Skip to content

CIS Controls

3. CIS CRITICAL SECURITY CONTROLS V8

The Center for Internet Security (CIS) Critical Security Controls v8 (released May 2021) provide a prioritized set of actions to protect organizations from known cyber-attack vectors. The controls are organized into three implementation groups (IGs) based on organizational size and security maturity:

  • IG1 (Basic Cyber Hygiene): Essential controls for all organizations (small businesses, 6 controls)
  • IG2 (Enterprise): Organizations with IT resources managing multiple departments (164 safeguards)
  • IG3 (Advanced): Organizations with security experts, high-value targets (156 additional safeguards)

Abhavtech Target: IG2 baseline for all systems, IG3 for critical infrastructure (CDE, identity systems, SOC platforms)

3.1 CIS Controls Implementation Overview

Implementation Status Summary (as of January 2025):

Control Category Total Safeguards (IG2) Implemented Partially Implemented Not Implemented Compliance %
IG1 (Basic) 56 safeguards 54 2 0 96%
IG2 (Enterprise) 164 safeguards 142 18 4 87%
IG3 (Advanced) 156 safeguards 98 42 16 63% ⚠️

Overall Abhavtech CIS Score: 85% (weighted average based on IG2 priority)

Gap Analysis: Primary gaps in IG3 controls around advanced threat hunting (MITRE ATT&CK automation), security orchestration (full SOAR implementation), and application security (SAST/DAST coverage <100%).

3.2 CIS Controls Detailed Implementation Matrix

3.2.1 CIS Control 1: Inventory and Control of Enterprise Assets

Purpose: Actively manage all enterprise assets connected to the infrastructure to ensure only authorized devices are given access.

Safeguard IG Description Abhavtech Implementation Evidence Status
1.1 1 Establish and maintain detailed enterprise asset inventory DNAC Network Inventory:
• 940 wireless APs (auto-discovered, MAC tracking)
• 350+ switches (CDP/LLDP discovery)
• 50+ routers (SD-WAN + legacy)
ISE Endpoint Profiling:
• 25,000 endpoints (MAC-based inventory)
• Device profiling (manufacturer, OS, type)
ServiceNow CMDB:
• Manual entry for critical assets (servers, storage)
• CI relationships (server → app → database)
• DNAC inventory report (last sync: Jan 23, 2025)
• ISE endpoint list export
• ServiceNow CMDB dashboard
✅ Implemented
1.2 1 Address unauthorized assets ISE Quarantine Policy:
• Unknown devices → SGT 999 (quarantine VLAN)
• Deny internet access, redirect to registration portal
Daily Asset Review:
• SOC reviews ISE quarantine list (daily 9 AM)
• Approve/deny within 4 hours
• ISE policy config (SGT 999)
• SOC asset review logs
• Registration portal screenshot
✅ Implemented
1.3 1 Utilize an active discovery tool DNAC Auto-Discovery:
• CDP/LLDP for network devices (5-min interval)
• NetFlow for endpoint discovery
ISE Profiling:
• Active probing (DHCP, HTTP, SNMP)
• Passive monitoring (SPAN port, NetFlow)
• DNAC discovery settings
• ISE profiling policy config
✅ Implemented
1.4 1 Use Dynamic Host Configuration Protocol (DHCP) logging ISE DHCP Logging:
• All DHCP requests logged (IP → MAC binding)
• Forwarded to Splunk (index=network)
Retention: 90 days (Splunk), 1 year (archive)
• ISE DHCP logs (sample)
• Splunk index stats
✅ Implemented
1.5 1 Use a passive asset discovery tool NetFlow + Splunk:
• NetFlow from all switches/routers → Splunk
• Passive discovery of communicating devices
ThousandEyes:
• Cloud service discovery (SaaS usage, shadow IT)
• NetFlow config (all devices)
• Splunk NetFlow dashboard
• ThousandEyes catalog view
✅ Implemented

