CIS Controls v8.1 Skill

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "cis-controls" with this command: npx skills add hack23/homepage/hack23-homepage-cis-controls

Purpose

Implement prioritized CIS Controls for cyber defense across all Hack23 projects, focusing on high-impact security controls organized by Implementation Groups.

Rules

Implementation Group 1 (Essential - All Projects)

Control 1: Inventory of Enterprise Assets

  • MUST maintain asset inventory for all repositories and infrastructure

  • MUST tag all cloud resources with Application, Environment, and Owner

Control 2: Inventory of Software Assets

  • MUST track all dependencies (package.json, pom.xml, requirements.txt)

  • MUST enable Dependabot for automated dependency tracking

  • MUST generate Software Bill of Materials (SBOM) for releases

Control 3: Data Protection

  • MUST classify data per Data Classification Policy

  • MUST encrypt sensitive data at rest (AES-256) and in transit (TLS 1.3)

  • MUST implement data retention and disposal procedures

Control 4: Secure Configuration

  • MUST use secure defaults for all configurations

  • MUST disable unnecessary features and services

  • MUST never expose stack traces or debug information in production

Control 5: Account Management

  • MUST enforce MFA for all privileged accounts

  • MUST disable inactive accounts after 90 days

  • MUST review access permissions quarterly

Control 6: Access Control Management

  • MUST enforce principle of least privilege

  • MUST use role-based access control (RBAC)

  • MUST log all privileged actions

Implementation Group 2 (Enhanced Security)

Control 7: Continuous Vulnerability Management

  • MUST enable automated vulnerability scanning

  • MUST remediate per SLA (Critical: 7d, High: 30d, Medium: 90d, Low: 180d)

Control 8: Audit Log Management

  • MUST enable audit logging for all security-relevant events

  • MUST protect log integrity (immutable storage)

  • MUST retain logs per retention policy

Control 11: Data Recovery

  • MUST maintain tested backup and recovery procedures

  • MUST test recovery annually

Control 16: Application Software Security

  • MUST integrate security scanning in CI/CD (CodeQL, OWASP)

  • MUST perform code review for security-sensitive changes

  • MUST use parameterized queries and encode output

Implementation Group 3 (Advanced)

Control 17: Incident Response Management

  • MUST maintain incident response plan

  • MUST conduct tabletop exercises annually

Control 18: Penetration Testing

  • SHOULD conduct security testing for public-facing applications

Hack23 ISMS Policy References

  • Information Security Policy

  • Asset Register - Control 1

  • Data Classification Policy - Control 3

  • Access Control Policy - Controls 5-6

  • Vulnerability Management - Control 7

  • Secure Development Policy - Control 16

  • Incident Response Plan - Control 17

  • Backup Recovery Policy - Control 11
