Secure by Design Example Controls Taxonomy

Principle 8: Supply chain security

CIS-18

1.1: Establish and maintain detailed asset inventory
1.3: Utilise an active discovery tool
1.4: Use dynamic host configuration protocol (DHCP) logging to update enterprise asset inventory
1.5: Use a passive asset discovery tool
2.1: Establish and maintain a software inventory
2.2: Ensure authorised software is currently supported
2.3: Address unauthorised software
2.4: Utilise automated software inventory tools
2.5: Allowlist authorised software
2.6: Allowlist authorised libraries
3.2: Establish and maintain a data inventory
3.5: Securely dispose of data
3.7: Establish and maintain a data classification scheme
3.8: Document data flows
7.1: Establish and maintain a vulnerability management process
7.2: Establish and maintain a remediation process
7.4: Perform automated application patch management
9.6: Block unnecessary file types
12.4: Establish and maintain architecture diagram(s)
13.5: Manage access control for remote assets
16.4: Establish and manage an inventory of third-party software components

OWASP 2021

ISO27001

A.8.1.1: Inventory of assets
A.8.1.2: Ownership of assets
A.8.1.3: Acceptable use of assets
A.8.1.4: Responsibility for assets
A.8.1.5: Information classification
A.8.1.6: Media handling

IGP: You have a deep understanding of your supply chain, including sub-contractors, and the wider risks it faces.

You consider factors such as your supplier’s ownership, nationality, partnerships, competitors, other organisations with which they sub-contract and their approach to cyber security. These factors inform your risk assessment and are fully considered in your procurement life cycle processes and purchasing decisions.

Your approach to supply chain risk management considers the risks to network and information systems supporting your essential functions arising from supply chain subversion by capable and well-resourced threat actors.

Critical suppliers to network and information systems supporting your essential functions can demonstrate appropriate and proportionate levels of cyber security within the context of capable and well-resourced threat actors.

You have confidence that information held by suppliers that is essential to the operation of network and information systems supporting your essential functions is appropriately protected from capable and well-resourced threat actors.

You understand which contracts are relevant and you include appropriate security obligations, in relevant contracts.

You have a proactive approach to contract management which may include a contract management plan for relevant contracts. Customer and supplier ownership of responsibilities is defined in contracts.

All network connections and data sharing with third parties are managed effectively and proportionately.

When appropriate, your incident management process and that of your suppliers provide mutual support in the resolution of incidents.

NIST SP800-53

PM-30: Supply chain risk management strategy
SR-2: Supply chain risk management plan

NCSC: 10 Steps to Cyber Security

Supply chain security

NCSC: Cloud Security Principles

CIS-18

15.1: Establish and maintain an inventory of service providers
15.2: Establish and maintain a service provider management policy
15.3: Classify service providers
15.4: Ensure service provider contracts include security requirements
15.5: Assess service providers
15.6: Monitor service providers
15.7: Securely decommission service providers
17.4: Establish and maintain an incident response process

OWASP 2021

ISO27001

A.15: Supplier relationships

IGP: Your software suppliers leverage an established secure software development framework (for example, NIST Secure Software Development Framework (SSDF), Microsoft Secure Development Lifecycle (SDL)).

Your software supplier can demonstrate a thorough understanding of the composition and provenance of software provided to you, including any third-party components used in the development of that software, and those components are being monitored for new vulnerabilities throughout the lifespan of the product.

You consider the security of environments (for example, development, test and production), including source code and repositories, used in the production of software to be appropriate and proportionate within the context of capable and well-resourced threat actors.

The software development life cycle is informed by a detailed and up to date understanding of threat and applies appropriate techniques, such as threat modelling, to identify and assess potential vulnerabilities and attack vectors.

You can attest to the authenticity and integrity of software, including updates and patches.

NIST SP800-53

SA-3: System development life cycle
SA-8: Security and privacy engineering principles
SA-9: External system connection
SA-11: Developer security testing and evaluation
SA-12: Supply chain protection
RA-5: Vulnerability monitoring and scanning
SI-2: Flaw remediation
SI-7: Software, firmware, and information integrity
AT-3: Role-based training

NCSC: 10 Steps to Cyber Security

NCSC: Cloud Security Principles

CIS-18

Control 4: Secure configuration of enterprise assets and software
Control 6: Access control management
Control 7: Continuous vulnerability management
Control 8: Audit log management
Control 14: Security awareness and skills training
Control 15: Service Provider Management
Control 16: Application Software Security
Control 17: Incident Response Management

OWASP 2021

ISO27001

A.5.9: Inventory of information and other associated assets
A.5.12: Security of supplier relationships
A.5.14: Monitoring and review of supplier services
A.5.18: Event logging
A.5.20: Monitoring activities
A.5.30: ICT readiness for business continuity
A.6.3: Information security awareness, education and training
A.8.8: Management of technical vulnerabilities
A.8.9: Configuration management
A.10.1: Continual improvement

IGP: You fully document your overarching security governance and risk management approach, technical security practice and specific regulatory compliance.

Cyber security is integrated and embedded throughout policies, processes and procedures and key performance indicators are reported to your executive management.

Your organisation’s policies, processes and procedures are developed to be practical, usable and appropriate to mitigate the risk of adverse impact to network and information systems supporting your essential functions.

Policies, processes and procedures that rely on user behaviour are practical, appropriate and achievable.

You review and update policies, processes and procedures at suitably regular intervals to ensure they remain relevant. This is in addition to reviews following a major cyber security incident.

