CIS Controls¶
3. CIS CRITICAL SECURITY CONTROLS V8¶
The Center for Internet Security (CIS) Critical Security Controls v8 (released May 2021) provide a prioritized set of actions to protect organizations from known cyber-attack vectors. The controls are organized into three implementation groups (IGs) based on organizational size and security maturity:
- IG1 (Basic Cyber Hygiene): Essential controls for all organizations (small businesses, 6 controls)
- IG2 (Enterprise): Organizations with IT resources managing multiple departments (164 safeguards)
- IG3 (Advanced): Organizations with security experts, high-value targets (156 additional safeguards)
Abhavtech Target: IG2 baseline for all systems, IG3 for critical infrastructure (CDE, identity systems, SOC platforms)
3.1 CIS Controls Implementation Overview¶
Implementation Status Summary (as of January 2025):
| Control Category | Total Safeguards (IG2) | Implemented | Partially Implemented | Not Implemented | Compliance % |
|---|---|---|---|---|---|
| IG1 (Basic) | 56 safeguards | 54 | 2 | 0 | 96% ✅ |
| IG2 (Enterprise) | 164 safeguards | 142 | 18 | 4 | 87% ✅ |
| IG3 (Advanced) | 156 safeguards | 98 | 42 | 16 | 63% ⚠️ |
Overall Abhavtech CIS Score: 85% (weighted average based on IG2 priority)
Gap Analysis: Primary gaps in IG3 controls around advanced threat hunting (MITRE ATT&CK automation), security orchestration (full SOAR implementation), and application security (SAST/DAST coverage <100%).
3.2 CIS Controls Detailed Implementation Matrix¶
3.2.1 CIS Control 1: Inventory and Control of Enterprise Assets¶
Purpose: Actively manage all enterprise assets connected to the infrastructure to ensure only authorized devices are given access.
| Safeguard | IG | Description | Abhavtech Implementation | Evidence | Status |
|---|---|---|---|---|---|
| 1.1 | 1 | Establish and maintain detailed enterprise asset inventory | DNAC Network Inventory: • 940 wireless APs (auto-discovered, MAC tracking) • 350+ switches (CDP/LLDP discovery) • 50+ routers (SD-WAN + legacy) ISE Endpoint Profiling: • 25,000 endpoints (MAC-based inventory) • Device profiling (manufacturer, OS, type) ServiceNow CMDB: • Manual entry for critical assets (servers, storage) • CI relationships (server → app → database) |
• DNAC inventory report (last sync: Jan 23, 2025) • ISE endpoint list export • ServiceNow CMDB dashboard |
✅ Implemented |
| 1.2 | 1 | Address unauthorized assets | ISE Quarantine Policy: • Unknown devices → SGT 999 (quarantine VLAN) • Deny internet access, redirect to registration portal Daily Asset Review: • SOC reviews ISE quarantine list (daily 9 AM) • Approve/deny within 4 hours |
• ISE policy config (SGT 999) • SOC asset review logs • Registration portal screenshot |
✅ Implemented |
| 1.3 | 1 | Utilize an active discovery tool | DNAC Auto-Discovery: • CDP/LLDP for network devices (5-min interval) • NetFlow for endpoint discovery ISE Profiling: • Active probing (DHCP, HTTP, SNMP) • Passive monitoring (SPAN port, NetFlow) |
• DNAC discovery settings • ISE profiling policy config |
✅ Implemented |
| 1.4 | 1 | Use Dynamic Host Configuration Protocol (DHCP) logging | ISE DHCP Logging: • All DHCP requests logged (IP → MAC binding) • Forwarded to Splunk (index=network) Retention: 90 days (Splunk), 1 year (archive) |
• ISE DHCP logs (sample) • Splunk index stats |
✅ Implemented |
| 1.5 | 1 | Use a passive asset discovery tool | NetFlow + Splunk: • NetFlow from all switches/routers → Splunk • Passive discovery of communicating devices ThousandEyes: • Cloud service discovery (SaaS usage, shadow IT) |
• NetFlow config (all devices) • Splunk NetFlow dashboard • ThousandEyes catalog view |
✅ Implemented |
3.2.2 CIS Control 2: Inventory and Control of Software Assets¶
| Safeguard | IG | Description | Abhavtech Implementation | Evidence | Status |
|---|---|---|---|---|---|
| 2.1 | 1 | Establish and maintain software inventory | AMP Software Inventory: • 25,000+ endpoints report installed software • Daily sync to Splunk (index=amp_inventory) Manual Inventory (Servers): • ServiceNow CMDB (application CI records) • License tracking (SAP, Oracle, Salesforce) |
