
CIS Controls Initial Assessment Tool (v7.1b)

Instructions - Read me first.

This tool gives organizations a simple way to perform an initial assessment of their information assurance maturity level against the controls defined by the CIS Controls and the Council on Cybersecurity. Questions about how the tool works, or suggestions, can be directed to info@auditscripts.com. To use the tool, the assessor only needs to answer the drop-down questions on the worksheets labeled CSC #1 - CSC #20. As a drop-down choice is selected for each critical control, the tool automatically generates scores and a maturity level from the answers, and the dashboard worksheet automatically populates with the overall maturity level scores for the organization as a whole. These scores can be used to measure the organization's progress and the percentage of the CIS Controls it currently follows. Ideally, in the long term, organizations would deploy tools that automate the collection of this information; in the meantime, this tool can help start the process of manually assessing the organization's maturity level.

Field Definitions
ID: The ID number of the specific CIS Control sub-control, as included in the CIS Controls documentation.
CIS Control Detail: The detail behind each specific sub-control, as defined by the CIS Controls documentation.
EOF Function: This stands for "Executive Order Framework (EOF)" function. These functions were defined by NIST in the EOF and act as control characteristics.
Sensor or Baseline: The type of technical system or baseline that we believe is necessary in order to implement the specific sub-control.
Policy Approved: Whether the organization currently has a policy defined that indicates that it should be implementing the defined sub-control.
Control Implemented: Whether or not the organization currently has implemented this sub-control, and to what degree the control has been implemented.
Control Automated: Whether or not the organization currently has automated the implementation of this sub-control, and to what degree the control has been automated.
Control Reported to Business: Whether or not the organization is reporting this sub-control to business representatives, and to what degree the control has been reported.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Dashboard

Maturity level | Description | Score
Level One | Policies Complete | 0.00
Level Two | Controls 1-5 Implemented | 0.00
Level Three | All Controls Implemented | 0.00
Level Four | All Controls Automated | 0.00
Level Five | All Controls Reported | 0.00

Maturity Rating*: 0.00
*Rating is on a 0-5 scale.

[Chart: Maturity Level Aggregate Scores. Bars for Policies Complete, Controls 1-5 Implemented, All Controls Implemented, All Controls Automated and All Controls Reported on a 0.00-1.00 axis; all five currently 0.00.]

[Chart: Implementation Percentage by Control. CSC #1 through CSC #20 on a 0%-100% axis; all twenty currently 0%.]

CIS Control #1: Inventory and Control of Hardware Assets

Total Implementation of CSC #1
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
1.1 | Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. | Identify | Active Device Discovery System | No Policy | Not Implemented | Not Automated | Not Reported
1.2 | Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory. | Identify | Passive Device Discovery System | No Policy | Not Implemented | Not Automated | Not Reported
1.3 | Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory. | Identify | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported
1.4 | Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not. | Identify | Asset Inventory System | No Policy | Not Implemented | Not Automated | Not Reported
1.5 | Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. | Identify | Asset Inventory System | No Policy | Not Implemented | Not Automated | Not Reported
1.6 | Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner. | Respond | Asset Inventory System | No Policy | Not Implemented | Not Applicable | Not Applicable
1.7 | Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. | Protect | Network Level Authentication (NLA) | No Policy | Not Implemented | Not Automated | Not Reported
1.8 | Use client certificates to authenticate hardware assets connecting to the organization's trusted network. | Protect | Public Key Infrastructure (PKI) | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #2: Inventory and Control of Software Assets

Total Implementation of CSC #2
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
2.1 | Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system. | Identify | Software Application Inventory | No Policy | Not Implemented | Not Applicable | Not Applicable
2.2 | Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system. | Identify | Software Application Inventory | No Policy | Not Implemented | Not Applicable | Not Applicable
2.3 | Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems. | Identify | Software Application Inventory | No Policy | Not Implemented | Not Automated | Not Reported
2.4 | The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization. | Identify | Software Application Inventory | No Policy | Not Implemented | Not Automated | Not Reported
2.5 | The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location. | Identify | Software Application Inventory | No Policy | Not Implemented | Not Automated | Not Reported
2.6 | Ensure that unauthorized software is either removed or the inventory is updated in a timely manner. | Identify | Software Application Inventory | No Policy | Not Implemented | Not Applicable | Not Applicable
2.7 | Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. | Protect | Software Whitelisting System | No Policy | Not Implemented | Not Automated | Not Reported
2.8 | The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process. | Protect | Software Whitelisting System | No Policy | Not Implemented | Not Automated | Not Reported
2.9 | The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system. | Protect | Software Whitelisting System | No Policy | Not Implemented | Not Automated | Not Reported
2.10 | Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization. | Protect | Network Firewall / Access Control System | No Policy | Not Implemented | Not Applicable | Not Applicable

