Risk Register 7.1 for IG1

Impact Criteria
Definition row (blank in the template): Mission | Operational Objectives | Financial Objectives | Obligations

Asset Class | Mission Impact | Operational Objectives Impact | Obligations Impact
Enterprise | | |
Devices | | |
Applications | | |
Data | | |
Network | | |
Users | | |

Risk Register

CIS Safeguard # | CIS Safeguard Title | Asset Class
1.6 | Address Unauthorized Assets | Devices
2.1 | Maintain Inventory of Authorized Software | Applications
2.2 | Ensure Software is Supported by Vendor | Applications
2.6 | Address Unapproved Software | Applications
3.4 | Deploy Automated Operating System Patch Management Tools | Devices
3.5 | Deploy Automated Software Patch Management Tools | Devices
4.2 | Change Default Passwords | Users
5.1 | Establish Secure Configurations | Devices
6.2 | Activate Audit Logging | Devices
8.2 | Ensure Anti-Malware Software and Signatures Are Updated | Devices
8.4 | Configure Anti-Malware Scanning of Removable Devices | Devices
8.5 | Configure Devices to Not Auto-Run Content | Devices
9.4 | Apply Host-Based Firewalls or Port-Filtering | Network
10.1 | Ensure Regular Automated BackUps | Data
10.2 | Perform Complete System Backups | Data
12.1 | Maintain an Inventory of Network Boundaries | Network
12.4 | Deny Communication Over Unauthorized Ports | Network
13.1 | Maintain an Inventory of Sensitive Information | Data
14.6 | Protect Information Through Access Control Lists | Data
16.8 | Disable Any Unassociated Accounts | Users
16.9 | Disable Dormant Accounts | Users
16.11 | Lock Workstation Sessions After Inactivity | Devices
17.3 | Implement a Security Awareness Program | Users
17.5 | Train Workforce on Secure Authentication | Users
17.6 | Train Workforce on Identifying Social Engineering Attacks | Users
17.7 | Train Workforce on Sensitive Data Handling | Users
17.8 | Train Workforce on Causes of Unintentional Data Exposure | Users
17.9 | Train Workforce Members on Identifying and Reporting Incidents | Users
19.1 | Document Incident Response Procedures | Enterprise
19.3 | Designate Management Personnel to Support Incident Handling | Enterprise
19.5 | Maintain Contact Information For Reporting Security Incidents | Enterprise
19.6 | Publish Information Regarding Reporting Computer Anomalies and Incidents | Enterprise

Risk Analysis columns: Safeguard Maturity Score | VCDB Index | Likelihood Score | Impact to Mission | Impact to Operational Objectives | Impact to Obligations
(Risk Analysis cells, 43 rows: blank in the template apart from the auto-populated VCDB Index, which follows the row's Asset Class: Devices and Network = 1, Applications = 2, Enterprise, Data and Users = 3. The remaining calculated cells show 0 until the Safeguard Maturity Score and the Impact Criteria are entered.)
Risk Register (continued): Risk Treatment

Risk Score | Risk Level | Risk Treatment Option | Risk Treatment Safeguard | Risk Treatment Safeguard Title | Risk Treatment Safeguard Description
(Risk Score and Risk Level show 0 for all 43 rows until the Risk Analysis columns are filled in.)

Risk Treatment Safeguard titles present on this sheet:
8.4 | Configure Anti-Malware Scanning of Removable Devices
8.5 | Configure Devices to Not Auto-Run Content
12.1 | Maintain an Inventory of Network Boundaries
13.1 | Maintain an Inventory of Sensitive Information
17.3 | Implement a Security Awareness Program
19.3 | Designate Management Personnel to Support Incident Handling

Risk Treatment Safeguard descriptions present on this sheet (CIS Controls v7.1 wording):
7.1: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
10.5: Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls.
19.1: Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.
Risk Treatment Safeguard Impact to Obligations | Risk Treatment Safeguard Risk Score | Reasonable and Acceptable | Risk Treatment Safeguard Cost | Implementation Quarter | Implementation Year
(Blank in the template for all 43 rows: Risk Treatment Safeguard Risk Score is 0, Reasonable and Acceptable is No, Cost shows $ -.)
Other column headers on the sheet: Impact to Financial Objectives; Reasonable? (Yes / No). Implementation Year drop-down: 2021 through 2030.
Risk Register 8 for IG1

Enterprise Name:
CIS RAM Risk Register Scope:
Last Completed (Date):

Impact Criteria
Definition row (blank in the template): Mission | Operational Objectives | Obligations

Asset Class | Mission Impact | Operational Objectives Impact | Obligations Impact
Enterprise | | |
Devices | | |
Applications | | |
Data | | |
Network | | |
Users | | |

Risk Register

CIS Safeguard # | CIS Safeguard Title | Asset Class
1.2 | Address Unauthorized Assets | Devices
2.2 | Ensure Authorized Software is Currently Supported | Applications
2.3 | Address Unauthorized Software | Applications
4.6 | Securely Manage Enterprise Assets and Software | Network
4.7 | Manage Default Accounts on Enterprise Assets and Software | Users
5.3 | Disable Dormant Accounts | Users
5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | Users
6.1 | Establish an Access Granting Process | Users
6.2 | Establish an Access Revoking Process | Users
11.2 | Perform Automated Backups | Data
11.3 | Protect Recovery Data | Data
12.1 | Ensure Network Infrastructure is Up-to-Date | Network
14.2 | Train Workforce Members to Recognize Social Engineering Attacks | Enterprise
14.3 | Train Workforce Members on Authentication Best Practices | Enterprise
14.4 | Train Workforce on Data Handling Best Practices | Enterprise
14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | Enterprise
14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | Enterprise
17.1 | Designate Personnel to Manage Incident Handling | Enterprise

Risk Analysis columns: Safeguard Maturity Score | VCDB Index | Likelihood Score | Impact to Mission | Impact to Operational Objectives | Impact to Obligations
(Risk Analysis cells, 56 rows: blank in the template apart from the auto-populated VCDB Index, which follows the row's Asset Class: Devices and Network = 1, Applications = 2, Enterprise, Data and Users = 3. The remaining calculated cells show 0 until the Safeguard Maturity Score and the Impact Criteria are entered.)
Risk Register (continued): Risk Treatment

Risk Score | Risk Level | Risk Treatment Option | Risk Treatment Safeguard | Risk Treatment Safeguard Title | Risk Treatment Safeguard Description
(Risk Score and Risk Level show 0 for all 56 rows until the Risk Analysis columns are filled in.)

Risk Treatment Safeguard title present on this sheet:
1.1 | Establish and Maintain Detailed Enterprise Asset Inventory

Risk Treatment Safeguard Description (one entry per IG1 Safeguard, as published in CIS Controls v8; the Safeguard number precedes each entry):

1.1: Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.

1.2: Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.

2.1: Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.

2.2: Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently.

2.3: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.

3.1: Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

3.2: Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.

3.3: Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.

3.4: Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.

3.5: Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity.

3.6: Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

4.1: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

4.2: Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

4.3: Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.

4.5: Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

4.6: Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.

4.7: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.

5.1: Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

5.2: Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.

5.3: Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.

5.4: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

6.1: Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.

6.2: Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.

6.3: Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.

6.5: Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

7.1: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

7.2: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.

8.1: Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

8.2: Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

8.3: Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

9.1: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.

9.2: Use DNS filtering services on all enterprise assets to block access to known malicious domains.

10.1: Deploy and maintain anti-malware software on all enterprise assets.

10.2: Configure automatic updates for anti-malware signature files on all enterprise assets.

11.1: Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

11.2: Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.

11.3: Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.

11.4: Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services.

12.1: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.

14.1: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.

14.2: Train workforce members to recognize social engineering attacks, such as phishing, pretexting, and tailgating.

14.3: Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.

14.4: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.

14.5: Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.

14.6: Train workforce members to be able to recognize a potential incident and be able to report such an incident.

14.7: Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.

14.8: Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.

15.1: Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.

17.1: Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

17.2: Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.

17.3: Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Risk Treatment Safeguard Maturity Score | Risk Treatment Safeguard Likelihood Score | Risk Treatment Safeguard Impact to Mission | Risk Treatment Safeguard Impact to Operational Objectives | Risk Treatment Safeguard Impact to Obligations | Risk Treatment Safeguard Risk Score | Reasonable and Acceptable | Risk Treatment Safeguard Cost | Implementation Quarter | Implementation Year
(Blank in the template for all 56 rows: the calculated scores are 0, Reasonable and Acceptable is No, Cost shows $ -.)
Other column headers on the sheet: Impact to Financial Objectives; Reasonable? (Yes / No). Implementation Year drop-down: 2021 through 2030.
Color Key

Color / Title | Meaning
Color (shaded columns) | For optional user input. Risk assessors may add values into these columns if it's useful to them.
CIS Safeguard # | The unique CIS Safeguard identifier, as published in the CIS Controls.
CIS Safeguard Title | The title of the CIS Safeguard, as published in the CIS Controls.
Asset Class | The asset class, as published in the CIS Controls.
Safeguard Maturity Score | A score of '1' through '5' designating the reliability of a Safeguard's effectiveness against threats.
VCDB Index | An autom0atically calculated value to represent how common the related threat is as a cause for reported cybersecurity incidents.
Risk Analysis | Column-group heading for Safeguard Maturity Score, VCDB Index, Likelihood Score and the three Impacts.
Likelihood Score | An automatically calculated value to represent how commonly the related threat would be the cause of a cybersecurity incident, given your current Safeguard.
Impact to Mission | The magnitude of harm that a successful threat would cause to your Mission.
Impact to Operational Objectives | The magnitude of harm that a successful threat would cause to your Operational Objectives.
Impact to Obligations | The magnitude of harm that a successful threat would cause to your Obligations.
Risk Score | The product of the Likelihood and the highest of the three Impacts.
Risk Level | An evaluation of the risk as acceptable, unacceptable, or catastrophic.
Risk Treatment Option | A statement about whether the enterprise will accept or reduce the risk.
Risk Treatment Safeguard | The unique CIS Safeguard identifier, as published in the CIS Controls.
Risk Treatment Safeguard Title | The title of the CIS Safeguard, as published in the CIS Controls.
Risk Treatment Safeguard Description |
Our Planned Implementation | A brief description of how the Safeguard will be implemented and operated in the enterprise.
Risk Treatment Safeguard Maturity Score | A score of '1' through '5' designating the planned reliability of a Safeguard's effectiveness against threats.
Risk Treatment Safeguard Likelihood Score | An automatically calculated value to represent how commonly the related threat would be the cause of a cybersecurity incident, given the planned Safeguard.
Risk Treatment Safeguard Impact to Mission | The magnitude of harm that a successful threat would cause to your Mission.
Risk Treatment Safeguard Impact to Operational Objectives | The magnitude of harm that a successful threat would cause to your Operational Objectives.
Risk Treatment Safeguard Impact to Obligations | The magnitude of harm that a successful threat would cause to your Obligations.
Risk Treatment Safeguard Risk Score | The product of the Likelihood and the highest of the three impacts, given the planned Safeguard.
Reasonable and Acceptable | A determination of whether the planned Safeguard is reasonable and acceptable.
Risk Treatment Safeguard Cost | An estimate of how much the Safeguard is expected to cost.
Implementation Quarter | When the Safeguard is planned for completion of implementation (which quarter).
Implementation Year | When the Safeguard is planned for completion of implementation (which year).
Impact Criteria

Impact Scores | Mission | Operational Objectives | Obligations
3. Catastrophic | We would not be able to achieve our mission. | We would not be able to meet our objectives. |
(The sheet flags one impact column as Required and five as Optional.)

Maturity Scores

Score | Definition
1 | Safeguard is not implemented or is inconsistently implemented.
2 | Safeguard is implemented fully on some assets or partially on all assets.
3 | Safeguard is implemented on all assets.
4 | Safeguard is tested and inconsistencies are corrected.
5 | Safeguard has mechanisms that ensure consistent implementation over time.

Likelihood Scores
Used for "Likelihood Score" and "Risk Treatment Safeguard Likelihood Score".

Likelihood | Definition
1 | The risk is not expected in this environment.
2 | This risk should be expected to cause a security incident at some time.
3 | We should expect this to happen soon, if it has not already occurred.

VCDB Index
Used to calculate "Likelihood Score" and "Risk Treatment Safeguard Likelihood Score". As of 7/29/2021.
Sum of Threat Count / Industry: 8893

Asset Class | Incident Count | Percentage | Index
Enterprise | 4458 | 50% | 3
Applications | 1253 | 14% | 2
Data | 4458 | 50% | 3
Devices | 798 | 9% | 1
Network | 62 | 1% | 1
Users | 4458 | 50% | 3
Unknown | 863 | 10% | 1

(The sheet also carries a 25-row lookup keyed on Maturity, five rows each for Maturity 5, 4, 3, 2 and 1, that the Likelihood Score formula reads; only the Maturity column of that lookup survived extraction.)
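The following script is an added example, not a formula from the CIS RAM workbook, that strings the definitions above together end to end: it checks the VCDB percentages from the incident counts, turns a Safeguard Maturity Score and VCDB Index into a Likelihood Score, computes Risk Score as Likelihood times the highest of the three Impacts (the Color Key definition), and repeats the arithmetic for a planned Risk Treatment Safeguard. The incident counts, total and Index values are the ones in the table above. Everything else is an assumption standing in for material that this page does not reproduce: the `likelihood_score` rule replaces the workbook's Maturity-by-VCDB lookup, and the `acceptable_max` / `catastrophic_min` thresholds in `risk_level` replace the enterprise's risk acceptance criteria. Both must be replaced with the enterprise's own values before the numbers mean anything.

```python
"""CIS RAM for IG1 scoring walk-through (added example; not the CIS workbook's own formulas)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# VCDB incident counts per asset class as listed on the VCDB Index tab (as of 7/29/2021).
VCDB_INCIDENTS: Dict[str, int] = {
    "Enterprise": 4458, "Applications": 1253, "Data": 4458,
    "Devices": 798, "Network": 62, "Users": 4458, "Unknown": 863,
}
VCDB_TOTAL = 8893  # "Sum of Threat Count / Industry" on the same tab

# VCDB Index per asset class as published on the VCDB Index tab (1 = rare ... 3 = common).
VCDB_INDEX: Dict[str, int] = {
    "Enterprise": 3, "Applications": 2, "Data": 3,
    "Devices": 1, "Network": 1, "Users": 3, "Unknown": 1,
}


def vcdb_percentage(asset_class: str) -> int:
    """Whole-percent share of reported incidents attributed to an asset class."""
    return round(100 * VCDB_INCIDENTS[asset_class] / VCDB_TOTAL)


def likelihood_score(maturity: int, vcdb_index: int) -> int:
    """Likelihood (1-3) from Safeguard Maturity Score (1-5) and VCDB Index (1-3).

    ASSUMPTION: the workbook's real lookup table is not on the page, so this
    placeholder rule is used instead: a weak Safeguard (maturity 1-2) raises the
    VCDB Index by one, a tested or sustained one (maturity 4-5) lowers it by one,
    and the result is clamped to the 1-3 Likelihood scale.
    """
    if not 1 <= maturity <= 5:
        raise ValueError("maturity must be 1..5")
    if not 1 <= vcdb_index <= 3:
        raise ValueError("vcdb_index must be 1..3")
    adjust = 1 if maturity <= 2 else (-1 if maturity >= 4 else 0)
    return min(3, max(1, vcdb_index + adjust))


def risk_score(likelihood: int, impacts: Tuple[int, int, int]) -> int:
    """Risk Score = Likelihood x the highest of the three Impacts (Color Key definition)."""
    for impact in impacts:
        if not 1 <= impact <= 3:
            raise ValueError("impact scores must be 1..3")
    return likelihood * max(impacts)


def risk_level(score: int, acceptable_max: int = 2, catastrophic_min: int = 6) -> str:
    """Acceptable / Unacceptable / Catastrophic.

    ASSUMPTION: both thresholds are placeholders for the enterprise's risk
    acceptance criteria, which this page does not reproduce.
    """
    if score <= acceptable_max:
        return "Acceptable"
    if score >= catastrophic_min:
        return "Catastrophic"
    return "Unacceptable"


@dataclass
class RegisterRow:
    """One Risk Register row: current state plus an optional planned treatment maturity."""
    safeguard: str
    asset_class: str
    maturity: int
    impacts: Tuple[int, int, int]  # (Mission, Operational Objectives, Obligations)
    treatment_maturity: Optional[int] = None


def score_row(row: RegisterRow, acceptable_max: int = 2, catastrophic_min: int = 6) -> Dict[str, object]:
    """Fill in the calculated columns for one row, including the treatment columns if planned."""
    index = VCDB_INDEX[row.asset_class]
    likelihood = likelihood_score(row.maturity, index)
    score = risk_score(likelihood, row.impacts)
    result: Dict[str, object] = {
        "safeguard": row.safeguard,
        "vcdb_index": index,
        "likelihood": likelihood,
        "risk_score": score,
        "risk_level": risk_level(score, acceptable_max, catastrophic_min),
    }
    if row.treatment_maturity is not None:
        # The planned Safeguard changes Likelihood only; the Impacts stay as assessed.
        t_likelihood = likelihood_score(row.treatment_maturity, index)
        t_score = risk_score(t_likelihood, row.impacts)
        result.update({
            "treatment_likelihood": t_likelihood,
            "treatment_risk_score": t_score,
            "treatment_acceptable": t_score <= acceptable_max,
        })
    return result


if __name__ == "__main__":
    # Constructed rows; the impact values follow the example enterprise later on this page.
    rows = [
        RegisterRow("4.2", "Users", maturity=1, impacts=(2, 2, 1), treatment_maturity=4),
        RegisterRow("12.4", "Network", maturity=3, impacts=(1, 2, 1)),
    ]
    for r in rows:
        print(score_row(r))
```

The percentage check is the useful sanity test when the VCDB counts are refreshed: if a recomputed share no longer matches the Index the sheet publishes, the Index column needs to be revisited before any Likelihood Score is trusted.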
CIS CSAT Pro

CIS CSAT Pro for CIS Controls v7.1 (Safeguard column as it appears on the page; the score columns are blank until CSAT Pro scores are pasted in):
2.6, 3.4, 3.5, 4.2, 4.3, 5.1, 6.2, 7.1, 7.7, 8.2, 8.4, 8.5, 9.4, 10.1, 10.2, 10.4, 10.5, 11.4, 12.1, 12.4, 13.1, 13.2, 13.6, 14.6, 15.7, 15.10, 16.8, 16.9, 16.11, 17.3, 17.5, 17.6, 17.7, 17.8, 17.9, 19.1, 19.3, 19.5, 19.6

CIS CSAT Pro for CIS Controls v8.0 (Safeguard column as it appears on the page; the score columns are blank until CSAT Pro scores are pasted in):
2.3, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 5.1, 5.2, 5.3, 5.4, 6.1, 6.2, 6.3, 6.4, 6.5, 7.1, 7.2, 7.3, 7.4, 8.1, 8.2, 8.3, 9.1, 9.2, 10.1, 10.2, 10.3, 11.1, 11.2, 11.3, 11.4, 12.1, 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 15.1, 17.1, 17.2, 17.3
Instructions for Importing CIS CSAT Pro Scores
into CIS RAM
1) In CIS CSAT Pro, filter on IG1 and Export Filtered CSV.
a. Go to the Assessment Summary page for the assessment of interest (this is reachable from the
Assessment Summary tab at the top of the Assessment Dashboard for that assessment).
b. Click the Filter button.
c. Select "IG-1" for the Implementation Group filter and click Search.
d. Click the "Export Filtered CSV" button to export the report.
2) Copy your scores from the exported CSAT Pro CSV file to the CIS RAM for IG1 Workbook.
a. In the CSAT Pro CSV file, copy the contents of column E (labeled “Sub-Control Score”) excluding
the heading row.
b. Go to the “CIS CSAT Pro” tab in the CIS RAM for IG1 Workbook.
c. Find the appropriate section in the “CIS CSAT Pro” tab based on which CIS Controls version you
are using (either CSAT Pro for CIS Controls v7.1 or CSAT Pro for CIS Controls v8.0).
d. Paste the copied data into the appropriate section of the “CIS CSAT Pro” tab.
e. For instance, if you are using Controls v7.1, you might copy cells E2 to E44 from the CSAT Pro
CSV to B5 to B47 in the “CIS CSAT Pro” tab of the CIS RAM for IG1 Workbook.
3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, copy the scores in the “CIS RAM Maturity Score Final” column into the
"Safeguard Maturity Score" column of the appropriate CIS RAM tab – “Risk Register 7.1 for IG1” for v7.1 of
the CIS Controls or “Risk Register 8 for IG1” for v8 of the CIS Controls.
a. Right-click to copy and "Paste Special" as "Values" (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT”
tabs, if present. If copied, these values can be deleted from the “Safeguard Maturity Score” cell and
will not affect the functionality of the CIS RAM Risk Register.
Note: Please ensure that your enterprise's method for scoring Safeguards in CSAT Pro
aligns closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.
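The copy-and-paste in step 2 only works if the exported rows are in exactly the same order as the “CIS CSAT Pro” tab; a filtered export that drops, re-sorts or duplicates a row shifts every score below it. The script below is an added example, not part of the CIS RAM workbook or of CIS CSAT, that does the same import keyed on Safeguard number instead: it keeps only IG1 rows, blanks the ‘N’ and ‘DIV/0!’ values that step 4b warns about, reports any Safeguard that is missing or unexpected, and emits the column in the order of the tab's v7.1 section. Only the “Sub-Control Score” column name is confirmed by the instructions above; the `Sub-Control` and `Implementation Group` column names, the `IG1` filter value and the sample CSV rows are constructed assumptions about the export format.

```python
"""Align a CIS CSAT Pro filtered CSV export to the CIS RAM IG1 Safeguard order (added example)."""
import csv
import io
from typing import Dict, List, Optional, Tuple

# IG1 Safeguard order for CIS Controls v7.1, as listed on the CIS RAM "CIS CSAT Pro" tab.
IG1_V71: List[str] = [
    "1.4", "1.6", "2.1", "2.2", "2.6", "3.4", "3.5", "4.2", "4.3", "5.1", "6.2",
    "7.1", "7.7", "8.2", "8.4", "8.5", "9.4", "10.1", "10.2", "10.4", "10.5",
    "11.4", "12.1", "12.4", "13.1", "13.2", "13.6", "14.6", "15.7", "15.10",
    "16.8", "16.9", "16.11", "17.3", "17.5", "17.6", "17.7", "17.8", "17.9",
    "19.1", "19.3", "19.5", "19.6",
]

# Cell contents the workbook instructions say may appear in the score column; treated as "no score".
BLANK_VALUES = {"", "N", "DIV/0!", "#DIV/0!", "#N/A"}

# ASSUMPTION: column names other than "Sub-Control Score" (column E of the export) are guesses.
ID_COLUMN = "Sub-Control"
IG_COLUMN = "Implementation Group"
SCORE_COLUMN = "Sub-Control Score"


def parse_scores(csv_text: str, ig_filter: str = "IG1") -> Dict[str, Optional[float]]:
    """Read the export and return {safeguard: score or None} for rows in the wanted IG."""
    scores: Dict[str, Optional[float]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[IG_COLUMN].strip() != ig_filter:
            continue
        safeguard = row[ID_COLUMN].strip()
        if safeguard in scores:
            raise ValueError(f"duplicate row for Safeguard {safeguard}")
        raw = row[SCORE_COLUMN].strip()
        if raw in BLANK_VALUES:
            scores[safeguard] = None
            continue
        try:
            scores[safeguard] = float(raw)
        except ValueError as exc:
            raise ValueError(f"unexpected score {raw!r} for Safeguard {safeguard}") from exc
    return scores


def align_scores(
    scores: Dict[str, Optional[float]], order: List[str] = IG1_V71
) -> Tuple[List[Optional[float]], List[str], List[str]]:
    """Order scores to match the workbook column; also report missing and unexpected Safeguards."""
    ordered = [scores.get(sg) for sg in order]
    missing = [sg for sg in order if sg not in scores]
    unexpected = sorted(set(scores) - set(order), key=lambda s: [int(p) for p in s.split(".")])
    return ordered, missing, unexpected


def paste_column(ordered: List[Optional[float]]) -> List[str]:
    """Cell values to paste into the score column: whole numbers as text, blanks for no score."""
    return ["" if v is None else (str(int(v)) if v.is_integer() else str(v)) for v in ordered]


# Constructed sample export (not real CSAT data): rows out of order, one IG2 row,
# and the two non-numeric values the workbook instructions mention.
SAMPLE_CSV = """Sub-Control,Implementation Group,Sub-Control Score
2.1,IG1,4
1.4,IG1,3
1.6,IG1,N
3.4,IG1,#DIV/0!
3.7,IG2,5
19.6,IG1,2
"""

if __name__ == "__main__":
    ordered, missing, unexpected = align_scores(parse_scores(SAMPLE_CSV))
    print(paste_column(ordered))
    print("missing:", missing)
    print("unexpected:", unexpected)
```

The `missing` list is the check worth reading before pasting: a Safeguard absent from the export lands as a blank rather than silently inheriting its neighbour's score, and a non-empty `unexpected` list usually means the IG filter was not applied in CSAT Pro.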
Maturity Scores 1 through 5 and their Definitions are repeated on this tab (see Maturity Scores above).
CIS-Hosted CSAT

CIS-Hosted CSAT for CIS Controls v7.1
Safeguard (one row each): 1.4, 1.6, 2.1, 2.2, 2.6, 3.4, 3.5, 4.2, 4.3, 5.1, 6.2, 7.1, 7.7, 8.2, 8.4, 8.5, 9.4, 10.1, 10.2, 10.4, 10.5, 11.4, 12.1, 12.4, 13.1, 13.2, 13.6, 14.6, 15.7, 15.10, 16.8, 16.9, 16.11, 17.3, 17.5, 17.6, 17.7, 17.8, 17.9, 19.1, 19.3, 19.5, 19.6
Columns: CSAT Values From XLSX Export (one column per CIS-Hosted CSAT scoring category, including Control Automated and Control Reported) | Calculated Numerical Score | CIS RAM Maturity Score Average | CIS RAM Maturity Score Final
Value key rows on the sheet: Unknown / -, None / None, Unscored.
Every calculated cell shows #N/A until CSAT values are pasted in.
CIS-Hosted CSAT for CIS Controls v8.0
Safeguard (one row each): 1.1, 1.2, 2.1, 2.2, 2.3, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 5.1, 5.2, 5.3, 5.4, 6.1, 6.2, 6.3, 6.4, 6.5, 7.1, 7.2, 7.3, 7.4, 8.1, 8.2, 8.3, 9.1, 9.2, 10.1, 10.2, 10.3, 11.1, 11.2, 11.3, 11.4, 12.1, 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 15.1, 17.1, 17.2, 17.3
Columns: CSAT Values From XLSX Export (one column per CIS-Hosted CSAT scoring category, including Control Automated and Control Reported) | Calculated Numerical Score | CIS RAM Maturity Score Average | CIS RAM Maturity Score Final
Every calculated cell shows #N/A until CSAT values are pasted in.
Instructions for Importing CIS-Hosted CSAT Scores into CIS RAM
1) In CIS-Hosted CSAT, filter on IG1 and export the filtered Safeguards.
a. Go to the All Controls page for the assessment of interest (this is reachable from the All Controls
left under “Current Assessment”).
b. Click the Filter button.
c. Select “Group 1” for the Implementation Group filter and click Filter.
d. Check to see if any of these Safeguards are in the blue (Not Assessed) state. You can see this
will be a colored circle in each row by the Safeguard number. Any Safeguards that have a blue circle
you have any blue Safeguards and you want to continue these steps, one way to get them out of the
2) Copy your scores from the exported CSAT XLSX file to the CIS RAM for IG1 Workbook.
b. Go to the “CIS-Hosted CSAT” tab in the CIS RAM for IG1 Workbook.
c. Find the appropriate section in the “CIS-Hosted CSAT” tab based on which CIS Controls version you are using (either CIS-Hosted CSAT for CIS Controls v7.1 or CIS-Hosted CSAT for CIS Controls v8.0).
d. Paste the copied data into the appropriate section of the “CIS-Hosted CSAT” tab.
e. For instance, if you are using Controls v7.1, you might copy the cells from E2:E44 over to H2:H4
CSAT XLSX file, select cell B14 in the “CIS-Hosted CSAT” tab in the CIS RAM for IG1 Workbook and
3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, copy the scores in the “CIS RAM Maturity Score Final” column into the “Safeguard Maturity Score” column of the appropriate CIS RAM tab – “Risk Register 7.1 for IG1” for v7.1 of the CIS Controls or “Risk Register 8 for IG1” for v8 of the CIS Controls.
a. Right-click to copy and "Paste Special" as "Values" (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT” tabs, if present. If copied, these values can be deleted from the “Safeguard Maturity Score” cell and will not affect the functionality of the CIS RAM Risk Register.
Note: This method will average the four scoring categories in CIS-Hosted CSAT for each Safeguard and aligns those averages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, as defined below, to ensure this method aligns closely enough for your enterprise's scoring practices.
Maturity Scores 1 through 5 and their Definitions are repeated on this tab (see Maturity Scores above).
This is a free tool with a dynamic list of the CIS Safeguards that can be filtered by Implementation Groups and mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/

Join our Community where you can discuss the CIS Controls with our global army of experts and volunteers!
https://workbench.cisecurity.org/dashboard

Overview: The CIS Controls® Self Assessment Tool, also known as CIS CSAT, enables organizations to assess and track their implementation of the CIS Controls for Versions 8 and 7.1. The CIS Controls are a prioritized set of consensus-developed security best practices used by organizations around the world to defend against cyber threats.

TWO TYPES:

CIS-Hosted CSAT: The CIS-hosted version of CIS CSAT is free to every organization for use in a non-commercial capacity to conduct CIS Controls assessments of their organization. (released January 2019)
https://csat.cisecurity.org/

CIS CSAT Pro: The on-premises version of CIS CSAT is available exclusively for CIS SecureSuite Members. This version offers additional features and benefits (released August 2020):
- Save time by using a simplified scoring method with a reduced number of questions
- Decide whether to opt in to share data and see how scores compare to industry average
- Greater flexibility with organization trees for tracking organizations, sub-organizations, and assessments
- Assign users to different roles for different organizations/sub-organizations as well as greater separation of administrative and non-administrative roles
- Track multiple concurrent assessments in the same organization
- Easily access your tasks, assessments, and organizations from a consolidated home page
- Includes CIS Controls Safeguard mappings to NIST CSF, NIST SP 800-53, and PCI
https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat/
Enterprise Name: State College
CIS RAM Risk Register Scope: All assets
Last Completed (Date): 20-Aug-21
Impact Criteria

Definition
  Mission: To prepare each generation to succeed to the best of their ability; To inspire young artists to find their voice; To meet or exceed performance standards issued by the state; To help each student achieve their potential.
  Operational Objectives: Maintain an operational budget; Grow the Foundation.
  Financial Objectives: (comment, Chris Cronin: This enterprise could tolerate a loss up to $20,000.)
  Obligations: (blank in this sample)

1. Acceptable
  Mission: We would achieve our mission.
  Operational Objectives: We would meet our objectives.
Asset Class | Mission Impact | Operational Objectives Impact
Enterprise | 2 | 2
Devices | 2 | 2
Applications | 2 | 2
Data | 2 | 2
Network | 1 | 2
Users | 2 | 2
Risk Register

CIS Safeguard # | CIS Safeguard Title | Asset Class
1.6 | Address Unauthorized Assets | Devices
2.1 | Maintain Inventory of Authorized Software | Applications
2.2 | Ensure Software is Supported by Vendor | Applications
2.6 | Address Unapproved Software | Applications
3.4 | Deploy Automated Operating System Patch Management Tools | Devices
3.5 | Deploy Automated Software Patch Management Tools | Devices
4.2 | Change Default Passwords | Users
8.2 | Ensure Anti-Malware Software and Signatures Are Updated | Devices
8.4 | Configure Anti-Malware Scanning of Removable Devices | Devices
9.4 | Apply Host-Based Firewalls or Port-Filtering | Network
10.1 | Ensure Regular Automated Backups | Data
12.4 | Deny Communication Over Unauthorized Ports | Network
13.1 | Maintain an Inventory of Sensitive Information | Data
14.6 | Protect Information Through Access Control Lists | Data
16.9 | Disable Dormant Accounts | Users
16.11 | Lock Workstation Sessions After Inactivity | Devices
17.3 | Implement a Security Awareness Program | Users
17.5 | Train Workforce on Secure Authentication | Users
17.6 | Train Workforce on Identifying Social Engineering Attacks | Users
17.7 | Train Workforce on Sensitive Data Handling | Users
17.8 | Train Workforce on Causes of Unintentional Data Exposure | Users
19.1 | Document Incident Response Procedures | Enterprise
19.3 | Designate Management Personnel to Support Incident Handling | Enterprise
19.5 | Maintain Contact Information For Reporting Security Incidents | Enterprise
19.6 | Publish Information Regarding Reporting Computer Anomalies and Incidents | Enterprise
Safeguard Maturity Score | VCDB Index | Likelihood Score | Impact to Mission | Impact to Operational Objectives | Impact to Obligations
(43 rows; the Safeguard title list above is incomplete in this extraction.)
3 | 1 | 2 | 2 | 2 | 2
3 | 1 | 2 | 2 | 2 | 2
2 | 2 | 2 | 2 | 2 | 3
4 | 2 | 1 | 2 | 2 | 3
1 | 2 | 3 | 2 | 2 | 3
4 | 1 | 1 | 2 | 2 | 2
1 | 1 | 2 | 2 | 2 | 2
3 | 3 | 2 | 2 | 2 | 3
4 | 3 | 2 | 2 | 2 | 3
5 | 1 | 1 | 2 | 2 | 2
2 | 1 | 2 | 2 | 2 | 2
2 | 1 | 2 | 2 | 2 | 2
1 | 1 | 2 | 2 | 2 | 2
2 | 1 | 2 | 2 | 2 | 2
4 | 1 | 1 | 2 | 2 | 2
3 | 1 | 2 | 2 | 2 | 2
3 | 1 | 2 | 1 | 2 | 2
3 | 3 | 2 | 2 | 2 | 3
1 | 3 | 3 | 2 | 2 | 3
1 | 3 | 3 | 2 | 2 | 3
2 | 3 | 2 | 2 | 2 | 3
4 | 1 | 1 | 1 | 2 | 2
1 | 1 | 2 | 1 | 2 | 2
1 | 1 | 2 | 1 | 2 | 2
1 | 3 | 3 | 2 | 2 | 3
1 | 3 | 3 | 2 | 2 | 3
2 | 1 | 2 | 2 | 2 | 2
4 | 3 | 2 | 2 | 2 | 3
3 | 1 | 2 | 1 | 2 | 2
1 | 1 | 2 | 1 | 2 | 2
2 | 3 | 2 | 2 | 2 | 3
4 | 3 | 2 | 2 | 2 | 3
2 | 1 | 2 | 2 | 2 | 2
5 | 3 | 1 | 2 | 2 | 3
1 | 3 | 3 | 2 | 2 | 3
2 | 3 | 2 | 2 | 2 | 3
3 | 3 | 2 | 2 | 2 | 3
4 | 3 | 2 | 2 | 2 | 3
5 | 3 | 1 | 2 | 2 | 3
2 | 3 | 2 | 2 | 2 | 3
1 | 3 | 3 | 2 | 2 | 3
1 | 3 | 3 | 2 | 2 | 3
3 | 3 | 2 | 2 | 2 | 3
[...] page is considered sample data only, [...] to reflect an individual organization's [...]. Only to be used for demonstration purposes.
Risk Register

Risk Score | Risk Level | Risk Treatment Option | Risk Treatment Safeguard | Risk Treatment Safeguard Title
2 | | Accept | | Configure Anti-Malware Scanning of Removable Devices
9 | | Reduce | 13.1 | Maintain an Inventory of Sensitive Information
9 | | Reduce | 19.3 | Designate Management Personnel to Support Incident Handling
Risk Treatment

Risk Treatment Safeguard Likelihood | Risk Treatment Safeguard Impact to Mission | Risk Treatment Safeguard Impact to Operational Objectives | Risk Treatment Safeguard Impact to Obligations | Risk Treatment Safeguard Risk Score
(A "-" marks a cell left blank in the sample.)
1 | 2 | 2 | 2 | 2
1 | 2 | 2 | 2 | 2
1 | 2 | 2 | 3 | 3
- | 2 | 2 | 3 | -
1 | 2 | 2 | 3 | 3
- | 2 | 2 | 2 | -
1 | 2 | 2 | 2 | 2
2 | 2 | 2 | 3 | 6
2 | 2 | 2 | 3 | 6
- | 2 | 2 | 2 | -
2 | 2 | 2 | 2 | 4
2 | 2 | 2 | 2 | 4
2 | 2 | 2 | 2 | 4
2 | 2 | 2 | 2 | 4
- | 2 | 2 | 2 | -
2 | 2 | 2 | 2 | 4
2 | 1 | 2 | 2 | 4
2 | 2 | 2 | 3 | 6
3 | 2 | 2 | 3 | 9
3 | 2 | 2 | 3 | 9
2 | 2 | 2 | 3 | 6
- | 1 | 2 | 2 | -
2 | 1 | 2 | 2 | 4
2 | 1 | 2 | 2 | 4
3 | 2 | 2 | 3 | 9
3 | 2 | 2 | 3 | 9
2 | 2 | 2 | 2 | 4
- | 2 | 2 | 3 | -
2 | 1 | 2 | 2 | 4
2 | 1 | 2 | 2 | 4
2 | 2 | 2 | 3 | 6
2 | 2 | 2 | 3 | 6
2 | 2 | 2 | 2 | 4
- | 2 | 2 | 3 | -
3 | 2 | 2 | 3 | 9
2 | 2 | 2 | 3 | 6
2 | 2 | 2 | 3 | 6
2 | 2 | 2 | 3 | 6
- | 2 | 2 | 3 | -
2 | 2 | 2 | 3 | 6
3 | 2 | 2 | 3 | 9
3 | 2 | 2 | 3 | 9
2 | 2 | 2 | 3 | 6
Reasonable and Acceptable | Risk Treatment Safeguard Cost | Implementation Quarter | Implementation Year | Impact to Financial Objectives
Yes | | Q2 | 2022 | $ -
Yes | | Q3 | 2022 | $ -
Yes | | Q4 | 2022 | $ -
Yes | | Q2 | 2022 | $ -
Yes | | Q1 | 2023 | $ -
Yes | | Q2 | 2023 | $ -
Yes | | Q4 | 2021 | $ -
No | | Q4 | 2021 | $ -
  Comment (Chris Cronin): If the safeguard is implemented at maturity '4' the safeguard risk will still be too high. Using, auditing, and correcting PAM may not be enough in this case. The enterprise may consider an automated approach to ensure that PAM is consistently enforced and automatically improved over time.
No | | | | $ -
Yes | | | | $ -
Yes | | | |
Yes | | | |
Yes | | | |
Yes | | | |
Yes | | | |
Yes | | | |
Yes | | | |
No | | | |
No | | | |
No | | | |
No | | | |
Yes | | | |
Yes | | | |
Yes | | | |
No | | | |
No | | | |
Yes | | | |
No | | | |
Yes | | | |
Yes | | | |
No | | | |
No | | | |
Yes | | | |
Yes | | | |
No | | | |
No | | | |
No | | | |
No | | | |
Yes | | | |
No | | | |
No | | | |
No | | | |
No | | | |
Year | Reasonable?
2021 | Yes
2022 | Yes
2023 | Yes
2024 | Yes
2025 | Yes
2026 | Yes
2027 | Yes
2028 | Yes
2029 | Yes
2030 | Yes
CIS CSAT Pro
CIS CSAT Pro for CIS Controls v7.1

(Four score cells per Safeguard, 43 rows; the header row was not captured in this extraction. #DIV/0! is the spreadsheet's result when every cell being averaged is non-numeric, i.e. the Safeguard was not scored in CSAT.)
5 | 3 | 4 | 4
3 | 4 | 3 | 3
5 | 5 | 5 | 5
4 | 5 | 4 | 4
2 | 3 | 2 | 2
3 | 4 | 3 | 3
3 | 3 | 3 | 3
3 | 4 | 4 | 4
5 | 5 | 5 | 5
4 | 5 | 4 | 4
4 | 5 | 5 | 5
5 | 4 | 4 | 4
4 | 4 | 4 | 4
2 | 1 | 1 | 1
2 | 1 | 1 | 1
1 | 1 | 1 | 1
4 | 4 | 4 | 4
5 | 3 | 4 | 4
4 | 5 | 4 | 4
4 | 5 | 5 | 5
5 | 5 | 5 | 5
5 | 4 | 5 | 5
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
5 | 5 | 5 | 5
5 | 5 | 5 | 5
5 | 5 | 5 | 5
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
5 | 5 | 5 | 5
5 | 5 | 5 | 5
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
5 | Unknown - N/A | 5 | 5
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
Unknown - Unscored | Unknown - Unscored | #DIV/0! | #DIV/0!
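The two computations this workbook performs, written out as an added Python example (not part of the CIS RAM workbook or of CIS CSAT): averaging a Safeguard's CIS CSAT category scores into a maturity score, as the note at the top of this sheet describes, and multiplying likelihood by the highest impact to get a risk score that is then accepted or reduced. The product formula reproduces every complete row of the Risk Treatment table above (for example 2 x max(2, 2, 3) = 6 and 3 x max(2, 2, 3) = 9). The acceptance threshold of 4, the round-half-up mapping of averages onto the 1-5 maturity scale, and all function and constant names are assumptions inferred from the sample rows rather than stated by the workbook. Where the spreadsheet shows #DIV/0! for a Safeguard whose score cells all read "Unknown - Unscored", this code returns None so the gap is reported instead of being carried into a formula.

```python
"""Added example: CIS RAM-style Safeguard scoring helpers.

Illustrative code, not part of the CIS RAM workbook or CIS CSAT. The
risk-score product (likelihood x highest impact) reproduces the complete
rows of the sample Risk Treatment table; ACCEPTABLE_RISK and the
average-to-maturity rounding are assumptions inferred from the sample.
"""
from statistics import mean
from typing import Optional, Sequence, Union

Cell = Union[int, float, str]

# Text that CIS CSAT exports for a category with no numeric score. A
# spreadsheet AVERAGE() over a row made only of these produces #DIV/0!.
UNSCORED_CELLS = {"Unknown - Unscored", "Unknown - N/A"}

# Assumption: the sample marks Safeguard risk scores of 2-4 as acceptable
# and 6-9 as not, so the threshold used here is 4.
ACCEPTABLE_RISK = 4


def csat_average(cells: Sequence[Cell]) -> Optional[float]:
    """Average the numeric CSAT category scores for one Safeguard.

    Unscored cells are skipped; if nothing numeric remains the function
    returns None instead of dividing by zero (the #DIV/0! case). Any
    other text is a data error and is rejected loudly.
    """
    numeric = []
    for cell in cells:
        if isinstance(cell, str):
            if cell.strip() in UNSCORED_CELLS:
                continue
            raise ValueError(f"unexpected CSAT cell value: {cell!r}")
        numeric.append(float(cell))
    return mean(numeric) if numeric else None


def maturity_from_average(avg: Optional[float]) -> Optional[int]:
    """Align an average onto the 1-5 CIS RAM maturity scale.

    Assumption: round half up and clamp to [1, 5]; the workbook's own
    alignment rule is not stated on this sheet.
    """
    if avg is None:
        return None
    return max(1, min(5, int(avg + 0.5)))


def risk_score(likelihood: int, impacts: Sequence[int]) -> int:
    """Risk score = likelihood x highest impact, on the 1-3 scales used here."""
    if not 1 <= likelihood <= 3:
        raise ValueError("likelihood must be 1-3")
    if not impacts or any(not 1 <= i <= 3 for i in impacts):
        raise ValueError("each impact must be 1-3")
    return likelihood * max(impacts)


def treatment_option(score: int) -> str:
    """Accept risks at or below ACCEPTABLE_RISK, otherwise reduce them."""
    return "Accept" if score <= ACCEPTABLE_RISK else "Reduce"


def evaluate_safeguard(csat_cells: Sequence[Cell], likelihood: int,
                       impacts: Sequence[int]) -> dict:
    """Combine both steps for one register row."""
    score = risk_score(likelihood, impacts)
    return {
        "maturity": maturity_from_average(csat_average(csat_cells)),
        "risk_score": score,
        "acceptable": score <= ACCEPTABLE_RISK,
        "treatment": treatment_option(score),
    }


# Constructed sample rows: the cell values appear in the sheets above, but
# the pairing of CSAT scores with likelihood and impacts is made up here.
SAMPLE_ROWS = [
    ([5, 3, 4, 4], 1, [2, 2, 2]),                # maturity 4, risk 2, Accept
    ([2, 1, 1, 1], 3, [2, 2, 3]),                # maturity 1, risk 9, Reduce
    ([5, "Unknown - N/A", 5, 5], 2, [2, 2, 2]),  # partial score still averages
    (["Unknown - Unscored"] * 4, 2, [1, 2, 2]),  # unscored: maturity is None
]

if __name__ == "__main__":
    for cells, likelihood, impacts in SAMPLE_ROWS:
        print(evaluate_safeguard(cells, likelihood, impacts))
```

Run it directly to print the evaluation of the constructed rows. A maturity of None is the signal to go back and score the Safeguard in CSAT before trusting its likelihood and risk row; the spreadsheet's #DIV/0! carries the same meaning but propagates into every formula that reads the cell.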
CIS-Hosted CSAT
(The sample scores on this sheet are identical, row for row, to the CIS CSAT Pro for CIS Controls v7.1 sheet above.)