CIS Controls V7.0.1-EBOOK - Part 14
CIS Control 18: Procedures and Resources

The security of applications (in-house developed or acquired off the shelf or from external developers) is a complex activity requiring a complete program encompassing enterprise-wide policy, technology, and the role of people.

All software should be regularly tested for vulnerabilities. The operational practice of scanning for application vulnerabilities has been consolidated within CIS Control 3: Continuous Vulnerability Management. However, the most effective approach is to implement a full supply chain security program for externally acquired software and a Secure Software Development Life Cycle for internally developed software. Those aspects are addressed in this Control.

For software developed in-house or custom software developed externally under contract, an effective program for application software must address security throughout the entire life cycle, and embed security as a natural part of establishing requirements, training, tools, and testing. Modern development cycles and methods do not allow for sequential approaches in which security is addressed only as a separate phase at the end. Acceptance criteria should always include requirements that application vulnerability testing tools be run and all known vulnerabilities be documented. It is safe to assume that software will not be perfect, and so a development program must plan up-front for bug reporting and remediation as an essential security function.

For software which is acquired (commercial, open-source, etc.), application security criteria should be part of the evaluation criteria and efforts should be made to understand the source's software practices, testing, and error reporting and management. Whenever possible, suppliers should be required to show evidence that standard commercial software testing tools or services were used and that no known vulnerabilities are present in the current version.

The actions in this Control provide specific, high-priority steps that can improve Application Software Security. In addition, we recommend use of some of the excellent comprehensive resources dedicated to this topic:

https://www.safecode.org/

CIS Control 18: System Entity Relationship Diagram (entities shown: Secure Coding Standards; Education Plans / Training Plans; Computing Systems; Code Analysis System; Alerting / Reporting Analytics System)
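The acceptance criteria described above (the testing tool was actually run against the release, every known vulnerability has a documented disposition, and nothing above an agreed severity ships unresolved) can be enforced mechanically as a release gate. The Python below is an added illustration of such a gate; it is not CIS tooling or code from the ebook. The report structure, the status values (fixed, accepted, open), the seven-day evidence-age limit, the tool name and the sample findings are all constructed for this example.

```python
"""Release acceptance gate: is the application-security evidence sufficient?

Added example; not CIS tooling. Report structure, status values and the
evidence-age limit are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
VALID_STATUS = {"fixed", "accepted", "open"}


@dataclass
class Finding:
    finding_id: str                    # scanner's own identifier (constructed here)
    severity: str                      # key of SEVERITY_RANK
    title: str
    status: str                        # fixed | accepted | open
    ticket: Optional[str] = None       # remediation ticket (for fixed/open)
    accepted_by: Optional[str] = None  # approver who accepted the residual risk


@dataclass
class ScanReport:
    tool: str
    tool_version: str
    scanned_at: datetime               # timezone-aware
    target_version: str                # build the scan actually ran against
    findings: List[Finding] = field(default_factory=list)


def evaluate_gate(report: ScanReport, release_version: str,
                  max_open_severity: str = "medium",
                  max_evidence_age: timedelta = timedelta(days=7),
                  now: Optional[datetime] = None) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). Every failed criterion is reported, not just the first."""
    now = now or datetime.now(timezone.utc)
    reasons: List[str] = []

    # Criterion 1: the testing tool was run against this release, and recently.
    if report.target_version != release_version:
        reasons.append(f"scan evidence is for {report.target_version}, not {release_version}")
    if now - report.scanned_at > max_evidence_age:
        reasons.append(f"scan evidence from {report.scanned_at:%Y-%m-%d} is older than "
                       f"{max_evidence_age.days} days")

    # Criterion 2: every known vulnerability is documented with a disposition.
    for f in report.findings:
        if f.status not in VALID_STATUS:
            reasons.append(f"{f.finding_id}: undocumented status {f.status!r}")
            continue
        if f.status in ("fixed", "open") and not f.ticket:
            reasons.append(f"{f.finding_id}: {f.status} but no remediation ticket recorded")
        if f.status == "accepted" and not f.accepted_by:
            reasons.append(f"{f.finding_id}: risk accepted without a named approver")
        # Criterion 3: nothing above the agreed severity ships unresolved.
        if f.status == "open" and SEVERITY_RANK[f.severity] > SEVERITY_RANK[max_open_severity]:
            reasons.append(f"{f.finding_id}: open {f.severity} finding exceeds release "
                           f"threshold ({max_open_severity})")

    return (not reasons, reasons)


def sample_report(now: datetime) -> ScanReport:
    """Constructed scanner output for the example; the findings are not real."""
    return ScanReport(
        tool="example-sast", tool_version="1.0",
        scanned_at=now - timedelta(days=1), target_version="2.4.0",
        findings=[
            Finding("F-001", "high", "injection in search handler", "fixed", ticket="APP-101"),
            Finding("F-002", "medium", "verbose error page", "accepted", accepted_by="appsec-lead"),
            Finding("F-003", "low", "missing security header", "open", ticket="APP-104"),
        ],
    )


def main() -> None:
    now = datetime.now(timezone.utc)
    for release in ("2.4.0", "2.5.0"):  # the second shows a version-mismatch failure
        ok, reasons = evaluate_gate(sample_report(now), release, now=now)
        print(release, "PASS" if ok else "FAIL", *reasons, sep="\n  ")


if __name__ == "__main__":
    main()
```

The gate collects every failed criterion rather than stopping at the first, so a supplier or development team receives the complete list of evidence to supply or findings to document in one pass; the same structure applies to externally acquired software if the supplier's test report is mapped onto ScanReport.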
CIS Control 19:
Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing
an incident response infrastructure (e.g., plans, defined roles, training, communications,
management oversight) for quickly discovering an attack and then effectively containing the
damage, eradicating the attacker’s presence, and restoring the integrity of the network and
systems.
When an incident occurs, it is too late to develop the right procedures, reporting, data collection,
management responsibility, legal protocols, and communications strategy that will allow the
enterprise to successfully understand, manage, and recover. Without an incident response
plan, an organization may not discover an attack in the first place, or, if the attack is detected,
the organization may not follow good procedures to contain damage, eradicate the attacker’s
presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact,
causing more damage, infecting more systems, and possibly exfiltrate more sensitive data than
would otherwise be possible were an effective incident response plan in place.
CIS Control 19: Incident Response and Management

Sub-Control | Asset Type | Security Function | Control Title | Control Descriptions
19.1 | N/A | N/A | Document Incident Response Procedures | Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
19.2 | N/A | N/A | Assign Job Titles and Duties for Incident Response | Assign job titles and duties for handling computer and network incidents to specific individuals and ensure tracking and documentation throughout the incident through resolution.
19.3 | N/A | N/A | Designate Management Personnel to Support Incident Handling | Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
19.4 | N/A | N/A | Devise Organization-wide Standards for Reporting Incidents | Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
19.5 | N/A | N/A | Maintain Contact Information For Reporting Security Incidents | Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners.
19.6 | N/A | N/A | Publish Information Regarding Reporting Computer Anomalies and Incidents | Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.
19.7 | N/A | N/A | Conduct Periodic Incident Scenario Sessions for Personnel | Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.
19.8 | N/A | N/A | Create Incident Scoring and Prioritization Schema | Create incident scoring and prioritization schema based on known or potential impact to your organization. Use the score to define the frequency of status updates and the escalation procedures.

CIS Control 19: Procedures and Tools

After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents. It is inevitable that exercise and training scenarios will identify gaps in plans and processes, and unexpected dependencies.

The actions in this Control provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive incident response plan. In addition, we recommend use of some of the excellent comprehensive resources dedicated to this topic:

• CREST Cyber Security Incident Response Guide
CREST provides guidance, standards, and knowledge on a wide variety of cyberdefense topics.
https://www.crest-approved.org/wp-content/uploads/2014/11/CSIR-Procurement-Guide.pdf

CIS Control 19: System Entity Relationship Diagram (entities shown: Third Party Authorities; Workforce Members; Alerting / Reporting Analytics System; Incident Management Plans)
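Sub-controls 19.4 and 19.8 above call for a reporting-time standard and a scoring schema that drives the frequency of status updates and the escalation path. The Python below is an added illustration of one such schema, not CIS's own and not code from the ebook. The impact factors and their levels, the weights, the tier thresholds, the one-hour reporting limit, the update cadences, the escalation roles and the two sample incidents are all assumptions that an organization would replace with values from its own risk assessment.

```python
"""Incident scoring, prioritization, update cadence and escalation.

Added example of the kind of schema sub-controls 19.4 and 19.8 call for;
not CIS's own. Factors, weights, thresholds, time limits and roles are
assumptions that an organization would set for itself.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Impact factors, each rated on an assumed 0-3 scale.
IMPACT_SCALES: Dict[str, Dict[str, int]] = {
    "data_sensitivity": {"public": 0, "internal": 1, "confidential": 2, "regulated": 3},
    "system_criticality": {"low": 0, "medium": 1, "high": 2, "critical": 3},
    "scope": {"single_host": 0, "segment": 1, "multiple_segments": 2, "enterprise": 3},
    "attacker_activity": {"suspected": 0, "confirmed_access": 1,
                          "lateral_movement": 2, "active_exfiltration": 3},
}
WEIGHTS = {"data_sensitivity": 3, "system_criticality": 3, "scope": 2, "attacker_activity": 2}
MAX_SCORE = sum(w * max(IMPACT_SCALES[k].values()) for k, w in WEIGHTS.items())  # 30

# (tier, minimum score, status-update cadence, who is escalated to when an update is overdue)
TIERS = [
    ("P1", 22, timedelta(hours=1), "CISO"),
    ("P2", 14, timedelta(hours=4), "security manager"),
    ("P3", 6, timedelta(hours=24), "IR lead"),
    ("P4", 0, timedelta(days=7), None),
]
REPORTING_LIMIT = timedelta(hours=1)  # 19.4: max time from observing an anomaly to reporting it


@dataclass
class Incident:
    incident_id: str
    observed_at: datetime                   # when the anomaly was first seen
    reported_at: datetime                   # when it reached the incident handling team
    impact: Dict[str, str]                  # one level per IMPACT_SCALES factor
    last_update: Optional[datetime] = None  # last status update to stakeholders


def score_incident(impact: Dict[str, str]) -> int:
    """Weighted sum of the impact ratings; rejects unknown levels rather than guessing."""
    total = 0
    for factor, weight in WEIGHTS.items():
        level = impact.get(factor)
        if level not in IMPACT_SCALES[factor]:
            raise ValueError(f"unknown {factor} level: {level!r}")
        total += weight * IMPACT_SCALES[factor][level]
    return total


def tier_for(score: int):
    """First tier whose minimum score the incident reaches (TIERS is ordered highest first)."""
    for name, threshold, cadence, escalate_to in TIERS:
        if score >= threshold:
            return name, cadence, escalate_to
    raise ValueError(f"no tier for score {score}")  # unreachable: P4 threshold is 0


def triage(inc: Incident, now: datetime) -> dict:
    """Score the incident, pick its tier, and derive the update/escalation state at `now`."""
    score = score_incident(inc.impact)
    name, cadence, escalate_to = tier_for(score)
    last = inc.last_update or inc.reported_at  # the initial report counts as the first update
    next_due = last + cadence
    return {
        "incident_id": inc.incident_id,
        "score": score,
        "tier": name,
        "reporting_standard_met": inc.reported_at - inc.observed_at <= REPORTING_LIMIT,
        "next_update_due": next_due,
        "escalate_to": escalate_to if now > next_due else None,
    }


def sample_incidents(now: datetime) -> List[Incident]:
    """Constructed incidents for the example."""
    return [
        Incident("INC-1", observed_at=now - timedelta(hours=3),
                 reported_at=now - timedelta(hours=1, minutes=30),  # reported late
                 impact={"data_sensitivity": "regulated", "system_criticality": "critical",
                         "scope": "segment", "attacker_activity": "confirmed_access"},
                 last_update=now - timedelta(hours=2)),              # update overdue for P1
        Incident("INC-2", observed_at=now - timedelta(minutes=40),
                 reported_at=now - timedelta(minutes=20),
                 impact={"data_sensitivity": "internal", "system_criticality": "medium",
                         "scope": "single_host", "attacker_activity": "suspected"}),
    ]


def main() -> None:
    now = datetime.now(timezone.utc)
    for inc in sample_incidents(now):
        print(triage(inc, now))


if __name__ == "__main__":
    main()
```

Keeping the scoring deterministic and the tier table explicit is what makes the schema usable in the scenario sessions of 19.7: exercise participants can be given the same impact ratings and should arrive at the same tier, cadence and escalation target, and any disagreement points at a gap in the schema rather than in the people.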