Professional Documents
Culture Documents
1 for IG2
The CIS RAM for IG2 Workbook protects most cells in the Risk Register and lookup t
accidentally changing the formulas and lookups that automate the risk analysis and m
If users are confident in their use of Microsoft® Excel and wish to modify values, such
Criteria, they may “unprotect” the document by going to the “Review” tab in the Excel
“Unprotect sheet” button. However, guidance for maintenance of the Workbook, form
cells is beyond the scope of this document.
r IG2
ster and lookup tables to prevent users from
k analysis and make it simple.
https://www.cisecurity.org/controls/v8/
This is a free tool with a dynamic list of the CIS Safeguards that can be filtered by Implementation Groups and mappings to multiple
frameworks.
https://www.cisecurity.org/controls/v8
Join our Community where you can discuss the CIS Controls with our global army of experts and volunteers!
https://workbench.cisecurity.org/dashboard
Overview: The CIS Controls® Self Assessment Tool, also known as CIS CSAT, enables organizations to assess and track their
implementation of the CIS Controls for Versions 8 and 7.1. The CIS Controls are a prioritized set of consensus-developed security best
practices used by organizations around the world to defend against cyber threats.
TWO TYPES:
CIS-Hosted CSAT: The CIS-hosted version of CIS CSAT is free to every organization for use in a non-commercial capacity to conduct
CIS Controls assessments of their organization. (released January 2019)
https://csat.cisecurity.org/
CIS CSAT Pro: The on-premises version of CIS CSAT is available exclusively for CIS SecureSuite Members. This version offers
additional features and benefits: Save time by using a simplified scoring method with a reduced number of questions, Decide whether to
opt in to share data and see how scores compare to industry average, Greater flexibility with organization trees for tracking
organizations, sub-organizations, and assessments, Assign users to different roles for different organizations/sub-organizations as well
as greater separation of administrative and non-administrative roles, Track multiple concurrent assessments in the same organization,
Easily access your tasks, assessments, and organizations from a consolidated home page, Includes CIS Controls Safeguard mappings
to NIST CSF, NIST SP 800-53, and PCI. (released August 2020)
https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat/
Prompt
How would you concisely describe the benefit that your
1 Mission enterprise provides your customers, clients, constituents, or the
public? This is why they engage in this risk with you.
Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Describe i
determine that the impacts to your mission were acceptable, or unacceptable.
Prompt
Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Describe i
determine that the impacts to your operational objectives were acceptable, or unacceptable.
Prompt
What are the unexpected cost outlays that your enterprise could
3 Financial Objectives or could not tolerate?
Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Describe i
determine that the impacts to your financial objectives were acceptable, or unacceptable.
Prompt
Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Describe i
determine that the impacts to your obligations (harm, to others) were acceptable, or unacceptable.
ecurity incident. Describe in the spaces provided below how you would
Response
The mission would remain intact.
This mission would not be perfectly achieved, but could be
recovered within normal operations.
Response
ecurity incident. Describe in the spaces provided below how you would
ceptable.
Response
Response
ecurity incident. Describe in the spaces provided below how you would
ptable.
Response
Response
ecurity incident. Describe in the spaces provided below how you would
or unacceptable.
Response
No harm could foreseeably result.
Any harm that could result would not require correction, repair,
or compensation to make the harmed parties "whole."
2 Impact Criteria
Impact Scores
Definition
1. Negligible
2. Acceptable
3. Unacceptable
4. High
5. Catastrophic
3 Expectancy Criteria
Expectancy Score
1
Asset Class
Enterprise
Devices
Applications
Data
Network
Users
Enterprise Name
Scope
Last Completed (Date)
Expectancy Criteria
Safeguard would reliably prevent the
Remote
threat.
Safeguard would reliably prevent most
Unlikely
occurrences of the threat.
Safeguard would prevent as many threat
As likely as not
occurrences as it would miss.
Safeguard would prevent few threat
Likely
occurrences.
Safeguard would not prevent threat
Certain
occurrences.
Expectancy Impact
The "Enterprise" Asset Class will automatically use the highest Impact Score you provide for the assets below.
Applications 2.1
Applications 2.2
Applications 2.3
Applications 2.4
Applications 2.6
Applications 3.1
Applications 3.2
Applications 3.4
Applications 3.5
Applications 3.6
Applications 3.7
Applications 5.1
Applications 5.2
Applications 5.3
Applications 5.4
Applications 5.5
Applications 7.1
Applications 7.2
Applications 7.3
Data 10.1
Data 10.2
Data 10.3
Data 10.4
Data 10.5
Data 13.1
Data 13.2
Data 13.4
Data 13.6
Data 13.7
Data 14.4
Data 14.6
Devices 1.1
Devices 1.3
Devices 1.4
Devices 1.5
Devices 1.6
Devices 1.7
Devices 8.1
Devices 8.2
Devices 8.3
Devices 8.4
Devices 8.5
Devices 8.6
Devices 8.8
Devices 9.1
Devices 9.2
Devices 9.3
Devices 9.4
Devices 15.6
Devices 15.9
Enterprise 17.1
Enterprise 17.2
Enterprise 17.3
Enterprise 17.4
Enterprise 17.5
Enterprise 17.6
Enterprise 17.7
Enterprise 17.8
Enterprise 17.9
Enterprise 18.1
Enterprise 18.2
Enterprise 18.3
Enterprise 18.4
Enterprise 18.5
Enterprise 18.6
Enterprise 18.7
Enterprise 18.8
Enterprise 18.9
Enterprise 18.10
Enterprise 18.11
Enterprise 19.1
Enterprise 19.2
Enterprise 19.3
Enterprise 19.4
Enterprise 19.5
Enterprise 19.6
Enterprise 19.7
Enterprise 20.1
Enterprise 20.2
Enterprise 20.4
Enterprise 20.5
Enterprise 20.6
Enterprise 20.8
Network 6.1
Network 6.2
Network 6.3
Network 6.4
Network 6.5
Network 6.6
Network 6.7
Network 7.4
Network 7.5
Network 7.6
Network 7.7
Network 7.8
Network 7.9
Network 8.7
Network 11.1
Network 11.2
Network 11.3
Network 11.4
Network 11.5
Network 11.6
Network 11.7
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 12.8
Network 14.1
Network 14.2
Network 14.3
Network 15.1
Network 15.2
Network 15.3
Network 15.7
Network 15.10
Users 3.3
Users 4.1
Users 4.2
Users 4.3
Users 4.4
Users 4.5
Users 4.6
Users 4.7
Users 4.8
Users 4.9
Users 12.11
Users 16.1
Users 16.2
Users 16.3
Users 16.4
Users 16.5
Users 16.6
Users 16.7
Users 16.8
Users 16.9
Users 16.10
Users 16.11
Users 16.12
NIST CSF Security
CIS Safeguard Title IG1 IG2 Our Implementation
Function
Disable Unnecessary or
Unauthorized Browser or Email x Protect
Client Plugins
Subscribe to URL-Categorization
x Protect
Service
2
2
1
1
3
3
3
3
1
1
1
1
1
3
3
3
3
3
3
3
3
Risk Register
Impact to Impact to
Impact to
Operational Financial Risk Score Risk Level
Obligations
Objectives Objectives
Risk Treatment
2.1
2.2
2.3
2.4
2.6
3.1
3.2
3.4
3.5
3.6
3.7
5.1
5.2
5.3
5.4
5.5
7.1
7.2
7.3
10.1
10.2
10.3
10.4
10.5
13.1
13.2
13.4
13.6
13.7
14.4
14.6
1.1
1.3
1.4
1.5
1.6
1.7
8.1
8.2
8.3
8.4
8.5
8.6
8.8
9.1
9.2
9.3
9.4
15.6
15.9
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
18.6
18.7
18.8
18.9
18.1
18.11
19.1
19.2
19.3
19.4
19.5
19.6
19.7
20.1
20.2
20.4
20.5
20.6
20.8
6.1
6.2
6.3
6.4
6.5
6.6
6.7
7.4
7.5
7.6
7.7
7.8
7.9
8.7
11.1
11.2
11.3
11.4
11.5
11.6
11.7
12.1
12.2
12.3
12.4
12.5
12.6
12.8
14.1
14.2
14.3
15.1
15.2
15.3
15.7
15.10
3.3
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
12.11
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
Risk Treatment
Safeguard Title
Protect Backups
Maintain an up-to-date list of all authorized software that is required in the enterprise
for any business purpose on any business system.