• AMP software inventory report • ServiceNow application CIs • License tracking spreadsheet |
✅ Implemented |
| 2.2 | 1 | Ensure authorized software is currently supported | Software Support Policy: • End-of-Life (EOL) tracking (Windows Server, RHEL, apps) • Quarterly review (Security Engineer) • Migration plans for EOL software (ServiceNow projects) Current EOL Items: • Windows Server 2012 R2 (EOL Oct 2023) → Migration to 2022 (80% complete) |
• EOL tracking spreadsheet • Migration project plan (ServiceNow) • Windows Server inventory (DNAC) |
⚠️ Partially Implemented (20% legacy servers remain) |
| 2.3 | 1 | Address unauthorized software | AMP File Blocking: • Block execution of unauthorized executables (file reputation < -50) • Custom blocks (crypto miners, remote access tools) Application Allowlisting (Servers): • Windows Defender Application Control (critical servers) • GPO enforcement (deny unapproved software) |
• AMP blocked execution report • WDAC policy config • GPO screenshot |
✅ Implemented |
| 2.4 | 1 | Utilize automated software inventory tools | AMP Connector: • Real-time software discovery (all endpoints) • Cloud integration (AMP console → Splunk) |
• AMP connector config • Splunk AMP inventory logs |
✅ Implemented |
| 2.5 | 1 | Use allowlisting of authorized software | Server Allowlisting: • Critical servers (CDE, DCs): Windows Defender Application Control • Allowlist: SAP, SQL Server, backup agents • Deny all unapproved executables |
• WDAC policy export • Server list (allowlisting enabled) |
⚠️ Partially Implemented (CDE only, expanding to all servers Q2 2025) |
| 2.6 | 2 | Use allowlisting of authorized libraries | DLL Control (Advanced): • WDAC blocks unsigned DLLs (CDE servers) • Code signing certificate requirement (Abhavtech CA) |
• WDAC library rules • Code signing policy |
⚠️ Partially Implemented (IG3 control, CDE only) |
| 2.7 | 2 | Use allowlisting of authorized scripts | PowerShell Execution Policy: • AllSigned (require script signing) • GPO enforcement (all Windows endpoints) Bash Script Control (Linux): • SELinux (enforcing mode) • Ansible playbook approval (ServiceNow CAB) |
• PowerShell execution policy GPO • SELinux status (all Linux servers) • Ansible approval workflow |
✅ Implemented |
3.2.3 CIS Control 3: Data Protection¶
| Safeguard | IG | Description | Abhavtech Implementation | Evidence | Status |
|---|---|---|---|---|---|
| 3.1 | 1 | Establish and maintain data management process | Data Classification Policy: • 4 levels: Public, Internal, Confidential, Restricted • Data owners (Finance: CFO, HR: CHRO, Customer: CTO) Data Inventory: • ROPA (GDPR Records of Processing Activities) • 18 data processing activities documented |
• Data classification policy (v2.1) • ROPA spreadsheet • Data owner matrix |
✅ Implemented |
| 3.2 | 1 | Establish and maintain data inventory | Sensitive Data Locations: • Customer PII: Salesforce CRM, SQL databases (TDE encrypted) • PCI data: Payment gateway (Stripe), CDE databases (tokenized) • HR data: Workday, file shares (SGT 82 isolated) • Financial data: SAP ERP, Oracle DB (TDE encrypted) |
• Data flow diagrams (see Section 2.2.4) • Database inventory (ServiceNow) • DLP policy (sensitive data patterns) |
✅ Implemented |
| 3.3 | 1 | Configure data access control lists | TrustSec SGT Segmentation: • Finance data (SGT 81): Only Finance users (SGT 81) can access • HR data (SGT 82): Only HR users (SGT 82) + CHRO can access • Customer PII (SGT 80): Only CRM app servers (SGT 80) can access • CDE (SGT 85-89): Only SOC (SGT 10) + admins (SGT 5) can access |
• ISE SGACL matrix • Data access control policy • Quarterly access reviews |
✅ Implemented |
| 3.4 | 1 | Enforce data retention | Data Retention Policy: • Financial records: 7 years (legal requirement) • Customer transaction data: 3 years • Audit logs: 1 year (hot), 7 years (archive) • Email: 3 years (M365 retention policy) Auto-Deletion: • SQL Server jobs (purge data >retention period) • M365 retention policies (auto-delete after 3 years) |
