| ID | Name | Implementation Group IG1 | Implementation Group IG2 | Implementation Group IG3 | Threats |
|---|---|---|---|---|---|
| 12.7 | Deploy Network-Based Intrusion Prevention Systems | | | | STRIDE-LM |
| 12.8 | Deploy NetFlow Collection on Networking Boundary Devices | | | | STRIDE-LM |
| 12.9 | Deploy Application Layer Filtering Proxy Server | | | | STRIDE-LM |
| 12.10 | Decrypt Network Traffic at Proxy | | | | STRIDE-LM |
| 12.11 | Require All Remote Login to Use Multi-Factor Authentication | | | | STRIDE-LM |
| 12.12 | Manage All Devices Remotely Logging into Internal Network | | | | STRIDE-LM |
| 13 | Data Protection | | | | STRIDE-LM |
| 13.1 | Maintain an Inventory of Sensitive Information | | | | STRIDE-LM |
| 13.2 | Remove Sensitive Data or Systems Not Regularly Accessed by Organization | | | | STRIDE-LM |
| 13.3 | Monitor and Block Unauthorized Network Traffic | | | | STRIDE-LM |
| 13.4 | Only Allow Access to Authorized Cloud Storage or Email Providers | | | | STRIDE-LM |
| 13.5 | Monitor and Detect Any Unauthorized Use of Encryption | | | | STRIDE-LM |
| 13.6 | Encrypt Mobile Device Data | | | | STRIDE-LM |
| 13.7 | Manage USB Devices | | | | STRIDE-LM |
| 13.8 | Manage System's External Removable Media's Read/Write Configurations | | | | STRIDE-LM |
| 13.9 | Encrypt Data on USB Storage Devices | | | | STRIDE-LM |
| 14 | Controlled Access Based on the Need to Know | | | | STRIDE-LM |
| 14.1 | Segment the Network Based on Sensitivity | | | | STRIDE-LM |
| 14.2 | Enable Firewall Filtering Between VLANs | | | | STRIDE-LM |
| 14.3 | Disable Workstation to Workstation Communication | | | | STRIDE-LM |
| 14.4 | Encrypt All Sensitive Information in Transit | | | | STRIDE-LM |
| 14.5 | Utilize an Active Discovery Tool to Identify Sensitive Data | | | | STRIDE-LM |
| 14.6 | Protect Information Through Access Control Lists | | | | STRIDE-LM |
| 14.7 | Enforce Access Control to Data Through Automated Tools | | | | STRIDE-LM |
| 14.8 | Encrypt Sensitive Information at Rest | | | | STRIDE-LM |
| 14.9 | Enforce Detail Logging for Access or Changes to Sensitive Data | | | | STRIDE-LM |
| 15 | Wireless Access Control | | | | STRIDE-LM |
| 15.1 | Maintain an Inventory of Authorized Wireless Access Points | | | | STRIDE-LM |
| 15.2 | Detect Wireless Access Points Connected to the Wired Network | | | | STRIDE-LM |
| 15.3 | Use a Wireless Intrusion Detection System | | | | STRIDE-LM |
| 15.4 | Disable Wireless Access on Devices if Not Required | | | | STRIDE-LM |
| 15.5 | Limit Wireless Access on Client Devices | | | | STRIDE-LM |
| 15.6 | Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients | | | | STRIDE-LM |
| 15.7 | Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data | | | | STRIDE-LM |
| 15.8 | Use Wireless Authentication Protocols That Require Mutual, Multi-Factor Authentication | | | | STRIDE-LM |
| 15.9 | Disable Wireless Peripheral Access of Devices | | | | STRIDE-LM |
| 15.10 | Create Separate Wireless Network for Personal and Untrusted Devices | | | | STRIDE-LM |
| 16 | Account Monitoring and Control | | | | STRIDE-LM |
| 16.1 | Maintain an Inventory of Authentication Systems | | | | STRIDE-LM |
| 16.2 | Configure Centralized Point of Authentication | | | | STRIDE-LM |
| 16.3 | Require Multi-Factor Authentication | | | | STRIDE-LM |
| 16.4 | Encrypt or Hash all Authentication Credentials | | | | STRIDE-LM |
| 16.5 | Encrypt Transmittal of Username and Authentication Credentials | | | | STRIDE-LM |
| 16.6 | Maintain an Inventory of Accounts | | | | STRIDE-LM |
| 16.7 | Establish Process for Revoking Access | | | | STRIDE-LM |
| 16.8 | Disable Any Unassociated Accounts | | | | STRIDE-LM |
| 16.9 | Disable Dormant Accounts | | | | STRIDE-LM |
| 16.10 | Ensure All Accounts Have An Expiration Date | | | | STRIDE-LM |
| 16.11 | Lock Workstation Sessions After Inactivity | | | | STRIDE-LM |
| 16.12 | Monitor Attempts to Access Deactivated Accounts | | | | STRIDE-LM |