3.2.2 CIS Control 2: Inventory and Control of Software Assets

Safeguard IG Description Abhavtech Implementation Evidence Status
2.1 1 Establish and maintain software inventory AMP Software Inventory:
• 25,000+ endpoints report installed software
• Daily sync to Splunk (index=amp_inventory)
Manual Inventory (Servers):
• ServiceNow CMDB (application CI records)
• License tracking (SAP, Oracle, Salesforce)
• AMP software inventory report
• ServiceNow application CIs
• License tracking spreadsheet
✅ Implemented
2.2 1 Ensure authorized software is currently supported Software Support Policy:
• End-of-Life (EOL) tracking (Windows Server, RHEL, apps)
• Quarterly review (Security Engineer)
• Migration plans for EOL software (ServiceNow projects)
Current EOL Items:
• Windows Server 2012 R2 (EOL Oct 2023) → Migration to 2022 (80% complete)
• EOL tracking spreadsheet
• Migration project plan (ServiceNow)
• Windows Server inventory (DNAC)
⚠️ Partially Implemented (20% legacy servers remain)
2.3 1 Address unauthorized software AMP File Blocking:
• Block execution of unauthorized executables (file reputation < -50)
• Custom blocks (crypto miners, remote access tools)
Application Allowlisting (Servers):
• Windows Defender Application Control (critical servers)
• GPO enforcement (deny unapproved software)
• AMP blocked execution report
• WDAC policy config
• GPO screenshot
✅ Implemented
2.4 1 Utilize automated software inventory tools AMP Connector:
• Real-time software discovery (all endpoints)
• Cloud integration (AMP console → Splunk)
• AMP connector config
• Splunk AMP inventory logs
✅ Implemented
2.5 1 Use allowlisting of authorized software Server Allowlisting:
• Critical servers (CDE, DCs): Windows Defender Application Control
• Allowlist: SAP, SQL Server, backup agents
• Deny all unapproved executables
• WDAC policy export
• Server list (allowlisting enabled)
⚠️ Partially Implemented (CDE only, expanding to all servers Q2 2025)
2.6 2 Use allowlisting of authorized libraries DLL Control (Advanced):
• WDAC blocks unsigned DLLs (CDE servers)
• Code signing certificate requirement (Abhavtech CA)
• WDAC library rules
• Code signing policy
⚠️ Partially Implemented (IG3 control, CDE only)
2.7 2 Use allowlisting of authorized scripts PowerShell Execution Policy:
• AllSigned (require script signing)
• GPO enforcement (all Windows endpoints)
Bash Script Control (Linux):
• SELinux (enforcing mode)
• Ansible playbook approval (ServiceNow CAB)
• PowerShell execution policy GPO
• SELinux status (all Linux servers)
• Ansible approval workflow
✅ Implemented