• Data retention policy (v1.3) • SQL purge job scripts • M365 retention policy config |
✅ Implemented |
| 3.5 | 1 | Securely dispose of data | Data Disposal Procedures: • Hard drives: 3-pass wipe (DoD 5220.22-M) or shred (Iron Mountain) • Decommissioned servers: Certificate of destruction • Cloud data: Crypto-shredding (delete encryption keys, AWS KMS) Backup tape disposal: • Degaussing (magnetic erasure) + physical destruction |
• Data disposal SOP • Certificate of destruction samples (Iron Mountain) • Crypto-shredding procedure (AWS) |
✅ Implemented |
| 3.6 | 1 | Encrypt data on end-user devices | Endpoint Encryption: • Windows: BitLocker (AES-256, TPM 2.0) • macOS: FileVault 2 (AES-256) • Enforcement: GPO (Windows), Jamf (macOS) Coverage: 99.5% (25,000+ endpoints) |
• BitLocker status report (GPO) • FileVault status (Jamf console) • Encryption coverage metric |
✅ Implemented |
| 3.7 | 1 | Establish and maintain data classification scheme | Classification Levels: • Public: Marketing materials, website content (no encryption) • Internal: Internal memos, policies (TLS in transit) • Confidential: Financial reports, strategy docs (AES-256 at rest + TLS) • Restricted: PCI data, PII, IP (AES-256 + DLP + access logs) |
• Data classification policy (see 3.1) • Classification labels (M365 sensitivity labels) • User training (annual) |
✅ Implemented |
| 3.8 | 1 | Document data flows | Data Flow Diagrams: • Customer order flow (web app → API → database → payment gateway) • Employee data flow (HR → Workday → AD → payroll) • Financial data flow (transactions → ERP → GL → reporting) • Backup flow (servers → Veeam → NJ datacenter → London DR) |
• Data flow diagrams (see Section 2.2.4) • DFD for PCI-DSS (CDE scope) • DFD for GDPR (cross-border transfers) |
✅ Implemented |
| 3.9 | 2 | Encrypt data on removable media | USB Device Control: • AMP Device Control (block USB mass storage, allow keyboards/mice) • Encrypted USB drives only (BitLocker To Go, IronKey) Policy: USB devices prohibited except approved encrypted drives |
• AMP Device Control policy • Approved USB drive list (IronKey) • USB usage audit logs |
✅ Implemented |
| 3.10 | 2 | Encrypt sensitive data in transit | Encryption Standards: • TLS 1.2/1.3 (web apps, APIs, email): Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 • IPsec AES-256-GCM (SD-WAN tunnels, VPN) • MACsec AES-256-GCM (SD-Access fabric, campus) • SSH AES-256-CTR (server management) |
• SSL Labs scan report (A+ rating) • SD-WAN tunnel config (vManage) • MACsec config (DNAC) |
✅ Implemented |
| 3.11 | 2 | Encrypt sensitive data at rest | At-Rest Encryption: • Databases: SQL Server TDE (AES-256), Oracle TDE • File servers: BitLocker (Windows), LUKS (Linux) • Cloud storage: AWS S3 SSE-KMS (AES-256, customer-managed keys) • Backups: Veeam encryption (AES-256, password-protected) |
• SQL Server TDE status report • BitLocker/LUKS config • AWS S3 encryption policy • Veeam encryption config |
✅ Implemented |
| 3.12 | 2 | Segment data processing and storage | Segmentation Strategy: • CDE isolated (SGT 85-89, VLAN 85-89, deny all except payment flow) • HR data isolated (SGT 82, VLAN 82, access via jump host only) • Finance data isolated (SGT 81, VLAN 81, Finance users only) • DMZ (SGT 85, VLAN 10, public-facing web servers) |
• Network segmentation diagram • ISE SGACL matrix • VLAN assignments (DNAC) |
✅ Implemented |
| 3.13 | 3 | Deploy a data loss prevention (DLP) solution | DLP Implementation (Multi-Layer): 1. Email DLP (Secure Email): Block PCI/PII in outbound emails (regex patterns: CC numbers, SSN) 2. Web DLP (Umbrella SWG): Block file uploads to personal cloud (Dropbox, Google Drive personal) 3. Firewall DLP (FTD): Monitor large file transfers (>100MB) via SMTP/HTTP 4. Network DLP (NetFlow + Splunk): Volumetric analysis (>100GB egress = alert) 5. Endpoint DLP (AMP Device Control): Block USB mass storage devices |