Any changes to the essential functions or the threat it faces triggers a review of policies, processes and procedures. Your systems are designed so that they remain secure even when user security policies, processes and procedures are not always followed.

NIST SP800-53

AC-1
AT-1
AU-1
CA-1
CM-1
CP-1
IA-1
IR-1
MA-1
MP-1
PE-1
PL-1
PS-1
RA-1
SA-1
SC-1
SI-1: Policy and procedures
PM-1: Information security programme plan

NCSC: 10 Steps to Cyber Security

Risk management

NCSC: Cloud Security Principles

Principle 4: Governance framework

CIS-18

1.1: Establish and maintain detailed asset inventory
2.1: Establish and maintain a software inventory
3.2: Establish and maintain a data inventory
3.5: Securely dispose of data
3.7: Establish and maintain a data classification scheme
4.1: Establish and maintain a secure configuration process
7.1: Establish and maintain a vulnerability management process
7.2: Establish and maintain a remediation process
7.4: Perform automated application patch management
15.2: Establish and maintain a service provider management policy
16.1: Establish and maintain a secure application development process
16.4: Establish and manage an inventory of third-party software components
17.4: Establish and maintain an incident response process
18.1: Establish and maintain a penetration testing programme

OWASP 2021

A05:2021: Security misconfiguration

ISO27001

A.5.1: Policies for information security
A.5.2: Information security roles and responsibilities
A.5.3: Segregation of duties
A.5.1: Policies for information security (includes review and update requirements)
A.5.4: Management responsibilities
A.5.23: Information security for use of cloud services
A.6.1: Roles and responsibilities
A.6.2: Information security in project management

IGP: All policies, processes and procedures are followed, their correct application and security effectiveness is evaluated.

Your policies, processes and procedures are integrated with other organisational policies, processes and procedures, including HR assessments of individuals’ trustworthiness.

Your policies, processes and procedures are effectively and appropriately communicated across all levels of the organisation resulting in good staff awareness of their responsibilities.

Appropriate action is taken to address all breaches of policies, processes and procedures with potential to adversely impact the essential functions including aggregated breaches.

NIST SP800-53

PL-01
PM-01
PM-09
RA-01
CA-01

NCSC: 10 Steps to Cyber Security

Risk management

NCSC: Cloud Security Principles

Principle 4: Governance framework

CIS-18

1.1: Establish and maintain detailed asset inventory
2.1: Establish and maintain a software inventory
2.2: Ensure authorised software is currently supported
3.1: Establish and maintain a data management process
3.2: Establish and maintain a data inventory
3.5: Securely dispose of data
3.7: Establish and maintain a data classification scheme
8.2: Collect audit logs
8.11: Conduct audit log reviews
10.3: Disable autorun and autoplay for removable media
16.4: Establish and manage an inventory of third-party software components
16.8: Separate production and non-production systems

OWASP 2021

A05:2021: Security misconfiguration

ISO27001

A.5.1: Policies for information security
A.5.4: Management responsibilities
A.6.3: Contact with authorities
A.6.4: Contact with special interest groups
A.6.5: Information security awareness, education and training
A.5.23: Information security for use of cloud services
A.5.24: Information security incident management planning and preparation
A.5.26: Response to information security incidents
A.8.16: Monitoring activities
A.6.1: Roles and responsibilities
A.6.2: Information security in project management

IGP: Your process of initial identity verification is robust enough to provide a high level of confidence of a user’s identity profile before allowing an authorised user access to network and information systems that support your essential functions.

Only authorised and individually authenticated users can physically access and logically connect to your network or information systems on which your essential functions depends.

The number of authorised users and systems that have access to network and information systems is limited to the minimum necessary to support your essential functions.

You use additional strong authentication mechanisms, such as multi-factor authentication (MFA), for all user access, including remote access, to all network and information systems that operate or support your essential functions.

The list of users and systems with access to network and information systems supporting and delivering the essential functions is reviewed on a regular basis, at least every 6 months.

Your approach to authenticating users, devices and systems follows up-to-date best practice.

NIST SP800-53

IA-11: Re-authentication
IA-2: Identification and authentication (organisational users)
IA-4: Identifier management
IA-5: Authenticator management
IA-7: Cryptographic module authentication
IA-8: Identification and authentication (non-organisational users)
IA-9: Service identification and authentication

NCSC: 10 Steps to Cyber Security

Identity and access management

NCSC: Cloud Security Principles

Principle 10: Identity and authentication

CIS-18

1.2: Address unauthorised assets
1.3: Utilise an active discovery tool
1.4: Use dynamic host configuration protocol (DHCP) logging to update enterprise asset inventory
1.5: Use a passive asset discovery tool
2.5: Allowlist authorised software
2.6: Allowlist authorised libraries
3.3: Configure data access control lists
4.7: Manage default accounts on enterprise assets and software
5.1: Establish and maintain an inventory of accounts
5.2: Use unique passwords
5.3: Disable dormant accounts
5.4: Restrict administrator privileges to dedicated administrator accounts
5.5: Establish and maintain an inventory of service accounts
6.1: Establish an access granting process
6.2: Establish an access revoking process
6.3: Require MFA for externally-exposed applications
6.4: Require MFA for remote network access
6.5: Require MFA for administrative access
6.6: Establish and maintain an inventory of authentication and authorisation systems
6.7: Centralised access control
6.8: Define and maintain role-based access control
9.6: Block unnecessary file types
12.3: Securely manage network infrastructure
12.6: Use of secure network management and communication protocols
12.7: Ensure remote devices utilise a VPN and are connecting to an enterprise AAA infrastructure
13.5: Manage access control for remote assets
13.9: Deploy port-level access control
15.7: Securely decommission service providers

OWASP 2021

ISO27001

A.9.1.1: Access to networks and network services
A.9.2.1: User access management
A.9.2.2: Use of privileged utility programs
A.9.2.3: User responsibilities
A.9.2.4: System access control
A.9.2.5: User password management
A.9.2.6: Review of user access rights
A.9.2.7: Removal or adjustment of access rights
A.9.3.1: Use of cryptographic controls

IGP: All privileged operations performed on network and information systems supporting your essential functions are conducted from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations.