3.2.3 CIS Control 3: Data Protection

Safeguard IG Description Abhavtech Implementation Evidence Status
3.1 1 Establish and maintain data management process Data Classification Policy:
• 4 levels: Public, Internal, Confidential, Restricted
• Data owners (Finance: CFO, HR: CHRO, Customer: CTO)
Data Inventory:
• ROPA (GDPR Records of Processing Activities)
• 18 data processing activities documented
• Data classification policy (v2.1)
• ROPA spreadsheet
• Data owner matrix
✅ Implemented
3.2 1 Establish and maintain data inventory Sensitive Data Locations:
• Customer PII: Salesforce CRM, SQL databases (TDE encrypted)
• PCI data: Payment gateway (Stripe), CDE databases (tokenized)
• HR data: Workday, file shares (SGT 82 isolated)
• Financial data: SAP ERP, Oracle DB (TDE encrypted)
• Data flow diagrams (see Section 2.2.4)
• Database inventory (ServiceNow)
• DLP policy (sensitive data patterns)
✅ Implemented
3.3 1 Configure data access control lists TrustSec SGT Segmentation:
• Finance data (SGT 81): Only Finance users (SGT 81) can access
• HR data (SGT 82): Only HR users (SGT 82) + CHRO can access
• Customer PII (SGT 80): Only CRM app servers (SGT 80) can access
• CDE (SGT 85-89): Only SOC (SGT 10) + admins (SGT 5) can access
• ISE SGACL matrix
• Data access control policy
• Quarterly access reviews
✅ Implemented
3.4 1 Enforce data retention Data Retention Policy:
• Financial records: 7 years (legal requirement)
• Customer transaction data: 3 years
• Audit logs: 1 year (hot), 7 years (archive)
• Email: 3 years (M365 retention policy)
Auto-Deletion:
• SQL Server jobs (purge data >retention period)
• M365 retention policies (auto-delete after 3 years)
• Data retention policy (v1.3)
• SQL purge job scripts
• M365 retention policy config
✅ Implemented
3.5 1 Securely dispose of data Data Disposal Procedures:
• Hard drives: 3-pass wipe (DoD 5220.22-M) or shred (Iron Mountain)
• Decommissioned servers: Certificate of destruction
• Cloud data: Crypto-shredding (delete encryption keys, AWS KMS)
Backup tape disposal:
• Degaussing (magnetic erasure) + physical destruction
• Data disposal SOP
• Certificate of destruction samples (Iron Mountain)
• Crypto-shredding procedure (AWS)
✅ Implemented
3.6 1 Encrypt data on end-user devices Endpoint Encryption:
• Windows: BitLocker (AES-256, TPM 2.0)
• macOS: FileVault 2 (AES-256)
• Enforcement: GPO (Windows), Jamf (macOS)
Coverage: 99.5% (25,000+ endpoints)
• BitLocker status report (GPO)
• FileVault status (Jamf console)
• Encryption coverage metric
✅ Implemented
3.7 1 Establish and maintain data classification scheme Classification Levels:
Public: Marketing materials, website content (no encryption)
Internal: Internal memos, policies (TLS in transit)
Confidential: Financial reports, strategy docs (AES-256 at rest + TLS)
Restricted: PCI data, PII, IP (AES-256 + DLP + access logs)
• Data classification policy (see 3.1)
• Classification labels (M365 sensitivity labels)
• User training (annual)
✅ Implemented
3.8 1 Document data flows Data Flow Diagrams:
• Customer order flow (web app → API → database → payment gateway)
• Employee data flow (HR → Workday → AD → payroll)
• Financial data flow (transactions → ERP → GL → reporting)
• Backup flow (servers → Veeam → NJ datacenter → London DR)
• Data flow diagrams (see Section 2.2.4)
• DFD for PCI-DSS (CDE scope)
• DFD for GDPR (cross-border transfers)
✅ Implemented
3.9 2 Encrypt data on removable media USB Device Control:
• AMP Device Control (block USB mass storage, allow keyboards/mice)
• Encrypted USB drives only (BitLocker To Go, IronKey)
Policy: USB devices prohibited except approved encrypted drives
• AMP Device Control policy
• Approved USB drive list (IronKey)
• USB usage audit logs
✅ Implemented
3.10 2 Encrypt sensitive data in transit Encryption Standards:
• TLS 1.2/1.3 (web apps, APIs, email): Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• IPsec AES-256-GCM (SD-WAN tunnels, VPN)
• MACsec AES-256-GCM (SD-Access fabric, campus)
• SSH AES-256-CTR (server management)
• SSL Labs scan report (A+ rating)
• SD-WAN tunnel config (vManage)
• MACsec config (DNAC)
✅ Implemented
3.11 2 Encrypt sensitive data at rest At-Rest Encryption:
• Databases: SQL Server TDE (AES-256), Oracle TDE
• File servers: BitLocker (Windows), LUKS (Linux)
• Cloud storage: AWS S3 SSE-KMS (AES-256, customer-managed keys)
• Backups: Veeam encryption (AES-256, password-protected)
• SQL Server TDE status report
• BitLocker/LUKS config
• AWS S3 encryption policy
• Veeam encryption config
✅ Implemented
3.12 2 Segment data processing and storage Segmentation Strategy:
• CDE isolated (SGT 85-89, VLAN 85-89, deny all except payment flow)
• HR data isolated (SGT 82, VLAN 82, access via jump host only)
• Finance data isolated (SGT 81, VLAN 81, Finance users only)
• DMZ (SGT 85, VLAN 10, public-facing web servers)
• Network segmentation diagram
• ISE SGACL matrix
• VLAN assignments (DNAC)
✅ Implemented
3.13 3 Deploy a data loss prevention (DLP) solution DLP Implementation (Multi-Layer):
1. Email DLP (Secure Email): Block PCI/PII in outbound emails (regex patterns: CC numbers, SSN)
2. Web DLP (Umbrella SWG): Block file uploads to personal cloud (Dropbox, Google Drive personal)
3. Firewall DLP (FTD): Monitor large file transfers (>100MB) via SMTP/HTTP
4. Network DLP (NetFlow + Splunk): Volumetric analysis (>100GB egress = alert)
5. Endpoint DLP (AMP Device Control): Block USB mass storage devices
• DLP policy config (Secure Email)
• Umbrella category blocks (file sharing sites)
• FTD file policy
• Splunk NetFlow alert (volumetric threshold)
✅ Implemented
3.14 3 Log sensitive data access Access Logging:
• Database audit logs (SQL Server: Event ID 33205, Oracle audit trail)
• File server audit logs (Windows Event ID 4663: object access)
• Application logs (CRM, ERP: user access to PII/PCI records)
• All logs → Splunk (index=audit, 1-year retention, 7-year archive)
• SQL Server audit config
• File server GPO (audit object access)
• Splunk audit logs (sample queries)
• Log retention policy
✅ Implemented

