Enterprise Name

CIS RAM Risk Register Scope

Last Completed (Date)

Impact Criteria

Impact Scores Mission Operational Objectives

Definition

We would achieve our We would meet our

1. Acceptable
mission. objectives.
We would have to We would have to
reinvest or correct the reinvest or correct the
2. Unacceptable
situation to achieve our situation to achieve our
mission. objectives.

We would not be able to We would not be able to

3. Catastrophic
achieve our mission. meet our objectives.

What is the highest impact to the Mission, Operational Objectives, and

Obligations that each asset type could cause? To make this simple, add
values ('1' through '3') for "Enterprise" only and leave the indented rows
Inherent Risk Criteria
below "Enterprise" blank. If you wish to estimate risks for each Asset Class,
you must also add values to the rows that contain the Asset Classes you
wish to analyze.

Operational Objectives
Asset Class Mission Impact
Impact
Enterprise
Devices
Applications
Data
Network
Users

Risk Register
CIS Safeguard # CIS Safeguard Title Asset Class

Maintain Detailed Asset

1.4 Devices
Inventory

Address Unauthorized
1.6 Devices
Assets

Maintain Inventory of
2.1 Applications
Authorized Software

Ensure Software is
2.2 Applications
Supported by Vendor

Address Unapproved
2.6 Applications
Software

Deploy Automated
3.4 Operating System Patch Devices
Management Tools

Deploy Automated
3.5 Software Patch Devices
Management Tools
Change Default
4.2 Users
Passwords

Ensure the Use of

4.3 Dedicated Administrative Users
Accounts

Establish Secure
5.1 Devices
Configurations
6.2 Activate Audit Logging Devices

Ensure Use of Only Fully

7.1 Supported Browsers and Devices
Email Clients

Use of DNS Filtering

7.7 Devices
Services

Ensure Anti-Malware
8.2 Software and Signatures Devices
Are Updated

Configure Anti-Malware
8.4 Scanning of Removable Devices
Devices
 Configure Devices to Not
8.5 Devices
Auto-Run Content

Apply Host-Based
9.4 Network
Firewalls or Port-Filtering

Ensure Regular
10.1 Data
Automated BackUps

Perform Complete
10.2 Data
System Backups

10.4 Protect Backups Data

Ensure All Backups

Have at Least One
10.5 Data
Offline Backup
Destination

Install the Latest Stable

Version of Any Security-
11.4 Network
Related Updates on All
Network Devices

Maintain an Inventory of
12.1 Network
Network Boundaries

Deny Communication
12.4 Network
Over Unauthorized Ports

Maintain an Inventory of
13.1 Data
Sensitive Information

Remove Sensitive Data

or Systems Not
13.2 Data
Regularly Accessed by
Organization

Encrypt Mobile Device

13.6 Devices
Data

Protect Information
14.6 Through Access Control Data
Lists

Leverage the Advanced

Encryption Standard
15.7 Network
(AES) to Encrypt
Wireless Data
 Create Separate
Wireless Network for
15.10 Network
Personal and Untrusted
Devices

Disable Any
16.8 Users
Unassociated Accounts

Disable Dormant
16.9 Users
Accounts

Lock Workstation
16.11 Devices
Sessions After Inactivity

Implement a Security
17.3 Users
Awareness Program

Train Workforce on
17.5 Users
Secure Authentication
Train Workforce on
17.6 Identifying Social Users
Engineering Attacks

Train Workforce on
17.7 Users
Sensitive Data Handling

Train Workforce on
17.8 Causes of Unintentional Users
Data Exposure

Train Workforce
17.9 Members on Identifying Users
and Reporting Incidents

Document Incident
19.1 Enterprise
Response Procedures

Designate Management
19.3 Personnel to Support Enterprise
Incident Handling

Maintain Contact
Information For
19.5 Enterprise
Reporting Security
Incidents
Publish Information
Regarding Reporting
19.6 Enterprise
Computer Anomalies
and Incidents
 Financial Objectives Obligations

The high dollar limit for

each impact score.

No harm would come to

others.

The harm that would

come to others would be
correctable.

The harm that would

come to others would not
be correctable.

n, Operational Objectives, and

ause? To make this simple, add
nly and leave the indented rows
estimate risks for each Asset Class,
at contain the Asset Classes you

Obligations Impact

Risk Analysis
 Impact to
Safeguard Maturity Likelihood Impact to Impact to
VCDB Index Operational
Score Score Mission Obligations
Objectives

1 0 0 0

1 0 0 0

2 0 0 0

2 0 0 0

2 0 0 0

1 0 0 0

1 0 0 0

3 0 0 0

3 0 0 0

1 0 0 0

1 0 0 0

1 0 0 0

1 0 0 0

1 0 0 0

1 0 0 0
1 0 0 0

1 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

1 0 0 0

1 0 0 0

1 0 0 0

3 0 0 0

3 0 0 0

1 0 0 0

3 0 0 0

1 0 0 0
1 0 0 0

3 0 0 0

3 0 0 0

1 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0
Risk Register
 Risk
Risk Treatment Risk Treatment
Risk Score Risk Level Treatment
Safeguard Safeguard Title
Option

Maintain Detailed Asset

1.4
Inventory

1.6 Address Unauthorized Assets

Maintain Inventory of Authorized

2.1
Software

Ensure Software is Supported

2.2
by Vendor

2.6 Address Unapproved Software

Deploy Automated Operating

3.4 System Patch Management
Tools

Deploy Automated Software

3.5
Patch Management Tools

4.2 Change Default Passwords

Ensure the Use of Dedicated

4.3
Administrative Accounts

5.1 Establish Secure Configurations

6.2 Activate Audit Logging

Ensure Use of Only Fully

7.1 Supported Browsers and Email
Clients

7.7 Use of DNS Filtering Services

Ensure Anti-Malware Software

8.2
and Signatures Are Updated

Configure Anti-Malware
8.4 Scanning of Removable
Devices
 Configure Devices to Not Auto-
8.5
Run Content

Apply Host-Based Firewalls or

9.4
Port-Filtering

Ensure Regular Automated

10.1
BackUps

Perform Complete System

10.2
Backups

10.4 Protect Backups

Ensure All Backups Have at

10.5 Least One Offline Backup
Destination

Install the Latest Stable Version

11.4 of Any Security-Related
Updates on All Network Devices

Maintain an Inventory of
12.1
Network Boundaries

Deny Communication Over

12.4
Unauthorized Ports

Maintain an Inventory of
13.1
Sensitive Information

Remove Sensitive Data or

13.2 Systems Not Regularly
Accessed by Organization

13.6 Encrypt Mobile Device Data

Protect Information Through

14.6
Access Control Lists

Leverage the Advanced

15.7 Encryption Standard (AES) to
Encrypt Wireless Data
 Create Separate Wireless
15.10 Network for Personal and
Untrusted Devices

Disable Any Unassociated

16.8
Accounts

16.9 Disable Dormant Accounts

Lock Workstation Sessions After

16.11
Inactivity

Implement a Security
17.3
Awareness Program

Train Workforce on Secure

17.5
Authentication

Train Workforce on Identifying

17.6
Social Engineering Attacks

Train Workforce on Sensitive

17.7
Data Handling

Train Workforce on Causes of

17.8
Unintentional Data Exposure

Train Workforce Members on

17.9 Identifying and Reporting
Incidents

Document Incident Response

19.1
Procedures

Designate Management
19.3 Personnel to Support Incident
Handling

Maintain Contact Information

19.5
For Reporting Security Incidents

Publish Information Regarding

19.6 Reporting Computer Anomalies
and Incidents
Risk Treatment
 Risk Treatment Our Planned
Safeguard Description Implementation

Maintain an accurate and up-to-date inventory of all technology

assets with the potential to store or process information. This
inventory shall include all hardware assets, whether connected to
the organization's network or not.
Ensure that unauthorized assets are either removed from the
network, quarantined, or the inventory is updated in a timely
manner.

Maintain an up-to-date list of all authorized software that is required

in the enterprise for any business purpose on any business system.

Ensure that only software applications or operating systems

currently supported by the software's vendor are added to the
organization's authorized software inventory. Unsupported software
should be tagged as unsupported in the inventory system.

Ensure that unauthorized software is either removed or the inventory

is updated in a timely manner.

Deploy automated software update tools in order to ensure that the

operating systems are running the most recent security updates
provided by the software vendor.

Deploy automated software update tools in order to ensure that

third-party software on all systems is running the most recent
security updates provided by the software vendor.
Before deploying any new asset, change all default passwords to
have values consistent with administrative level accounts.
Ensure that all users with administrative account access use a
dedicated or secondary account for elevated activities. This account
should only be used for administrative activities and not internet
browsing, email, or similar activities.
Maintain documented, standard security configuration standards for
all authorized operating systems and software.
Ensure that local logging has been enabled on all systems and
networking devices.

Ensure that only fully supported web browsers and email clients are
allowed to execute in the organization, ideally only using the latest
version of the browsers and email clients provided by the vendor.

Use DNS filtering services to help block access to known malicious

domains.

Ensure that the organization's anti-malware software updates its

scanning engine and signature database on a regular basis.

Configure devices so that they automatically conduct an anti-

malware scan of removable media when inserted or connected.
Configure devices to not auto-run content from removable media.

Apply host-based firewalls or port filtering tools on end systems, with

a default-deny rule that drops all traffic except those services and
ports that are explicitly allowed.
Ensure that all system data is automatically backed up on a regular
basis.
Ensure that each of the organization's key systems are backed up
as a complete system, through processes such as imaging, to
enable the quick recovery of an entire system.
Ensure that backups are properly protected via physical security or
encryption when they are stored, as well as when they are moved
across the network. This includes remote backups and cloud
services.

Ensure that all backups have at least one backup destination that is
not continuously addressable through operating system calls.