Ensure that only software applications or operating systems currently supported and
receiving vendor updates are added to the organization's authorized software
inventory. Unsupported software should be tagged as unsupported in the inventory
system.
Utilize software inventory tools throughout the organization to automate the
documentation of all software on business systems.
The software inventory system should track the name, version, publisher, and install
date for all software, including operating systems authorized by the organization.
Deploy automated software update tools in order to ensure that the operating systems
are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on
all systems is running the most recent security updates provided by the software
vendor.
Regularly compare the results from consecutive vulnerability scans to verify that
vulnerabilities have been remediated in a timely manner.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Maintain documented security configuration standards for all authorized operating
systems and software.
Maintain secure images or templates for all systems in the enterprise based on the
organization's approved configuration standards. Any new system deployment or
existing system that becomes compromised should be imaged using one of those
images or templates.
Store the master images and templates on securely configured servers, validated with
integrity monitoring tools, to ensure that only authorized changes to the images are
possible.
Deploy system configuration management tools that will automatically enforce and
redeploy configuration settings to systems at regularly scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration
monitoring system to verify all security configuration elements, catalog approved
exceptions, and alert when unauthorized changes occur.
Ensure that only fully supported web browsers and email clients are allowed to
execute in the organization, ideally only using the latest version of the browsers and
email clients provided by the vendor.
Ensure that only authorized scripting languages are able to run in all web browsers
and email clients.
Ensure that all of the organization's key systems are backed up as a complete system,
through processes such as imaging, to enable the quick recovery of an entire system.
Ensure that backups are properly protected via physical security or encryption when
they are stored, as well as when they are moved across the network. This includes
remote backups and cloud services.
Ensure that all backups have at least one offline (i.e., not accessible via a network
connection) backup destination.
Maintain an inventory of all sensitive information stored, processed, or transmitted by
the organization's technology systems, including those located on-site or at a remote
service provider.
Remove sensitive data or systems not regularly accessed by the organization from the
network. These systems shall only be used as stand-alone systems (disconnected
from the network) by the business unit needing to occasionally use the system or
completely virtualized and powered off until needed.
Protect all information stored on systems with file system, network share, claims,
application, or database specific access control lists. These controls will enforce the
principle that only authorized individuals should have access to the information based
on their need to access the information as a part of their responsibilities.
Maintain an accurate and up-to-date inventory of all technology assets with the
potential to store or process information. This inventory shall include all hardware
assets, whether connected to the organization's network or not.
Ensure that the hardware asset inventory records the network address, hardware
address, machine name, data asset owner, and department for each asset and
whether the hardware asset has been approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined, or
the inventory is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices
can authenticate to the network. The authentication system shall be tied into the
hardware asset inventory data to ensure only authorized devices can connect to the
network.
Utilize centrally managed anti-malware software to continuously monitor and defend
each of the organization's workstations and servers.
Ensure that the organization's anti-malware software updates its scanning engine and
signature database on a regular basis.
Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address
Space Layout Randomization (ASLR) that are available in an operating system or
deploy appropriate toolkits that can be configured to apply protection to a broader set
of applications and executables.
Configure devices so that they automatically conduct an anti-malware scan of
removable media when inserted or connected.
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and
event log servers for analysis and alerting.
Enable command-line audit logging for command shells, such as Microsoft PowerShell
and Bash.
Associate active ports, services, and protocols to the hardware assets in the asset
inventory.
Ensure that only network ports, protocols, and services listening on a system with
validated business needs are running on each system.
Perform automated port scans on a regular basis against all systems and alert if
unauthorized ports are detected on a system.
Disable wireless peripheral access of devices [such as Bluetooth and Near Field
Communication (NFC)], unless such access is required for a business purpose.
Perform a skills gap analysis to understand the skills and behaviors workforce
members are not adhering to, using this information to build a baseline education
roadmap.
Deliver training to address the skills gap identified to positively impact workforce
members' security behavior.
Create a security awareness program for all workforce members to complete on a
regular basis to ensure they understand and exhibit the necessary behaviors and skills
to help ensure the security of the organization. The organization's security awareness
program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at
least annually) to address new technologies, threats, standards, and business
requirements.
Train workforce members on the importance of enabling and utilizing secure
authentication.
Train the workforce on how to identify different forms of social engineering attacks,
such as phishing, phone scams, and impersonation calls.
Train workforce members on how to identify and properly store, transfer, archive, and
destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures,
such as losing their mobile devices or emailing the wrong person due to autocomplete
in email.
Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being
adhered to for internally developed software.
Plan and conduct routine incident, response exercises and scenarios for the workforce
involved in the incident response to maintain awareness and comfort in responding to
real-world threats. Exercises should test communication channels, decision making,
and incident responders technical capabilities using tools and data available to them.
Establish a program for penetration tests that includes a full scope of blended attacks,
such as wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and
attack vectors that can be used to exploit enterprise systems successfully.
Include tests for the presence of unprotected system information and artifacts that
would be useful to attackers, including network diagrams, configuration files, older
penetration test reports, e-mails or documents containing passwords or other
information critical to system operation.
Create a test bed that mimics a production environment for specific penetration tests
and Red Team attacks against elements that are not typically tested in production,
such as attacks against supervisory control and data acquisition and other control
systems.
Use vulnerability scanning and penetration testing tools in concert. The results of
vulnerability scanning assessments should be used as a starting point to guide and
focus penetration testing efforts.
Any user or system accounts used to perform penetration testing should be controlled
and monitored to make sure they are only being used for legitimate purposes, and are
removed or restored to normal function after testing is over.
Use at least three synchronized time sources from which all servers and network
devices retrieve time information on a regular basis so that timestamps in logs are
consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as a event source, date,
user, timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs
generated.
Ensure that appropriate logs are being aggregated to a central log management
system for analysis and review.
Deploy Security Information and Event Management (SIEM) or log analytic tool for log
correlation and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
Enforce network-based URL filters that limit a system's ability to connect to websites
not approved by the organization. This filtering shall be enforced for each of the
organization's systems, whether they are physically at an organization's facilities or
not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the
most recent website category definitions available. Uncategorized sites shall be
blocked by default.
Log all URL requests from each of the organization's systems, whether on-site or a
mobile device, in order to identify potentially malicious activity and assist incident
handlers with identifying potentially compromised systems.
Use Domain Name System (DNS) filtering services to help block access to known
malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement
Domain-based Message Authentication, Reporting and Conformance (DMARC) policy
and verification, starting by implementing the Sender Policy Framework (SPF) and the
DomainKeys Identified Mail(DKIM) standards.
Block all email attachments entering the organization's email gateway if the file types
are unnecessary for the organization's business.
Enable Domain Name System (DNS) query logging to detect hostname lookups for
known malicious domains.
Maintain documented security configuration standards for all authorized network
devices.
All configuration rules that allow traffic to flow through network devices should be
documented in a configuration management system with a specific business reason
for each rule, a specific individual’s name responsible for that business need, and an
expected duration of the need.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or
tasks requiring elevated access. This machine shall be segmented from the
organization's primary network and not be allowed Internet access. This machine shall
not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated
from the business use of that network, relying on separate VLANs or, preferably, on
entirely different physical connectivity for management sessions for network devices.
Perform regular scans from outside each trusted network boundary to detect any
unauthorized connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit
access only to trusted and necessary IP address ranges at each of the organization's
network boundaries,.
Deny communication over unauthorized TCP or UDP ports or application traffic to
ensure that only authorized protocols are allowed to cross the network boundary in or
out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the
boundary at each of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual
attack mechanisms and detect compromise of these systems at each of the
organization's network boundaries.
