Initial Cybersecurity Assessment
Initial cybersecurity assessment report #2122-6, July 2022
Deschutes County, Oregon
The Office of County Internal Audit

To request this information in an alternate format, please call (541) 330-4674 or send email to internal.audit@Deschutes.org

Audit committee members:
Daryl Parrish, Chair - Public member
Jodi Burch - Public member
Scott Reich - Public member
Summer Sears - Public member
Stan Turel - Public member
Patti Adair, County Commissioner
Charles Fadeley, Justice of the Peace
Lee Randall, Facilities Director

The Office of County Internal Audit:
David Givans, CPA, CIA - County Internal Auditor
Aaron Kay - Performance Auditor
internal.audit@deschutes.org

TABLE OF CONTENTS:
HIGHLIGHTS
1. INTRODUCTION
  1.1. Background on the Assessment
  1.2. Background on Cybersecurity Assessments
2. FINDINGS AND OBSERVATIONS
  2.1. Initial Cybersecurity Assessment - Overall
  2.2. Observations
  2.3. Initial Cybersecurity Assessment - by Control
3. MANAGEMENT RESPONSES
  3.1. Information Technology
  3.2. County Administration
APPENDICES
  A. Objectives, Scope, and Methodology
  B. Descriptions of CIS Controls™ in assessment

HIGHLIGHTS
Why this audit was performed: To provide an initial assessment of the maturity and overall readiness to address cybersecurity risks.
What was recommended (3 recommendations):
• implementing a cybersecurity program;
• obtaining BOCC review of the annual cybersecurity program; and
• continuing to address improvements in cyber defenses.
Initial Cybersecurity Assessment
The focus of the audit is to provide an initial assessment of the maturity and overall readiness to address cybersecurity risks through the assessment of controls.

What was found: The assessment scores provide an overall level of maturity in each area. The County, through the IT Department, has begun efforts to develop a cybersecurity program. Continued efforts are required to ensure ongoing maturity in all cybersecurity control areas. An effective cybersecurity program requires that organizations have policies, plans, and procedures that describe the management program and cover all major applications, systems, and facilities. The County needs to put additional effort into addressing cybersecurity controls.

In each area of controls, the assessment scores identify gaps between the County's current level of maturity and where the County thinks it should be (goal of 100). These scores provide County management and the Board of County Commissioners with a snapshot of areas needing more attention.

1. Introduction

1.1 BACKGROUND ON THE ASSESSMENT
AUDIT AUTHORITY: The Deschutes County Audit Committee originally authorized the assessment of cybersecurity in the FY 2020-2021 internal audit workplan (which extended into the FY 2022-2023 audit workplan). The audit was further refined to provide an initial assessment of the maturity and overall readiness to address cybersecurity risks through the assessment of controls.

1.2 BACKGROUND ON CYBERSECURITY ASSESSMENTS
INTRODUCTION: Cybersecurity has, over recent years, been a leading risk for most institutions, especially in the public sector. Cybersecurity is the ongoing application of best practices intended to ensure and preserve the confidentiality, integrity, and availability of digital information and the safety of people and environments.[1]
This is an organization-wide issue and requires many organization-wide approaches. Deschutes County Information Technology (IT) centralizes most of the significant technology resources and the convergence of many platforms on which County Departments/Offices/Service Districts rely. Assessing the state of readiness in response to potential attacks on the County's information technology systems is paramount in assuring continuity of operations and protecting digital assets and data.

[1] Cybersecurity Program Development for Business: The Essential Planning Guide, by Moschovitis

CIS CONTROLS™: Internal Audit chose the Center for Internet Security (CIS®) Controls™ Version 8 for the assessment, as they are a good starting point for providing a high-level view of the County's current state. These controls are the foundation of the initial assessment of cybersecurity scope and maturity at Deschutes County and the basis for assessing cybersecurity readiness. These standards address the real-world environment of cyber-attacks and how to establish appropriate defenses. The CIS Controls™ are a prioritized list of 18 high-priority defensive actions that provide a starting point for enterprises to improve cyber-defense. The 18 controls are listed in Table I.

TABLE I - CIS Controls™ descriptions - Version 8
1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

All IG1 controls, which provide "basic cyber hygiene", are assessed. The Version 8 Controls™ are a prioritized set of actions that collectively form a defense-in-depth set of best practices to help protect systems and networks from the most common attacks.
• Implementation Group 1 (IG1): the foundational set of cyber defense safeguards every enterprise should apply to guard against the most common attacks. These controls are considered to provide "basic cyber hygiene".
• Implementation Group 2 (IG2): safeguards that help security teams cope with increased operational complexity. Some of these safeguards will depend on enterprise-grade technology and specialized expertise to properly install and configure.
• Implementation Group 3 (IG3): safeguards that must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks. They may require security experts who specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security).

Each control may have sub-controls (safeguards) assigned to IG1, IG2, and/or IG3. The sub-controls included in this assessment were identified through discussions covering all Implementation Group 1 (IG1) sub-controls (the foundational safeguards every enterprise should apply to guard against the most common attacks), together with the IG2 and IG3 sub-controls the County already uses. This assessment of specific controls does not consider the County's risk appetite. Therefore, while these controls are considered important by many security practitioners, the County may choose not to fully implement a control if it determines, within its strategic priorities, that the cost of doing so outweighs the risk.
In addition, while we generally considered controls that might mitigate some of the risks identified, we did not perform a detailed review of potential compensating controls for each control.

2. Findings and Observations

The assessment included limited procedures to understand the systems of internal control associated with the cybersecurity controls implemented. No significant deficiencies were found. A significant deficiency is defined as an internal control deficiency that could adversely affect the entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements.

The findings noted were primarily compliance and efficiency matters. Findings result from incidents of non-compliance with stated procedures and/or departures from prudent operation. The findings are, by nature, subjective. The assessment disclosed certain policies, procedures, and practices that could be improved. The assessment was neither designed nor intended to be a detailed study of every relevant system, procedure, or transaction. Accordingly, the opportunities for improvement presented in the report may not be all-inclusive of areas where improvement may be needed, and they do not replace the efforts needed to design an effective system of internal control.

Management has responsibility for the system of internal controls, including monitoring internal controls on an ongoing basis to ensure that any weaknesses or non-compliance are promptly identified and corrected. Internal controls provide reasonable but not absolute assurance that an organization's goals and objectives will be achieved.

2.1 INITIAL CYBERSECURITY ASSESSMENT - OVERALL

In the following pages and appendices, the results depict the implementation status of controls and sub-controls in each CIS Control™ as fully implemented, partially implemented, not implemented, or not applicable.
The assessment used the CIS Critical Security Controls Assessment Tool (CSAT) to aggregate the assessments, by control, against the County's intended maturity in implementation, policy, and automation. The CSAT tool provides a point value that identifies the gap between where the County is in implementation and where the County thinks it should be (100). The CSAT assessment score provides an overall level of maturity in each area; overall, the County's assessed progress toward the expected controls is 48%. This provides County management, the Board of County Commissioners, and others with responsibility for cybersecurity with a snapshot of areas needing more attention.

2.2 OBSERVATIONS

County lacks a comprehensive and formalized cybersecurity program.

A cybersecurity program is a project and needs a plan to be focused and effective. The County, through the IT Department, has begun efforts to develop a cybersecurity program. For this program to succeed, there will need to be participation from all levels of the County. The initial assessment work presented below provides critical information on the current state of controls and is a useful part of the program. Continued efforts are required to ensure ongoing maturity in all cybersecurity control areas.

An effective cybersecurity program requires that organizations have policies, plans, and procedures that describe the management program and cover all major applications, systems, and facilities. It provides a roadmap for the goals and work needed for key cybersecurity initiatives and for ongoing coordination, prioritization, tracking, and reporting of progress. Cybersecurity is a shared responsibility of every employee and the extended enterprise.

An outline of what is involved in establishing a cybersecurity program (adapted from the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, National Institute of Standards and Technology, April 16, 2018, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf) includes:

Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. Risk tolerances may be reflected in a target Implementation Group.

Step 2: Orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and the overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets.

Step 3: Create a Current Profile. The organization develops an "as is" state by indicating which control outcomes are currently being achieved. If an outcome is partially achieved, noting this fact will help support subsequent steps by providing baseline information.

Step 4: Conduct a Risk Assessment. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations identify emerging risks and use cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events.

Step 5: Create a Target Profile. The organization creates a desired goal that focuses on the assessment of the controls describing the organization's desired cybersecurity outcomes. Organizations may also develop their own additional controls to account for unique organizational risks.
Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the "as is" state and the desired goal to determine gaps. Next, it creates a prioritized action plan to address gaps, reflecting mission drivers, costs and benefits, and risks, to achieve the outcomes in the desired goal. The organization then determines the resources, including funding and workforce, necessary to address the gaps. Using goals in this manner encourages the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.

Step 7: Implement Action Plan. The organization determines which actions, if any, to take toward addressing the gaps identified in the previous step and then adjusts its current cybersecurity practices in order to achieve the desired goal. The program identifies example references regarding the controls, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs.

DIAGRAM I - Cybersecurity Program Cycle of Improvement: Prioritize and Scope → Orient → Create Current Profile → Conduct a Risk Assessment → Create a Target Profile → Determine, Analyze, and Prioritize Gaps → Implement Action Plan → (repeat). An organization repeats the above steps as needed to continuously assess and improve its cybersecurity.

The reality is that cyber risk is not something that can be avoided; instead, it must be managed. In the absence of a well-defined program, the County as a whole may not be adequately prepared for future cyberattacks. This does not suggest that appropriate controls are not in place now, as demonstrated by the identified coverage of many of the controls in the assessment.
However, without a well-documented program that includes the current state of IT security controls, along with subordinate security plans, existing controls and responsibilities may be unclear, misunderstood, improperly implemented, or inconsistently applied.

It is recommended that the County implement a cybersecurity program that includes:
• establishing a framework and continuous cycle of activity for assessing risk,
• developing and implementing effective security controls and procedures, and
• monitoring the effectiveness of those procedures, as noted above.

It is recommended that, at least annually, the Board of County Commissioners review and approve the County's cybersecurity program.

County needs to put additional effort into addressing cybersecurity controls.

The County's initial assessment score of 48 (out of 100) provides additional direction for continuing efforts to improve controls for cybersecurity. Assessment values for the individual control areas ranged from 0 to 75, with the lower values indicating areas for improvement. The overall goal within the assessment range is 100.

CIS works with the global security community, using collaborative processes, to define security best practices for use by government and private-sector entities. The CIS Controls act as a blueprint for system and network operators to improve cyber defense by identifying specific actions to be done in a priority order, based on the current state of the global cyber threat. The CIS Controls are devised based on how malicious actors attack and are updated regularly. The CIS Controls are one of the tools for implementing an effective cybersecurity program. Implementing the CIS Controls in total mitigates a very wide range of potential attacks, even if you do not know any details about those attacks.

County Information Technology has been working on cybersecurity for some time and has many controls and safeguards in place.
As indicated in the assessment, additional work is still needed. The County will need to assess, with the IT Department, where to spend money to get the most important coverage of safeguards in the coming years. As indicated in the assessment, there are a number of aspects that need addressing, including:
o Documenting policy and procedures addressing the controls;
o Training the workforce on security awareness and skills;
o Putting additional effort into incident response planning; and
o Coordinating more department involvement.

The question is not whether there will be a cyberattack, but how the County will respond to such attack(s) and maintain the services County residents expect.

It is recommended that the County, led by the IT Department, continue improvements in addressing cyber defenses.

2.3 INITIAL CYBERSECURITY ASSESSMENT - BY CONTROL

To gain a better understanding of the overall initial assessment, it is worthwhile to look at each control area and its progress. The following pages give the assessment score (from CSAT) for each control, shown as the percentage of progress toward the control, and the underlying detail of the assessment by each sub-control. Each sub-control is rated on three dimensions: Implemented, Policy Defined, and Automated. Sub-controls marked {Optional} (shaded in the original report) are outside IG1 and represent additional control efforts taken above the "basic cyber hygiene" level.

CIS Control™ 1: Inventory and Control of Enterprise Assets
Assessed progress toward the control: 25%

Why This Control Matters: The County cannot defend assets it does not know it has. Organizations should maintain a complete and up-to-date inventory with sufficient detail to effectively track and manage all enterprise assets. New or unidentified devices on the County's network may introduce vulnerabilities. Without sufficient controls in place, attackers can take advantage of new or unidentified assets that are not securely configured.
Therefore, managed control of all assets is critical to effective security monitoring, system backup, and recovery. Moreover, complete asset management can support incident response, including identification of the origination of unauthorized network traffic and potentially affected assets.

TABLE 2 - CIS 1 sub-controls assessment (assessed rating: Implemented / Policy Defined / Automated)
1.1 (IG1) Establish and Maintain Detailed Enterprise Asset Inventory: ○ / ○ / ○
1.2 (IG1) Address Unauthorized Assets: ◑ / ● / n/a
Legend: ○ = Not implemented; ◑ = Partially implemented; ● = Fully implemented; n/a = not applicable

CIS Control™ 2: Inventory and Control of Software Assets
Assessed progress toward the control: 29%

Why This Control Matters: Attackers continuously scan targeted organizations looking for vulnerable versions of software to exploit. Organizations should maintain an inventory of software installed on their computer systems, similar to the inventory of hardware assets, so they are aware of what they possess and the risks those assets pose. Additionally, organizations should monitor software installations on all systems to ensure only appropriate software is installed on agency assets. The County can prevent attacks by ensuring only authorized and up-to-date software is installed on County assets. However, without a complete, accurate, and up-to-date list of the software authorized to be on its systems, the County cannot determine whether it has vulnerable software.
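The two controls above reduce to the same operational check: compare what is observed (devices on the network, software on hosts) against what the inventory authorizes, and act on the difference. The following Python is an added example written for this page; it is not the County's tooling, not part of the audit report, and not a CIS artifact. The inventory schema, the sample MAC addresses, hostnames, software names, support dates, and minimum versions are all constructed for illustration. It covers sub-control 1.2 (unauthorized assets, plus the reverse case of inventory entries with no live sighting) and sub-controls 2.2 and 2.3 (software that is unauthorized, past vendor support, or below the approved version).

```python
from datetime import date

# ---- Constructed sample data (hypothetical schema, not real County data) -----
AUTHORIZED_ASSETS = {   # MAC address -> inventory record (CIS 1.1)
    "00:11:22:33:44:01": {"hostname": "clerk-ws-01", "owner": "Clerk", "type": "workstation"},
    "00:11:22:33:44:02": {"hostname": "gis-srv-01", "owner": "IT", "type": "server"},
    "00:11:22:33:44:03": {"hostname": "print-3f", "owner": "Facilities", "type": "printer"},
}
OBSERVED_ASSETS = [      # what a DHCP lease file or switch MAC table would report
    {"mac": "00:11:22:33:44:01", "ip": "10.20.1.15"},
    {"mac": "00:11:22:33:44:02", "ip": "10.20.0.8"},
    {"mac": "A4-B1-C2-D3-E4-F5", "ip": "10.20.1.77"},   # never inventoried
]
AUTHORIZED_SOFTWARE = {  # allow-list with vendor support end date (CIS 2.1 / 2.2)
    "Microsoft Office": {"supported_until": date(2026, 10, 14), "min_version": "16.0"},
    "Adobe Acrobat Reader": {"supported_until": date(2025, 6, 1), "min_version": "23.0"},
}
INSTALLED_SOFTWARE = [   # per-host report from an endpoint agent
    {"host": "clerk-ws-01", "name": "Microsoft Office", "version": "16.0.15"},
    {"host": "clerk-ws-01", "name": "Adobe Acrobat Reader", "version": "11.0"},
    {"host": "clerk-ws-01", "name": "uTorrent", "version": "3.6"},
]


def normalize_mac(mac):
    """Different sources write MACs differently; compare in one canonical form."""
    return mac.strip().lower().replace("-", ":")


def version_key(version):
    """'16.0.15' -> (16, 0, 15); non-numeric parts sort as 0 so comparison never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def find_unauthorized_assets(observed, authorized):
    """CIS 1.2: devices seen on the network that no inventory record authorizes."""
    known = {normalize_mac(m) for m in authorized}
    return sorted({normalize_mac(o["mac"]) for o in observed} - known)


def find_unseen_assets(observed, authorized):
    """Inventory records with no live sighting: stale entries or offline assets to chase."""
    seen = {normalize_mac(o["mac"]) for o in observed}
    return sorted(m for m in authorized if normalize_mac(m) not in seen)


def review_software(installed, authorized, today=None):
    """CIS 2.2 / 2.3: flag software that is unauthorized, past vendor support, or below
    the minimum approved version. `today` may be a date or an ISO 'YYYY-MM-DD' string.
    Returns (finding, host, name) tuples in report order."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for item in installed:
        rule = authorized.get(item["name"])
        if rule is None:
            findings.append(("unauthorized", item["host"], item["name"]))
            continue
        if rule["supported_until"] < today:
            findings.append(("unsupported", item["host"], item["name"]))
        if version_key(item["version"]) < version_key(rule["min_version"]):
            findings.append(("below_minimum", item["host"], item["name"]))
    return findings


if __name__ == "__main__":
    print("unauthorized assets:", find_unauthorized_assets(OBSERVED_ASSETS, AUTHORIZED_ASSETS))
    print("inventory not seen :", find_unseen_assets(OBSERVED_ASSETS, AUTHORIZED_ASSETS))
    for finding in review_software(INSTALLED_SOFTWARE, AUTHORIZED_SOFTWARE):
        print("software finding   :", finding)
```

The value of the check is in running it on a schedule and treating the output as a ticket queue: an unauthorized device is quarantined or inventoried, an unseen inventory entry is reconciled or retired, and unsupported software is the list that feeds the patching and removal work under Control 7. MAC addresses are a weak identifier (easily spoofed, and absent from some cloud and wireless telemetry), so a production version would key on whatever the County's endpoint agent or NAC reports as a durable asset identifier.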
TABLE 3 - CIS 2 sub-controls assessment (assessed rating: Implemented / Policy Defined / Automated)
2.1 (IG1) Establish and Maintain a Software Inventory: ○ / ○ / ○
2.2 (IG1) Ensure Authorized Software is Currently Supported: ◑ / ● / n/a
2.3 (IG1) Address Unauthorized Software: ◑ / ◑ / n/a
2.4 (IG2) Utilize Automated Software Inventory Tools {Optional}: ◑ / ◑ / ○
Legend: ○ = Not implemented; ◑ = Partially implemented; ● = Fully implemented; n/a = not applicable

CIS Control™ 3: Data Protection
Assessed progress toward the control: 42%

Why This Control Matters: County data is stored in a variety of locations and shared with a variety of partners and online services. Once an organization is breached, attackers can find and exfiltrate data. Data must be appropriately managed through its entire life cycle. An effective data management process should include a framework, classification guidelines, and requirements for the protection, handling, retention, and disposal of data. Once the sensitivity of data has been defined, the County should develop a data inventory identifying the software that accesses data at the various sensitivity levels and the enterprise assets housing those applications. One key tool for mitigating data compromise is the use of data encryption, both in transit and at rest.
TABLE 4 - CIS 3 sub-controls assessment (assessed rating: Implemented / Policy Defined / Automated)
3.1 (IG1) Establish and Maintain a Data Management Process: ◑ / ◑ / n/a
3.2 (IG1) Establish and Maintain a Data Inventory: ◑ / ◑ / n/a
3.3 (IG1) Configure Data Access Control Lists: ◑ / ◑ / ○
3.4 (IG1) Enforce Data Retention: ◑ / ● / n/a
3.5 (IG1) Securely Dispose of Data: ◑ / ◑ / n/a
3.6 (IG1) Encrypt Data on End-User Devices: ◑ / ◑ / n/a
3.8 (IG2) Document Data Flows {Optional}: ○ / ◑ / ○
3.10 (IG2) Encrypt Sensitive Data in Transit {Optional}: ◑ / ◑ / ◑
3.11 (IG2) Encrypt Sensitive Data at Rest {Optional}: ◑ / ◑ / ◑
Legend: ○ = Not implemented; ◑ = Partially implemented; ● = Fully implemented; n/a = not applicable

CIS Control™ 4: Secure Configuration of Enterprise Assets and Software
Assessed progress toward the control: 51%

Why This Control Matters: Default configurations for IT assets and software are normally geared toward ease of deployment and ease of use rather than security. Default accounts or passwords, excessive access, or unnecessary services could be exploited by attackers. To address these risks, organizations should have processes in place to ensure hardware and software are securely configured. This should include verifying that configurations align with business and security needs, to ensure agency systems are not left vulnerable to attack. Agencies should have configuration management processes in place to implement secure system control features at the initiation of the system life cycle. Entities should also ensure software is patched and configurations remain secure as modifications are made to the system.
To achieve this, baselines satisfying security requirements and standards should be developed. Deviations from baselines should be monitored and documented. Additionally, policies and procedures should be in place to address how configuration baselines are managed.

TABLE 5 - CIS 4 sub-controls assessment (assessed rating: Implemented / Policy Defined / Automated)
4.1 (IG1) Establish and Maintain a Secure Configuration Process: ◑ / ◑ / ◑
4.2 (IG1) Establish and Maintain a Secure Configuration Process for Network Infrastructure: ● / ◑ / ○
4.3 (IG1) Configure Automatic Session Locking on Enterprise Assets: ◑ / ◑ / ●
4.4 (IG1) Implement and Manage a Firewall on Servers: ○ / ○ / ○
4.5 (IG1) Implement and Manage a Firewall on End-User Devices: ● / ◑ / ●
4.6 (IG1) Securely Manage Enterprise Assets and Software: ● / ◑ / n/a
4.7 (IG1) Manage Default Accounts on Enterprise Assets and Software: ● / ◑ / n/a
4.8 (IG2) Uninstall or Disable Unnecessary Services on Enterprise Assets and Software {Optional}: ◑ / ◑ / n/a
4.9 (IG2) Configure Trusted DNS Servers on Enterprise Assets {Optional}: ● / ◑ / ●
Legend: ○ = Not implemented; ◑ = Partially implemented; ● = Fully implemented; n/a = not applicable

CIS Control™ 5: Account Management
Assessed progress toward the control: 58%

Why This Control Matters: It is easier for an external or internal threat actor to gain unauthorized access to enterprise assets or data by using valid user credentials than through "hacking." To mitigate these risks, management should ensure only authorized users can access County accounts. Effective management should include maintenance of an inventory of all County credentials (user, administrative, and service); appropriate password policies; and account logging and monitoring.
TABLE 6 - CIS 5 sub-controls assessment (assessed rating: Implemented / Policy Defined / Automated)
5.1 (IG1) Establish and Maintain an Inventory of Accounts: ● / ◑ / ●
5.2 (IG1) Use Unique Passwords: ◑ / ◑ / ●
5.3 (IG1) Disable Dormant Accounts: ◑ / ◑ / ◑
5.4 (IG1) Restrict Administrator Privileges to Dedicated Administrator Accounts: ◑ / ◑ / n/a
5.6 (IG2) Centralize Account Management {Optional}: ◑ / ◑ / ◑
Legend: ○ = Not implemented; ◑ = Partially implemented; ● = Fully implemented; n/a = not applicable

CIS Control™ 6: Access Control Management
Assessed progress toward the control: 55%

Why This Control Matters: These controls ensure users have appropriate access for their role and strong authentication for more sensitive data or functions. Users should only have access to the data or assets necessary for their role. Moreover, some user activities pose greater risk because they are initiated from untrusted networks or are performed from accounts with elevated privileges that allow them to modify other accounts or have greater access to County systems. Key practices for access management include development of consistent processes for assigning access rights and roles and for granting and removing access. Use of Multi-Factor Authentication (MFA) and Privileged Access Management (PAM) tools is important for reducing the risk of accounts inappropriately accessing County resources.
TABLE 7 - CIS 6 sub-controls assessment (assessed rating: Implemented / Policy Defined / Automated)
6.1 (IG1) Establish an Access Granting Process: ● / ◑ / ○
6.2 (IG1) Establish an Access Revoking Process: ● / ◑ / ○
6.3 (IG1) Require MFA for Externally-Exposed Applications: ● / ◑ / ●
6.4 (IG1) Require MFA for Remote Network Access: ● / ◑ / ●
6.5 (IG1) Require MFA for Administrative Access: ◑ / ◑ / ◑
Legend: ○ = Not implemented; ◑ = Partially implemented; ● = Fully implemented; n/a = not applicable

CIS Control™ 7: Continuous Vulnerability Management
Assessed progress toward the control: 69%

Why This Control Matters: Attackers are constantly looking for vulnerabilities to exploit and gain access to organizations' technology resources. Attackers can take advantage of vulnerabilities faster than an enterprise can remediate them. Enterprises that do not assess their infrastructure for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their enterprise assets compromised. Organizations should be continuously engaged in identifying, remediating, and minimizing security vulnerabilities to ensure their assets are safeguarded.
TABLE 8 - CIS 7 sub-controls assessment (assessed rating: Implemented / Policy Defined / Automated)
7.1 (IG1) Establish and Maintain a Vulnerability Management Process: ● / ◑ / ◑
7.2 (IG1) Establish and Maintain a Remediation Process: ● / ◑ / n/a
7.3 (IG1) Perform Automated Operating System Patch Management: ● / ◑ / ●
7.4 (IG1) Perform Automated Application Patch Management: ◑ / ◑ / ◑
7.6 (IG2) Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets {Optional}: ● / ◑ / ●
7.7 (IG2) Remediate Detected Vulnerabilities {Optional}: ● / ◑ / ●
Legend: ○ = Not implemented; ◑ = Partially implemented; ● = Fully implemented; n/a = not applicable

CIS Control™ 8: Audit Log Management
Assessed progress toward the control: 59%

Why This Control Matters: Without adequate audit logs, an attack may go unnoticed indefinitely and the damage done may be irreversible. Deficiencies in security logging and analysis allow attackers to hide malicious software or their own presence. Without complete logging records, the County could be blind to the details of an attack and the subsequent actions taken by attackers. Robust logging and log monitoring processes allow organizations to identify and understand inappropriate activity and recover more quickly from an attack.
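Collecting logs (8.2) only pays off when something reads them, and reading them across hosts only works when their clocks agree (8.4). The Python below is an added example for this page, not code from the audit report or from the County: it parses a handful of constructed SSH authentication lines in the common sshd wording, normalizes every timestamp to UTC so that a host logging in local time sorts correctly, and raises one alert per source address that reaches a failure threshold inside a sliding window, noting whether a successful login from the same address followed. The host names, addresses, and usernames are invented; the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: SSH authentication events relayed from a VPN gateway.
# The third line was written by a host whose clock reports local time (-07:00);
# normalizing to UTC is what lets it sort correctly between lines 2 and 4.
SAMPLE_LOG = """\
2022-07-01T08:00:01+00:00 vpn-gw sshd[1001]: Failed password for admin from 203.0.113.7 port 50111 ssh2
2022-07-01T08:00:09+00:00 vpn-gw sshd[1002]: Failed password for admin from 203.0.113.7 port 50112 ssh2
2022-07-01T01:00:20-07:00 vpn-gw sshd[1003]: Failed password for invalid user root from 203.0.113.7 port 50113 ssh2
2022-07-01T08:00:31+00:00 vpn-gw sshd[1004]: Failed password for administrator from 203.0.113.7 port 50114 ssh2
2022-07-01T08:00:44+00:00 vpn-gw sshd[1005]: Failed password for admin from 203.0.113.7 port 50115 ssh2
2022-07-01T08:01:10+00:00 vpn-gw sshd[1006]: Accepted password for admin from 203.0.113.7 port 50116 ssh2
2022-07-01T08:15:02+00:00 vpn-gw sshd[1101]: Failed password for jsmith from 10.20.1.15 port 61002 ssh2
2022-07-01T08:15:09+00:00 vpn-gw sshd[1102]: Accepted password for jsmith from 10.20.1.15 port 61003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_events(text):
    """Parse matching lines into dicts carrying a UTC timestamp, sorted chronologically.
    Lines that do not match the pattern are skipped rather than crashing the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)
        events.append({"ts": ts, "host": m.group("host"), "result": m.group("result"),
                       "user": m.group("user"), "ip": m.group("ip")})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce(events, threshold=5, window_seconds=300):
    """One alert per source IP that reaches `threshold` failed logins inside the window.
    The alert records whether an accepted login from that IP followed within the window,
    which is the case worth paging on: the guessing appears to have worked."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for i, f in enumerate(failures):
            while f["ts"] - failures[start]["ts"] > window:   # slide the window forward
                start += 1
            if i - start + 1 >= threshold:
                success = next((e for e in evs if e["result"] == "Accepted"
                                and f["ts"] <= e["ts"] <= f["ts"] + window), None)
                alerts.append({
                    "ip": ip,
                    "first_failure": failures[start]["ts"],
                    "triggered_at": f["ts"],
                    "failures": i - start + 1,
                    "usernames": sorted({x["user"] for x in failures[start:i + 1]}),
                    "success_after": success["user"] if success else None,
                })
                break   # one alert per IP; later events belong to the same incident
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The same structure (parse, normalize time, group by an entity, apply a windowed count) is what a SIEM correlation rule does; writing it once by hand makes it easier to judge whether a vendor rule's threshold and window suit the County's traffic. Note that the detection is blind to any host whose log lines never arrive (the 8.2 and 8.9 gaps in the table above) and that an unsynchronized clock would silently move events out of the window.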
TABLE 9 - CIS 8 sub-controls assessment (assessed rating: Implemented / Policy Defined / Automated)
8.1 (IG1) Establish and Maintain an Audit Log Management Process: ○ / ◑ / ○
8.2 (IG1) Collect Audit Logs: ◑ / ◑ / ◑
8.3 (IG1) Ensure Adequate Audit Log Storage: ● / ◑ / ●
8.4 (IG2) Standardize Time Synchronization {Optional}: ● / ◑ / n/a
8.9 (IG2) Centralize Audit Logs {Optional}: ● / ◑ / ●
8.10 (IG2) Retain Audit Logs {Optional}: ● / ◑ / ●
Legend: ○ = Not implemented; ◑ = Partially implemented; ● = Fully implemented; n/a = not applicable

CIS Control™ 9: Email and Web Browser Protections
Assessed progress toward the control: 69%

Why This Control Matters: Web browsers and email clients are common attack vectors because of their direct interaction with users. Attackers can entice or spoof users into disclosing credentials, providing sensitive data, or providing an open channel that allows attackers to gain access, thus increasing risk to the enterprise. Cybercriminals can craft malicious websites that exploit vulnerabilities in insecure or unpatched browsers. Email is the most common approach to attacks. Email can be used by attackers to perform:
• phishing (a perpetrator masquerades as a legitimate business or reputable person);
• impersonation of a legitimate business in order to trick individuals into providing financial or other sensitive information; or
• modification of information in systems.
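Sub-control 9.5 in the table that follows is DMARC, the published policy that tells receiving mail servers what to do with mail claiming to come from the County's domain but failing SPF and DKIM alignment. A record can be present and still give little protection (p=none, a partial pct, no reporting address). The Python below is an added example for this page, not code from the audit report or the County: it parses a DMARC TXT record of the kind returned by `dig TXT _dmarc.example.org` (no DNS lookup is performed here; the record strings and domain are constructed) and reports the weaknesses a reviewer would raise, ranked by severity.

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into (tag, value) pairs, keeping order.
    Order matters because receivers ignore a record whose first tag is not v=DMARC1."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag %r" % part)
        tag, value = part.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def assess_dmarc(record):
    """Return (severity, message) findings for a DMARC record; an empty list is clean."""
    findings = []
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return [("high", str(exc))]
    tags = dict(pairs)

    if not pairs or pairs[0][0] != "v" or pairs[0][1].upper() != "DMARC1":
        findings.append(("high", "record must begin with v=DMARC1 or it is ignored"))

    policy = tags.get("p")
    if policy is None:
        findings.append(("high", "missing required p= tag"))
    elif policy not in VALID_POLICIES:
        findings.append(("high", "unknown policy p=%s" % policy))
    elif policy == "none":
        findings.append(("high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("medium", "p=quarantine; move to p=reject once aggregate reports are clean"))

    # Subdomain policy defaults to p=, so an explicit sp=none weakens an otherwise strict record.
    if tags.get("sp", policy) == "none" and policy in ("quarantine", "reject"):
        findings.append(("medium", "sp=none leaves subdomains unprotected"))

    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append(("high", "invalid pct=%s" % pct))
    elif int(pct) < 100:
        findings.append(("medium", "pct=%s applies the policy to only part of failing mail" % pct))

    rua = tags.get("rua")
    if rua is None:
        findings.append(("medium", "no rua= address, so no aggregate reports and no visibility"))
    elif any(not uri.strip().lower().startswith("mailto:") for uri in rua.split(",")):
        findings.append(("medium", "rua= URIs must be mailto: addresses"))

    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") == "r":
            findings.append(("low", "%s=r (relaxed alignment); 's' is stricter" % tag))
    return findings


# Constructed records for a hypothetical domain.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, rec)
        for severity, message in assess_dmarc(rec) or [("ok", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

Two caveats a reviewer would add: relaxed alignment is the default and is often acceptable, which is why it is reported as low; and if the rua= mailbox is on a different domain than the one publishing the record, that domain must publish an authorization record of its own or the reports are dropped, a check this parser cannot make without DNS.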
TABLE 10 - CIS 9 sub-controls assessment (assessed rating: Implemented / Policy Defined / Automated)
9.1 (IG1) Ensure Use of Only Fully Supported Browsers and Email Clients: ◑ / ◑ / ◑
9.2 (IG1) Use DNS Filtering Services: ● / ◑ / ●
9.3 (IG2) Maintain and Enforce Network-Based URL Filters {Optional}: ● / ◑ / ◑
9.5 (IG2) Implement DMARC {Optional}: ● / ◑ / n/a
9.6 (IG2) Block Unnecessary File Types {Optional}: ● / ◑ / ●
9.7 (IG3) Deploy and Maintain Email Server Anti-Malware Protections {Optional}: ● / ◑ / ●
Legend: ○ = Not implemented; ◑ = Partially implemented; ● = Fully implemented; n/a = not applicable

CIS Control™ 10: Malware Defenses
Assessed progress toward the control: 75%

Why This Control Matters: Malware (malicious software) is used by threat actors to capture credentials, steal data, identify other potential attack targets, and encrypt or destroy data. This can disrupt an organization's ability to serve its mission or put sensitive data at risk. Malware enters enterprises through vulnerabilities and often relies on end-users performing insecure actions such as clicking on bad links, opening attachments, installing software, or inserting a compromised flash drive. Agencies should leverage tools to prevent and detect malicious software.
CIS 10 Malware Defenses Assessed rating Sub-Control Title Implemented Policy Defined Automated 10.1 (IG1) Deploy and Maintain Anti-Malware Software ● ◑ ● 10.2 (IG1) Configure Automatic Anti-Malware Signature Updates ● ◑ ● 10.3 (IG1) Disable Autorun and Autoplay for Removable Media ● ◑ ● 10.6 (IG2) Centrally Manage Anti-Malware Software {Optional} ● ◑ ● 10.7 (IG2) Use Behavior-Based Anti-Malware Software {Optional} ● ◑ ● ○=Not implemented ◑=Partially implemented ●=Fully implemented n/a=not applicable CIS Control™ 11: Data Recovery Initial cybersecurity assessment report #2122-6 July 2022 Page 23 TABLE 12 CIS 11 sub-controls assessment Why This Control Matters: Organizations need many types of data to make business decisions. When that data is not available or is untrusted, it could impact the enterprise. Attacks can alter data through configuration changes, malicious or unnecessary accounts, or unapproved software. Configuration changes may result in turning on insecure ports, destroying system logs, or other changes that can make systems insecure. Backups provide management with a means to fall back to a known secure state when systems were not compromised. Also, there has been a significant increase in ransomware attacks. Attackers often encrypt their target’s data and demand a ransom for its restoration. Organizations should have processes in place to backup data based on data value and sensitivity, or compliance requirements. Periodic testing should be performed to ensure backups can be restored to an intact and functional state. 
CIS 11 Data Recovery (assessed rating)
Sub-Control | Title | Implemented | Policy Defined | Automated
11.1 (IG1) | Establish and Maintain a Data Recovery Process | ● | ◑ | n/a
11.2 (IG1) | Perform Automated Backups | ● | ◑ | ●
11.3 (IG1) | Protect Recovery Data | ● | ◑ | ●
11.4 (IG1) | Establish and Maintain an Isolated Instance of Recovery Data | ● | ◑ | ●
11.5 (IG2) | Test Data Recovery {Optional} | ◑ | ○ | n/a
○=Not implemented ◑=Partially implemented ●=Fully implemented n/a=not applicable
50% progress towards the controls

CIS Control™ 12: Network Infrastructure Management

Why This Control Matters: A secure network infrastructure is an essential defense against attacks. This includes an appropriate security architecture, addressing the vulnerabilities that default settings often introduce, monitoring for changes, and reassessing current configurations. Default configurations for network devices are geared toward ease of deployment and ease of use, not security. Network security is a constantly changing environment that requires regular re-evaluation of architecture diagrams, configurations, access controls, and allowed traffic flows.

TABLE 13 CIS 12 sub-controls assessment
CIS 12 Network Infrastructure Management (assessed rating)
Sub-Control | Title | Implemented | Policy Defined | Automated
12.1 (IG1) | Ensure Network Infrastructure is Up-to-Date | ◑ | ◑ | n/a
12.2 (IG2) | Establish and Maintain a Secure Network Architecture {Optional} | ◑ | ◑ | n/a
12.4 (IG2) | Establish and Maintain Architecture Diagram(s) {Optional} | ● | ◑ | ●

TABLE 13 {continued}: 60% progress towards the controls
Sub-Control | Title | Implemented | Policy Defined | Automated
12.5 (IG2) | Centralize Network Authentication, Authorization, and Auditing (AAA) {Optional} | ◑ | ◑ | ◑
12.6 (IG2) | Use of Secure Network Management and Communication Protocols {Optional} | ◑ | ◑ | n/a
12.7 (IG2) | Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure {Optional} | ● | ◑ | ◑
○=Not implemented ◑=Partially implemented ●=Fully implemented n/a=not applicable

CIS Control™ 13: Network Monitoring and Defense

Why This Control Matters: Network defenses will never be perfect. Adversaries continue to evolve and develop new means to bypass security controls. Even security tools working as intended must be continually monitored, tuned, and logged to remain effective. Without proper monitoring in place, organizations may fail to prevent security compromises, or to detect and respond to them in a timely manner. Organizations should have processes in place to continuously monitor network security so that defenders can detect, analyze, and respond to threats promptly. Moreover, recovery from security incidents is faster and more effective when the agency has complete information about how, when, and where the incident occurred.

TABLE 14 CIS 13 sub-controls assessment: 43% progress towards the controls
CIS 13 Network Monitoring and Defense (assessed rating)
Sub-Control | Title | Implemented | Policy Defined | Automated
13.2 (IG2) | Deploy a Host-Based Intrusion Detection Solution {Optional} | ● | ◑ | ●
13.3 (IG2) | Deploy a Network Intrusion Detection Solution {Optional} | ● | ◑ | ◑
13.5 (IG2) | Manage Access Control for Remote Assets {Optional} | ◑ | ◑ | n/a
○=Not implemented ◑=Partially implemented ●=Fully implemented n/a=not applicable

CIS Control™ 14: Security Awareness and Skills Training

Why This Control Matters: The actions of employees play a critical part in the success or failure of an organization’s security program. It is easier for an attacker to gain access to an enterprise’s network by enticing users to click a link than by finding and exploiting a vulnerability in the network. Moreover, users can cause incidents, both intentionally and unintentionally, by sending sensitive data to the wrong recipient, using weak passwords, or clicking a malicious link. An organization’s personnel should receive ongoing security awareness training so they understand their role in recognizing and reducing the likelihood and impact of security threats. Training should be ongoing to increase awareness of social engineering, authentication, data handling, and other threat topics, and should be tailored to the organization’s environment as well as to users’ roles.

TABLE 15 CIS 14 sub-controls assessment
CIS 14 Security Awareness and Skills Training (assessed rating)
Sub-Control | Title | Implemented | Policy Defined | Automated
14.1 (IG1) | Establish and Maintain a Security Awareness Program | ● | ◑ | ◑
14.2 (IG1) | Train Workforce Members to Recognize Social Engineering Attacks | ● | ◑ | ●
14.3 (IG1) | Train Workforce Members on Authentication Best Practices | ◑ | ◑ | ◑
14.4 (IG1) | Train Workforce on Data Handling Best Practices | ◑ | ◑ | n/a
14.5 (IG1) | Train Workforce Members on Causes of Unintentional Data Exposure | ◑ | ◑ | n/a
14.6 (IG1) | Train Workforce Members on Recognizing and Reporting Security Incidents | ◑ | ◑ | ◑

TABLE 15 {continued}: 31% progress towards the controls
Sub-Control | Title | Implemented | Policy Defined | Automated
14.7 (IG1) | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates | ○ | ○ | ○
14.8 (IG1) | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | ◑ | ◑ | ○
14.9 (IG2) | Conduct Role-Specific Security Awareness and Skills Training {Optional} | ◑ | ◑ | n/a
○=Not implemented ◑=Partially implemented ●=Fully implemented n/a=not applicable

CIS Control™ 15: Service Provider Management

Why This Control Matters: Most organizations rely on vendors or partners to provide services that help with data management, infrastructure, or other functions. Service providers present another avenue through which enterprise systems or data may be compromised. The impact may be indirect, such as when an attack prevents a partner from providing services, or direct, such as when a compromised vendor has access to enterprise systems or data, putting them at risk of loss or theft.
Similar to assets, organizations should review service providers, maintain an inventory of these vendors, and assess the risk associated with their potential organizational impact. If an incident occurs, the agency can then make informed decisions about how to address those risks. Contract language should be in place to ensure responsibilities are clearly defined, so providers can be held accountable if an incident impacts the organization or its data.

TABLE 16 CIS 15 sub-controls assessment: 42% progress towards the controls
CIS 15 Service Provider Management (assessed rating)
Sub-Control | Title | Implemented | Policy Defined | Automated
15.1 (IG1) | Establish and Maintain an Inventory of Service Providers | ◑ | ◑ | ○
15.2 (IG2) | Establish and Maintain a Service Provider Management Policy {Optional} | ◑ | ◑ | n/a
15.3 (IG2) | Classify Service Providers {Optional} | ◑ | ◑ | n/a
15.4 (IG2) | Ensure Service Provider Contracts Include Security Requirements {Optional} | ◑ | ◑ | n/a
○=Not implemented ◑=Partially implemented ●=Fully implemented n/a=not applicable

CIS Control™ 16: Application Software Security

Why This Control Matters: Application flaws give attackers a direct route to compromise systems or access sensitive data. Weaknesses can arise from insecure application design, insecure infrastructure, coding mistakes, weak authentication, and failure to test for unexpected inputs. Vulnerabilities can provide a pathway for attackers to obtain data or credentials and gain access to an organization’s environment. Modern practices such as increasingly complex platforms, shorter development cycles, and assembly from various development frameworks and libraries make application security more challenging. Organizations should have an application security program in place that includes vulnerability management processes, training in security concepts and secure coding practices, and minimizing the attack surface. These efforts help ensure vulnerabilities are less prevalent and more likely to be addressed in a timely manner when they do occur.

TABLE 17 CIS 16 sub-controls assessment
CIS 16 Application Software Security (assessed rating)
Sub-Control | Title | Implemented | Policy Defined | Automated
16.1 (IG2) | Establish and Maintain a Secure Application Development Process {Optional} | ● | ◑ | n/a
16.2 (IG2) | Establish and Maintain a Process to Accept and Address Software Vulnerabilities {Optional} | ◑ | ◑ | ○
16.4 (IG2) | Establish and Manage an Inventory of Third-Party Software Components {Optional} | ◑ | ◑ | ○
16.5 (IG2) | Use Up-to-Date and Trusted Third-Party Software Components {Optional} | ◑ | ◑ | ○

TABLE 17 {continued}: 37% progress towards the controls
Sub-Control | Title | Implemented | Policy Defined | Automated
16.7 (IG2) | Use Standard Hardening Configuration Templates for Application Infrastructure {Optional} | ● | ◑ | ○
16.8 (IG2) | Separate Production and Non-Production Systems {Optional} | ◑ | ◑ | n/a
16.9 (IG2) | Train Developers in Application Security Concepts and Secure Coding {Optional} | ● | ◑ | ◑
16.10 (IG2) | Apply Secure Design Principles in Application Architectures {Optional} | ◑ | ◑ | ○
16.11 (IG2) | Leverage Vetted Modules or Services for Application Security Components {Optional} | ◑ | ◑ | ○
○=Not implemented ◑=Partially implemented ●=Fully implemented n/a=not applicable

CIS Control™ 17: Incident Response Management

Why This Control Matters: The primary goal of incident response is to identify threats to the enterprise, respond to them before they can spread, and remediate them before they can cause harm.
When an attack occurs, organizations without a documented response plan may not know the appropriate and effective procedures necessary to successfully understand, manage, and recover from the incident. The organization should periodically test the plan to ensure staff understand their roles and how to respond to incidents.

TABLE 18 CIS 17 sub-controls assessment: 0% progress towards the controls
CIS 17 Incident Response Management (assessed rating)
Sub-Control | Title | Implemented | Policy Defined | Automated
17.1 (IG1) | Designate Personnel to Manage Incident Handling | ◑ | ◑ | n/a
17.2 (IG1) | Establish and Maintain Contact Information for Reporting Security Incidents | ○ | ◑ | n/a
17.3 (IG1) | Establish and Maintain an Enterprise Process for Reporting Incidents | ○ | ◑ | ○
17.4 (IG2) | Establish and Maintain an Incident Response Process {Optional} | ○ | ◑ | n/a
17.5 (IG2) | Assign Key Roles and Responsibilities {Optional} | ○ | ◑ | ○
17.6 (IG2) | Define Mechanisms for Communicating During Incident Response {Optional} | ○ | ◑ | ○
○=Not implemented ◑=Partially implemented ●=Fully implemented n/a=not applicable

CIS Control™ 18: Penetration Testing

Note: Deschutes County has performed penetration testing in the past but nothing recently to address this control.

Why This Control Matters: An organization’s defense posture is rarely perfect. Attackers are constantly testing enterprise environments to identify and take advantage of security weaknesses. Independent penetration testing can give an organization valuable insight into vulnerabilities in enterprise assets and staff, so they can be remedied before an attack occurs. Penetration testing includes reconnaissance of an organization and its environment; identification of vulnerabilities; demonstrating exploits of those vulnerabilities to show how controls can be circumvented; and reporting on findings. Because of the risk involved in intentionally exploiting controls, penetration tests should be conducted by experienced people from reputable organizations.

TABLE 19 CIS 18 sub-controls assessment
CIS 18 Penetration Testing (assessed rating)
Sub-Control | Title | Implemented | Policy Defined | Automated
18.1 (IG2) | Establish and Maintain a Penetration Testing Program {Optional} | ○ | ○ | ○
18.2 (IG2) | Perform Periodic External Penetration Tests {Optional} | ○ | ○ | ○
18.3 (IG2) | Remediate Penetration Test Findings {Optional} | ○ | ○ | ○
○=Not implemented ◑=Partially implemented ●=Fully implemented n/a=not applicable

3. Management response

Information Technology Department
Joe Sadony, Director

In general, I am in agreement with the findings of this report. The focused, targeted scope of this assessment will allow the reader to absorb the basic concepts of cybersecurity and the role of the CIS Controls in support of managing risk. The content of the report appears accurate and presents facts without bias. In response to the report findings I would like to include the following as a management response:

Finding: County lacks comprehensive and formalized cybersecurity program.

Recommendations: It is recommended for the County to implement a cybersecurity program that includes establishing a framework and continuous cycle of activity for assessing risk, developing and implementing effective security controls and procedures, and monitoring the effectiveness of those procedures as noted above. It is recommended, at least annually, the Board of County Commissioners review and approve the County’s cybersecurity program.

I agree with this finding.
IT did make an initial attempt at formalizing a cybersecurity program by establishing an advisory committee. However, we ran into a “cart before the horse” scenario where key program components were not in place necessary to provide direction. The committee was left without adequate tools to define its purpose and develop an agenda. The committee is in a holding pattern until these other components are in place. These components include the actions included in the report’s recommendations. IT has included in the fiscal ’23 budget funds to enlist the professional services necessary to create the components necessary to establish a formalized program.

Finding: County needs to put additional effort into addressing cybersecurity controls.

Recommendation: It is recommended for the County, led by the IT Department, continue improvements in addressing cyber defenses.

I agree with this finding. Establishing and maintaining cyber defenses is a manpower intensive task. The IT Department dedicates a significant portion of three FTE to the implementation and maintenance of cyber defense. Dedicating a resource of at least 1.0 FTE would be the prudent approach going forward. The position would dedicate their time to managing the cybersecurity program. Key to this position is the authority to direct the efforts of the program as it is applied countywide. There are activities in different departments that deviate from standards established by the IT Department. My opinion is the county would be more effective in cyber resilience with a unified approach. Efforts to deviate from established standards should be met with strong resistance. An established and Board approved cybersecurity program would help in this area.

On the CIS Controls: Full compliance with CIS Controls is an ideal, but unrealistic goal. As mentioned in the assessment, some controls lack the benefit necessary to justify the expense to implement. Others may not apply when compared to county operational obligations. Overall, the controls set goals and the organization’s role is to determine at what levels those goals should be achieved. Making these determinations is part of an ongoing cybersecurity program.

JOE SADONY, INFORMATION TECHNOLOGY

County Administration
Nick Lelack, County Administrator

To: David Givans, County Internal Auditor
From: Nick Lelack, County Administrator
Subject: Response to Initial Cybersecurity Assessment

Thank you for the detailed review of cybersecurity. Technology has evolved and continues to evolve rapidly, and along with it, so do cybersecurity threats. We recognize the importance of protecting our digital systems and resources and support the recommendations outlined in this audit. Administration will continue to support the Information Technology Department with the development and implementation of a unified cybersecurity program. I will also work with Deputy County Administrators Erik Kropp and Whitney Hale to follow up with the departments under our administrative direction to directly make them aware of this assessment. Please see Administration’s responses to specific findings below:

Recommendation #1 We agree with the auditors’ comments and will support the IT department’s continued work to establish a cybersecurity program. Funding for this program was included in the FY23 budget and we expect that work should begin in FY23. IT will continue to track this work through its performance measures, which should provide consistent progress updates both to the Board and to residents.
Recommendation #2 We agree with this recommendation and will support IT in facilitating this annual check-in with the Board.

Recommendation #3 Administration agrees with this finding and will support the IT Department in engaging with the Board to add additional FTE as needed to meet organizational needs. Information Technology plans to request a new FTE in the FY24 budget process. I anticipate that this FTE will be included in my proposed budget.

COUNTY ADMINISTRATOR NICK LELACK

APPENDICES

APPENDIX A - OBJECTIVES, SCOPE, AND METHODOLOGY

1. OBJECTIVES and SCOPE

“Audit objectives” define the goals of the audit. Objectives included:
1) Assess the extent to which Deschutes County has addressed the CIS Version 8 “basic cyber hygiene” safeguards (Implementation Group 1) from the Center for Internet Security’s (CIS) Controls™.
2) Note additional safeguards identified from CIS Version 8 that are also addressed (Implementation Groups 2 and 3).
3) Be aware of any issues with compliance with federal and state regulations and requirements, as may be applicable.

Scope and timing: The overall assessment work was performed from May 2022 through June 2022. The assessment utilized the Center for Internet Security CIS Controls™, Version 8. These controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices to help protect systems and networks from the most common attacks. Controls included in the assessment are from discussions of all Implementation Group 1 controls (considered foundational safeguards that every enterprise should apply to guard against the most common attacks). The assessment also includes controls the County uses from Implementation Groups 2 and 3. The assessment relies on interviews and guidance provided by County IT and departmental staff.
This assessment of specific controls does not consider the County’s risk appetite. Therefore, while these controls are considered important by many security practitioners, the County may choose not to fully implement a control if it determines, within its strategic priorities, that the cost of doing so outweighs the risk. In addition, while we generally considered controls that might mitigate some of the risks identified, we did not perform a detailed review of potential compensating controls for each control.

This report does not contain any information that is considered confidential. This report considered the risks posed by publicly releasing any information related to security findings. As part of our consideration, we balanced the need for stakeholders, such as the Board of County Commissioners, to be informed of critical or systemic IT security issues affecting the County against the need to protect the County from cybersecurity threats. Consequently, in accordance with ORS 192.345(23) and generally accepted government auditing standards, we may have excluded some details of the security weaknesses from this public report and provided them confidentially to County management.

2. METHODOLOGY

“Audit procedures are created to address the audit objectives.” Audit procedures relevant to the reported topics in this report include:
• Interviews of selected departmental management and staff.
• Coordination of the assessment with the IT Operations Manager.
• Assessment, from discussion, of the implementation status and level of maturity of each safeguard.
  o Utilized CIS’s Critical Security Controls Assessment Tool (CSAT) to aggregate the assessments of the County’s anticipated maturity in implementation, policy, and automation.
• Analysis and presentation of cybersecurity assessment information.
• Review of IT policies.
• If applicable, obtaining evidence of the extent of implementation of safeguards/controls.
NOTE: Many thanks to the Oregon Secretary of State Audits Division for sharing their work and knowledge in assessing cybersecurity.

Assessment criteria

The Center for Internet Security’s (CIS) Controls™ address the real-world environment of cyber-attacks and how to establish appropriate defenses. These controls are identified by implementation group.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. (2018 Revision of Government Auditing Standards, issued by the Comptroller General of the United States.)

The County Internal Auditor was created by the Deschutes County Code as an independent office conducting performance audits to provide information and recommendations for improvement.

APPENDIX B – Descriptions of CIS CONTROLS™ in assessment

The following controls were addressed in the assessment. Some of these controls may be optional if they are part of the Implementation Group 2 or 3 level controls. Each entry gives the sub-control number, its title, and its description.

CIS Control 1: Inventory and Control of Enterprise Assets

1.1 Establish and Maintain Detailed Enterprise Asset Inventory
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/Internet of Things devices, and servers.
Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. 1.2 Address Unauthorized Assets Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. CIS Control 2: Inventory and Control of Software Assets 2.1 Establish and Maintain a Software Inventory Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. Initial cybersecurity assessment report #2122-6 July 2022 Page 42 Sub- Control Title Description 2.2 Ensure Authorized Software is Currently Supported Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. 
For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. 2.3 Address Unauthorized Software Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. 2.4 Utilize Automated Software Inventory Tools Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software. CIS Control 3: Data Protection 3.1 Establish and Maintain a Data Management Process Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. 3.2 Establish and Maintain a Data Inventory Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. 3.3 Configure Data Access Control Lists Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. 3.4 Enforce Data Retention Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines. Initial cybersecurity assessment report #2122-6 July 2022 Page 43 Sub- Control Title Description 3.5 Securely Dispose of Data Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity. 
3.6 Encrypt Data on End-User Devices
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

3.8 Document Data Flows
Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

3.10 Encrypt Sensitive Data in Transit
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).

3.11 Encrypt Sensitive Data at Rest
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.

CIS Control 4: Secure Configuration of Enterprise Assets and Software

4.1 Establish and Maintain a Secure Configuration Process
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

4.3 Configure Automatic Session Locking on Enterprise Assets
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.

4.4 Implement and Manage a Firewall on Servers
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.

4.5 Implement and Manage a Firewall on End-User Devices
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

4.6 Securely Manage Enterprise Assets and Software
Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.

4.7 Manage Default Accounts on Enterprise Assets and Software
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.

4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.

4.9 Configure Trusted DNS Servers on Enterprise Assets
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.

CIS Control 5: Account Management

5.1 Establish and Maintain an Inventory of Accounts
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

5.2 Use Unique Passwords
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.

5.3 Disable Dormant Accounts
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.

5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

5.6 Centralize Account Management
Centralize account management through a directory or identity service.

CIS Control 6: Access Control Management

6.1 Establish an Access Granting Process
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.

6.2 Establish an Access Revoking Process
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.

6.3 Require MFA for Externally-Exposed Applications
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.

6.4 Require MFA for Remote Network Access
Require MFA for remote network access.

6.5 Require MFA for Administrative Access
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.

6.7 Centralize Access Control
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.

6.8 Define and Maintain Role-Based Access Control
Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

CIS Control 7: Continuous Vulnerability Management

7.1 Establish and Maintain a Vulnerability Management Process
Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
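An added example, not part of the audit report or the CIS documents, of what one validation pass over an account inventory looks like when it applies the thresholds Safeguards 5.1, 5.3 and 6.2 above set (required inventory fields, 45 days of inactivity, disable rather than delete). The inventory rows, the review date and the field names are constructed for the example.

```python
"""Quarterly account inventory review for CIS Safeguards 5.1, 5.3 and 6.2.

Added example; not code from the audit report or the CIS documents. It reads a
constructed account inventory carrying the fields Safeguard 5.1 requires (name,
username, start/stop dates, department) plus a last sign-in date, and produces
the actions a validation pass would raise: disable accounts past their stop
date (6.2), disable accounts idle for more than 45 days (5.3), and flag rows
with missing inventory data. Accounts are disabled, never deleted, so the
audit trail survives (6.2).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 45                                                  # Safeguard 5.3
REQUIRED_FIELDS = ("name", "username", "start_date", "department")  # Safeguard 5.1


@dataclass
class Account:
    name: str
    username: str
    start_date: Optional[date]
    stop_date: Optional[date]
    department: str
    last_sign_in: Optional[date]
    enabled: bool = True


@dataclass
class Finding:
    username: str
    action: str     # "disable" or "review"
    reason: str


def review_accounts(accounts, today):
    """Return the findings of one validation pass; does not modify the inventory."""
    findings = []
    for acct in accounts:
        # 5.1: every row must carry the minimum inventory fields
        missing = [f for f in REQUIRED_FIELDS if not getattr(acct, f)]
        if missing:
            findings.append(Finding(acct.username, "review",
                                    "missing inventory fields: " + ", ".join(missing)))
        if not acct.enabled:
            continue                     # already revoked; nothing further to do
        # 6.2: revoke by disabling once the stop date has passed
        if acct.stop_date is not None and acct.stop_date <= today:
            findings.append(Finding(acct.username, "disable",
                                    f"stop date {acct.stop_date} reached"))
            continue
        # 5.3: dormant if unused for more than 45 days; an account with no
        # recorded sign-in is measured from its start date, or flagged if unknown
        last_activity = acct.last_sign_in or acct.start_date
        if last_activity is None:
            findings.append(Finding(acct.username, "disable", "dormant: no recorded activity"))
        elif (today - last_activity).days > DORMANT_DAYS:
            findings.append(Finding(acct.username, "disable",
                                    f"dormant: {(today - last_activity).days} days inactive"))
    return findings


def apply_findings(accounts, findings):
    """Disable (never delete) the flagged accounts; returns the usernames changed."""
    targets = {f.username for f in findings if f.action == "disable"}
    changed = []
    for acct in accounts:
        if acct.username in targets and acct.enabled:
            acct.enabled = False
            changed.append(acct.username)
    return changed


TODAY = date(2022, 7, 21)   # constructed review date
SAMPLE_INVENTORY = [        # constructed sample rows; not County data
    Account("A. Example", "aexample", date(2019, 3, 4), None, "Finance", date(2022, 7, 20)),
    Account("B. Example", "bexample", date(2020, 1, 6), None, "Road", date(2022, 4, 1)),
    Account("C. Example", "cexample-adm", date(2021, 5, 10), None, "IT", date(2022, 7, 19)),
    Account("D. Example", "dexample", date(2018, 9, 1), date(2022, 6, 30), "HR", date(2022, 6, 29)),
    Account("svc-backup", "svc-backup", None, None, "", None),
]

if __name__ == "__main__":
    results = review_accounts(SAMPLE_INVENTORY, TODAY)
    for r in results:
        print(f"{r.action.upper():8} {r.username}: {r.reason}")
    print("disabled:", apply_findings(SAMPLE_INVENTORY, results))
```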
7.2 Establish and Maintain a Remediation Process
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.

7.3 Perform Automated Operating System Patch Management
Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

7.4 Perform Automated Application Patch Management
Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.

7.7 Remediate Detected Vulnerabilities
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.

CIS Control 8: Audit Log Management

8.1 Establish and Maintain an Audit Log Management Process
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

8.2 Collect Audit Logs
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

8.3 Ensure Adequate Audit Log Storage
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

8.4 Standardize Time Synchronization
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.
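An added example, not code from the audit report or the CIS documents, of the bookkeeping behind the monthly cadence in Safeguards 7.2, 7.6 and 7.7 above: which open findings have outrun their deadline, which externally-exposed assets have missed a monthly scan, and how long fixes are taking. The per-severity deadlines are an assumed remediation policy (the Safeguards only fix the monthly ceiling), and the findings, assets and VULN-* identifiers are constructed placeholders.

```python
"""Risk-based remediation tracking for CIS Safeguards 7.2, 7.6 and 7.7.

Added example; not code from the audit report or the CIS documents. Given
constructed scanner findings and asset scan dates, it lists (a) open findings
past their remediation deadline, (b) externally exposed assets whose last scan
is older than the monthly cadence, and (c) mean time-to-fix by severity for
the monthly review. The per-severity deadlines are an assumed remediation
policy; the Safeguards only fix the ceiling (monthly or more frequent).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_CYCLE_DAYS = 30                                                   # "monthly, or more frequent"
DEADLINE_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 30}  # assumed policy
assert all(d <= MAX_CYCLE_DAYS for d in DEADLINE_DAYS.values())


@dataclass
class Finding:
    asset: str
    vuln_id: str          # scanner/tracker identifier (placeholders below)
    severity: str
    first_seen: date
    fixed_on: Optional[date] = None


@dataclass
class Asset:
    name: str
    externally_exposed: bool
    last_scan: Optional[date]


def overdue_findings(findings, today):
    """Open findings older than their severity's deadline, most overdue first.
    Returns (asset, vuln_id, severity, days_overdue) tuples."""
    overdue = []
    for f in findings:
        if f.fixed_on is not None:
            continue
        age = (today - f.first_seen).days
        allowed = DEADLINE_DAYS[f.severity.lower()]
        if age > allowed:
            overdue.append((f.asset, f.vuln_id, f.severity, age - allowed))
    return sorted(overdue, key=lambda row: row[3], reverse=True)


def stale_external_scans(assets, today):
    """Externally exposed assets not scanned within the monthly cadence (7.6)."""
    return [a.name for a in assets
            if a.externally_exposed
            and (a.last_scan is None or (today - a.last_scan).days > MAX_CYCLE_DAYS)]


def mean_days_to_fix(findings):
    """Mean identification-to-remediation time per severity, from closed findings."""
    durations = {}
    for f in findings:
        if f.fixed_on is not None:
            durations.setdefault(f.severity.lower(), []).append((f.fixed_on - f.first_seen).days)
    return {sev: sum(days) / len(days) for sev, days in durations.items()}


TODAY = date(2022, 7, 21)      # constructed review date
SAMPLE_FINDINGS = [            # constructed; VULN-* ids are placeholders, not CVEs
    Finding("web-01", "VULN-0001", "critical", date(2022, 7, 10)),
    Finding("web-01", "VULN-0002", "high", date(2022, 7, 15)),
    Finding("db-01", "VULN-0003", "medium", date(2022, 6, 1)),
    Finding("file-01", "VULN-0004", "low", date(2022, 7, 1), fixed_on=date(2022, 7, 12)),
    Finding("web-01", "VULN-0005", "critical", date(2022, 6, 20), fixed_on=date(2022, 6, 24)),
]
SAMPLE_ASSETS = [              # constructed
    Asset("web-01", True, date(2022, 7, 5)),
    Asset("vpn-01", True, date(2022, 6, 1)),
    Asset("db-01", False, None),
]

if __name__ == "__main__":
    for asset, vid, sev, late in overdue_findings(SAMPLE_FINDINGS, TODAY):
        print(f"OVERDUE {asset} {vid} ({sev}) by {late} days")
    print("stale external scans:", stale_external_scans(SAMPLE_ASSETS, TODAY))
    print("mean days to fix:", mean_days_to_fix(SAMPLE_FINDINGS))
```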
8.9 Centralize Audit Logs
Centralize, to the extent possible, audit log collection and retention across enterprise assets.

8.10 Retain Audit Logs
Retain audit logs across enterprise assets for a minimum of 90 days.

CIS Control 9: Email and Web Browser Protections

9.1 Ensure Use of Only Fully Supported Browsers and Email Clients
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.

9.2 Use DNS Filtering Services
Use DNS filtering services on all enterprise assets to block access to known malicious domains.

9.3 Maintain and Enforce Network-Based URL Filters
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.

9.5 Implement DMARC
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

9.6 Block Unnecessary File Types
Block unnecessary file types attempting to enter the enterprise’s email gateway.

CIS Control 10: Malware Defenses

10.1 Deploy and Maintain Anti-Malware Software
Deploy and maintain anti-malware software on all enterprise assets.

10.2 Configure Automatic Anti-Malware Signature Updates
Configure automatic updates for anti-malware signature files on all enterprise assets.

10.3 Disable Autorun and Autoplay for Removable Media
Disable autorun and autoplay auto-execute functionality for removable media.

10.6 Centrally Manage Anti-Malware Software
Centrally manage anti-malware software.
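An added example, not code from the audit report or the CIS documents, showing what "implemented" means for Safeguard 9.5 above in terms of the published DNS records: SPF with an enforcing all-mechanism, a DKIM selector with a public key, and a DMARC record whose policy is quarantine or reject rather than monitor-only. The records are constructed strings for a fictitious domain, evaluated offline.

```python
"""Check a domain's SPF, DKIM and DMARC records against CIS Safeguard 9.5.

Added example; not code from the audit report or the CIS documents. The DNS
TXT records are supplied as strings (constructed below) so the check runs
offline; in practice they would be fetched with a resolver. The checks follow
the Safeguard's order: SPF first, then DKIM, then an enforcing DMARC policy.
"""


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain_txt):
    """Exactly one SPF record, ending in -all or ~all; +all or ?all permits spoofing."""
    spf = [r for r in domain_txt if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, f"expected exactly one SPF record, found {len(spf)}"
    last = spf[0].split()[-1].lower()
    if last not in ("-all", "~all"):
        return False, f"SPF must end with -all or ~all, found '{last}'"
    return True, f"SPF enforces '{last}'"


def check_dkim(selector_txt):
    """At least one selector must publish a DKIM key (an empty p= means revoked)."""
    for selector, records in selector_txt.items():
        for record in records:
            tags = parse_tags(record)
            if tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p"):
                return True, f"DKIM public key published at selector '{selector}'"
    return False, "no DKIM selector publishes a public key"


def check_dmarc(dmarc_txt):
    """One v=DMARC1 record with p=quarantine or p=reject applied to 100% of mail."""
    dmarc = [r for r in dmarc_txt if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        return False, f"expected exactly one DMARC record, found {len(dmarc)}"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"DMARC policy is '{policy or 'missing'}'; p=none only monitors"
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        return False, f"DMARC p={policy} applies to only {pct}% of mail"
    if "rua" not in tags:
        return True, f"DMARC p={policy} enforced (add rua= to receive aggregate reports)"
    return True, f"DMARC p={policy} enforced with aggregate reporting"


def assess_domain(records):
    """records: {'txt': [...], 'dkim': {selector: [...]}, 'dmarc': [...]}."""
    return {
        "spf": check_spf(records["txt"]),
        "dkim": check_dkim(records["dkim"]),
        "dmarc": check_dmarc(records["dmarc"]),
    }


# Constructed records for a fictitious domain; not real DNS data.
ENFORCING = {
    "txt": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
            "some-site-verification=abc123"],
    "dkim": {"s1._domainkey": ["v=DKIM1; k=rsa; p=EXAMPLEBASE64PUBLICKEY"]},
    "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; pct=100"],
}
MONITOR_ONLY = {  # a common "started but not finished" state
    "txt": ["v=spf1 include:_spf.mail.example ?all"],
    "dkim": {"s1._domainkey": []},
    "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"],
}

if __name__ == "__main__":
    for name, recs in (("enforcing", ENFORCING), ("monitor-only", MONITOR_ONLY)):
        print(name)
        for check, (ok, msg) in assess_domain(recs).items():
            print(f"  {'PASS' if ok else 'FAIL'} {check}: {msg}")
```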
10.7 Use Behavior-Based Anti-Malware Software
Use behavior-based anti-malware software.

CIS Control 11: Data Recovery

11.1 Establish and Maintain a Data Recovery Process
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

11.2 Perform Automated Backups
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.

11.3 Protect Recovery Data
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.

11.4 Establish and Maintain an Isolated Instance of Recovery Data
Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services.

11.5 Test Data Recovery
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.

CIS Control 12: Network Infrastructure Management

12.1 Ensure Network Infrastructure is Up-to-Date
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.

12.2 Establish and Maintain a Secure Network Architecture
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

12.4 Establish and Maintain Architecture Diagram(s)
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

12.5 Centralize Network Authentication, Authorization, and Auditing (AAA)
Centralize network AAA.

12.6 Use of Secure Network Management and Communication Protocols
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).

12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.

CIS Control 13: Network Monitoring and Defense

13.2 Deploy a Host-Based Intrusion Detection Solution
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

13.3 Deploy a Network Intrusion Detection Solution
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

13.5 Manage Access Control for Remote Assets
Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date.

CIS Control 14: Security Awareness and Skills Training

14.1 Establish and Maintain a Security Awareness Program
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.

14.2 Train Workforce Members to Recognize Social Engineering Attacks
Train workforce members to recognize social engineering attacks, such as phishing, pretexting, and tailgating.

14.3 Train Workforce Members on Authentication Best Practices
Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.

14.4 Train Workforce on Data Handling Best Practices
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.

14.5 Train Workforce Members on Causes of Unintentional Data Exposure
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.

14.6 Train Workforce Members on Recognizing and Reporting Security Incidents
Train workforce members to be able to recognize a potential incident and be able to report such an incident.

14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.

14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.

14.9 Conduct Role-Specific Security Awareness and Skills Training
Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.

CIS Control 15: Service Provider Management

15.1 Establish and Maintain an Inventory of Service Providers
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.

15.2 Establish and Maintain a Service Provider Management Policy
Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard.

15.3 Classify Service Providers
Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard.

15.4 Ensure Service Provider Contracts Include Security Requirements
Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements.

CIS Control 16: Application Software Security

16.1 Establish and Maintain a Secure Application Development Process
Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.

16.4 Establish and Manage an Inventory of Third-Party Software Components
Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported.

16.5 Use Up-to-Date and Trusted Third-Party Software Components
Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.

16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually.

16.7 Use Standard Hardening Configuration Templates for Application Infrastructure
Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening.

16.8 Separate Production and Non-Production Systems
Maintain separate environments for production and non-production systems.

16.9 Train Developers in Application Security Concepts and Secure Coding
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers.

16.10 Apply Secure Design Principles in Application Architectures
Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts.

16.11 Leverage Vetted Modules or Services for Application Security Components
Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.

CIS Control 17: Incident Response Management

17.1 Designate Personnel to Manage Incident Handling
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.2 Establish and Maintain Contact Information for Reporting Security Incidents
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.

17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.4 Establish and Maintain an Incident Response Process
Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.5 Assign Key Roles and Responsibilities
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.6 Define Mechanisms for Communicating During Incident Response
Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

CIS Control 18: Penetration Testing

18.1 Establish and Maintain a Penetration Testing Program
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

18.2 Perform Periodic External Penetration Tests
Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

18.3 Remediate Penetration Test Findings
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

{End of Report}

Please take a survey on this report by clicking on the attached link: https://www.surveymonkey.com/r/2122-6

If you would like to receive future reports and information from Internal Audit or know someone else who might like to receive our updates, sign up at http://bit.ly/DCInternalAudit.