Install the latest stable version of any security-related updates on all

network devices.

Maintain an up-to-date inventory of all of the organization's network

boundaries.
Deny communication over unauthorized TCP or UDP ports or
application traffic to ensure that only authorized protocols are
allowed to cross the network boundary in or out of the network at
each of the organization's network boundaries.

Maintain an inventory of all sensitive information stored, processed,

or transmitted by the organization's technology systems, including
those located onsite or at a remote service provider.

Remove sensitive data or systems not regularly accessed by the

organization from the network. These systems shall only be used as
stand alone systems (disconnected from the network) by the
business unit needing to occasionally use the system or completely
virtualized and powered off until needed.
Utilize approved whole disk encryption software to encrypt the hard
drive of all mobile devices.

Protect all information stored on systems with file system, network

share, claims, application, or database specific access control lists.
These controls will enforce the principle that only authorized
individuals should have access to the information based on their
need to access the information as a part of their responsibilities.

Leverage the Advanced Encryption Standard (AES) to encrypt

wireless data in transit.
Maintain an inventory of authorized wireless access points
connected to the wired network.

Disable any account that cannot be associated with a business

process or business owner.

Automatically disable dormant accounts after a set period of

inactivity.

Automatically lock workstation sessions after a standard period of

inactivity.

Create a security awareness program for all workforce members to

complete on a regular basis to ensure they understand and exhibit
the necessary behaviors and skills to help ensure the security of the
organization. The organization's security awareness program should
be communicated in a continuous and engaging manner.

Train workforce members on the importance of enabling and utilizing

secure authentication.
Train the workforce on how to identify different forms of social
engineering attacks, such as phishing, phone scams, and
impersonation calls.

Train workforce on how to identify and properly store, transfer,

archive, and destroy sensitive information.

Train workforce members to be aware of causes for unintentional

data exposures, such as losing their mobile devices or emailing the
wrong person due to autocomplete in email.

Train employees to be able to identify the most common indicators

of an incident and be able to report such an incident.

Ensure that there are written incident response plans that define
roles of personnel as well as phases of incident
handling/management.

Designate management personnel, as well as backups, who will

support the incident handling process by acting in key decision-
making roles.

Assemble and maintain information on third-party contact

information to be used to report a security incident, such as Law
Enforcement, relevant government departments, vendors, and ISAC
partners.
Publish information for all workforce members, regarding reporting
computer anomalies and incidents to the incident handling team.
Such information should be included in routine employee awareness
activities.
reatment
 Risk Treatment
Risk Treatment Risk Treatment
Risk Treatment Safeguard Impact
Safeguard Safeguard Impact to
Safeguard Maturity Score to Operational
Likelihood Score Mission
Objectives

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0
0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0
0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0

0 0
 Risk Treatment Risk Treatment
Reasonable and Risk Treatment Implementation
Safeguard Impact Safeguard Risk
Acceptable Safeguard Cost Quarter
to Obligations Score

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No
0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No
0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No

0 No
Implementation Impact to Financial
Year Reasonable?
Year Objectives

$ - 2021 Yes

$ - 2022 Yes

$ - 2023 Yes

$ - 2024 Yes

$ - 2025 Yes

$ - 2026 Yes

$ - 2027 Yes

$ - 2028 Yes

$ - 2029 Yes

$ - 2030 Yes
 Enterprise Name
CIS RAM Risk Register Scope
Last Completed (Date)

Impact Criteria

Impact Scores Mission Operational Objectives

Definition

We would achieve our We would meet our

1. Acceptable
mission. objectives.
We would have to We would have to
reinvest or correct the reinvest or correct the
2. Unacceptable
situation to achieve our situation to achieve our
mission. objectives.

We would not be able to We would not be able to

3. Catastrophic
achieve our mission. meet our objectives.

What is the highest impact to the Mission, Operational Objectives, and

Obligations that each Asset Type could cause? To make this simple, add
values ('1' through '3') for "Enterprise" only and leave the indented rows
Inherent Risk Criteria
below "Enterprise" blank. If you wish to estimate risks for each Asset Class,
you must also add values to the rows that contain the Asset Classes you
wish to analyze.

Operational Objectives
Asset Class Mission Impact
Impact
Enterprise
Devices
Applications
Data
Network
Users

Risk Register

CIS Safeguard # CIS Safeguard Title Asset Class

 Establish and Maintain
1.1 Detailed Enterprise Devices
Asset Inventory

Address Unauthorized
1.2 Devices
Assets

Establish and Maintain a

2.1 Applications
Software Inventory

Ensure Authorized
2.2 Software is Currently Applications
Supported

Address Unauthorized
2.3 Applications
Software

Establish and Maintain a

3.1 Data Management Data
Process

Establish and Maintain a

3.2 Data
Data Inventory

Configure Data Access

3.3 Data
Control Lists

3.4 Enforce Data Retention Data

Securely Dispose of
3.5 Data
Data
Encrypt Data on End-
3.6 Devices
User Devices

Establish and Maintain a

4.1 Secure Configuration Applications
Process

Establish and Maintain a

Secure Configuration
4.2 Network
Process for Network
Infrastructure
 Configure Automatic
4.3 Session Locking on Users
Enterprise Assets

Implement and Manage

4.4 Devices
a Firewall on Servers

Implement and Manage

4.5 a Firewall on End-User Devices
Devices

Securely Manage
4.6 Enterprise Assets and Network
Software

Manage Default
4.7 Accounts on Enterprise Users
Assets and Software

Establish and Maintain

5.1 Users
an Inventory of Accounts

5.2 Use Unique Passwords Users

Disable Dormant
5.3 Users
Accounts
Restrict Administrator
5.4 Privileges to Dedicated Users
Administrator Accounts
Establish an Access
6.1 Users
Granting Process

Establish an Access
6.2 Users
Revoking Process

Require MFA for

6.3 Externally-Exposed Users
Applications

Require MFA for Remote

6.4 Users
Network Access

Require MFA for

6.5 Users
Administrative Access
Establish and Maintain a
7.1 Vulnerability Applications
Management Process
Establish and Maintain a
7.2 Applications
Remediation Process
Perform Automated
7.3 Operating System Patch Applications
Management
 Perform Automated
7.4 Application Patch Applications
Management

Establish and Maintain

8.1 an Audit Log Network
Management Process

8.2 Collect Audit Logs Network

Ensure Adequate Audit
8.3 Network
Log Storage

Ensure Use of Only Fully

9.1 Supported Browsers and Applications
Email Clients

Use DNS Filtering

9.2 Network
Services
Deploy and Maintain
10.1 Devices
Anti-Malware Software
Configure Automatic
10.2 Anti-Malware Signature Devices
Updates
Disable Autorun and
10.3 Autoplay for Removable Devices
Media

Establish and Maintain a

11.1 Data
Data Recovery Process 

Perform Automated
11.2 Data
Backups 
11.3 Protect Recovery Data Data

Establish and Maintain

11.4 an Isolated Instance of Data
Recovery Data 

Ensure Network
12.1 Infrastructure is Up-to- Network
Date

Establish and Maintain a

14.1 Security Awareness Enterprise
Program

Train Workforce
Members to Recognize
14.2 Enterprise
Social Engineering
Attacks
Train Workforce
Members on
14.3 Enterprise
Authentication Best
Practices
 Train Workforce on Data
14.4 Enterprise
Handling Best Practices

Train Workforce
Members on Causes of
14.5 Enterprise
Unintentional Data
Exposure
Train Workforce
Members on
14.6 Recognizing and Enterprise
Reporting Security
Incidents

Train Workforce on How

to Identify and Report if
14.7 Their Enterprise Assets Enterprise
are Missing Security
Updates

Train Workforce on the

Dangers of Connecting
14.8 to and Transmitting Enterprise
Enterprise Data Over
Insecure Networks

Establish and Maintain

15.1 an Inventory of Service Enterprise
Providers

Designate Personnel to
17.1 Manage Incident Enterprise
Handling

Establish and Maintain

Contact Information for
17.2 Enterprise
Reporting Security
Incidents

Establish and Maintain

17.3 an Enterprise Process Enterprise
for Reporting Incidents
 Financial Objectives Obligations

The high dollar limit for

each impact score.

No harm would come to

others.

The harm that would

come to others would be
correctable.

The harm that would

come to others would not
be correctable.

n, Operational Objectives, and

cause? To make this simple, add
nly and leave the indented rows
estimate risks for each Asset Class,
at contain the Asset Classes you

Obligations Impact

Risk Analysis

Impact to
Safeguard Maturity Likelihood Impact to Impact to
VCDB Index Operational
Score Score Mission Obligations
Objectives
1 0 0 0

1 0 0 0

2 0 0 0

2 0 0 0

2 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

1 0 0 0

2 0 0 0

1 0 0 0
3 0 0 0

1 0 0 0

1 0 0 0

1 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

2 0 0 0

2 0 0 0

2 0 0 0
2 0 0 0

1 0 0 0

1 0 0 0

1 0 0 0

2 0 0 0

1 0 0 0

1 0 0 0

1 0 0 0

1 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

1 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0
3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0

3 0 0 0
 Risk Register

Risk
Risk Treatment Risk Treatment
Risk Score Risk Level Treatment
Safeguard Safeguard Title
Option
 Establish and Maintain Detailed
1.1
Enterprise Asset Inventory