Enable the collection of NetFlow and logging data on all network boundary devices.
Segment the network based on the label or classification level of the information
stored on the servers, locate all sensitive information on separated Virtual Local Area
Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are
able to communicate with other systems necessary to fulfill their specific
responsibilities.
Disable all workstation-to-workstation communication to limit an attacker's ability to
move laterally and compromise neighboring systems, through technologies such as
Private VLANs or micro segmentation.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Use automated tools to inventory all administrative accounts, including domain and
local accounts, to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values
consistent with administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary
account for elevated activities. This account should only be used for administrative
activities and not internet browsing, email, or similar activities.
Use multi-factor authentication and encrypted channels for all administrative account
access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks
requiring administrative access. This machine will be segmented from the
organization's primary network and not be allowed Internet access. This machine will
not be used for reading e-mail, composing documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only
administrative or development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or
removed from any group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an
administrative account.
Require all remote login access to the organization's network to encrypt data in transit
and use multi-factor authentication.
Maintain an inventory of each of the organization's authentication systems, including
those located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication
as possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether
managed on-site or by a third-party provider.
Encrypt or hash with a salt all authentication credentials when stored.
Ensure that all account usernames and authentication credentials are transmitted
across networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling
accounts immediately upon termination or change of responsibilities of an employee or
contractor . Disabling these accounts, instead of deleting accounts, allows
preservation of audit trails.
Disable any account that cannot be associated with a business process or business
owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Reasonable Annual Cost
Impact to
Implementation Implementation Reasonabl
Financial Year
Quarter Year e?
Objectives
$ - 2021 Yes
$ - 2022 Yes
$ - 2023 Yes
$ - 2024 Yes
$ - 2025 Yes
$ - 2026 Yes
$ - 2027 Yes
$ - 2028 Yes
$ - 2029 Yes
$ - 2030 Yes
Enterprise Name
Enterprise Risk Scope
Assessment Criteria Last Completed (Date)
Devices 1.1
Devices 1.2
Devices 1.3
Devices 1.4
Applications 2.1
Applications 2.2
Applications 2.3
Applications 2.4
Applications 2.5
Applications 2.6
Data 3.1
Data 3.2
Data 3.3
Data 3.4
Data 3.5
Devices 3.6
Data 3.7
Data 3.8
Data 3.9
Data 3.10
Data 3.11
Network 3.12
Applications 4.1
Network 4.2
Users 4.3
Devices 4.4
Devices 4.5
Network 4.6
Users 4.7
Devices 4.8
Devices 4.9
Devices 4.10
Devices 4.11
Users 5.1
Users 5.2
Users 5.3
Users 5.4
Users 5.5
Users 5.6
Users 6.1
Users 6.2
Users 6.3
Users 6.4
Users 6.5
Users 6.6
Users 6.7
Applications 7.1
Applications 7.2
Applications 7.3
Applications 7.4
Applications 7.5
Applications 7.6
Applications 7.7
Network 8.1
Network 8.11
Network 8.2
Network 8.3
Network 8.4
Network 8.5
Network 8.6
Network 8.7
Devices 8.8
Network 8.9
Network 8.10
Applications 9.1
Network 9.2
Network 9.3
Applications 9.4
Network 9.5
Network 9.6
Devices 10.1
Devices 10.2
Devices 10.3
Devices 10.4
Devices 10.5
Devices 10.6
Devices 10.7
Data 11.1
Data 11.2
Data 11.3
Data 11.4
Data 11.5
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Devices 12.7
Network 13.1
Devices 13.2
Network 13.3
Network 13.4
Devices 13.5
Network 13.6
Enterprise 14.1
Enterprise 14.2
Enterprise 14.3
Enterprise 14.4
Enterprise 14.5
Enterprise 14.6
Enterprise 14.7
Enterprise 14.8
Enterprise 14.9
Enterprise 15.1
Enterprise 15.2
Enterprise 15.3
Enterprise 15.4
Applications 16.1
Applications 16.2
Applications 16.3
Applications 16.4
Applications 16.5
Applications 16.6
Applications 16.7
Applications 16.8
Applications 16.9
Applications 16.10
Applications 16.11
Enterprise 17.1
Enterprise 17.2
Enterprise 17.3
Enterprise 17.4
Enterprise 17.5
Enterprise 17.6
Enterprise 17.7
Enterprise 17.8
Enterprise 18.1
Network 18.2
Network 18.3
NIST CSF Security
CIS Safeguard Title IG1 IG2 Our Implementation
Function
Restrict Unnecessary or
Unauthorized Browser and Email x Protect
Client Extensions
2
2
1
2
3
3
2
2
1
1
1
1
1
1
3
3
2
2
2
3
1
Risk Register Risk Treatment
Impact to Impact to
Impact to
Operational Financial Risk Score Risk Level Risk Treatment Option
Obligations
Objectives Objectives
ment
Risk Treatment
Risk Treatment Safeguard
Safeguard Title
Uninstall or Disable
4.8 Unnecessary Services on
Enterprise Assets and Software
Centralize Account
5.6
Management
Establish an Access Granting
6.1
Process
Perform Automated
7.5 Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
7.6
Externally-Exposed Enterprise
Assets
Remediate Detected
7.7
Vulnerabilities
Restrict Unnecessary or
9.4 Unauthorized Browser and
Email Client Extensions
Enable Anti-Exploitation
10.5
Features
Centralize Network
12.5 Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
12.6 Management and
Communication Protocols
Ensure Remote Devices Utilize
a VPN and are Connecting to
12.7
an Enterprise’s AAA
Infrastructure
Centralize Security Event
13.1
Alerting
Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from
connecting remotely to the network, or quarantine the asset.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address
management tools to update the enterprise’s asset inventory. Review and use logs
to update the enterprise’s asset inventory weekly, or more frequently.
Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
Establish and maintain a secure configuration process for enterprise assets (end-
user devices, including portable and mobile, non-computing/IoT devices, and
servers) and software (operating systems and applications). Review and update
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur
that could impact this Safeguard.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring
schedule at a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation
includes, at a minimum, an 8-character password for accounts using MFA and a 14-
character password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management
process, has been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the
enterprise’s audit log management process.
Standardize time synchronization. Configure at least two synchronized time sources
across enterprise assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data.
Include event source, date, username, timestamp, source addresses, destination
addresses, and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and
supported.
Collect URL request audit logs on enterprise assets, where appropriate and
supported.
Collect command-line audit logs. Example implementations include collecting audit
logs from PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across
enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided
through the vendor.
Use DNS filtering services on all enterprise assets to block access to known
malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example
implementations include category-based filtering, reputation-based filtering, or
through the use of block lists. Enforce filters for all enterprise assets.
To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Establish and maintain a data recovery process. In the process, address the scope
of data recovery activities, recovery prioritization, and the security of backup data.
Review and update documentation annually, or when significant enterprise changes
occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or
more frequently, based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference
encryption or data separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example
implementations include, version controlling backup destinations through offline,
cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope
enterprise assets.
Ensure network infrastructure is kept up-to-date. Example implementations include
running the latest stable release of software and/or using currently supported
network-as-a-service (NaaS) offerings. Review software versions monthly, or more
frequently, to verify software support.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).
Train workforce members on how to identify and properly store, transfer, archive,
and destroy sensitive data. This also includes training workforce members on clear
screen and desk best practices, such as locking their screen when they step away
from their enterprise asset, erasing physical and virtual whiteboards at the end of
meetings, and storing data and assets securely.
Train workforce to understand how to verify and report out-of-date software patches
or any failures in automated processes and tools. Part of this training should include
notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data
over, insecure networks for enterprise activities. If the enterprise has remote
workers, training must include guidance to ensure that all users securely configure
their home network infrastructure.
Conduct role-specific security awareness and skills training. Example
implementations include secure system administration courses for IT professionals,
OWASP® Top 10 vulnerability awareness and prevention training for web
application developers, and advanced social engineering awareness training for
high-profile roles.
Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise
contact for each service provider. Review and update the inventory annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and
decommissioning of service providers. Review and update the policy annually, or
when significant enterprise changes occur that could impact this Safeguard.
Classify service providers. Classification consideration may include one or more
characteristics, such as data sensitivity, data volume, availability requirements,
applicable regulations, inherent risk, and mitigated risk. Update and review
classifications annually, or when significant enterprise changes occur that could
impact this Safeguard.
Establish and maintain a severity rating system and process for application
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe
bugs are fixed first. Review and update the system and process annually.
Ensure that all software development personnel receive training in writing secure
code for their specific development environment and responsibilities. Training can
include general security principles and application security standard practices.
Conduct training at least annually and design in a way to promote security within the
development team, and build a culture of security among the developers.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts, as applicable. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate
and report during a security incident. Mechanisms can include phone calls, emails,
or letters. Keep in mind that certain mechanisms, such as emails, can be affected
during a security incident. Review annually, or when significant enterprise changes
occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key
personnel involved in the incident response process to prepare for responding to
real-world incidents. Exercises need to test communication channels, decision
making, and workflows. Conduct testing on an annual basis, at a minimum.
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Reasonable Annual Cost
Impact to
Implementation Reasonabl
Implementation Year Financial Year
Quarter e?
Objectives
$ - 2021 Yes
$ - 2022 Yes
$ - 2023 Yes
$ - 2024 Yes
$ - 2025 Yes
$ - 2026 Yes
$ - 2027 Yes
$ - 2028 Yes
$ - 2029 Yes
$ - 2030 Yes
Color
Color Key
CIS Safeguard #
Our Implementation
Evidence of Implementation
Vulnerabilities
Risk Analysis
Safeguard Maturity Score
VCDB Index
Expectancy Score
Impact to Mission
Meaning
The asset class, as published in the CIS Controls.
An optional field used to input the name of an individual asset to distinguish its risks from other
Asset Class risks.
The magnitude of harm that a successful threat would cause to your Mission.
The magnitude of harm that a successful threat would cause to your Operational Objectives.
The magnitude of harm that a successful threat would cause to your Financial Objectives.
The magnitude of harm that a successful threat would cause to your Obligations.
The product of the Expectancy and the highest of the three Impacts.
An evaluation of the risk as negligible, acceptable, unacceptable, high, or catastrophic.
A statement about whether the enterprise will accept or reduce the risk.
The unique CIS Safeguard identifier, as published in the CIS Controls.
The title of the CIS Safeguard, as published in the CIS Controls.
A brief description of how the Safeguard will be implemented and operated in the enterprise.
A score of '1' through '5' designating the planned reliability of a Safeguard's effectiveness
against threats.
An automatically calculated value to represent how commonly the related threat would be the
cause of a cybersecurity incident, given the planned Safeguard.
The magnitude of harm that a successful threat would cause to your Mission.
The magnitude of harm that a successful threat would cause to your Operational Objectives.
The magnitude of harm that a successful threat would cause to your Financial Objectives.
The magnitude of harm that a successful threat would cause to your Obligations.
The product of the Expectancy and the highest of the three impacts, given the planned
Safeguard.
A determination of whether the planned Safeguard is reasonable and acceptable.
An estimate of how much the Safeguard is expected to cost.
When the Safeguard is planned for completion of implementation (which quarter).
When the Safeguard is planned for completion of implementation (which year).
Risk Levels
Optional Required
Optional Use Default or Custom Responses
Optional Use Default or Custom Responses
sk Criteria
Required Required
Required Required
Asset Classes
Asset Classes
Applications
Data
Devices
Enterprise
Network
Users
Maturity Scores
Maturity Scores
1
2
3
4
5
Expectancy Criteria
Expectancy Scores
1
2
3
4
5
VCDB Index
Incident Count
Asset Class
Enterprise
Applications
Data
Devices
Network
Users
Unknown
Definition
Safeguard is not implemented or is inconsistently implemented.
Safeguard is implemented fully on some assets or partially on all
assets.
Safeguard is implemented on all assets.
Safeguard is tested and inconsistencies are corrected.
Safeguard has mechanisms that ensure consistent implementation
over time.
Expectancy
Remote
Unlikely
As likely as not
Likely
Certain
Maturity
5
5
5
5
5
4
4
4
4
4
3
3
3
3
3
2
2
2
2
2
1
1
1
1
1
Criteria
Safeguard would reliably prevent the threat.
Safeguard would reliably prevent most occurrences of the
threat.
Safeguard would prevent as many threat occurrences as it
would miss.
Safeguard would prevent few threat occurrences.
Safeguard would not prevent threat occurrences.
As of 7/29/2021
Percentage Index
50% 3
14% 2
50% 3
9% 1
1% 1
50% 3
10% 1
1.1
1.3
1.4
1.5
1.6
1.7
2.1
2.2
2.3
2.4
2.6
3.1
3.2
3.3
3.4
3.5
3.6
3.7
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
5.1
5.2
5.3
5.4
5.5
6.1
6.2
6.3
6.4
6.5
6.6
6.7
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
9.1
9.2
9.3
9.4
10.1
10.2
10.3
10.4
10.5
11.1
11.2
11.3
11.4
11.5
11.6
11.7
12.1
12.2
12.3
12.4
12.5
12.6
12.8
12.11
13.1
13.2
13.4
13.6
13.7
14.1
14.2
14.3
14.4
14.6
15.1
15.2
15.3
15.6
15.7
15.9
15.10
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
18.6
18.7
18.8
18.9
18.10
18.11
19.1
19.2
19.3
19.4
19.5
19.6
19.7
20.1
20.2
20.4
20.5
20.6
20.8
SAT Pro
CIS CSAT Pro for CIS Controls v8.0
1.1
1.2
1.3
1.4
2.1
2.2
2.3
2.4
2.5
2.6
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
5.1
5.2
5.3
5.4
5.5
5.6
6.1
6.2
6.3
6.4
6.5
6.6
6.7
7.1
7.2
7.3
7.4
7.5
7.6
7.7
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
9.1
9.2
9.3
9.4
9.5
9.6
10.1
10.2
10.3
10.4
10.5
10.6
10.7
11.1
11.2
11.3
11.4
11.5
12.1
12.2
12.3
12.4
12.5
12.6
12.7
13.1
13.2
13.3
13.4
13.5
13.6
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
18.1
18.2
18.3
Instructions for Importing CIS CSAT Pro Scores
into CIS RAM
1) In CIS CSAT Pro, filter on IG1 and IG2 and Export Filtered CSV.
a. Go to the Assessment Summary page for the assessment of interest (this is reachable from the
Assessment Summary tab at the top of the Assessment Dashboard for that assessment).
c. Find the appropriate section in the “CIS CSAT Pro” tab based on which CIS Controls version you
are using (either CSAT Pro for CIS Controls v7.1 or CSAT Pro for CIS Controls v8.0).
d. Paste the copied data into the appropriate section of the “CIS CSAT Pro” tab.
e. For instance, if you are using Controls v7.1, you might copy cells E2 to E141 from the CSAT Pro
CSV to C5 to C146 in the “CIS CSAT Pro” tab of the CIS RAM for IG2 Workbook.
3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, go to the appropriate CIS RAM tab – “3a. Risk Register Controls v7.1” for v7.1
of the CIS Controls or “3b. Risk Register Controls v8” for v8 of the CIS Controls.
a. Sort the Risk Register by ‘CIS Safeguard #,’ lowest to highest. (This is a critical step, as the Risk
Register is sorted by ‘Asset Class’ by default, not ‘CIS Safeguard #.’)
5) Copy the scores in the “CIS RAM Maturity Score Final” column into the “Safeguard Maturity Score”
column of the appropriate CIS RAM tab – “3a. Risk Register Controls v7.1” for v7.1 of the CIS Controls or
“3b. Risk Register Controls v8” for v8 of the CIS Controls.
a. Right-click to copy and “Paste Special” as “Values” (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT”
tabs, if present. If copied, these values can be deleted from the “Safeguard Maturity Score” cell and
will not affect the functionality of the CIS RAM Risk Register.