You either obtain independent and professional assurance of the security of third-party devices or networks before they connect to network and information systems, or you only allow third-party devices or networks that are dedicated to supporting network and information systems to connect.

You perform certificate based device identity management and only allow known devices to access systems necessary for the operation of your essential functions.

You perform regular scans to detect unknown devices and investigate any findings.

NIST SP800-53

AC-11: Device lock
AC-19: Access control for mobile devices
IA-3: Device identification and authentication
MA-2: Controlled maintenance
MA-6: Timely maintenance
SI-7: Software, firmware, and information integrity

NCSC: 10 Steps to Cyber Security

Identity and access management

NCSC: Cloud Security Principles

Principle 10: Identity and authentication

CIS-18

1.1: Establish and maintain detailed asset inventory
5.2: Use unique passwords
6.3: Require MFA for externally-exposed applications
6.4: Require MFA for remote network access
6.5: Require MFA for administrative access
9.7: Deploy and maintain email server anti-malware protections
10.1: Deploy and maintain anti-malware software
10.2: Configure automatic anti-malware signature updates
10.4: Configure automatic anti-malware scanning of removable media
10.5: Enable anti-exploitation features
10.6: Centrally manage anti-malware software
10.7: Use behaviour-based anti-malware software
12.7: Ensure remote devices utilise a VPN and are connecting to an enterprise AAA infrastructure
13.5: Manage access control for remote assets

OWASP 2021

ISO27001

A.9.1.1: Access to networks and network services
A.9.2.1: User access management
A.9.2.2: Use of privileged utility programs
A.9.2.3: User responsibilities
A.9.2.4: System access control
A.9.2.5: User password management
A.9.2.6: Review of user access rights
A.9.2.7: Removal or adjustment of access rights
A.9.3.1: Use of cryptographic controls

IGP: You follow a robust procedure to verify each user and issue the minimum required access rights, and the application of the procedure is regularly audited.

User access rights are reviewed as part of your joiners, leavers and movers process both when people change roles and at regular intervals, at least annually.

All user, device and systems access to network and information systems supporting your essential functions is logged and monitored.

You regularly review access logs and correlate this data with other access records and expected activity.

Attempts by unauthorised users, devices or systems to connect to network and information systems supporting your essential functions are alerted, promptly assessed and investigated.

NIST SP800-53

AC-10: Concurrent session control
AC-12: Session termination
AC-13: Supervision and review – access control
AC-14: Permitted actions without identification or authentication
AC-16: Security and privacy attributes
AC-17: Remote access
AC-18: Wireless access
AC-18(1): Wireless access | Authentication and encryption
AC-19: Access control for mobile devices
AC-2: Account management
AC-20: Use of external systems
AC-20(1): Use of external systems | Limits on authorised use
AC-21: Information sharing
AC-22: Publicly accessible content
AC-23: Data mining protection
AC-24: Access control decisions
AC-24(1): Access control decisions | Transmit access authorisation information
AC-25: Reference monitor
AC-3: Access enforcement
AC-4: Information flow enforcement
AC-5: Separation of duties
AC-6: Least privilege
AC-7: Unsuccessful logon attempts
AC-8: System use notification
AC-9: Previous logon notification
PS-4: Personnel termination
PS-5: Personnel transfer
PS-7: External personnel security

NCSC: 10 Steps to Cyber Security

Identity and access management

NCSC: Cloud Security Principles

Principle 6: Personnel security

CIS-18

4.11: Enforce remote wipe capability on portable end-user devices
5.2: Use unique passwords
5.6: Centralised account management
6.3: Require MFA for externally-exposed applications
6.4: Require MFA for remote network access
6.5: Require MFA for administrative access
6.6: Establish and maintain an inventory of authentication and authorisation systems
12.7: Ensure remote devices utilise a VPN and are connecting to an enterprise AAA infrastructure
13.5: Manage access control for remote assets

OWASP 2021

ISO27001

A.5.16: Identity management
A.5.17: Authentication information
A.5.15: Access control
A.5.18: Access rights
A.5.19: Access rights review
A.5.20: Removal or adjustment of access rights
A.5.17: Authentication information
A.5.21: Secure log-on procedures
A.5.1: Policies for information security
A.8.16: Monitoring activities
A.5.26: Response to information security incidents

IGP: You have identified and catalogued all the data important to the operation of network and information systems supporting your essential functions, or that would assist a threat actor.

You have identified and catalogued who has access to the data important to the operation of network and information systems supporting your essential functions.

You maintain a current understanding of the location, quantity and quality of data important to the operation of network and information systems supporting your essential functions.

You take steps to remove or minimise unnecessary copies or unneeded historic data.

