CIS-9.2 / SC-7 / A.13.1.3 CIS Controls v8

URL filtering

Demonstrate that URL filtering mechanisms are actively deployed, configured to block high-risk web categories, enforced across user populations, and generating actionable logs of blocked and permitted requests.

Description

What this control does

URL filtering controls restrict user access to web content by evaluating requested URLs against policy-based allow/deny lists, category databases, and reputation feeds before permitting HTTP/HTTPS connections. This control is typically enforced at secure web gateways, proxy servers, DNS resolvers, or endpoint agents to block access to malicious, inappropriate, or non-business-related websites. URL filtering reduces exposure to drive-by downloads, phishing sites, command-and-control infrastructure, and productivity-draining content while supporting compliance with acceptable use policies.

Control objective

What auditing this proves

Demonstrate that URL filtering mechanisms are actively deployed, configured to block high-risk web categories, enforced across user populations, and generating actionable logs of blocked and permitted requests.

Associated risks

Risks this control addresses

  • Users access phishing sites that harvest credentials or deliver malware payloads via social engineering
  • Workstations connect to known command-and-control domains enabling data exfiltration or botnet enrollment
  • Drive-by download attacks exploit browser vulnerabilities from malicious websites hosting exploit kits
  • Employees access illegal, offensive, or bandwidth-intensive content violating acceptable use policies and creating legal liability
  • Shadow IT services and unapproved cloud applications bypass security controls through unfiltered web access
  • Newly registered or typosquatted domains are accessed before reputation data is available in threat intelligence feeds
  • Ransomware campaigns communicate with payment portals and data leak sites over HTTP/HTTPS channels

Testing procedure

How an auditor verifies this control

  1. Obtain and review the current URL filtering policy document identifying blocked categories, custom block/allow lists, and enforcement scope.
  2. Export or screenshot the URL filtering configuration from secure web gateways, proxies, or DNS filtering appliances showing enabled categories and thresholds.
  3. Verify enforcement coverage by reviewing network architecture diagrams and confirming that all egress paths route through filtering infrastructure, or that endpoint agents are deployed to remote workers whose traffic does not traverse those paths.
  4. Select a representative sample of 15-20 user accounts spanning departments and roles for testing.
  5. Conduct live simulation testing by attempting access to test URLs in blocked categories (malware, phishing test domains, adult content) from sampled user workstations and recording outcomes.
  6. Review URL filtering logs for a recent 30-day period to confirm blocked request volumes, top blocked categories, and evidence of policy violations.
  7. Examine exception or override request records to verify approval workflows and business justifications for any custom allow-list entries.
  8. Test bypass scenarios including direct IP access, use of anonymizers or VPNs, and encrypted DNS queries to confirm controls remain effective.

Evidence required

Collect the URL filtering policy document, configuration exports or annotated screenshots from filtering platforms showing category selections and thresholds, network diagrams demonstrating enforcement points, test result logs or screenshots showing blocked access attempts, query logs from the filtering system covering a 30-day period with evidence of active blocking, and any change management records for allow-list exceptions.

Pass criteria

URL filtering is enforced across all user populations with high-risk categories (malware, phishing, known malicious sites) actively blocked, simulated access attempts to test URLs are successfully prevented, and logs demonstrate ongoing blocking activity with no unapproved bypass methods available.
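
The log review in step 6 and the "logs demonstrate ongoing blocking activity" pass criterion can be checked mechanically. The following script is an added example, not part of this control page or any filtering vendor's tooling; the space-separated log format (timestamp, user, action, category, URL) and the sample lines are constructed for illustration, and real gateway exports will need their own parser.

```python
"""Summarize URL-filter logs for audit step 6 (blocked volumes, top blocked
categories, high-risk requests that were permitted). Log format is constructed."""
from collections import Counter

# Categories the pass criteria require to be actively blocked.
HIGH_RISK = {"malware", "phishing", "command-and-control"}

# Constructed sample lines: timestamp, user, action, category, url.
SAMPLE_LOG = """\
2024-05-01T08:01:10Z alice BLOCK malware http://example-bad.test/payload.exe
2024-05-01T08:02:45Z bob ALLOW business https://intranet.example.test/home
2024-05-01T08:03:12Z carol BLOCK phishing http://login-examp1e.test/verify
2024-05-01T08:04:33Z alice ALLOW news https://news.example.test/today
2024-05-01T08:05:02Z dave ALLOW phishing http://secure-examp1e.test/reset
2024-05-01T08:06:19Z bob BLOCK adult http://adult.example.test/
2024-05-01T08:07:40Z carol BLOCK malware http://example-bad.test/drop
2024-05-01T08:08:55Z erin BLOCK command-and-control http://c2.example.test/beacon
"""

def parse_line(line):
    """Split one log line into its five fields; returns None if malformed."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, user, action, category, url = parts
    return {"ts": ts, "user": user, "action": action.upper(),
            "category": category.lower(), "url": url}

def summarize(log_text):
    """Return the figures an auditor needs from a log sample."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    blocked = [e for e in events if e["action"] == "BLOCK"]
    allowed = [e for e in events if e["action"] == "ALLOW"]
    blocked_by_cat = Counter(e["category"] for e in blocked)
    # High-risk categories with no blocking evidence at all in the period.
    never_blocked = sorted(HIGH_RISK - set(blocked_by_cat))
    # Requests in high-risk categories that were permitted: policy gaps.
    high_risk_allowed = [(e["user"], e["category"], e["url"])
                         for e in allowed if e["category"] in HIGH_RISK]
    return {
        "total": len(events),
        "blocked": len(blocked),
        "allowed": len(allowed),
        "top_blocked": blocked_by_cat.most_common(3),
        "high_risk_never_blocked": never_blocked,
        "high_risk_allowed": high_risk_allowed,
        "passes": not never_blocked and not high_risk_allowed,
    }
```

On the sample, `summarize(SAMPLE_LOG)["passes"]` is False because one phishing request was allowed, which is exactly the finding an auditor would raise against the pass criteria; `summarize(open("proxy.log").read())` applies the same check to a real 30-day export once the parser matches its format.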