6) Re-sort the Risk Register by ‘Asset Class,’ A > Z.
Note: Please ensure that your enterprise's method for scoring Safeguards in CSAT Pro
aligns closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.
Maturity Scores
2
3
4
5
lease ensure that your enterprise's method for scoring Safeguards in CSAT Pro
closely enough with the CIS RAM Maturity Scores (defined below). Adjustments
may need to be made based on your current scoring.
Definition
1.1
1.3
1.4
1.5
1.6
1.7
2.1
2.2
2.3
2.4
2.6
3.1
3.2
3.3
3.4
3.5
3.6
3.7
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
5.1
5.2
5.3
5.4
5.5
6.1
6.2
6.3
6.4
6.5
6.6
6.7
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
9.1
9.2
9.3
9.4
10.1
10.2
10.3
10.4
10.5
11.1
11.2
11.3
11.4
11.5
11.6
11.7
12.1
12.2
12.3
12.4
12.5
12.6
12.8
12.11
13.1
13.2
13.4
13.6
13.7
14.1
14.2
14.3
14.4
14.6
15.1
15.2
15.3
15.6
15.7
15.9
15.10
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
18.6
18.7
18.8
18.9
18.10
18.11
19.1
19.2
19.3
19.4
19.5
19.6
19.7
20.1
20.2
20.4
20.5
20.6
20.8
CIS-Hosted CSAT
Control Automated Control Reported
Maturity Scores
Unknown -
None None
Unscored
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
CIS-Hosted CSA
1.1
1.2
1.3
1.4
2.1
2.2
2.3
2.4
2.5
2.6
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
5.1
5.2
5.3
5.4
5.5
5.6
6.1
6.2
6.3
6.4
6.5
6.6
6.7
7.1
7.2
7.3
7.4
7.5
7.6
7.7
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
9.1
9.2
9.3
9.4
9.5
9.6
10.1
10.2
10.3
10.4
10.5
10.6
10.7
11.1
11.2
11.3
11.4
11.5
12.1
12.2
12.3
12.4
12.5
12.6
12.7
13.1
13.2
13.3
13.4
13.5
13.6
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
18.1
18.2
18.3
CSAT Values From XLSX Export Calculated Numerical Score
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
#N/A #N/A
lculated Numerical Score
CIS RAM Maturity CIS RAM Maturity
Score Average Score Final
Control Automated Control Reported
1) In CIS-Hosted CSAT, filter on IG1 and IG2 and export the filtered Safeguards.
a. Go to the All Controls page for the assessment of interest (this is reachable from the All Control
the left under “Current Assessment”).
b. Click the Filter button.
c. Select both “Group 1” and “Group 2” for the Implementation Group filter and click Filter.
d. Check to see if any of these Safeguards are in the blue (Not Assessed) state. You can see this
there will be a colored circle in each row by the Safeguard number. Any Safeguards that have a blue
export; if you have any blue Safeguards and you want to continue these steps, one way to get them
to:
i. Select the checkbox next to each blue Safeguard.
ii. Select “Un-Assign the control” from the Bulk Action option dropdown and click the “Save”
dropdown. Please note: If any of the selected Safeguards were assigned, this will remove the
date.
e. Click the Download Report button to export the report.
2) Copy your scores from the exported CIS-Hosted CSAT XLSX file to the CIS RAM for IG2 Workbook.
a. In the CIS-Hosted CSAT XLSX file, copy the contents of columns E through H (labeled Policy D
Implemented, Control Automated, and Control Reported) excluding the heading row.
b. Go to the “CIS-Hosted CSAT” tab in the CIS RAM for IG2 Workbook.
c. Find the appropriate section in the “CIS-Hosted CSAT” tab based on which CIS Controls version
CIS-Hosted CSAT for CIS Controls v7.1 or CIS-Hosted CSAT for CIS Controls v8).
d. Paste the copied data into the appropriate section of the “CIS-Hosted CSAT” tab.
e. For instance, if you are using Controls v7.1, you might copy the cells from E2:E141 over to H2:H
Hosted CSAT XLSX file, select cell C14 in the “CIS-Hosted CSAT” tab in the CIS RAM for IG2 Workb
there.
3) Note: Adjustments may need to be made based on your scoring from CSAT to CIS RAM.
4) Once scores are final, go to the appropriate CIS RAM tab – “3a. Risk Register Controls v7.1” for v7.1 o
“3b. Risk Register Controls v8” for v8 of the CIS Controls.
a. Sort the Risk Register by ‘CIS Safeguard #,’ lowest to highest. (This is a critical step, as the Ris
‘Asset Class’ by default, not ‘CIS Safeguard #.’)
5) Copy the scores in the “CIS RAM Maturity Score Final” column into the “Safeguard Maturity Score” colu
CIS RAM tab – “3a. Risk Register Controls v7.1” for v7.1 of the CIS Controls or “3b. Risk Register Controls v
Controls.
a. Right-click to copy and “Paste Special” as “Values” (e.g., 1,2,3).
b. Note: Values of ‘N’ and ‘DIV/0!’ may copy over from the “CIS CSAT Pro” and “CIS-Hosted CSAT
copied, these values can be deleted from the “Safeguard Maturity Score” cell and will not affect the f
RAM Risk Register.
6) Re-sort the Risk Register by ‘Asset Class,’ A > Z.
Note: This method will average the four scoring categories in CIS-Hosted CSAT for each Safegu
those averages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, a
to ensure this method aligns closely enough for your enterprise's scoring practice
Maturity Scores
3
4
5
is method will average the four scoring categories in CIS-Hosted CSAT for each Safeguard and aligns
ages with the CIS RAM Maturity Scores. Please review the CIS RAM Maturity Scores, as defined below,
to ensure this method aligns closely enough for your enterprise's scoring practices.
Definition
Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Descr
determine that the impacts to your mission were acceptable, or unacceptable.
Impact Magnitude
Negligible
Acceptable
Unacceptable
High
Catastrophic
Operational
2
Objectives
Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Descr
determine that the impacts to your operational objectives were acceptable, or unacceptable.
Impact Magnitude
Negligible
Acceptable
Unacceptable
High
Catastrophic
3 Financial Objectives
Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Descr
determine that the impacts to your financial objectives were acceptable, or unacceptable.
Impact Magnitude
Negligible
Acceptable
Unacceptable
High
Catastrophic
4 Obligations
Instructions: Imagine that your enterprise suffers a cybersecurity or information security incident. Descr
determine that the impacts to your obligations (harm, to others) were acceptable, or unacceptable.
Impact Magnitude
Negligible
Acceptable
Unacceptable
High
Catastrophic
Prompt
How would you concisely describe the benefit that your enterprise
provides your customers, clients, constituents, or the public? This is
why they engage in this risk with you.
agine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would
he impacts to your mission were acceptable, or unacceptable.
Prompt
What observable evidence would you have that your mission - as you
defined it above - would be unaffected?
What observable evidence would you have that your mission would be
compromised, but it would not require correction?
What observable evidence would you have that your mission would be
compromised in a way that would require correction, but the correction
could be achieved through the normal course of business?
What observable evidence would you have that your mission would be
compromised so badly that extraordinary efforts would be required to
restore it?
What observable evidence would you have that your mission would be
compromised so badly that it could not be achieved?
Prompt
agine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would
he impacts to your operational objectives were acceptable, or unacceptable.
Prompt
What observable evidence would you have that your operational
objectives - as you defined them above - would be unaffected?
Prompt
What are the unexpected cost outlays that your enterprise could or
could not tolerate?
agine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would
he impacts to your financial objectives were acceptable, or unacceptable.
Prompt
What observable evidence would you have that your financial objectives
- as you defined them above - would be unaffected?
What observable evidence would you have that your financial objectives
would be compromised, but it would not require correction?
