CIS Top 20 Checklist

Prioritize security controls for effectiveness against real world threats
CIS Top 20 Controls Checklist

  1. Do you have the ability to prevent and detect when unauthorized hardware devices are connected to your network?
  2. Do you have the ability to prevent and detect unauthorized software from being installed on your network devices and employee mobile devices?
  3. Do you regularly (monthly/quarterly) scan, detect, and remediate vulnerabilities on your network using a SCAP-certified scanning tool?
  4. Have you applied added protections for administrative tasks, roles, accounts, and critical devices?
  5. Do you apply security hardening procedures to your phones, mobile devices, laptops, workstations, and servers?
  6. Do you use a Security Information and Event Management (SIEM) tool?
  7. Do you only use fully supported, current, and updated email clients, web browsers, content filtering, and spam filtering?
  8. Do you have an anti-malware solution in place?
  9. Do you utilize a next-generation firewall with endpoint control to limit and control network ports, protocols, and services?
  10. Do you perform and test regular backups with a protected “non-continuously addressable” backup destination to protect against ransomware attacks?
  11. Do you utilize configuration management and a change control process to manage all critical network devices and infrastructure?
  12. Does your firewall inspect and alert on all traffic, including encrypted traffic?
  13. Do you inventory where all of your sensitive information and data are stored and have a process and tool in place to prevent the exfiltration of your data?
  14. Do you segment and control access to data and systems in your organization?
  15. Do you have formal processes and tools in place to track, control, prevent, and restrict access to your wireless networks using strong encryption and multi-factor authentication?
  16. Do you have formal processes and technologies to monitor and manage users’ access to systems, workstations, and applications?
  17. Do you currently have a security awareness training and testing program and test all employees at least semi-annually?
  18. Do you have formal processes and tools in place to manage the security lifecycle of all “in-house developed” and acquired software in order to prevent, detect, and correct security weaknesses?
  19. Do you have a documented incident response plan and test it at least annually?
  20. Do you conduct internal and external penetration tests at least annually?

Copyright © 2021 STN Inc. All Rights Reserved.