1.2 Address Unauthorized Assets

Establish and Maintain a

2.1
Software Inventory

Ensure Authorized Software is

2.2
Currently Supported

2.3 Address Unauthorized Software

Establish and Maintain a Data

3.1
Management Process

Establish and Maintain a Data

3.2
Inventory

Configure Data Access Control

3.3
Lists

3.4 Enforce Data Retention

3.5 Securely Dispose of Data

Encrypt Data on End-User
3.6
Devices

Establish and Maintain a Secure

4.1
Configuration Process

Establish and Maintain a Secure

4.2 Configuration Process for
Network Infrastructure
 Configure Automatic Session
4.3
Locking on Enterprise Assets

Implement and Manage a

4.4
Firewall on Servers

Implement and Manage a

4.5
Firewall on End-User Devices

Securely Manage Enterprise

4.6
Assets and Software

Manage Default Accounts on

4.7
Enterprise Assets and Software

Establish and Maintain an

5.1
Inventory of Accounts

5.2 Use Unique Passwords

5.3 Disable Dormant Accounts

Restrict Administrator Privileges

5.4 to Dedicated Administrator
Accounts
Establish an Access Granting
6.1
Process

Establish an Access Revoking

6.2
Process

Require MFA for Externally-

6.3
Exposed Applications

Require MFA for Remote

6.4
Network Access

Require MFA for Administrative

6.5
Access
Establish and Maintain a
7.1 Vulnerability Management
Process
Establish and Maintain a
7.2
Remediation Process

Perform Automated Operating

7.3
System Patch Management
 Perform Automated Application
7.4
Patch Management

Establish and Maintain an Audit

8.1
Log Management Process

8.2 Collect Audit Logs

Ensure Adequate Audit Log
8.3
Storage

Ensure Use of Only Fully

9.1 Supported Browsers and Email
Clients

9.2 Use DNS Filtering Services

Deploy and Maintain Anti-
10.1
Malware Software

Configure Automatic Anti-

10.2
Malware Signature Updates

Disable Autorun and Autoplay

10.3
for Removable Media

Establish and Maintain a Data

11.1
Recovery Process 

11.2 Perform Automated Backups 

11.3 Protect Recovery Data

Establish and Maintain an

11.4 Isolated Instance of Recovery
Data 

Ensure Network Infrastructure is

12.1
Up-to-Date

Establish and Maintain a

14.1
Security Awareness Program

Train Workforce Members to

14.2 Recognize Social Engineering
Attacks

Train Workforce Members on

14.3
Authentication Best Practices
 Train Workforce on Data
14.4
Handling Best Practices

Train Workforce Members on

14.5 Causes of Unintentional Data
Exposure

Train Workforce Members on

14.6 Recognizing and Reporting
Security Incidents

Train Workforce on How to

Identify and Report if Their
14.7
Enterprise Assets are Missing
Security Updates

Train Workforce on the Dangers

of Connecting to and
14.8
Transmitting Enterprise Data
Over Insecure Networks

Establish and Maintain an

15.1
Inventory of Service Providers

Designate Personnel to Manage

17.1
Incident Handling

Establish and Maintain Contact

17.2 Information for Reporting
Security Incidents

Establish and Maintain an

17.3 Enterprise Process for
Reporting Incidents
 Risk Treatment

Risk Treatment
Safeguard Description
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets
with the potential to store or process data, to include: end-user devices (including portable and
mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory
records the network address (if static), hardware address, machine name, enterprise asset
owner, department for each asset, and whether the asset has been approved to connect to the
network. For mobile end-user devices, MDM type tools can support this process, where
appropriate. This inventory includes assets connected to the infrastructure physically, virtually,
remotely, and those within cloud environments. Additionally, it includes assets that are
regularly connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more
frequently.

Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise
may choose to remove the asset from the network, deny the asset from connecting remotely to
the network, or quarantine the asset.

Establish and maintain a detailed inventory of all licensed software installed on enterprise
assets. The software inventory must document the title, publisher, initial install/use date, and
business purpose for each entry; where appropriate, include the Uniform Resource Locator
(URL), app store(s), version(s), deployment mechanism, and decommission date. Review and
update the software inventory bi-annually, or more frequently.

Ensure that only currently supported software is designated as authorized in the software
inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of
the enterprise’s mission, document an exception detailing mitigating controls and residual risk
acceptance. For any unsupported software without an exception documentation, designate as
unauthorized. Review the software list to verify software support at least monthly, or more
frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives
a documented exception. Review monthly, or more frequently.

Establish and maintain a data management process. In the process, address data sensitivity,
data owner, handling of data, data retention limits, and disposal requirements, based on
sensitivity and retention standards for the enterprise. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a data inventory, based on the enterprise’s data management process.
Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum,
with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access control
lists, also known as access permissions, to local and remote file systems, databases, and
applications.
Retain data according to the enterprise’s data management process. Data retention must
include both minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the
disposal process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations can
include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain a secure configuration process for enterprise assets (end-user devices,
including portable and mobile, non-computing/IoT devices, and servers) and software
(operating systems and applications). Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a secure configuration process for network devices. Review and update
documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Configure automatic session locking on enterprise assets after a defined period of inactivity.
For general purpose operating systems, the period must not exceed 15 minutes. For mobile
end-user devices, the period must not exceed 2 minutes.

Implement and manage a firewall on servers, where supported. Example implementations

include a virtual firewall, operating system firewall, or a third-party firewall agent.

Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a
default-deny rule that drops all traffic except those services and ports that are explicitly
allowed.
Securely manage enterprise assets and software. Example implementations include managing
configuration through version-controlled-infrastructure-as-code and accessing administrative
interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer
Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet
(Teletype Network) and HTTP, unless operationally essential.
Manage default accounts on enterprise assets and software, such as root, administrator, and
other pre-configured vendor accounts. Example implementations can include: disabling default
accounts or making them unusable.

Establish and maintain an inventory of all accounts managed in the enterprise. The inventory
must include both user and administrator accounts. The inventory, at a minimum, should
contain the person’s name, username, start/stop dates, and department. Validate that all active
accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

Use unique passwords for all enterprise assets. Best practice implementation includes, at a
minimum, an 8-character password for accounts using MFA and a 14-character password for
accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets.
Conduct general computing activities, such as internet browsing, email, and productivity suite
use, from the user’s primary, non-privileged account.
Establish and follow a process, preferably automated, for granting access to enterprise assets
upon new hire, rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets,
through disabling accounts immediately upon termination, rights revocation, or role change of a
user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit
trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where
supported. Enforcing MFA through a directory service or SSO provider is a satisfactory
implementation of this Safeguard.

Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all enterprise assets,
whether managed on-site or through a third-party provider.
Establish and maintain a documented vulnerability management process for enterprise assets.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation
process, with monthly, or more frequent, reviews.

Perform operating system updates on enterprise assets through automated patch

management on a monthly, or more frequent, basis.
Perform application updates on enterprise assets through automated patch management on a
monthly, or more frequent, basis.

Establish and maintain an audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for
enterprise assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has
been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s
audit log management process.

Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through the
vendor.

Use DNS filtering services on all enterprise assets to block access to known malicious
domains.
Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.

Disable autorun and autoplay auto-execute functionality for removable media.

Establish and maintain a data recovery process. In the process, address the scope of data
recovery activities, recovery prioritization, and the security of backup data. Review and update
documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more
frequently, based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or
data separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example implementations
include, version controlling backup destinations through offline, cloud, or off-site systems or
services.

Ensure network infrastructure is kept up-to-date. Example implementations include running the
latest stable release of software and/or using currently supported network-as-a-service (NaaS)
offerings. Review software versions monthly, or more frequently, to verify software support.

Establish and maintain a security awareness program. The purpose of a security awareness
program is to educate the enterprise’s workforce on how to interact with enterprise assets and
data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and
update content annually, or when significant enterprise changes occur that could impact this
Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing, pre-
texting, and tailgating. 

Train workforce members on authentication best practices. Example topics include MFA,
password composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive data. This also includes training workforce members on clear screen and desk best
practices, such as locking their screen when they step away from their enterprise asset,
erasing physical and virtual whiteboards at the end of meetings, and storing data and assets
securely.

Train workforce members to be aware of causes for unintentional data exposure. Example
topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing
data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to report
such an incident. 

Train workforce to understand how to verify and report out-of-date software patches or any
failures in automated processes and tools. Part of this training should include notifying IT
personnel of any failures in automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over, insecure
networks for enterprise activities. If the enterprise has remote workers, training must include
guidance to ensure that all users securely configure their home network infrastructure.

Establish and maintain an inventory of service providers. The inventory is to list all known
service providers, include classification(s), and designate an enterprise contact for each
service provider. Review and update the inventory annually, or when significant enterprise
changes occur that could impact this Safeguard.

Designate one key person, and at least one backup, who will manage the enterprise’s incident
handling process. Management personnel are responsible for the coordination and
documentation of incident response and recovery efforts and can consist of employees internal
to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor,
designate at least one person internal to the enterprise to oversee any third-party work. Review
annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain contact information for parties that need to be informed of security
incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber
insurance providers, relevant government agencies, Information Sharing and Analysis Center
(ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is
up-to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The
process includes reporting timeframe, personnel to report to, mechanism for reporting, and the
minimum information to be reported. Ensure the process is publicly available to all of the
workforce. Review annually, or when significant enterprise changes occur that could impact
this Safeguard.
Risk Treatment

Risk Treatment Risk Treatment

Our Planned Risk Treatment
Safeguard Safeguard Impact to
Implementation Safeguard Maturity Score
Likelihood Score Mission
0

0
0

0
0

0
0

0
 Risk Treatment
Risk Treatment Risk Treatment
Safeguard Impact Reasonable and Risk Treatment
Safeguard Impact Safeguard Risk
to Operational Acceptable Safeguard Cost
to Obligations Score
Objectives
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No

0 0 No
Implementation Implementation Impact to Financial
Year Reasonable?
Quarter Year Objectives
$ - 2021 Yes

$ - 2022 Yes

$ - 2023 Yes

$ - 2024 Yes

$ - 2025 Yes

$ - 2026 Yes

$ - 2027 Yes

$ - 2028 Yes

$ - 2029 Yes

$ - 2030 Yes
 Color

Color Key

Title
CIS Safeguard #
CIS Safeguard Title
Asset Class
Safeguard Maturity Score

VCDB Index
Risk Analysis
Likelihood Score
Impact to Mission
Impact to Operational Objectives
Impact to Obligations
Risk Score
Risk Level
Risk Treatment Option
Risk Treatment Safeguard
Risk Treatment Safeguard Title
Risk Treatment Safeguard
Description
Our Planned Implementation
Risk Treatment Safeguard
Maturity Score
Risk Treatment Safeguard
Likelihood Score
Risk Treatment Safeguard
Risk Treatment
Impact to Mission

Risk Treatment Safeguard

Impact to Operational Objectives

Risk Treatment Safeguard

Impact to Obligations
Risk Treatment Safeguard Risk
Score
Reasonable and Acceptable
Risk Treatment Safeguard Cost
Implementation Quarter
Implementation Year
 Meaning
Automated or fixed values on the Risk Analysis side of the Risk Register. While the worksheet
is in protected mode, these values cannot be changed.
Automated or fixed values on the Risk Treatment side of the Risk Register. While the
worksheet is in protected mode, these values cannot be changed.
For user input. Risk assessors will add values into these columns.