What observable evidence would you have that your financial objectives
would be compromised in a way that would require correction, but the
correction could be achieved through the normal course of business?
What observable evidence would you have that your financial objectives
would be compromised so badly that extraordinary efforts would be
required to restore them?
Leave this blank
Prompt
agine that your enterprise suffers a cybersecurity or information security incident. Describe in the spaces provided below how you would
he impacts to your obligations (harm, to others) were acceptable, or unacceptable.
Prompt
Describe a condition where others would not be harmed.
Response
Response
Ranked as #1 in all categories in annual "Custom Widget
World" Magazine poll.
Response
Response
$1,000
This enterprise could
tolerate a loss up to
$10,000 $10,000.
If this enterprise loses
more than $500,000,
$500,000 they could not recover.
$5,000,000
Response
Response
No customer would suffer a loss of competitive
advantage.
2 Impact Criteria
Impact Scores
Definition
1. Negligible
2. Acceptable
3. Unacceptable
4. High
5. Catastrophic
3 Expectancy Criteria
Expectancy Score
1
2
3
4
5
Asset Class
Enterprise
Devices
Applications
Data
Network
Users
Enterprise Name
Scope
Last Completed (Date)
Mission
Reliably produce just-in-time, custom widgets that meet
demanding resiliency and design specifications, and
within market-leading turnaround times.
All orders would be produced within specifications and on
time and without unplanned effort.
All orders would be produced within specifications and on
time, but some may require unplanned effort to stay within
tolerance metrics.
Few orders each quarter (outside of our tolerance
metrics) may miss targets, but could be corrected with
adjustments or discounts.
Expectancy
Remote
Unlikely
As likely as not
Likely
Certain
Expectancy
3
Acceptable Risk is less than …
What is the highest impact to the Mission, Operational Objectives, Financial Objectives, and Obligations that each Asset Type c
The "Enterprise" Asset Class will automatically use the highest Impact Score you provide for the assets below.
Mission Impact
4
2
4
3
3
3
Example Manufacturer
Enterprise
31-Jul-21
Operational Objectives
Criteria
Safeguard would reliably prevent the threat.
Safeguard would reliably prevent most occurrences of the
threat.
Safeguard would prevent as many threat occurrences as
it would miss.
Safeguard would prevent few threat occurrences.
Safeguard would not prevent threat occurrences.
Impact
3
9
rational Objectives, Financial Objectives, and Obligations that each Asset Type could cause?
use the highest Impact Score you provide for the assets below.
$ 1,000.00
$ 10,000.00
$ 500,000.00
$ 5,000,000.00
hat each Asset Type could cause?
elow.
Risk Register
Applications 2.1
Applications 2.2
Applications 7.3
Applications 7.4
Applications 7.5
Applications 7.6
Applications 7.7
Applications 9.1
Applications 9.4
Applications 16.1
Applications 16.2
Applications 16.3
Applications 16.4
Applications 16.5
Applications 16.6
Applications 16.7
Applications 16.8
Applications 16.9
Applications 16.10
Applications 16.11
Data 3.1
Data 3.2
Data 3.3
Data 3.4
Data 3.5
Data 3.7
Data 3.8
Data 3.9
Data 3.10
Data 3.11
Data 11.1
Data 11.2
Data 11.3
Data 11.4
Data 11.5
Devices 1.1
Devices 1.2
Devices 1.3
Devices 1.4
Devices 3.6
Devices 4.4
Devices 4.5
Devices 4.8
Devices 4.9
Devices 4.10
Devices 4.11
Devices 8.8
Devices 10.1
Devices 10.2
Devices 10.3
Devices 10.4
Devices 10.5
Devices 10.6
Devices 10.7
Devices 12.7
Devices 13.2
Devices 13.5
Enterprise 14.1
Enterprise 14.2
Enterprise 14.3
Enterprise 14.4
Enterprise 14.5
Enterprise 14.6
Enterprise 14.7
Enterprise 14.8
Enterprise 14.9
Enterprise 15.1
Enterprise 15.2
Enterprise 15.3
Enterprise 15.4
Enterprise 17.1
Enterprise 17.2
Enterprise 17.3
Enterprise 17.4
Enterprise 17.5
Enterprise 17.6
Enterprise 17.7
Enterprise 17.8
Enterprise 18.1
Network 3.12
Network 4.2
Network 4.6
Network 8.1
Network 8.2
Network 8.3
Network 8.4
Network 8.5
Network 8.6
Network 8.7
Network 8.9
Network 8.10
Network 8.11
Network 9.2
Network 9.3
Network 9.5
Network 9.6
Network 12.1
Network 12.2
Network 12.3
Network 12.4
Network 12.5
Network 12.6
Network 13.1
Network 13.3
Network 13.4
Network 13.6
Network 18.2
Network 18.3
Users 4.3
Users 4.7
Users 5.1
Users 5.2
Users 5.3
Users 5.4
Users 5.5
Users 5.6
Users 6.1
Users 6.2
Users 6.3
Users 6.4
Users 6.5
Users 6.6
Users 6.7
Manufacturer
e
All data on this page is considered sample da
Restrict Unnecessary or
Unauthorized Browser and Email x Protect
Client Extensions
Risk Analysis
We use AppXYZControl that Monthly scan reports and Shell scripting tools and compilers are
monitors for applications "diff" reports are located in \\ permitted, but we have no way of
installed on all servers and end- fileserverALPHA\evidence\ validating scripts, or side-loaded
user systems. 20211212\2\ applications.
We use AppXYZControl that Monthly scan reports and Shell scripting tools and compilers are
monitors for applications "diff" reports are located in \\ permitted, but we have no way of
installed on some servers and fileserverALPHA\evidence\ validating scripts, or side-loaded
end-user systems. 20211212\2\ applications.
ACME's Ops team remediates The Ops team reviews all vulnerabilities,
vulnerabilities that they are but does not resolve vulnerabilities that
certain will not compromise are out of our control, or that would
system performance. "break" systems.
rganization's risk register. Only to be used for demonstration purposes.