You have identified all mobile devices and media that may hold data important to the operation of network and information systems supporting your essential functions.

You maintain a current understanding of the data links used to transmit data that is important to network and information systems supporting your essential functions.

You understand the context, limitations and dependencies of your important data.

You understand and document the impact on your essential functions of all relevant scenarios, including unauthorised data access, uncontrolled release, modification or deletion, or when authorised users are unable to appropriately access this data.

You validate these documented impact statements regularly, at least annually.

NIST SP800-53

AC-23: Data mining protection
CA-3: Information exchange
CM-13: Data action mapping
PL-8: Security and privacy architectures
PT-2: Authority to process personally identifiable information
PT-3: Personally identifiable information processing purposes
SI-12: Information management and retention

NCSC: 10 Steps to Cyber Security

Asset management

NCSC: Cloud Security Principles

CIS-18

3.1: Establish and maintain a data management process
3.2: Establish and maintain a data inventory
3.7: Establish and maintain a data classification scheme
3.8: Document data flows

OWASP 2021

ISO27001

A.8.2: Information classification
A.11.2: Cryptographic protection of information
A.13.1: Network security management
A.13.2: Information transfer

IGP: Mobile devices that hold data that is important to the operation of network and information systems supporting your essential functions are catalogued, are under your organisation’s control and configured according to best practice for the platform, with appropriate technical and procedural policies in place.

Your organisation can remotely wipe all mobile devices holding data important to the operation of network and information systems supporting your essential functions.

You have minimised this data on these mobile devices. Some data may be automatically deleted from mobile devices after a certain period.

NIST SP800-53

AC-19: Access control for mobile devices
AC-19(5): Access control for mobile devices | Full device or container-based encryption
AC-7(2): Unsuccessful logon attempts | Purge or wipe mobile device
MP-2: Media access
MP-3: Media marking
MP-4: Media storage
MP-5: Media transport
MP-6(8): Media sanitisation | Remote purging or wiping of information
MP-7: Media use

NCSC: 10 Steps to Cyber Security

Data security

NCSC: Cloud Security Principles

CIS-18

1.1: Establish and maintain detailed asset inventory
3.4: Enforce data retention
3.5: Securely dispose of data
3.9: Encrypt data on removable media
4.10: Enforce automatic device lockout on portable end-user devices
4.11: Enforce remote wipe capability on portable end-user devices
4.12: Separate enterprise workspaces on mobile end-user devices

OWASP 2021

ISO27001

A.8.10: Information deletion
A.8.11: Data masking
A.8.12: Data leakage prevention
A.5.15: Access control
A.5.16: Identity management
A.5.17: Authentication information
A.5.1: Policies for information security
A.6.2: Information security in project management
A.5.4: Management responsibilities
A.5.9: Inventory of information and other associated assets
A.5.23: Information security for use of cloud services
A.5.24: Information security incident management planning and preparation

IGP: You employ appropriate expertise to design network and information systems supporting your essential functions. Network and information systems are segregated into appropriate security zones (for example, systems supporting the essential functions are segregated in a highly trusted, more secure zone).

The network and information systems supporting your essential functions are designed to have simple data flows between components to support effective security monitoring.

The network and information systems supporting your essential functions are designed to be easy to recover.

Content-based attacks are mitigated for all inputs to network and information systems that affect the essential functions (for example, by transformation and inspection or sanitisation and validation).

If automated decision-making technologies are in use, you design and apply appropriate restrictions to prevent actions that could have an adverse impact on network and information systems supporting your essential functions.

NIST SP800-53

CA-2: Control assessments
CA-5: Plan of action and milestones
CA-7: Continuous monitoring
CA-8: Penetration testing
CA-9: Internal system connections
CM-7: Least functionality
IA-10: Adaptive authentication
IA-12: Identity proofing
IA-8: Identification and authentication (non-organisational users)
MP-2: Media access
SA-10: Developer configuration management
SA-11: Developer testing and evaluation
SA-15: Development process, standards, and tools
SA-16: Developer-provided training
SA-17: Developer security and privacy architecture and design
SA-22: Unsupported system components
SA-3: System development life cycle
SA-4: Acquisition process
SA-8: Security and privacy engineering principles
SA-9: External system services
SC-10: Network disconnect
SC-12: Cryptographic key establishment and management
SC-17: Public key infrastructure certificates
SC-18: Mobile code
SC-3: Security function isolation
SC-32: System partitioning
SC-4: Information in shared system resources
SC-5: Denial-of-service protection
SC-8: Transmission confidentiality and integrity
SI-10: Information input validation
SI-10: Information input validation
SI-16: Memory protection
SI-17: Fail-safe procedures
SI-7: Software, firmware, and information integrity