For optional user input. Risk assessors may add values into these columns if it's useful to
them.

Meaning
The unique CIS Safeguard identifier, as published in the CIS Controls.
The title of the CIS Safeguard, as published in the CIS Controls.
The asset class, as published in the CIS Controls.
A score of '1' through '5' designating the reliability of a Safeguard's effectiveness against
threats.
An automatically calculated value to represent how common the related threat is as a cause for
reported cybersecurity incidents.
An automatically calculated value to represent how commonly the related threat would be the
cause of a cybersecurity incident, given your current Safeguard.
The magnitude of harm that a successful threat would cause to your Mission.
The magnitude of harm that a successful threat would cause to your Operational Objectives.
The magnitude of harm that a successful threat would cause to your Obligations.
The product of the Likelihood and the highest of the three Impacts.
An evaluation of the risk as acceptable, unacceptable, or catastrophic.
A statement about whether the enterprise will accept or reduce the risk.
The unique CIS Safeguard identifier, as published in the CIS Controls.
The title of the CIS Safeguard, as published in the CIS Controls.

The description of the CIS Safeguard, as published in the CIS Controls.

A brief description of how the Safeguard will be implemented and operated in the enterprise.
A score of '1' through '5' designating the planned reliability of a Safeguard's effectiveness
against threats.
An automatically calculated value to represent how commonly the related threat would be the
cause of a cybersecurity incident, given the planned Safeguard.
The magnitude of harm that a successful threat would cause to your Mission.

The magnitude of harm that a successful threat would cause to your Operational Objectives.

The magnitude of harm that a successful threat would cause to your Obligations.
The product of the Likelihood and the highest of the three impacts, given the planned
Safeguard.
A determination of whether the planned Safeguard is reasonable and acceptable.
An estimate of how much the Safeguard is expected to cost.
When the Safeguard is planned for completion of implementation (which quarter).
When the Safeguard is planned for completion of implementation (which year).
 Impact Criteria
Impact Scores Mission Operational Objectives

Definition Required Required

1. Acceptable We would achieve our mission. We would meet our objectives.
We would have to reinvest or correct We would have to reinvest or correct
2. Unacceptable
the situation to achieve our mission. the situation to achieve our objectives.

We would not be able to achieve our We would not be able to meet our
3. Catastrophic
mission. objectives.

Inherent Risk Criteria

Asset Class Mission Impact Operational Objectives Impact
Enterprise Required Required
Devices Optional Optional

Applications Optional Optional

Data Optional Optional

Network Optional Optional
Users Optional Optional
Criteria
Financial Objectives Obligations
The high dollar limit for each impact
Required
score.
Optional No harm would come to others.
The harm that would come to others
Optional
would be correctable.

The harm that would come to others

would not be correctable.

Obligations Impact
Required
Optional

Optional

Optional
Optional
Optional
Maturity Scores

Maturity Scores
1
2
3
4
5

Likelihood Scores

Likelihood Scores
1
2
3

Risk Acceptance Criteria

Acceptable Risk Score

<6

VCDB Index

Incident Count
Asset Class
Enterprise
Applications
Data
Devices
Network
Users
Unknown

VCDB Index Weight Table

VCDB Index Lookup

51
52
53
54
55
41
42
43
44
45
31
32
33
34
35
21
22
23
24
25
11
12
13
14
15
Used for "Safeguard Maturity Score" and "Risk Treatment Safeguard Maturity Score"

Definition
Safeguard is not implemented or is inconsistently implemented.
Safeguard is implemented fully on some assets or partially on all assets.
Safeguard is implemented on all assets.
Safeguard is tested and inconsistencies are corrected.
Safeguard has mechanisms that ensure consistent implementation over time.

Used for "Likelihood Score" and "Risk Treatment Safeguard Likelihood Score"

Likelihood Definition
The risk is not expected in this environment.
This risk should be expected to cause a security incident at some time.
We should expect this to happen soon, if it has not already occurred.

Used to evaluate risk acceptance

Risk Acceptance Criteria

All scores lower than '6' may be automatically accepted. All other risks must be reduced.

Used to populate "VCDB Index"

8893
Sum of Threat Count / Industry
4458
1253
4458
798
62
4458
863

Used to calculate "Likelihood Score" and "Risk Treatment Safeguard Likelihood Score"

Maturity
5
5
5
5
5
4
4
4
4
4
3
3
3
3
3
2
2
2
2
2
1
1
1
1
1
As of 7/29/2021
Percentage Index
50% 3
14% 2
50% 3
9% 1
1% 1
50% 3
10% 1

VCDB Index Likelihood

1 1
2 1
3 1
4 1
5 2
1 1
2 1
3 2
4 2
5 2
1 2
2 2
3 2
4 3
5 3
1 2
2 2
3 2
4 3
5 3
1 2
2 3
3 3
4 3
5 3
 CIS CSAT Pro
CIS CSAT Pro for CIS Controls v7.1

CSAT Pro Export CSAT Pro Score CIS RAM Maturity

v7.1 IG1 Safeguard #
Score (Stripped) Score Final
1.4
1.6
2.1
2.2

2.6

3.4

3.5

4.2

4.3

5.1

6.2

7.1

7.7

8.2
8.4
8.5
9.4
10.1
10.2
10.4
10.5
11.4
12.1
12.4
13.1
13.2
13.6
14.6
15.7
15.10
16.8
16.9
16.11
17.3
17.5
17.6
17.7
17.8
17.9
19.1
19.3
19.5
19.6
SAT Pro
CIS CSAT Pro for CIS Controls v8.0

CSAT Pro Export CSAT Pro Score CIS RAM Maturity

v8 IG1 Safeguard #
Score (Stripped) Score Final
1.1
1.2
2.1
2.2

2.3

3.1

3.2

3.3

3.4

3.5

3.6

4.1

4.2

4.3
4.4
4.5
4.6
4.7
5.1
5.2
5.3
5.4
6.1
6.2
6.3
6.4
6.5
7.1
7.2
7.3
7.4
8.1
8.2
 8.3
9.1
9.2
10.1
10.2
10.3
11.1
11.2
11.3
11.4
12.1
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
15.1
17.1
17.2
17.3
Instructions for Importing CIS CSAT Pro Scores
into CIS RAM
1)      In CIS CSAT Pro, filter on IG1 and Export Filtered CSV.
a.       Go to the Assessment Summary page for the assessment of interest (this is reachable from the
Assessment Summary tab at the top of the Assessment Dashboard for that assessment).
b.       Click the Filter button.
c.       Select "IG-1" for the Implementation Group filter and click Search.
d.       Click the "Export Filtered CSV" button to export the report.
2)      Copy your scores from the exported CSAT Pro CSV file to the CIS RAM for IG1 Workbook.
a.       In the CSAT Pro CSV file, copy the contents of column E (labeled “Sub-Control Score”) excluding
the heading row.
b.   Go to the “CIS CSAT Pro” tab in the CIS RAM for IG1 Workbook.

c.       Find the appropriate section in the “CIS CSAT Pro” tab based on which CIS Controls version you
are using (either CSAT Pro for CIS Controls v7.1 or CSAT Pro for CIS Controls v8.0).

d.       Paste the copied data into the appropriate section of the “CIS CSAT Pro” tab.
e.       For instance, if you are using Controls v7.1, you might copy cells E2 to E44 from the CSAT Pro
CSV to B5 to B47 in the “CIS CSAT Pro” tab of the CIS RAM for IG1 Workbook.
3)      Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4)      Once scores are final, copy the scores in the “CIS RAM Maturity Score Final” column into the
"Safeguard Maturity Score" column of the appropriate CIS RAM tab – “Risk Register 7.1 for IG1” for v7.1 of
the CIS Controls or “Risk Register 8 for IG1” for v8 of the CIS Controls.
a.       Right-click to copy and "Paste Special" as "Values" (e.g., 1,2,3).
b.   Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT”
tabs, if present. If copied, these values can be deleted from the “Safeguard Maturity Score” cell and
will not affect the functionality of the CIS RAM Risk Register.
Note: Please ensure that your enterprise's method for scoring Safeguards in CSAT Pro
aligns closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.

Maturity Scores

2
3
4
5
lease ensure that your enterprise's method for scoring Safeguards in CSAT Pro
closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.

Definition

Safeguard is not implemented or is inconsistently implemented.

Safeguard is implemented fully on some assets or partially on all assets.

