Implementation Group: IG2

| ID | Name | Implementation Groups | Threats |
|---|---|---|---|
| 1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | | STRIDE-LM |
| 1.2 | Address Unauthorized Assets | | STRIDE-LM |
| 1.3 | Utilize an Active Discovery Tool | | STRIDE-LM |
| 1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | | STRIDE-LM |
| 2.1 | Establish and Maintain a Software Inventory | | STRIDE-LM |
| 2.2 | Ensure Authorized Software is Currently Supported | | STRIDE-LM |
| 2.3 | Address Unauthorized Software | | STRIDE-LM |
| 2.4 | Utilize Automated Software Inventory Tools | | STRIDE-LM |
| 2.5 | Allowlist Authorized Software | | STRIDE-LM |
| 2.6 | Allowlist Authorized Libraries | | STRIDE-LM |
| 3.1 | Establish and Maintain a Data Management Process | | STRIDE-LM |
| 3.2 | Establish and Maintain a Data Inventory | | STRIDE-LM |
| 3.3 | Configure Data Access Control Lists | | STRIDE-LM |
| 3.4 | Enforce Data Retention | | STRIDE-LM |
| 3.5 | Securely Dispose of Data | | STRIDE-LM |
| 3.6 | Encrypt Data on End-User Devices | | STRIDE-LM |
| 3.7 | Establish and Maintain a Data Classification Scheme | | STRIDE-LM |
| 3.8 | Document Data Flows | | STRIDE-LM |
| 3.9 | Encrypt Data on Removable Media | | STRIDE-LM |
| 3.10 | Encrypt Sensitive Data in Transit | | STRIDE-LM |
| 3.11 | Encrypt Sensitive Data at Rest | | STRIDE-LM |
| 3.12 | Segment Data Processing and Storage Based on Sensitivity | | STRIDE-LM |
| 4.1 | Establish and Maintain a Secure Configuration Process | | STRIDE-LM |
| 4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | | STRIDE-LM |
| 4.3 | Configure Automatic Session Locking on Enterprise Assets | | STRIDE-LM |
| 4.4 | Implement and Manage a Firewall on Servers | | STRIDE-LM |
| 4.5 | Implement and Manage a Firewall on End-User Devices | | STRIDE-LM |
| 4.6 | Securely Manage Enterprise Assets and Software | | STRIDE-LM |
| 4.7 | Manage Default Accounts on Enterprise Assets and Software | | STRIDE-LM |
| 4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | | STRIDE-LM |
| 4.9 | Configure Trusted DNS Servers on Enterprise Assets | | STRIDE-LM |
| 4.10 | Enforce Automatic Device Lockout on Portable End-User Devices | | STRIDE-LM |
| 4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | | STRIDE-LM |
| 5.1 | Establish and Maintain an Inventory of Accounts | | STRIDE-LM |
| 5.2 | Use Unique Passwords | | STRIDE-LM |
| 5.3 | Disable Dormant Accounts | | STRIDE-LM |
| 5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | | STRIDE-LM |
| 5.5 | Establish and Maintain an Inventory of Service Accounts | | STRIDE-LM |
| 5.6 | Centralize Account Management | | STRIDE-LM |
| 6.1 | Establish an Access Granting Process | | STRIDE-LM |
| 6.2 | Establish an Access Revoking Process | | STRIDE-LM |
| 6.3 | Require MFA for Externally-Exposed Applications | | STRIDE-LM |
| 6.4 | Require MFA for Remote Network Access | | STRIDE-LM |
| 6.5 | Require MFA for Administrative Access | | STRIDE-LM |
| 6.6 | Establish and Maintain an Inventory of Authentication and Authorization Systems | | STRIDE-LM |
| 6.7 | Centralize Access Control | | STRIDE-LM |
| 7.1 | Establish and Maintain a Vulnerability Management Process | | STRIDE-LM |
| 7.2 | Establish and Maintain a Remediation Process | | STRIDE-LM |
| 7.3 | Perform Automated Operating System Patch Management | | STRIDE-LM |
| 7.4 | Perform Automated Application Patch Management | | STRIDE-LM |