NCSC: 10 Steps to Cyber Security

NCSC: Cloud Security Principles

CIS-18

2.7: Allowlist authorised scripts
3.9: Encrypt data on removable media
3.10: Encrypt sensitive data in transit
3.11: Encrypt sensitive data at rest
3.12: Segment data processing and storage based on sensitivity
3.13: Deploy a data loss prevention solution
4.1: Establish and maintain a secure configuration process
4.2: Establish and maintain a secure configuration process for network infrastructure
4.3: Configure automatic session locking on enterprise assets
4.4: Implement and manage a firewall on servers
5.2: Use unique passwords
6.3: Require MFA for externally-exposed applications
6.4: Require MFA for remote network access
6.5: Require MFA for administrative access
7.4: Perform automated application patch management
9.1: Ensure use of only fully supported browsers and email clients
9.2: Use DNS filtering services
9.3: Maintain and enforce network-based URL filters
9.4: Restrict unnecessary or unauthorised browser and email client extensions
9.6: Block unnecessary file types
10.3: Disable autorun and autoplay for removable media
12.2: Establish and maintain a secure network architecture
12.3: Securely manage network infrastructure
12.6: Use of secure network management and communication protocols
12.7: Ensure remote devices utilise a VPN and are connecting to an enterprise AAA infrastructure
12.8: Establish and maintain dedicated computing resources for all administrative work
13.2: Deploy a host-based intrusion detection solution
13.3: Deploy a network intrusion detection solution
13.4: Perform traffic filtering between network segments
13.5: Manage access control for remote assets
13.6: Collect network traffic flow logs
13.7: Deploy a host-based intrusion prevention solution
13.8: Deploy a network intrusion prevention solution
13.10: Perform application layer filtering
16.1: Establish and maintain a secure application development process
16.7: Use standard hardening configuration templates for application infrastructure
16.8: Separate production and non-production systems
16.11: Leverage vetted modules or services for application security components
16.14: Conduct threat modelling
18.3: Remediate penetration test findings
18.4: Validate security measures

OWASP 2021

ISO27001

A.13.1: Network security management
A.14: System acquisition, development and maintenance

IGP: You have identified, documented and actively manage (for example, maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of network and information systems supporting your essential functions.

All platforms conform to your secure, defined baseline build, or the latest known good configuration version for that environment.

You closely and effectively manage changes in your environment, ensuring that network and information systems configurations are secure and documented.

You regularly review and validate that network and information systems have the expected, secure settings and configuration.

Only permitted software can be installed.

If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated.

Generic, shared, default name and built-in accounts have been removed or disabled. Where this is not possible, credentials to these accounts have been changed. Service accounts are appropriately protected.

NIST SP800-53

CM-11: User-installed software
CM-14: Signed components
CM-2: Baseline configuration
CM-3: Configuration change control
CM-6: Configuration settings
CM-9: Configuration management plan
SA-10: Developer configuration management
SC-7(19): Boundary protection | Block communication from non-organisationally configured hosts
SI-3: Malicious code protection
SI-8: Spam protection

NCSC: 10 Steps to Cyber Security

Principle 11: External interface protection

NCSC: Cloud Security Principles

CIS-18

2.5: Allowlist authorised software
2.7: Allowlist authorised scripts
3.12: Segment data processing and storage based on sensitivity
3.13: Deploy a data loss prevention solution
4.1: Establish and maintain a secure configuration process
4.2: Establish and maintain a secure configuration process for network infrastructure
4.3: Configure automatic session locking on enterprise assets
4.8: Uninstall or disable unnecessary services on enterprise assets and software
5.2: Use unique passwords
6.3: Require MFA for externally-exposed applications
6.4: Require MFA for remote network access
6.5: Require MFA for administrative access
7.5: Perform automated vulnerability scans of internal enterprise assets
8.4: Standardise time synchronisation
8.5: Collect detailed audit logs
8.6: Collect DNS query audit logs
8.7: Collect URL request audit logs
8.8: Collect command-line audit logs
9.1: Ensure use of only fully supported browsers and email clients
9.2: Use DNS filtering services
9.3: Maintain and enforce network-based URL filters
9.4: Restrict unnecessary or unauthorised browser and email client extensions
9.6: Block unnecessary file types
9.7: Deploy and maintain email server anti-malware protections
10.1: Deploy and maintain anti-malware software
10.2: Configure automatic anti-malware signature updates
10.3: Disable autorun and autoplay for removable media
10.4: Configure automatic anti-malware scanning of removable media
10.5: Enable anti-exploitation features
10.6: Centrally manage anti-malware software
10.7: Use behaviour-based anti-malware software
12.2: Establish and maintain a secure network architecture
12.3: Securely manage network infrastructure
12.6: Use of secure network management and communication protocols
12.7: Ensure remote devices utilise a VPN and are connecting to an enterprise AAA infrastructure
12.8: Establish and maintain dedicated computing resources for all administrative work
13.2: Deploy a host-based intrusion detection solution
13.3: Deploy a network intrusion detection solution
13.4: Perform traffic filtering between network segments
13.5: Manage access control for remote assets
13.6: Collect network traffic flow logs
13.7: Deploy a host-based intrusion prevention solution
13.8: Deploy a network intrusion prevention solution
13.10: Perform application layer filtering
16.1: Establish and maintain a secure application development process
16.7: Use standard hardening configuration templates for application infrastructure
16.8: Separate production and non-production systems

OWASP 2021

ISO27001

A.13.1: Network security management
A.14: System acquisition, development and maintenance

IGP: Your systems and devices supporting the operation of the essential functions are only administered or maintained by authorised privileged users from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations.

You regularly review and update technical knowledge about network and information systems, such as documentation and network diagrams, and ensure they are securely stored.

You prevent, detect and remove malware, and unauthorised software. You use technical, procedural and physical measures as necessary.

