Control Browser
  • Network Security
    • NS-1 - Establish network segmentation boundaries
    • NS-2 - Secure cloud native services with network controls
    • NS-3 - Deploy firewall at the edge of enterprise network
    • NS-4 - Deploy intrusion detection/intrusion prevention systems (IDS/IPS)
    • NS-5 - Deploy DDOS protection
    • NS-6 - Deploy web application firewall
    • NS-7 - Simplify network security configuration
    • NS-8 - Detect and disable insecure services and protocols
    • NS-9 - Connect on-premises or cloud network privately
    • NS-10 - Ensure Domain Name System (DNS) security
    Identity Management
    • IM-1 - Use centralized identity and authentication system
    • IM-2 - Protect identity and authentication systems
    • IM-3 - Manage application identities securely and automatically
    • IM-4 - Authenticate server and services
    • IM-5 - Use single sign-on (SSO) for application access
    • IM-6 - Use strong authentication controls
    • IM-7 - Restrict resource access based on conditions
    • IM-8 - Restrict the exposure of credential and secrets
    • IM-9 - Secure user access to existing applications
    Privileged Access
    • PA-1 - Separate and limit highly privileged/administrative users
    • PA-2 - Avoid standing access for user accounts and permissions
    • PA-3 - Manage lifecycle of identities and entitlements
    • PA-4 - Review and reconcile user access regularly
    • PA-5 - Set up emergency access
    • PA-6 - Use privileged access workstations / channel for administrative tasks
    • PA-7 - Follow just enough administration (least privilege) principle
    • PA-8 - Determine access process for cloud provider support
    Data Protection
    • DP-1 - Discover, classify, and label sensitive data
    • DP-2 - Monitor anomalies and threats targeting sensitive data
    • DP-3 - Encrypt sensitive data in transit
    • DP-4 - Enable data at rest encryption by default
    • DP-5 - Use customer-managed key option in data at rest encryption when required
    • DP-6 - Use a secure key management process
    • DP-7 - Use a secure certificate management process
    • DP-8 - Ensure security of key and certificate repository
    Asset Management
    • AM-1 - Track asset inventory and their risks
    • AM-2 - Use only approved services
    • AM-3 - Ensure security of asset lifecycle management
    • AM-4 - Limit access to asset management
    • AM-5 - Use only approved applications in virtual machine
    Logging and threat detection
    • LT-1 - Enable threat detection capabilities
    • LT-2 - Enable threat detection for identity and access management
    • LT-3 - Enable logging for security investigation
    • LT-4 - Enable network logging for security investigation
    • LT-5 - Centralize security log management and analysis
    • LT-6 - Configure log storage retention
    • LT-7 - Use approved time synchronization sources
    Incident Response
    • IR-1 - Preparation - update incident response plan and handling process
    • IR-2 - Preparation - setup incident contact information
    • IR-3 - Detection and analysis - create incidents based on high-quality alerts
    • IR-4 - Detection and analysis - investigate an incident
    • IR-5 - Detection and analysis - prioritize incidents
    • IR-6 - Containment, eradication and recovery - automate the incident handling
    • IR-7 - Post-incident activity - conduct lesson learned and retain evidence
    Posture and Vulnerability Management
    • PV-1 - Define and establish secure configurations
    • PV-2 - Audit and enforce secure configurations
    • PV-3 - Define and establish secure configurations for compute resources
    • PV-4 - Audit and enforce secure configurations for compute resources
    • PV-5 - Perform vulnerability assessments
    • PV-6 - Rapidly and automatically remediate vulnerabilities
    • PV-7 - Conduct regular red team operations
    Endpoint security
    • ES-1 - Use Endpoint Detection and Response (EDR)
    • ES-2 - Use modern anti-malware software
    • ES-3 - Ensure anti-malware software and signatures are updated
    Backup and recovery
    • BR-1 - Ensure regular automated backups
    • BR-2 - Protect backup and recovery data
    • BR-3 - Monitor backups
    • BR-4 - Regularly test backup
    DevOps Security
    • DS-1 - Conduct threat modeling
    • DS-2 - Ensure software supply chain security
    • DS-3 - Secure DevOps infrastructure
    • DS-4 - Integrate static application security testing into DevOps pipeline
    • DS-5 - Integrate dynamic application security testing into DevOps pipeline
    • DS-6 - Enforce security of workload throughout DevOps lifecycle
    • DS-7 - Enable logging and monitoring in DevOps
    Governance and Strategy
    • GS-1 - Align organization roles, responsibilities and accountabilities
    • GS-2 - Define and implement enterprise segmentation/separation of duties strategy
    • GS-3 - Define and implement data protection strategy
    • GS-4 - Define and implement network security strategy
    • GS-5 - Define and implement security posture management strategy
    • GS-6 - Define and implement identity and privileged access strategy
    • GS-7 - Define and implement logging, threat detection and incident response strategy
    • GS-8 - Define and implement backup and recovery strategy
    • GS-9 - Define and implement endpoint security strategy
    • GS-10 - Define and implement DevOps security strategy
    • GS-11 - Define and implement multi-cloud security strategy
select a control on the left