CIS Controls v8 Overview - Control 04
Our review of the CIS Controls v8 continues…and today’s post introduces Control 04.
Control 04: Secure Configuration of Enterprise Assets and Software - Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Why is this Control important?
This control applies to the enterprise assets and software inventoried in Controls 01 and 02. Assets and software are typically delivered with default configurations that favor ease of setup over security: open services and ports, default accounts and passwords, and permissive settings. If these are left as they came "out of the box," they are easy targets for an attacker. Secure configurations must therefore be established and then maintained over the whole life cycle of each asset and application, and configuration changes should follow a management workflow that keeps records for compliance, incident response, and audits.
And its Safeguards?
The control has twelve (12) Safeguards that cover the key actions to establish and maintain secure configurations: a documented secure configuration process for enterprise assets and a separate one for network infrastructure, automatic session locking, host-based firewalls on servers and on end-user devices, secure (encrypted, authenticated) management of assets and software, management of default accounts, uninstalling or disabling unnecessary services, configuring trusted DNS servers, and, for portable and mobile devices, automatic device lockout, remote wipe capability, and separation of the enterprise workspace from personal data.
How is this Control implemented?
Organizations should start from configuration baselines that include security benchmarks, security guides, and checklists. Recommended baselines include the CIS Benchmarks and the checklists published through the National Institute of Standards and Technology (NIST) National Checklist Program. A baseline may need to be adjusted to align with the organization's own security policies and applicable government regulations; every deviation from the published baseline should be documented (what was changed, why, and who approved it) so it can be explained during an audit, and compliance with the adjusted baseline should be checked repeatedly rather than once.
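As an added illustration that is not part of the original post or of any CIS tooling, the following Python script shows the mechanics behind a baseline check: it parses a host's exported sshd_config, compares it against a hardening baseline, and reports deviations while honoring documented exceptions. The sample configuration, the baseline values, and the exception record (CHG-1042) are constructed for this example; real CIS Benchmark checks are far more numerous and often express thresholds ("4 or fewer") rather than exact values.

```python
"""Added example: audit a host's SSH daemon settings against a hardening baseline
and report drift, honoring documented exceptions. The baseline, sample config and
exception record below are constructed for illustration, not taken from CIS."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of an sshd_config exported from a host (not a real file).
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
# Left at the permissive default
PermitRootLogin yes
MaxAuthTries 4
X11Forwarding no
PasswordAuthentication yes
# ClientAliveInterval is not set, so the daemon default applies
Match User backup
    PermitRootLogin no
"""

# Hypothetical baseline, modelled loosely on the kind of items a benchmark checks.
BASELINE = {
    "PermitRootLogin": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
    "ClientAliveInterval": "300",
    "PasswordAuthentication": "no",
}

# Documented, approved deviations: setting -> (approved value, change record).
EXCEPTIONS = {
    "PasswordAuthentication": ("yes", "CHG-1042 legacy backup agent; review by 2025-06-30"),
}


@dataclass
class Finding:
    key: str
    expected: str
    actual: Optional[str]  # None means the setting is absent (daemon default in effect)
    status: str            # "pass", "fail" or "exception"
    note: str = ""


def parse_config(text: str) -> dict:
    """Parse the global section of an sshd_config-style file into {keyword: value}.

    sshd keywords are case-insensitive, so keys are lowercased. sshd honours the
    first occurrence of a keyword, so later duplicates are ignored. Parsing stops
    at the first Match block: settings inside it are conditional and do not
    describe the host-wide configuration.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_baseline(actual: dict, baseline: dict, exceptions: dict) -> list:
    """Compare parsed settings with the baseline; exceptions must match exactly."""
    findings = []
    for key, expected in baseline.items():
        value = actual.get(key.lower())
        if value is not None and value.lower() == expected.lower():
            findings.append(Finding(key, expected, value, "pass"))
        elif key in exceptions and value is not None and value.lower() == exceptions[key][0].lower():
            findings.append(Finding(key, expected, value, "exception", exceptions[key][1]))
        elif value is None:
            findings.append(Finding(key, expected, None, "fail", "setting absent; daemon default in effect"))
        else:
            findings.append(Finding(key, expected, value, "fail", "deviates from baseline; no documented exception"))
    return findings


def summarize(findings: list) -> dict:
    counts = {"pass": 0, "fail": 0, "exception": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def report(findings: list) -> int:
    """Print one line per check; return 1 if any undocumented deviation exists."""
    for f in findings:
        shown = f.actual if f.actual is not None else "<unset>"
        print(f"{f.status.upper():9} {f.key}: expected {f.expected}, found {shown} {f.note}")
    return 1 if any(f.status == "fail" for f in findings) else 0


if __name__ == "__main__":
    results = check_baseline(parse_config(SAMPLE_SSHD_CONFIG), BASELINE, EXCEPTIONS)
    raise SystemExit(report(results))
```

Run on a schedule (or from a configuration-management pipeline), a non-zero exit from such a check is the signal that a host has drifted from its baseline without a documented exception; the exception table is the "documented deviation" record the audit will ask for, and giving each entry a review date keeps temporary exceptions from becoming permanent.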
Key Reminder(s)
Even after a strong initial configuration has been implemented for enterprise assets and software, it must be continually managed. Otherwise its effectiveness erodes over time: software patches can reset or add settings, new vulnerabilities are discovered in previously acceptable configurations, and settings are modified to support new software or operational requirements. This gradual divergence from the baseline (configuration drift) is why the baseline check should be repeated, not run only at deployment.
In the next post, we will look at Control 05: Account Management. If you enjoyed this post, please Like and Share!
Contact Temples Consulting (CIS SecureSuite Partner) to schedule a no-cost consultation for Secure Configurations using the latest CIS Benchmarks.