Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Devices | Protect | 2, 3 |
- Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
- Safeguard 4.1: Establish and Maintain a Secure Configuration Process
- GV1: Enterprise asset inventory
- GV3: Configuration standards
- For each asset in GV1, use configuration standards GV3 to determine if it is properly configured to enable anti-exploitation features
  - Identify and enumerate assets properly configured to enable anti-exploitation features (M2)
  - Identify and enumerate assets not properly configured to enable anti-exploitation features (M3)
- M1 = Count of GV1
- M2 = Count of assets properly configured to enable anti-exploitation features
- M3 = Count of assets not properly configured to enable anti-exploitation features
Metric | The percentage of assets properly configured to enable anti-exploitation features. |
Calculation | M2 / M1 |
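
The measurement above can be scripted once per-asset settings have been collected. The following is an added example, not part of the original specification: the record layout, the feature keys (`dep`, `wdeg`, `sip`, `gatekeeper`) and the sample assets are constructed, and counting an asset with missing data or no applicable standard under M3 is an assumption made so that M2 + M3 = M1.

```python
# Added example: record shapes, feature keys and sample assets are constructed.

# GV3 (assumed shape): required anti-exploitation settings per platform.
GV3 = {
    "windows": {"dep": "enabled", "wdeg": "enabled"},
    "macos": {"sip": "enabled", "gatekeeper": "enabled"},
}

# GV1 (constructed): inventory entries with the settings observed on each asset.
GV1 = [
    {"id": "ws-001", "os": "windows", "observed": {"dep": "enabled", "wdeg": "enabled"}},
    {"id": "ws-002", "os": "windows", "observed": {"dep": "enabled", "wdeg": "disabled"}},
    {"id": "mb-001", "os": "macos", "observed": {"sip": "enabled", "gatekeeper": "enabled"}},
    {"id": "mb-002", "os": "macos", "observed": {"sip": "enabled"}},  # gatekeeper not reported
    {"id": "sw-001", "os": "network-os", "observed": {}},  # no standard for this platform
]


def gaps(asset, standards):
    """Return the reasons an asset fails its standard (empty list = properly configured)."""
    required = standards.get(asset["os"])
    if required is None:
        # Assumption: an asset without an applicable standard cannot be shown compliant.
        return ["no configuration standard for platform " + asset["os"]]
    observed = asset.get("observed", {})
    return [
        f"{key}: expected {value}, found {observed.get(key, 'not reported')}"
        for key, value in required.items()
        if observed.get(key) != value
    ]


def measure(inventory, standards):
    """Compute M1, M2, M3 and the metric M2 / M1 (asset ids assumed unique)."""
    findings = {asset["id"]: gaps(asset, standards) for asset in inventory}
    m2 = [asset_id for asset_id, g in findings.items() if not g]
    m3 = {asset_id: g for asset_id, g in findings.items() if g}
    m1 = len(inventory)
    metric = len(m2) / m1 if m1 else None  # empty inventory: metric undefined
    return {"M1": m1, "M2": m2, "M3": m3, "metric": metric}


if __name__ == "__main__":
    result = measure(GV1, GV3)
    print(f"M1={result['M1']} M2={len(result['M2'])} M3={len(result['M3'])} "
          f"metric={result['metric']:.0%}")
    for asset_id, reasons in result["M3"].items():
        print(asset_id, "->", "; ".join(reasons))
```

The M3 entries keep the reason each asset failed, which gives the enumeration a remediation list rather than only a count.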