Impact to Impact to
Safeguard Expectancy Impact to
VCDB Index Operational Financial
Maturity Score Score Mission
Objectives Objectives
3 2 2 4 2 4
2 2 3 4 2 4
5 2 1 4 2 4
2 2 3 4 2 4
4 2 2 4 2 4
5 2 1 4 2 4
4 2 2 4 2 4
5 2 1 4 2 4
2 2 3 4 2 4
3 2 2 4 2 4
2 2 3 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 4 2 4
2 3 4 3 4 5
2 3 4 3 4 5
1 3 5 3 4 5
2 3 4 3 4 5
4 3 2 3 4 5
3 3 3 3 4 5
3 3 3 3 4 5
1 3 5 3 4 5
1 3 5 3 4 5
2 3 4 3 4 5
3 3 4 5
3 3 4 5
3 3 4 5
3 3 4 5
3 3 4 5
5 1 1 2 1 3
3 1 1 2 1 3
2 1 3 2 1 3
4 1 1 2 1 3
3 1 1 2 1 3
1 1 4 2 1 3
2 1 3 2 1 3
1 1 4 2 1 3
2 1 3 2 1 3
4 1 1 2 1 3
2 1 3 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
1 2 1 3
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
3 4 4 5
4 1 1 3 4 3
1 1 4 3 4 3
4 1 1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 4 3
1 3 5 3 3 4
3 3 3 3 3 4
5 3 1 3 3 4
1 3 5 3 3 4
2 3 4 3 3 4
3 3 3 3 3 4
4 3 2 3 3 4
5 3 1 3 3 4
2 3 4 3 3 4
1 3 5 3 3 4
1 3 5 3 3 4
3 3 3 3 3 4
3 3 3 4
3 3 3 4
3 3 3 4
Risk
Register
Impact to
Risk Score Risk Level Risk Treatment Option Risk Treatment Safeguard
Obligations
5 10 Reduce 2.1
5 15 Reduce 2.1
5 5 Accept 2.2
5 15 Reduce 2.2
5 10 Reduce 2.3
5 5 Accept 2.4
5 10 Reduce 2.5
5 5 Accept 2.6
5 15 Reduce 4.1
5 10 Reduce 7.1
5 15 Reduce 7.2
5 7.3
5 7.4
5 7.5
5 7.6
5 7.7
5 9.1
5 9.4
5 16.1
5 16.2
5 16.3
5 16.4
5 16.5
5 16.6
5 16.7
5 16.8
5 16.9
5 16.1
5 16.11
2 20 3.1
2 20 3.2
2 25 3.3
2 20 3.4
2 10 3.5
2 15 3.7
2 15 3.8
2 25 3.9
2 25 3.1
2 20 3.11
2 11.1
2 11.2
2 11.3
2 11.4
2 11.5
3 3 1.1
3 3 1.2
3 9 1.3
3 3 1.4
3 3 3.6
3 12 4.4
3 9 4.5
3 12 4.8
3 9 4.9
3 3 4.1
3 9 4.11
3 8.8
3 10.1
3 10.2
3 10.3
3 10.4
3 10.5
3 10.6
3 10.7
3 12.7
3 13.2
3 13.5
5 14.1
5 14.2
5 14.3
5 14.4
5 14.5
5 14.6
5 14.7
5 14.8
5 14.9
5 15.1
5 15.2
5 15.3
5 15.4
5 17.1
5 17.2
5 17.3
5 17.4
5 17.5
5 17.6
5 17.7
5 17.8
5 18.1
1 4 3.12
1 16 4.2
1 4 4.6
1 8.1
1 8.2
1 8.3
1 8.4
1 8.5
1 8.6
1 8.7
1 8.9
1 8.1
1 8.11
1 9.2
1 9.3
1 9.5
1 9.6
1 12.1
1 12.2
1 12.3
1 12.4
1 12.5
1 12.6
1 13.1
1 13.3
1 13.4
1 13.6
1 18.2
1 18.3
4 20 4.3
4 12 4.7
4 4 5.1
4 20 5.2
4 16 5.3
4 12 5.4
4 8 5.5
4 4 5.6
4 16 6.1
4 20 6.2
4 20 6.3
4 12 6.4
4 6.5
4 6.6
4 6.7
Risk Treatment
Safeguard Title
Implement DMARC
Establish and maintain a detailed inventory of all licensed software installed on enterprise
assets. The software inventory must document the title, publisher, initial install/use date, and
business purpose for each entry; where appropriate, include the Uniform Resource Locator
(URL), app store(s), version(s), deployment mechanism, and decommission date. Review and
update the software inventory bi-annually, or more frequently.
Establish and maintain a detailed inventory of all licensed software installed on enterprise
assets. The software inventory must document the title, publisher, initial install/use date, and
business purpose for each entry; where appropriate, include the Uniform Resource Locator
(URL), app store(s), version(s), deployment mechanism, and decommission date. Review and
update the software inventory bi-annually, or more frequently.
Ensure that only currently supported software Thisisenterprise
designated as authorized in the software
inventory for enterprise assets. If software is unsupported,
believes that yet necessary for the fulfillment of the
enterprise’s mission, document an exception detailing mitigating controls and residual risk
permitting script
acceptance. For any unsupported software engines
without an
on exception
only documentation, designate as
unauthorized. Review the software list to verify
systemsoftware
adminsupport at least monthly, or more
frequently. computers will address
this risk.
Ensure that only currently supported software is designated as authorized in the software
inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the
enterprise’s mission, document an exception detailing mitigating controls and residual risk
acceptance. For any unsupported software without an exception documentation, designate as
unauthorized. Review the software list to verify software support at least monthly, or more
frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a
documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the
discovery and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized software
can execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized
libraries from loading into a system process. Reassess bi-annually, or more frequently.
Establish and maintain a secure configuration process for enterprise assets (end-user devices,
including portable and mobile, non-computing/IoT devices, and servers) and software (operating
systems and applications). Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a documented vulnerability management process for enterprise assets.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Perform operating system updates on enterprise assets through automated patch management
on a monthly, or more frequent, basis.
Perform application updates on enterprise assets through automated patch management on a
monthly, or more frequent, basis.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more
frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-
compliant vulnerability scanning tool.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise,
only using the latest version of browsers and email clients provided through the vendor.
Establish and maintain a secure application development process. In the process, address such
items as: secure application design standards, secure coding practices, developer training,
vulnerability management, security of third-party code, and application security testing
procedures. Review and update documentation annually, or when significant enterprise changes
occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software vulnerabilities,
including providing a means for external entities to report. The process is to include such items
as: a vulnerability handling policy that identifies reporting process, responsible party for handling
vulnerability reports, and a process for intake, assignment, remediation, and remediation
testing. As part of the process, use a vulnerability tracking system that includes severity ratings,
and metrics for measuring timing for identification, analysis, and remediation of
vulnerabilities. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that helps to
set expectations for outside stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root
cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and
allows development teams to move beyond just fixing individual vulnerabilities as they arise.
Use up-to-date and trusted third-party software components. When possible, choose established
and proven frameworks and libraries that provide adequate security. Acquire these components
from trusted sources or evaluate the software for vulnerabilities before use.
Establish and maintain a severity rating system and process for application vulnerabilities that
facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process
includes setting a minimum level of security acceptability for releasing code or applications.
Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management
and helps ensure the most severe bugs are fixed first. Review and update the system and
process annually.
Use standard, industry-recommended hardening configuration templates for application
infrastructure components. This includes underlying servers, databases, and web servers, and
applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components.
Do not allow in-house developed software to weaken configuration hardening.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities. Training can include general security
principles and application security standard practices. Conduct training at least annually and
design in a way to promote security within the development team, and build a culture of security
among the developers.
Apply secure design principles in application architectures. Secure design principles include the
concept of least privilege and enforcing mediation to validate every operation that the user
makes, promoting the concept of "never trust user input." Examples include ensuring that explicit
error checking is performed and documented for all input, including for size, data type, and
acceptable ranges or formats. Secure design also means minimizing the application
infrastructure attack surface, such as turning off unprotected ports and services, removing
unnecessary programs and files, and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as identity
management, encryption, and auditing and logging. Using platform features in critical security
functions will reduce developers’ workload and minimize the likelihood of design or
implementation errors. Modern operating systems provide effective mechanisms for
identification, authentication, and authorization and make those mechanisms available to
applications. Use only standardized, currently accepted, and extensively reviewed encryption
algorithms. Operating systems also provide mechanisms to create and maintain secure audit
logs.
Establish and maintain a data management process. In the process, address data sensitivity,
data owner, handling of data, data retention limits, and disposal requirements, based on
sensitivity and retention standards for the enterprise. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process.
Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum,
with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access control
lists, also known as access permissions, to local and remote file systems, databases, and
applications.
Retain data according to the enterprise’s data management process. Data retention must
include both minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the
disposal process and method are commensurate with the data sensitivity.
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may
use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to
those labels. Review and update the classification scheme annually, or when significant
enterprise changes occur that could impact this Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should
be based on the enterprise’s data management process. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an isolated instance of recovery data. Example implementations include,
version controlling backup destinations through offline, cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets
with the potential to store or process data, to include: end-user devices (including portable and
mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records
the network address (if static), hardware address, machine name, enterprise asset owner,
department for each asset, and whether the asset has been approved to connect to the network.
For mobile end-user devices, MDM type tools can support this process, where appropriate. This
inventory includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly connected to
the enterprise’s network infrastructure, even if they are not under control of the enterprise.
Review and update the inventory of all enterprise assets bi-annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise
may choose to remove the asset from the network, deny the asset from connecting remotely to
the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to
update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset
inventory weekly, or more frequently.
Encrypt data on end-user devices containing sensitive data. Example implementations can
include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Implement and manage a firewall on servers, where supported. Example implementations
include a virtual firewall, operating system firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a
default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused
file sharing service, web application module, or service function.
Configure automatic updates for anti-malware signature files on all enterprise assets.