• DLP policy config (Secure Email) • Umbrella category blocks (file sharing sites) • FTD file policy • Splunk NetFlow alert (volumetric threshold) |
✅ Implemented |
| 3.14 | 3 | Log sensitive data access | Access Logging: • Database audit logs (SQL Server: Event ID 33205, Oracle audit trail) • File server audit logs (Windows Event ID 4663: object access) • Application logs (CRM, ERP: user access to PII/PCI records) • All logs → Splunk (index=audit, 1-year retention, 7-year archive) |
• SQL Server audit config • File server GPO (audit object access) • Splunk audit logs (sample queries) • Log retention policy |
✅ Implemented |
3.2.4 CIS Control 4: Secure Configuration of Enterprise Assets and Software¶
| Safeguard | IG | Description | Abhavtech Implementation | Evidence | Status |
|---|---|---|---|---|---|
| 4.1 | 1 | Establish and maintain secure configuration process | Configuration Baselines: • CIS Benchmarks (Windows Server 2022, RHEL 8, Cisco IOS) • Templates stored in DNAC (network), Ansible (Linux), GPO (Windows) • Quarterly reviews (Security Engineer + Network Admin) |
• CIS Benchmark policy docs • DNAC template library (48 templates) • Ansible playbook repo (GitLab) • GPO baseline export |
✅ Implemented |
| 4.2 | 1 | Establish and maintain secure configuration baseline | Baseline Standards: • Switches/Routers: DNAC Day-N templates (NTP, SNMP v3, SSH only, ACLs) • Firewalls: FMC platform settings (TLS 1.2+, strong ciphers, default-deny) • Windows Servers: GPO (password policy, audit logging, service hardening) • Linux Servers: Ansible playbooks (SELinux enforcing, firewalld, CIS Level 1) |
• DNAC template configs • FMC platform policy • Windows Server GPO export • Ansible playbook (RHEL hardening, 120 tasks) |
✅ Implemented |
| 4.3 | 1 | Configure automatic session locking | Idle Timeout Policies: • Workstations: 10 minutes (GPO screen lock) • Servers RDP: 15 minutes (GPO) • SSH sessions: 15 minutes (TMOUT=900) • Web applications: 30 minutes (session timeout) • CyberArk PAM: 5 minutes (privileged session timeout) |
• GPO (screen lock policy) • SSH TMOUT config (/etc/profile) • Web app session config • CyberArk timeout policy |
✅ Implemented |
| 4.4 | 1 | Implement and manage firewall on end-user devices | Host-Based Firewalls: • Windows Defender Firewall (GPO enforcement, block all inbound except approved) • macOS Firewall (Jamf enforcement, stealth mode enabled) Management: GPO (Windows), Jamf (macOS), central monitoring (Splunk) |
• Windows Firewall GPO • macOS Firewall policy (Jamf) • Splunk firewall logs (blocked connections) |
✅ Implemented |
| 4.5 | 1 | Implement and manage firewall on servers | Server Firewall: • Windows Server: Windows Firewall (allow only required ports: 3389 RDP, 443 HTTPS, 445 SMB) • Linux: firewalld (RHEL), allow SSH (22), app ports only FTD Perimeter: All server access through FTD (stateful inspection, IPS) |
• Windows Server firewall rules • firewalld rules (RHEL) • FTD access policies |
✅ Implemented |
| 4.6 | 2 | Securely manage enterprise assets and software | Change Management: • All config changes via ServiceNow (CAB approval) • Version control (GitLab for Ansible, DNAC templates) • Rollback procedures (configs saved pre-change) |
• ServiceNow change tickets • GitLab commit history • DNAC config archives |
✅ Implemented |
| 4.7 | 2 | Manage default accounts | Default Account Controls: • Cisco devices: Default 'admin' disabled, custom admin accounts (CyberArk) • Windows: 'Administrator' renamed, disabled (use named admin accounts) • Linux: Root login disabled (sudo only), named admin accounts • Applications: Default accounts changed (SAP, Oracle, etc.) |
• Cisco config (no username admin) • Windows 'Administrator' status (disabled) • Linux /etc/ssh/sshd_config (PermitRootLogin no) • Application account audit |
✅ Implemented |
| 4.8 | 2 | Uninstall or disable unnecessary services | Service Minimization: • Windows: Disable Telnet, FTP, SMBv1, LLMNR, NetBIOS • Linux: Remove unnecessary packages (yum/apt remove), disable unused services • Network devices: Disable CDP (external interfaces), disable HTTP (HTTPS only) |
