CIS Controls v8 Implementation Group 1

Helping small business navigate the cybersecurity jungle

Free Personalized Digitization Cybersecurity Risk Assessment For Your Business

Tell us about your business cybersecurity practices and get expert advice in minutes!

Overall Governance of Cybersecurity Program
Control 1: Inventory and Control of Enterprise Assets
Governance
Visibility
Data
Identity & Access Management
Threat & Vulnerability Management
Risk Management
Documentation
Monitoring
Incident Response
Results

1. Information Security Charter

An information security charter is an essential document for defining the scope and purpose of security within your organization. Without a clear charter to control and set clear objectives for the organization, the responsibilities of security initiatives will be likely undefined within the company, preventing the security program from operating efficiently.

2. Does your organization have an Information Security Charter?

3. Is the Security Charter clearly communicated to the entire organization?

4. Is the Security Charter regularly reviewed, evaluated, and updated?

5. Cybersecurity Program

The cybersecurity program provides a holistic view of the actions needed to achieve sound cybersecurity management across the organization. It defines not only the technical but operational, management, legal and regulatory baseline measures.

6. Do you have a cybersecurity program in place?

7. Do you currently have cybersecurity responsibilities assigned to an individual or individuals in your organization?

8. Do the staff assigned these responsibilities have the necessary ongoing training to perform their responsibilities?

9. Does your organization have a cybersecurity steering committee in place?

1. 1.1 Does your organization maintain a detailed hardware asset inventory?

2. Policy Defined

3. Implementation Status

4. Automation Status

5. Reporting Status

6. 1.2 Does your organization address unauthorized devices?

7. Policy Defined

8. Implementation Status

1. Do you have a security awareness program in place for all staff that use computers?

2. Are staff trained on how to identify social engineering attacks?

3. Are staff trained on how to craft and store passwords, and use multi-factor authentication?

4. Do you train staff on how to identify, properly store, transfer, archive and destroy sensitive data?

5. Do you train staff on how to be aware of causes of unintentional data exposure?

6. Have you trained employees on how to recognize and report security incidents?

7. Do you train employees on how to identify and report if their assets are missing security updates?

8. Do you train employees on the dangers of connecting to and transmitting data over insecure networks?

9. Do you have written cybersecurity policies that staff read and acknowledge?

10. Do you have cybersecurity assigned to someone in the organization?

1. Do you have a detailed inventory of all your hardware assets?

2. Do you have a tool to address unauthorized assets on your network?

3. Do you have a detailed inventory of all of your software?

4. Do you ensure that all of the installed software is licensed and supported by the developer?

5. Do you have a tool or process to remove unauthorized software?

6. Do you ensure that only fully supported browsers and email clients are in use by employees?

7. Do you have a regularly updated inventory of vendors and service providers?

1. Do you have a process to identify the sensitivity of your data and the owner of data?

2. Do you have an inventory of your data, so you know what data is sensitive and were it is?

3. Do you have a retention schedule that outlines how long you keep certain data types?

4. Do you have a process to securely dispose of data outlined in the retention schedule?

5. Do you encrypt the hard drives of your computers?

1. Do you have a process that controls which employee can access which data?

2. Do you manage default accounts on assets and software, such as root or administrator?

3. Do you have an inventory of all accounts used in the organization?

4. Do you make sure all employees use strong and unique passwords?

5. Do you make sure to delete or disable all user accounts that are not in use?

6. Do you restrict the use of administrator privileges to dedicated administrator accounts?

7. Do you have a process for granting access to data for new users or change of role for users?

8. Do you have a process for revoking access to data for users leaving the organization or role change?

9. Do you require the use of Multi-Factor Authentication for all externally exposed applications?

10. Do you require the use of Multi-Factor Authentication for remote network access?

11. Do you require the use of Multi-Factor Authentication fo all administrative access accounts for both on premise or through a third party provider?

1. Do you have firewalls installed on your servers?

2. Do you have firewalls installed on all of your computers?

3. Do you have a vulnerability management program in place?

4. Do you have a remediation process in place to remediate vulnerabilities found on assets?

5. Do you have a process in place to apply operating system updates to assets?

6. Do you have a process in place to apply updates to application software?

7. Do you have a process that defines the collection, review and retention of logs of critical assets?

8. Do you ensure audit logs are enabled on critical assets?

9. Do you ensure you have adequate storage of audit logs?

10. Do you utilize DNS filtering services on assets to block access to known malicious domains?

11. Do you have subscription based anti-malware software installed on all assets?

12. Does the anti-malware software update automatically?

13. Do you have autorun and autoplay turned off for removable media?

1. Do you have a process to make sure hardware assets are configured securely?

2. Do you have a process to make sure your network devices are configured securely?

3. Do you have a process to make sure that assets and software lock after a period of inactivity?

4. Do you utilize secure protocols such as HTTPS for website, and SSH for secure communication with devices?

1. Do you have a data recovery process that includes backup of data and the security of the backups?

2. Do you have data backups scheduled to run automatically based on the sensitivity or criticality of the data?

3. Do you encrypt your backups?

4. Do you have at least two people designated that will handle incident response?

5. Do you have a contact list for everyone that will need to be involved or informed of security incidents?

6. Do you have a process in place for employees to report security incidents?

Ready to see your results?

First name

Last name

Your email address

Your company name

Employees

Select your industry

Your password

Use of this site is subject to this Privacy Policy and Terms of Use.