Enable anti-exploitation features on enterprise assets and software, where possible, such as
Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or
Apple® System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or
supported.
Manage access control for assets remotely connecting to enterprise resources. Determine
amount of access to enterprise resources based on: up-to-date anti-malware software installed,
configuration compliance with the enterprise’s secure configuration process, and ensuring the
operating system and applications are up-to-date.
Establish and maintain a security awareness program. The purpose of a security awareness
program is to educate the enterprise’s workforce on how to interact with enterprise assets and
data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and
update content annually, or when significant enterprise changes occur that could impact this
Safeguard.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting,
and tailgating.
Train workforce members on authentication best practices. Example topics include MFA,
password composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive data. This also includes training workforce members on clear screen and desk best
practices, such as locking their screen when they step away from their enterprise asset, erasing
physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics
include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to
unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such
an incident.
Train workforce to understand how to verify and report out-of-date software patches or any
failures in automated processes and tools. Part of this training should include notifying IT
personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure
networks for enterprise activities. If the enterprise has remote workers, training must include
guidance to ensure that all users securely configure their home network infrastructure.
Conduct role-specific security awareness and skills training. Example implementations include
secure system administration courses for IT professionals, OWASP® Top 10 vulnerability
awareness and prevention training for web application developers, and advanced social
engineering awareness training for high-profile roles.
Establish and maintain an inventory of service providers. The inventory is to list all known
service providers, include classification(s), and designate an enterprise contact for each service
provider. Review and update the inventory annually, or when significant enterprise changes
occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the
classification, inventory, assessment, monitoring, and decommissioning of service providers.
Review and update the policy annually, or when significant enterprise changes occur that could
impact this Safeguard.
Classify service providers. Classification consideration may include one or more characteristics,
such as data sensitivity, data volume, availability requirements, applicable regulations, inherent
risk, and mitigated risk. Update and review classifications annually, or when significant
enterprise changes occur that could impact this Safeguard.
Ensure service provider contracts include security requirements. Example requirements may
include minimum security program requirements, security incident and/or data breach
notification and response, data encryption requirements, and data disposal commitments. These
security requirements must be consistent with the enterprise’s service provider management
policy. Review service provider contracts annually to ensure contracts are not missing security
requirements.
Designate one key person, and at least one backup, who will manage the enterprise’s incident
handling process. Management personnel are responsible for the coordination and
documentation of incident response and recovery efforts and can consist of employees internal
to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor,
designate at least one person internal to the enterprise to oversee any third-party work. Review
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of security
incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber
insurance providers, relevant government agencies, Information Sharing and Analysis Center
(ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-
to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The
process includes reporting timeframe, personnel to report to, mechanism for reporting, and the
minimum information to be reported. Ensure the process is publicly available to all of the
workforce. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT,
information security, facilities, public relations, human resources, incident responders, and
analysts, as applicable. Review annually, or when significant enterprise changes occur that
could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and report
during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind
that certain mechanisms, such as emails, can be affected during a security incident. Review
annually, or when significant enterprise changes occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved
in the incident response process to prepare for responding to real-world incidents. Exercises
need to test communication channels, decision making, and workflows. Conduct testing on an
annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through
identifying lessons learned and follow-up action.
Establish and maintain a penetration testing program appropriate to the size, complexity, and
maturity of the enterprise. Penetration testing program characteristics include scope, such as
network, web application, Application Programming Interface (API), hosted services, and
physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack
types; point of contact information; remediation, such as how findings will be routed internally;
and retrospective requirements.
Segment data processing and storage based on the sensitivity of the data. Do not process
sensitive data on enterprise assets intended for lower sensitivity data.
Establish and maintain a secure configuration process for network devices. Review and update
documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Securely manage enterprise assets and software. Example implementations include managing
configuration through version-controlled-infrastructure-as-code and accessing administrative
interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer
Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype
Network) and HTTP, unless operationally essential.
Establish and maintain an audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for
enterprise assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has
been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit
log management process.
Standardize time synchronization. Configure at least two synchronized time sources across
enterprise assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event
source, date, username, timestamp, source addresses, destination addresses, and other useful
elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a
potential threat. Conduct reviews on a weekly, or more frequent, basis.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to
potentially malicious or unapproved websites. Example implementations include category-based
filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all
enterprise assets.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC
policy and verification, starting with implementing the Sender Policy Framework (SPF) and the
DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Ensure network infrastructure is kept up-to-date. Example implementations include running the
latest stable release of software and/or using currently supported network-as-a-service (NaaS)
offerings. Review software versions monthly, or more frequently, to verify software support.
Establish and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum.
Securely manage network infrastructure. Example implementations include version-controlled-
infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected
Access 2 (WPA2) Enterprise or greater).
Centralize security event alerting across enterprise assets for log correlation and analysis. Best
practice implementation requires the use of a SIEM, which includes vendor-defined event
correlation alerts. A log analytics platform configured with security-relevant correlation alerts also
satisfies this Safeguard.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example
implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent
cloud service provider (CSP) service.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory
must include both user and administrator accounts. The inventory, at a minimum, should contain
the person’s name, username, start/stop dates, and department. Validate that all active
accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes, at a
minimum, an 8-character password for accounts using MFA and a 14-character password for
accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Risk Treatment
Our Planned Implementation Safeguard Maturity
Score
Update the SCAP policies quarterly and include all approved changes to the
updated policies.
1 4 2 4
4 2 4
4 2 4
4 2 4
1 4 2 4
4 2 4
4 2 4
4 2 4
2 4 2 4
2 4 2 4
1 4 2 4
Risk Treatment
Risk Treatment Reasonable and Risk Treatment
Safeguard Impact to
Safeguard Risk Score Acceptable Safeguard Cost
Obligations
5 5 Yes $ -
5 No
5 Yes
5 No
5 5 Yes $ -
5 Yes
5 No
5 Yes
5 10 No $ 501,000
5 10 No
5 5 Yes
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Yes
Yes
Yes
Yes
Yes
No
Yes
No
Yes
Yes
Yes
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Yes
No
Yes
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Yes
No
No
No
Yes
Yes
No
No
No
No
No
No
No
Reasonable Annual Cost
Impact to
Implementation Reasonabl
Implementation Year Financial Year
Quarter e?
Objectives
$ 501,000.00 2022 No
$ - 2023 Yes
$ - 2024 Yes
$ - 2026 Yes
$ - 2027 Yes
$ - 2028 Yes
$ - 2030 Yes
CIS-Hosted CSAT
Policy Defined Control Implemented
Maturity Scores
1 No Policy Not Implemented
2 Informal Policy Parts of Policy Implemented
3 Partially Written Policy Implemented on Some Systems
4 Written Policy Implemented on Most Systems
5 Approved Written Policy Implemented on All Systems
Unknown - Unscored None None
Unknown - N/A Not Applicable Not Applicable
5 3 4 4
3 4 3 3
5 5 5 5
4 5 4 4
2 3 2 2
3 4 3 3
3 3 3 3
3 4 4 4
5 5 5 5
4 5 4 4
4 5 5 5
5 4 4 4
4 4 4 4
2 1 1 1
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 Unknown - N/A 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
sted CSAT
5 3 4 4
3 4 3 3
5 5 5 5
4 5 4 4
2 3 2 2
3 4 3 3
3 3 3 3
3 4 4 4
5 5 5 5
4 5 4 4
4 5 5 5
5 4 4 4
4 4 4 4
2 1 1 1
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 5 5 5
5 5 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
5 Unknown - N/A 5 5
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
Unknown -
Unknown - Unscored #DIV/0! #DIV/0!
Unscored
2 1 1 1
1 1 1 1
4 4 4 4
5 3 4 4
4 5 4 4
4 5 5 5
5 5 5 5
5 4 5 5
4 5 4 4
4 5 5 5
5 5 5 5
2 1 1 1
1 1 1 1
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
#N/A #N/A #N/A #N/A
CIS CSAT Pro
CIS CSAT Pro for CIS Controls v7.1