Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
Why Is This Control Critical?
Web browsers and email clients are very common points of entry for attackers because of their direct interaction with users inside an enterprise. Content can be crafted to entice or spoof users into disclosing credentials, providing sensitive data, or providing an open channel to allow attackers to gain access, thus increasing risk to the enterprise. Since email and web are the main means that users interact with external and untrusted users and environments, these are prime targets for both malicious code and social engineering.
Safeguards (7)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | Protect | IG1, IG2, IG3 | 9 | 4 |
| 9.2 | Use DNS Filtering Services | Protect | IG1, IG2, IG3 | 6 | 4 |
| 9.3 | Maintain and Enforce Network-Based URL Filters | Protect | IG2, IG3 | 5 | 3 |
| 9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | Protect | IG2, IG3 | 7 | 4 |
| 9.5 | Implement DMARC | Protect | IG2, IG3 | 7 | 4 |
| 9.6 | Block Unnecessary File Types | Protect | IG2, IG3 | 7 | 4 |
| 9.7 | Deploy and Maintain Email Server Anti-Malware Protections | Protect | IG3 | 12 | 7 |
Audit Verification Details
9.1 Ensure Use of Only Fully Supported Browsers and Email Clients
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Contracts with third parties include security requirements. | Contract excerpts showing security clauses |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Email authentication (SPF, DKIM, DMARC) is configured and passing. | DNS record verification, DMARC aggregate reports |
| Email filtering is active for attachments and URLs. | Email gateway configuration, filtering statistics |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Third-party service providers are inventoried and risk-assessed. | Vendor inventory, risk assessment reports, security scorecards |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Email security configuration (SPF, DKIM, DMARC records) | Verified quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
9.2 Use DNS Filtering Services
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| DNS filtering is active and blocking known malicious domains. | DNS filter configuration, block statistics |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | DNS filtering configuration and block statistics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
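The "DNS filtering is active and blocking known malicious domains" item is only as good as the evidence behind it: block statistics from the filter vendor show what the filter thinks it blocked, not whether an asset ever resolved a blocklisted name around it. The following script is an added example, not part of the original page or any vendor's tooling, of how an auditor can test effectiveness from resolver logs. The log format, the sinkhole address `0.0.0.0`, the client addresses and the blocklist entries are all constructed assumptions; the one non-obvious point it demonstrates is suffix matching on label boundaries, so that `c2.bad.example` covers `update.c2.bad.example` but `malicious.example` does not cover `notmalicious.example`.

```python
"""Audit DNS filtering coverage from resolver query logs (added example)."""
from dataclasses import dataclass

# Assumed: the address the filter answers with for blocked names.
SINKHOLE = "0.0.0.0"

# Constructed blocklist of known-malicious domains (hypothetical names).
BLOCKLIST = {"malicious.example", "c2.bad.example"}

# Constructed resolver log lines: "<ts> <client> <qname> <qtype> <answer>".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 www.example.com A 93.184.216.34
2024-05-01T09:00:02Z 10.0.0.5 malicious.example A 0.0.0.0
2024-05-01T09:00:03Z 10.0.0.7 update.c2.bad.example A 0.0.0.0
2024-05-01T09:00:04Z 10.0.0.9 c2.bad.example A 198.51.100.23
2024-05-01T09:00:05Z 10.0.0.9 notmalicious.example A 203.0.113.9
"""


@dataclass
class QueryRecord:
    ts: str
    client: str
    qname: str
    qtype: str
    answer: str


def parse_log(text):
    """Parse the assumed five-field log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        records.append(QueryRecord(*parts))
    return records


def is_blocklisted(qname, blocklist):
    """True if qname equals a blocklisted domain or is a subdomain of one.

    Matching walks label by label from the left, so a substring such as
    'notmalicious.example' never matches the entry 'malicious.example'.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def audit(records, blocklist, sinkhole=SINKHOLE):
    """Count blocklisted queries and collect those the filter let through."""
    stats = {"total": 0, "blocklisted": 0, "blocked": 0, "bypassed": []}
    for r in records:
        stats["total"] += 1
        if not is_blocklisted(r.qname, blocklist):
            continue
        stats["blocklisted"] += 1
        if r.answer == sinkhole:
            stats["blocked"] += 1
        else:
            # A real answer for a blocklisted name means an asset is not
            # using the filtered resolver (or the filter list is stale).
            stats["bypassed"].append((r.client, r.qname, r.answer))
    return stats


if __name__ == "__main__":
    print(audit(parse_log(SAMPLE_LOG), BLOCKLIST))
```

A non-empty `bypassed` list is the finding an auditor wants: the client at 10.0.0.9 obtained a routable address for a blocklisted name, which means that asset resolves outside the filtering service and the "all enterprise assets" requirement of the safeguard is not met.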
9.3 Maintain and Enforce Network-Based URL Filters
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Email authentication (SPF, DKIM, DMARC) is configured and passing. | DNS record verification, DMARC aggregate reports |
| Email filtering is active for attachments and URLs. | Email gateway configuration, filtering statistics |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Email security configuration (SPF, DKIM, DMARC records) | Verified quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
9.5 Implement DMARC
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Email authentication (SPF, DKIM, DMARC) is configured and passing. | DNS record verification, DMARC aggregate reports |
| Email filtering is active for attachments and URLs. | Email gateway configuration, filtering statistics |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Email security configuration (SPF, DKIM, DMARC records) | Verified quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
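"Configured and passing" hides two separate checks: the published records must actually enforce something (an SPF record ending in `+all`, or a DMARC record with `p=none`, is present but protects nothing), and the aggregate reports sent to the `rua=` address must show legitimate mail passing and spoofed mail being quarantined or rejected. The script below is an added example, not part of the original page; the TXT records, the `corp.example` domain and the aggregate report XML are constructed for illustration. In practice the records come from DNS (for example `dig TXT _dmarc.corp.example`) and the report from the mailbox named in `rua=`; the report layout follows the DMARC aggregate report schema of RFC 7489, of which only the elements used here are reproduced.

```python
"""Assess SPF/DMARC records and summarize a DMARC aggregate report (added example)."""
import xml.etree.ElementTree as ET

# Constructed TXT records for a hypothetical domain.
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 include:_spf.mail.example -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@corp.example; pct=100; adkim=s; aspf=r"
WEAK_DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@corp.example"

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Parse 'k=v; k=v' DMARC-style tags into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_spf(record):
    """Return findings for an SPF record; an empty list means no weakness found."""
    findings = []
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every sender; use -all or ~all")
        elif qualifier == "?":
            findings.append("'?all' is neutral; use -all or ~all")
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower() for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def assess_dmarc(record):
    """Return findings for a DMARC record; an empty list means it enforces."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to audit")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


# Constructed aggregate report: one legitimate source, one spoofing source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>corp.example</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>corp.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.45</source_ip><count>37</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>corp.example</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Total passing and failing messages per the receiver's policy evaluation."""
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "passed": 0, "failed": 0, "failing_sources": []}
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            summary["passed"] += count
        else:
            summary["failed"] += count
            summary["failing_sources"].append(
                (row.findtext("source_ip"), count, ev.findtext("disposition")))
    return summary


if __name__ == "__main__":
    print(assess_spf(SPF_RECORD), assess_dmarc(DMARC_RECORD), assess_dmarc(WEAK_DMARC_RECORD))
    print(summarize_report(SAMPLE_REPORT))
```

For the audit evidence row, the record assessment is the "DNS record verification" half and the report summary is the "DMARC aggregate reports" half; a failing source that carries a `disposition` of `none` under a `p=quarantine` policy is the discrepancy worth chasing, because it means the receiver did not apply the published policy.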
9.6 Block Unnecessary File Types
Block unnecessary file types attempting to enter the enterprise's email gateway.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Email authentication (SPF, DKIM, DMARC) is configured and passing. | DNS record verification, DMARC aggregate reports |
| Email filtering is active for attachments and URLs. | Email gateway configuration, filtering statistics |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Email security configuration (SPF, DKIM, DMARC records) | Verified quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
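Validating this safeguard means more than confirming that a list of extensions is configured on the gateway: an attachment named `invoice.pdf` whose bytes begin with a PE header, or a `.zip` that wraps a `.js`, passes a name-only filter. The following script is an added example, not part of the original page or of any gateway product, showing the three checks a filter test should exercise: declared extension against a blocklist, file signature against the declared name, and one level of archive inspection. The blocklist, the magic-byte table, and the sample message built with Python's `email` library are constructed assumptions; the enterprise's own approved file-type list is what a real gateway enforces.

```python
"""Gateway-style attachment file-type check with a constructed test message (added example)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed blocklist of extensions that should not enter via email.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".bat", ".ps1"}

# File signatures that betray executables regardless of the declared name.
MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}


def extension_of(name):
    """Lower-cased final extension, or '' when the name has none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_attachment(filename, data):
    """Return the reasons to block this attachment; an empty list means allow."""
    reasons = []
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{filename}: extension {ext} is blocked")
    # Content/name mismatch: executable bytes under a benign-looking name.
    for magic, kind in MAGIC.items():
        if data.startswith(magic) and ext not in BLOCKED_EXTENSIONS:
            reasons.append(f"{filename}: content is a {kind} despite extension {ext or '(none)'}")
    # Archives are the classic wrapper; look one level inside.
    if ext == ".zip" and data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if extension_of(member) in BLOCKED_EXTENSIONS:
                        reasons.append(f"{filename}: archive contains blocked file {member}")
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: unreadable zip archive")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 5322 message and inspect every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons.extend(inspect_attachment(name, part.get_payload(decode=True) or b""))
    return reasons


def build_sample_message():
    """Constructed message: a PE file named .pdf, a zip wrapping a .js, and a real PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "WScript.Echo('x')")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="real.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for reason in scan_message(build_sample_message()):
        print("BLOCK:", reason)
```

Sending a message like this one through the real gateway and confirming that all three findings are logged is the "test results, validation reports" evidence the checklist asks for; a gateway that reports only the `docs.zip` hit, or nothing at all, is filtering on names alone.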
9.7 Deploy and Maintain Email Server Anti-Malware Protections
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Vulnerability scans cover all in-scope assets and run at the defined frequency. | Scan reports with scope and schedule evidence |
| Anti-malware is deployed on all applicable endpoints with current signatures. | Deployment status dashboard, signature update timestamps |
| Email authentication (SPF, DKIM, DMARC) is configured and passing. | DNS record verification, DMARC aggregate reports |
| Email filtering is active for attachments and URLs. | Email gateway configuration, filtering statistics |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Vulnerabilities are remediated within defined SLAs by severity. | Remediation tracking with SLA compliance metrics |
| Exceptions and risk acceptances are documented and approved. | Exception/waiver records with management sign-off |
| Malware detections are investigated and resolved. | Detection logs, investigation and resolution records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Technical | Email security configuration (SPF, DKIM, DMARC records) | Verified quarterly |
| Technical | Anti-malware deployment status and detection statistics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |