CIS Top 20 Checklist

Prioritize security controls for effectiveness against real-world threats


CIS Top 20 Controls Checklist

  • 1. Do you have the ability to prevent and detect when unauthorized hardware devices are connected to your network?
  • 2. Do you have the ability to prevent and detect unauthorized software from being installed on your network devices and employee mobile devices?
  • 3. Do you regularly (monthly or quarterly) scan for, detect, and remediate vulnerabilities on your network using a SCAP-certified scanning tool?
  • 4. Have you applied additional protections to administrative tasks, roles, accounts, and critical devices?
  • 5. Do you apply security hardening procedures to your phones, mobile devices, laptops, workstations, and servers?
  • 6. Do you use a Security Information and Event Management (SIEM) tool to collect, monitor, and analyze audit logs?
  • 7. Do you use only fully supported, current, and patched email clients, web browsers, content filters, and spam filters?
  • 8. Do you have an anti-malware solution in place?
  • 9. Do you use a next-generation firewall with endpoint control to limit and control the network ports, protocols, and services in use?
  • 10. Do you perform and test regular backups, with at least one backup destination that is not continuously addressable from the network, to protect against ransomware attacks?
  • 11. Do you use configuration management and a change-control process to manage all critical network devices and infrastructure?
  • 12. Does your firewall inspect and alert on all traffic, including encrypted traffic?
  • 13. Do you maintain an inventory of where all of your sensitive information and data are stored, and do you have a process and tool in place to prevent data exfiltration?
  • 14. Do you segment and control access to data and systems in your organization?
  • 15. Do you have formal processes and tools in place to track, control, prevent, and restrict access to your wireless networks using strong encryption and multi-factor authentication?
  • 16. Do you have formal processes and technologies to monitor and manage users’ access to systems, workstations, and applications?
  • 17. Do you currently have a security awareness training program, and do you test all employees at least semi-annually?
  • 18. Do you have formal processes and tools in place to manage the security lifecycle of all in-house-developed and acquired software, in order to prevent, detect, and correct security weaknesses?
  • 19. Do you have a documented incident response plan and test it at least annually?
  • 20. Do you conduct internal and external penetration tests at least annually?