CIS Control 9 Explained: Email and Web Browser Protections
CIS Control 9 covers email and web browser protections. Its goal is to improve detection of, and protection against, client-side and server-side threats delivered through web browsing and email, such as social engineering and malicious attachments.
The Importance of Control 9
Web browsers and email clients are common entry points for attackers, because they interact directly with enterprise users. Attackers craft deceptive content to trick users into revealing credentials, sharing sensitive information or granting unauthorized access, which increases the organization's risk. Since email and web platforms are the main avenues through which users connect with external and untrusted sources, they are prime targets for malicious code and social engineering tactics.
Implementation Groups (IGs)
To implement the CIS Controls, follow each listed safeguard, which details the required activities. Safeguards are prioritized using implementation groups (IGs), self-assessed categories that an organization selects based on its relevant cybersecurity attributes. You can think of them as levels of increasing security requirements, from IG1, the most basic, to IG3, the most advanced. Each higher group includes all safeguards of the groups below it.
For example, any IG1 safeguard must also be implemented at the IG2 and IG3 levels.
The Safeguards of Control 9
There are seven safeguards in CIS Control 9. They are listed below, along with their associated NIST CSF security function and the implementation group at which each safeguard first applies.
| Safeguard Number | Safeguard Title | NIST Security Function | Starting Implementation Group |
|---|---|---|---|
| Safeguard 9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | Protect | IG1 |
| Safeguard 9.2 | Use DNS Filtering Services | Protect | IG1 |
| Safeguard 9.3 | Maintain and Enforce Network-Based URL Filters | Protect | IG2 |
| Safeguard 9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | Protect | IG2 |
| Safeguard 9.5 | Implement DMARC | Detect | IG2 |
| Safeguard 9.6 | Block Unnecessary File Types | Detect | IG2 |
| Safeguard 9.7 | Deploy and Maintain Email Server Anti-Malware Protections | Detect | IG3 |