Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients

Implementation Groups: IG1, IG2, IG3

Asset Type: Applications
Security Function: Protect

Description

Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Configure email authentication (SPF, DKIM, DMARC)
7. Deploy email security gateway with filtering
8. Configure attachment and URL scanning
9. Inventory all third-party service providers
10. Classify third parties by risk level
11. Conduct security assessments of critical vendors
12. Include security requirements in contracts

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Browser-Based Exploit Kit Delivery

Confidentiality

Outdated or unsupported browsers contain known vulnerabilities that exploit kits target to deliver malware through malicious advertisements, compromised websites, or watering hole attacks without requiring any user interaction beyond visiting a page.

Email Client Vulnerability Exploitation for Initial Access

Integrity

Unsupported email clients with known rendering or parsing vulnerabilities are exploited to execute malicious code when users preview or open specially crafted emails, bypassing attachment-based security controls.

Session Hijacking via Outdated Browser TLS Implementation

Confidentiality

Outdated browsers supporting deprecated TLS versions or weak cipher suites allow man-in-the-middle attackers to intercept and decrypt sensitive web sessions, including banking, email, and enterprise application traffic.

Vulnerabilities (When Safeguard Absent)

Unsupported Browser Versions in Production Use

Enterprise assets run end-of-life browser versions that no longer receive security patches from vendors, accumulating exploitable vulnerabilities with each new disclosure while remaining the primary interface to web applications.

No Browser Version Enforcement Policy

The organization has no technical controls (GPO, MDM, or configuration management) to enforce minimum browser versions or prevent the use of unsupported browsers, allowing users to operate with dangerously outdated software.
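
One way to turn an inventory export from the MDM or configuration-management tool mentioned above into evidence for this safeguard is an audit that flags every host running an end-of-life product, a version below the vendor-supported minimum, or a browser or email client that is not on the approved list. The script below is an added example, not CIS material; the product names, version numbers, policy baselines and inventory rows are all constructed placeholders.

```python
# Added audit example (not from the CIS page): flags hosts whose browser or
# email client is end-of-life, below the supported minimum, or unapproved.
from dataclasses import dataclass

# Constructed policy: approved product -> lowest version still vendor-supported.
MIN_SUPPORTED = {"browser-a": (120, 0), "mail-client-b": (16, 0)}
# Products the vendor no longer patches; never allowed, whatever the version.
END_OF_LIFE = {"legacy-browser-c"}

@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    reason: str

def parse_version(text: str) -> tuple:
    """'121.0.6167.85' -> (121, 0, 6167, 85) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def audit_inventory(lines) -> list:
    """Lines are '<host>,<product>,<version>' from an MDM/config-management
    export filtered to browsers and email clients; one Finding per violation."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(","))
        if product in END_OF_LIFE:
            findings.append(Finding(host, product, version, "end-of-life product"))
        elif product not in MIN_SUPPORTED:
            findings.append(Finding(host, product, version, "not on approved list"))
        elif parse_version(version) < MIN_SUPPORTED[product]:
            findings.append(Finding(host, product, version, "below minimum version"))
    return findings

# Constructed sample export: two compliant hosts, three violations.
SAMPLE_INVENTORY = [
    "# host,product,version",
    "ws-001,browser-a,121.0.6167.85",
    "ws-002,browser-a,118.0.5993.70",
    "ws-003,legacy-browser-c,11.0.9600",
    "ws-004,mail-client-b,16.0.17126",
    "ws-005,unknown-browser,1.2.3",
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.product} {f.version} -> {f.reason}")
```

An empty result from audit_inventory is the "control enabled" evidence the table below asks for; a non-empty one is the remediation list for the next quarterly check.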

Evidence Requirements

Type       | Evidence Item                                                               | Collection Frequency
-----------|-----------------------------------------------------------------------------|---------------------
Technical  | Configuration screenshots or exports showing protection controls enabled    | Captured quarterly
Document   | Procedure documentation for protection measures                             | Reviewed annually
Technical  | Email security configuration (SPF, DKIM, DMARC records)                     | Verified quarterly
Document   | Governing policy document (current, approved, communicated)                 | Reviewed annually