3.2.4 CIS Control 4: Secure Configuration of Enterprise Assets and Software

Safeguard IG Description Abhavtech Implementation Evidence Status
4.1 1 Establish and maintain secure configuration process Configuration Baselines:
• CIS Benchmarks (Windows Server 2022, RHEL 8, Cisco IOS)
• Templates stored in DNAC (network), Ansible (Linux), GPO (Windows)
• Quarterly reviews (Security Engineer + Network Admin)
• CIS Benchmark policy docs
• DNAC template library (48 templates)
• Ansible playbook repo (GitLab)
• GPO baseline export
✅ Implemented
4.2 1 Establish and maintain secure configuration baseline Baseline Standards:
Switches/Routers: DNAC Day-N templates (NTP, SNMP v3, SSH only, ACLs)
Firewalls: FMC platform settings (TLS 1.2+, strong ciphers, default-deny)
Windows Servers: GPO (password policy, audit logging, service hardening)
Linux Servers: Ansible playbooks (SELinux enforcing, firewalld, CIS Level 1)
• DNAC template configs
• FMC platform policy
• Windows Server GPO export
• Ansible playbook (RHEL hardening, 120 tasks)
✅ Implemented
4.3 1 Configure automatic session locking Idle Timeout Policies:
• Workstations: 10 minutes (GPO screen lock)
• Servers RDP: 15 minutes (GPO)
• SSH sessions: 15 minutes (TMOUT=900)
• Web applications: 30 minutes (session timeout)
• CyberArk PAM: 5 minutes (privileged session timeout)
• GPO (screen lock policy)
• SSH TMOUT config (/etc/profile)
• Web app session config
• CyberArk timeout policy
✅ Implemented
4.4 1 Implement and manage firewall on end-user devices Host-Based Firewalls:
• Windows Defender Firewall (GPO enforcement, block all inbound except approved)
• macOS Firewall (Jamf enforcement, stealth mode enabled)
Management: GPO (Windows), Jamf (macOS), central monitoring (Splunk)
• Windows Firewall GPO
• macOS Firewall policy (Jamf)
• Splunk firewall logs (blocked connections)
✅ Implemented
4.5 1 Implement and manage firewall on servers Server Firewall:
• Windows Server: Windows Firewall (allow only required ports: 3389 RDP, 443 HTTPS, 445 SMB)
• Linux: firewalld (RHEL), allow SSH (22), app ports only
FTD Perimeter: All server access through FTD (stateful inspection, IPS)
• Windows Server firewall rules
• firewalld rules (RHEL)
• FTD access policies
✅ Implemented
4.6 2 Securely manage enterprise assets and software Change Management:
• All config changes via ServiceNow (CAB approval)
• Version control (GitLab for Ansible, DNAC templates)
• Rollback procedures (configs saved pre-change)
• ServiceNow change tickets
• GitLab commit history
• DNAC config archives
✅ Implemented
4.7 2 Manage default accounts Default Account Controls:
• Cisco devices: Default 'admin' disabled, custom admin accounts (CyberArk)
• Windows: 'Administrator' renamed, disabled (use named admin accounts)
• Linux: Root login disabled (sudo only), named admin accounts
• Applications: Default accounts changed (SAP, Oracle, etc.)
• Cisco config (no username admin)
• Windows 'Administrator' status (disabled)
• Linux /etc/ssh/sshd_config (PermitRootLogin no)
• Application account audit
✅ Implemented
4.8 2 Uninstall or disable unnecessary services Service Minimization:
• Windows: Disable Telnet, FTP, SMBv1, LLMNR, NetBIOS
• Linux: Remove unnecessary packages (yum/apt remove), disable unused services
• Network devices: Disable CDP (external interfaces), disable HTTP (HTTPS only)
• Windows service list (disabled services)
• Linux package list (minimal install)
• Cisco config (no cdp enable, no ip http server)
✅ Implemented
4.9 3 Configure trusted DNS servers DNS Security:
• Internal DNS: Active Directory DNS (DNSSEC validation)
• Recursive DNS: Umbrella (malware/phishing filtering, DNSSEC)
• Block public DNS (8.8.8.8, 1.1.1.1) via FTD for workstations
• AD DNS config (DNSSEC enabled)
• Umbrella policy (malicious domains blocked)
• FTD DNS block rule
✅ Implemented
4.10 3 Enforce automatic device lockout Account Lockout Policy:
• Failed login attempts: 5 (AD GPO)
• Lockout duration: 30 minutes
• Cisco devices: 3 failed attempts = 5-minute lockout
• Duo MFA: 5 failed MFA = account lockout (manual unlock)
• AD GPO (account lockout policy)
• Cisco config (login block-for 300 attempts 3 within 60)
• Duo policy (lockout threshold)
✅ Implemented
4.11 3 Enforce remote wipe capability Mobile Device Management (MDM):
• Intune (iOS, Android): Remote wipe enabled
• Laptops: BitLocker recovery key (IT can remotely wipe + reimage)
Termination Process: Auto-wipe for terminated employees (within 1 hour)
• Intune remote wipe capability
• BitLocker recovery process
• Termination SOP (ServiceNow)
✅ Implemented

3.2.5 CIS Control 5: Account Management

Safeguard IG Description Abhavtech Implementation Evidence Status
5.1 1 Establish and maintain an inventory of accounts Account Inventory:
• Active Directory: 3,200 user accounts, 45 admin accounts, 120 service accounts
• ISE: 25,000 device accounts (802.1X machine certs)
• CyberArk PAM: 18 privileged accounts (CDE admins)
• Cloud: M365 (12,000 users), AWS (25 IAM users)
• AD user export (PowerShell)
• ISE device list
• CyberArk account inventory
• M365/AWS user lists
✅ Implemented
5.2 1 Use unique passwords Password Uniqueness:
• AD password history: 24 (users cannot reuse last 24 passwords)
• CyberArk auto-rotation: Generates unique passwords (30-day rotation)
• Service accounts: Unique passwords (stored in CyberArk)
• AD GPO (password history)
• CyberArk password generation settings
• Service account audit
✅ Implemented
5.3 1 Disable dormant accounts Dormant Account Cleanup:
• Automated: PowerShell script runs monthly (disable accounts with >90 days inactivity)
• Quarterly review: HR + IT review disabled accounts, delete if no longer needed
• ISE: Profiling identifies unused device accounts (>180 days), flagged for review
• PowerShell script (dormant account cleanup)
• Disabled account report (AD)
• ISE inactive device report
✅ Implemented
5.4 1 Restrict administrator privileges Least Privilege:
• Standard users: NO local admin rights (workstations)
• Admins: Separate admin accounts (admin-username), no email/browsing with admin account
• Privileged access: CyberArk PAM (jump hosts, session recording)
• Network devices: RBAC (read-only analysts, read-write engineers, full-access senior engineers)
• AD group memberships (Domain Admins, Server Admins, etc.)
• CyberArk safe structure (role-based access)
• Cisco TACACS+ config (privilege levels)
✅ Implemented
5.5 2 Establish and maintain MFA MFA Coverage: 100%
Network Access: 802.1X + Duo MFA (push notification)
VPN: AnyConnect + Duo MFA (biometric or push)
Web Apps: Duo MFA (M365, Salesforce, SAP, all cloud apps)
Admin Access: CyberArk + Duo MFA (PAM + MFA)
Cloud: Azure AD Conditional Access (MFA required)
• Duo enrollment report (3,200/12,000 users = 100%)
• ISE MAB vs. 802.1X ratio (802.1X = 95%)
• Azure AD Conditional Access policies
✅ Implemented
5.6 3 Centralize account management Centralized Identity:
Identity Source: Active Directory (on-prem + Azure AD hybrid)
Integration: ISE (LDAP), Duo (SAML), M365 (Azure AD SSO), Salesforce (SAML SSO)
Provisioning: Workday → AD → ISE/Duo/M365 (automated via API)
• AD + Azure AD hybrid config
• ISE identity source (AD LDAP)
• Workday integration diagram
• SAML SSO configs
✅ Implemented