CIS Control #3: Continuous Vulnerability Management

Total Implementation of CSC #3
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
3.1 | Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems. | Detect | SCAP Based Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported
3.2 | Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested. | Detect | SCAP Based Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported
3.3 | Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses. | Detect | SCAP Based Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported
3.4 | Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor. | Protect | Patch Management System | No Policy | Not Implemented | Not Automated | Not Reported
3.5 | Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. | Protect | Patch Management System | No Policy | Not Implemented | Not Automated | Not Reported
3.6 | Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner. | Respond | SCAP Based Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported
3.7 | Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities. | Respond | SCAP Based Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #4: Controlled Use of Administrative Privileges

Total Implementation of CSC #4
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
4.1 | Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges. | Detect | Privileged Account Management System | No Policy | Not Implemented | Not Automated | Not Reported
4.2 | Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. | Protect | Privileged Account Management System | No Policy | Not Implemented | Not Automated | Not Reported
4.3 | Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities. | Protect | Privileged Account Management System | No Policy | Not Implemented | Not Applicable | Not Applicable
4.4 | Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system. | Protect | Privileged Account Management System | No Policy | Not Implemented | Not Automated | Not Reported
4.5 | Use multi-factor authentication and encrypted channels for all administrative account access. | Protect | Multi-Factor Authentication System | No Policy | Not Implemented | Not Automated | Not Reported
4.6 | Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet. | Protect | Dedicated Administration Systems | No Policy | Not Implemented | Not Applicable | Not Applicable
4.7 | Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities. | Protect | Software Whitelisting System | No Policy | Not Implemented | Not Automated | Not Reported
4.8 | Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported
4.9 | Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #5: Secure Configuration for Hardware and Software

Total Implementation of CSC #5
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
5.1 | Maintain documented security configuration standards for all authorized operating systems and software. | Protect | System Configuration Baselines & Images | No Policy | Not Implemented | Not Applicable | Not Applicable
5.2 | Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. | Protect | System Configuration Baselines & Images | No Policy | Not Implemented | Not Applicable | Not Applicable
5.3 | Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible. | Protect | System Configuration Baselines & Images | No Policy | Not Implemented | Not Automated | Not Reported
5.4 | Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported
5.5 | Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. | Detect | SCAP Based Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

Total Implementation of CSC #6
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
6.1 | Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent. | Detect | Network Time Protocol (NTP) Systems | No Policy | Not Implemented | Not Automated | Not Reported
6.2 | Ensure that local logging has been enabled on all systems and networking devices. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported
6.3 | Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported
6.4 | Ensure that all systems that store logs have adequate storage space for the logs generated. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported
6.5 | Ensure that appropriate logs are being aggregated to a central log management system for analysis and review. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported
6.6 | Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported
6.7 | On a regular basis, review logs to identify anomalies or abnormal events. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported
6.8 | On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Applicable | Not Applicable

CIS Control #7: Email and Web Browser Protections

Total Implementation of CSC #7
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
7.1 | Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor. | Protect | Software Whitelisting System | No Policy | Not Implemented | Not Automated | Not Reported
7.2 | Uninstall or disable any unauthorized browser or email client plugins or add-on applications. | Protect | Software Whitelisting System | No Policy | Not Implemented | Not Automated | Not Reported
7.3 | Ensure that only authorized scripting languages are able to run in all web browsers and email clients. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported
7.4 | Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. | Protect | Network URL Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
7.5 | Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default. | Protect | Network URL Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
7.6 | Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported
7.7 | Use Domain Name System (DNS) filtering services to help block access to known malicious domains. | Protect | DNS Domain Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
7.8 | To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. | Protect | Anti-Spam Gateway | No Policy | Not Implemented | Not Automated | Not Reported
7.9 | Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business. | Protect | Anti-Spam Gateway | No Policy | Not Implemented | Not Automated | Not Reported
7.10 | Use sandboxing to analyze and block inbound email attachments with malicious behavior. | Protect | Anti-Spam Gateway | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #8: Malware Defenses

