassociated Accounts
Disable any account that cannot be associated with a business process or business owner.
Required for Implementation Groups: 1, 2, 3

CSC 16.9 Disable Dormant Accounts
Automatically disable dormant accounts after a set period of inactivity.
Required for Implementation Groups: 1, 2, 3

CSC 16.10 Ensure All Accounts Have an Expiration Date
Ensure that all accounts have an expiration date that is monitored and enforced.
Required for Implementation Groups: 2, 3

CSC 16.11 Lock Workstation Sessions After Inactivity
Automatically lock workstation sessions after a standard period of inactivity.
Required for Implementation Groups: 1, 2, 3

CSC 16.12 Monitor Attempts to Access Deactivated Accounts
Monitor attempts to access deactivated accounts through audit logging.
Required for Implementation Groups: 2, 3
CSC 17.5 Train Workforce on Secure Authentication
Train workforce members on the importance of enabling and utilizing secure authentication.
Required for Implementation Groups: 1, 2, 3
CSC 18.1 Establish Secure Coding Practices
Establish secure coding practices appropriate to the programming language and development environment being used.
Required for Implementation Groups: 2, 3

CSC 18.2 Ensure That Explicit Error Checking is Performed for All In-House Developed Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Required for Implementation Groups: 2, 3
CSC 19.4 Devise Organization-wide Standards for Reporting Incidents
Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
Required for Implementation Groups: 2, 3

CSC 19.5 Maintain Contact Information for Reporting Security Incidents
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
Required for Implementation Groups: 1, 2, 3

CSC 19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents
Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
Required for Implementation Groups: 1, 2, 3
CSC 20.5 Create Test Bed for Elements Not Typically Tested in Production
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Required for Implementation Groups: 2, 3

CSC 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Required for Implementation Groups: 2, 3

CSC 20.7 Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Required for Implementation Groups: 3

CSC 20.8 Control and Monitor Accounts Associated with Penetration Testing
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Required for Implementation Groups: 2, 3