A practical CIS Controls compliance matrix for Orange County, CA businesses. Maps the CIS Controls v8 Implementation Groups (IG1, IG2, IG3) to cybersecurity safeguards so local organizations can prioritize remediation.
The CIS Controls (Critical Security Controls, version 8) give Orange County businesses a prioritized, plain-language way to reduce cyber risk without first committing to a heavier framework like NIST 800-53 or ISO 27001. The Center for Internet Security organizes the 18 controls into three Implementation Groups, IG1, IG2, and IG3, that scale with an organization's size, data sensitivity, and in-house security resources. This matrix maps the most frequently audited safeguards to each Implementation Group so businesses in Irvine, Anaheim, Santa Ana, and across Orange County can see exactly which controls apply to them and where their current posture falls short. For most local small and mid-market organizations, IG1 represents basic cyber hygiene that should already be in place, IG2 reflects the maturity expected of firms handling regulated or client data, and IG3 applies to organizations facing targeted threats. BRITECITY uses this same mapping when assessing managed security clients across the county.
| Requirement | Category | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| **Inventory of Enterprise Assets**: Maintain an accurate, continuously updated inventory of all hardware connected to the network, including end-user devices, servers, mobile devices, and IoT. You cannot protect assets you do not know exist, which is why this control sits first. | CIS Control 1: Inventory and Control of Enterprise Assets | Required | Required | Required |
| **Active Discovery and Unauthorized Asset Handling**: Use active discovery tooling to detect new devices on the network and define a process to remove, quarantine, or authorize unmanaged assets. IG1 allows manual inventory; higher groups expect automated detection. | CIS Control 1: Inventory and Control of Enterprise Assets | Conditional | Required | Required |
| **Inventory of Software Assets**: Track all software installed across the environment, including version and publisher, so unsupported or unauthorized applications can be identified and removed before they become an attack path. | CIS Control 2: Inventory and Control of Software Assets | Required | Required | Required |
| **Application Allowlisting**: Enforce allowlisting so only approved software, libraries, and scripts can execute. This is an effective control against ransomware and commodity malware but requires mature operational discipline. | CIS Control 2: Inventory and Control of Software Assets | N/A | Conditional | Required |
| **Data Inventory and Classification**: Identify where sensitive data lives, classify it by sensitivity, and document handling requirements. California businesses subject to the CCPA and CPRA rely on this control to honor consumer access and deletion requests. | CIS Control 3: Data Protection | Required | Required | Required |
| **Data Encryption at Rest and in Transit**: Encrypt sensitive data on end-user devices, servers, and removable media, and require TLS 1.2 or higher for data in transit. Encryption is the baseline expectation for demonstrating reasonable security under California law. | CIS Control 3: Data Protection | Required | Required | Required |
| **Data Loss Prevention**: Deploy tooling to detect and block unauthorized exfiltration of sensitive data through email, web, and removable media. Expected of organizations handling regulated or high-volume consumer data. | CIS Control 3: Data Protection | N/A | Conditional | Required |
| **Secure Configuration Baselines**: Establish and maintain hardened configuration baselines for operating systems, applications, and network devices, replacing default credentials and disabling unnecessary services and ports. | CIS Control 4: Secure Configuration of Enterprise Assets and Software | Required | Required | Required |
| **Automated Configuration Monitoring**: Continuously monitor for configuration drift and automatically remediate deviations from approved baselines across the fleet. | CIS Control 4: Secure Configuration of Enterprise Assets and Software | N/A | Required | Required |
| **Account Inventory and Lifecycle Management**: Maintain an inventory of all user, administrator, and service accounts, and disable or remove accounts promptly when staff leave or change roles. Stale accounts are a common entry point in Orange County breach investigations. | CIS Control 5: Account Management | Required | Required | Required |
| **Multi-Factor Authentication**: Require MFA for all externally exposed applications, remote access, and administrative accounts. MFA is one of the most effective controls for blocking credential-based attacks and is expected at every Implementation Group. | CIS Control 6: Access Control Management | Required | Required | Required |
| **Role-Based and Least-Privilege Access**: Grant access strictly by job function and review privileged access on a defined cadence. Centralized identity and access management is expected as organizations mature. | CIS Control 6: Access Control Management | Conditional | Required | Required |
| **Continuous Vulnerability Management**: Run authenticated vulnerability scans on a defined schedule and remediate findings within risk-based SLAs. Automated patch management for operating systems and applications is the baseline expectation. | CIS Control 7: Continuous Vulnerability Management | Required | Required | Required |
| **Audit Log Collection and Retention**: Collect, centralize, and retain audit logs from endpoints, servers, and network devices. Centralized log aggregation and retention windows scale with the Implementation Group and any overlapping regulatory mandate. | CIS Control 8: Audit Log Management | Required | Required | Required |
| **Email and Web Browser Protections**: Filter malicious email and web content, enforce DNS-layer protection, and use supported browsers and email clients with unnecessary extensions disabled. Phishing remains a common initial access vector for businesses of this size. | CIS Control 9: Email and Web Browser Protections | Required | Required | Required |
| **Endpoint Malware Defenses**: Deploy centrally managed anti-malware with behavioral detection on all endpoints and servers. Endpoint detection and response (EDR) with managed threat hunting is expected for IG2 and IG3 organizations. | CIS Control 10: Malware Defenses | Required | Required | Required |
| **Automated Backups and Recovery Testing**: Maintain automated, isolated backups of critical data and systems, and test restoration on a defined schedule. At least one backup copy should be offline or immutable to survive a ransomware event. | CIS Control 11: Data Recovery | Required | Required | Required |
| **Network Infrastructure Management and Segmentation**: Keep network devices on supported, hardened configurations and segment the network to isolate sensitive systems. Segmentation limits lateral movement and reduces audit scope for businesses with regulated data. | CIS Control 12: Network Infrastructure Management | Conditional | Required | Required |
| **Network Monitoring and Defense**: Centralize security event monitoring and deploy detection across network traffic and endpoints, typically through a SIEM or a managed detection and response service. This is where IG2 and IG3 expectations diverge sharply from IG1. | CIS Control 13: Network Monitoring and Defense | N/A | Required | Required |
| **Security Awareness Training**: Deliver role-appropriate security awareness training at hire and at least annually, including simulated phishing. Human-layer defense is required at every Implementation Group. | CIS Control 14: Security Awareness and Skills Training | Required | Required | Required |
| **Service Provider and Vendor Risk Management**: Inventory third-party service providers with access to your data or systems, classify them by risk, and hold them to documented security requirements. Critical for Orange County firms that outsource IT, payroll, or hosting. | CIS Control 15: Service Provider Management | Conditional | Required | Required |
| **Application Software Security**: For organizations that develop or heavily customize software, manage the security of the development lifecycle, including code review, dependency management, and vulnerability remediation. | CIS Control 16: Application Software Security | N/A | Conditional | Required |
| **Incident Response Management**: Maintain a documented incident response plan with defined roles, contact paths, and reporting obligations, and test it on a regular cadence. California breach notification timelines make a tested plan a practical necessity. | CIS Control 17: Incident Response Management | Required | Required | Required |
| **Penetration Testing**: Conduct periodic external and internal penetration tests to validate that controls work against a realistic attacker, then remediate findings. Reserved for organizations with the maturity to act on the results. | CIS Control 18: Penetration Testing | N/A | Conditional | Required |
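The matrix above is meant to drive prioritization, so the following added example (written for this page, not BRITECITY's assessment tooling) turns it into a small gap-analysis script: the 24 rows are transcribed as data, `remediation_plan` lists the safeguards that apply at a chosen Implementation Group but are not yet in place, and `coverage` reports how many of that group's Required safeguards are done. Two assumptions are this example's own: Required gaps are ranked ahead of Conditional ones (each ordered by CIS Control number, the matrix's own sequence), and the self-assessment is a set of safeguard names exactly as they appear in the table, which the script validates so a typo cannot silently hide a gap.

```python
"""Gap analysis against the CIS Controls v8 Implementation Group matrix above.

Added example (not BRITECITY's assessment tooling): the matrix rows are
transcribed from this page; the priority order and the coverage metric are
this example's own assumptions.
"""
from dataclasses import dataclass

# Applicability values used in the matrix on this page.
REQUIRED, CONDITIONAL, NA = "Required", "Conditional", "N/A"


@dataclass(frozen=True)
class Safeguard:
    control: int   # CIS Control number (1-18)
    name: str      # requirement name as it appears in the matrix
    ig: tuple      # applicability at (IG1, IG2, IG3)


# Transcribed from the matrix above: (control, name, (IG1, IG2, IG3)).
MATRIX = [
    Safeguard(1, "Inventory of Enterprise Assets", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(1, "Active Discovery and Unauthorized Asset Handling", (CONDITIONAL, REQUIRED, REQUIRED)),
    Safeguard(2, "Inventory of Software Assets", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(2, "Application Allowlisting", (NA, CONDITIONAL, REQUIRED)),
    Safeguard(3, "Data Inventory and Classification", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(3, "Data Encryption at Rest and in Transit", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(3, "Data Loss Prevention", (NA, CONDITIONAL, REQUIRED)),
    Safeguard(4, "Secure Configuration Baselines", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(4, "Automated Configuration Monitoring", (NA, REQUIRED, REQUIRED)),
    Safeguard(5, "Account Inventory and Lifecycle Management", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(6, "Multi-Factor Authentication", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(6, "Role-Based and Least-Privilege Access", (CONDITIONAL, REQUIRED, REQUIRED)),
    Safeguard(7, "Continuous Vulnerability Management", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(8, "Audit Log Collection and Retention", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(9, "Email and Web Browser Protections", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(10, "Endpoint Malware Defenses", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(11, "Automated Backups and Recovery Testing", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(12, "Network Infrastructure Management and Segmentation", (CONDITIONAL, REQUIRED, REQUIRED)),
    Safeguard(13, "Network Monitoring and Defense", (NA, REQUIRED, REQUIRED)),
    Safeguard(14, "Security Awareness Training", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(15, "Service Provider and Vendor Risk Management", (CONDITIONAL, REQUIRED, REQUIRED)),
    Safeguard(16, "Application Software Security", (NA, CONDITIONAL, REQUIRED)),
    Safeguard(17, "Incident Response Management", (REQUIRED, REQUIRED, REQUIRED)),
    Safeguard(18, "Penetration Testing", (NA, CONDITIONAL, REQUIRED)),
]

KNOWN_NAMES = {s.name for s in MATRIX}


def applicability(safeguard, target_ig):
    """Applicability of a safeguard at Implementation Group 1, 2 or 3."""
    if target_ig not in (1, 2, 3):
        raise ValueError(f"Implementation Group must be 1, 2 or 3, got {target_ig!r}")
    return safeguard.ig[target_ig - 1]


def _check_names(implemented):
    # A misspelled safeguard name would otherwise be treated as "not done" or,
    # worse, never be counted at all; fail loudly instead.
    unknown = set(implemented) - KNOWN_NAMES
    if unknown:
        raise ValueError(f"not in the matrix: {sorted(unknown)}")


def remediation_plan(target_ig, implemented):
    """Safeguards that apply at target_ig but are not yet implemented.

    Assumption: Required gaps are listed before Conditional gaps, and each
    group is ordered by CIS Control number (the matrix's own sequence).
    Returns a list of (control, name, applicability) tuples.
    """
    _check_names(implemented)
    rank = {REQUIRED: 0, CONDITIONAL: 1}
    gaps = []
    for s in MATRIX:
        level = applicability(s, target_ig)
        if level == NA or s.name in implemented:
            continue
        gaps.append((rank[level], s.control, s.name, level))
    gaps.sort()
    return [(control, name, level) for _, control, name, level in gaps]


def coverage(target_ig, implemented):
    """(implemented, total) count of Required safeguards at target_ig."""
    _check_names(implemented)
    required = [s for s in MATRIX if applicability(s, target_ig) == REQUIRED]
    done = sum(1 for s in required if s.name in implemented)
    return done, len(required)


if __name__ == "__main__":
    # Constructed self-assessment for a small firm targeting IG1.
    have = {"Multi-Factor Authentication", "Endpoint Malware Defenses",
            "Automated Backups and Recovery Testing"}
    done, total = coverage(1, have)
    print(f"IG1 Required coverage: {done}/{total}")
    for control, name, level in remediation_plan(1, have):
        print(f"  CIS {control:>2}  {level:<11}  {name}")
```

Run it as-is to see the constructed IG1 assessment; swap `have` for your own list of completed safeguards and change the target group to 2 or 3 as the organization's data sensitivity grows. Because Conditional rows surface at the end of the plan rather than being dropped, the output doubles as the list of decisions (manual versus automated discovery, for instance) that an IG1 organization still has to make and document.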
BRITECITY assesses your environment against CIS Controls v8 and builds a prioritized remediation plan.