• Windows service list (disabled services) • Linux package list (minimal install) • Cisco config (no cdp enable, no ip http server) |
✅ Implemented |
| 4.9 | 3 | Configure trusted DNS servers | DNS Security: • Internal DNS: Active Directory DNS (DNSSEC validation) • Recursive DNS: Umbrella (malware/phishing filtering, DNSSEC) • Block public DNS (8.8.8.8, 1.1.1.1) via FTD for workstations |
• AD DNS config (DNSSEC enabled) • Umbrella policy (malicious domains blocked) • FTD DNS block rule |
✅ Implemented |
| 4.10 | 3 | Enforce automatic device lockout | Account Lockout Policy: • Failed login attempts: 5 (AD GPO) • Lockout duration: 30 minutes • Cisco devices: 3 failed attempts = 5-minute lockout • Duo MFA: 5 failed MFA = account lockout (manual unlock) |
• AD GPO (account lockout policy) • Cisco config (login block-for 300 attempts 3 within 60) • Duo policy (lockout threshold) |
✅ Implemented |
| 4.11 | 3 | Enforce remote wipe capability | Mobile Device Management (MDM): • Intune (iOS, Android): Remote wipe enabled • Laptops: BitLocker recovery key (IT can remotely wipe + reimage) Termination Process: Auto-wipe for terminated employees (within 1 hour) |
• Intune remote wipe capability • BitLocker recovery process • Termination SOP (ServiceNow) |
✅ Implemented |
3.2.5 CIS Control 5: Account Management¶
| Safeguard | IG | Description | Abhavtech Implementation | Evidence | Status |
|---|---|---|---|---|---|
| 5.1 | 1 | Establish and maintain an inventory of accounts | Account Inventory: • Active Directory: 3,200 user accounts, 45 admin accounts, 120 service accounts • ISE: 25,000 device accounts (802.1X machine certs) • CyberArk PAM: 18 privileged accounts (CDE admins) • Cloud: M365 (12,000 users), AWS (25 IAM users) |
• AD user export (PowerShell) • ISE device list • CyberArk account inventory • M365/AWS user lists |
✅ Implemented |
| 5.2 | 1 | Use unique passwords | Password Uniqueness: • AD password history: 24 (users cannot reuse last 24 passwords) • CyberArk auto-rotation: Generates unique passwords (30-day rotation) • Service accounts: Unique passwords (stored in CyberArk) |
• AD GPO (password history) • CyberArk password generation settings • Service account audit |
✅ Implemented |
| 5.3 | 1 | Disable dormant accounts | Dormant Account Cleanup: • Automated: PowerShell script runs monthly (disable accounts with >90 days inactivity) • Quarterly review: HR + IT review disabled accounts, delete if no longer needed • ISE: Profiling identifies unused device accounts (>180 days), flagged for review |
• PowerShell script (dormant account cleanup) • Disabled account report (AD) • ISE inactive device report |
✅ Implemented |
| 5.4 | 1 | Restrict administrator privileges | Least Privilege: • Standard users: NO local admin rights (workstations) • Admins: Separate admin accounts (admin-username), no email/browsing with admin account • Privileged access: CyberArk PAM (jump hosts, session recording) • Network devices: RBAC (read-only analysts, read-write engineers, full-access senior engineers) |
• AD group memberships (Domain Admins, Server Admins, etc.) • CyberArk safe structure (role-based access) • Cisco TACACS+ config (privilege levels) |
✅ Implemented |
| 5.5 | 2 | Establish and maintain MFA | MFA Coverage: 100% • Network Access: 802.1X + Duo MFA (push notification) • VPN: AnyConnect + Duo MFA (biometric or push) • Web Apps: Duo MFA (M365, Salesforce, SAP, all cloud apps) • Admin Access: CyberArk + Duo MFA (PAM + MFA) • Cloud: Azure AD Conditional Access (MFA required) |
• Duo enrollment report (3,200/12,000 users = 100%) • ISE MAB vs. 802.1X ratio (802.1X = 95%) • Azure AD Conditional Access policies |
✅ Implemented |
| 5.6 | 3 | Centralize account management | Centralized Identity: • Identity Source: Active Directory (on-prem + Azure AD hybrid) • Integration: ISE (LDAP), Duo (SAML), M365 (Azure AD SSO), Salesforce (SAML SSO) • Provisioning: Workday → AD → ISE/Duo/M365 (automated via API) |