Safeguard is implemented on all assets.
Safeguard is tested and inconsistencies are corrected.
Safeguard has mechanisms that ensure consistent implementation over time.
 CIS-Hosted CSAT
Policy Defined Control Implemented
Maturity Scores

1 No Policy Not Implemented

2 Informal Policy Parts of Policy Implemented

3 Partially Written Policy Implemented on Some Systems

4 Written Policy Implemented on Most Systems

5 Approved Written Policy Implemented on All Systems

Unknown - Unscored None None

Unknown - N/A Not Applicable Not Applicable

CIS-Hosted CSAT for

CIS-Hosted CSAT Values From XLSX Export
CIS Controls v7.1

v7.1 IG1 Safeguard # Policy Defined Control Implemented

1.4

1.6

2.1

2.2

2.6

3.4

3.5

4.2
4.3
5.1
6.2
7.1
7.7
8.2
8.4
 8.5
9.4
10.1
10.2
10.4
10.5
11.4
12.1
12.4
13.1
13.2
13.6
14.6
15.7
15.10
16.8
16.9
16.11
17.3
17.5
17.6
17.7
17.8
17.9
19.1
19.3
19.5
19.6
 CIS-Hosted CSAT
Control Automated Control Reported
Maturity Scores

Not Automated Not Reported 1

Parts of Policy Automated Parts of Policy Reported 2

Automated on Some Systems Reported on Some Systems 3

Automated on Most Systems Reported on Most Systems 4

Automated on All Systems Reported on All Systems 5

Unknown -
None None
Unscored

Not Applicable Not Applicable Unknown - N/A

d CSAT Values From XLSX Export Calculated Numerical Score

Control Automated Control Reported Policy Defined Control Implemented

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
 CIS-Hosted CSA

ulated Numerical Score

CIS RAM Maturity Score CIS RAM Maturity Score
Average Final
Control Automated Control Reported

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
sted CSAT

CIS-Hosted CSAT for CIS

CIS-Hosted CSAT Values From XLSX Export
Controls v8.0

v8 IG1 Safeguard # Policy Defined Control Implemented

1.1

1.2

2.1

2.2

2.3

3.1

3.2

3.3
3.4
3.5
3.6
4.1
4.2
4.3
4.4
4.5
4.6
4.7
5.1
5.2
5.3
5.4
6.1
6.2
6.3
6.4
6.5
7.1
7.2
7.3
7.4
8.1
8.2
8.3
9.1
9.2
10.1
10.2
10.3
11.1
11.2
11.3
11.4
12.1
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
15.1
17.1
17.2
17.3
CSAT Values From XLSX Export Calculated Numerical Score

Control Automated Control Reported Policy Defined Control Implemented

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A

#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
lculated Numerical Score
CIS RAM Maturity CIS RAM Maturity
Score Average Score Final
Control Automated Control Reported

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A

#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
Instructions for Importing CIS-Hosted CSAT Scores in

1)      In CIS-Hosted CSAT, filter on IG1 and export the filtered Safeguards
a.       Go to the All Controls page for the assessment of interest (this is reachable from the All Controls
left under “Current Assessment”).
b.       Click the Filter button.
c.       Select “Group 1” for the Implementation Group filter and click Filter.

d.       Check to see if any of these Safeguards are in the blue (Not Assessed) state. You can see this
will be a colored circle in each row by the Safeguard number. Any Safeguards that have a blue circle
you have any blue Safeguards and you want to continue these steps, one way to get them out of the

i.      Select the checkbox next to each blue Safeguard.

ii.      Select “Un-Assign the control” from the Bulk Action option dropdown and click the “Save”
dropdown. Please note: If any of the selected Safeguards were assigned, this will remove th
date.
e.       Click the Download Report button to export the report.
2)      Copy your scores from the exported CIS-Hosted CSAT XLSX file to the CIS RAM for IG1 Workbook.
a.       In the CIS-Hosted CSAT XLSX file, copy the contents of columns E through H (labeled Policy D
Implemented, Control Automated, and Control Reported) excluding the heading row.

b.       Go to the “CIS-Hosted CSAT” tab in the CIS RAM for IG1 Workbook.
c.       Find the appropriate section in the “CIS-Hosted CSAT” tab based on which CIS Controls version
CIS-Hosted CSAT for CIS Controls v7.1 or CIS-Hosted CSAT for CIS Controls v8.0).
d.       Paste the copied data into the appropriate section of the “CIS-Hosted CSAT” tab.

e.       For instance, if you are using Controls v7.1, you might copy the cells from E2:E44 over to H2:H4
CSAT XLSX file, select cell B14 in the “CIS-Hosted CSAT” tab in the CIS RAM for IG1 Workbook and

3)      Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4)      Once scores are final, copy the scores in the “CIS RAM Maturity Score Final” column into the “Safeguar
column of the appropriate CIS RAM tab – “Risk Register 7.1 for IG1” for v7.1 of the CIS Controls or “Risk Re
the CIS Controls.
a.       Right-click to copy and "Paste Special" as "Values" (e.g., 1,2,3).
b.    Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT
copied, these values can be deleted from the “Safeguard Maturity Score” cell and will not affect the f
RAM Risk Register.
 Note: This method will average the four scoring categories in CIS-Hosted CSAT for each Safegu
those averages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, a
to ensure this method aligns closely enough for your enterprise's scoring practice

Maturity Scores

3
4

5
is method will average the four scoring categories in CIS-Hosted CSAT for each Safeguard and aligns
ages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, as defined below,
to ensure this method aligns closely enough for your enterprise's scoring practices.

Definition

Safeguard is not implemented or is inconsistently implemented.

Safeguard is implemented fully on some assets or partially on all assets.

Safeguard is implemented on all assets.

Safeguard is tested and inconsistencies are corrected.

Safeguard has mechanisms that ensure consistent implementation over time.

Remember to download the CIS Critical Security Controls (CIS Controls) Version 8 Guide where you can
learn more about:

- This Version of the CIS Controls

- The CIS Controls Ecosystem ("It's not about the list")
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Control critical
- Procedures and Tools
https://www.cisecurity.org/controls/v8/

This is a free tool with a dynamic list of the CIS Safeguards that can be filtered by Implementation Groups
and mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/

Join our Community where you can discuss the CIS Controls with our global army of experts and
volunteers!
https://workbench.cisecurity.org/dashboard

CIS CSAT (Controls Self Assessment Tool)

Overview: The CIS Controls® Self Assessment Tool, also known as CIS CSAT, enables organizations to
assess and track their implementation of the CIS Controls for Versions 8 and 7.1. The CIS Controls are a
prioritized set of consensus-developed security best practices used by organizations around the world to
defend against cyber threats.

TWO TYPES:
CIS-Hosted CSAT: The CIS-hosted version of CIS CSAT is free to every organization for use in a non-
commercial capacity to conduct CIS Controls assessments of their organization. (released January 2019)

https://csat.cisecurity.org/

CIS CSAT Pro: The on-premises version of CIS CSAT is available exclusively for CIS SecureSuite
Members. This version offers additional features and benefits: Save time by using a simplified scoring
method with a reduced number of questions, Decide whether to opt in to share data and see how scores
compare to industry average, Greater flexibility with organization trees for tracking organizations, sub-
organizations, and assessments, Assign users to different roles for different organizations/sub-
organizations as well as greater separation of administrative and non-administrative roles, Track multiple
concurrent assessments in the same organization, Easily access your tasks, assessments, and
organizations from a consolidated home page, Includes CIS Controls Safeguard mappings to NIST CSF,
NIST SP 800-53, and PCI. (released August 2020)

https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat/
 Enterprise Name State College
CIS RAM Risk Register Scope All assets
Last Completed (Date) 20-Aug-21

Impact Criteria

Impact Scores Mission Operational Objectives

To prepare each
generation to succeed to
the best of their ability; To
inspire young artists to
Maintain an operational
find their voice; To meet
Definition budget; Grow the
or exceed performance
Foundation
standards issued by the
state; To help each
Chris Cronin:
student achieve their
This enterprise could tolerate a loss
potential.
up to $20,000.
We would achieve our We would meet our
1. Acceptable
mission. objectives.

We would have to reinvest We would have to reinvest

2. Unacceptable or correct the situation to or correct the situation to
achieve our mission. achieve our objectives.
Chris Cronin:
If this enterprise loses
We would not be able to moretothan $1,000,000,
We would not be able
3. Catastrophic they could not recover.
achieve our mission. meet our objectives.

What is the highest impact to the mission, operational objectives, and

obligations that each asset type could cause? To make this simple, add values
Inherent Risk Criteria ('1' through '3') for "Enterprise" only and leave the indented rows below
"Enterprise" blank. If you wish to estimate risks for each Asset Class, you must
also add values to the rows that contain the Asset Classes you wish to analyze.

