Organization: Foundry Labs, Inc.
Report Date: July 12, 2026
This view maps the automated checks and manual controls tracked in this instance onto the 56 Implementation Group 1 safeguards of CIS Controls v8 — the tier CIS defines as essential cyber hygiene. It is a coverage snapshot for security questionnaires and cyber-insurance applications, not an attestation. Subcategories marked Not covered are outside what this tool tracks (end-user device safeguards especially). IG2 and IG3 safeguards are intentionally excluded, which is also why the encryption checks tracked elsewhere in Controls do not appear here: server-side encryption at rest and in transit are IG2 safeguards. CIS coverage does not affect your compliance score and CIS does not appear in the dashboard framework filter.
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 1.1 | Establish and maintain a detailed enterprise asset inventory | Not yet | Manual: Information asset inventory maintained |
| 1.2 | Address unauthorized assets | Not covered | — |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 2.1 | Establish and maintain a software inventory | Not yet | Manual: Information asset inventory maintained; Manual: Payment-page script inventory + authorization |
| 2.2 | Ensure authorized software is currently supported | Not covered | — |
| 2.3 | Address unauthorized software | Not covered | — |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 3.1 | Establish and maintain a data management process | Not covered | — |
| 3.2 | Establish and maintain a data inventory | Partial | Manual: Cardholder data flow diagram documented; Manual: Quarterly PCI scope confirmation; Manual: FCI scoping documented; Manual: Application and data criticality analysis |
| 3.3 | Configure data access control lists | Partial | Check: Key Vaults use Azure RBAC; Check: Uniform bucket-level access enabled on GCS buckets; Check: S3 public access block enabled; Check: GCS buckets block public access; Check: Azure Storage account public blob access disabled |
| 3.4 | Enforce data retention | Not covered | — |
| 3.5 | Securely dispose of data | Partial | Manual: Device and media controls documented; Manual: Media sanitized before disposal or reuse |
| 3.6 | Encrypt data on end-user devices | Implemented | Manual: Workstation use and security policy |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 4.1 | Establish and maintain a secure configuration process | Not covered | — |
| 4.2 | Establish and maintain a secure configuration process for network infrastructure | Implemented | Check: The default VPC network has been removed |
| 4.3 | Configure automatic session locking on enterprise assets | Implemented | Manual: Workstation use and security policy |
| 4.4 | Implement and manage a firewall on servers | Implemented | Check: No security groups expose SSH/RDP/DB ports to the internet; Check: No firewall rule opens SSH/RDP to the internet; Check: No NSG rule opens SSH/RDP to the internet |
| 4.5 | Implement and manage a firewall on end-user devices | Not covered | — |
| 4.6 | Securely manage enterprise assets and software | Not covered | — |
| 4.7 | Manage default accounts on enterprise assets and software | Implemented | Check: RDS instances use non-default master username |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 5.1 | Establish and maintain an inventory of accounts, validated on a regular schedule | Partial | Check: OS Login is enforced at the project level; Check: Service account keys not older than 90 days; Manual: Quarterly user access review |
| 5.2 | Use unique passwords | Implemented | Check: Strong password policy configured |
| 5.3 | Disable dormant accounts | Implemented | Check: No credentials unused for 90+ days; Check: No stale Azure AD guest users |
| 5.4 | Restrict administrator privileges to dedicated administrator accounts | Partial | Check: Root account has no active access keys; Check: Primitive IAM roles (Owner/Editor) not assigned to users; Check: Privileged Identity Management activated for admin roles; Manual: Privileged access reviewed quarterly |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 6.1 | Establish an access granting process | Not covered | — |
| 6.2 | Establish an access revoking process | Not yet | Manual: Offboarding access revoked within 24h |
| 6.3 | Require MFA for externally-exposed applications | Partial | Check: 2FA required for all org members; Check: 2-Step Verification enforced for all Google Workspace users; Check: MFA enforced via Security Defaults or Conditional Access |
| 6.4 | Require MFA for remote network access | Not covered | — |
| 6.5 | Require MFA for administrative access | Implemented | Check: MFA enabled for all IAM users |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 7.1 | Establish and maintain a vulnerability management process | Not covered | — |
| 7.2 | Establish and maintain a remediation process | Not covered | — |
| 7.3 | Perform automated operating system patch management | Not covered | — |
| 7.4 | Perform automated application patch management | Implemented | Check: Dependabot security alerts enabled |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 8.1 | Establish and maintain an audit log management process | Not covered | — |
| 8.2 | Collect audit logs | Partial | Check: CloudTrail enabled in all regions; Check: CloudTrail log file validation enabled; Check: VPC Flow Logs enabled; Check: Cloud Audit Logs enabled for all services; Check: VPC Flow Logs enabled on all subnets; Check: Azure Activity Log diagnostic settings configured; Check: Azure SQL server-level auditing enabled |
| 8.3 | Ensure adequate audit log storage | Implemented | Check: CloudWatch log groups retain at least 12 months; Check: Long-term log sink configured; Check: Log Analytics workspaces retain logs for 90+ days |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 9.1 | Ensure use of only fully supported browsers and email clients | Not covered | — |
| 9.2 | Use DNS filtering services | Not covered | — |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 10.1 | Deploy and maintain anti-malware software | Partial | Check: GuardDuty enabled in all regions; Check: Microsoft Defender for Cloud enabled on key workloads |
| 10.2 | Configure automatic anti-malware signature updates | Not covered | — |
| 10.3 | Disable autorun and autoplay for removable media | Not covered | — |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 11.1 | Establish and maintain a data recovery process | Not yet | Manual: Business continuity plan documented; Manual: Annual disaster recovery test |
| 11.2 | Perform automated backups | Not yet | Check: S3 versioning enabled on critical buckets |
| 11.3 | Protect recovery data | Not covered | — |
| 11.4 | Establish and maintain an isolated instance of recovery data | Not covered | — |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 12.1 | Ensure network infrastructure is up-to-date | Not covered | — |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 14.1 | Establish and maintain a security awareness program | Partial | Manual: Annual security awareness training; Manual: PCI security awareness training (annual) |
| 14.2 | Train workforce members to recognize social engineering attacks | Not covered | — |
| 14.3 | Train workforce members on authentication best practices | Not covered | — |
| 14.4 | Train workforce members on data handling best practices | Not covered | — |
| 14.5 | Train workforce members on causes of unintentional data exposure | Not covered | — |
| 14.6 | Train workforce members on recognizing and reporting security incidents | Not covered | — |
| 14.7 | Train workforce members on identifying and reporting missing security updates | Not covered | — |
| 14.8 | Train workforce members on the dangers of connecting to insecure networks | Not covered | — |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 15.1 | Establish and maintain an inventory of service providers | Partial | Manual: Annual vendor security review; Manual: Third-party service provider (TPSP) list; Manual: Business associate inventory maintained |
| Code | Safeguard | Status | Evidence |
|---|---|---|---|
| 17.1 | Designate personnel to manage incident handling | Implemented | Manual: Incident response plan documented |
| 17.2 | Establish and maintain contact information for reporting security incidents | Not yet | Manual: Breach notification process documented |
| 17.3 | Establish and maintain an enterprise process for reporting incidents | Implemented | Manual: Incident response plan documented |
Generated by Scorifya Controls · July 12, 2026 · CIS Controls v8 IG1 derived coverage view for Foundry Labs, Inc.