
Qualification

Each subcontrol is rated on three criteria (Policy Defined, Control Implemented, Control Reported to Business), each with four levels. Where the source page cuts a description off at the right margin, the cut is marked with […].

Policy Defined

| Qualification | Description: use it if… |
|---|---|
| No Policy | The organization doesn't have any policy deployed for the subcontrol. |
| Informal Procedure | The organization doesn't have any policy deployed for this control, but there could be a procedure set and used by all the employees relat […] |
| Partial Written Policy | The organization has a policy that was not recently updated and only covers a few of the processes related to the subcontrol. |
| Deployed Written Policy | The organization deployed a policy that covers all the processes related to the subcontrol, and it was communicated to the employees. |

Control Implemented

| Qualification | Description: use it if… |
|---|---|
| Not Implemented | The organization doesn't deploy any technology/device to mitigate the risks related to the subcontrol. |
| Parts of the Policy Implemented | The organization deployed procedures/technology that cover part of the current policy to mitigate the risks related to the subcontrol. |
| Implemented on Some Systems | The organization deployed devices/technology following the current policy in some systems to mitigate the risks related to the subcontrol. |
| Implemented on All Systems | The organization deployed devices/technology following the current policy in all the systems to mitigate the risks related to the subcontrol. |

Control Reported to Business

| Qualification | Description: use it if… |
|---|---|
| Not Reported | The organization's managers don't generate nor analyze any report of the technology/devices deployed to mitigate the risks related to […] |
| Reported on Some Systems | The organization's managers generate and/or analyze reports of the technology/devices deployed to mitigate the risks related only to the […] |
| Reported on Most Systems | The organization's managers generate and/or analyze reports of the technology/devices deployed to mitigate the risks related only to the […] |
| Reported on All Systems | The organization's managers generate and/or analyze reports of the technology/devices deployed to mitigate the risks related to all the pr […] |

The 20 CIS Critical Security Controls for Effective Cyber Defense

| ID | Control | Key Principle |
|---|---|---|
| Control 1 | Inventory of Authorized and Unauthorized Devices | Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and u […] are found and prevented from gaining access. |
| Control 2 | Inventory of Authorized and Unauthorized Software | Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, a […] software is found and prevented from installation or execution. |
| Control 3 | Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using […] and change control process in order to prevent attackers from exploiting vulnerable services and settings. |
| Control 4 | Continuous Vulnerability Assessment and Remediation | Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window […] |
| Control 5 | Controlled Use of Administrative Privileges | The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on comp […] |
| Control 6 | Maintenance, Monitoring, and Analysis of Audit Logs | Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack. |
| Control 7 | Email and Web Browser Protections | Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browser […] |
| Control 8 | Malware Defenses | Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automatio […] data gathering, and corrective action. |
| Control 9 | Limitation and Control of Network Ports, Protocols, and Services | Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize w […] attackers. |
| Control 10 | Data Recovery Capability | The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. |
| Control 11 | Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a r […] change control process in order to prevent attackers from exploiting vulnerable services and settings. |
| Control 12 | Boundary Defense | Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data. |
| Control 13 | Data Protection | The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of se […] |
| Control 14 | Controlled Access Based on the Need to Know | The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) accor […] which persons, computers, and applications have a need and right to access these critical assets based on an approved classification. |
| Control 15 | Wireless Access Control | The processes and tools used to track, control, prevent, and correct the security use of wireless local area networks (LANs), access points, […] |
| Control 16 | Account Monitoring and Control | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportu […] |
| Control 17 | Security Skills Assessment and Appropriate Training to Fill Gaps | For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledg […] support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organiza […] awareness programs. |
| Control 18 | Application Software Security | Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesse […] |
| Control 19 | Incident Response and Management | Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g […] communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the atta […] integrity of the network and systems. |
| Control 20 | Penetration Tests and Red Team Exercises | Test the overall strength of an organization's defenses (the technology, the processes, and the people) by simulating the objectives and ac […] |
Course: Information Security

Students:
1) Hugo Chávez Muñoz
2) -
3) -

Controls selected for assessment:
1) (Control 1) Inventory of Authorized and Unauthorized Devices
2) (Control 2) Inventory of Authorized and Unauthorized Software
3) (Control 7) Email and Web Browser Protections
4) (Control 10) Data Recovery Capability
5) (Control 15) Wireless Access Control

Name of the organization: A.W. Faber-Castell

Description of the company: Faber-Castell, a company of German origin founded more than 250 years ago, is a world leader in the manufacture of wooden pencils. Its headquarters are located in Stein, Germany. Faber-Castell has been present in Peru since 1965 and is also present in several other countries: Austria, Argentina, Czech Republic, France, Germany, Malaysia, Switzerland and Brazil.

Number of employees and offices/buildings: The company has around 1000 employees (Peru). Its areas are: finance, sales, production, quality control, marketing, projects, human management, supply chain and exports.

Preliminary Analysis:
Summary:

Controls selected for assessment

| Evaluation Criteria | C# 1 | C# 2 | C# 7 | C# 10 | C# 15 | Total |
|---|---|---|---|---|---|---|
| Policy Defined | | | | | | |
| No Policy | 0 | 0 | 1 | 0 | 0 | 1 |
| Informal Procedure | 2 | 3 | 0 | 1 | 1 | 7 |
| Partial Written Policy | 1 | 1 | 4 | 1 | 2 | 9 |
| Deployed Written Policy | 3 | 0 | 3 | 2 | 6 | 14 |
| Control Implemented | | | | | | |
| Not Implemented | 0 | 1 | 1 | 0 | 0 | 2 |
| Parts of the Policy Implemented | 2 | 2 | 0 | 2 | 2 | 8 |
| Implemented on Some Systems | 0 | 1 | 1 | 1 | 1 | 4 |
| Implemented on All Systems | 4 | 0 | 6 | 1 | 6 | 17 |
| Control Reported to Business | | | | | | |
| Not Reported | 1 | 0 | 1 | 0 | 1 | 3 |
| Reported on Some Systems | 1 | 1 | 1 | 3 | 1 | 7 |
| Reported on Most Systems | 3 | 3 | 4 | 1 | 4 | 15 |
| Reported on All Systems | 1 | 0 | 2 | 0 | 3 | 6 |

Each column adds up to the number of subcontrols assessed for that control (6, 4, 8, 4 and 9 respectively, 31 in total). The "Reported on Some Systems" row is the level that the per-control sheets below label "Reported on Critical Systems".
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

ID  Critical Security Control Detail

1.1 Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization's public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.

1.2 If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.

1.3 Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.

1.4 Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice-over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network.

1.5 Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.

1.6 Use client certificates to validate and authenticate systems prior to connecting to the private network.

| ID | Policy Defined | Control Implemented | Control Reported to Business |
|---|---|---|---|
| 1.1 | Informal Procedure | Parts of the Policy Implemented | Reported on Critical Systems |
| 1.2 | Deployed Written Policy | Implemented on All Systems | Reported on Most Systems |
| 1.3 | Deployed Written Policy | Implemented on All Systems | Reported on Most Systems |
| 1.4 | Partial Written Policy | Implemented on All Systems | Reported on Most Systems |
| 1.5 | Informal Procedure | Parts of the Policy Implemented | Not Reported |
| 1.6 | Deployed Written Policy | Implemented on All Systems | Reported on All Systems |

Amount of Sub Controls for "Policy Defined": No Policy 0, Informal Procedure 2, Partial Written Policy 1, Deployed Written Policy 3
Amount of Sub Controls for "Control Implemented": Not Implemented 0, Parts of the Policy Implemented 2, Implemented on Some Systems 0, Implemented on All Systems 4
Amount of Sub Controls for "Control Reported to Business": Not Reported 1, Reported on Critical Systems 1, Reported on Most Systems 3, Reported on All Systems 1

Justification

1.1 The IT department uses the software IP Scan to scan all the equipment connected to the network and checks the result against the inventory file to confirm everything is correct. This is done once a month for the monthly inventory.

1.2 The company manages its equipment through Active Directory, in which each computer is identified by a standard code; this makes it easier to identify all of the company's equipment.

1.3 All equipment is configured by the IT team, and the inventory is kept manually in an Excel file, which is then uploaded to the network so that the departments can consult the reports monthly.

1.4 The tools used by the IT department are recorded in Excel files. These files follow a standard model approved by the quality control area (the department responsible for audits) and are updated every day; the file is uploaded to the network, where other departments (for example the cost department) have access and can produce reports.

1.5 The security method implemented in the company is the configuration applied to each device: it is added to the Faber-Castell group, from which it adopts the company's permissions and policies.

1.6 An SSL certificate is used to verify and validate a device's connection to the network.
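Subcontrols 1.1, 1.2 and 1.4 describe the mechanics behind an honest inventory: an active scan and the DHCP server log are two independent observations of what is actually on the wire, and both get reconciled against the authorized inventory (the justification for 1.1 above describes doing that comparison by hand against an Excel file once a month). The following Python script, added here as an illustration and not part of the original assessment or of Faber-Castell's tooling, performs that reconciliation on constructed sample data: an inventory keyed by MAC address, a few ISC dhcpd-style syslog lines, and the result of an ARP/ping sweep. Every address, hostname and log line is made up.

```python
"""Reconcile an authorized-device inventory against DHCP lease logs and an
active network scan (CIS CSC 1.1, 1.2, 1.4).

Added example: this is not the assessed company's tooling. Every MAC, IP,
hostname and log line below is constructed for illustration."""
import re

# Constructed inventory (CSC 1.4 fields), keyed by MAC address.
AUTHORIZED_INVENTORY = {
    "00:11:22:33:44:55": {"name": "pe-fin-ws01", "owner": "Finance",
                          "purpose": "workstation", "portable": False},
    "00:11:22:33:44:66": {"name": "pe-prod-gw01", "owner": "Production",
                          "purpose": "PLC gateway", "portable": False},
    "00:11:22:33:44:77": {"name": "pe-it-lt03", "owner": "IT",
                          "purpose": "laptop", "portable": True},
}

# Constructed ISC dhcpd-style syslog lines (CSC 1.2). Only DHCPACK means a
# lease was actually granted; a bare DHCPDISCOVER is not a host on the LAN.
DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.10.20.15 to 00:11:22:33:44:55 (pe-fin-ws01) via eth0
Mar  3 08:02:40 dhcp1 dhcpd: DHCPACK on 10.10.20.16 to 00:11:22:33:44:77 (pe-it-lt03) via eth0
Mar  3 08:05:03 dhcp1 dhcpd: DHCPACK on 10.10.20.99 to aa:bb:cc:dd:ee:ff (android-9f3c) via eth0
Mar  3 08:06:17 dhcp1 dhcpd: DHCPDISCOVER from 00:de:ad:be:ef:01 via eth0
"""

# Constructed active-scan result (CSC 1.1) as an ARP/ping sweep reports it.
# The last host has a static address and never shows up in DHCP logs, which
# is why both observation sources are needed.
SCAN_RESULTS = [
    ("10.10.20.15", "00:11:22:33:44:55"),
    ("10.10.20.16", "00:11:22:33:44:77"),
    ("10.10.20.99", "AA:BB:CC:DD:EE:FF"),
    ("10.10.20.200", "00:de:ad:be:ef:02"),
]

DHCPACK_RE = re.compile(
    r"DHCPACK on (\S+) to ([0-9a-f]{2}(?::[0-9a-f]{2}){5})(?: \(([^)]+)\))?", re.I)


def parse_dhcp_leases(log_text):
    """Return {mac: (ip, hostname_or_None)} from DHCPACK lines; later ACKs win."""
    leases = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            ip, mac, host = m.group(1), m.group(2).lower(), m.group(3)
            leases[mac] = (ip, host)
    return leases


def reconcile(inventory, dhcp_leases, scan_results):
    """Merge both observation sources and classify each MAC against the inventory.

    Returns {"authorized": [...], "unauthorized": [...], "missing": [...],
             "observed": {mac: [ips]}}; lists are sorted for stable reporting.
    'unauthorized' is what CSC 1.5/1.6 should be blocking; 'missing' is
    inventory drift (device retired, offline, or on an unscanned segment)."""
    observed = {}
    for mac, (ip, _host) in dhcp_leases.items():
        observed.setdefault(mac, set()).add(ip)
    for ip, mac in scan_results:
        observed.setdefault(mac.lower(), set()).add(ip)
    return {
        "authorized": sorted(m for m in observed if m in inventory),
        "unauthorized": sorted(m for m in observed if m not in inventory),
        "missing": sorted(m for m in inventory if m not in observed),
        "observed": {m: sorted(ips) for m, ips in observed.items()},
    }


if __name__ == "__main__":
    report = reconcile(AUTHORIZED_INVENTORY, parse_dhcp_leases(DHCP_LOG), SCAN_RESULTS)
    for mac in report["unauthorized"]:
        print("UNAUTHORIZED", mac, report["observed"][mac])
    for mac in report["missing"]:
        print("MISSING", mac, AUTHORIZED_INVENTORY[mac]["name"])
```

Run as-is, it flags two MACs that are on the network but not in the inventory (one of them the statically addressed host that DHCP logging alone would never reveal) and one inventoried device that was not observed at all, which is exactly the drift a once-a-month manual comparison tends to miss. The DHCPDISCOVER line is deliberately ignored: only a DHCPACK proves a lease was granted.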
Critical Security Control #2: Inventory of Authorized and Unauthorized Software

ID  Critical Security Control Detail

2.1 Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.

2.2 Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.

2.3 Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The software inventory systems must be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

2.4 Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk should not be installed within a networked environment.

| ID | Policy Defined | Control Implemented | Control Reported to Business |
|---|---|---|---|
| 2.1 | Partial Written Policy | Parts of the Policy Implemented | Reported on Most Systems |
| 2.2 | Informal Procedure | Not Implemented | Reported on Critical Systems |
| 2.3 | Informal Procedure | Implemented on Some Systems | Reported on Most Systems |
| 2.4 | Informal Procedure | Parts of the Policy Implemented | Reported on Most Systems |

Amount of Sub Controls for "Policy Defined": No Policy 0, Informal Procedure 3, Partial Written Policy 1, Deployed Written Policy 0
Amount of Sub Controls for "Control Implemented": Not Implemented 1, Parts of the Policy Implemented 2, Implemented on Some Systems 1, Implemented on All Systems 0
Amount of Sub Controls for "Control Reported to Business": Not Reported 0, Reported on Critical Systems 1, Reported on Most Systems 3, Reported on All Systems 0

Justification

2.1 Reports are necessary because they provide useful information for the company's budgets and expenses; in some cases this affects the production of the products and the final price of product development. The company manages users and equipment through Active Directory.

2.2 The list of programs that may be used is generated according to the needs of the different departments. The list is managed by the systems area and by the costs area; the company's policy is to install only licensed programs, which is coordinated with the managers of the respective departments.

2.3 The company has a tool that scans the programs on all the equipment connected to the network; the program used is the SCCM client. This data is then processed and posted on the network.

2.4 The company has 2 virtual machines which are used to perform tests before going into production; these tests are coordinated with the responsible departments.
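Subcontrol 2.1 asks that the authorized software list be watched by file integrity checking tools, so that an approved binary cannot be silently replaced while the version string it reports stays the same. The following Python script, added here as an illustration and not the company's tooling or the SCCM client named in the justification, shows what such a check reduces to: a SHA-256 baseline over the allow-listed files, then a comparison that separates modified, missing and unexpected files. The file names, contents and the scenario in demo() are constructed, and the files live in a temporary directory so the script runs offline.

```python
"""Hash-baseline integrity check for an authorized-software list (CIS CSC 2.1).

Added example, not the assessed company's tooling. It builds a SHA-256
baseline for the files on an allow-list, then reports drift: modified,
missing, and unexpected files. The demo files are constructed in a temp
directory so the whole thing runs offline."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large binaries are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, allowed):
    """allowed: {relative_path: version}. Returns {relative_path: (version, sha256)}."""
    root = Path(root)
    return {rel: (ver, sha256_of(root / rel)) for rel, ver in allowed.items()}


def check_integrity(root, baseline, scan_dirs):
    """Compare what is on disk now with the baseline.

    modified   : allow-listed file whose hash changed (tampering or an unapproved update)
    missing    : allow-listed file that disappeared
    unexpected : file under a scanned directory that is not on the list at all"""
    root = Path(root)
    modified, missing, unexpected = [], [], []
    for rel, (_ver, digest) in baseline.items():
        p = root / rel
        if not p.exists():
            missing.append(rel)
        elif sha256_of(p) != digest:
            modified.append(rel)
    for d in scan_dirs:
        for p in (root / d).rglob("*"):
            if p.is_file():
                rel = p.relative_to(root).as_posix()
                if rel not in baseline:
                    unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def demo():
    """Constructed scenario: clean baseline, then one binary is patched, one is
    deleted and an unapproved tool appears. Returns (clean_report, dirty_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sccm-agent").write_bytes(b"agent v5.0 build 1234")
        (root / "bin" / "ipscan").write_bytes(b"ipscan 3.5.2")
        allowed = {"bin/sccm-agent": "5.0", "bin/ipscan": "3.5.2"}  # constructed allow-list
        baseline = build_baseline(root, allowed)
        clean = check_integrity(root, baseline, ["bin"])

        # Same version string, different bytes: a version-only inventory misses this.
        (root / "bin" / "sccm-agent").write_bytes(b"agent v5.0 build 1234 + implant")
        (root / "bin" / "ipscan").unlink()
        (root / "bin" / "unapproved-tool").write_bytes(b"not on the list")
        dirty = check_integrity(root, baseline, ["bin"])
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("baseline check :", before)
    print("after tampering:", after)
```

The baseline has to be stored where the checked host cannot rewrite it (a read-only share or a central server); otherwise whoever replaces a binary simply re-hashes it. That is also why the comparison is keyed on (version, hash) pairs rather than on version strings alone, which any installer, including a malicious one, can report unchanged.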
Critical Security Control #7: Email and Web Browser Protections

ID  Critical Security Control Detail

7.1 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers provided by the vendor in order to take advantage of the latest security functions and fixes.

7.2 Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications. Each plugin shall utilize application / URL whitelisting and only allow the use of the application for pre-approved domains.

7.3 Limit the use of unnecessary scripting languages in all web browsers and email clients. This includes the use of languages such as ActiveX and JavaScript on systems where it is unnecessary to support such capabilities.

7.4 Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

7.5 Deploy two separate browser configurations to each system. One configuration should disable the use of all plugins, unnecessary scripting languages, and generally be configured with limited functionality and be used for general web browsing. The other configuration shall allow for more browser functionality but should only be used to access specific websites that require the use of such functionality.

7.6 The organization shall maintain and enforce network based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

7.7 To lower the chance of spoofed e-mail messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.

7.8 Scan and block all e-mail attachments entering the organization's e-mail gateway if they contain malicious code or file types that are unnecessary for the organization's business. This scanning should be done before the e-mail is placed in the user's inbox. This includes e-mail content filtering and web content filtering.

| ID | Policy Defined | Control Implemented | Control Reported to Business |
|---|---|---|---|
| 7.1 | Deployed Written Policy | Implemented on All Systems | Reported on Most Systems |
| 7.2 | Partial Written Policy | Implemented on Some Systems | Reported on Critical Systems |
| 7.3 | Partial Written Policy | Implemented on All Systems | Reported on Most Systems |
| 7.4 | Partial Written Policy | Implemented on All Systems | Reported on Most Systems |
| 7.5 | No Policy | Not Implemented | Not Reported |
| 7.6 | Deployed Written Policy | Implemented on All Systems | Reported on Most Systems |
| 7.7 | Partial Written Policy | Implemented on All Systems | Reported on All Systems |
| 7.8 | Deployed Written Policy | Implemented on All Systems | Reported on All Systems |

Amount of Sub Controls for "Policy Defined": No Policy 1, Informal Procedure 0, Partial Written Policy 4, Deployed Written Policy 3
Amount of Sub Controls for "Control Implemented": Not Implemented 1, Parts of the Policy Implemented 0, Implemented on Some Systems 1, Implemented on All Systems 6
Amount of Sub Controls for "Control Reported to Business": Not Reported 1, Reported on Critical Systems 1, Reported on Most Systems 4, Reported on All Systems 2

Justification

7.1 By policy, all branches of the company must use the latest version of Internet Explorer; there is no rule for Chrome or Mozilla. If a user requests a browser other than Explorer, it is coordinated with the systems area and the requested browser is installed in a secure way.

7.2 The blocking of web pages is controlled from the parent company for all branches; if there is a need to block or unblock pages, it is communicated by mail.

7.3 For security, and by policy from the parent company, the use of ActiveX and JavaScript is blocked; these can be enabled according to need.

7.4 The company works with Retarus to manage security in emails and web pages; every request made by users is logged to verify that the sites are safe.

7.5 There are no 2 configurations for access to internet pages; all users have the same access, which can be modified according to need.

7.6 Through the service that Retarus offers, the security of emails and web pages is managed; in the case of emails each user is informed of incoming emails and, depending on the case, the domains can be blocked or enabled.

7.7 These configurations are already implemented in the company's mail server.

7.8 The scan is carried out by Retarus, which sends emails when there is a suspected threat, giving the user the option of admitting or blocking it.
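Subcontrol 7.7 has two halves: publishing an SPF record in DNS for the organization's own domain, and verifying SPF on the receiving mail server (the justification for 7.7 reports this as already configured on the company's mail server). The following Python code, added here as an illustration and not part of the original assessment nor of the company's or Retarus' configuration, implements the receiver-side half of RFC 7208 against a constructed in-memory zone instead of live DNS, supporting only the ip4, ip6, include and all mechanisms; every domain and IP address is a documentation/example value.

```python
"""Receiver-side SPF check (RFC 7208), as CIS CSC 7.7 asks mail servers to do.

Added example, not the assessed company's mail setup. Real SPF evaluation
needs DNS; here DNS is replaced by a constructed in-memory zone so the code
runs offline, and only the ip4, ip6, include and all mechanisms are
implemented (a, mx, ptr, exists and redirect are reported as permerror).
Every domain and address below is a documentation/example value."""
import ipaddress

# Constructed zone: domain -> TXT record. Not real domains.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:10::/48 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.1 ~all",
    "nospf.example": "some unrelated TXT value",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, zone):
    """Return the domain's SPF record, or None if it publishes none."""
    rec = zone.get(domain, "")
    return rec if rec.startswith("v=spf1") else None


def check_spf(sender_ip, domain, zone=FAKE_TXT, depth=0):
    """Evaluate sender_ip against the SPF policy of the envelope MAIL FROM domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    A receiving MTA rejects on 'fail' and typically tags or quarantines on 'softfail'."""
    if depth > 10:                      # RFC 7208 caps include/redirect recursion
        return "permerror"
    record = lookup_spf(domain, zone)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qual = "+"                      # mechanisms default to "+" (pass on match)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            inner = check_spf(sender_ip, arg, zone, depth + 1)
            if inner == "pass":         # include matches only on an inner "pass"
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):   # RFC 7208 5.2: bad include is an error
                return "permerror"
        else:
            return "permerror"          # a/mx/ptr/exists/redirect not implemented here
    return "neutral"                    # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.7", "example.com"), ("198.51.100.10", "example.com"),
                    ("198.51.100.11", "example.com"), ("192.0.2.9", "softfail.example")]:
        print(f"{ip:>15} claiming {dom:<18} -> {check_spf(ip, dom)}")
```

The two last lines of output are the interesting ones: 198.51.100.11 is one address away from a legitimate relay but still gets fail because the record ends in -all, while a domain that ends its record with ~all can only ever produce softfail, which most gateways tag rather than reject. SPF is evaluated on the envelope MAIL FROM domain, not on the From: header the user sees, so it complements attachment scanning (7.8) rather than replacing it.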
Critical Security Control #10: Data Recovery Capability

ID  Critical Security Control Detail

10.1 Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. There should be multiple backups over time, so that in the event of malware infection, restoration can be from a version that is believed to predate the original infection. All backup policies should be compliant with any regulatory or official requirements.

10.2 Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

10.3 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

10.4 Ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls. This will mitigate the risk of attacks like CryptoLocker which seek to encrypt or damage data on all addressable data shares, including backup destinations.

| ID | Policy Defined | Control Implemented | Control Reported to Business |
|---|---|---|---|
| 10.1 | Deployed Written Policy | Implemented on All Systems | Reported on Most Systems |
| 10.2 | Informal Procedure | Parts of the Policy Implemented | Reported on Critical Systems |
| 10.3 | Partial Written Policy | Parts of the Policy Implemented | Reported on Critical Systems |
| 10.4 | Deployed Written Policy | Implemented on Some Systems | Reported on Critical Systems |

Amount of Sub Controls for "Policy Defined": No Policy 0, Informal Procedure 1, Partial Written Policy 1, Deployed Written Policy 2
Amount of Sub Controls for "Control Implemented": Not Implemented 0, Parts of the Policy Implemented 2, Implemented on Some Systems 1, Implemented on All Systems 1
Amount of Sub Controls for "Control Reported to Business": Not Reported 0, Reported on Critical Systems 3, Reported on Most Systems 1, Reported on All Systems 0

Justification

10.1 The backup of the company's files is done daily; the company maintains 2 backups, one for Oracle and one for the data center. 15 GB LTO tapes are used to back up the compressed data.

10.2 Faber Peru does not test its backup copies. These tests are carried out by the parent company in Germany, which sends reports about them.

10.3 The LTO tapes are sent to a company (Iron Mountain) dedicated to keeping them in proper locations protected against accidents (fire, theft, etc.).

10.4 The company's policy is to keep a backup of all data from the last week on the file server; the backup is then written to the LTO tapes.
Critical Security Control #15: Wireless Access Control

ID  Critical Security Control Detail

15.1 Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile.

15.2 Configure network vulnerability scanning tools to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.

15.3 Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises. In addition to WIDS, all wireless traffic should be monitored by WIDS as traffic passes into the wired network.

15.4 Where a specific business need for wireless access has been identified, configure wireless access on client machines to allow access only to authorized wireless networks. For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration (basic input/output system or extensible firmware interface).

15.5 Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection.

15.6 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which provide credential protection and mutual authentication.

15.7 Disable peer-to-peer wireless network capabilities on wireless clients.

15.8 Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need.

15.9 Create separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices. Internet access from this VLAN should go through at least the same border as corporate traffic. Enterprise access from this VLAN should be treated as untrusted and filtered and audited accordingly.

| ID | Policy Defined | Control Implemented | Control Reported to Business |
|---|---|---|---|
| 15.1 | Deployed Written Policy | Implemented on All Systems | Reported on Most Systems |
| 15.2 | Deployed Written Policy | Implemented on All Systems | Reported on All Systems |
| 15.3 | Partial Written Policy | Parts of the Policy Implemented | Reported on Critical Systems |
| 15.4 | Partial Written Policy | Implemented on Some Systems | Reported on Most Systems |
| 15.5 | Informal Procedure | Parts of the Policy Implemented | Not Reported |
| 15.6 | Deployed Written Policy | Implemented on All Systems | Reported on Most Systems |
| 15.7 | Deployed Written Policy | Implemented on All Systems | Reported on Most Systems |
| 15.8 | Deployed Written Policy | Implemented on All Systems | Reported on All Systems |
| 15.9 | Deployed Written Policy | Implemented on All Systems | Reported on All Systems |

Amount of Sub Controls for "Policy Defined": No Policy 0, Informal Procedure 1, Partial Written Policy 2, Deployed Written Policy 6
Amount of Sub Controls for "Control Implemented": Not Implemented 0, Parts of the Policy Implemented 2, Implemented on Some Systems 1, Implemented on All Systems 6
Amount of Sub Controls for "Control Reported to Business": Not Reported 1, Reported on Critical Systems 1, Reported on Most Systems 4, Reported on All Systems 3

Justification

Faber runs several WiFi networks: one for scanning equipment (warehouses), one for devices joined to the company domain, and one for equipment that does not belong to the company. For all of these networks, permission is requested before a connection is granted; for equipment that does not belong to the company, a user and password are created for a set time.

The access points the company works with are Cisco; they are properly configured and identified, and alerts for any suspicious traces are sent to the IT departments in Peru and Germany. So far no threats have been detected.