Operational Objectives
Asset Class Mission Impact
Impact
Enterprise 2 2
Devices 2 2
Applications 2 2
Data 2 2
Network 1 2
Users 2 2
Risk Register

CIS Safeguard # CIS Safeguard Title Asset Class

Maintain Detailed Asset

1.4 Devices
Inventory

Address Unauthorized
1.6 Devices
Assets

Maintain Inventory of
2.1 Applications
Authorized Software

Ensure Software is
2.2 Applications
Supported by Vendor

Address Unapproved
2.6 Applications
Software

Deploy Automated
3.4 Operating System Patch Devices
Management Tools

Deploy Automated
3.5 Software Patch Devices
Management Tools

Change Default
4.2 Users
Passwords

Ensure the Use of

4.3 Dedicated Administrative Users
Accounts
 Establish Secure
5.1 Devices
Configurations

6.2 Activate Audit Logging Devices

Ensure Use of Only Fully

7.1 Supported Browsers and Devices
Email Clients

Use of DNS Filtering

7.7 Devices
Services

Ensure Anti-Malware
8.2 Software and Signatures Devices
Are Updated

Configure Anti-Malware
8.4 Scanning of Removable Devices
Devices

Configure Devices to Not

8.5 Devices
Auto-Run Content

Apply Host-Based
9.4 Network
Firewalls or Port-Filtering

Ensure Regular
10.1 Data
Automated BackUps

Perform Complete System

10.2 Data
Backups

10.4 Protect Backups Data

Ensure All Backups Have

10.5 at Least One Offline Data
Backup Destination

Install the Latest Stable

Version of Any Security-
11.4 Network
Related Updates on All
Network Devices
 Maintain an Inventory of
12.1 Network
Network Boundaries

Deny Communication
12.4 Network
Over Unauthorized Ports

Maintain an Inventory of
13.1 Data
Sensitive Information

Remove Sensitive Data or

13.2 Systems Not Regularly Data
Accessed by Organization

Encrypt Mobile Device

13.6 Devices
Data

Protect Information
14.6 Through Access Control Data
Lists

Leverage the Advanced

Encryption Standard
15.7 Network
(AES) to Encrypt Wireless
Data

Create Separate Wireless

15.10 Network for Personal and Network
Untrusted Devices

Disable Any Unassociated

16.8 Users
Accounts

Disable Dormant
16.9 Users
Accounts

Lock Workstation
16.11 Devices
Sessions After Inactivity
 Implement a Security
17.3 Users
Awareness Program

Train Workforce on
17.5 Users
Secure Authentication

Train Workforce on
17.6 Identifying Social Users
Engineering Attacks

Train Workforce on
17.7 Users
Sensitive Data Handling

Train Workforce on
17.8 Causes of Unintentional Users
Data Exposure

Train Workforce Members

17.9 on Identifying and Users
Reporting Incidents

Document Incident
19.1 Enterprise
Response Procedures

Designate Management
19.3 Personnel to Support Enterprise
Incident Handling

Maintain Contact
19.5 Information For Reporting Enterprise
Security Incidents

Publish Information
Regarding Reporting
19.6 Enterprise
Computer Anomalies and
Incidents
 Financial Objectives Obligations

All data on this page is con

The high dollar limit for
each impact score.
could tolerate a loss
and not meant to reflect an
To prevent theft of
risk register. Only to be
students’ identity
purpo

No harm would come to

$ 20,000.00
others.

The harm that would

$ 1,000,000.00 come to others would be
Chris Cronin: correctable.
If this enterprise loses
more than $1,000,000, The harm that would
they could not recover. come to others would not
be correctable.

operational objectives, and

se? To make this simple, add values
ave the indented rows below
risks for each Asset Class, you must
e Asset Classes you wish to analyze.

Obligations Impact Chris Cronin:

The highest obligations
3
impact score that an
2 asset could cause
3 would be '3'.
3
2 Chris Cronin:
3 If the network in this enterprise were
compromised, the highest obligations
impact it could create would be '2'.
 Risk Analysis

Impact to
Safeguard Maturity Likelihood Impact to Impact to
VCDB Index Operational
Score Score Mission Obligations
Objectives

3 1 2 2 2 2

3 1 2 2 2 2

2 2 2 2 2 3

4 2 1 2 2 3

1 2 3 2 2 3

4 1 1 2 2 2

1 1 2 2 2 2

3 3 2 2 2 3

4 3 2 2 2 3
5 1 1 2 2 2

2 1 2 2 2 2

2 1 2 2 2 2

1 1 2 2 2 2

2 1 2 2 2 2

4 1 1 2 2 2

3 1 2 2 2 2

3 1 2 1 2 2

3 3 2 2 2 3

1 3 3 2 2 3

1 3 3 2 2 3

2 3 2 2 2 3

4 1 1 1 2 2
1 1 2 1 2 2

1 1 2 1 2 2

1 3 3 2 2 3

1 3 3 2 2 3

2 1 2 2 2 2

4 3 2 2 2 3

3 1 2 1 2 2

1 1 2 1 2 2

2 3 2 2 2 3

4 3 2 2 2 3

2 1 2 2 2 2
5 3 1 2 2 3

1 3 3 2 2 3

2 3 2 2 2 3

3 3 2 2 2 3

4 3 2 2 2 3

5 3 1 2 2 3

2 3 2 2 2 3

1 3 3 2 2 3

1 3 3 2 2 3

3 3 2 2 2 3
 page is considered sample data only,
to reflect an individual organization's
. Only to be used for demonstration
purposes.
 Risk Register

Risk
Risk Treatment Risk Treatment
Risk Score Risk Level Treatment
Safeguard Safeguard Title
Option

Maintain Detailed Asset

4 Reduce 1.4
Inventory

4 Reduce 1.6 Address Unauthorized Assets

Maintain Inventory of Authorized

6 Reduce 2.1
Software

Ensure Software is Supported

3 Accept 2.2
by Vendor

9 Reduce 2.6 Address Unapproved Software

Deploy Automated Operating

2 Accept 3.4 System Patch Management
Tools

Deploy Automated Software

4 Reduce 3.5
Patch Management Tools

6 Reduce 4.2 Change Default Passwords

Ensure the Use of Dedicated

6 Reduce 4.3
Administrative Accounts
2 Accept Establish Secure Configurations

4 Reduce 6.2 Activate Audit Logging

Ensure Use of Only Fully

4 Reduce 7.1 Supported Browsers and Email
Clients

4 Reduce 7.7 Use of DNS Filtering Services

Ensure Anti-Malware Software

4 Reduce 8.2
and Signatures Are Updated

Configure Anti-Malware
2 Accept Scanning of Removable
Devices

Configure Devices to Not Auto-

4 Reduce 8.5
Run Content

Apply Host-Based Firewalls or

4 Reduce 9.4
Port-Filtering

Ensure Regular Automated

6 Reduce 10.1
BackUps

Perform Complete System

9 Reduce 10.2
Backups

9 Reduce 10.4 Protect Backups

Ensure All Backups Have at

6 Reduce 10.5 Least One Offline Backup
Destination

Install the Latest Stable Version

2 Accept of Any Security-Related
Updates on All Network Devices
 Maintain an Inventory of
4 Reduce 12.1
Network Boundaries

Deny Communication Over

4 Reduce 12.4
Unauthorized Ports

Maintain an Inventory of
9 Reduce 13.1
Sensitive Information

Remove Sensitive Data or

9 Reduce 13.2 Systems Not Regularly
Accessed by Organization

4 Reduce 13.6 Encrypt Mobile Device Data

Protect Information Through

6 Accept
Access Control Lists

Leverage the Advanced

4 Reduce 15.7 Encryption Standard (AES) to
Encrypt Wireless Data

Create Separate Wireless

4 Reduce 15.10 Network for Personal and
Untrusted Devices

Disable Any Unassociated

6 Reduce 16.8
Accounts

6 Reduce 16.9 Disable Dormant Accounts

Lock Workstation Sessions After

4 Reduce 16.11
Inactivity
 Implement a Security
3 Accept
Awareness Program

Train Workforce on Secure

9 Reduce 17.5
Authentication

Train Workforce on Identifying

6 Reduce 17.6
Social Engineering Attacks

Train Workforce on Sensitive

6 Reduce 17.7
Data Handling

Train Workforce on Causes of

6 Reduce 17.8
Unintentional Data Exposure

Train Workforce Members on

3 Accept Identifying and Reporting
Incidents

Document Incident Response

6 Reduce 19.1
Procedures

Designate Management
9 Reduce 19.3 Personnel to Support Incident
Handling

Maintain Contact Information

9 Reduce 19.5
For Reporting Security Incidents

Publish Information Regarding

6 Reduce 19.6 Reporting Computer Anomalies
and Incidents
 Risk Treatment

Risk Treatment Our Planned Risk Treatment

Safeguard Description Implementation Safeguard Maturity Score

Maintain an accurate and up-to-date Chris Cronin:

The the
inventory of all technology assets with enterprise believes that
implementing a network access
potential to store or process information.
Implement
control device a NAC.
will address 4
This inventory shall include all hardware
multiple risks.
assets, whether connected to the
organization's network or not.
Ensure that unauthorized assets are either
removed from the network, quarantined, or
Implement a NAC. 4
the inventory is updated in a timely
manner.
Maintain an up-to-date list of all authorized
software that is required in the enterprise Use application
4
for any business purpose on any business whitelisting.
system.
Ensure that only software applications or
operating systems currently supported by
the software's vendor are added to the
organization's authorized software
inventory. Unsupported software should be
tagged as unsupported in the inventory
system.
Ensure that unauthorized software is either
Add unapproved software
removed or the inventory is updated in a 4
to incident response plan.
timely manner.

Deploy automated software update tools in

order to ensure that the operating systems
are running the most recent security
updates provided by the software vendor.

Deploy automated software update tools in

order to ensure that third-party software on Configure end-user
all systems is running the most recent systems to automatically 4
security updates provided by the software apply patches from vendor.
vendor.
Before deploying any new asset, change
all default passwords to have values Use PAM for all admin
4
consistent with administrative level accounts.
accounts.

Ensure that all users with administrative

account access use a dedicated or
secondary account for elevated activities.
4
This account should only be used for
administrative activities and not internet
browsing, email, or similar activities.
Maintain documented, standard security
configuration standards for all authorized
operating systems and software.

Ensure that local logging has been

enabled on all systems and networking 2
devices.

Ensure that only fully supported web

browsers and email clients are allowed to
execute in the organization, ideally only 2
using the latest version of the browsers
and email clients provided by the vendor.

Use DNS filtering services to help block

1
access to known malicious domains.
Ensure that the organization's anti-
malware software updates its scanning
2
engine and signature database on a
regular basis.
Configure devices so that they
automatically conduct an anti-malware
scan of removable media when inserted or
connected.
Configure devices to not auto-run content
3
from removable media.
Apply host-based firewalls or port filtering
tools on end systems, with a default-deny
rule that drops all traffic except those 3
services and ports that are explicitly
allowed.
Ensure that all system data is
automatically backed up on a regular 3
basis.
Ensure that each of the organization's key
systems are backed up as a complete
system, through processes such as 1
imaging, to enable the quick recovery of an
entire system.
Ensure that backups are properly
protected via physical security or
encryption when they are stored, as well
1
as when they are moved across the
network. This includes remote backups
and cloud services.
Ensure that all backups have at least one
backup destination that is not continuously
2
addressable through operating system
calls.