Total Implementation of CSC #8
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
8.1 | Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers. | Protect | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
8.2 | Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis. | Protect | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
8.3 | Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported
8.4 | Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. | Detect | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
8.5 | Configure devices to not auto-run content from removable media. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported
8.6 | Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting. | Detect | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
8.7 | Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains. | Detect | DNS Domain Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
8.8 | Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #9: Limitation and Control of Network Ports

Total Implementation of CSC #9
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
9.1 | Associate active ports, services, and protocols to the hardware assets in the asset inventory. | Identify | SCAP Based Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported
9.2 | Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system. | Protect | SCAP Based Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported
9.3 | Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system. | Detect | SCAP Based Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported
9.4 | Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. | Protect | Host Based Firewall | No Policy | Not Implemented | Not Automated | Not Reported
9.5 | Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged. | Protect | Application Aware Firewall | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #10: Data Recovery Capability

Total Implementation of CSC #10
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
10.1 | Ensure that all system data is automatically backed up on a regular basis. | Protect | Backup / Recovery System | No Policy | Not Implemented | Not Automated | Not Reported
10.2 | Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. | Protect | Backup / Recovery System | No Policy | Not Implemented | Not Automated | Not Reported
10.3 | Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working. | Protect | Backup / Recovery System | No Policy | Not Implemented | Not Applicable | Not Applicable
10.4 | Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services. | Protect | Backup / Recovery System | No Policy | Not Implemented | Not Automated | Not Reported
10.5 | Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination. | Protect | Backup / Recovery System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #11: Secure Configurations for Network Devices

Total Implementation of CSC #11
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
11.1 | Maintain documented security configuration standards for all authorized network devices. | Protect | Network Device Management System | No Policy | Not Implemented | Not Applicable | Not Applicable
11.2 | All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need. | Protect | Network Device Management System | No Policy | Not Implemented | Not Applicable | Not Applicable
11.3 | Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered. | Detect | Network Device Management System | No Policy | Not Implemented | Not Automated | Not Reported
11.4 | Install the latest stable version of any security-related updates on all network devices. | Protect | Network Device Management System | No Policy | Not Implemented | Not Automated | Not Reported
11.5 | Manage all network devices using multi-factor authentication and encrypted sessions. | Protect | Multi-Factor Authentication System | No Policy | Not Implemented | Not Automated | Not Reported
11.6 | Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet. | Protect | Dedicated Administration Systems | No Policy | Not Implemented | Not Applicable | Not Applicable
11.7 | Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices. | Protect | Dedicated Administration Systems | No Policy | Not Implemented | Not Applicable | Not Applicable

CIS Control #12: Boundary Defense

Total Implementation of CSC #12
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
12.1 | Maintain an up-to-date inventory of all of the organization's network boundaries. | Identify | Network Firewall / Access Control System | No Policy | Not Implemented | Not Applicable | Not Applicable
12.2 | Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary. | Detect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported
12.3 | Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries. | Protect | Network Firewall / Access Control System | No Policy | Not Implemented | Not Automated | Not Reported
12.4 | Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries. | Protect | Network Firewall / Access Control System | No Policy | Not Implemented | Not Automated | Not Reported
12.5 | Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries. | Detect | Network Packet Capture System | No Policy | Not Implemented | Not Automated | Not Reported
12.6 | Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries. | Detect | Network Based Intrusion Detection System (NIDS) | No Policy | Not Implemented | Not Automated | Not Reported
12.7 | Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries. | Detect | Network Based Intrusion Prevention System (IPS) | No Policy | Not Implemented | Not Automated | Not Reported
12.8 | Enable the collection of NetFlow and logging data on all network boundary devices. | Detect | Network Device Management System | No Policy | Not Implemented | Not Automated | Not Reported
12.9 | Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. | Protect | Network Firewall / Access Control System | No Policy | Not Implemented | Not Automated | Not Reported
12.10 | Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. | Detect | Network Firewall / Access Control System | No Policy | Not Implemented | Not Automated | Not Reported
12.11 | Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication. | Protect | Multi-Factor Authentication System | No Policy | Not Implemented | Not Automated | Not Reported
12.12 | Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #13: Data Protection