NIST SP800-53

PL-9: Central management
SC-2: Separation of system and user functionality
SC-20: Secure name/address resolution service (authoritative source)
SC-21: Secure name/address resolution service (recursive or caching resolver)

NCSC: 10 Steps to Cyber Security

Principle 12: Secure service administration

NCSC: Cloud Security Principles

CIS-18

1.3: Utilise an active discovery tool
1.4: Use dynamic host configuration protocol (DHCP) logging to update enterprise asset inventory
1.5: Use a passive asset discovery tool
2.3: Address unauthorised software
2.4: Utilise automated software inventory tools
2.5: Allowlist authorised software
2.6: Allowlist authorised libraries
3.3: Configure data access control lists
4.11: Enforce remote wipe capability on portable end-user devices
4.6: Securely manage enterprise assets and software
4.7: Manage default accounts on enterprise assets and software
5.3: Disable dormant accounts
5.4: Restrict administrator privileges to dedicated administrator accounts
5.5: Establish and maintain an inventory of service accounts
6.2: Establish an access revoking process
6.7: Centralised access control
9.6: Block unnecessary file types
9.7: Deploy and maintain email server anti-malware protections
10.1: Deploy and maintain anti-malware software
10.5: Enable anti-exploitation features
10.6: Centrally manage anti-malware software
11.5: Test data recovery
12.3: Securely manage network infrastructure
12.6: Use of secure network management and communication protocols
12.8: Establish and maintain dedicated computing resources for all administrative work
13.5: Manage access control for remote assets
13.9: Deploy port-level access control
15.6: Monitor service providers
15.7: Securely decommission service providers
16.12: Implement code-level security checks
16.5: Use up-to-date and trusted third-party software components
16.10: Apply secure design principles in application architectures

OWASP 2021

ISO27001

A.13.1: Network security management
A.14: System acquisition, development and maintenance

IGP: You maintain a current understanding of the exposure of network and information systems supporting your essential functions to publicly known vulnerabilities.

Announced vulnerabilities for all software packages used in network and information systems supporting your essential functions are tracked, prioritised and mitigated (for example, by patching) promptly.

You regularly test to fully understand the vulnerabilities of network and information systems that support the operation of your essential functions and verify this understanding with third-party testing.

You actively maximise the use of supported software, firmware and hardware in network and information systems supporting your essential functions.

NIST SP800-53

RA-5: Vulnerability monitoring and scanning
SA-11(2): Developer testing and evaluation | Threat modelling and vulnerability analyses
SA-15(7): Development process, standards, and tools | Automated vulnerability analysis
SA-15(8): Development process, standards, and tools | Reuse of threat and vulnerability information

NCSC: 10 Steps to Cyber Security

Vulnerability management

NCSC: Cloud Security Principles

CIS-18

7.1: Establish and maintain a vulnerability management process
7.2: Establish and maintain a remediation process
7.3: Perform automated operating system patch management
7.4: Perform automated application patch management
7.5: Perform automated vulnerability scans of internal enterprise assets
7.6: Perform automated vulnerability scans of externally-exposed enterprise assets
7.7: Remediate detected vulnerabilities
16.2: Establish and maintain a process to accept and address software vulnerabilities
16.6: Establish and maintain a severity rating system and process for application vulnerabilities

OWASP 2021

ISO27001

A.13.1: Network security management
A.14: System acquisition, development and maintenance

IGP: Network and information systems supporting the operation of your essential functions are segregated from other business and external systems by appropriate technical and physical means (for example, separate network and system infrastructure with independent user administration).

Internet services, such as browsing and email, are not accessible from network and information systems supporting your essential functions.

You have identified and mitigated all resource limitations (for example, bandwidth limitations and single network paths).

You have identified and mitigated any geographical constraints or weaknesses. (for example, systems that your essential functions depend upon are replicated in another location, important network connectivity has alternative physical paths and service providers).

You review and update assessments of dependencies, resource and geographical limitations and mitigations when necessary.

NIST SP800-53

SC-6: Resource availability
SC-24: Fail in known state
SC-36: Distributed processing and storage
CP-4: Contingency plan testing
CP-6: Alternate storage site
CP-7: Alternate processing site
CP-10: System recovery and reconstitution
IR-3: Incident response testing
PM-11: Mission/business process definition
PM-30: Risk response
PL-8: Information security architecture
RA-5: Vulnerability scanning
SA-8: Security and privacy engineering principles
SA-12: Supply chain protection
SA-14: Criticality analysis
SR-3: Supply chain controls and processes
SR-5: System component authenticity
SR-6: Component authenticity

NCSC: 10 Steps to Cyber Security

NCSC: Cloud Security Principles

Principle 4: Governance framework

CIS-18

2.7: Allowlist authorised scripts
3.3: Configure data access control lists
4.1: Establish and maintain a secure configuration process
4.2: Establish and maintain a secure configuration process for network infrastructure
4.3: Configure automatic session locking on enterprise assets
5.4: Restrict administrator privileges to dedicated administrator accounts
6.4: Require MFA for remote network access
6.5: Require MFA for administrative access
9.1: Ensure use of only fully supported browsers and email clients
9.4: Restrict unnecessary or unauthorised browser and email client extensions
11.4: Establish and maintain an isolated instance of recovery data
12.1: Ensure network infrastructure is up-to-date
12.3: Securely manage network infrastructure
12.5: Centralised network authentication, authorisation, and auditing (AAA)
13.3: Deploy a network intrusion detection solution
13.7: Deploy a host-based intrusion prevention solution
13.8: Deploy a network intrusion prevention solution
13.10: Perform application layer filtering
16.1: Establish and maintain a secure application development process
16.7: Use standard hardening configuration templates for application infrastructure
16.8: Separate production and non-production systems

OWASP 2021

ISO27001

A.5.29: Information security during disruption requires companies to maintain information security activities on proper levels during disruptive events, in order to keep information protected even during critical failure of operations.

