ISM Control to Tenable Filters Mapping
Application Control:
The following mapping table lists the go-to filters an organisation can use to verify conformity with the ISM controls mapped to this Essential Eight strategy. The filters most used for ISM controls mapped to the Application Control strategy are the Plugin Name filter and the Audit Name filter (Plugin Name in Tenable Security Center). The Plugin Name filter complements any application control solution by detecting whether a blocklisted application is present on an asset. The Audit Name filter (Plugin Name in Security Center) lets an organisation target specific audit checks run during a host audit scan; depending on the audit file used, these checks report on configuration settings. For example, if an organisation uses MSCT audit files, which are pertinent to controls such as ISM-1544 and ISM-0843, it can look for the audit results of checks like "Configure detection for potentially unwanted applications." To refine these filters, use Asset Tagging in Tenable Vulnerability Management or Dynamic Asset Lists in Tenable Security Center. Tags and lists allow an organisation to separate findings and detected assets by categories such as internet-facing and non-internet-facing. Refer to Tagging and Dynamic Asset Lists for tips on both.
Control ID | Description | Tenable VM Filter |
---|---|---|
ISM-0843 | Application control is implemented on workstations. | Plugin Name, Audit Name |
ISM-1490 | Application control is implemented on internet-facing servers. | (Plugin Name OR Audit Name) + Asset Tagging |
ISM-1544 | Microsoft’s recommended application blocklist is implemented. | Audit Name |
ISM-1582 | Application control rulesets are validated on an annual or more frequent basis. | (Plugin Name, Audit Name) + Last Seen |
ISM-1656 | Application control is implemented on non-internet-facing servers. | (Plugin Name) + Asset Tagging |
ISM-1657 | Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set. | Audit Name |
ISM-1658 | Application control restricts the execution of drivers to an organisation-approved set. | Audit Name |
ISM-1659 | Microsoft’s vulnerable driver blocklist is implemented. | Plugin Name, Audit Name |
Patch Applications:
The following mapping table lists the go-to filters an organisation can use to verify conformity with the ISM controls mapped to this Essential Eight strategy. The filters most used for ISM controls mapped to the Patch Applications strategy are the Plugin Name filter, the Vulnerability Published filter, the Patch Published filter, the Exploitability Ease filter, the Unsupported by Vendor filter, and the Last Authenticated Scan asset filter. The Plugin Name filter helps the organisation look for any detected unsupported applications present on an asset. The Unsupported by Vendor filter quickly identifies applications the vendor no longer supports, which supports Patch Applications controls such as ISM-0304, ISM-1905 and ISM-1704. Many of the ISM controls mapped to this strategy include a timeframe within which the requirement must be met (for example, ISM-1691 states that patches for office productivity suite vulnerabilities must be applied within two weeks). To track these timeframes, Tenable Vulnerability Management and Security Center support searching with the Patch Published filter; if the vendor has not yet released a patch, use the Vulnerability Published filter instead. The Exploitability Ease filter helps the organisation determine whether a vulnerability is exploitable, which is an explicit criterion in controls such as ISM-1690, ISM-1692 and ISM-1876. Lastly, the Last Authenticated Scan asset filter satisfies the controls that set a vulnerability scan frequency and require asset detection, namely ISM-1807 and ISM-1808. Keeping the plugin set up to date is crucial to ensure the latest vulnerabilities are detected, enabling timely and accurate risk identification and remediation.
Control ID | Description | Tenable VM Filter |
---|---|---|
ISM-0304 | Applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. | (Unsupported by Vendor, Plugin Name) |
ISM-1690 | Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. | Vulnerability Published, Patch Published, Exploitability Ease |
ISM-1691 | Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release. | Vulnerability Published, Patch Published, Plugin Name |
ISM-1692 | Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | Vulnerability Published, Patch Published, Plugin Name, Exploitability Ease |
ISM-1693 | Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release. | Vulnerability Published, Patch Published, Plugin Name, Exploitability Ease |
ISM-1698 | A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services. | Vulnerability Published, Patch Published, Last Seen, Online Services Tag or Asset List |
ISM-1699 | A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products. | Vulnerability Published, Patch Published, Plugin Name |
ISM-1700 | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security | Vulnerability Published, Patch Published, Plugin Name |
ISM-1704 | Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. | Plugin Name, Unsupported by Vendor |
ISM-1807 | An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities. | Last Authenticated Scan (Asset) |
ISM-1808 | A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. | Last Authenticated Scan (Asset) |
ISM-1876 | Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | Vulnerability Published, Patch Published, Plugin Name, Online Services Tag or Asset List |
ISM-1901 | Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. | Vulnerability Published, Patch Published, Plugin Name, Exploitability Ease |
ISM-1905 | Online services that are no longer supported by vendors are removed. | Plugin Name, Unsupported by Vendor, Online Services Tag or Asset List |
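As an added example (not Tenable's own code or export schema), the following Python script applies the timeframes from the table above to a constructed set of findings: 48 hours where the vendor rates the vulnerability critical or a working exploit exists, two weeks otherwise, one month for applications outside the priority list, plus the fortnightly Last Authenticated Scan check behind ISM-1807. Field names such as `patch_published` and `exploit_available` are assumptions standing in for the Patch Published, Vulnerability Published and Exploitability Ease filters.

```python
from datetime import datetime, timedelta, timezone

# Product classes named in the mapping table; the string values are assumptions.
OFFICE = "office_browser_email_pdf_security"   # ISM-1691/1692/1901 scope
ONLINE = "online_service"                       # ISM-1690/1876 scope
OTHER = "other_application"                     # ISM-1693 scope

def patch_deadline(finding):
    """ISM timeframe: 48 hours when vendor-critical or a working exploit exists, two weeks
    otherwise; one month (taken as 30 days, an assumption) for other applications."""
    urgent = finding["vendor_critical"] or finding["exploit_available"]
    if finding["product_class"] in (OFFICE, ONLINE):
        return timedelta(hours=48) if urgent else timedelta(weeks=2)
    return timedelta(days=30)

def overdue_findings(findings, now):
    """Plugin names whose Patch Published date (or, where the vendor has released no
    patch, the Vulnerability Published date) is older than the ISM timeframe allows."""
    overdue = []
    for f in findings:
        published = f["patch_published"] or f["vuln_published"]
        if now - published > patch_deadline(f):
            overdue.append(f["plugin_name"])
    return overdue

def stale_assets(assets, now, max_age=timedelta(days=14)):
    """Assets whose Last Authenticated Scan is older than the fortnightly cadence of ISM-1807."""
    return [a["hostname"] for a in assets if now - a["last_authenticated_scan"] > max_age]
def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)
NOW = _d(2024, 6, 15)
# Constructed sample export; plugin names are placeholders, not real Tenable plugins.
SAMPLE_FINDINGS = [
    {"plugin_name": "EXAMPLE-browser-update", "product_class": OFFICE, "vendor_critical": False,
     "exploit_available": True, "patch_published": _d(2024, 6, 12), "vuln_published": _d(2024, 6, 11)},
    {"plugin_name": "EXAMPLE-pdf-reader-update", "product_class": OFFICE, "vendor_critical": False,
     "exploit_available": False, "patch_published": _d(2024, 6, 5), "vuln_published": _d(2024, 6, 4)},
    {"plugin_name": "EXAMPLE-web-portal-flaw", "product_class": ONLINE, "vendor_critical": False,
     "exploit_available": False, "patch_published": None, "vuln_published": _d(2024, 5, 20)},
    {"plugin_name": "EXAMPLE-media-player-update", "product_class": OTHER, "vendor_critical": True,
     "exploit_available": False, "patch_published": _d(2024, 5, 1), "vuln_published": _d(2024, 4, 30)},
]
SAMPLE_ASSETS = [
    {"hostname": "host-a", "last_authenticated_scan": _d(2024, 6, 10)},
    {"hostname": "host-b", "last_authenticated_scan": _d(2024, 5, 25)},
]
if __name__ == "__main__":
    print("Overdue (ISM timeframe exceeded):", overdue_findings(SAMPLE_FINDINGS, NOW))
    print("Assets past fortnightly scan cadence (ISM-1807):", stale_assets(SAMPLE_ASSETS, NOW))
```

The same logic can be run over a real export by mapping its columns onto these field names; the 30-day reading of "one month" should be confirmed against the organisation's own policy.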
Configure Microsoft Office Macro Settings:
The following mapping table lists the go-to filters an organisation can use to verify conformity with the ISM controls mapped to this Essential Eight strategy. For the Configure Microsoft Office Macro Settings strategy, the most useful filter is the Audit Name filter in Tenable Vulnerability Management, or the Plugin Name filter in Tenable Security Center. These filters suit this strategy because many MSCT audit files that can be run during a Policy Compliance Scan include audit names related to Microsoft Office macro configuration. Some related Audit Names include: "Block macros from running in Office files from the Internet - blockcontentexecutionfrominternet - access", "Security setting for macros", "Prevent Excel from running XLM macros", and many more.
Control ID | Description | Tenable VM Filter |
---|---|---|
ISM-1488 | Microsoft Office macros in files originating from the internet are blocked. | Audit Name |
ISM-1489 | Microsoft Office macro security settings cannot be changed by users. | Audit Name |
ISM-1671 | Microsoft Office macros are disabled for users that do not have a demonstrated business requirement. | Audit Name |
ISM-1672 | Microsoft Office macro antivirus scanning is enabled. | Audit Name |
ISM-1673 | Microsoft Office macros are blocked from making Win32 API calls. | Audit Name |
ISM-1674 | Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute. | Audit Name |
ISM-1675 | Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View. | Audit Name |
ISM-1676 | Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis. | Audit Name |
ISM-1890 | Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations. | Audit Name |
User Application Hardening:
The following mapping table lists the go-to filters an organisation can use to verify conformity with the ISM controls mapped to this Essential Eight strategy. The filters most used for ISM controls mapped to the User Application Hardening strategy are the Plugin Name filter and the Audit Name filter in Tenable Vulnerability Management, and the Plugin Name filter alone in Tenable Security Center. With these filters an organisation can establish its level of compliance with the User Application Hardening strategy. The Plugin Name filter supports the implementation of application blocklists by detecting whether any application on the list is present. Host audit scanning with any of the many supported audit files then provides more detail on specific configuration settings.
Control ID | Description | Tenable VM Filter |
---|---|---|
ISM-1486 | Web browsers do not process Java from the internet. | Plugin Name, Audit Name |
ISM-1542 | Microsoft Office is configured to prevent activation of Object Linking and Embedding packages. | Audit Name |
ISM-1585 | Web browser security settings cannot be changed by users. | Audit Name |
ISM-1621 | Windows PowerShell 2.0 is disabled or removed. | Plugin Name, Host Audit Name |
ISM-1654 | Internet Explorer 11 is disabled or removed. | Plugin Name, Host Audit Name |
ISM-1655 | .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed. | Plugin Name, Host Audit Name |