Total Implementation of CSC #13
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
--- | --- | --- | --- | --- | --- | --- | ---
13.1 | Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider. | Identify | Data Inventory / Classification System | No Policy | Not Implemented | Not Applicable | Not Applicable
13.2 | Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed. | Protect | Data Inventory / Classification System | No Policy | Not Implemented | Not Applicable | Not Applicable
13.3 | Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals. | Identify | Network Based Data Loss Prevention (DLP) System | No Policy | Not Implemented | Not Automated | Not Reported
13.4 | Only allow access to authorized cloud storage or email providers. | Protect | Network Firewall / Access Control System | No Policy | Not Implemented | Not Automated | Not Reported
13.5 | Monitor all traffic leaving the organization and detect any unauthorized use of encryption. | Detect | Network Based Data Loss Prevention (DLP) System | No Policy | Not Implemented | Not Automated | Not Reported
13.6 | Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices. | Protect | Whole Disk Encryption System | No Policy | Not Implemented | Not Automated | Not Reported
13.7 | If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained. | Identify | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
13.8 | Configure systems not to write data to external removable media, if there is no business need for supporting such devices. | Protect | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
13.9 | If USB storage devices are required, all data stored on such devices must be encrypted while at rest. | Protect | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #14: Controlled Access Based on the Need to Know

Total Implementation of CSC #14
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
--- | --- | --- | --- | --- | --- | --- | ---
14.1 | Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs). | Protect | Network Firewall / Access Control System | No Policy | Not Implemented | Not Automated | Not Reported
14.2 | Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities. | Protect | Network Firewall / Access Control System | No Policy | Not Implemented | Not Automated | Not Reported
14.3 | Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation. | Protect | Network Firewall / Access Control System | No Policy | Not Implemented | Not Automated | Not Reported
14.4 | Encrypt all sensitive information in transit. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported
14.5 | Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory. | Detect | Data Inventory / Classification System | No Policy | Not Implemented | Not Automated | Not Reported
14.6 | Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported
14.7 | Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system. | Protect | Host Based Data Loss Prevention (DLP) System | No Policy | Not Implemented | Not Automated | Not Reported
14.8 | Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information. | Protect | Host Based Data Loss Prevention (DLP) System | No Policy | Not Implemented | Not Automated | Not Reported
14.9 | Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #15: Wireless Access Control

Total Implementation of CSC #15
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
--- | --- | --- | --- | --- | --- | --- | ---
15.1 | Maintain an inventory of authorized wireless access points connected to the wired network. | Identify | Network Device Management System | No Policy | Not Implemented | Not Applicable | Not Applicable
15.2 | Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network. | Identify | SCAP Based Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported
15.3 | Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network. | Detect | Wireless Intrusion Detection System (WIDS) | No Policy | Not Implemented | Not Automated | Not Reported
15.4 | Disable wireless access on devices that do not have a business purpose for wireless access. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported
15.5 | Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported
15.6 | Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported
15.7 | Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit. | Protect | Network Device Management System | No Policy | Not Implemented | Not Automated | Not Reported
15.8 | Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication. | Protect | Network Device Management System | No Policy | Not Implemented | Not Automated | Not Reported
15.9 | Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Automated | Not Reported
15.10 | Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly. | Protect | Network Device Management System | No Policy | Not Implemented | Not Applicable | Not Applicable

CIS Control #16: Account Monitoring and Control

Total Implementation of CSC #16
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
--- | --- | --- | --- | --- | --- | --- | ---
16.1 | Maintain an inventory of each of the organization's authentication systems, including those located on-site or at a remote service provider. | Identify | Identity & Access Management System | No Policy | Not Implemented | Not Applicable | Not Applicable
16.2 | Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems. | Protect | Identity & Access Management System | No Policy | Not Implemented | Not Automated | Not Reported
16.3 | Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider. | Protect | Multi-Factor Authentication System | No Policy | Not Implemented | Not Automated | Not Reported
16.4 | Encrypt or hash with a salt all authentication credentials when stored. | Protect | Identity & Access Management System | No Policy | Not Implemented | Not Automated | Not Reported
16.5 | Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. | Protect | Identity & Access Management System | No Policy | Not Implemented | Not Automated | Not Reported
16.6 | Maintain an inventory of all accounts organized by authentication system. | Identify | Identity & Access Management System | No Policy | Not Implemented | Not Automated | Not Reported
16.7 | Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails. | Protect | Identity & Access Management System | No Policy | Not Implemented | Not Applicable | Not Applicable
16.8 | Disable any account that cannot be associated with a business process or business owner. | Protect | Identity & Access Management System | No Policy | Not Implemented | Not Automated | Not Reported
16.9 | Automatically disable dormant accounts after a set period of inactivity. | Protect | Identity & Access Management System | No Policy | Not Implemented | Not Automated | Not Reported
16.10 | Ensure that all accounts have an expiration date that is monitored and enforced. | Protect | Identity & Access Management System | No Policy | Not Implemented | Not Automated | Not Reported
16.11 | Automatically lock workstation sessions after a standard period of inactivity. | Protect | Identity & Access Management System | No Policy | Not Implemented | Not Automated | Not Reported
16.12 | Monitor attempts to access deactivated accounts through audit logging. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported
16.13 | Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration. | Detect | Log Management System / SIEM | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #17: Implement a Security Awareness and Training Program