IGP: Your executive management clearly and effectively communicates the organisation’s cyber security priorities and objectives to all staff. Your organisation displays positive cyber security attitudes, behaviours and expectations.

People in your organisation raising potential cyber security incidents and issues are treated positively.

Individuals at all levels in your organisation routinely report concerns or issues about cyber security and are recognised for their contribution to keeping the organisation secure.

Your management is seen to be committed to and actively involved in cyber security.

Your organisation communicates openly about cyber security, with any concern being taken seriously.

People across your organisation collaborate in cyber security activities and improvements, building joint ownership and bringing knowledge of their area of expertise.

NIST SP800-53

AT-6: Training feedback

NCSC: 10 Steps to Cyber Security

Engagement and training

NCSC: Cloud Security Principles

CIS-18

14.1: Establish and maintain a security awareness programme
14.2: Train workforce members to recognise social engineering attacks
14.3: Train workforce members on authentication best practices
14.4: Train workforce on data handling best practices
14.5: Train workforce members on causes of unintentional data exposure
14.6: Train workforce members on recognising and reporting security incidents
14.7: Train workforce on how to identify and report if their enterprise assets are missing security updates
14.8: Train workforce on the dangers of connecting to and transmitting enterprise data over insecure networks
14.9: Conduct role-specific security awareness and skills training
15.4: Ensure service provider contracts include security requirements
16.9: Train developers in application security concepts and secure coding
17.3: Establish and maintain an enterprise process for reporting incidents
17.4: Establish and maintain an incident response process

OWASP 2021

Not applicable

ISO27001

A.6.3: Information security awareness, education and training

IGP: Monitoring is based on a thorough understanding of network and information systems supporting your essential functions, techniques used by threat actors, and awareness of what logging and monitoring is required to detect events and incidents that could affect the operation of your essential functions.

Your monitoring data provides enough detail to promptly and reliably detect security events, incidents and support investigations. This is reviewed regularly and after a significant security event.

Extensive monitoring of user and system activity in relation to network and information systems that support your essential functions enables you to promptly detect policy violations, suspicious or undesirable user and system behaviour, deviations from normal or routine behaviour, or abnormalities indicative of adverse activity.

Your logging and monitoring capability includes host-based and network monitoring.

All new network and information systems supporting your essential functions are considered as potential logging and monitoring data sources to maintain a comprehensive monitoring capability.

Log datasets are synchronised including using an accurate common time source so that separate datasets can be correlated in appropriate ways.

You enrich log data with other network and information systems data to provide a more comprehensive picture of actions and behaviours.

Your monitoring tools make use of log data to pinpoint activity.

You regularly review the data sources and tools included in your logging and monitoring strategy to ensure it remains effective.

NIST SP800-53

AU-2: Event logging
AU-6: Audit record review, analysis and reporting

NCSC: 10 Steps to Cyber Security

Logging and monitoring

NCSC: Cloud Security Principles

A09:2021: Security logging and monitoring failures

CIS-18

8.2: Collect audit logs
8.3: Ensure adequate audit log storage
8.4: Standardise time synchronisation
8.5: Collect detailed audit logs
8.6: Collect DNS query audit logs
8.7: Collect URL request audit logs
8.8: Collect command-line audit logs
8.11: Conduct audit log reviews
8.12: Collect service provider logs
13.2: Deploy a host-based intrusion detection solution
13.3: Deploy a network intrusion detection solution
13.6: Collect network traffic flow logs

OWASP 2021

ISO27001

A.12: Operations security
A.12.4: Logging and monitoring
A.12.6: Security incident management
A.16: Information security incident management
A.16.1: Management of information security incidents and improvements

IGP: You have monitoring and detection personnel who are responsible for the proactive and reactive analysis, investigation and reporting of monitoring alerts including both security and performance.

Monitoring and detection personnel have defined roles and skills that cover all parts of the monitoring and investigation process.

Monitoring and detection personnel follow policies, processes and procedures that address all governance reporting requirements, internal and external.

Monitoring and detection personnel are empowered to look beyond the fixed process to investigate and understand non-standard threats.

Monitoring and detection personnel are aware of the network and information systems and your essential functions, related assets and can identify and prioritise alerts and investigations that relate to them.

Monitoring and detection personnel drive and shape new log data collection and can make effective use of it.

Monitoring and detection personnel are capable of following all of the required workflows. Monitoring and detection personnel have a sufficient understanding of the operational context (for example, people, processes, network and information systems that support your essential function) to enhance the security monitoring function.

Monitoring and detection personnel deal with their workload and cases effectively as well as identifying areas for improvement.

NIST SP800-53

CA-7: Continuous monitoring

NCSC: 10 Steps to Cyber Security

Logging and monitoring

NCSC: Cloud Security Principles

A09:2021: Security logging and monitoring failures

CIS-18

7.1: Establish and maintain a vulnerability management process
7.2: Establish and maintain a remediation process
8.1: Establish and maintain an audit log management process
8.11: Conduct audit log reviews
13.11: Tune security event alerting thresholds

OWASP 2021

ISO27001

A.5.30: Collection of evidence
A.8.16: Monitoring activities
A.8.7: Protection against malware
A.5.23: Information security for use of cloud services
A.5.24: Information security incident management planning and preparation
A.5.25: Assessment and decision on information security events
A.5.26: Response to information security incidents

IGP: You track the effectiveness of your threat intelligence and actively share feedback on the usefulness of Indicators of Compromise (IoCs) and other intelligence with the threat community (for example, sector partners, threat intelligence providers and government agencies).