Install the latest stable version of any

security-related updates on all network
devices.
Maintain an up-to-date inventory of all of
1
the organization's network boundaries.

Deny communication over unauthorized

TCP or UDP ports or application traffic to
ensure that only authorized protocols are
1
allowed to cross the network boundary in
or out of the network at each of the
organization's network boundaries.

Maintain an inventory of all sensitive

information stored, processed, or
transmitted by the organization's
1
technology systems, including those
located onsite or at a remote service
provider.

Remove sensitive data or systems not

regularly accessed by the organization
from the network. These systems shall
only be used as stand alone systems
1
(disconnected from the network) by the
business unit needing to occasionally use
the system or completely virtualized and
powered off until needed.
Utilize approved whole disk encryption
software to encrypt the hard drive of all 2
mobile devices.

Protect all information stored on systems

with file system, network share, claims,
application, or database specific access
control lists. These controls will enforce the
principle that only authorized individuals
should have access to the information
based on their need to access the
information as a part of their
responsibilities.

Leverage the Advanced Encryption

Standard (AES) to encrypt wireless data in 3
transit.

Maintain an inventory of authorized

wireless access points connected to the 1
wired network.

Disable any account that cannot be

associated with a business process or 2
business owner.
Automatically disable dormant accounts
4
after a set period of inactivity.

Automatically lock workstation sessions

2
after a standard period of inactivity.
Create a security awareness program for
all workforce members to complete on a
regular basis to ensure they understand
and exhibit the necessary behaviors and
skills to help ensure the security of the
organization. The organization's security
awareness program should be
communicated in a continuous and
engaging manner.

Train workforce members on the

importance of enabling and utilizing secure 1
authentication.
Train the workforce on how to identify
different forms of social engineering
2
attacks, such as phishing, phone scams,
and impersonation calls.
Train workforce on how to identify and
properly store, transfer, archive, and 3
destroy sensitive information.
Train workforce members to be aware of
causes for unintentional data exposures,
such as losing their mobile devices or 4
emailing the wrong person due to
autocomplete in email.

Train employees to be able to identify the

most common indicators of an incident and
be able to report such an incident.

Ensure that there are written incident

response plans that define roles of
2
personnel as well as phases of incident
handling/management.
Designate management personnel, as well
as backups, who will support the incident
1
handling process by acting in key decision-
making roles.

Assemble and maintain information on

third-party contact information to be used
to report a security incident, such as Law 1
Enforcement, relevant government
departments, vendors, and ISAC partners.

Publish information for all workforce

members, regarding reporting computer
anomalies and incidents to the incident
3
handling team. Such information should be
included in routine employee awareness
activities.
Risk Treatment

Risk Treatment
Risk Treatment Risk Treatment Risk Treatment Risk Treatment
Safeguard Impact
Safeguard Safeguard Impact to Safeguard Impact Safeguard Risk
to Operational
Likelihood Score Mission to Obligations Score
Objectives

1 2 2 2 2

1 2 2 2 2

1 2 2 3 3

2 2 3

1 2 2 3 3

2 2 2

1 2 2 2 2

2 2 2 3 6

2 2 2 3 6
 2 2 2

2 2 2 2 4

2 2 2 2 4

2 2 2 2 4

2 2 2 2 4

2 2 2

2 2 2 2 4

2 1 2 2 4

2 2 2 3 6

3 2 2 3 9

3 2 2 3 9

2 2 2 3 6

1 2 2
2 1 2 2 4

2 1 2 2 4

3 2 2 3 9

3 2 2 3 9

2 2 2 2 4

2 2 3

2 1 2 2 4

2 1 2 2 4

2 2 2 3 6

2 2 2 3 6

2 2 2 2 4
 2 2 3

3 2 2 3 9

2 2 2 3 6

2 2 2 3 6

2 2 2 3 6

2 2 3

2 2 2 3 6

3 2 2 3 9

3 2 2 3 9

2 2 2 3 6
Reasonable and Risk Treatment Implementation Implementati Impact to Financial
Acceptable Safeguard Cost Quarter on Year Objectives

Yes Q2 2022 $ -

Yes Q3 2022 $ -

Yes Q4 2022 $ -

Yes Q2 2022 $ -

Yes Q1 2023 $ -

Yes Q2 2023 $ -

Yes Q4 2021 $ -
Chris Cronin:
If the safeguard is implemented at maturity '4' the
safeguard risk will still be too high. Using, auditing, and
No correcting PAM may not be enough,Q4 in this case. The2021 $ -
enterprise may consider an automated approach to
ensure that PAM is consistently enforced and
automatically improved over time.

No $ -
Yes $ -

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

No

No

No

Yes
Yes

Yes

No

No

Yes

No

Yes

Yes

No

No

Yes
Yes

No

No

No

No

Yes

No

No

No

No
Year Reasonable?

2021 Yes

2022 Yes

2023 Yes

2024 Yes

2025 Yes

2026 Yes

2027 Yes

2028 Yes

2029 Yes
2030 Yes
 CIS CSAT Pro
CIS CSAT Pro for CIS Controls v7.1

CSAT Pro Export CSAT Pro Score CIS RAM Maturity

v7.1 IG1 Safeguard #
Score (Stripped) Score Final
1.4 5 (81-100%) 5 5
1.6 3 (41-60%) 3 3
2.1 4 (61-80%) 4 4
2.2 3 (41-60%) 3 3
2.6 2 (21-40%) 2 2
3.4 4 (61-80%) 4 4
3.5 4 (61-80%) 4 4
4.2 2 (21-40%) 2 2
4.3 2 (21-40%) 2 2
5.1 5 (81-100%) 5 5
6.2 2 (21-40%) 2 2
7.1
7.7 Not Applicable N N
8.2
8.4 Not Available N N
8.5
9.4
10.1
10.2
10.4
10.5
11.4
12.1
12.4
13.1
13.2
13.6
14.6
15.7
15.10
16.8
16.9
16.11
17.3
17.5 5 (81-100%) 5 5
17.6
17.7
17.8
17.9
19.1 5 (81-100%) 5 5
19.3
19.5 3 (41-60%) 3 3
19.6
SAT Pro
CIS CSAT Pro for CIS Controls v8.0

CSAT Pro Export CSAT Pro Score CIS RAM Maturity

v8 IG1 Safeguard #
Score (Stripped) Score Final
1.1 5 (81-100%) 5 5
1.2 3 (41-60%) 3 3 All data on this
2.1 4 (61-80%) 4 4
2.2 3 (41-60%) 3 3 only, and not
2.3
3.1
2 (21-40%)
4 (61-80%)
2
4
2
4 organization's
3.2
3.3
4 (61-80%)
2 (21-40%)
4
2
4
2
used for
3.4 2 (21-40%) 2 2
3.5 5 (81-100%) 5 5
3.6 2 (21-40%) 2 2
4.1
4.2 Not Applicable N N
4.3
4.4 Not Available N N
4.5
4.6
4.7
5.1
5.2
5.3
5.4
6.1
6.2
6.3
6.4
6.5
7.1
7.2
7.3
7.4
8.1
8.2
8.3
9.1 5 (81-100%) 5 5
9.2
10.1
10.2
10.3
11.1 5 (81-100%) 5 5
11.2
11.3 3 (41-60%) 3 3
11.4 3 (41-60%) 3 3
12.1 2 (21-40%) 2 2
14.1 4 (61-80%) 4 4
14.2 4 (61-80%) 4 4
14.3 2 (21-40%) 2 2
14.4 2 (21-40%) 2 2
14.5 5 (81-100%) 5 5
14.6 4 (61-80%) 4 4
14.7 2 (21-40%) 2 2
14.8 2 (21-40%) 2 2
15.1 5 (81-100%) 5 5
17.1
17.2
17.3
All data on this page is considered sample data
only, and not meant to reflect an individual
organization's CSAT/RAM scoring. Only to be
used for demonstration purposes.
 CIS-Hosted CSAT
Policy Defined
Maturity Scores
1 No Policy
2 Informal Policy
3 Partially Written Policy
4 Written Policy
5 Approved Written Policy
Unknown - Unscored None
Unknown - N/A Not Applicable
Control Implemented
Not Implemented
Parts of Policy Implemented
Implemented on Some Systems
Implemented on Most Systems
Implemented on All Systems
None
Not Applicable

CIS-Hosted CSAT for

CIS-Hosted CSAT Values From XLSX Export
CIS Controls v7.1

v7.1 IG1 Safeguard # Policy Defined Control Implemented

1.4 Approved Written Policy Implemented on Most Systems

1.6 Partially Written Policy Implemented on Some Systems
2.1 Approved Written Policy Implemented on All Systems
2.2 Partially Written Policy Implemented on Some Systems
2.6 Informal Policy Parts of Policy Implemented
3.4 Partially Written Policy Implemented on Some Systems
3.5 Partially Written Policy Implemented on Some Systems
4.2 Partially Written Policy Implemented on All Systems
4.3 Approved Written Policy Implemented on All Systems
5.1 Approved Written Policy Implemented on Some Systems
6.2 Approved Written Policy Implemented on Most Systems
7.1 Partially Written Policy Implemented on Most Systems
7.7 Partially Written Policy Implemented on Most Systems
8.2 No Policy Not Implemented
8.4 No Policy Not Implemented
8.5 No Policy Not Implemented
9.4 Approved Written Policy Implemented on Most Systems
10.1 Written Policy Implemented on Most Systems
10.2 Partially Written Policy Implemented on Most Systems
10.4 Written Policy Implemented on All Systems
10.5 Written Policy Implemented on All Systems
11.4 Approved Written Policy Implemented on Most Systems
12.1 None None