Total Implementation of CSC #17
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
--- | --- | --- | --- | --- | --- | --- | ---
17.1 | Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap. | Identify | Training / Awareness Education Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
17.2 | Deliver training to address the skills gap identified to positively impact workforce members' security behavior. | Protect | Training / Awareness Education Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
17.3 | Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner. | Protect | Training / Awareness Education Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
17.4 | Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements. | Protect | Training / Awareness Education Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
17.5 | Train workforce members on the importance of enabling and utilizing secure authentication. | Protect | Training / Awareness Education Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
17.6 | Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls. | Protect | Training / Awareness Education Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
17.7 | Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information. | Protect | Training / Awareness Education Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
17.8 | Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email. | Protect | Training / Awareness Education Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
17.9 | Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident. | Protect | Training / Awareness Education Plans | No Policy | Not Implemented | Not Applicable | Not Applicable

CIS Control #18: Application Software Security

Total Implementation of CSC #18
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
--- | --- | --- | --- | --- | --- | --- | ---
18.1 | Establish secure coding practices appropriate to the programming language and development environment being used. | Protect | Secure Coding Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
18.2 | For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. | Protect | Secure Coding Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
18.3 | Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations. | Protect | Secure Coding Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
18.4 | Only use up-to-date and trusted third-party components for the software developed by the organization. | Protect | Secure Coding Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
18.5 | Use only standardized, currently accepted, and extensively reviewed encryption algorithms. | Protect | Secure Coding Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
18.6 | Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. | Protect | Training / Awareness Education Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
18.7 | Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software. | Detect | Software Vulnerability Scanning Tool | No Policy | Not Implemented | Not Automated | Not Reported
18.8 | Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group. | Protect | Software Vulnerability Scanning Tool | No Policy | Not Implemented | Not Applicable | Not Applicable
18.9 | Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments. | Protect | Secure Coding Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
18.10 | Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed. | Protect | Web Application Firewall (WAF) | No Policy | Not Implemented | Not Automated | Not Reported
18.11 | For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested. | Protect | System Configuration Enforcement System | No Policy | Not Implemented | Not Applicable | Not Applicable

CIS Control #19: Incident Response and Management

Total Implementation of CSC #19
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
--- | --- | --- | --- | --- | --- | --- | ---
19.1 | Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management. | Protect | Incident Management Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
19.2 | Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution. | Protect | Incident Management Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
19.3 | Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles. | Protect | Incident Management Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
19.4 | Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. | Protect | Incident Management Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
19.5 | Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners. | Protect | Incident Management Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
19.6 | Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities. | Protect | Incident Management Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
19.7 | Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them. | Protect | Incident Management Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
19.8 | Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures. | Protect | Incident Management Plans | No Policy | Not Implemented | Not Applicable | Not Applicable

CIS Control #20: Penetration Tests and Red Team Exercises

Total Implementation of CSC #20
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
--- | --- | --- | --- | --- | --- | --- | ---
20.1 | Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks. | Protect | Penetration Testing Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
20.2 | Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. | Detect | Penetration Testing Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
20.3 | Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively. | Detect | Penetration Testing Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
20.4 | Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation. | Detect | Penetration Testing Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
20.5 | Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems. | Detect | Penetration Testing Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
20.6 | Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts. | Detect | Penetration Testing Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
20.7 | Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time. | Detect | Penetration Testing Plans | No Policy | Not Implemented | Not Applicable | Not Applicable
20.8 | Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over. | Detect | Penetration Testing Plans | No Policy | Not Implemented | Not Applicable | Not Applicable

DO NOT CHANGE THESE VALUES (drop-down lists used by the assessment worksheets)

Policy Status
No Policy
Informal Policy
Partial Written Policy
Written Policy
Approved Written Policy

Implementation Status
Not Implemented
Parts of Policy Implemented
Implemented on Some Systems
Implemented on Most Systems
Implemented on All Systems

Automation Status
Not Automated
Parts of Policy Automated
Automated on Some Systems
Automated on Most Systems
Automated on All Systems

Reporting Status
Not Reported
Parts of Policy Reported
Reported on Some Systems
Reported on Most Systems
Reported on All Systems