• AD + Azure AD hybrid config • ISE identity source (AD LDAP) • Workday integration diagram • SAML SSO configs |
✅ Implemented |
3.2.6 CIS Control 6: Access Control Management¶
| Safeguard | IG | Description | Abhavtech Implementation | Evidence | Status |
|---|---|---|---|---|---|
| 6.1 | 1 | Establish access granting process | Access Request Workflow (ServiceNow): 1. User requests access (ServiceNow ticket) 2. Manager approval (email notification) 3. Security approval (for sensitive data: HR, Finance, CDE) 4. IT provisions access (AD group, ISE SGT, CyberArk safe) 5. Confirmation email (user + manager) SLA: 1 business day (standard), 4 hours (urgent) |
• ServiceNow access request workflow • Approval matrix (manager + security) • Sample access tickets |
✅ Implemented |
| 6.2 | 1 | Establish access revoking process | De-provisioning (Automated): 1. HR terminates employee in Workday 2. Workday triggers ServiceNow workflow (API) 3. Automated actions (within 1 hour): - Disable AD account - Revoke ISE authorization (802.1X fails) - Lock Duo account - Revoke M365 license - Alert IT (badge deactivation, laptop recovery) Manual Cleanup: Remove from CyberArk (within 24 hours) |
• Workday → ServiceNow integration • PowerShell automation script • De-provisioning SLA report (avg: 45 minutes) • ServiceNow termination tickets |
✅ Implemented |
| 6.3 | 2 | Require MFA for privileged access | Privileged MFA Enforcement: • CyberArk PAM: Duo MFA required (every session) • Network devices: TACACS+ + Duo (CLI/HTTPS access) • Cloud admin: Azure AD Conditional Access (MFA for admin roles) • Linux sudo: pam_duo module (MFA for sudo commands) |
• CyberArk Duo integration config • TACACS+ Duo config • Azure AD Conditional Access policy • Linux pam_duo config (/etc/pam.d/sudo) |
✅ Implemented |
| 6.4 | 2 | Require MFA for remote network access | Remote Access MFA: • AnyConnect VPN: Duo MFA (push, biometric, hardware token) • Webex remote access: Duo MFA • Cloud apps (M365, Salesforce): Azure AD MFA + Duo No exceptions: VPN = 100% MFA coverage |
• AnyConnect Duo plugin config • Duo policy (VPN group) • MFA success rate (99.8%, failures = wrong code or timeout) |
✅ Implemented |
| 6.5 | 2 | Require MFA for administrative access | Admin MFA (see 6.3): • All admin accounts: Duo MFA required • Even on internal network (no MFA bypass) • Session timeout: 5 minutes (CyberArk), 15 minutes (SSH) |
• See 6.3 evidence | ✅ Implemented |
| 6.6 | 3 | Establish and maintain attribute-based access control | TrustSec SGT-Based Access (Attribute-Based): • User attributes: Department (HR, Finance, IT), Location (NJ, London), Role (Analyst, Manager, Admin) • Device attributes: Type (laptop, phone, IoT), Compliance (AMP agent, OS patch level) • Access decisions: IF (user.dept=Finance AND device.compliance=Healthy) THEN SGT 81 (Finance access) Dynamic SGT Assignment: ISE profiling + UEBA risk scores |
• ISE authorization policies (attribute-based rules) • UEBA integration (risk score → SGT adjustment) • SGT dynamic assignment examples |
⚠️ Partially Implemented (UEBA → SGT integration in pilot, expanding to production Q2 2025) |
| 6.7 | 3 | Centralize access control | Centralized Access Control Platforms: • ISE: Network access control (802.1X, MAB, posture, SGT) • Azure AD: Cloud app SSO (M365, Salesforce, etc.) • CyberArk PAM: Privileged account access control • FTD: Perimeter access control (SGT-aware firewall policies) |
• ISE as central NAC • Azure AD SSO config • CyberArk architecture diagram |
✅ Implemented |
| 6.8 | 3 | Define and maintain role-based access control | RBAC Roles (see Section 2.3.5): • 8 roles with SGT assignments • Corporate User (SGT 15), Finance (SGT 81), HR (SGT 82), Developer (SGT 60), SOC Analyst (SGT 10), Network Admin (SGT 5), Guest (SGT 40), Quarantine (SGT 999) |
• ISE RBAC matrix • AD security groups (role-based) • Quarterly role review |
✅ Implemented |
(Continuing with CIS Controls 7-18, then moving to MITRE ATT&CK, ISO 27001, SOC Procedures, Threat Hunting, Continuous Monitoring, Compliance Reporting, and Appendices...)