12.4 None None

13.1 None None

13.2 None None

13.6 None None
14.6 Approved Written Policy Implemented on All Systems
15.7 Approved Written Policy Implemented on All Systems
15.10 Approved Written Policy Implemented on All Systems
16.8 None None

16.9 None None

16.11 Approved Written Policy Implemented on All Systems
17.3 Approved Written Policy Implemented on All Systems
17.5 None None

17.6 None None

17.7 None None

17.8 None None

17.9 None None

19.1 None None

19.3 Approved Written Policy Implemented on All Systems
19.5 None None

19.6 None None

 CIS-Hosted CSAT
Control Automated Control Reported
Maturity Scores
Not Automated Not Reported 1
Parts of Policy Automated Parts of Policy Reported 2
Automated on Some Systems Reported on Some Systems 3
Automated on Most Systems Reported on Most Systems 4
Automated on All Systems Reported on All Systems 5
Unknown -
None None
Unscored
Not Applicable Not Applicable Unknown - N/A

CSAT Values From XLSX Export Calculated Numerical Score

Control Automated Control Reported Policy Defined Control Implemented

Automated on All Systems Reported on Some Systems 5 4

Automated on Some Systems
Automated on All Systems
Automated on Most Systems
Parts of Policy Automated
Automated on Some Systems
Automated on Some Systems
Automated on Some Systems
Automated on All Systems
Automated on Most Systems
Automated on Most Systems
Automated on All Systems
Automated on Most Systems
Parts of Policy Automated
Parts of Policy Automated
Not Automated
Automated on Most Systems
Automated on All Systems
Automated on Most Systems
Automated on Most Systems
Automated on All Systems
Automated on All Systems
None
Reported on Most Systems
Reported on All Systems
Reported on All Systems
Reported on Some Systems
Reported on Most Systems
Reported on Some Systems
Reported on Most Systems
Reported on All Systems
Reported on All Systems
Reported on All Systems
Reported on Most Systems
Reported on Most Systems
Not Reported
Not Reported
Not Reported
Reported on Most Systems
Reported on Some Systems
Reported on All Systems
Reported on All Systems
Reported on All Systems
Reported on Most Systems
None Unknown - Unscored
3 3
5 5
3 3
2 2
3 3
3 3
3 5
5 5
5 3
5 4
3 4
3 4
1 1
1 1
1 1
5 4
4 4
3 4
4 5
4 5
5 4
Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

 None None Unknown - Unscored Unknown - Unscored
Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

Automated on All Systems Not Applicable 5 5
None None Unknown - Unscored Unknown - Unscored

None None Unknown - Unscored Unknown - Unscored

 CIS-Hosted CSAT

All data on this page is considered sample data only, and n

an individual organization's CSAT/RAM scoring. Only
demonstration purposes.

ulated Numerical Score

CIS RAM Maturity Score CIS RAM Maturity Score
Average Final
Control Automated Control Reported

5 3
3 4
5 5
4 5
2 3
3 4
3 3
3 4
5 5
4 5
4 5
5 4
4 4
2 1
2 1
1 1
4 4
5 3
4 5
4 5
5 5
5 4
Unknown -
Unknown - Unscored
Unscored
Unknown -
Unknown - Unscored
Unscored
Unknown -
Unknown - Unscored
Unscored
Unknown -
Unknown - Unscored
Unscored
4 4
3 3
5 5
4 4
2 2
3 3
3 3
4 4
5 5
4 4
5 5
4 4
4 4
1 1
1 1
1 1
4 4
4 4
4 4
5 5
5 5
5 5
#DIV/0! #DIV/0!
#DIV/0! #DIV/0!
#DIV/0! #DIV/0!
#DIV/0! #DIV/0!
 Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 Unknown - N/A 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
d CSAT

ata only, and not meant to reflect

scoring. Only to be used for
poses.

CIS-Hosted CSAT for CIS

CIS-Hosted CSAT Values From XLSX Export
Controls v8.0

v8 IG1 Safeguard # Policy Defined Control Implemented

1.1 Approved Written Policy Implemented on Most Systems

1.2 Partially Written Policy Implemented on Some Systems
2.1 Approved Written Policy Implemented on All Systems
2.2 Partially Written Policy Implemented on Some Systems
2.3 Informal Policy Parts of Policy Implemented
3.1 Partially Written Policy Implemented on Some Systems
3.2 Partially Written Policy Implemented on Some Systems
3.3 Partially Written Policy Implemented on All Systems
3.4 Approved Written Policy Implemented on All Systems
3.5 Approved Written Policy Implemented on Some Systems
3.6 Approved Written Policy Implemented on Most Systems
4.1 Partially Written Policy Implemented on Most Systems
4.2 Partially Written Policy Implemented on Most Systems
4.3 No Policy Not Implemented
4.4 No Policy Not Implemented
4.5 No Policy Not Implemented
4.6 Approved Written Policy Implemented on Most Systems
4.7 Written Policy Implemented on Most Systems
5.1 Partially Written Policy Implemented on Most Systems
5.2 Written Policy Implemented on All Systems
5.3 Written Policy Implemented on All Systems
5.4 Approved Written Policy Implemented on Most Systems
6.1 None None

6.2 None None

6.3 None None

6.4 None None

6.5 None None
7.1 Approved Written Policy Implemented on All Systems
7.2 Approved Written Policy Implemented on All Systems
7.3 Approved Written Policy Implemented on All Systems
7.4 None None

8.1 None None

8.2 Approved Written Policy Implemented on All Systems
8.3 Approved Written Policy Implemented on All Systems
9.1 None None

9.2 None None

10.1 None None

10.2 None None

10.3 None None

11.1 None None

11.2 Approved Written Policy Implemented on All Systems
11.3 None None

11.4 None None

12.1 No Policy Not Implemented
14.1 No Policy Not Implemented
14.2 Approved Written Policy Implemented on Most Systems
14.3 Written Policy Implemented on Most Systems
14.4 Partially Written Policy Implemented on Most Systems
14.5 Written Policy Implemented on All Systems
14.6 Written Policy Implemented on All Systems
14.7 Approved Written Policy Implemented on Most Systems
14.8 Partially Written Policy Implemented on Most Systems
15.1 Written Policy Implemented on All Systems
17.1 Written Policy Implemented on All Systems
17.2 No Policy Not Implemented
17.3 No Policy Not Implemented
CSAT Values From XLSX Export Calculated Numerical Score

Control Automated Control Reported Policy Defined Control Implemented

Automated on All Systems Reported on Some Systems 5 4

Automated on Some Systems Reported on Most Systems 3 3
Automated on All Systems Reported on All Systems 5 5
Automated on Most Systems Reported on All Systems 3 3
Parts of Policy Automated Reported on Some Systems 2 2
Automated on Some Systems Reported on Most Systems 3 3
Automated on Some Systems Reported on Some Systems 3 3
Automated on Some Systems Reported on Most Systems 3 5
Automated on All Systems Reported on All Systems 5 5
Automated on Most Systems Reported on All Systems 5 3
Automated on Most Systems Reported on All Systems 5 4
Automated on All Systems Reported on Most Systems 3 4
Automated on Most Systems Reported on Most Systems 3 4
Parts of Policy Automated Not Reported 1 1
Parts of Policy Automated Not Reported 1 1
Not Automated Not Reported 1 1
Automated on Most Systems Reported on Most Systems 5 4
Automated on All Systems Reported on Some Systems 4 4
Automated on Most Systems Reported on All Systems 3 4
Automated on Most Systems Reported on All Systems 4 5
Automated on All Systems Reported on All Systems 4 5
Automated on All Systems Reported on Most Systems 5 4
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
 Unknown -
None None Unknown - Unscored
Unscored
Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Automated on All Systems Reported on All Systems 5 5
Automated on All Systems Reported on All Systems 5 5
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Automated on All Systems Not Applicable 5 5
Unknown -
None None Unknown - Unscored
Unscored
Unknown -
None None Unknown - Unscored
Unscored
Parts of Policy Automated Not Reported 1 1
Not Automated Not Reported 1 1
Automated on Most Systems Reported on Most Systems 5 4
Automated on All Systems Reported on Some Systems 4 4
Automated on Most Systems Reported on All Systems 3 4
Automated on Most Systems Reported on All Systems 4 5
Automated on All Systems Reported on All Systems 4 5
Automated on All Systems Reported on Most Systems 5 4
Automated on Most Systems Reported on All Systems 3 4
Automated on Most Systems Reported on All Systems 4 5
Automated on All Systems Reported on All Systems 4 5
Parts of Policy Automated Not Reported 1 1
Not Automated Not Reported 1 1
lculated Numerical Score
CIS RAM Maturity Score CIS RAM Maturity Score
Average
Control Automated Control Reported
5 3
3 4
5 5
4 5
2 3
3 4
3 3
3 4
5 5
4 5
4 5
5 4
4 4
2 1
2 1
1 1
4 4
5 3
4 5
4 5
5 5
5 4
Unknown -
Unknown - Unscored
Unscored
Unknown -
Unknown - Unscored
Unscored
Unknown -
Unknown - Unscored
Unscored
Unknown -
Unknown - Unscored
Unscored
Final
4 4
3 3
5 5
4 4
2 2
3 3
3 3
4 4
5 5
4 4
5 5
4 4
4 4
1 1
1 1
1 1
4 4
4 4
4 4
5 5
5 5
5 5
#DIV/0! #DIV/0!
#DIV/0! #DIV/0!
#DIV/0! #DIV/0!
#DIV/0! #DIV/0!
 Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 Unknown - N/A 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
4 5 4 4
4 5 5 5
5 5 5 5
2 1 1 1
1 1 1 1