When using threat intelligence feeds, these have been selected using risk-based and threat informed decisions based on your business needs and sector.

You make relevant, reliable and actionable threat intelligence available to the necessary users and systems promptly.

You contextualise threat intelligence and link it to the why or how attacks take place for security monitoring.

You understand normal user and system abnormalities fully, to such an extent that searching for system abnormalities is an effective way of detecting adverse activity (for example, you fully understand which systems should and should not communicate and when).

The user and system abnormalities you monitor for are based on the nature of adverse activities likely to impact network and information systems supporting the operation of your essential functions.

The user and system abnormalities indicative of adverse activity you use are regularly updated to reflect changes in network and information systems supporting your essential functions and current threat intelligence.

You possess the capability to share threat intelligence (for example, ways to effectively detect adversaries) with the threat community or defender community (sector partners, threat intelligence providers, government agencies) when required.

NIST SP800-53

AU-6(3): Audit review, analysis, and reporting: Correlation with physical monitoring
AU-12: Audit generation
AC-6(9): Least privilege: Log use of privileged functions
CA-7: Continuous monitoring
IR-4: Incident handling
IR-5: Incident monitoring
PL-2: System and communications protection policy
PM-14: Testing, training, and monitoring
PS-3: Personnel screening
RA-10: Threat hunting
SI-4: System monitoring
SI-4(7): System monitoring: Detect unauthorised use
SI-4(11): System monitoring: Analyse communications traffic
SI-4(13): System monitoring: Automated response capability
SI-4(14): System monitoring: Incorporate threat intelligence

NCSC: 10 Steps to Cyber Security

NCSC: Cloud Security Principles

CIS-18

Control 3: Data protection
Control 4: Secure configuration of enterprise assets and software
Control 5: Account management
Control 6: Access control management
Control 8: Audit log management
Control 14: Security awareness and skills training and SOC
Control 17: Incident response management

OWASP 2021

ISO27001

A.10.1: Continual improvement
A.5.7: Threat intelligence
A.5.9: Inventory of information and other associated assets
A.5.10: Acceptable use of information and asset
A.5.18: Event logging
A.5.19: Protection of log information
A.5.20: Monitoring activities
A.5.23: Information security incident management
A.6.2: Privileged access rights

IGP: You understand the resources required to perform threat hunting and these are deployed as part of business as usual.

You deploy threat hunting resources at a frequency that matches the risks posed to network and information systems supporting your essential functions.

Your threat hunts follow pre-determined and documented methods (for example, hypothesis driven, data driven, entity driven) designed to identify adverse activity not detected by automated detections.

You turn threat hunts into automated detections and alerting where appropriate.

You routinely record details of previous threat hunts and post hunt activities. You use these to drive improvements in your threat hunting and security posture.

You have justified confidence in the effectiveness of your threat hunts and the threat hunting process is reviewed and updated to match the risks posed to network and information systems supporting your essential functions. You leverage automation to improve threat hunts where appropriate (for example, some stages of the threat hunting process are automated).

Your threat hunts focus on the tactics, techniques and procedures (TTPs) of threats over atomic IoCs (for example, hashes, IP addresses, domain names and so on).

NIST SP800-53

AC-6(9): Log use of privileged functions
AU-6: Audit review, analysis, and reporting
AU-12: Audit generation
CA-7: Continuous monitoring
PM-14: Testing, training, and monitoring
IR-4: Incident handling
IR-5: Incident monitoring
RA-3: Risk assessment
RA-10: Threat hunting
SI-4: System monitoring
SI-4(14): Incorporate threat intelligence

NCSC: 10 Steps to Cyber Security

NCSC: Cloud Security Principles

CIS-18

Control 3: Data protection
Control 4: Secure configuration of enterprise assets and software
Control 5: Account management
Control 6: Access control management
Control 7: Continuous vulnerability management
Control 8: Audit log management
Control 10: Malware defenses
Control 14: Security operations centre (SOC)
Control 17: Incident response management

OWASP 2021

ISO27001

A.5.7: Threat intelligence
A.5.18: Event logging
A.5.19: Protection of log information
A.5.9: Inventory of information and other associated assets
A.6.2: Privileged access rights
A.5.10: Acceptable use of information and assets
A.5.20: Monitoring activities
A.5.23: Information security incident management
A.10.1: Continual improvement

IGP: You understand the resources that will likely be needed to carry out any required response activities, and arrangements are in place to make these resources available.

You understand the types of information that will likely be needed to inform response decisions and arrangements are in place to make this information available.

Your response team members have the skills and knowledge required to decide on the response actions necessary to limit harm, and the authority to carry them out.

Key roles are duplicated and operational delivery knowledge is shared with all individuals involved in the operations and recovery of the essential functions.

Back-up mechanisms are available that can be readily activated to allow continued operation of your essential functions, although possibly at a reduced level, if primary network and information systems fail or are unavailable.

Arrangements exist to augment your organisation’s incident response capabilities with external support if necessary (for example, specialist cyber incident responders).

NIST SP800-53

CP-2: Contingency plan

NCSC: 10 Steps to Cyber Security

Incident management

NCSC: Cloud Security Principles