CIS 20 Controls - CISO Best Practice, Part 3

The CIS 20 Controls are divided into three groups: 1) Basic (6 controls); 2) Foundational (10 controls); 3) Organizational (4 controls).

Following the 6 Basic and 10 Foundational controls covered in the previous two issues, this issue covers the last four Organizational controls and their IG1 (Implementation Group 1) sub-controls, the minimum set every organization is expected to implement.

17. Implement a Security Awareness and Training Program

For all functional roles in the organization (prioritizing those that are mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess and identify gaps, and remediate them through policy, organizational planning, training and awareness programs. Implementation points:
1. Perform a skills gap analysis to understand which skills employees lack and which behaviors are non-compliant, and use this information to build a baseline training roadmap.
2. Train employees to recognize the different forms of social engineering attack, such as phishing, phone scams and impersonation calls.
The IG1 sub-controls are:
1. Implement a security awareness program.
2. Train the workforce on secure authentication.
3. Train the workforce to identify social engineering attacks.
4. Train the workforce on handling sensitive data.
5. Train the workforce on the causes of unintentional data exposure.
6. Train the workforce to identify and report incidents.

18. Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect and correct security weaknesses. Implementation points:
1. Establish secure coding practices appropriate to the programming language and development environment in use.
2. Apply static and dynamic analysis tools to verify that in-house developed software follows those secure coding practices.
This control has no IG1 sub-controls.

19. Incident Response and Management

Protect the organization's information and reputation by developing and implementing an incident response infrastructure (e.g. plans, defined roles, training, communications, management oversight) for quickly discovering an attack, effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems. Implementation points:
1. Ensure there is a written incident response plan that defines the roles of personnel and the phases of incident handling and management.
2. Assemble and maintain contact information for the third parties to whom security incidents are reported, such as law enforcement, relevant government departments, vendors, and information sharing partners.
The IG1 sub-controls are:
1. Document incident response procedures.
2. Designate management personnel to support incident handling.
3. Maintain contact information for reporting security incidents.
4. Publish information on how to report computer anomalies and incidents.

20. Penetration Tests and Red Team Exercises

Test the overall strength of the organization's defenses (technology, processes, and people) by simulating the objectives and actions of an attacker. Implementation points:
1. Establish a penetration testing program that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
2. Create a test bed that mimics the production environment for specific penetration tests and red team attacks against elements that are not typically tested in production, such as supervisory control and data acquisition (SCADA) and other control systems.
This control has no IG1 sub-controls.


About Holographic Network Control: Holographic Network Control technology integrates four technologies, NG-DLP, UEBA, NG-SIEM and CASB, with machine learning to discover and reconstruct in real time the otherwise invisible user-device-data interaction relationships in the network. On that basis it provides an information security risk awareness platform centered on user behavior, giving enterprise security management a traceability system that is transparent to users and free of blind spots for auditing the past, monitoring the present and preventing future incidents, and greatly improving the ability and efficiency with which IT operations and security staff respond to incidents, capture the chain of evidence, assign accountability and restore IT systems.


Source: blog.51cto.com/14875961/2554995