3.2.6 CIS Control 6: Access Control Management

Safeguard IG Description Abhavtech Implementation Evidence Status
6.1 1 Establish access granting process Access Request Workflow (ServiceNow):
1. User requests access (ServiceNow ticket)
2. Manager approval (email notification)
3. Security approval (for sensitive data: HR, Finance, CDE)
4. IT provisions access (AD group, ISE SGT, CyberArk safe)
5. Confirmation email (user + manager)
SLA: 1 business day (standard), 4 hours (urgent)
• ServiceNow access request workflow
• Approval matrix (manager + security)
• Sample access tickets
✅ Implemented
6.2 1 Establish access revoking process De-provisioning (Automated):
1. HR terminates employee in Workday
2. Workday triggers ServiceNow workflow (API)
3. Automated actions (within 1 hour):
- Disable AD account
- Revoke ISE authorization (802.1X fails)
- Lock Duo account
- Revoke M365 license
- Alert IT (badge deactivation, laptop recovery)
Manual Cleanup: Remove from CyberArk (within 24 hours)
• Workday → ServiceNow integration
• PowerShell automation script
• De-provisioning SLA report (avg: 45 minutes)
• ServiceNow termination tickets
✅ Implemented
6.3 2 Require MFA for privileged access Privileged MFA Enforcement:
• CyberArk PAM: Duo MFA required (every session)
• Network devices: TACACS+ + Duo (CLI/HTTPS access)
• Cloud admin: Azure AD Conditional Access (MFA for admin roles)
• Linux sudo: pam_duo module (MFA for sudo commands)
• CyberArk Duo integration config
• TACACS+ Duo config
• Azure AD Conditional Access policy
• Linux pam_duo config (/etc/pam.d/sudo)
✅ Implemented
6.4 2 Require MFA for remote network access Remote Access MFA:
• AnyConnect VPN: Duo MFA (push, biometric, hardware token)
• Webex remote access: Duo MFA
• Cloud apps (M365, Salesforce): Azure AD MFA + Duo
No exceptions: VPN = 100% MFA coverage
• AnyConnect Duo plugin config
• Duo policy (VPN group)
• MFA success rate (99.8%, failures = wrong code or timeout)
✅ Implemented
6.5 2 Require MFA for administrative access Admin MFA (see 6.3):
• All admin accounts: Duo MFA required
• Even on internal network (no MFA bypass)
• Session timeout: 5 minutes (CyberArk), 15 minutes (SSH)
• See 6.3 evidence ✅ Implemented
6.6 3 Establish and maintain attribute-based access control TrustSec SGT-Based Access (Attribute-Based):
• User attributes: Department (HR, Finance, IT), Location (NJ, London), Role (Analyst, Manager, Admin)
• Device attributes: Type (laptop, phone, IoT), Compliance (AMP agent, OS patch level)
• Access decisions: IF (user.dept=Finance AND device.compliance=Healthy) THEN SGT 81 (Finance access)
Dynamic SGT Assignment: ISE profiling + UEBA risk scores
• ISE authorization policies (attribute-based rules)
• UEBA integration (risk score → SGT adjustment)
• SGT dynamic assignment examples
⚠️ Partially Implemented (UEBA → SGT integration in pilot, expanding to production Q2 2025)
6.7 3 Centralize access control Centralized Access Control Platforms:
• ISE: Network access control (802.1X, MAB, posture, SGT)
• Azure AD: Cloud app SSO (M365, Salesforce, etc.)
• CyberArk PAM: Privileged account access control
• FTD: Perimeter access control (SGT-aware firewall policies)
• ISE as central NAC
• Azure AD SSO config
• CyberArk architecture diagram
✅ Implemented
6.8 3 Define and maintain role-based access control RBAC Roles (see Section 2.3.5):
• 8 roles with SGT assignments
• Corporate User (SGT 15), Finance (SGT 81), HR (SGT 82), Developer (SGT 60), SOC Analyst (SGT 10), Network Admin (SGT 5), Guest (SGT 40), Quarantine (SGT 999)
• ISE RBAC matrix
• AD security groups (role-based)
• Quarterly role review
✅ Implemented

(Continuing with CIS Controls 7-18, then moving to MITRE ATT&CK, ISO 27001, SOC Procedures, Threat Hunting, Continuous Monitoring, Compliance Reporting, and Appendices...)

4. MITRE